Collect Zeek (Bro) logs
This document explains how to deploy Zeek (formerly Bro) and NXLog with Google Security Operations to collect Zeek logs in JSON format. It also explains how Zeek log fields are mapped to Google Security Operations Unified Data Model (UDM) fields.
For more information about data ingestion in Google Security Operations, see Data ingestion to Google Security Operations.
An ingestion label identifies the parser that normalizes raw log data to the structured UDM format. The information in this document applies to the parser with the ingestion label BRO_JSON.
Before you begin
To understand the components deployed to collect Zeek logs, review the deployment architecture. Each customer deployment can differ from this representation and be more complex. The following diagram shows how to configure an NXLog agent and a Google Security Operations forwarder on a Linux server, and then forward the log data to Google Security Operations.
Check the Zeek versions supported by the Google Security Operations parser. The Google Security Operations parser supports the following Zeek versions:
- Zeek 4.1.0
- Zeek 4.0.1
- Zeek 5.2.0
- Zeek 6.0.0
Before you use the Zeek parser, review the changes to the field mappings between the previous parser and the current Zeek parser. When migrating, make sure that rules, searches, dashboards, or other processes that depend on the original fields use the updated fields.
For example, in the previous version of the parser, the server_name field was mapped to the target.hostname UDM field. In the current Zeek parser, the server_name field is mapped to the network.tls.client.server_name UDM field. If you migrate to the current Zeek parser and use the server_name field in your rules, you must modify the rules to use the current parser's network.tls.client.server_name UDM field.
Check the Zeek log types supported by the Google Security Operations parser. The following table lists the Zeek log types supported by the Google Security Operations parser:
Log type | Description |
---|---|
Network protocols | Includes log files for network protocols, such as Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS). |
Files | Includes the following log files: file analysis results, Online Certificate Status Protocol (OCSP), Portable Executable (PE), and X.509 certificate. |
NetControl | Includes log files for NetControl actions and OpenFlow debug logs. |
Detection | Includes log files for intelligence data matches, Zeek notices, the alarm stream, signature matches, and traceroute detection. |
Network observations | Includes log files for SSL certificates, hosts that completed TCP handshakes, Modbus masters and slaves, services running on hosts, and software used on the network. |
If you haven't already done so, install and configure Zeek. For more information, see Installing Zeek.
Collect Zeek logs in JSON format. For more information, see Export Zeek logs in JSON format.
Make sure that all systems in the deployment architecture are configured with the UTC time zone.
Configure NXLog and the Google Security Operations forwarder
- Download and install NXLog Community Edition on the Linux machine where the Google Security Operations forwarder runs.
- For more information about downloading NXLog Community Edition, see the NXLog documentation.
- For more information about installing the required NXLog packages and dependencies, see Install NXLog on a Linux system.
- Create a configuration file for each NXLog instance.
Use the NXLog im_file module to read each Zeek log file and tag every line with its log type. The following is an example NXLog configuration:
```
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

define ZEEK_OUTPUT_DESTINATION_ADDRESS <hostname>
define ZEEK_OUTPUT_DESTINATION_PORT <port>

# One Input per Zeek log; the Exec prefixes each JSON line with its log type.
<Input conn>
    Module im_file
    File '/opt/zeek/logs/current/conn.log'
    Exec $raw_event = "conn" + ' - ' + $raw_event;
</Input>

<Input dce_rpc>
    Module im_file
    File '/opt/zeek/logs/current/dce_rpc.log'
    Exec $raw_event = "dce_rpc" + ' - ' + $raw_event;
</Input>

# Plain TCP to the Google Security Operations forwarder's syslog collector.
<Output out_chronicle>
    Module om_tcp
    Host %ZEEK_OUTPUT_DESTINATION_ADDRESS%
    Port %ZEEK_OUTPUT_DESTINATION_PORT%
</Output>

<Route zeek_to_chronicle>
    Path conn, dce_rpc => out_chronicle
</Route>
```
To use the preceding example configuration, do the following:
- Replace the <hostname> and <port> values with the details of the destination Linux server.
- Add Input, Output, and Route elements for each Zeek log type that you want to collect.
Configure the Google Security Operations forwarder to send logs to Google Security Operations. For more information, see Install and configure the forwarder on Linux. The following is an example forwarder configuration:
```
- syslog:
    common:
      enabled: true
      data_type: BRO_JSON
      batch_n_seconds: 10
      batch_n_bytes: 1048576
    tcp_address: 0.0.0.0:10518
    connection_timeout_sec: 60
```
Start the NXLog service.
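As an added example (not the page's own code, Google's BRO_JSON parser, or NXLog code), the following Python script reproduces the `<log_type> - <json>` line shape that the NXLog Exec directive above emits, splits it again on the receiving side, and maps conn.log, dns.log and ssl.log fields to the UDM paths given in the field mapping reference below and in "Before you begin". The sample records, the uid values, the function names, and the upper-casing of network.application_protocol are assumptions of this example.

```python
"""Added example: build the NXLog '<log_type> - <json>' line, split it again,
and map conn.log, dns.log and ssl.log fields to the UDM paths in the mapping
table. Not Google's BRO_JSON parser; unlisted fields go to additional.fields."""
import json
from datetime import datetime, timezone

# UDM paths shared by every protocol log in the mapping table.
COMMON = {
    "ts": "metadata.event_timestamp",
    "uid": "network.session_id",
    "id.orig_h": "principal.ip",
    "id.orig_p": "principal.port",
    "id.resp_h": "target.ip",
    "id.resp_p": "target.port",
}

# Per-log paths from the table; ssl.log server_name is from "Before you begin".
PER_LOG = {
    "conn": {
        "proto": "network.ip_protocol",
        "duration": "network.session_duration",
        "orig_bytes": "network.sent_bytes",
        "resp_bytes": "network.received_bytes",
        "conn_state": "metadata.description",
    },
    "dns": {
        "proto": "network.ip_protocol",
        "trans_id": "network.dns.id",
        "query": "network.dns.questions.name",
        "qclass": "network.dns.questions.class",
        "qtype": "network.dns.questions.type",
        "rcode": "network.dns.response_code",
        "RD": "network.dns.recursion_desired",
        "RA": "network.dns.recursion_available",
        "answers": "network.dns.answers.data",
        "TTLs": "network.dns.answers.ttl",
    },
    "ssl": {"server_name": "network.tls.client.server_name"},
}

def nxlog_prefix(log_type: str, record: dict) -> str:
    """Build what Exec $raw_event = "<type>" + ' - ' + $raw_event; emits."""
    return f"{log_type} - {json.dumps(record, separators=(',', ':'))}"

def split_prefixed(line: str) -> tuple[str, dict]:
    """Undo nxlog_prefix: the log type is everything before the first ' - '."""
    log_type, sep, payload = line.partition(" - ")
    if not sep:
        raise ValueError("line is not in '<log_type> - <json>' form")
    return log_type, json.loads(payload)

def _set_path(udm: dict, path: str, value) -> None:
    """Set a dotted UDM path such as network.dns.response_code in a nested dict."""
    *parents, leaf = path.split(".")
    node = udm
    for key in parents:
        node = node.setdefault(key, {})
    node[leaf] = value

def to_udm(log_type: str, record: dict) -> dict:
    """Map one Zeek JSON record to a nested dict keyed by UDM path segments."""
    udm = {"additional": {"fields": {}}}
    mapping = {**COMMON, **PER_LOG.get(log_type, {})}
    for field, value in record.items():
        if field == "ts":
            # Zeek JSON ts is an epoch float; the deployment runs in UTC.
            value = datetime.fromtimestamp(value, tz=timezone.utc).isoformat()
        if log_type == "conn" and field == "service":
            # Table: one exact service -> application_protocol; several (Zeek joins
            # them with commas) -> additional.fields. Upper-casing is an assumption.
            if "," in value:
                udm["additional"]["fields"]["service"] = value
            else:
                _set_path(udm, "network.application_protocol", value.upper())
            continue
        path = mapping.get(field)
        if path is None:
            udm["additional"]["fields"][field] = value
        else:
            _set_path(udm, path, value)
    return udm

# Constructed sample records (RFC 5737 addresses, made-up uids), not real traffic.
CONN = {"ts": 1700000000.0, "uid": "CExample1conn", "id.orig_h": "192.0.2.10",
        "id.orig_p": 51234, "id.resp_h": "198.51.100.20", "id.resp_p": 443,
        "proto": "tcp", "service": "ssl", "duration": 0.42, "orig_bytes": 517,
        "resp_bytes": 4096, "conn_state": "SF", "history": "ShADadFf"}
DNS = {"ts": 1700000000.0, "uid": "CExample2dns", "id.orig_h": "192.0.2.10",
       "id.orig_p": 40000, "id.resp_h": "198.51.100.53", "id.resp_p": 53,
       "proto": "udp", "trans_id": 4660, "query": "example.com", "qclass": 1,
       "qclass_name": "C_INTERNET", "qtype": 1, "qtype_name": "A", "rcode": 0,
       "rcode_name": "NOERROR", "RD": True, "RA": True,
       "answers": ["198.51.100.80"], "TTLs": [300.0], "rejected": False}

if __name__ == "__main__":
    for line in (nxlog_prefix("conn", CONN), nxlog_prefix("dns", DNS)):
        print(json.dumps(to_udm(*split_prefixed(line)), indent=2))
```

Running it prints the two mapped events; compare the output against the table to confirm that fields without a dedicated UDM path, such as history or rcode_name, end up under additional.fields.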
Field mapping reference: Zeek log fields to UDM fields
To understand how the Google Security Operations parser maps Zeek log fields to Google Security Operations UDM event fields for each Zeek log type, see the following sections:
Network protocols
The following table lists the log fields of the network protocols log type and the corresponding UDM fields.
Original log field | Log type | UDM field |
---|---|---|
ts | conn.log | metadata.event_timestamp |
uid | conn.log | network.session_id |
id.orig_h | conn.log | principal.ip |
id.orig_p | conn.log | principal.port |
id.resp_h | conn.log | target.ip |
id.resp_p | conn.log | target.port |
proto | conn.log | network.ip_protocol |
service | conn.log | In case of exact match, service is mapped to network.application_protocol. In case of multiple values, service is mapped to additional.fields.key/value. |
duration | conn.log | network.session_duration |
orig_bytes | conn.log | network.sent_bytes |
resp_bytes | conn.log | network.received_bytes |
conn_state | conn.log | metadata.description |
local_orig | conn.log | additional.fields.key/value |
local_resp | conn.log | additional.fields.key/value |
missed_bytes | conn.log | additional.fields.key/value |
history | conn.log | additional.fields.key/value |
orig_pkts | conn.log | additional.fields.key/value |
orig_ip_bytes | conn.log | additional.fields.key/value |
resp_pkts | conn.log | additional.fields.key/value |
resp_ip_bytes | conn.log | additional.fields.key/value |
tunnel_parents | conn.log | additional.fields.key/value |
orig_l2_addr | conn.log | additional.fields.key/value |
resp_l2_addr | conn.log | additional.fields.key/value |
vlan | conn.log | additional.fields.key/value |
inner_vlan | conn.log | additional.fields.key/value |
speculative_service | conn.log | additional.fields.key/value |
ts | dce_rpc.log | metadata.event_timestamp |
uid | dce_rpc.log | network.session_id |
id.orig_h | dce_rpc.log | principal.ip |
id.orig_p | dce_rpc.log | principal.port |
id.resp_h | dce_rpc.log | target.ip |
id.resp_p | dce_rpc.log | target.port |
rtt | dce_rpc.log | additional.fields.key/value |
named_pipe | dce_rpc.log | target.resource.name. Also, target.resource.resource_type is set to "PIPE". |
endpoint | dce_rpc.log | additional.fields.key/value |
operation | dce_rpc.log | additional.fields.key/value |
ts | dhcp.log | metadata.event_timestamp |
uids | dhcp.log | additional.fields.key/value |
client_addr | dhcp.log | target.ip |
server_addr | dhcp.log | principal.ip |
client_port | dhcp.log | target.port |
server_port | dhcp.log | principal.port |
mac | dhcp.log | principal.mac. Machine ID is required for parsing NETWORK_DHCP events. |
host_name | dhcp.log | network.dhcp.client_hostname |
client_fqdn | dhcp.log | target.hostname |
domain | dhcp.log | target.administrative_domain |
requested_addr | dhcp.log | network.dhcp.requested_address |
assigned_addr | dhcp.log | network.dhcp.yiaddr |
lease_time | dhcp.log | network.dhcp.lease_time_seconds |
client_message | dhcp.log | additional.fields.key/value |
server_message | dhcp.log | additional.fields.key/value |
msg_types | dhcp.log | additional.fields.key/value. The log that Zeek produces is a collection of DORA messages in a single log. |
duration | dhcp.log | network.dhcp.seconds |
client_chaddr | dhcp.log | network.dhcp.chaddr |
msg_orig | dhcp.log | additional.fields.key/value |
client_software | dhcp.log | additional.fields.key/value |
server_software | dhcp.log | additional.fields.key/value |
circuit_id | dhcp.log | additional.fields.key/value |
agent_remote_id | dhcp.log | additional.fields.key/value |
subscriber_id | dhcp.log | additional.fields.key/value |
ts | dnp3.log | metadata.event_timestamp |
uid | dnp3.log | network.session_id |
id.orig_h | dnp3.log | principal.ip |
id.orig_p | dnp3.log | principal.port |
id.resp_h | dnp3.log | target.ip |
id.resp_p | dnp3.log | target.port |
fc_request | dnp3.log | additional.fields.key/value |
fc_reply | dnp3.log | additional.fields.key/value |
iin | dnp3.log | additional.fields.key/value |
ts | dns.log | metadata.event_timestamp |
uid | dns.log | network.session_id |
id.orig_h | dns.log | principal.ip |
id.orig_p | dns.log | principal.port |
id.resp_h | dns.log | target.ip |
id.resp_p | dns.log | target.port |
proto | dns.log | network.ip_protocol |
trans_id | dns.log | network.dns.id |
rtt | dns.log | additional.fields.key/value |
query | dns.log | network.dns.questions.name |
qclass | dns.log | network.dns.questions.class |
qclass_name | dns.log | additional.fields.key/value |
qtype | dns.log | network.dns.questions.type |
qtype_name | dns.log | additional.fields.key/value |
rcode | dns.log | network.dns.response_code |
rcode_name | dns.log | additional.fields.key/value |
AA | dns.log | network.dns.authoritative |
TC | dns.log | network.dns.truncated |
RD | dns.log | network.dns.recursion_desired |
RA | dns.log | network.dns.recursion_available |
Z | dns.log | additional.fields.key/value |
answers | dns.log | network.dns.answers.data |
TTLs | dns.log | network.dns.answers.ttl |
rejected | dns.log | additional.fields.key/value |
total_answers | dns.log | additional.fields.key/value |
total_replies | dns.log | additional.fields.key/value |
saw_query | dns.log | additional.fields.key/value |
saw_reply | dns.log | additional.fields.key/value |
auth | dns.log | network.dns.authority.data |
addl | dns.log | network.dns.additional.data |
original_query | dns.log | additional.fields.key/value |
ts | ftp.log | metadata.event_timestamp |
uid | ftp.log | network.session_id |
id.orig_h | ftp.log | principal.ip |
id.orig_p | ftp.log | principal.port |
id.resp_h | ftp.log | target.ip |
id.resp_p | ftp.log | target.port |
user | ftp.log | principal.user.userid |
command | ftp.log | network.ftp.command |
arg | ftp.log | additional.fields.key/value |
mime_type | ftp.log | src.file.mime_type |
file_size | ftp.log | src.file.size |
reply_code | ftp.log | additional.fields.key/value |
reply_msg | ftp.log | additional.fields.key/value |
data_channel.passive | ftp.log | additional.fields.key/value |
data_channel.orig_h | ftp.log | additional.fields.key/value |
data_channel.resp_h | ftp.log | additional.fields.key/value |
data_channel.resp_p | ftp.log | additional.fields.key/value |
cwd | ftp.log | src.file.full_path |
cmdarg.ts | ftp.log | additional.fields.key/value |
cmdarg.cmd | ftp.log | additional.fields.key/value |
cmdarg.arg | ftp.log | additional.fields.key/value |
cmdarg.seq | ftp.log | additional.fields.key/value |
pending_commands | ftp.log | additional.fields.key/value |
passive | ftp.log | additional.fields.key/value |
capture_password | ftp.log | additional.fields.key/value |
fuid | ftp.log | additional.fields.key/value |
last_auth_requested | ftp.log | additional.fields.key/value |
ts | http.log | metadata.event_timestamp |
uid | http.log | network.session_id |
id.orig_h | http.log | principal.ip |
id.orig_p | http.log | principal.port |
id.resp_h | http.log | target.ip |
id.resp_p | http.log | target.port |
trans_depth | http.log | additional.fields.key/value |
method | http.log | network.http.method |
host | http.log | target.hostname |
uri | http.log | target.url is set to "%{host}%{uri}" |
referrer | http.log | network.http.referral_url |
version | http.log | additional.fields.key/value |
user_agent | http.log | network.http.user_agent |
origin | http.log | additional.fields.key/value |
request_body_len | http.log | additional.fields.key/value |
response_body_len | http.log | additional.fields.key/value |
status_code | http.log | network.http.response_code |
status_msg | http.log | additional.fields.key/value |
info_code | http.log | additional.fields.key/value |
info_msg | http.log | additional.fields.key/value |
tags | http.log | additional.fields.key/value |
username | http.log | principal.user.userid |
capture_password | http.log | additional.fields.key/value |
proxied | http.log | additional.fields.key/value |
range_request | http.log | additional.fields.key/value |
orig_fuids | http.log | additional.fields.key/value |
orig_filenames | http.log | additional.fields.key/value |
orig_mime_types | http.log | additional.fields.key/value |
resp_fuids | http.log | additional.fields.key/value |
resp_filenames | http.log | additional.fields.key/value |
resp_mime_types | http.log | additional.fields.key/value |
current_entity | http.log | additional.fields.key/value |
orig_mime_depth | http.log | additional.fields.key/value |
resp_mime_depth | http.log | additional.fields.key/value |
client_header_names | http.log | additional.fields.key/value |
server_header_names | http.log | additional.fields.key/value |
omniture | http.log | additional.fields.key/value |
flash_version | http.log | additional.fields.key/value |
cookie_vars | http.log | additional.fields.key/value |
uri_vars | http.log | additional.fields.key/value |
ts | irc.log | metadata.event_timestamp |
uid | irc.log | network.session_id |
id.orig_h | irc.log | principal.ip |
id.orig_p | irc.log | principal.port |
id.resp_h | irc.log | target.ip |
id.resp_p | irc.log | target.port |
nick | irc.log | additional.fields.key/value |
user | irc.log | principal.user.userid |
command | irc.log | principal.process.command_line |
value | irc.log | additional.fields.key/value |
addl | irc.log | additional.fields.key/value |
dcc_file_name | irc.log | additional.fields.key/value |
dcc_file_size | irc.log | src.file.size |
dcc_mime_type | irc.log | src.file.mime_type |
fuid | irc.log | additional.fields.key/value |
ts | kerberos.log | metadata.event_timestamp |
uid | kerberos.log | network.session_id |
id.orig_h | kerberos.log | principal.ip |
id.orig_p | kerberos.log | principal.port |
id.resp_h | kerberos.log | target.ip |
id.resp_p | kerberos.log | target.port |
request_type | kerberos.log | additional.fields.key/value |
client | kerberos.log | additional.fields.key/value |
service | kerberos.log | additional.fields.key/value |
success | kerberos.log | additional.fields.key/value |
error_code | kerberos.log | additional.fields.key/value |
error_msg | kerberos.log | metadata.description is set to "KERBEROS: %{error_msg}" |
from | kerberos.log | additional.fields.key/value |
till | kerberos.log | additional.fields.key/value |
cipher | kerberos.log | network.tls.cipher |
forwardable | kerberos.log | additional.fields.key/value |
renewable | kerberos.log | additional.fields.key/value |
logged | kerberos.log | additional.fields.key/value |
client_cert.ts | kerberos.log | additional.fields.key/value |
client_cert.fuid | kerberos.log | additional.fields.key/value |
client_cert.tx_hosts | kerberos.log | additional.fields.key/value |
client_cert.rx_hosts | kerberos.log | additional.fields.key/value |
client_cert.conn_uids | kerberos.log | additional.fields.key/value |
client_cert.source | kerberos.log | additional.fields.key/value |
client_cert.depth | kerberos.log | additional.fields.key/value |
client_cert.analyzers | kerberos.log | additional.fields.key/value |
client_cert.mime_type | kerberos.log | additional.fields.key/value |
client_cert.filename | kerberos.log | additional.fields.key/value |
client_cert.duration | kerberos.log | additional.fields.key/value |
client_cert.local_orig | kerberos.log | additional.fields.key/value |
client_cert.is_orig | kerberos.log | additional.fields.key/value |
client_cert.seen_bytes | kerberos.log | additional.fields.key/value |
client_cert.total_bytes | kerberos.log | additional.fields.key/value |
client_cert.missing_bytes | kerberos.log | additional.fields.key/value |
client_cert.overflow_bytes | kerberos.log | additional.fields.key/value |
client_cert.timedout | kerberos.log | additional.fields.key/value |
client_cert.parent_fuid | kerberos.log | additional.fields.key/value |
client_cert.md5 | kerberos.log | network.tls.client.certificate.md5 |
client_cert.sha1 | kerberos.log | network.tls.client.certificate.sha1 |
client_cert.sha256 | kerberos.log | network.tls.client.certificate.sha256 |
client_cert.x509.ts | kerberos.log | additional.fields.key/value |
client_cert.x509.fingerprint | kerberos.log | additional.fields.key/value |
client_cert.x509.certificate.version | kerberos.log | network.tls.client.certificate.version |
client_cert.x509.certificate.serial | kerberos.log | network.tls.client.certificate.serial |
client_cert.x509.certificate.subject | kerberos.log | additional.fields.key/value |
client_cert.x509.certificate.issuer | kerberos.log | network.tls.client.certificate.issuer |
client_cert.x509.certificate.cn | kerberos.log | additional.fields.key/value |
client_cert.x509.certificate.not_valid_before | kerberos.log | additional.fields.key/value |
client_cert.x509.certificate.not_valid_after | kerberos.log | additional.fields.key/value |
client_cert.x509.certificate.key_alg | kerberos.log | additional.fields.key/value |
client_cert.x509.certificate.sig_alg | kerberos.log | additional.fields.key/value |
client_cert.x509.certificate.key_type | kerberos.log | additional.fields.key/value |
client_cert.x509.certificate.key_length | kerberos.log | additional.fields.key/value |
client_cert.x509.certificate.exponent | kerberos.log | additional.fields.key/value |
client_cert.x509.certificate.curve | kerberos.log | additional.fields.key/value |
client_cert.x509.handle | kerberos.log | additional.fields.key/value |
client_cert.x509.extensions.name | kerberos.log | additional.fields.key/value |
client_cert.x509.extensions.short_name | kerberos.log | additional.fields.key/value |
client_cert.x509.extensions.oid | kerberos.log | additional.fields.key/value |
client_cert.x509.extensions.critical | kerberos.log | additional.fields.key/value |
client_cert.x509.extensions.value | kerberos.log | additional.fields.key/value |
client_cert.x509.san.dns | kerberos.log | additional.fields.key/value |
client_cert.x509.san.uri | kerberos.log | additional.fields.key/value |
client_cert.x509.san.email | kerberos.log | additional.fields.key/value |
client_cert.x509.san.ip | kerberos.log | additional.fields.key/value |
client_cert.x509.san.other_fields | kerberos.log | additional.fields.key/value |
client_cert.x509.basic_constraints.ca | kerberos.log | additional.fields.key/value |
client_cert.x509.basic_constraints.path_len | kerberos.log | additional.fields.key/value |
client_cert.x509.extensions_cache | kerberos.log | additional.fields.key/value |
client_cert.x509.host_cert | kerberos.log | additional.fields.key/value |
client_cert.x509.client_cert | kerberos.log | additional.fields.key/value |
client_cert.x509.deduplication_index.fingerprint | kerberos.log | additional.fields.key/value |
client_cert.x509.deduplication_index.host_cert | kerberos.log | additional.fields.key/value |
client_cert.x509.deduplication_index.client_cert | kerberos.log | additional.fields.key/value |
client_cert.x509.always_raise_x509_events | kerberos.log | additional.fields.key/value |
client_cert.x509.cert | kerberos.log | additional.fields.key/value |
client_cert.extracted | kerberos.log | additional.fields.key/value |
client_cert.extracted_cutoff | kerberos.log | additional.fields.key/value |
client_cert.extracted_size | kerberos.log | additional.fields.key/value |
client_cert.entropy | kerberos.log | additional.fields.key/value |
client_cert_subject | kerberos.log | network.tls.client.certificate.subject |
client_cert_fuid | kerberos.log | additional.fields.key/value |
server_cert.ts | kerberos.log | additional.fields.key/value |
server_cert.fuid | kerberos.log | additional.fields.key/value |
server_cert.tx_hosts | kerberos.log | additional.fields.key/value |
server_cert.rx_hosts | kerberos.log | additional.fields.key/value |
server_cert.conn_uids | kerberos.log | additional.fields.key/value |
server_cert.source | kerberos.log | additional.fields.key/value |
server_cert.depth | kerberos.log | additional.fields.key/value |
server_cert.analyzers | kerberos.log | additional.fields.key/value |
server_cert.mime_type | kerberos.log | additional.fields.key/value |
server_cert.filename | kerberos.log | additional.fields.key/value |
server_cert.duration | kerberos.log | additional.fields.key/value |
server_cert.local_orig | kerberos.log | additional.fields.key/value |
server_cert.is_orig | kerberos.log | additional.fields.key/value |
server_cert.seen_bytes | kerberos.log | additional.fields.key/value |
server_cert.total_bytes | kerberos.log | additional.fields.key/value |
server_cert.missing_bytes | kerberos.log | additional.fields.key/value |
server_cert.overflow_bytes | kerberos.log | additional.fields.key/value |
server_cert.timedout | kerberos.log | additional.fields.key/value |
server_cert.parent_fuid | kerberos.log | additional.fields.key/value |
server_cert.md5 | kerberos.log | network.tls.server.certificate.md5 |
server_cert.sha1 | kerberos.log | network.tls.server.certificate.sha1 |
server_cert.sha256 | kerberos.log | network.tls.server.certificate.sha256 |
server_cert.x509.ts | kerberos.log | additional.fields.key/value |
server_cert.x509.fingerprint | kerberos.log | additional.fields.key/value |
server_cert.x509.certificate.version | kerberos.log | network.tls.server.certificate.version |
server_cert.x509.certificate.serial | kerberos.log | network.tls.server.certificate.serial |
server_cert.x509.certificate.subject | kerberos.log | additional.fields.key/value |
server_cert.x509.certificate.issuer | kerberos.log | network.tls.server.certificate.issuer |
server_cert.x509.certificate.cn | kerberos.log | additional.fields.key/value |
server_cert.x509.certificate.not_valid_before | kerberos.log | additional.fields.key/value |
server_cert.x509.certificate.not_valid_after | kerberos.log | additional.fields.key/value |
server_cert.x509.certificate.key_alg | kerberos.log | additional.fields.key/value |
server_cert.x509.certificate.sig_alg | kerberos.log | additional.fields.key/value |
server_cert.x509.certificate.key_type | kerberos.log | additional.fields.key/value |
server_cert.x509.certificate.key_length | kerberos.log | additional.fields.key/value |
server_cert.x509.certificate.exponent | kerberos.log | additional.fields.key/value |
server_cert.x509.certificate.curve | kerberos.log | additional.fields.key/value |
server_cert.x509.handle | kerberos.log | additional.fields.key/value |
server_cert.x509.extensions.name | kerberos.log | additional.fields.key/value |
server_cert.x509.extensions.short_name | kerberos.log | additional.fields.key/value |
server_cert.x509.extensions.oid | kerberos.log | additional.fields.key/value |
server_cert.x509.extensions.critical | kerberos.log | additional.fields.key/value |
server_cert.x509.extensions.value | kerberos.log | additional.fields.key/value |
server_cert.x509.san.dns | kerberos.log | additional.fields.key/value |
server_cert.x509.san.uri | kerberos.log | additional.fields.key/value |
server_cert.x509.san.email | kerberos.log | additional.fields.key/value |
server_cert.x509.san.ip | kerberos.log | additional.fields.key/value |
server_cert.x509.san.other_fields | kerberos.log | additional.fields.key/value |
server_cert.x509.basic_constraints.ca | kerberos.log | additional.fields.key/value |
server_cert.x509.basic_constraints.path_len | kerberos.log | additional.fields.key/value |
server_cert.x509.extensions_cache | kerberos.log | additional.fields.key/value |
server_cert.x509.host_cert | kerberos.log | additional.fields.key/value |
server_cert.x509.client_cert | kerberos.log | additional.fields.key/value |
server_cert.x509.deduplication_index.fingerprint | kerberos.log | additional.fields.key/value |
server_cert.x509.deduplication_index.host_cert | kerberos.log | additional.fields.key/value |
server_cert.x509.deduplication_index.client_cert | kerberos.log | additional.fields.key/value |
server_cert.x509.always_raise_x509_events | kerberos.log | additional.fields.key/value |
server_cert.x509.cert | kerberos.log | additional.fields.key/value |
server_cert.extracted | kerberos.log | additional.fields.key/value |
server_cert.extracted_cutoff | kerberos.log | additional.fields.key/value |
server_cert.extracted_size | kerberos.log | additional.fields.key/value |
server_cert.entropy | kerberos.log | additional.fields.key/value |
server_cert_subject | kerberos.log | network.tls.server.certificate.subject |
server_cert_fuid | kerberos.log | additional.fields.key/value |
auth_ticket | kerberos.log | additional.fields.key/value |
new_ticket | kerberos.log | additional.fields.key/value |
ts | modbus.log | metadata.event_timestamp |
uid | modbus.log | network.session_id |
id.orig_h | modbus.log | principal.ip |
id.orig_p | modbus.log | principal.port |
id.resp_h | modbus.log | target.ip |
id.resp_p | modbus.log | target.port |
func | modbus.log | additional.fields.key/value |
exception | modbus.log | additional.fields.key/value |
track_address | modbus.log | additional.fields.key/value |
ts | modbus_register_change.log | metadata.event_timestamp |
uid | modbus_register_change.log | network.session_id |
id.orig_h | modbus_register_change.log | principal.ip |
id.orig_p | modbus_register_change.log | principal.port |
id.resp_h | modbus_register_change.log | target.ip |
id.resp_p | modbus_register_change.log | target.port |
register | modbus_register_change.log | additional.fields.key/value |
old_val | modbus_register_change.log | additional.fields.key/value |
new_val | modbus_register_change.log | additional.fields.key/value |
delta | modbus_register_change.log | additional.fields.key/value |
ts | mysql.log | metadata.event_timestamp |
uid | mysql.log | network.session_id |
id.orig_h | mysql.log | principal.ip |
id.orig_p | mysql.log | principal.port |
id.resp_h | mysql.log | target.ip |
id.resp_p | mysql.log | target.port |
cmd | mysql.log | metadata.description |
arg | mysql.log | principal.process.command_line |
success | mysql.log | If the value of success is "T" or "true", security_result.action is set to "ALLOW" and security_result.summary is set to "Query successfully executed". If the value of success is not "T" or "true", security_result.action is set to "BLOCK" and security_result.summary is set to "Query execution failed". |
rows | mysql.log | security_result.description is set to "Affected rows: %{rows}". If the log type is "mysql.log", the additional field security_result.severity is set to "INFORMATIONAL". |
response | mysql.log | additional.fields.key/value |
ts | ntlm.log | metadata.event_timestamp |
uid | ntlm.log | network.session_id |
id.orig_h | ntlm.log | principal.ip |
id.orig_p | ntlm.log | principal.port |
id.resp_h | ntlm.log | target.ip |
id.resp_p | ntlm.log | target.port |
username | ntlm.log | principal.user.userid |
hostname | ntlm.log | principal.hostname |
domainname | ntlm.log | principal.administrative_domain |
server_nb_computer_name | ntlm.log | additional.fields.key/value |
server_dns_computer_name | ntlm.log | target.hostname |
server_tree_name | ntlm.log | additional.fields.key/value |
success | ntlm.log | If the value of success is "T" or "true", security_result.action is set to "ALLOW" and security_result.summary is set to "Query successfully executed". If the value of success is not "T" or "true", security_result.action is set to "BLOCK" and security_result.summary is set to "Query execution failed". |
done | ntlm.log | additional.fields.key/value |
ts | ntp.log | metadata.event_timestamp |
uid | ntp.log | network.session_id |
id.orig_h | ntp.log | principal.ip |
id.orig_p | ntp.log | principal.port |
id.resp_h | ntp.log | target.ip |
id.resp_p | ntp.log | target.port |
version | ntp.log | additional.fields.key/value |
mode | ntp.log | additional.fields.key/value |
stratum | ntp.log | additional.fields.key/value |
poll | ntp.log | additional.fields.key/value |
precision | ntp.log | additional.fields.key/value |
root_delay | ntp.log | additional.fields.key/value |
root_disp | ntp.log | additional.fields.key/value |
ref_id | ntp.log | additional.fields.key/value |
ref_time | ntp.log | additional.fields.key/value |
org_time | ntp.log | additional.fields.key/value |
rec_time | ntp.log | additional.fields.key/value |
xmt_time | ntp.log | additional.fields.key/value |
num_exts | ntp.log | additional.fields.key/value |
ts | radius.log | metadata.event_timestamp |
uid | radius.log | network.session_id |
id.orig_h | radius.log | principal.ip |
id.orig_p | radius.log | principal.port |
id.resp_h | radius.log | target.ip |
id.resp_p | radius.log | target.port |
username | radius.log | principal.user.userid |
mac | radius.log | principal.mac |
framed_addr | radius.log | additional.fields.key/value |
tunnel_client | radius.log | additional.fields.key/value |
connect_info | radius.log | additional.fields.key/value |
reply_msg | radius.log | additional.fields.key/value |
result | radius.log | If the log type is "radius.log", the following fields are set: if the value of the "result" field is "success", security_result.action is set to "ALLOW" and security_result.summary is set to "User login successful"; if the value of the "result" field is "failed", security_result.action is set to "BLOCK" and security_result.summary is set to "User login failed". |
ttl | radius.log | additional.fields.key/value |
logged | radius.log | additional.fields.key/value |
ts | rdp.log | metadata.event_timestamp |
uid | rdp.log | network.session_id |
id.orig_h | rdp.log | principal.ip |
id.orig_p | rdp.log | principal.port |
id.resp_h | rdp.log | target.ip |
id.resp_p | rdp.log | target.port |
cookie | rdp.log | principal.user.userid |
result | rdp.log | security_result.severity is set to "INFORMATIONAL". security_result.description is set to "%{result} connection with security protocol %{security_protocol}". |
security_protocol | rdp.log | security_result.description is set to "%{result} connection with security protocol %{security_protocol}". |
client_channels | rdp.log | additional.fields.key/value |
keyboard_layout | rdp.log | additional.fields.key/value |
client_build | rdp.log | principal.asset.platform_software.platform_version |
client_name | rdp.log | additional.fields.key/value |
client_dig_product_id | rdp.log | principal.asset.asset_id |
desktop_width | rdp.log | additional.fields.key/value |
desktop_height | rdp.log | additional.fields.key/value |
requested_color_depth | rdp.log | additional.fields.key/value |
cert_type | rdp.log | additional.fields.key/value |
cert_count | rdp.log | additional.fields.key/value |
cert_permanent | rdp.log | additional.fields.key/value |
encryption_level | rdp.log | additional.fields.key/value |
encryption_method | rdp.log | additional.fields.key/value |
analyzer_id | rdp.log | additional.fields.key/value |
done | rdp.log | additional.fields.key/value |
ssl | rdp.log | additional.fields.key/value |
ts | rfb.log | metadata.event_timestamp |
uid | rfb.log | network.session_id |
id.orig_h | rfb.log | principal.ip |
id.orig_p | rfb.log | principal.port |
id.resp_h | rfb.log | target.ip |
id.resp_p | rfb.log | target.port |
client_major_version | rfb.log | additional.fields.key/value |
client_minor_version | rfb.log | additional.fields.key/value |
server_major_version | rfb.log | additional.fields.key/value |
server_minor_version | rfb.log | additional.fields.key/value |
authentication_method | rfb.log | additional.fields.key/value |
auth | rfb.log | additional.fields.key/value |
share_flag | rfb.log | additional.fields.key/value |
desktop_name | rfb.log | target.asset.hostname |
width | rfb.log | additional.fields.key/value |
height | rfb.log | additional.fields.key/value |
done | rfb.log | additional.fields.key/value |
ts | sip.log | metadata.event_timestamp |
uid | sip.log | network.session_id. Also, network.application_protocol is set to "SIP". |
id.orig_h | sip.log | principal.ip |
id.orig_p | sip.log | principal.port |
id.resp_h | sip.log | target.ip |
id.resp_p | sip.log | target.port |
trans_depth | sip.log | additional.fields.key/value |
method | sip.log | metadata.description |
uri | sip.log | about.url |
date | sip.log | additional.fields.key/value |
request_from | sip.log | principal.user.userid and principal.user.user_display_name |
request_to | sip.log | target.user.userid and target.user.user_display_name |
response_from | sip.log | additional.fields.key/value |
response_to | sip.log | additional.fields.key/value |
reply_to | sip.log | additional.fields.key/value |
call_id | sip.log | network.session_id |
seq | sip.log | additional.fields.key/value |
subject | sip.log | additional.fields.key/value |
request_path | sip.log | additional.fields.key/value |
response_path | sip.log | additional.fields.key/value |
user_agent | sip.log | additional.fields.key/value |
status_code | sip.log | security_result.summary is set to "Status Code: %{status_code}". |
status_msg | sip.log | security_result.description |
warning | sip.log | additional.fields.key/value |
request_body_len | sip.log | network.sent_bytes |
response_body_len | sip.log | network.received_bytes |
content_type | sip.log | additional.fields.key/value |
ts | smb_cmd.log | metadata.event_timestamp |
uid | smb_cmd.log | network.session_id |
id.orig_h | smb_cmd.log | principal.ip |
id.orig_p | smb_cmd.log | principal.port |
id.resp_h | smb_cmd.log | target.ip |
id.resp_p | smb_cmd.log | target.port |
command | smb_cmd.log | principal.process.command_line |
sub_command | smb_cmd.log | additional.fields.key/value |
argument | smb_cmd.log | additional.fields.key/value |
status | smb_cmd.log | additional.fields.key/value |
rtt | smb_cmd.log | additional.fields.key/value |
version | smb_cmd.log | metadata.product_version |
username | smb_cmd.log | principal.user.userid |
tree | smb_cmd.log | additional.fields.key/value |
tree_service | smb_cmd.log | additional.fields.key/value |
smb1_offered_dialects | smb_cmd.log | additional.fields.key/value |
smb2_offered_dialects | smb_cmd.log | additional.fields.key/value |
ts | smb_files.log | metadata.event_timestamp |
uid | smb_files.log | network.session_id |
id.orig_h | smb_files.log | principal.ip |
id.orig_p | smb_files.log | principal.port |
id.resp_h | smb_files.log | target.ip |
id.resp_p | smb_files.log | target.port |
fuid | smb_files.log | additional.fields.key/value |
action | smb_files.log | metadata.description is set to "action: %{action} on: %{name}". |
path | smb_files.log | target.file.full_path |
name | smb_files.log | additional.fields.key/value |
size | smb_files.log | target.file.size |
prev_name | smb_files.log | additional.fields.key/value |
times.modified | smb_files.log | additional.fields.key/value |
times.modified_raw | smb_files.log | additional.fields.key/value |
times.accessed | smb_files.log | additional.fields.key/value |
times.accessed_raw | smb_files.log | additional.fields.key/value |
times.created | smb_files.log | additional.fields.key/value |
times.created_raw | smb_files.log | additional.fields.key/value |
times.changed | smb_files.log | additional.fields.key/value |
times.changed_raw | smb_files.log | additional.fields.key/value |
fid | smb_files.log | additional.fields.key/value |
uuid | smb_files.log | additional.fields.key/value |
ts | smb_mapping.log | metadata.event_timestamp |
uid | smb_mapping.log | network.session_id |
id.orig_h | smb_mapping.log | principal.ip |
id.orig_p | smb_mapping.log | principal.port |
id.resp_h | smb_mapping.log | target.ip |
id.resp_p | smb_mapping.log | target.port |
path | smb_mapping.log | target.file.full_path |
service | smb_mapping.log | target.application |
native_file_system | smb_mapping.log | additional.fields.key/value |
share_type | smb_mapping.log | target.resource.resource_type |
ts | smtp.log | metadata.event_timestamp |
uid | smtp.log | network.session_id |
id.orig_h | smtp.log | principal.ip |
id.orig_p | smtp.log | principal.port |
id.resp_h | smtp.log | target.ip |
id.resp_p | smtp.log | target.port |
trans_depth | smtp.log | additional.fields.key/value |
helo | smtp.log | additional.fields.key/value |
mailfrom | smtp.log | additional.fields.key/value |
rcptto | smtp.log | additional.fields.key/value |
date | smtp.log | additional.fields.key/value |
from | smtp.log | network.email.from |
to | smtp.log | email.to |
cc | smtp.log | network.email.cc |
reply_to | smtp.log | email.reply_to |
msg_id | smtp.log | email.mail_id |
in_reply_to | smtp.log | additional.fields.key/value |
subject | smtp.log | email.subject |
x_originating_ip | smtp.log | additional.fields.key/value |
first_received | smtp.log | additional.fields.key/value |
second_received | smtp.log | additional.fields.key/value |
last_reply | smtp.log | additional.fields.key/value |
path | smtp.log | additional.fields.key/value |
user_agent | smtp.log | additional.fields.key/value |
tls | smtp.log | network.tls.established |
process_received_from | smtp.log | additional.fields.key/value |
has_client_activity | smtp.log | additional.fields.key/value |
process_smtp_headers | smtp.log | additional.fields.key/value |
entity.filename | smtp.log | additional.fields.key/value |
entity.excerpt | smtp.log | additional.fields.key/value |
fuids | smtp.log | additional.fields.key/value |
is_webmail | smtp.log | additional.fields.key/value |
ts | snmp.log | metadata.event_timestamp |
uid | snmp.log | network.session_id |
id.orig_h | snmp.log | principal.ip |
id.orig_p | snmp.log | principal.port |
id.resp_h | snmp.log | target.ip |
id.resp_p | snmp.log | target.port |
duration | snmp.log | network.session_duration |
version | snmp.log | metadata.product_version |
community | snmp.log | network.community_id |
get_requests | snmp.log | additional.fields.key/value |
get_bulk_requests | snmp.log | additional.fields.key/value |
get_responses | snmp.log | additional.fields.key/value |
set_requests | snmp.log | additional.fields.key/value |
display_string | snmp.log | metadata.description |
up_since | snmp.log | additional.fields.key/value |
ts | socks.log | metadata.event_timestamp |
uid | socks.log | network.session_id |
id.orig_h | socks.log | principal.ip |
id.orig_p | socks.log | principal.port |
id.resp_h | socks.log | target.ip |
id.resp_p | socks.log | target.port |
version | socks.log | additional.fields.key/value |
user | socks.log | principal.user.userid |
status | socks.log | additional.fields.key/value |
request.host | socks.log | principal.hostname |
request.name | socks.log | additional.fields.key/value |
request_p | socks.log | additional.fields.key/value |
bound.host | socks.log | additional.fields.key/value |
bound.name | socks.log | additional.fields.key/value |
bound_p | socks.log | additional.fields.key/value |
capture_password | socks.log | additional.fields.key/value |
ts | ssh.log | metadata.event_timestamp |
uid | ssh.log | network.session_id |
id.orig_h | ssh.log | principal.ip |
id.orig_p | ssh.log | principal.port |
id.resp_h | ssh.log | target.ip |
id.resp_p | ssh.log | target.port |
version | ssh.log | metadata.product_version |
auth_success | ssh.log | additional.fields.key/value |
auth_attempts | ssh.log | security_result.description is set to "%{auth_attempts} successful SSH authentication attempts were observed". |
direction | ssh.log | network.direction |
client | ssh.log | principal.platform_version |
server | ssh.log | target.platform_version |
cipher_alg | ssh.log | additional.fields.key/value |
mac_alg | ssh.log | additional.fields.key/value |
compression_alg | ssh.log | additional.fields.key/value |
kex_alg | ssh.log | additional.fields.key/value |
host_key_alg | ssh.log | additional.fields.key/value |
host_key | ssh.log | additional.fields.key/value |
logged | ssh.log | additional.fields.key/value |
capabilities.kex_algorithms | ssh.log | additional.fields.key/value |
capabilities.server_host_key_algorithms | ssh.log | additional.fields.key/value |
capabilities.encryption_algorithms | ssh.log | additional.fields.key/value |
capabilities.mac_algorithms | ssh.log | additional.fields.key/value |
capabilities.compression_algorithms | ssh.log | additional.fields.key/value |
capabilities.languages.client_to_server | ssh.log | additional.fields.key/value |
capabilities.languages.server_to_client | ssh.log | additional.fields.key/value |
capabilities.is_server | ssh.log | additional.fields.key/value |
analyzer_id | ssh.log | additional.fields.key/value |
remote_location.country_code | ssh.log | additional.fields.key/value |
remote_location.region | ssh.log | target.asset.location.country_or_region |
remote_location.city | ssh.log | target.asset.location.city |
remote_location.latitude | ssh.log | additional.fields.key/value |
remote_location.longitude | ssh.log | additional.fields.key/value |
ts | ssl.log | metadata.event_timestamp |
uid | ssl.log | metadata.product_log_id |
id.orig_h | ssl.log | principal.ip |
id.orig_p | ssl.log | principal.port |
id.resp_h | ssl.log | target.ip |
id.resp_p | ssl.log | target.port |
version_num | ssl.log | additional.fields.key/value |
version | ssl.log | network.tls.version |
cipher | ssl.log | network.tls.cipher |
curve | ssl.log | network.tls.curve |
server_name | ssl.log | network.tls.client.server_name |
session_id | ssl.log | network.session_id |
resumed | ssl.log | network.tls.resumed |
client_ticket_empty_session_seen | ssl.log | additional.fields.key/value |
client_key_exchange_seen | ssl.log | additional.fields.key/value |
client_psk_seen | ssl.log | additional.fields.key/value |
last_alert | ssl.log | additional.fields.key/value |
next_protocol | ssl.log | network.tls.next_protocol |
analyzer_id | ssl.log | additional.fields.key/value |
established | ssl.log | network.tls.established |
logged | ssl.log | additional.fields.key/value |
ssl_history | ssl.log | additional.fields.key/value |
cert_chain_fps | ssl.log | additional.fields.key/value |
client_cert_chain_fps | ssl.log | additional.fields.key/value |
subject | ssl.log | network.tls.server.certificate.subject |
issuer | ssl.log | network.tls.server.certificate.issuer |
client_subject | ssl.log | network.tls.client.certificate.subject |
client_issuer | ssl.log | network.tls.client.certificate.issuer |
sni_matches_cert | ssl.log | additional.fields.key/value |
server_depth | ssl.log | additional.fields.key/value |
client_depth | ssl.log | additional.fields.key/value |
always_raise_x509_events | ssl.log | additional.fields.key/value |
last_originator_heartbeat_request_size | ssl.log | additional.fields.key/value |
last_responder_heartbeat_request_size | ssl.log | additional.fields.key/value |
originator_heartbeats | ssl.log | additional.fields.key/value |
responder_heartbeats | ssl.log | additional.fields.key/value |
heartbleed_detected | ssl.log | additional.fields.key/value |
enc_appdata_packages | ssl.log | additional.fields.key/value |
enc_appdata_bytes | ssl.log | additional.fields.key/value |
server_version | ssl.log | additional.fields.key/value |
client_version | ssl.log | additional.fields.key/value |
client_ciphers | ssl.log | network.tls.client.supported_ciphers |
ssl_client_exts | ssl.log | additional.fields.key/value |
ssl_server_exts | ssl.log | additional.fields.key/value |
ticket_lifetime_hint | ssl.log | additional.fields.key/value |
dh_param_size | ssl.log | additional.fields.key/value |
point_formats | ssl.log | additional.fields.key/value |
client_curves | ssl.log | additional.fields.key/value |
orig_alpn | ssl.log | additional.fields.key/value |
client_supported_versions | ssl.log | additional.fields.key/value |
server_supported_version | ssl.log | additional.fields.key/value |
psk_key_exchange_modes | ssl.log | additional.fields.key/value |
client_key_share_groups | ssl.log | additional.fields.key/value |
server_key_share_group | ssl.log | additional.fields.key/value |
client_comp_methods | ssl.log | additional.fields.key/value |
comp_method | ssl.log | additional.fields.key/value |
sigalgs | ssl.log | additional.fields.key/value |
hashalgs | ssl.log | additional.fields.key/value |
validation_status | ssl.log | additional.fields.key/value |
validation_code | ssl.log | additional.fields.key/value |
valid_chain | ssl.log | additional.fields.key/value |
ocsp_status | ssl.log | additional.fields.key/value |
ocsp_response | ssl.log | additional.fields.key/value |
valid_scts | ssl.log | additional.fields.key/value |
invalid_scts | ssl.log | additional.fields.key/value |
valid_ct_logs | ssl.log | additional.fields.key/value |
valid_ct_operators | ssl.log | additional.fields.key/value |
valid_ct_operators_list | ssl.log | additional.fields.key/value |
ct_proofs | ssl.log | additional.fields.key/value |
notary.first_seen | ssl.log | additional.fields.key/value |
notary.last_seen | ssl.log | additional.fields.key/value |
notary.times_seen | ssl.log | additional.fields.key/value |
notary.valid | ssl.log | additional.fields.key/value |
ts | syslog.log | metadata.event_timestamp |
uid | syslog.log | network.session_id |
id.orig_h | syslog.log | principal.ip |
id.orig_p | syslog.log | principal.port |
id.resp_h | syslog.log | target.ip |
id.resp_p | syslog.log | target.port |
proto | syslog.log | network.ip_protocol |
facility | syslog.log | additional.fields.key/value |
severity | syslog.log | security_result.severity_details |
message | syslog.log | metadata.description |
ts | tunnel.log | metadata.event_timestamp |
uid | tunnel.log | network.session_id |
id.orig_h | tunnel.log | principal.ip |
id.orig_p | tunnel.log | principal.port |
id.resp_h | tunnel.log | target.ip |
id.resp_p | tunnel.log | target.port |
tunnel_type | tunnel.log | security_result.description is set to "action %{action} on tunnel type %{tunnel_type}". |
action | tunnel.log | security_result.description is set to "action %{action} on tunnel type %{tunnel_type}". |
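The rows above mix three kinds of mapping: a direct field-to-field copy, a conditional rule (the radius.log "result" row, which sets security_result.action only for the two documented values), and a templated description built from several fields (the rdp.log and tunnel.log rows). The following is an added example, written for this page and not the Google Security Operations parser's own code, that applies those three rule kinds for radius.log, rdp.log and tunnel.log to Zeek JSON records and sends every unmapped field to additional.fields as a key/value pair. The sample lines are constructed, and the "_path" key that names the log stream is an assumption: the page does not say how the parser identifies the log type, so the samples carry it inline the way Zeek's json-streaming-logs package does. Keeping an undocumented "result" value in additional.fields instead of dropping it is also a choice made here, not something the page states.

```python
"""Apply the documented BRO_JSON mapping rules for radius.log, rdp.log and
tunnel.log to Zeek JSON records (illustrative code written for this page)."""
import json
from datetime import datetime, timezone
from typing import Any

# Constructed sample lines (not real captures). Zeek's JSON writer flattens nested
# record fields into dotted keys such as "id.orig_h". The "_path" key is an
# assumption (see the lead-in): the page does not say how the log type is detected.
SAMPLE_LINES = [
    '{"_path":"radius","ts":1700000000.1,"uid":"CHhAvVGS1DHFjwGM9","id.orig_h":"10.0.0.5",'
    '"id.orig_p":51234,"id.resp_h":"10.0.0.1","id.resp_p":1812,"username":"alice",'
    '"mac":"00:11:22:33:44:55","framed_addr":"10.0.1.20","result":"success","ttl":0.02,"logged":true}',
    '{"_path":"radius","ts":1700000001.5,"uid":"CfX2wq3gqt6gKz3nP8","id.orig_h":"10.0.0.6",'
    '"id.orig_p":51240,"id.resp_h":"10.0.0.1","id.resp_p":1812,"username":"mallory",'
    '"mac":"00:11:22:33:44:66","reply_msg":"Login incorrect","result":"failed","logged":true}',
    '{"_path":"rdp","ts":1700000002.0,"uid":"CpN4Kz1sT3vAbq2Wd","id.orig_h":"10.0.0.7",'
    '"id.orig_p":50123,"id.resp_h":"10.0.0.50","id.resp_p":3389,"cookie":"bob","result":"Success",'
    '"security_protocol":"HYBRID","client_build":"19041","client_name":"WS-07",'
    '"client_dig_product_id":"11111111-2222-3333-4444-555555555555","desktop_width":1920,"desktop_height":1080}',
    '{"_path":"tunnel","ts":1700000003.0,"uid":"CkT9pL2m0Qa7XyZ4B","id.orig_h":"192.0.2.10",'
    '"id.orig_p":0,"id.resp_h":"198.51.100.20","id.resp_p":0,"tunnel_type":"Tunnel::GRE","action":"Tunnel::DISCOVER"}',
    # A radius record with a "result" value the table does not document.
    '{"_path":"radius","ts":1700000004.0,"uid":"CzQ8mR5tY1uIo3Pa6","id.orig_h":"10.0.0.8",'
    '"id.orig_p":51250,"id.resp_h":"10.0.0.1","id.resp_p":1812,"username":"carol","result":"unknown"}',
]

# Rows shared by every connection-oriented log type in the table.
COMMON_FIELDS = {
    "ts": "metadata.event_timestamp",
    "uid": "network.session_id",
    "id.orig_h": "principal.ip",
    "id.orig_p": "principal.port",
    "id.resp_h": "target.ip",
    "id.resp_p": "target.port",
}

# Unconditional rows for the three log types handled here.
DIRECT_FIELDS = {
    "radius": {"username": "principal.user.userid", "mac": "principal.mac"},
    "rdp": {
        "cookie": "principal.user.userid",
        "client_build": "principal.asset.platform_software.platform_version",
        "client_dig_product_id": "principal.asset.asset_id",
    },
    "tunnel": {},
}


def _event_timestamp(ts: float) -> str:
    """Zeek's ts is epoch seconds; render it as an RFC 3339 UTC timestamp."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def map_record(rec: dict[str, Any]) -> dict[str, Any]:
    """Return the UDM fields (dotted paths) produced for one Zeek JSON record."""
    log_type = rec.get("_path")  # assumption, see lead-in
    udm: dict[str, Any] = {}
    consumed = {"_path"}
    for src, dst in {**COMMON_FIELDS, **DIRECT_FIELDS.get(log_type, {})}.items():
        if src in rec:
            udm[dst] = _event_timestamp(rec[src]) if src == "ts" else rec[src]
            consumed.add(src)
    if log_type == "radius":
        # Conditional row: only "success" and "failed" are documented. Any other
        # value leaves security_result.action unset and is kept as a key/value pair.
        outcome = rec.get("result")
        if outcome == "success":
            udm["security_result.action"] = "ALLOW"
            udm["security_result.summary"] = "User login successful"
            consumed.add("result")
        elif outcome == "failed":
            udm["security_result.action"] = "BLOCK"
            udm["security_result.summary"] = "User login failed"
            consumed.add("result")
    elif log_type == "rdp":
        # Templated description: "%{result} connection with security protocol %{security_protocol}".
        udm["security_result.severity"] = "INFORMATIONAL"
        udm["security_result.description"] = (
            f"{rec.get('result', '')} connection with security protocol {rec.get('security_protocol', '')}"
        )
        consumed |= {"result", "security_protocol"}
    elif log_type == "tunnel":
        # Templated description: "action %{action} on tunnel type %{tunnel_type}".
        udm["security_result.description"] = (
            f"action {rec.get('action', '')} on tunnel type {rec.get('tunnel_type', '')}"
        )
        consumed |= {"action", "tunnel_type"}
    # Every field the table does not map elsewhere lands in additional.fields.
    udm["additional.fields"] = {k: v for k, v in rec.items() if k not in consumed}
    return udm


def map_lines(lines: list[str]) -> list[dict[str, Any]]:
    """Parse and map a batch of Zeek JSON lines."""
    return [map_record(json.loads(line)) for line in lines]


if __name__ == "__main__":
    for event in map_lines(SAMPLE_LINES):
        print(json.dumps(event, indent=2))
```

Running the module prints one mapped event per sample line. The last sample is the case worth checking before migrating a rule: a radius.log record whose "result" is neither "success" nor "failed" produces no security_result.action at all, so a detection that keys only on that field will never see such an event.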
Files
The following table lists the log fields of the files log type and their corresponding UDM fields.
Original log field | Log type | UDM field |
---|---|---|
ts | files.log | metadata.event_timestamp |
fuid | files.log | metadata.product_log_id |
tx_hosts | files.log | principal.ip |
rx_hosts | files.log | target.ip |
conn_uids | files.log | additional.fields.key/value |
source | files.log | network.application_protocol and target.file.full_path |
depth | files.log | additional.fields.key/value |
analyzers | files.log | additional.fields.key/value |
mime_type | files.log | target.file.mime_type |
filename | files.log | target.file.full_path |
duration | files.log | additional.fields.key/value |
local_orig | files.log | additional.fields.key/value |
is_orig | files.log | additional.fields.key/value |
seen_bytes | files.log | target.file.size |
total_bytes | files.log | additional.fields.key/value |
missing_bytes | files.log | additional.fields.key/value |
overflow_bytes | files.log | additional.fields.key/value |
timedout | files.log | additional.fields.key/value |
parent_fuid | files.log | additional.fields.key/value |
md5 | files.log | target.file.md5 |
sha1 | files.log | target.file.sha1 |
sha256 | files.log | target.file.sha256 |
md5 | files.log | network.tls.client.certificate.md5 |
sha1 | files.log | network.tls.client.certificate.sha1 |
sha256 | files.log | network.tls.client.certificate.sha256 |
md5 | files.log | network.tls.server.certificate.md5 |
sha1 | files.log | network.tls.server.certificate.sha1 |
sha256 | files.log | network.tls.server.certificate.sha256 |
x509 | files.log | additional.fields.key/value (this field is a nested field). |
extracted | files.log | additional.fields.key/value |
extracted_cutoff | files.log | additional.fields.key/value |
extracted_size | files.log | additional.fields.key/value |
entropy | files.log | additional.fields.key/value |
ts | ocsp.log | metadata.event_timestamp |
id | ocsp.log | metadata.product_log_id |
hashAlgorithm | ocsp.log | additional.fields.key/value |
issuerNameHash | ocsp.log | additional.fields.key/value |
issuerKeyHash | ocsp.log | additional.fields.key/value |
serialNumber | ocsp.log | network.tls.server.certificate.serial |
certStatus | ocsp.log | additional.fields.key/value |
revoketime | ocsp.log | network.tls.server.certificate.not_after |
revokereason | ocsp.log | security_result.summary |
thisUpdate | ocsp.log | additional.fields.key/value |
nextUpdate | ocsp.log | additional.fields.key/value |
ts | pe.log | metadata.event_timestamp |
id | pe.log | metadata.product_log_id |
machine | pe.log | target.resource.resource_subtype |
compile_ts | pe.log | additional.fields.key/value |
os | pe.log | target.platform_version. Also, target.resource.resource_type is set to "DEVICE". |
subsystem | pe.log | target.application |
is_exe | pe.log | additional.fields.key/value |
is_64bit | pe.log | additional.fields.key/value |
uses_aslr | pe.log | additional.fields.key/value |
uses_dep | pe.log | additional.fields.key/value |
uses_code_integrity | pe.log | additional.fields.key/value |
uses_seh | pe.log | additional.fields.key/value |
has_import_table | pe.log | additional.fields.key/value |
has_export_table | pe.log | additional.fields.key/value |
has_cert_table | pe.log | additional.fields.key/value |
has_debug_data | pe.log | additional.fields.key/value |
section_names | pe.log | additional.fields.key/value |
ts | x509.log | metadata.event_timestamp. Also, target.application is set to "x509". |
fingerprint | x509.log | additional.fields.key/value |
certificate.version | x509.log | network.tls.server.certificate.version |
certificate.serial | x509.log | network.tls.server.certificate.serial |
certificate.subject | x509.log | network.tls.server.certificate.subject |
certificate.issuer | x509.log | network.tls.server.certificate.issuer |
certificate.cn | x509.log | target.hostname |
certificate.not_valid_before | x509.log | network.tls.server.certificate.not_before |
certificate.not_valid_after | x509.log | network.tls.server.certificate.not_after |
certificate.key_alg | x509.log | additional.fields.key/value |
certificate.sig_alg | x509.log | additional.fields.key/value |
certificate.key_type | x509.log | additional.fields.key/value |
certificate.key_length | x509.log | additional.fields.key/value |
certificate.exponent | x509.log | additional.fields.key/value |
certificate.curve | x509.log | network.tls.curve |
handle | x509.log | additional.fields.key/value |
extensions.name | x509.log | additional.fields.key/value |
extensions.short_name | x509.log | additional.fields.key/value |
extensions.oid | x509.log | additional.fields.key/value |
extensions.critical | x509.log | additional.fields.key/value |
extensions.value | x509.log | additional.fields.key/value |
san.dns | x509.log | additional.fields.key/value |
san.uri | x509.log | additional.fields.key/value |
san.email | x509.log | additional.fields.key/value |
san.ip | x509.log | additional.fields.key/value |
san.other_fields | x509.log | additional.fields.key/value |
basic_constraints.ca | x509.log | additional.fields.key/value |
basic_constraints.path_len | x509.log | additional.fields.key/value |
extensions_cache | x509.log | additional.fields.key/value |
host_cert | x509.log | additional.fields.key/value |
client_cert | x509.log | additional.fields.key/value |
deduplication_index.fingerprint | x509.log | additional.fields.key/value |
deduplication_index.host_cert | x509.log | additional.fields.key/value |
deduplication_index.client_cert | x509.log | additional.fields.key/value |
always_raise_x509_events | x509.log | additional.fields.key/value |
cert | x509.log | additional.fields.key/value |
Netcontrol
The following table lists the log fields of the netcontrol log type and their corresponding UDM fields.
Original log field | Log type | UDM field |
---|---|---|
ts | netcontrol.log | metadata.event_timestamp |
rule_id | netcontrol.log | security_result.rule_id |
category | netcontrol.log | security_result.category_details |
cmd | netcontrol.log | additional.fields.key/value |
state | netcontrol.log | additional.fields.key/value |
action | netcontrol.log | security_result.action_details |
target | netcontrol.log | additional.fields.key/value |
entity_type | netcontrol.log | additional.fields.key/value |
entity | netcontrol.log | security_result.summary |
mod | netcontrol.log | additional.fields.key/value |
msg | netcontrol.log | security_result.description |
priority | netcontrol.log | security_result.priority_details |
expire | netcontrol.log | additional.fields.key/value |
location | netcontrol.log | additional.fields.key/value |
plugin | netcontrol.log | additional.fields.key/value |
ts | netcontrol_drop.log | metadata.event_timestamp |
rule_id | netcontrol_drop.log | security_result.rule_id |
orig_h | netcontrol_drop.log | principal.ip |
orig_p | netcontrol_drop.log | principal.port |
resp_h | netcontrol_drop.log | target.ip |
resp_p | netcontrol_drop.log | target.port |
expire | netcontrol_drop.log | additional.fields.key/value |
location | netcontrol_drop.log | additional.fields.key/value |
ts | netcontrol_shunt.log | metadata.event_timestamp |
rule_id | netcontrol_shunt.log | security_result.rule_id |
f.src_h | netcontrol_shunt.log | principal.ip |
f.src_p | netcontrol_shunt.log | principal.port |
f.dst_h | netcontrol_shunt.log | target.ip |
f.dst_p | netcontrol_shunt.log | target.port |
expire | netcontrol_shunt.log | additional.fields.key/value |
location | netcontrol_shunt.log | additional.fields.key/value |
ts | netcontrol_catch_release.log | metadata.event_timestamp |
rule_id | netcontrol_catch_release.log | security_result.rule_id |
ip | netcontrol_catch_release.log | target.ip |
action | netcontrol_catch_release.log | security_result.action_details |
block_interval | netcontrol_catch_release.log | additional.fields.key/value |
watch_interval | netcontrol_catch_release.log | additional.fields.key/value |
blocked_until | netcontrol_catch_release.log | additional.fields.key/value |
watched_until | netcontrol_catch_release.log | additional.fields.key/value |
num_blocked | netcontrol_catch_release.log | additional.fields.key/value |
location | netcontrol_catch_release.log | additional.fields.key/value |
message | netcontrol_catch_release.log | security_result.description |
ts | openflow.log | metadata.event_timestamp |
dpid | openflow.log | additional.fields.key/value |
match.in_port | openflow.log | additional.fields.key/value |
match.dl_src | openflow.log | additional.fields.key/value |
match.dl_dst | openflow.log | additional.fields.key/value |
match.dl_vlan | openflow.log | additional.fields.key/value |
match.dl_vlan_pcp | openflow.log | additional.fields.key/value |
match.dl_type | openflow.log | additional.fields.key/value |
match.nw_tos | openflow.log | additional.fields.key/value |
match.nw_proto | openflow.log | additional.fields.key/value |
match.nw_src | openflow.log | additional.fields.key/value |
match.nw_dst | openflow.log | additional.fields.key/value |
match.tp_src | openflow.log | additional.fields.key/value |
match.tp_dst | openflow.log | additional.fields.key/value |
flow_mod.cookie | openflow.log | additional.fields.key/value |
flow_mod.table_id | openflow.log | additional.fields.key/value |
flow_mod.command | openflow.log | additional.fields.key/value |
flow_mod.idle_timeout | openflow.log | additional.fields.key/value |
flow_mod.hard_timeout | openflow.log | additional.fields.key/value |
flow_mod.priority | openflow.log | additional.fields.key/value |
flow_mod.out_port | openflow.log | additional.fields.key/value |
flow_mod.flags | openflow.log | additional.fields.key/value |
flow_mod.actions.out_ports | openflow.log | additional.fields.key/value |
flow_mod.actions.vlan_vid | openflow.log | additional.fields.key/value |
flow_mod.actions.vlan_pcp | openflow.log | additional.fields.key/value |
flow_mod.actions.vlan_strip | openflow.log | additional.fields.key/value |
flow_mod.actions.dl_src | openflow.log | additional.fields.key/value |
flow_mod.actions.dl_dst | openflow.log | additional.fields.key/value |
flow_mod.actions.nw_tos | openflow.log | additional.fields.key/value |
flow_mod.actions.nw_src | openflow.log | additional.fields.key/value |
flow_mod.actions.nw_dst | openflow.log | additional.fields.key/value |
flow_mod.actions.tp_src | openflow.log | additional.fields.key/value |
flow_mod.actions.tp_dst | openflow.log | additional.fields.key/value |
Detection
The following table lists the log fields of the detection log type and their corresponding UDM fields.
Original log field | Log type | UDM field |
---|---|---|
ts | intel.log | metadata.event_timestamp |
uid | intel.log | network.session_id |
id.orig_h | intel.log | principal.ip |
id.orig_p | intel.log | principal.port |
id.resp_h | intel.log | target.ip |
id.resp_p | intel.log | target.port |
seen.indicator | intel.log | additional.fields.key/value |
seen.indicator_type | intel.log | additional.fields.key/value |
seen.host | intel.log | additional.fields.key/value |
seen.where | intel.log | additional.fields.key/value |
seen.node | intel.log | additional.fields.key/value |
seen.conn.id.orig_h | intel.log | additional.fields.key/value |
seen.conn.id.orig_p | intel.log | additional.fields.key/value |
seen.conn.id.resp_h | intel.log | additional.fields.key/value |
seen.conn.id.resp_p | intel.log | additional.fields.key/value |
seen.conn.orig.size | intel.log | network.sent_bytes |
seen.conn.orig.state | intel.log | additional.fields.key/value |
seen.conn.orig.num_pkts | intel.log | additional.fields.key/value |
seen.conn.orig.num_bytes_ip | intel.log | additional.fields.key/value |
seen.conn.orig.flow_label | intel.log | additional.fields.key/value |
seen.conn.orig.l2_addr | intel.log | additional.fields.key/value |
seen.conn.resp.size | intel.log | network.received_bytes |
seen.conn.resp.state | intel.log | additional.fields.key/value |
seen.conn.resp.num_pkts | intel.log | additional.fields.key/value |
seen.conn.resp.num_bytes_ip | intel.log | additional.fields.key/value |
seen.conn.resp.flow_label | intel.log | additional.fields.key/value |
seen.conn.resp.l2_addr | intel.log | additional.fields.key/value |
seen.conn.start_time | intel.log | additional.fields.key/value |
seen.conn.duration | intel.log | network.session_duration |
seen.conn.service | intel.log | additional.fields.key/value |
seen.conn.history | intel.log | metadata.description |
seen.conn.uid | intel.log | network.session_id |
seen.conn.tunnel.queued | intel.log | additional.fields.key/value |
seen.conn.tunnel.dispatched | intel.log | additional.fields.key/value |
seen.conn.vlan | intel.log | additional.fields.key/value |
seen.conn.inner_vlan | intel.log | additional.fields.key/value |
seen.conn.dpd_state | intel.log | additional.fields.key/value |
seen.conn.removal_hooks | intel.log | additional.fields.key/value |
seen.conn.extract_orig | intel.log | additional.fields.key/value |
seen.conn.extract_resp | intel.log | additional.fields.key/value |
seen.conn.thresholds.orig_byte | intel.log | additional.fields.key/value |
seen.conn.thresholds.resp_byte | intel.log | additional.fields.key/value |
seen.conn.thresholds.orig_packet | intel.log | additional.fields.key/value |
seen.conn.thresholds.resp_packet | intel.log | additional.fields.key/value |
seen.conn.thresholds.duration | intel.log | additional.fields.key/value |
seen.conn.dce_rpc_state.uuid | intel.log | additional.fields.key/value |
seen.conn.dce_rpc_state.named_pipe | intel.log | additional.fields.key/value |
seen.conn.dce_rpc_state.ctx_to_uuid | intel.log | additional.fields.key/value |
seen.conn.dce_rpc_backing | intel.log | additional.fields.key/value |
seen.conn.dns_state.pending_query | intel.log | additional.fields.key/value |
seen.conn.dns_state.pending_queries | intel.log | additional.fields.key/value |
seen.conn.dns_state.pending_replies | intel.log | additional.fields.key/value |
seen.conn.ftp_data_reuse | intel.log | additional.fields.key/value |
seen.conn.http_state.pending | intel.log | additional.fields.key/value |
seen.conn.http_state.current_request | intel.log | additional.fields.key/value |
seen.conn.http_state.current_response | intel.log | additional.fields.key/value |
seen.conn.http_state.trans_depth | intel.log | additional.fields.key/value |
seen.conn.sip_state.pending | intel.log | additional.fields.key/value |
seen.conn.sip_state.current_request | intel.log | additional.fields.key/value |
seen.conn.sip_state.current_response | intel.log | additional.fields.key/value |
seen.conn.smb_state.current_cmd | intel.log | additional.fields.key/value |
seen.conn.smb_state.current_file | intel.log | additional.fields.key/value |
seen.conn.smb_state.current_tree | intel.log | additional.fields.key/value |
seen.conn.smb_state.pending_cmds | intel.log | additional.fields.key/value |
seen.conn.smb_state.fid_map | intel.log | additional.fields.key/value |
seen.conn.smb_state.tid_map | intel.log | additional.fields.key/value |
seen.conn.smb_state.uid_map | intel.log | additional.fields.key/value |
seen.conn.smb_state.pipe_map | intel.log | additional.fields.key/value |
seen.conn.smb_state.recent_files | intel.log | additional.fields.key/value |
seen.conn.smtp_state.messages_transferred | intel.log | additional.fields.key/value |
seen.conn.smtp_state.mime_depth | intel.log | additional.fields.key/value |
seen.conn.known_services_done | intel.log | additional.fields.key/value |
seen.conn.mqtt_state.publish | intel.log | additional.fields.key/value |
seen.conn.mqtt_state.subscribe | intel.log | additional.fields.key/value |
seen.conn.speculative_service | intel.log | additional.fields.key/value |
seen.uid | intel.log | additional.fields.key/value |
seen.f.id | intel.log | additional.fields.key/value |
seen.f.parent_id | intel.log | additional.fields.key/value |
seen.f.source | intel.log | target.file.full_path |
seen.f.is_orig | intel.log | additional.fields.key/value |
seen.f.conns | intel.log | additional.fields.key/value |
seen.f.last_active | intel.log | additional.fields.key/value |
seen.f.seen_bytes | intel.log | additional.fields.key/value |
seen.f.total_bytes | intel.log | additional.fields.key/value |
seen.f.missing_bytes | intel.log | additional.fields.key/value |
seen.f.overflow_bytes | intel.log | additional.fields.key/value |
seen.f.timeout_interval | intel.log | additional.fields.key/value |
seen.f.bof_buffer_size | intel.log | additional.fields.key/value |
seen.f.bof_buffer | intel.log | additional.fields.key/value |
seen.f.u2_events | intel.log | additional.fields.key/value |
seen.fuid | intel.log | additional.fields.key/value |
matched | intel.log | additional.fields.key/value |
sources | intel.log | additional.fields.key/value |
fuid | intel.log | additional.fields.key/value |
file_mime_type | intel.log | target.file.mime_type |
file_desc | intel.log | additional.fields.key/value |
cif.tags | intel.log | additional.fields.key/value |
cif.confidence | intel.log | additional.fields.key/value |
cif.source | intel.log | additional.fields.key/value |
cif.description | intel.log | additional.fields.key/value |
cif.firstseen | intel.log | additional.fields.key/value |
cif.lastseen | intel.log | additional.fields.key/value |
ts | notice.log | metadata.event_timestamp |
uid | notice.log | network.session_id |
id.orig_h | notice.log | principal.ip |
id.orig_p | notice.log | principal.port |
id.resp_h | notice.log | target.ip |
id.resp_p | notice.log | target.port |
conn.id.orig_h | notice.log | additional.fields.key/value |
conn.id.orig_p | notice.log | additional.fields.key/value |
conn.id.resp_h | notice.log | additional.fields.key/value |
conn.id.resp_p | notice.log | additional.fields.key/value |
conn.orig.size | notice.log | network.sent_bytes |
conn.orig.state | notice.log | additional.fields.key/value |
conn.orig.num_pkts | notice.log | additional.fields.key/value |
conn.orig.num_bytes_ip | notice.log | additional.fields.key/value |
conn.orig.flow_label | notice.log | additional.fields.key/value |
conn.orig.l2_addr | notice.log | additional.fields.key/value |
conn.resp.size | notice.log | network.received_bytes |
conn.resp.state | notice.log | additional.fields.key/value |
conn.resp.num_pkts | notice.log | additional.fields.key/value |
conn.resp.num_bytes_ip | notice.log | additional.fields.key/value |
conn.resp.flow_label | notice.log | additional.fields.key/value |
conn.resp.l2_addr | notice.log | additional.fields.key/value |
conn.start_time | notice.log | additional.fields.key/value |
conn.duration | notice.log | network.session_duration |
conn.service | notice.log | additional.fields.key/value |
conn.history | notice.log | metadata.description |
conn.uid | notice.log | network.session_id |
conn.tunnel.queued | notice.log | additional.fields.key/value |
conn.tunnel.dispatched | notice.log | additional.fields.key/value |
conn.vlan | notice.log | additional.fields.key/value |
conn.inner_vlan | notice.log | additional.fields.key/value |
conn.dpd_state.violations | notice.log | additional.fields.key/value |
conn.removal_hooks | notice.log | additional.fields.key/value |
conn.extract_orig | notice.log | additional.fields.key/value |
conn.extract_resp | notice.log | additional.fields.key/value |
conn.thresholds.orig_byte | notice.log | additional.fields.key/value |
conn.thresholds.resp_byte | notice.log | additional.fields.key/value |
conn.thresholds.orig_packet | notice.log | additional.fields.key/value |
conn.thresholds.resp_packet | notice.log | additional.fields.key/value |
conn.thresholds.duration | notice.log | additional.fields.key/value |
conn.dce_rpc_state.uuid | notice.log | additional.fields.key/value |
conn.dce_rpc_state.named_pipe | notice.log | additional.fields.key/value |
conn.dce_rpc_state.ctx_to_uuid | notice.log | additional.fields.key/value |
conn.dce_rpc_backing | notice.log | additional.fields.key/value |
conn.dns_state.pending_query | notice.log | additional.fields.key/value |
conn.dns_state.pending_queries | notice.log | additional.fields.key/value |
conn.dns_state.pending_replies | notice.log | additional.fields.key/value |
conn.ftp_data_reuse | notice.log | additional.fields.key/value |
conn.http_state.pending | notice.log | additional.fields.key/value |
conn.http_state.current_request | notice.log | additional.fields.key/value |
conn.http_state.current_response | notice.log | additional.fields.key/value |
conn.http_state.trans_depth | notice.log | additional.fields.key/value |
conn.sip_state.pending | notice.log | additional.fields.key/value |
conn.sip_state.current_request | notice.log | additional.fields.key/value |
conn.sip_state.current_response | notice.log | additional.fields.key/value |
conn.smb_state.pending_cmds | notice.log | additional.fields.key/value |
conn.smb_state.fid_map | notice.log | additional.fields.key/value |
conn.smb_state.tid_map | notice.log | additional.fields.key/value |
conn.smb_state.uid_map | notice.log | additional.fields.key/value |
conn.smb_state.pipe_map | notice.log | additional.fields.key/value |
conn.smb_state.recent_files | notice.log | additional.fields.key/value |
conn.smtp_state.messages_transferred | notice.log | additional.fields.key/value |
conn.smtp_state.mime_depth | notice.log | additional.fields.key/value |
conn.known_services_done | notice.log | additional.fields.key/value |
mqtt.ts | notice.log | additional.fields.key/value |
mqtt.uid | notice.log | additional.fields.key/value |
mqtt.id | notice.log | additional.fields.key/value |
mqtt.proto_name | notice.log | additional.fields.key/value |
mqtt.proto_version | notice.log | additional.fields.key/value |
mqtt.client_id | notice.log | additional.fields.key/value |
mqtt.connect_status | notice.log | additional.fields.key/value |
mqtt.will_topic | notice.log | additional.fields.key/value |
mqtt.will_payload | notice.log | additional.fields.key/value |
conn.mqtt_state.publish | notice.log | additional.fields.key/value |
conn.mqtt_state.subscribe | notice.log | additional.fields.key/value |
conn.speculative_service | notice.log | additional.fields.key/value |
iconn.orig_h | notice.log | additional.fields.key/value |
iconn.resp_h | notice.log | additional.fields.key/value |
iconn.itype | notice.log | additional.fields.key/value |
iconn.icode | notice.log | additional.fields.key/value |
iconn.len | notice.log | additional.fields.key/value |
iconn.hlim | notice.log | additional.fields.key/value |
iconn.v6 | notice.log | additional.fields.key/value |
f.id | notice.log | additional.fields.key/value |
f.parent_id | notice.log | additional.fields.key/value |
f.source | notice.log | target.file.full_path |
f.is_orig | notice.log | additional.fields.key/value |
f.conns | notice.log | additional.fields.key/value |
f.last_active | notice.log | additional.fields.key/value |
f.seen_bytes | notice.log | additional.fields.key/value |
f.total_bytes | notice.log | additional.fields.key/value |
f.missing_bytes | notice.log | additional.fields.key/value |
f.overflow_bytes | notice.log | additional.fields.key/value |
f.timeout_interval | notice.log | additional.fields.key/value |
f.bof_buffer_size | notice.log | additional.fields.key/value |
f.bof_buffer | notice.log | additional.fields.key/value |
f.u2_events | notice.log | additional.fields.key/value |
fuid | notice.log | additional.fields.key/value |
file_mime_type | notice.log | target.file.mime_type |
file_desc | notice.log | additional.fields.key/value |
proto | notice.log | network.ip_protocol |
note | notice.log | security_result.description |
msg | notice.log | security_result.summary |
sub | notice.log | additional.fields.key/value |
src | notice.log | principal.ip |
dst | notice.log | target.ip |
p | notice.log | target.port |
n | notice.log | additional.fields.key/value |
peer_name | notice.log | additional.fields.key/value |
peer_descr | notice.log | additional.fields.key/value |
actions | notice.log | security_result.action_details |
email_dest | notice.log | network.email.to (repeated) |
email_body_sections | notice.log | network.email.subject (repeated) |
email_delay_tokens | notice.log | additional.fields.key/value |
identifier | notice.log | additional.fields.key/value |
suppress_for | notice.log | additional.fields.key/value |
remote_location.country_code | notice.log | additional.fields.key/value |
remote_location.region | notice.log | principal.asset.location.country_or_region |
remote_location.city | notice.log | principal.asset.location.city |
remote_location.latitude | notice.log | additional.fields.key/value |
remote_location.longitude | notice.log | additional.fields.key/value |
dropped | notice.log | security_result.action_details |
ts | signatures.log | metadata.event_timestamp |
uid | signatures.log | network.session_id |
src_addr | signatures.log | principal.ip |
src_port | signatures.log | principal.port |
dst_addr | signatures.log | target.ip |
dst_port | signatures.log | target.port |
note | signatures.log | security_result.summary |
sig_id | signatures.log | additional.fields.key/value |
event_msg | signatures.log | metadata.description |
sub_msg | signatures.log | additional.fields.key/value |
sig_count | signatures.log | additional.fields.key/value |
host_count | signatures.log | additional.fields.key/value |
ts | traceroute.log | metadata.event_timestamp |
src | traceroute.log | principal.ip |
dst | traceroute.log | target.ip |
proto | traceroute.log | network.ip_protocol |
Network observations
The following table lists the log fields of the network observations log type and the corresponding UDM fields.
Original log field | Log type | UDM field |
---|---|---|
ts | known_certs.log | metadata.event_timestamp |
host | known_certs.log | principal.ip |
port_num | known_certs.log | principal.port |
subject | known_certs.log | network.tls.client.certificate.subject |
issuer_subject | known_certs.log | network.tls.client.certificate.issuer |
serial | known_certs.log | network.tls.client.certificate.serial |
ts | known_hosts.log | metadata.event_timestamp |
host | known_hosts.log | principal.ip |
ts | known_modbus.log | metadata.event_timestamp |
host | known_modbus.log | principal.ip |
device_type | known_modbus.log | target.resource.name; target.resource.resource_type = "DEVICE" |
ts | known_services.log | metadata.event_timestamp |
host | known_services.log | principal.ip |
port_num | known_services.log | principal.port |
port_proto | known_services.log | network.ip_protocol |
service | known_services.log | target.application |
ts | software.log | metadata.event_timestamp |
host | software.log | principal.ip |
host_p | software.log | principal.port |
software_type | software.log | principal.resource.resource_subtype |
name | software.log | principal.resource.name |
version.major | software.log | additional.fields.key/value |
version.minor | software.log | additional.fields.key/value |
version.minor2 | software.log | additional.fields.key/value |
version.minor3 | software.log | additional.fields.key/value |
version.addl | software.log | additional.fields.key/value |
unparsed_version | software.log | additional.fields.key/value |
force_log | software.log | additional.fields.key/value |
url | software.log | metadata.url_back_to_product |
Field mapping reference: event identifier to UDM event type
To understand how the parser maps log names to UDM event types, see the following sections:
Network protocols
The following table lists the log names of the network protocols log type and the corresponding UDM event types.
Log name | Description | UDM event type |
---|---|---|
conn.log | TCP/UDP/ICMP connections | NETWORK_CONNECTION |
dce_rpc.log | Distributed Computing Environment/RPC | NETWORK_CONNECTION |
dhcp.log | DHCP leases | NETWORK_DHCP |
dnp3.log | DNP3 (Distributed Network Protocol 3) requests and replies | NETWORK_CONNECTION |
dns.log | DNS activity | NETWORK_DNS |
ftp.log | FTP (File Transfer Protocol) activity | NETWORK_FTP |
http.log | HTTP requests and replies | NETWORK_HTTP |
irc.log | IRC (Internet Relay Chat) commands and responses | NETWORK_CONNECTION |
kerberos.log | Kerberos | NETWORK_CONNECTION |
modbus.log | Modbus commands and responses | NETWORK_CONNECTION |
modbus_register_change.log | Tracks changes to Modbus holding registers | GENERIC_EVENT |
mysql.log | MySQL | NETWORK_UNCATEGORIZED |
ntlm.log | NT LAN Manager (NTLM) | NETWORK_CONNECTION |
ntp.log | Network Time Protocol | NETWORK_CONNECTION |
radius.log | RADIUS authentication attempts | USER_LOGIN |
rdp.log | Remote Desktop Protocol (RDP) | NETWORK_CONNECTION |
rfb.log | Remote Framebuffer (RFB) | NETWORK_CONNECTION |
sip.log | Session Initiation Protocol (SIP) | NETWORK_UNCATEGORIZED |
smb_cmd.log | SMB (Server Message Block) commands | NETWORK_CONNECTION |
smb_files.log | SMB (Server Message Block) files | NETWORK_UNCATEGORIZED |
smb_mapping.log | SMB (Server Message Block) trees | NETWORK_CONNECTION |
smtp.log | SMTP (Simple Mail Transfer Protocol) transactions | NETWORK_SMTP |
snmp.log | SNMP (Simple Network Management Protocol) messages | NETWORK_UNCATEGORIZED |
socks.log | SOCKS proxy requests | NETWORK_CONNECTION |
ssh.log | SSH (Secure Shell) connections | NETWORK_UNCATEGORIZED |
ssl.log | SSL (Secure Sockets Layer)/TLS (Transport Layer Security) handshake info | NETWORK_HTTP, NETWORK_CONNECTION |
syslog.log | Syslog messages | NETWORK_CONNECTION |
tunnel.log | Tunneling protocol events | NETWORK_CONNECTION |
Files
The following table lists the log names of the files log type and the corresponding UDM event types.
Log name | Description | UDM event type |
---|---|---|
files.log | File analysis results | NETWORK_UNCATEGORIZED |
ocsp.log | If policy script is loaded, the Online Certificate Status Protocol (OCSP) log is created. | GENERIC_EVENT |
pe.log | Portable Executable (PE) | GENERIC_EVENT |
x509.log | X.509 certificate info | GENERIC_EVENT |
Netcontrol
The following table lists the log names of the netcontrol log type and the corresponding UDM event types.
Log name | Description | UDM event type |
---|---|---|
netcontrol.log | NetControl actions | GENERIC_EVENT |
netcontrol_drop.log | NetControl actions | STATUS_UPDATE |
netcontrol_shunt.log | NetControl shunt actions | STATUS_UPDATE |
netcontrol_catch_release.log | NetControl catch and release actions | GENERIC_EVENT |
openflow.log | OpenFlow debug log | GENERIC_EVENT |
Detection
The following table lists the log names of the detection log type and the corresponding UDM event types.
Log name | Description | UDM event type |
---|---|---|
intel.log | Intelligence data matches | GENERIC_EVENT |
notice.log | Zeek notices | NETWORK_CONNECTION |
notice_alarm.log | The alarm stream | NETWORK_CONNECTION |
signatures.log | Signature matches | GENERIC_EVENT |
traceroute.log | Traceroute detection | NETWORK_UNCATEGORIZED |
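The following is an added example, not code from Google Security Operations or from the BRO_JSON parser. It applies the notice.log field mapping table above and the Detection event-type table to a constructed Zeek notice.log JSON record, so that a rule author can see the UDM shape the documentation describes: directly mapped fields land at their UDM paths, everything else is kept as additional.fields key/value pairs, and the Zeek epoch timestamp becomes an RFC 3339 event_timestamp. The nested-dict representation of UDM, the timestamp format, and the sample record values are assumptions made for the example; only the field-to-path and log-to-event-type pairs come from this page.

```python
"""Added example (not Google SecOps parser code): a minimal normalizer that
applies this page's notice.log field mapping and Detection event-type table
to a constructed Zeek JSON record. The UDM output is modelled as a plain
nested dict; that shape, and the RFC 3339 timestamp format, are assumptions."""
import json
from datetime import datetime, timezone

# Log name -> UDM event type, copied from the Detection table on this page.
DETECTION_EVENT_TYPES = {
    "intel.log": "GENERIC_EVENT",
    "notice.log": "NETWORK_CONNECTION",
    "notice_alarm.log": "NETWORK_CONNECTION",
    "signatures.log": "GENERIC_EVENT",
    "traceroute.log": "NETWORK_UNCATEGORIZED",
}

# notice.log field -> UDM path for the directly mapped fields in the page's
# table. Any field not listed here is kept in additional.fields as key/value.
NOTICE_FIELD_MAP = {
    "ts": "metadata.event_timestamp",
    "uid": "network.session_id",
    "id.orig_h": "principal.ip",
    "id.orig_p": "principal.port",
    "id.resp_h": "target.ip",
    "id.resp_p": "target.port",
    "proto": "network.ip_protocol",
    "note": "security_result.description",
    "msg": "security_result.summary",
    "src": "principal.ip",
    "dst": "target.ip",
    "p": "target.port",
    "actions": "security_result.action_details",
}

# Constructed sample record. Zeek's JSON writer emits record fields as flat
# dotted keys (e.g. "id.orig_h"), not nested objects, and ts as epoch seconds.
SAMPLE_NOTICE = json.loads('''{"ts":1700000000.5,"uid":"CEXAMPLE1",
"id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"192.0.2.10","id.resp_p":22,
"proto":"tcp","note":"SSH::Password_Guessing",
"msg":"10.0.0.5 appears to be guessing SSH passwords",
"sub":"Sampled servers: 192.0.2.10","src":"10.0.0.5","peer_descr":"worker-1",
"actions":["Notice::ACTION_LOG"],"suppress_for":3600.0}''')


def _set_path(obj: dict, dotted: str, value) -> None:
    """Create nested dicts for a dotted UDM path such as 'principal.ip'."""
    parts = dotted.split(".")
    for part in parts[:-1]:
        obj = obj.setdefault(part, {})
    obj[parts[-1]] = value


def zeek_ts_to_rfc3339(ts: float) -> str:
    """Convert Zeek's epoch-seconds ts to an RFC 3339 UTC string."""
    stamp = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    return stamp.replace("+00:00", "Z")


def normalize_notice(record: dict) -> dict:
    """Map one notice.log JSON record to a UDM-shaped dict per the page's table."""
    udm = {
        "metadata": {"event_type": DETECTION_EVENT_TYPES["notice.log"]},
        "additional": {"fields": []},
    }
    for key, value in record.items():
        if key in NOTICE_FIELD_MAP:
            if key == "ts":
                value = zeek_ts_to_rfc3339(value)
            _set_path(udm, NOTICE_FIELD_MAP[key], value)
        else:
            # Unmapped fields are preserved as key/value pairs, as the table states.
            udm["additional"]["fields"].append({"key": key, "value": value})
    return udm


if __name__ == "__main__":
    print(json.dumps(normalize_notice(SAMPLE_NOTICE), indent=2))
```

Running the block prints the normalized event; note that `src`/`dst`/`p` map to the same `principal.ip`, `target.ip` and `target.port` paths as the `id.*` fields, so a notice that carries both sets writes the same UDM field twice, and the later key in the record wins.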
Network observations
The following table lists the log names of the network observations log type and the corresponding UDM event types.
Log name | Description | UDM event type |
---|---|---|
known_certs.log | SSL certificates | GENERIC_EVENT |
known_hosts.log | Hosts that completed TCP handshakes | GENERIC_EVENT |
known_modbus.log | Modbus master and secondary | GENERIC_EVENT |
known_services.log | Services running on hosts | GENERIC_EVENT |
software.log | Software used on the network | GENERIC_EVENT |