From 8fef390f9e26f035f34106d98cb0589e0243fb0d Mon Sep 17 00:00:00 2001 From: Dishank Khatri Date: Tue, 26 May 2026 12:34:04 +0530 Subject: [PATCH 1/2] feat: Added Asset Classification Dashboard --- corelight.conf | 531 +++++- .../Data Explorer/Asset Classification.json | 1511 +++++++++++++++++ 2 files changed, 1981 insertions(+), 61 deletions(-) create mode 100644 dashboards/Data Explorer/Asset Classification.json diff --git a/corelight.conf b/corelight.conf index af1be68..81d3c8d 100644 --- a/corelight.conf +++ b/corelight.conf @@ -2,7 +2,7 @@ # Category: NDR # Supported Format: JSON # Reference: See below -# Last Updated: 2026-02-12 +# Last Updated: 2026-05-25 # Copyright 2023 Chronicle LLC filter { @@ -614,25 +614,48 @@ filter { } on_error => "uid_conversion_failed" } + + # Mapping uids with additional.fields mutate { replace => { - "token_uid.value" = "%{uid}" + "token_uid.value.string_value" = "%{uid}" } on_error => "uid_not_found" } if ![uid_not_found] and [uid] != "" { mutate { replace => { - "token_uid.key" => "uid" + "token_uid.key" => "uid_%{index}" } } mutate { merge => { - "token_metadata.ingestion_labels" => "token_uid" + "token_additional.fields" => "token_uid" } remove_field => ["token_uid"] } } + + # Mapping uids with metadata.ingestion_labels + mutate { + replace => { + "token_uid_2.value" = "%{uid}" + } + on_error => "uid_2_not_found" + } + if ![uid_2_not_found] and [uid] != "" { + mutate { + replace => { + "token_uid_2.key" => "uid" + } + } + mutate { + merge => { + "token_metadata.ingestion_labels" => "token_uid_2" + } + remove_field => ["token_uid_2"] + } + } } } @@ -652,6 +675,12 @@ filter { on_error => "version_not_found" } + mutate { + replace => { + "token_network.application_protocol" => "HTTP" + } + } + mutate { replace => { "token_network.http.method" => "%{method}" 
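Review bot: Both `.value` assignments in the uid hunk, `"token_uid.value.string_value" = "%{uid}"` and the newly written `"token_uid_2.value" = "%{uid}"`, use `=` where every other `replace` in this hunk and in the file uses `=>`; the removed line had the same form, so the parser evidently tolerates it, but new code should follow the file's convention, `"token_uid_2.value" => "%{uid}"`. The key `"uid_%{index}"` depends on `index` being bound by an enclosing loop that starts above the hunk, and that `replace` carries no `on_error`, so an unbound `index` would not be caught; worth confirming the enclosing `for` is the one supplying it. The two blocks are otherwise copies that differ only in their target and key; a comment such as `# the same uid is written to additional.fields (keyed by index) and to metadata.ingestion_labels (fixed key "uid")` would explain why one value goes to both places.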
@@ -6866,6 +6895,12 @@ filter { # - https://docs.zeek.org/en/current/scripts/base/protocols/irc/main.zeek.html else if [_path] == "irc" { + # UDM > Network + mutate { + replace => { + "token_network.application_protocol" => "IRCP" + } + } # UDM > Principal mutate { @@ -7448,13 +7483,19 @@ filter { on_error => "failed_to_merge_intermediary" } - # UDM > Network > IP Protocol + # UDM > Network mutate { replace => { "token_network.ip_protocol" => "TCP" } } + mutate { + replace => { + "token_network.application_protocol" => "RDP" + } + } + # UDM > Security Results mutate { replace => { 
@@ -7692,53 +7733,6 @@ filter { } } - if [_path] == "conn_agg" { - mutate { - replace => { - "service" => "%{service[0]}" - } - on_error => "service_not_set" - } - } - else { - mutate { - replace => { - "service" => "%{service}" - } - on_error => "service_not_set" - } - } - - if ![service_not_set] { - mutate { - uppercase => ["service"] - } - - if [service] in ["AFP", "AMQP", "APPC", "ATOM", "BEEP", "BIT_TORRENT", - "BITCOIN", "CFDP", "CIP", "COAP", "COTP", "DCERPC", "DDS", "DEVICE_NET", "DHCP", "DICOM", - "DNP3", "DNS", "E_DONKEY", "ENRP", "FAST_TRACK", "FINGER", "FREENET", "FTAM", "GOOSE", - "GOPHER", "GRPC", "H323", "HL7", "HTTP", "HTTPS", "IEC104", "IRCP", "KADEMLIA", "KRB5", - "LDAP", "LPD", "MIME", "MMS", "MODBUS", "MQTT", "NETCONF", "NFS", "NIS", - "NNTP", "NTCIP", "NTP", "OSCAR", "PNRP", "PTP", "QUIC", "RDP", "RELP", "RIP", - "RLOGIN", "RPC", "RTMP", "RTP", "RTPS", "RTSP", "SAP", "SDP", "SIP", - "SLP", "SMB", "SMTP", "SNMP", "SNTP", "SSH", "SSMS", "STYX", "SV", "TCAP", "TDS", - "TOR", "TSP", "VTP", "WEB_DAV", "WHOIS", "X400", "X500", "XMPP"] { - mutate { - replace => { - "token_network.application_protocol" => "%{service}" - } - } - } - else { - mutate { - replace => { - "token_network.application_protocol" => - "UNKNOWN_APPLICATION_PROTOCOL" - } - } - } - } - # Mapping duration with seconds as well as nanoseconds as customer requires higher precision. # Raw field "duration": 123.456, will result in session_duration: {"seconds": 123, "nanos": 456000000} mutate { 
@@ -8879,6 +8873,60 @@ filter { } on_error => "failed_to_merge_about" } + if [_path] == "conn_agg" { + mutate { + replace => { + "service" => "%{service.0}" + } + on_error => "service_not_set" + } + } + else { + mutate { + replace => { + "service" => "%{service}" + } + on_error => "service_not_set" + } + } + + if ![service_not_set] { + mutate { + uppercase => ["service"] + } + + if [service] in ["AFP", "AMQP", "APPC", "ATOM", "BEEP", "BIT_TORRENT", + "BITCOIN", "CFDP", "CIP", "COAP", "COTP", "DCERPC", "DDS", "DEVICE_NET", "DHCP", "DICOM", + "DNP3", "DNS", "E_DONKEY", "ENRP", "FAST_TRACK", "FINGER", "FREENET", "FTAM", "FTP", "GOOSE", + "GOPHER", "GRPC", "H323", "HL7", "HTTP", "HTTPS", "IEC104", "IRCP", "KADEMLIA", "KRB5", + "LDAP", "LPD", "MIME", "MMS", "MODBUS", "MQTT", "NETCONF", "NFS", "NIS", + "NNTP", "NTCIP", "NTP", "OSCAR", "PNRP", "PTP", "QUIC", "RDP", "RELP", "RIP", + "RLOGIN", "RPC", "RTMP", "RTP", "RTPS", "RTSP", "SAP", "SDP", "SIP", + "SLP", "SMB", "SMTP", "SNMP", "SNTP", "SSH", "SSMS", "STYX", "SV", "TCAP", "TDS", + "TOR", "TSP", "VTP", "WEB_DAV", "WHOIS", "X400", "X500", "XMPP", "TELNET", + "SFTP", "IMAP", "POP3"] { + mutate { + replace => { + "token_network.application_protocol" => "%{service}" + } + } + } + else if [service] == "IRC" { + mutate { + replace => { + "token_network.application_protocol" => "IRCP" + } + } + } + else { + mutate { + replace => { + "token_network.application_protocol" => + "UNKNOWN_APPLICATION_PROTOCOL" + } + } + } + } # UDM > additional mutate { @@ -11325,7 +11373,6 @@ filter { } on_error => "failed_to_convert_icmp_code" } - mutate { replace => { "token_icmp_code.value" => "%{icmp_code}" 
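Review bot: The application-protocol allow-list is now maintained in six hunks and they no longer agree: this hunk and the ones at `@@ -12411` and `@@ -20991` gain `"TELNET", "SFTP", "IMAP", "POP3"` plus an `else if [service] == "IRC"` branch, while the `@@ -24153`, `@@ -24577` and `@@ -26243` hunks gain only `"FTP"`, so the same Zeek service value will resolve to `UNKNOWN_APPLICATION_PROTOCOL` in some log paths and to a named protocol in others. The four appended names also break the list's alphabetical order and, unlike the rest of the list, do not appear in the file before this change, so they should be checked against the UDM `ApplicationProtocol` enum before the parser depends on them. The re-added `conn_agg` branch indexes with `"%{service.0}"` where the deleted block (the `@@ -7692` hunk) used `"%{service[0]}"`; if that is an intended fix it deserves a comment, e.g. `# conn_agg carries service as a list; take its first element`. The block is also moved from before the duration mapping to after the `token_about` merge without a comment saying why the new position matters.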
@@ -12411,19 +12458,27 @@ filter { if [service] in ["AFP", "AMQP", "APPC", "ATOM", "BEEP", "BIT_TORRENT", "BITCOIN", "CFDP", "CIP", "COAP", "COTP", "DCERPC", "DDS", "DEVICE_NET", "DHCP", "DICOM", - "DNP3", "DNS", "E_DONKEY", "ENRP", "FAST_TRACK", "FINGER", "FREENET", "FTAM", "GOOSE", + "DNP3", "DNS", "E_DONKEY", "ENRP", "FAST_TRACK", "FINGER", "FREENET", "FTAM", "FTP", "GOOSE", "GOPHER", "GRPC", "H323", "HL7", "HTTP", "HTTPS", "IEC104", "IRCP", "KADEMLIA", "KRB5", "LDAP", "LPD", "MIME", "MMS", "MODBUS", "MQTT", "NETCONF", "NFS", "NIS", "NNTP", "NTCIP", "NTP", "OSCAR", "PNRP", "PTP", "QUIC", "RDP", "RELP", "RIP", "RLOGIN", "RPC", "RTMP", "RTP", "RTPS", "RTSP", "SAP", "SDP", "SIP", "SLP", "SMB", "SMTP", "SNMP", "SNTP", "SSH", "SSMS", "STYX", "SV", "TCAP", "TDS", - "TOR", "TSP", "VTP", "WEB_DAV", "WHOIS", "X400", "X500", "XMPP"] { + "TOR", "TSP", "VTP", "WEB_DAV", "WHOIS", "X400", "X500", "XMPP", "TELNET", + "SFTP", "IMAP", "POP3"] { mutate { replace => { "token_network.application_protocol" => "%{service}" } } } + else if [service] == "IRC" { + mutate { + replace => { + "token_network.application_protocol" => "IRCP" + } + } + } else { mutate { replace => { 
@@ -14124,6 +14179,278 @@ filter { } } + # ---------------------------------------------------------------------- + # Asset Classification + else if [_path] == "asset_classification" { + + # UDM > About + mutate { + convert => { + "device_type" => "string" + } + on_error => "device_type_conversion_error" + } + mutate { + replace => { + "asset_classification_about.asset.category" => "%{device_type}" + } + on_error => "asset_category_not_assigned" + } + + mutate { + replace => { + "os_name_labels.value" => "%{os_name}" + } + on_error => "os_name_not_found" + } + if ![os_name_not_found] and [os_name] != "" { + mutate { + replace => { + "os_name_labels.key" => "os_name" + } + } + mutate { + merge => { + "asset_classification_about.asset.attribute.labels" => "os_name_labels" + } + } + } + + mutate { + replace => { + "os_name" => "%{os_name}" + } + on_error => "os_name_not_set" + } + if ![os_name_not_set] { + mutate { + uppercase => ["os_name"] + } + if [os_name] in ["ANDROID", "IOS", "LINUX", "MAC", "WINDOWS"] { + mutate { + replace => { + "asset_classification_about.platform" => "%{os_name}" + } + } + } + else if [os_name] == "CHROME OS" { + mutate { + replace => { + "asset_classification_about.platform" => "CHROME_OS" + } + } + } + else if [os_name] == "MACOS" { + mutate { + replace => { + "asset_classification_about.platform" => "MAC" + } + } + } + else { + mutate { + replace => { + "asset_classification_about.platform" => "UNKNOWN_PLATFORM" + } + } + } + } + + mutate { + convert => { + "type_group" => "string" + } + on_error => "type_group_conversion_error" + } + mutate { + replace => { + "asset_classification_about.group.group_display_name" => "%{type_group}" + } + on_error => "group_display_name_not_assigned" + } + + # We planned to map type_name to about.asset.attribute.labels but it is already being used for os_name. + # So, we concluded to map type_name to resource_subtype and assign resource_type as DEVICE. 
+ mutate { + convert => { + "type_name" => "string" + } + on_error => "type_name_conversion_error" + } + mutate { + replace => { + "asset_classification_about.resource.resource_subtype" => "%{type_name}" + } + on_error => "resource_subtype_not_assigned" + } + if ![resource_subtype_not_assigned] { + mutate { + replace => { + "asset_classification_about.resource.resource_type" => "DEVICE" + } + } + } + + mutate { + convert => { + "brand" => "string" + } + on_error => "brand_conversion_error" + } + mutate { + replace => { + "asset_classification_about.user.company_name" => "%{brand}" + } + on_error => "company_name_not_assigned" + } + + for index, source in sources { + mutate { + replace => { + "temp_tag" => "%{source}" + } + on_error => "source_not_found" + } + mutate { + merge => { + "ip_geo_artifact_temp.tags" => "temp_tag" + } + on_error => "temp_tag_not_found" + } + } + mutate { + merge => { + "asset_classification_about.ip_geo_artifact" => "ip_geo_artifact_temp" + } + on_error => "ip_geo_artifact_not_found" + } + + mutate { + convert => { + "vendor_mac" => "string" + } + on_error => "vendor_mac_conversion_error" + } + mutate { + replace => { + "asset_hardware_temp.manufacturer" => "%{vendor_mac}" + } + on_error => "vendor_mac_not_found" + } + + mutate { + convert => { + "model" => "string" + } + on_error => "model_conversion_error" + } + mutate { + replace => { + "asset_hardware_temp.model" => "%{model}" + } + on_error => "model_not_found" + } + + mutate { + merge => { + "asset_classification_about.asset.hardware" => "asset_hardware_temp" + } + on_error => "asset_hardware_not_assigned" + } + + mutate { + convert => { + "confidence" => "string" + } + on_error => "confidence_conversion_error" + } + mutate { + replace => { + "asset_security_result.confidence_score" => "%{confidence}" + } + on_error => "confidence_score_not_assigned" + } + mutate { + convert => { + "asset_security_result.confidence_score" => "integer" + } + on_error => 
"confidence_score_conversion_error" + } + mutate { + merge => { + "asset_classification_about.security_result" => "asset_security_result" + } + on_error => "failed_to_merge_security_result_in_about" + } + + mutate { + convert => { + "os_ver" => "string" + } + on_error => "os_ver_conversion_error" + } + mutate { + replace => { + "asset_classification_about.platform_version" => "%{os_ver}" + } + on_error => "platform_version_not_assigned" + } + + mutate { + merge => { + "asset_classification_about.labels" => "uid_labels" + } + on_error => "uid_labels_not_found" + } + + mutate { + merge => { + "token_about" => "asset_classification_about" + } + on_error => "failed_to_merge_about" + } + + # UDM > Principal + grok { + match => { + "ip" => "%{IP:ip}" + } + overwrite => ["ip"] + on_error => "ip_not_valid" + } + if ![ip_not_valid] { + mutate { + merge => { + "token_principal.ip" => "ip" + } + on_error => "ip_not_assigned" + } + } + + grok { + match => { + "mac" => "%{MAC:mac}" + } + overwrite => ["mac"] + on_error => "mac_not_valid" + } + if ![mac_not_valid] { + mutate { + merge => { + "token_principal.mac" => "mac" + } + on_error => "mac_not_assigned" + } + } + + # UDM > Metadata + mutate { + replace => { + "token_metadata.event_type" => "STATUS_UPDATE" + } + } + } + # ---------------------------------------------------------------------- # BACNET else if [_path] == "bacnet" { @@ -16219,6 +16546,12 @@ filter { # ---------------------------------------------------------------------- # DNP3 else if [_path] == "dnp3" { + # UDM > Network + mutate { + replace => { + "token_network.application_protocol" => "DNP3" + } + } # UDM > About mutate { @@ -17514,6 +17847,12 @@ filter { } # UDM > Network + mutate { + replace => { + "token_network.application_protocol" => "FTP" + } + } + mutate { replace => { "token_network.ftp.command" => "%{command} %{arg}" 
@@ -19115,6 +19454,12 @@ filter { # ---------------------------------------------------------------------- # TDS else if [_path] == "tds" { + # UDM > Network + mutate { + replace => { + "token_network.application_protocol" => "TDS" + } + } # UDM > Principal mutate { @@ -19159,6 +19504,13 @@ filter { # ---------------------------------------------------------------------- # TDS_RPC else if [_path] == "tds_rpc" { + # UDM > Network + mutate { + replace => { + "token_network.application_protocol" => "TDS" + } + } + # UDM > About mutate { replace => { @@ -20991,19 +21343,27 @@ filter { if [app_proto] in ["AFP", "AMQP", "APPC", "ATOM", "BEEP", "BIT_TORRENT", "BITCOIN", "CFDP", "CIP", "COAP", "COTP", "DCERPC", "DDS", "DEVICE_NET", "DHCP", "DICOM", - "DNP3", "DNS", "E_DONKEY", "ENRP", "FAST_TRACK", "FINGER", "FREENET", "FTAM", "GOOSE", + "DNP3", "DNS", "E_DONKEY", "ENRP", "FAST_TRACK", "FINGER", "FREENET", "FTAM", "FTP", "GOOSE", "GOPHER", "GRPC", "H323", "HL7", "HTTP", "HTTPS", "IEC104", "IRCP", "KADEMLIA", "KRB5", "LDAP", "LPD", "MIME", "MMS", "MODBUS", "MQTT", "NETCONF", "NFS", "NIS", "NNTP", "NTCIP", "NTP", "OSCAR", "PNRP", "PTP", "QUIC", "RDP", "RELP", "RIP", "RLOGIN", "RPC", "RTMP", "RTP", "RTPS", "RTSP", "SAP", "SDP", "SIP", "SLP", "SMB", "SMTP", "SNMP", "SNTP", "SSH", "SSMS", "STYX", "SV", "TCAP", "TDS", - "TOR", "TSP", "VTP", "WEB_DAV", "WHOIS", "X400", "X500", "XMPP"] { + "TOR", "TSP", "VTP", "WEB_DAV", "WHOIS", "X400", "X500", "XMPP", "TELNET", + "SFTP", "IMAP", "POP3"] { mutate { replace => { "token_network.application_protocol" => "%{app_proto}" } } } + else if [app_proto] == "IRC" { + mutate { + replace => { + "token_network.application_protocol" => "IRCP" + } + } + } else { mutate { replace => { 
@@ -21114,6 +21474,12 @@ filter { # ---------------------------------------------------------------------- # ISO COTP else if [_path] == "iso_cotp" { + # UDM > Network + mutate { + replace => { + "token_network.application_protocol" => "COTP" + } + } # UDM > About mutate { @@ -24153,7 +24519,7 @@ filter { if [protocol] in ["AFP", "AMQP", "APPC", "ATOM", "BEEP", "BIT_TORRENT", "BITCOIN", "CFDP", "CIP", "COAP", "COTP", "DCERPC", "DDS", "DEVICE_NET", "DHCP", "DICOM", - "DNP3", "DNS", "E_DONKEY", "ENRP", "FAST_TRACK", "FINGER", "FREENET", "FTAM", "GOOSE", + "DNP3", "DNS", "E_DONKEY", "ENRP", "FAST_TRACK", "FINGER", "FREENET", "FTAM", "FTP", "GOOSE", "GOPHER", "GRPC", "H323", "HL7", "HTTP", "HTTPS", "IEC104", "IRCP", "KADEMLIA", "KRB5", "LDAP", "LPD", "MIME", "MMS", "MODBUS", "MQTT", "NETCONF", "NFS", "NIS", "NNTP", "NTCIP", "NTP", "OSCAR", "PNRP", "PTP", "QUIC", "RDP", "RELP", "RIP", @@ -24577,7 +24943,7 @@ filter { if [protocol] in ["AFP", "AMQP", "APPC", "ATOM", "BEEP", "BIT_TORRENT", "BITCOIN", "CFDP", "CIP", "COAP", "COTP", "DCERPC", "DDS", "DEVICE_NET", "DHCP", "DICOM", - "DNP3", "DNS", "E_DONKEY", "ENRP", "FAST_TRACK", "FINGER", "FREENET", "FTAM", "GOOSE", + "DNP3", "DNS", "E_DONKEY", "ENRP", "FAST_TRACK", "FINGER", "FREENET", "FTAM", "FTP", "GOOSE", "GOPHER", "GRPC", "H323", "HL7", "HTTP", "HTTPS", "IEC104", "IRCP", "KADEMLIA", "KRB5", "LDAP", "LPD", "MIME", "MMS", "MODBUS", "MQTT", "NETCONF", "NFS", "NIS", "NNTP", "NTCIP", "NTP", "OSCAR", "PNRP", "PTP", "QUIC", "RDP", "RELP", "RIP", 
@@ -26243,7 +26609,7 @@ filter { if [protocol] in ["AFP", "AMQP", "APPC", "ATOM", "BEEP", "BIT_TORRENT", "BITCOIN", "CFDP", "CIP", "COAP", "COTP", "DCERPC", "DDS", "DEVICE_NET", "DHCP", "DICOM", - "DNP3", "DNS", "E_DONKEY", "ENRP", "FAST_TRACK", "FINGER", "FREENET", "FTAM", "GOOSE", + "DNP3", "DNS", "E_DONKEY", "ENRP", "FAST_TRACK", "FINGER", "FREENET", "FTAM", "FTP", "GOOSE", "GOPHER", "GRPC", "H323", "HL7", "HTTP", "HTTPS", "IEC104", "IRCP", "KADEMLIA", "KRB5", "LDAP", "LPD", "MIME", "MMS", "MODBUS", "MQTT", "NETCONF", "NFS", "NIS", "NNTP", "NTCIP", "NTP", "OSCAR", "PNRP", "PTP", "QUIC", "RDP", "RELP", "RIP", @@ -27288,6 +27654,31 @@ filter { } } + mutate { + rename => { + "certificate.issuer" => "certificate_issuer" + } + on_error => "certificate_issuer_rename_failed" + } + mutate { + replace => { + "cert_issuer_label.value" => "%{certificate_issuer}" + } + on_error => "certificate_issuer_not_found" + } + if ![certificate_issuer_not_found] and [cert_issuer_label][value] != "" { + mutate { + replace => { + "cert_issuer_label.key" => "certificate_issuer" + } + } + mutate { + merge => { + "x509_about.labels" => "cert_issuer_label" + } + } + } + for i,var_email in san.email { mutate { replace => { @@ -30243,6 +30634,11 @@ filter { else if [_path] == "snmp" { # UDM > Network + mutate { + replace => { + "token_network.application_protocol" => "SNMP" + } + } # Mapping duration with seconds as well as nanoseconds as customer requires higher precision. # Raw field "duration": 123.456, will result in session_duration: {"seconds": 123, "nanos": 456000000} @@ -31818,8 +32214,14 @@ filter { else if [_path] == "tds_sql_batch" { - # UDM > Target + # UDM > Network + mutate { + replace => { + "token_network.application_protocol" => "TDS" + } + } + # UDM > Target mutate { replace => { "token_target.resource.resource_type" => "DATABASE" 
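Review bot: The `rename` of `certificate.issuer` to `certificate_issuer` in the x509 hunk is presumably there because the source emits `certificate.issuer` as a flat key containing a literal dot, which `%{certificate.issuer}` would read as a nested path; that reasoning is not on the page and deserves a comment, e.g. `# "certificate.issuer" is a flat key with a dot in its name; rename it so it can be referenced as a token`. Because it is a rename rather than a copy, any later reference to `certificate.issuer` in the x509 block (which continues outside the hunk) would now miss; confirm nothing downstream reads it. The `certificate_issuer_rename_failed` flag is never tested, which works only because the following `replace` has its own `on_error`; a short note saying so would save a reader from looking for the consumer.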
@@ -41538,6 +41940,13 @@ filter { } } } + + # UDM > Network + mutate { + replace => { + "token_network.application_protocol" => "TELNET" + } + } } # ---------------------------------------------------------------------- diff --git a/dashboards/Data Explorer/Asset Classification.json b/dashboards/Data Explorer/Asset Classification.json new file mode 100644 index 0000000..5778217 --- /dev/null +++ b/dashboards/Data Explorer/Asset Classification.json 
@@ -0,0 +1,1511 @@ +{ + "dashboards": [ + { + "dashboard": { + "name": "e129abce-6363-4422-b835-b3eb182b2eb8", + "displayName": "Corelight → Data Explorer → Asset Classification", + "definition": { + "filters": [ + { + "id": "GlobalTimeFilter", + "dataSource": "GLOBAL", + "filterOperatorAndFieldValues": [ + { + "filterOperator": "PAST", + "fieldValues": [ + "1", + "DAY" + ] + } + ], + "displayName": "Global Time Filter", + "chartIds": [ + "1c92d7b5-d228-43b7-9169-4ba535fa5231", + "3e31256c-8896-404a-8890-e7fb0b3920d5", + "ad8c384a-9c6d-4cfc-8f71-dde6f7d69642", + "cbc16ebd-d7c4-463c-adff-3114d4f4fd8d", + "22d48e32-2091-40f2-bd5d-73e7dbf06d0e", + "9903f26e-036a-4c29-91ad-c871f0f7662f", + "acf0b48f-1481-4b7b-a9d6-88414f048a9b", + "ff52de3a-d311-47d4-9b63-a821acb886df", + "6d69f278-c012-45b1-baca-a9c77954a35d", + "3046d7fc-f334-4def-a60b-03d1bd6d8e3a", + "572d44ea-6da7-4727-a0f8-c1f1aa251fd9", + "60769e37-5a30-46d1-8525-3a9c647933ae", + "c016171e-2346-40cf-b73e-88942423e6df" + ], + "isStandardTimeRangeFilter": true, + "isStandardTimeRangeFilterEnabled": true + }, + { + "id": "63f72959-42b7-4a44-9578-2cb3fff28399", + "dataSource": "UDM", + "fieldPath": "observer.hostname", + "filterOperatorAndFieldValues": [ + { + "filterOperator": "EQUAL", + "fieldValues": [ + "" + ] + } + ], + "displayName": "Corelight Sensor", + "chartIds": [ + "1c92d7b5-d228-43b7-9169-4ba535fa5231", + "3e31256c-8896-404a-8890-e7fb0b3920d5", + "cbc16ebd-d7c4-463c-adff-3114d4f4fd8d", + "22d48e32-2091-40f2-bd5d-73e7dbf06d0e", + "9903f26e-036a-4c29-91ad-c871f0f7662f", + "ff52de3a-d311-47d4-9b63-a821acb886df", + "6d69f278-c012-45b1-baca-a9c77954a35d", + "3046d7fc-f334-4def-a60b-03d1bd6d8e3a", + "572d44ea-6da7-4727-a0f8-c1f1aa251fd9", + "60769e37-5a30-46d1-8525-3a9c647933ae", + "c016171e-2346-40cf-b73e-88942423e6df" + ] + }, + { + "id": "65726920-9169-4824-bdb8-e06f418d5abf", + "dataSource": "UDM", + "fieldPath": "about.platform", + "filterOperatorAndFieldValues": [ + { + "filterOperator": "EQUAL", + 
"fieldValues": [ + "" + ] + } + ], + "displayName": "Operating System", + "chartIds": [ + "1c92d7b5-d228-43b7-9169-4ba535fa5231", + "3e31256c-8896-404a-8890-e7fb0b3920d5", + "cbc16ebd-d7c4-463c-adff-3114d4f4fd8d", + "22d48e32-2091-40f2-bd5d-73e7dbf06d0e", + "9903f26e-036a-4c29-91ad-c871f0f7662f", + "ff52de3a-d311-47d4-9b63-a821acb886df", + "6d69f278-c012-45b1-baca-a9c77954a35d", + "3046d7fc-f334-4def-a60b-03d1bd6d8e3a", + "572d44ea-6da7-4727-a0f8-c1f1aa251fd9", + "60769e37-5a30-46d1-8525-3a9c647933ae", + "c016171e-2346-40cf-b73e-88942423e6df" + ] + }, + { + "id": "75964862-c877-473d-841e-cac699137ded", + "dataSource": "UDM", + "fieldPath": "about.group.group_display_name", + "filterOperatorAndFieldValues": [ + { + "filterOperator": "EQUAL", + "fieldValues": [ + "" + ] + } + ], + "displayName": "Device Type Group", + "chartIds": [ + "3e31256c-8896-404a-8890-e7fb0b3920d5", + "cbc16ebd-d7c4-463c-adff-3114d4f4fd8d", + "22d48e32-2091-40f2-bd5d-73e7dbf06d0e", + "9903f26e-036a-4c29-91ad-c871f0f7662f", + "1c92d7b5-d228-43b7-9169-4ba535fa5231", + "ff52de3a-d311-47d4-9b63-a821acb886df", + "6d69f278-c012-45b1-baca-a9c77954a35d", + "3046d7fc-f334-4def-a60b-03d1bd6d8e3a", + "572d44ea-6da7-4727-a0f8-c1f1aa251fd9", + "60769e37-5a30-46d1-8525-3a9c647933ae", + "c016171e-2346-40cf-b73e-88942423e6df" + ] + }, + { + "id": "7dafa5ac-f088-47a4-9746-6def12da162d", + "dataSource": "UDM", + "fieldPath": "about.resource.resource_subtype", + "filterOperatorAndFieldValues": [ + { + "filterOperator": "EQUAL", + "fieldValues": [ + "" + ] + } + ], + "displayName": "Device Type Name", + "chartIds": [ + "3e31256c-8896-404a-8890-e7fb0b3920d5", + "cbc16ebd-d7c4-463c-adff-3114d4f4fd8d", + "22d48e32-2091-40f2-bd5d-73e7dbf06d0e", + "9903f26e-036a-4c29-91ad-c871f0f7662f", + "1c92d7b5-d228-43b7-9169-4ba535fa5231", + "ff52de3a-d311-47d4-9b63-a821acb886df", + "3046d7fc-f334-4def-a60b-03d1bd6d8e3a", + "572d44ea-6da7-4727-a0f8-c1f1aa251fd9", + "60769e37-5a30-46d1-8525-3a9c647933ae", + 
"c016171e-2346-40cf-b73e-88942423e6df", + "6d69f278-c012-45b1-baca-a9c77954a35d" + ] + }, + { + "id": "b93e70b2-e5ff-487d-9210-a54bc6018f38", + "dataSource": "UDM", + "fieldPath": "about.ip", + "filterOperatorAndFieldValues": [ + { + "filterOperator": "EQUAL", + "fieldValues": [ + "" + ] + } + ], + "displayName": "IP Address", + "chartIds": [ + "3e31256c-8896-404a-8890-e7fb0b3920d5", + "cbc16ebd-d7c4-463c-adff-3114d4f4fd8d", + "22d48e32-2091-40f2-bd5d-73e7dbf06d0e", + "9903f26e-036a-4c29-91ad-c871f0f7662f", + "1c92d7b5-d228-43b7-9169-4ba535fa5231", + "6d69f278-c012-45b1-baca-a9c77954a35d", + "3046d7fc-f334-4def-a60b-03d1bd6d8e3a", + "572d44ea-6da7-4727-a0f8-c1f1aa251fd9", + "60769e37-5a30-46d1-8525-3a9c647933ae", + "c016171e-2346-40cf-b73e-88942423e6df", + "ff52de3a-d311-47d4-9b63-a821acb886df" + ] + } + ], + "charts": [ + { + "dashboardChart": "1c92d7b5-d228-43b7-9169-4ba535fa5231", + "chartLayout": { + "startX": 0, + "spanX": 32, + "startY": 0, + "spanY": 25 + }, + "filtersIds": [ + "GlobalTimeFilter", + "63f72959-42b7-4a44-9578-2cb3fff28399", + "65726920-9169-4824-bdb8-e06f418d5abf", + "75964862-c877-473d-841e-cac699137ded", + "7dafa5ac-f088-47a4-9746-6def12da162d", + "b93e70b2-e5ff-487d-9210-a54bc6018f38" + ] + }, + { + "dashboardChart": "3e31256c-8896-404a-8890-e7fb0b3920d5", + "chartLayout": { + "startX": 32, + "spanX": 32, + "startY": 0, + "spanY": 25 + }, + "filtersIds": [ + "GlobalTimeFilter", + "63f72959-42b7-4a44-9578-2cb3fff28399", + "65726920-9169-4824-bdb8-e06f418d5abf", + "75964862-c877-473d-841e-cac699137ded", + "7dafa5ac-f088-47a4-9746-6def12da162d", + "b93e70b2-e5ff-487d-9210-a54bc6018f38" + ] + }, + { + "dashboardChart": "ff52de3a-d311-47d4-9b63-a821acb886df", + "chartLayout": { + "startX": 64, + "spanX": 32, + "startY": 0, + "spanY": 25 + }, + "filtersIds": [ + "GlobalTimeFilter", + "63f72959-42b7-4a44-9578-2cb3fff28399", + "65726920-9169-4824-bdb8-e06f418d5abf", + "75964862-c877-473d-841e-cac699137ded", + "7dafa5ac-f088-47a4-9746-6def12da162d", 
+ "b93e70b2-e5ff-487d-9210-a54bc6018f38" + ] + }, + { + "dashboardChart": "9903f26e-036a-4c29-91ad-c871f0f7662f", + "chartLayout": { + "startX": 32, + "spanX": 32, + "startY": 25, + "spanY": 25 + }, + "filtersIds": [ + "GlobalTimeFilter", + "63f72959-42b7-4a44-9578-2cb3fff28399", + "65726920-9169-4824-bdb8-e06f418d5abf", + "75964862-c877-473d-841e-cac699137ded", + "7dafa5ac-f088-47a4-9746-6def12da162d", + "b93e70b2-e5ff-487d-9210-a54bc6018f38" + ] + }, + { + "dashboardChart": "c016171e-2346-40cf-b73e-88942423e6df", + "chartLayout": { + "startX": 0, + "spanX": 32, + "startY": 25, + "spanY": 25 + }, + "filtersIds": [ + "GlobalTimeFilter", + "63f72959-42b7-4a44-9578-2cb3fff28399", + "65726920-9169-4824-bdb8-e06f418d5abf", + "75964862-c877-473d-841e-cac699137ded", + "7dafa5ac-f088-47a4-9746-6def12da162d", + "b93e70b2-e5ff-487d-9210-a54bc6018f38" + ] + }, + { + "dashboardChart": "22d48e32-2091-40f2-bd5d-73e7dbf06d0e", + "chartLayout": { + "startX": 64, + "spanX": 32, + "startY": 25, + "spanY": 25 + }, + "filtersIds": [ + "GlobalTimeFilter", + "63f72959-42b7-4a44-9578-2cb3fff28399", + "65726920-9169-4824-bdb8-e06f418d5abf", + "75964862-c877-473d-841e-cac699137ded", + "7dafa5ac-f088-47a4-9746-6def12da162d", + "b93e70b2-e5ff-487d-9210-a54bc6018f38" + ] + }, + { + "dashboardChart": "acf0b48f-1481-4b7b-a9d6-88414f048a9b", + "chartLayout": { + "startX": 0, + "spanX": 41, + "startY": 50, + "spanY": 25 + }, + "filtersIds": [ + "GlobalTimeFilter" + ] + }, + { + "dashboardChart": "572d44ea-6da7-4727-a0f8-c1f1aa251fd9", + "chartLayout": { + "startX": 41, + "spanX": 55, + "startY": 50, + "spanY": 25 + }, + "filtersIds": [ + "GlobalTimeFilter", + "63f72959-42b7-4a44-9578-2cb3fff28399", + "65726920-9169-4824-bdb8-e06f418d5abf", + "75964862-c877-473d-841e-cac699137ded", + "7dafa5ac-f088-47a4-9746-6def12da162d", + "b93e70b2-e5ff-487d-9210-a54bc6018f38" + ] + }, + { + "dashboardChart": "ad8c384a-9c6d-4cfc-8f71-dde6f7d69642", + "chartLayout": { + "startX": 41, + "spanX": 55, + "startY": 
75, + "spanY": 25 + }, + "filtersIds": [ + "GlobalTimeFilter" + ] + }, + { + "dashboardChart": "60769e37-5a30-46d1-8525-3a9c647933ae", + "chartLayout": { + "startX": 41, + "spanX": 55, + "startY": 100, + "spanY": 25 + }, + "filtersIds": [ + "GlobalTimeFilter", + "63f72959-42b7-4a44-9578-2cb3fff28399", + "65726920-9169-4824-bdb8-e06f418d5abf", + "75964862-c877-473d-841e-cac699137ded", + "7dafa5ac-f088-47a4-9746-6def12da162d", + "b93e70b2-e5ff-487d-9210-a54bc6018f38" + ] + }, + { + "dashboardChart": "6d69f278-c012-45b1-baca-a9c77954a35d", + "chartLayout": { + "startX": 0, + "spanX": 41, + "startY": 100, + "spanY": 25 + }, + "filtersIds": [ + "GlobalTimeFilter", + "63f72959-42b7-4a44-9578-2cb3fff28399", + "65726920-9169-4824-bdb8-e06f418d5abf", + "75964862-c877-473d-841e-cac699137ded", + "7dafa5ac-f088-47a4-9746-6def12da162d", + "b93e70b2-e5ff-487d-9210-a54bc6018f38" + ] + }, + { + "dashboardChart": "3046d7fc-f334-4def-a60b-03d1bd6d8e3a", + "chartLayout": { + "startX": 0, + "spanX": 41, + "startY": 75, + "spanY": 25 + }, + "filtersIds": [ + "GlobalTimeFilter", + "63f72959-42b7-4a44-9578-2cb3fff28399", + "65726920-9169-4824-bdb8-e06f418d5abf", + "75964862-c877-473d-841e-cac699137ded", + "7dafa5ac-f088-47a4-9746-6def12da162d", + "b93e70b2-e5ff-487d-9210-a54bc6018f38" + ] + }, + { + "dashboardChart": "cbc16ebd-d7c4-463c-adff-3114d4f4fd8d", + "chartLayout": { + "startX": 0, + "spanX": 96, + "startY": 125, + "spanY": 26 + }, + "filtersIds": [ + "GlobalTimeFilter", + "63f72959-42b7-4a44-9578-2cb3fff28399", + "65726920-9169-4824-bdb8-e06f418d5abf", + "75964862-c877-473d-841e-cac699137ded", + "7dafa5ac-f088-47a4-9746-6def12da162d", + "b93e70b2-e5ff-487d-9210-a54bc6018f38" + ] + } + ] + }, + "type": "CUSTOM", + "etag": "119ddd83fa0ef2809ef1ed90ded4de61df7b61adc06b68f40111dfa43d069100", + "access": "DASHBOARD_PRIVATE" + }, + "dashboardCharts": [ + { + "name": "acf0b48f-1481-4b7b-a9d6-88414f048a9b", + "displayName": "Top Applications by Operating System", + "chartDatasource": { 
+ "dashboardQuery": "0f980d95-842b-4c12-be05-c51cf9c0fbc1", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "legendOrient": "HORIZONTAL" + } + ], + "columnDefs": [ + { + "field": "os_name", + "header": "OS Name" + }, + { + "field": "app", + "header": "Application" + }, + { + "field": "count", + "header": "Count" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "28bca87b74a5a29440bbc1a38f7926dc44a0bd34be06251cbb940c76d094c398", + "drillDownConfig": {} + }, + { + "name": "ff52de3a-d311-47d4-9b63-a821acb886df", + "displayName": "Device Type Breakdown", + "description": "By Unique MAC Addresses", + "chartDatasource": { + "dashboardQuery": "cfb7ccd5-fae4-43c6-b43c-e5cb87a589d7", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "series": [ + { + "seriesType": "PIE", + "encode": { + "value": "count", + "itemName": "brand" + }, + "dataLabel": { + "show": true + }, + "radius": [ + "40%", + "70%" + ], + "itemStyle": { + "color": "b=>{var {map:c}=eig(this.theme);b=Ljg(b,zig(this.form.controls.seriesConfig.getRawValue()),a);a=b.nextColorIndex;var d;return(d=\nc.get(b.color))!=null?d:b.color}" + }, + "itemColors": { + "colors": [ + { + "key": "Computer", + "value": { + "color": "#1a73e8", + "label": "Computer" + } + }, + { + "key": "Virtual Machine", + "value": { + "color": "#eb730a", + "label": "Virtual Machine" + } + }, + { + "key": "EMPTY", + "value": { + "color": "#10a3b7", + "label": "EMPTY" + } + }, + { + "key": "Raspberry", + "value": { + "color": "#ec453b", + "label": "Raspberry" + } + }, + { + "key": "Mobile", + "value": { + "color": "#e51f8f", + "label": "Mobile" + } + } + ] + } + } + ], + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "top": 12, + "legendOrient": "HORIZONTAL" + } + ], + "groupingType": "Off" + }, + "tileType": 
"TILE_TYPE_VISUALIZATION", + "etag": "ae22dfe355f66a96c12e3a7764b7a7dd512c6772c678018702ee74dab7a34ecd", + "drillDownConfig": {} + }, + { + "name": "3046d7fc-f334-4def-a60b-03d1bd6d8e3a", + "displayName": "Detected IoT (Audio, Video, Gaming)", + "chartDatasource": { + "dashboardQuery": "b4be77ad-bd54-4155-812a-9908cc74e2b6", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "legendOrient": "HORIZONTAL" + } + ], + "columnDefs": [ + { + "field": "device_type", + "header": "device_type" + }, + { + "field": "brand", + "header": "brand" + }, + { + "field": "model", + "header": "model" + }, + { + "field": "count", + "header": "count" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "2ecb12a94926f0c3cb409972ded067f85e1a9db017728e016cdfc9544bcd970e", + "drillDownConfig": {} + }, + { + "name": "572d44ea-6da7-4727-a0f8-c1f1aa251fd9", + "displayName": "Device Types over Time", + "description": "By Unique MAC Addresses", + "chartDatasource": { + "dashboardQuery": "5384b3ad-f370-4ad9-90d7-d64661639a6e", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "series": [ + { + "seriesName": "Raspberry", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#1a73e8" + }, + "seriesUniqueValue": "Raspberry" + }, + { + "seriesName": "Virtual Machine", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#eb730a" + }, + "seriesUniqueValue": "Virtual Machine" + }, + { + "seriesName": "Computer", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#10a3b7" + }, + "seriesUniqueValue": "Computer" + }, + { + "seriesName": "Mobile", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + 
"dataLabel": {}, + "itemStyle": { + "color": "#ec453b" + }, + "seriesUniqueValue": "Mobile" + } + ], + "xAxes": [ + { + "axisType": "CATEGORY", + "displayName": "Time" + } + ], + "yAxes": [ + { + "axisType": "VALUE", + "displayName": "Active Assets" + } + ], + "legends": [ + { + "top": 12, + "legendOrient": "HORIZONTAL" + } + ], + "seriesColumn": [ + "type_name" + ], + "groupingType": "Grouped" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "c7b50c1bd421e747b410ed1344b3c75a7cb336c080d2399fe876ffd6893649a1", + "drillDownConfig": {} + }, + { + "name": "60769e37-5a30-46d1-8525-3a9c647933ae", + "displayName": "Top Models over Time", + "description": "By Unique IP Addresses", + "chartDatasource": { + "dashboardQuery": "c729e5ea-2326-4611-8906-ac2ae557162e", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "series": [ + { + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "count" + }, + "dataLabel": {} + } + ], + "xAxes": [ + { + "axisType": "CATEGORY", + "displayName": "Time" + } + ], + "yAxes": [ + { + "axisType": "CATEGORY", + "displayName": "Active Assets" + } + ], + "legends": [ + { + "top": 12, + "legendOrient": "HORIZONTAL" + } + ], + "seriesColumn": [ + "model" + ], + "groupingType": "Grouped" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "03b0bbb797f561ff304b9c5a182a4e4491fce765af3054641c8ee0cd591a5d31", + "drillDownConfig": {} + }, + { + "name": "c016171e-2346-40cf-b73e-88942423e6df", + "displayName": "Operating System Versions", + "description": "By Unique MAC Addresses", + "chartDatasource": { + "dashboardQuery": "666ea910-14c9-4fa4-9e28-3b225cb5bcc0", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "series": [ + { + "seriesType": "PIE", + "encode": { + "value": "count", + "itemName": "os" + }, + "dataLabel": { + "show": true + }, + "radius": [ + "40%", + "70%" + ], + "itemStyle": { + "color": "b=>{var 
{map:c}=eig(this.theme);b=Ljg(b,zig(this.form.controls.seriesConfig.getRawValue()),a);a=b.nextColorIndex;var d;return(d=\nc.get(b.color))!=null?d:b.color}" + }, + "itemColors": { + "colors": [ + { + "key": "Unknown", + "value": { + "color": "#1a73e8", + "label": "Unknown" + } + }, + { + "key": "Windows", + "value": { + "color": "#eb730a", + "label": "Windows" + } + }, + { + "key": "EMPTY", + "value": { + "color": "#10a3b7", + "label": "EMPTY" + } + }, + { + "key": "iOS", + "value": { + "color": "#ec453b", + "label": "iOS" + } + }, + { + "key": "Raspbian", + "value": { + "color": "#e51f8f", + "label": "Raspbian" + } + } + ] + } + } + ], + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "top": 12, + "legendOrient": "HORIZONTAL" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "7f4ea0a800a0a72d4bd15889ea5bd1e464ba6270c982296938b8854eaf3c2d95", + "drillDownConfig": {} + }, + { + "name": "3e31256c-8896-404a-8890-e7fb0b3920d5", + "displayName": "Brand Breakdown", + "description": "By Unique MAC Addresses", + "chartDatasource": { + "dashboardQuery": "8e65f3e0-2057-4c55-acf9-54a4408d3453", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "series": [ + { + "seriesType": "PIE", + "encode": { + "value": "count", + "itemName": "brand" + }, + "dataLabel": { + "show": true + }, + "radius": [ + "40%", + "70%" + ], + "itemStyle": { + "color": "b=>{var {map:c}=eig(this.theme);b=Ljg(b,zig(this.form.controls.seriesConfig.getRawValue()),a);a=b.nextColorIndex;var d;return(d=\nc.get(b.color))!=null?d:b.color}" + }, + "itemColors": { + "colors": [ + { + "key": "Unknown", + "value": { + "color": "#1a73e8", + "label": "Unknown" + } + }, + { + "key": "VMware", + "value": { + "color": "#eb730a", + "label": "VMware" + } + }, + { + "key": "Raspberry Pi", + "value": { + "color": "#10a3b7", + "label": "Raspberry Pi" + } + }, + { + "key": "EMPTY", + "value": { + "color": "#ec453b", 
+ "label": "EMPTY" + } + }, + { + "key": "HP", + "value": { + "color": "#e51f8f", + "label": "HP" + } + }, + { + "key": "Apple", + "value": { + "color": "#923ef9", + "label": "Apple" + } + } + ] + } + } + ], + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "top": 12, + "legendOrient": "HORIZONTAL" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "274f0b36d9ff6646ffb60909471484ac1241796e232f7f1518659747a05fa1cb", + "drillDownConfig": {} + }, + { + "name": "cbc16ebd-d7c4-463c-adff-3114d4f4fd8d", + "displayName": "Device Inventory with Classifications", + "chartDatasource": { + "dashboardQuery": "db7fd679-3048-4803-86d3-6cd215981240", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "legendOrient": "HORIZONTAL" + } + ], + "columnDefs": [ + { + "field": "date_hour", + "header": "Time" + }, + { + "field": "principal.ip", + "header": "principal.ip" + }, + { + "field": "confidence", + "header": "Confidence" + }, + { + "field": "mac", + "header": "MAC" + }, + { + "field": "os_name", + "header": "OS Name" + }, + { + "field": "os_ver", + "header": "OS Version" + }, + { + "field": "type_name", + "header": "Type Name" + }, + { + "field": "type_group", + "header": "Type Group" + }, + { + "field": "brand", + "header": "Brand" + }, + { + "field": "model", + "header": "Model" + }, + { + "field": "sources", + "header": "Sources" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "bd1986ff805252fd26f0ea22d2d70928b65c775dd6dd07e82dcbcacd4081805d", + "drillDownConfig": {} + }, + { + "name": "22d48e32-2091-40f2-bd5d-73e7dbf06d0e", + "displayName": "Discovery Source", + "description": "By Unique IP Addresses", + "chartDatasource": { + "dashboardQuery": "9c6004b5-ac70-4139-a712-d9352841acf5", + "dataSources": [ + "UDM" + 
] + }, + "visualization": { + "series": [ + { + "seriesType": "PIE", + "encode": { + "value": "count", + "itemName": "source" + }, + "dataLabel": { + "show": true + }, + "radius": [ + "40%", + "70%" + ], + "itemStyle": { + "color": "b=>{var {map:c}=eig(this.theme);b=Ljg(b,zig(this.form.controls.seriesConfig.getRawValue()),a);a=b.nextColorIndex;var d;return(d=\nc.get(b.color))!=null?d:b.color}" + }, + "itemColors": { + "colors": [ + { + "key": "http", + "value": { + "color": "#1a73e8", + "label": "http" + } + }, + { + "key": "dhcp", + "value": { + "color": "#eb730a", + "label": "dhcp" + } + }, + { + "key": "both", + "value": { + "color": "#10a3b7", + "label": "both" + } + } + ] + } + } + ], + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "top": 12, + "legendOrient": "HORIZONTAL" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "f76689caaa502ce73d9606dfd1d8f0e37312bfce8bda0a6f01587dab6cf64a4b", + "drillDownConfig": {} + }, + { + "name": "1c92d7b5-d228-43b7-9169-4ba535fa5231", + "displayName": "Total Operating Systems", + "description": "By Unique MAC Addresses", + "chartDatasource": { + "dashboardQuery": "ae56e14a-84dd-4456-87e5-9e6d67d68d36", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "legendOrient": "HORIZONTAL" + } + ], + "columnDefs": [ + { + "field": "os_name", + "header": "os_name" + }, + { + "field": "count", + "header": "count" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "3965c1aa12f3b3ae6343ee8514de0d2b73987979226deee40c986a92036274d1", + "drillDownConfig": {} + }, + { + "name": "6d69f278-c012-45b1-baca-a9c77954a35d", + "displayName": "Classification Details per Host", + "chartDatasource": { + "dashboardQuery": "d9c0eac5-e0b3-43c6-a4d6-06eb76a7407f", + "dataSources": [ + "UDM" + 
] + }, + "visualization": { + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "legendOrient": "HORIZONTAL" + } + ], + "columnDefs": [ + { + "field": "principal.ip", + "header": "principal.ip" + }, + { + "field": "os_name", + "header": "OS Name" + }, + { + "field": "type_name", + "header": "Type Name" + }, + { + "field": "type_group", + "header": "Type Group" + } + ], + "groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "83ed3afdad380d46fa4147a0bce0cc3dea70a1d2e5ba72226c796651aef10220", + "drillDownConfig": {} + }, + { + "name": "ad8c384a-9c6d-4cfc-8f71-dde6f7d69642", + "displayName": "Data Transferred by Device Type", + "description": "By IP Address", + "chartDatasource": { + "dashboardQuery": "ced2eb15-d653-436b-a2ed-cd891f7b9167", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "series": [ + { + "seriesName": "MOBILE", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "total_bytes" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#1a73e8" + }, + "seriesUniqueValue": "MOBILE" + }, + { + "seriesName": "LAPTOP", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "total_bytes" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#eb730a" + }, + "seriesUniqueValue": "LAPTOP" + }, + { + "seriesName": "RASPBERRY", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "total_bytes" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#10a3b7" + }, + "seriesUniqueValue": "RASPBERRY" + }, + { + "seriesName": "COMPUTER", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "total_bytes" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#ec453b" + }, + "seriesUniqueValue": "COMPUTER" + }, + { + "seriesName": "VIRTUAL_MACHINE", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "total_bytes" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#e51f8f" + }, + "seriesUniqueValue": "VIRTUAL_MACHINE" + 
}, + { + "seriesName": "TABLET", + "seriesType": "LINE", + "encode": { + "x": "date_hour", + "y": "total_bytes" + }, + "dataLabel": {}, + "itemStyle": { + "color": "#923ef9" + }, + "seriesUniqueValue": "TABLET" + } + ], + "xAxes": [ + { + "axisType": "CATEGORY", + "displayName": "Time" + } + ], + "yAxes": [ + { + "axisType": "VALUE", + "displayName": "Total Bytes" + } + ], + "legends": [ + { + "top": 12, + "legendOrient": "HORIZONTAL" + } + ], + "seriesColumn": [ + "device_type" + ], + "groupingType": "Grouped" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "f9a7d23dfb0181d15085d97be9edf3495a05fcf68ce0b5ab5983d76eafcb445f", + "drillDownConfig": {} + }, + { + "name": "9903f26e-036a-4c29-91ad-c871f0f7662f", + "displayName": "Device Groupings", + "description": "By Unique IP Addresses", + "chartDatasource": { + "dashboardQuery": "110cd1bd-1317-4c1b-8d50-6718c0d57e93", + "dataSources": [ + "UDM" + ] + }, + "visualization": { + "series": [ + { + "seriesType": "PIE", + "encode": { + "value": "count", + "itemName": "brand" + }, + "dataLabel": { + "show": true + }, + "radius": [ + "40%", + "70%" + ], + "itemStyle": { + "color": "b=>{var {map:c}=eig(this.theme);b=Ljg(b,zig(this.form.controls.seriesConfig.getRawValue()),a);a=b.nextColorIndex;var d;return(d=\nc.get(b.color))!=null?d:b.color}" + }, + "itemColors": { + "colors": [ + { + "key": "Home & Office", + "value": { + "color": "#1a73e8", + "label": "Home & Office" + } + }, + { + "key": "Mobile", + "value": { + "color": "#eb730a", + "label": "Mobile" + } + }, + { + "key": "Server", + "value": { + "color": "#10a3b7", + "label": "Server" + } + }, + { + "key": "EMPTY", + "value": { + "color": "#ec453b", + "label": "EMPTY" + } + }, + { + "key": "Engineering", + "value": { + "color": "#e51f8f", + "label": "Engineering" + } + } + ] + } + } + ], + "xAxes": [ + { + "axisType": "VALUE" + } + ], + "yAxes": [ + { + "axisType": "VALUE" + } + ], + "legends": [ + { + "top": 12, + "legendOrient": "HORIZONTAL" + } + ], + 
"groupingType": "Off" + }, + "tileType": "TILE_TYPE_VISUALIZATION", + "etag": "a968d27db5584a5aa4245b6786614556e16edd9dd8f18e5e91794d026cb17432", + "drillDownConfig": {} + } + ], + "dashboardQueries": [ + { + "name": "8e65f3e0-2057-4c55-acf9-54a4408d3453", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"asset_classification\" \r\n$brand=if(about.user.company_name!=\"\", about.user.company_name, \"Unknown\")\r\nprincipal.mac!=\"\"\r\nmatch:\r\n $brand\r\noutcome:\r\n $count=count_distinct(principal.mac)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "9763dab3e2f9659b03af78493bf8c9ac61a0312c4dbe8ab21258ffbc4e9b0dc9" + }, + { + "name": "ced2eb15-d653-436b-a2ed-cd891f7b9167", + "query": "$e1.metadata.vendor_name=\"Corelight\"\r\n$e1.metadata.product_event_type = \"asset_classification\"\r\n$e2.metadata.vendor_name=\"Corelight\"\r\n$e2.metadata.product_event_type = \"conn\"\r\n\r\n$e1.principal.ip = $e2.principal.ip\r\n$device_type=if($e1.about.asset.category!=\"\", $e1.about.asset.category, \"Unknown\")\r\n$date_hour=timestamp.get_timestamp($e1.metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\n\r\nmatch:\r\n $date_hour, $device_type\r\noutcome:\r\n $bytes_in = sum(cast.as_float($e2.target.labels[\"resp_ip_bytes\"]))\r\n $bytes_out = sum(cast.as_float($e2.principal.labels[\"orig_ip_bytes\"]))\r\n $total_bytes = math.round(($bytes_in + $bytes_out)/1073741824, 2)\r\norder:\r\n $date_hour, $total_bytes asc", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "9a89a1af7204b2e507dba4f51d54c5590a30e25459a1bbaf7afba72be3641f2c" + }, + { + "name": "110cd1bd-1317-4c1b-8d50-6718c0d57e93", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"asset_classification\" \r\n$brand=if(about.group.group_display_name!=\"\", about.group.group_display_name, \"Unknown\")\r\nmatch:\r\n 
$brand\r\noutcome:\r\n $count=count_distinct(principal.ip)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "758d272a73c21aeacc505bb0981f88eb967373a7f53d235546c9a29266b23da0" + }, + { + "name": "ae56e14a-84dd-4456-87e5-9e6d67d68d36", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"asset_classification\" \r\n$os_name=if(about.asset.attribute.labels.value!=\"\", about.asset.attribute.labels.value, \"Unknown\")\r\nprincipal.mac!=\"\"\r\nmatch:\r\n $os_name\r\noutcome:\r\n $count=count_distinct(principal.mac)\r\norder:\r\n $count desc \r\nlimit:\r\n 10\r\n", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "6a0bef006ad3f5d215c3e815d19a7faab267b1e5dbcc55e9103baf0b3ff289c0" + }, + { + "name": "c729e5ea-2326-4611-8906-ac2ae557162e", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"asset_classification\"\r\n$model=if(about.asset.hardware.model!=\"\", about.asset.hardware.model, \"Unknown\")\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\nmatch:\r\n $date_hour, $model\r\noutcome:\r\n $count=count_distinct(principal.ip)\r\norder:\r\n $date_hour, $count asc", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "bc71197233baed21632bda7f02c1795b5d794b5d763343a5be7d3e212535611a" + }, + { + "name": "666ea910-14c9-4fa4-9e28-3b225cb5bcc0", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"asset_classification\"\r\n$os= if(about.asset.attribute.labels.value!=\"\" AND about.platform_version!=\"\", strings.concat(about.asset.attribute.labels.value, \" \", about.platform_version), if(about.asset.attribute.labels.value!=\"\", about.asset.attribute.labels.value, \"Unknown\"))\r\nprincipal.mac!=\"\"\r\nmatch:\r\n $os\r\noutcome:\r\n 
$count=count_distinct(principal.mac)\r\norder:\r\n $count desc", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "50de59acb2dd24784a059609e26152d7ab1baec31b0f2a6201678dea008731b9" + }, + { + "name": "db7fd679-3048-4803-86d3-6cd215981240", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"asset_classification\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\n$confidence = if(about.security_result.confidence_score>=40, \"High\", if(about.security_result.confidence_score>=20, \"Medium\", if(about.security_result.confidence_score>=1, \"Low\", \"Unknown\")))\r\nmatch:\r\n $date_hour, principal.ip, $confidence\r\noutcome:\r\n $mac=array_distinct(if(principal.mac!=\"\", principal.mac, \"Unknown\"))\r\n $os_name=array_distinct(if(about.asset.attribute.labels.value!=\"\", about.asset.attribute.labels.value, \"Unknown\"))\r\n $os_ver=array_distinct(if(about.platform_version!=\"\", about.platform_version, \"Unknown\"))\r\n $type_name=array_distinct(if(about.resource.resource_subtype!=\"\", about.resource.resource_subtype, \"Unknown\"))\r\n $type_group=array_distinct(if(about.group.group_display_name!=\"\", about.group.group_display_name, \"Unknown\"))\r\n $brand=array_distinct(if(about.user.company_name!=\"\", about.user.company_name, \"Unknown\"))\r\n $model=array_distinct(if(about.asset.hardware.model!=\"\", about.asset.hardware.model, \"Unknown\"))\r\n $sources=array_distinct(if(about.ip_geo_artifact.tags!=\"\", about.ip_geo_artifact.tags, \"Unknown\"))\r\nlimit:\r\n 100", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "8033ab217fe25249c8f2c57184d4e45d5728cdddd026495abe5a330b6490200c" + }, + { + "name": "9c6004b5-ac70-4139-a712-d9352841acf5", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = 
\"asset_classification\"\r\nabout.ip_geo_artifact.tags!=\"\"\r\n$source=if(about.ip_geo_artifact.tags=\"http\" AND about.ip_geo_artifact.tags=\"dhcp\", \"both\", about.ip_geo_artifact.tags)\r\nmatch:\r\n $source\r\noutcome:\r\n $count=count_distinct(principal.ip)\r\norder:\r\n $count desc\r\nlimit:\r\n 10", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "aad0cedea642f965c56c29500f36807bb2d50702d81f4fd672160ce8f1b1b3d5" + }, + { + "name": "0f980d95-842b-4c12-be05-c51cf9c0fbc1", + "query": "$e1.metadata.vendor_name=\"Corelight\"\r\n$e1.metadata.product_event_type = \"asset_classification\"\r\n$e2.metadata.vendor_name=\"Corelight\"\r\n$e2.metadata.product_event_type = \"conn\"\r\n\r\n$e1.principal.ip = $e2.principal.ip\r\n$os_name=if($e1.about.asset.attribute.labels.value!=\"\", $e1.about.asset.attribute.labels.value, \"Unknown\")\r\n$app=if($e2.about.application!=\"\", $e2.about.application, \"Unknown\")\r\n\r\nmatch:\r\n $os_name, $app\r\noutcome:\r\n $count=count_distinct($e2.metadata.ingestion_labels.value)\r\norder:\r\n $count desc", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "733150cfa1a6d5aa32124fe073962bc55083b25ef97c13eb54b13a48fd0311f2" + }, + { + "name": "cfb7ccd5-fae4-43c6-b43c-e5cb87a589d7", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"asset_classification\" \r\n$brand=if(about.resource.resource_subtype!=\"\", about.resource.resource_subtype, \"Unknown\")\r\nprincipal.mac!=\"\"\r\nmatch:\r\n $brand\r\noutcome:\r\n $count=count_distinct(principal.mac)\r\norder:\r\n $count desc \r\nlimit:\r\n 10", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "3c766f49eb6d600dc11213c16e6ffc7639bcf456d5de4368a74a4556103b5ba7" + }, + { + "name": "d9c0eac5-e0b3-43c6-a4d6-06eb76a7407f", + "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = 
\"asset_classification\"\r\n$os = if(about.asset.attribute.labels.value!=\"\", about.asset.attribute.labels.value, \"Unknown\")\r\n$name = if(about.resource.resource_subtype!=\"\", about.resource.resource_subtype, \"Unknown\")\r\n$group = if(about.group.group_display_name!=\"\", about.group.group_display_name, \"Unknown\")\r\nmatch:\r\n principal.ip\r\noutcome:\r\n $os_name = array_distinct($os)\r\n $type_name = array_distinct($name)\r\n $type_group = array_distinct($group)\r\nlimit:\r\n 100",
+ "input": {
+ "relativeTime": {
+ "timeUnit": "DAY",
+ "startTimeVal": "1"
+ }
+ },
+ "etag": "c099b2ba0b5c833f491de0995c1d7d2efb82fb9ce70530a17e03ca5c8637ab1b"
+ },
+ {
+ "name": "b4be77ad-bd54-4155-812a-9908cc74e2b6",
+ "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"asset_classification\"\r\nabout.group.group_display_name = \"Audio & Video\" OR about.group.group_display_name = \"Smart Home\" OR about.asset.category = \"GAME_CONSOLE\"\r\n$device_type=if(about.asset.category!=\"\", about.asset.category, \"Unknown\")\r\n$brand=if(about.user.company_name!=\"\", about.user.company_name, \"Unknown\")\r\n$model=if(about.asset.hardware.model!=\"\", about.asset.hardware.model, \"Unknown\")\r\n\r\nmatch:\r\n $device_type, $brand, $model\r\noutcome:\r\n $count=count_distinct(principal.ip)\r\norder:\r\n $count desc\r\nlimit:\r\n 100",
+ "input": {
+ "relativeTime": {
+ "timeUnit": "DAY",
+ "startTimeVal": "1"
+ }
+ },
+ "etag": "4d9da6a56eab1a58bd3b610e03170ef73098cc42cfcefb480627dca52f55c465"
+ },
+ {
+ "name": "5384b3ad-f370-4ad9-90d7-d64661639a6e",
+ "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"asset_classification\"\r\n$type_name=if(about.resource.resource_subtype!=\"\", about.resource.resource_subtype, \"Unknown\")\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\nprincipal.mac!=\"\"\r\nmatch:\r\n $date_hour, $type_name\r\noutcome:\r\n 
$count=count_distinct(principal.mac)\r\norder:\r\n $date_hour, $count asc", + "input": { + "relativeTime": { + "timeUnit": "DAY", + "startTimeVal": "1" + } + }, + "etag": "d089606ea416aaa8cdcc70f8d1a3807d24aa150cabeb098d90f274a29850e549" + } + ] + } + ] +} \ No newline at end of file From 906d5fce89779af1253e1a0fe633aac059f5a16f Mon Sep 17 00:00:00 2001 From: Dishank Khatri Date: Tue, 2 Jun 2026 12:00:08 +0530 Subject: [PATCH 2/2] Updated and Synced md files --- README.md | 651 +- corelight_md.md | 22826 ++++++++-------- .../Data Explorer/Asset Classification.json | 298 +- 3 files changed, 12699 insertions(+), 11076 deletions(-) diff --git a/README.md b/README.md index f87d33a..1362a9c 100644 --- a/README.md +++ b/README.md @@ -14,9 +14,7 @@ For more information, see [Data ingestion to Chronicle](https://cloud.google.com The following deployment architecture diagram illustrates how a Corelight Sensor is set up to send logs to Google Security Operations using two different ingestion architectures. It's important to note that each customer deployment may vary from this representation and could be more complex. -An ingestion label identifies the parser which normalizes raw log data -to structured UDM format. The information in this document applies to the parser -with the `CORELIGHT` ingestion label. +An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the `CORELIGHT` ingestion label. ## Ingesting Logs into Google SecOps using Corelight Exporters 
@@ -28,8 +26,7 @@ The architecture diagram shows the following components: * **Corelight Sensor exporters**: The [Corelight Sensor exporter](https://docs.corelight.com/docs/sensor/sensor/export/goosecops_exp.html) collects log data from the Sensor, and forwards it to Google Security Operations. -* **Google Security Operations**: Google Security Operations retains and analyzes the logs from - Corelight Sensor. +* **Google Security Operations**: Google Security Operations retains and analyzes the logs from Corelight Sensor. ### Configure the Google SecOps exporter in Corelight Use the Sensor or Fleet Manager web interface to configure the Google SecOps exporter. This configuration uses the API credentials from your Google SecOps instance to establish the secure connection. @@ -80,12 +77,9 @@ The architecture diagram shows the following components: * **Corelight Sensor exporter**: The [Corelight Sensor exporter](https://docs.corelight.com/docs/sensor/sensor/export/syslog.html) collects log data from the Sensor, and forwards it to the Google Security Operations forwarder. -* **Google Security Operations forwarder**: The Google Security Operations forwarder is a lightweight - software component, deployed in the customer's network, that supports syslog. - The Google Security Operations forwarder forwards the logs to Google Security Operations. +* **Google Security Operations forwarder**: The Google Security Operations forwarder is a lightweight software component, deployed in the customer's network, that supports syslog. The Google Security Operations forwarder forwards the logs to Google Security Operations. -* **Google Security Operations**: Google Security Operations retains and analyzes the logs from - Corelight Sensor. +* **Google Security Operations**: Google Security Operations retains and analyzes the logs from Corelight Sensor. ### Configure the Google Security Operations forwarder @@ -129,9 +123,11 @@ The Corelight parser supports the following log types:

Log Type

    +
  • asset_classification
  • conn
  • conn_long
  • conn_red
  • +
  • conn_agg
  • dce_rpc
  • dns
  • dns_red
  • @@ -156,6 +152,12 @@ The Corelight parser supports the following log types:
  • bacnet
  • cip
  • corelight_burst
  • +
  • corelight_metrics_bro
  • +
  • corelight_metrics_disk
  • +
  • corelight_metrics_iface
  • +
  • corelight_metrics_memory
  • +
  • corelight_metrics_system
  • +
  • corelight_metrics_zeek_doctor
  • corelight_overall_capture_loss
  • corelight_profiling
  • datared
  • @@ -228,7 +230,6 @@ The Corelight parser supports the following log types:
  • wireguard
  • x509
  • x509_red
  • -
  • conn_agg
  • dns_agg
  • files_agg
  • http_agg
  • @@ -243,7 +244,7 @@ The Corelight parser supports the following log types:
-## Field mapping reference +## Field mapping reference This section explains how the Google Security Operations parser maps Google Security Operations fields to Google Security Operations Unified Data Model (UDM) fields. @@ -382,6 +383,101 @@ The following table lists common fields of the CORELIGHT log and th +

Field mapping reference: CORELIGHT - asset_classification

+ +The following table lists the log fields of the asset_classification log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to STATUS_UPDATE.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
ip (string - addr)principal.ip
macprincipal.mac
vendor_mac (string)about.asset.hardware.manufacturer
device_type (string)about.asset.category
os_name (string)about.platform
os_name (string)about.asset.attribute.labels
type_group (string)about.group.group_display_name
type_name (string)about.resource.resource_subtypeThe about.resource.resource_type UDM field is set to DEVICE
brand (string)about.user.company_name
model (string)about.asset.hardware.model
confidence (integer)about.security_result.confidence_score
os_ver (string)about.platform_version
sources (array[string])about.ip_geo_artifact.tags
+
+

Field mapping reference: CORELIGHT - conn, conn_red, conn_long, conn_agg

The following table lists the log fields of the conn, conn_red, conn_long, conn_agg log type and their corresponding UDM fields. @@ -10092,6 +10188,537 @@ The following table lists the log fields of the logschema log type + +

Field mapping reference: CORELIGHT - corelight_metrics_bro

+ +The following table lists the log fields of the corelight_metrics_bro log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to zeek.
logs.conn.entries.per-second (integer)about.labels [logs_conn_entries_per_second]
logs.dce_rpc.entries.per-second (integer)about.labels [logs_dce_rpc_entries_per_second]
logs.dhcp.entries.per-second (integer)about.labels [logs_dhcp_entries_per_second]
logs.dnp3.entries.per-second (integer)about.labels [logs_dnp3_entries_per_second]
logs.dns.entries.per-second (integer)about.labels [logs_dns_entries_per_second]
logs.dpd.entries.per-second (integer)about.labels [logs_dpd_entries_per_second]
logs.files.entries.per-second (integer)about.labels [logs_files_entries_per_second]
logs.ftp.entries.per-second (integer)about.labels [logs_ftp_entries_per_second]
logs.http.entries.per-second (integer)about.labels [logs_http_entries_per_second]
logs.irc.entries.per-second (integer)about.labels [logs_irc_entries_per_second]
logs.kerberos.entries.per-second (integer)about.labels [logs_kerberos_entries_per_second]
logs.modbus.entries.per-second (integer)about.labels [logs_modbus_entries_per_second]
logs.mysql.entries.per-second (integer)about.labels [logs_mysql_entries_per_second]
logs.ntlm.entries.per-second (integer)about.labels [logs_ntlm_entries_per_second]
logs.pe.entries.per-second (integer)about.labels [logs_pe_entries_per_second]
logs.radius.entries.per-second (integer)about.labels [logs_radius_entries_per_second]
logs.rdp.entries.per-second (integer)about.labels [logs_rdp_entries_per_second]
logs.rfb.entries.per-second (integer)about.labels [logs_rfb_entries_per_second]
logs.sip.entries.per-second (integer)about.labels [logs_sip_entries_per_second]
logs.smb_files.entries.per-second (integer)about.labels [logs_smb_files_entries_per_second]
logs.smb_mapping.entries.per-second (integer)about.labels [logs_smb_mapping_entries_per_second]
logs.smtp.entries.per-second (integer)about.labels [logs_smtp_entries_per_second]
logs.snmp.entries.per-second (integer)about.labels [logs_snmp_entries_per_second]
logs.socks.entries.per-second (integer)about.labels [logs_socks_entries_per_second]
logs.software.entries.per-second (integer)about.labels [logs_software_entries_per_second]
logs.ssh.entries.per-second (integer)about.labels [logs_ssh_entries_per_second]
logs.ssl.entries.per-second (integer)about.labels [logs_ssl_entries_per_second]
logs.syslog.entries.per-second (integer)about.labels [logs_syslog_entries_per_second]
logs.traceroute.entries.per-second (integer)about.labels [logs_traceroute_entries_per_second]
logs.tunnel.entries.per-second (integer)about.labels [logs_tunnel_entries_per_second]
logs.weird.entries.per-second (integer)about.labels [logs_weird_entries_per_second]
logs.x509.entries.per-second (integer)about.labels [logs_x509_entries_per_second]
files.per-minute (integer)about.labels [files_per_minute]
files.queued.s3 (integer)about.labels [files_queued_s3]
files.queued.sftp (integer)about.labels [files_queued_sftp]
files.total (integer)about.labels [files_total]
logs.splunk_export.lag (integer)about.labels [logs_splunk_export_lag]
logs.syslog_export.lag (integer)about.labels [logs_syslog_export_lag]
logs.json_export.lag (integer)about.labels [logs_json_export_lag]
logs.kafka_export.lag (integer)about.labels [logs_kafka_export_lag]
logs.investigator_export.lag (integer)about.labels [logs_investigator_export_lag]
logs.kinesis_export.lag (integer)about.labels [logs_kinesis_export_lag]
logs.hec_export.lag (integer)about.labels [logs_hec_export_lag]
logs.elasticsearch_export.lag (integer)about.labels [logs_elasticsearch_export_lag]
cpu (integer)about.labels [cpu]
+
+
+ +

Field mapping reference: CORELIGHT - corelight_metrics_iface

+ +The following table lists the log fields of the corelight_metrics_iface log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to zeek.
monitor.total.kpps (integer)about.labels [monitor_total_kpps]
monitor.total.drops.kpps (integer)about.labels [monitor_total_drops_kpps]
monitor.total.mbps (integer)about.labels [monitor_total_mbps]
mgmt.in.bytes.mbps (integer)about.labels [mgmt_in_bytes_mbps]
mgmt.out.bytes.mbps (integer)about.labels [mgmt_out_bytes_mbps]
mgmt.in.packets.kpps (integer)about.labels [mgmt_in_packets_kpps]
mgmt.out.packets.kpps (integer)about.labels [mgmt_out_packets_kpps]
+
+
+ +

Field mapping reference: CORELIGHT - corelight_metrics_system

+ +The following table lists the log fields of the corelight_metrics_system log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to zeek.
cpu.1.temprature (integer)about.labels [cpu_1_temprature]
+
+
+ +

Field mapping reference: CORELIGHT - corelight_metrics_memory

+ +The following table lists the log fields of the corelight_metrics_memory log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to zeek.
usage (integer)about.labels [usage]
+
+
+ +

Field mapping reference: CORELIGHT - corelight_metrics_disk

+ +The following table lists the log fields of the corelight_metrics_disk log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to zeek.
usage.data (integer)about.labels [usage_data]
usage.os (integer)about.labels [usage_os]
+
+
+ +

Field mapping reference: CORELIGHT - corelight_metrics_zeek_doctor

+ +The following table lists the log fields of the corelight_metrics_zeek_doctor log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to zeek.
check.bursty.percent (integer)about.labels [check_bursty_percent]
check.dns_half_duplex_orig.percent (integer)about.labels [check_dns_half_duplex_orig_percent]
check.dns_half_duplex_resp.percent (integer)about.labels [check_dns_half_duplex_resp_percent]
check.local_to_local.percent (integer)about.labels [check_local_to_local_percent]
check.remote_to_remote.percent (integer)about.labels [check_remote_to_remote_percent]
check.tcp_backscatter.percent (integer)about.labels [check_tcp_backscatter_percent]
check.tcp_byte_counts_wrong.percent (integer)about.labels [check_tcp_byte_counts_wrong_percent]
check.tcp_half_duplex.percent (integer)about.labels [check_tcp_half_duplex_percent]
check.tcp_missed_bytes.percent (integer)about.labels [check_tcp_missed_bytes_percent]
check.tcp_no_ssl_on_443.percent (integer)about.labels [check_tcp_no_ssl_on_443_percent]
check.tcp_no_three_way_handshake.percent (integer)about.labels [check_tcp_no_three_way_handshake_percent]
check.tcp_retransmissions.percent (integer)about.labels [check_tcp_retransmissions_percent]
check.tcp_scan.percent (integer)about.labels [check_tcp_scan_percent]
+
+

Field mapping reference: CORELIGHT - analyzer

The following table lists the log fields of the analyzer log type and their corresponding UDM fields. diff --git a/corelight_md.md b/corelight_md.md index c97d3fd..68b913c 100644 --- a/corelight_md.md +++ b/corelight_md.md 
@@ -1,10915 +1,11911 @@ -# Collect Corelight Sensor logs - -This document describes how you can collect Corelight Sensor logs by configuring the Corelight Sensor and a Chronicle forwarder. This document also lists the supported log types and supported Corelight versions. - -For more information, see [Data ingestion to Chronicle](https://cloud.google.com/chronicle/docs/data-ingestion-flow). - -The following deployment architecture diagram shows how a Corelight Sensor is configured to send logs to Chronicle . Each customer deployment might differ from this representation and might be more complex. - -![Deployment architecture](images/corelight_parser_arch.png) - -The architecture diagram shows the following components: - -* **Corelight Sensor**: The system running the [Corelight Sensor](https://docs.corelight.com/docs/sensor/sensor/export/syslog.html). - -* **The Corelight Sensor exporter**: The [Corelight Sensor exporter](https://docs.corelight.com/docs/sensor/sensor/export/syslog.html) collects log data from the Sensor, and forwards it to the Chronicle forwarder. - -* **Chronicle forwarder**: The Chronicle forwarder is a lightweight software component, deployed in the customer's network, that supports syslog. The Chronicle forwarder forwards the logs to Chronicle . - -* **Chronicle**: Chronicle retains and analyzes the logs from Corelight Sensor. - -An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the `CORELIGHT` ingestion label. - -## Before you begin - -* Verify the version of your Corelight Sensor. The Corelight Chronicle parser was designed for version 27.4 and earlier. Later versions of the Corelight Sensor might have additional logs that the parser will not recognize, and those logs might receive limited or no field parsing. However, the log content will still be available in the raw log format in Chronicle. 
- -* Ensure that all systems in the deployment architecture are configured with the UTC time zone. - -## Supported Corelight log types - -The Corelight parser supports the following log types: -
-

Log Type

-
    -
  • conn
  • -
  • conn_long
  • -
  • conn_red
  • -
  • conn_agg
  • -
  • dce_rpc
  • -
  • dns
  • -
  • dns_red
  • -
  • files
  • -
  • files_red
  • -
  • http
  • -
  • http2
  • -
  • http_red
  • -
  • intel
  • -
  • irc
  • -
  • notice
  • -
  • rdp
  • -
  • sip
  • -
  • smb_files
  • -
  • smb_mapping
  • -
  • smtp
  • -
  • smtp_links
  • -
  • ssh
  • -
  • ssl
  • -
  • ssl_red
  • -
  • suricata_corelight
  • -
  • bacnet
  • -
  • cip
  • -
  • corelight_burst
  • -
  • corelight_metrics_bro
  • -
  • corelight_metrics_disk
  • -
  • corelight_metrics_iface
  • -
  • corelight_metrics_memory
  • -
  • corelight_metrics_system
  • -
  • corelight_metrics_zeek_doctor
  • -
  • corelight_overall_capture_loss
  • -
  • corelight_profiling
  • -
  • datared
  • -
  • dga
  • -
  • dhcp
  • -
  • dnp3
  • -
  • dpd
  • -
  • encrypted_dns
  • -
  • enip
  • -
  • enip_debug
  • -
  • enip_list_identity
  • -
  • etc_viz
  • -
  • ftp
  • -
  • generic_dns_tunnels
  • -
  • generic_icmp_tunnels
  • -
  • icmp_specific_tunnels
  • -
  • ipsec
  • -
  • iso_cotp
  • -
  • kerberos
  • -
  • known_certs
  • -
  • known_devices
  • -
  • known_domains
  • -
  • known_hosts
  • -
  • known_names
  • -
  • known_remotes
  • -
  • known_services
  • -
  • known_users
  • -
  • ldap
  • -
  • ldap_search
  • -
  • local_subnets
  • -
  • local_subnets_dj
  • -
  • local_subnets_graphs
  • -
  • log4shell
  • -
  • modbus
  • -
  • mqtt_connect
  • -
  • mqtt_publish
  • -
  • mqtt_subscribe
  • -
  • mysql
  • -
  • napatech_shunting
  • -
  • ntlm
  • -
  • ntp
  • -
  • pe
  • -
  • profinet
  • -
  • profinet_dce_rpc
  • -
  • profinet_debug
  • -
  • radius
  • -
  • reporter
  • -
  • rfb
  • -
  • s7comm
  • -
  • smartpcap
  • -
  • snmp
  • -
  • socks
  • -
  • software
  • -
  • specific_dns_tunnels
  • -
  • stepping
  • -
  • stun
  • -
  • stun_nat
  • -
  • suricata_eve
  • -
  • suricata_stats
  • -
  • syslog
  • -
  • tds
  • -
  • tds_rpc
  • -
  • tds_sql_batch
  • -
  • traceroute
  • -
  • tunnel
  • -
  • unknown-smartpcap
  • -
  • vpn
  • -
  • weird
  • -
  • weird_red
  • -
  • wireguard
  • -
  • x509
  • -
  • x509_red
  • -
  • dns_agg
  • -
  • files_agg
  • -
  • http_agg
  • -
  • ssl_agg
  • -
  • weird_agg
  • -
  • analyzer
  • -
  • anomaly
  • -
  • ssdp
  • -
  • telnet
  • -
  • websocket
  • -
  • first_seen
  • -
-
- - -## Configure the Chronicle forwarder - -To configure the Chronicle forwarder, do the following: - -1. Set up a Chronicle forwarder. See [Install and configure the forwarder on Linux](https://cloud.google.com/chronicle/docs/install/forwarder-linux). - -2. Configure the Chronicle forwarder to listen for data. - - ```none - collectors: - - syslog: - common: - enabled: true - data_type: CORELIGHT - data_hint: - batch_n_seconds: 10 - batch_n_bytes: 1048576 - tcp_address: - tcp_buffer_size: 524288 - udp_address: - connection_timeout_sec: 60 - ``` - -## Configure the Corelight Sensor exporter - -1. Log into your Corelight Sensor as an administrator. -2. Select the **Export** tab. -3. Find and enable **EXPORT TO SYSLOG** option. -4. Under **EXPORT TO SYSLOG**, configure: - * **SYSLOG SERVER**: Specify the IP address and port of the Chronicle forwarder syslog listener. - * Navigate to **Advanced Settings > SYSLOG FORMAT**, and change the setting to **Legacy**. - - -![Corelight Sensor Configuration](images/chronicle.jpg) -5. Click **Apply Changes**. - -## Field mapping reference - -This section explains how the Chronicle parser maps Corelight fields to Chronicle Unified Data Model (UDM) fields. -

Field mapping reference: CORELIGHT - Common Fields

- -The following table lists common fields of the CORELIGHT log and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.vendor_nameThe metadata.vendor_name UDM field is set to Corelight.
_path (string)metadata.product_event_type
_system_name (string)observer.hostname
ts (time)metadata.event_timestamp
uid (string)about.labels [uid], network.session_id
id.orig_h (string - addr)principal.ip
id.orig_p (integer - port)principal.port
id.resp_h (string - addr)target.ip
id.resp_p (integer - port)target.port
uids (array[string] - vector of string)additional.fields [uid]
count (integer - int)additional.fields [count]
ts_lastadditional.fields [ts_last]
-
-
-

Field mapping reference: CORELIGHT - conn, conn_red, conn_long, conn_agg

- -The following table lists the log fields of the conn, conn_red, conn_long, conn_agg log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
proto (string - enum)network.ip_protocol
service (string)network.application_protocol
duration (number - interval)network.session_duration
orig_bytes (integer - count)network.sent_bytes
resp_bytes (integer - count)network.received_bytes
conn_state (string)metadata.descriptionIf the conn_state log field value is equal to S0, then the metadata.description UDM field is set to S0: Connection attempt seen, no reply.

Else, if the conn_state log field value is equal to S1, then the metadata.description UDM field is set to S1: Connection established, not terminated.

Else, if the conn_state log field value is equal to S2, then the metadata.description UDM field is set to S2: Connection established and close attempt by originator seen (but no reply from responder).

Else, if the conn_state log field value is equal to S3, then the metadata.description UDM field is set to S3: Connection established and close attempt by responder seen (but no reply from originator).

Else, if the conn_state log field value is equal to SF, then the metadata.description UDM field is set to SF: Normal SYN/FIN completion.

Else, if the conn_state log field value is equal to REJ, then the metadata.description UDM field is set to REJ: Connection attempt rejected.

Else, if the conn_state log field value is equal to RSTO, then the metadata.description UDM field is set to RSTO: Connection established, originator aborted (sent a RST).

Else, if the conn_state log field value is equal to RSTOS0, then the metadata.description UDM field is set to RSTOS0: Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder.

Else, if the conn_state log field value is equal to RSTOSH, then the metadata.description UDM field is set to RSTOSH: Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator.

Else, if the conn_state log field value is equal to RSTR, then the metadata.description UDM field is set to RSTR: Established, responder aborted.

Else, if the conn_state log field value is equal to SH, then the metadata.description UDM field is set to SH: Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was "half" open).

Else, if the conn_state log field value is equal to SHR, then the metadata.description UDM field is set to SHR: Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator.

Else, if the conn_state log field value is equal to OTH, then the metadata.description UDM field is set to OTH: No SYN seen, just midstream traffic (a partial connection that was not later closed).
local_orig (boolean - bool)about.labels [local_orig]
local_resp (boolean - bool)about.labels [local_resp]
missed_bytes (integer - count)about.labels [missed_bytes]
history (string)about.labels [history]
orig_pkts (integer - count)network.sent_packets
orig_ip_bytes (integer - count)principal.labels [orig_ip_bytes]
resp_pkts (integer - count)network.received_packets
resp_ip_bytes (integer - count)target.labels [resp_ip_bytes]
tunnel_parents (array[string] - set[string])intermediary.labels [tunnel_parent]
orig_cc (string)principal.ip_geo_artifact.location.country_or_region
resp_cc (string)target.ip_geo_artifact.location.country_or_region
suri_ids (array[string] - set[string])security_result.rule_id
spcap.url (string)security_result.url_back_to_product
spcap.rule (integer - count)security_result.rule_labels [spcap_rule]
spcap.trigger (string)security_result.detection_fields [spcap_trigger]
app (array[string] - vector of string)about.application
corelight_shunted (boolean - bool)about.labels [corelight_shunted]
orig_shunted_pkts (integer - count)principal.labels [orig_shunted_pkts]
orig_shunted_bytes (integer - count)principal.labels [orig_shunted_bytes]
resp_shunted_pkts (integer - count)target.labels [resp_shunted_pkts]
resp_shunted_bytes (integer - count)target.labels [resp_shunted_bytes]
orig_l2_addr (string)principal.mac
resp_l2_addr (string)target.mac
id_orig_h_n.src (string)principal.labels [id_orig_h_n_src]
id_orig_h_n.vals (array[string] - set[string])principal.labels [id_orig_h_n_val]
id_resp_h_n.src (string)target.labels [id_resp_h_n_src]
id_resp_h_n.vals (array[string] - set[string])target.labels [id_resp_h_n_val]
vlan (integer - int)intermediary.labels [vlan]
inner_vlan (integer - int)intermediary.labels [inner_vlan]
community_id (string)network.community_id
security_result.severityThe security_result.severity UDM field is set to INFORMATIONAL.
service (string)about.labels [service]
id_orig_h_nprincipal.ip
id_resp_h_ntarget.ip
netskope_site_idsadditional.fields[netskope_site_ids]Iterate through log field netskope_site_ids, then
netskope_site_id_%{index} log field is mapped to the additional.fields.key UDM field and netskope_site_id log field is mapped to the additional.fields.value UDM field.
netskope_user_idsadditional.fields[netskope_user_ids]Iterate through log field netskope_user_ids, then
netskope_user_id_%{index} log field is mapped to the additional.fields.key UDM field and netskope_user_id log field is mapped to the additional.fields.value UDM field.
write_tsadditional.fields[write_ts]
spcap.urls (array[string] - vector of string)security_result.url_back_to_productIterate through log field spcap.urls, then
spcap.urls log field is mapped to the security_result.url_back_to_product UDM field.
community_ids (array[string] - vector of string)network.community_idIterate through log field community_ids, then
if index is equal to 0 then, community_id log field is mapped to the network.community_id UDM field.
Else, community_id_%{index} log field is mapped to the additional.fields.key UDM field and community_id log field is mapped to the additional.fields.value UDM field.
-
-
-

Field mapping reference: CORELIGHT - dce_rpc

- -The following table lists the log fields of the dce_rpc log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
rtt (number - interval)network.session_duration
named_pipe (string)intermediary.resource.name
intermediary.resource.resource_typeIf the named_pipe log field value is not empty, then the intermediary.resource.resource_type UDM field is set to PIPE.
endpoint (string)target.labels [endpoint]
operation (string)target.labels [operation]
network.application_protocolThe network.application_protocol UDM field is set to DCERPC.
security_result.severityThe security_result.severity UDM field is set to INFORMATIONAL.
operation, endpoint, named_pipe (string)metadata.descriptionThe metadata.description UDM field is set with operation, endpoint, named_pipe log fields as "operation operation on endpoint using named pipe named_pipe".
network.ip_protocolThe network.ip_protocol UDM field is set to TCP.
-
-
-

Field mapping reference: CORELIGHT - dns, dns_red, dns_agg

- -The following table lists the log fields of the dns, dns_red, dns_agg log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_DNS.
network.application_protocolThe network.application_protocol UDM field is set to DNS.
proto (string - enum)network.ip_protocol
trans_id (integer - count)network.dns.id
rtt (number - interval)network.session_duration
query (string)network.dns.questions.name
qclass (integer - count)network.dns.questions.class
qclass_name (string)about.labels [qclass_name]
qtype (integer - count)network.dns.questions.type
qtype_name (string)about.labels [qtype_name]
rcode (integer - count)network.dns.response_code
rcode_name (string)about.labels [rcode_name]
AA (boolean - bool)network.dns.authoritative
TC (boolean - bool)network.dns.truncated
RD (boolean - bool)network.dns.recursion_desired
RA (boolean - bool)network.dns.recursion_available
Z (integer - count)about.labels [Z]
answers (array[string] - vector of string)network.dns.answers.name
TTLs (array[number] - vector of interval)network.dns.answers.ttl
rejected (boolean - bool)network.dns.response
is_trusted_domain (string)about.labels [is_trusted_domain]
icann_host_subdomain (string)about.labels [icann_host_subdomain]
icann_domain (string)network.dns_domain
icann_tld (string)about.labels [icann_tld]
num (integer - count)security_result.detection_fields [num]
-
-
-

Field mapping reference: CORELIGHT - http, http_red, http2, http_agg

- -The following table lists the log fields of the http, http_red, http2, http_agg log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_HTTP.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
trans_depth (integer - count)about.labels [trans_depth]
method (string)network.http.method
host (string)target.hostname
uri (string)target.url
referrer (string)network.http.referral_url
version (string)network.application_protocol_version
user_agent (string)network.http.user_agent
origin (string)principal.hostname
request_body_len (integer - count)network.sent_bytes
response_body_len (integer - count)network.received_bytes
status_code (integer - count)network.http.response_code
status_msg (string)about.labels [status_msg]
info_code (integer - count)about.labels [info_code]
info_msg (string)about.labels [info_msg]
tags (array[string] - set[enum])about.labels [tags]
username (string)principal.user.user_display_name
password (string)extensions.auth.auth_details The password value that Zeek extracts from the HTTP request (for example, HTTP Basic authentication credentials) is written to this UDM field as-is. Confirm that retaining cleartext credentials in the SIEM is acceptable for your environment, or redact or drop this field upstream before ingestion.
proxied (array[string] - set[string])intermediary.hostname
orig_fuids (array[string] - vector of string)about.labels [orig_fuid]
orig_filenames (array[string] - vector of string)src.file.namesThe orig_filenames log field is mapped to src.file.names UDM field when index value in orig_filenames is equal to 0.

For every other index value, orig_filenames log field is mapped to the about.file.names. -
orig_mime_types (array[string] - vector of string)src.file.mime_typeThe orig_mime_types log field is mapped to src.file.mime_type UDM field when index value in orig_mime_types is equal to 0.

For every other index value, orig_mime_types log field is mapped to the about.file.mime_type. -
resp_fuids (array[string] - vector of string)about.labels [resp_fuid]
resp_filenames (array[string] - vector of string)target.file.namesThe resp_filenames log field is mapped to target.file.names UDM field when index value in resp_filenames is equal to 0.

For every other index value, resp_filenames log field is mapped to the about.file.names. -
resp_mime_types (array[string] - vector of string)target.file.mime_typeThe resp_mime_types log field is mapped to target.file.mime_type UDM field when index value in resp_mime_types is equal to 0.

For every other index value, resp_mime_types log field is mapped to the about.file.mime_type. -
post_body (string)about.labels [post_body]
stream_id (integer - count)about.labels [stream_id]
encoding (string)about.labels [encoding]
push (boolean - bool)about.labels [push]
versions (array[float] - vector of float)network.application_protocol_versionIterate through log field versions, then
if index is equal to 0 then, version log field is mapped to the network.application_protocol_version UDM field.
Else, version_%{index} log field is mapped to the additional.fields.key UDM field and version log field is mapped to the additional.fields.value UDM field.
user_agents (array[string] - vector of string)network.http.user_agentIterate through log field user_agents, then
if index is equal to 0 then, user_agent log field is mapped to the network.http.user_agent UDM field.
Else, user_agent_%{index} log field is mapped to the additional.fields.key UDM field and user_agent log field is mapped to the additional.fields.value UDM field.
-
-
-

Field mapping reference: CORELIGHT - smtp_links

- -The following table lists the log fields of the smtp_links log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_SMTP.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to SMTP.
fuid (string)about.labels [fuid]
link (string)about.url
domain (string)about.domain.name
-
-
-

Field mapping reference: CORELIGHT - irc

- -The following table lists the log fields of the irc log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
nick (string)principal.user.user_display_name
user (string)principal.user.useridIf the length of the user log field value is 255 characters or fewer, then the user log field is mapped to the principal.user.userid UDM field.

Else, the user log field is mapped to the about.labels UDM field.
command, value, addlprincipal.process.command_line
dcc_file_name (string)src.file.names
dcc_file_size (integer - count)src.file.size
dcc_mime_type (string)src.file.mime_type
fuid (string)about.labels [fuid]
-
-
-

Field mapping reference: CORELIGHT - files, files_red, files_agg

- -The following table lists the log fields of the files, files_red, files_agg log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
fuid (string)about.labels [fuid]
tx_hosts (array[string] - set[addr])principal.ip
rx_hosts (array[string] - set[addr])target.ip
conn_uids (array[string] - set[string])about.labels [conn_uid]
source (string)about.labels [source]
depth (integer - count)about.labels [depth]
analyzers (array[string] - set[string])about.labels [analyzer]
mime_type (string)about.file.mime_type
filename (string)about.file.names
duration (number - interval)about.labels [duration]
local_orig (boolean - bool)about.labels [local_orig]
is_orig (boolean - bool)about.labels [is_orig]
seen_bytes (integer - count)about.file.size
total_bytes (integer - count)about.labels [total_bytes]
missing_bytes (integer - count)about.labels [missing_bytes]
overflow_bytes (integer - count)about.labels [overflow_bytes]
timedout (boolean - bool)about.labels [timedout]
parent_fuid (string)about.labels [parent_fuid]
md5 (string)about.file.md5
sha1 (string)about.file.sha1
sha256 (string)about.file.sha256
extracted (array[string] - set[string])about.file.names
extracted_cutoff (boolean - bool)about.labels [extracted_cutoff]
extracted_size (integer - count)about.labels [extracted_size]
num (integer - count)about.labels [num]
mime_types (array[string] - vector of string)target.file.mime_typeIterate through the log field mime_types, then
if the index is equal to 0, the mime_types element is mapped to the target.file.mime_type UDM field.
Else, mime_type_%{index} is set as the additional.fields.key UDM field and the mime_types element is mapped to the additional.fields.value UDM field.
timedouts (array[boolean] - vector of bool)additional.fields[timedouts]Iterate through log field timedouts, then
timedout_%{index} log field is mapped to the additional.fields.key UDM field and timedouts log field is mapped to the additional.fields.value UDM field.
-
-
-

Field mapping reference: CORELIGHT - notice

- -The following table lists the log fields of the notice log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
fuid (string)about.labels [fuid]
file_mime_type (string)target.file.mime_type
file_desc (string)about.labels [file_desc]
proto (string - enum)network.ip_protocol
note (string - enum)security_result.description
msg (string)metadata.description
sub (string)about.labels [sub]
src (string - addr)principal.ip
dst (string - addr)target.ip
p (integer - port)about.port
n (integer - count)about.labels [n]
peer_descr (string)about.labels [peer_descr]
security_result.action The security_result.action UDM field is set to ALLOW.
actions (array[string] - set[enum])security_result.action_details
suppress_for (number - interval)about.labels [suppress_for]
remote_location.country_code (string)about.location.country_or_regionThe about.location.country_or_region UDM field is set with remote_location.country_code, remote_location.region log fields as "remote_location.country_code: remote_location.region".
remote_location.region (string)about.location.country_or_regionThe about.location.country_or_region UDM field is set with remote_location.country_code, remote_location.region log fields as "remote_location.country_code: remote_location.region".
remote_location.city (string)about.location.city
remote_location.latitude (number - double)about.location.region_coordinates.latitude
remote_location.longitude (number - double)about.location.region_coordinates.longitude
security_result.severityIf the severity.level log field value is equal to 0 or 1 or 2, then the security_result.severity UDM field is set to CRITICAL.

Else, if the severity.level log field value is equal to 3, then the security_result.severity UDM field is set to ERROR.

Else, if the severity.level log field value is equal to 4, then the security_result.severity UDM field is set to HIGH.

Else, if the severity.level log field value is equal to 5, then the security_result.severity UDM field is set to LOW.

Else, if the severity.level log field value is equal to 6, then the security_result.severity UDM field is set to INFORMATIONAL.

Else, the security_result.severity UDM field is set to UNKNOWN_SEVERITY.
severity.namesecurity_result.severity_details
severity.levelsecurity_result.detection_fields [severity_level]
orig_vulnerable_host.cve (array[string] - vector of string)principal.asset.vulnerabilities.cve_id
-
-
-

Field mapping reference: CORELIGHT - smb_files

- -The following table lists the log fields of the smb_files log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeIf the action log field value is equal to SMB::FILE_READ, then the metadata.event_type UDM field is set to FILE_READ.

Else, if the action log field value is equal to SMB::FILE_WRITE, then the metadata.event_type UDM field is set to FILE_MODIFICATION.

Else, if the action log field value is equal to SMB::FILE_OPEN, then the metadata.event_type UDM field is set to FILE_OPEN.

Else, if the action log field value is equal to SMB::FILE_CLOSE, then the metadata.event_type UDM field is set to FILE_UNCATEGORIZED.

Else, if the action log field value is equal to SMB::FILE_DELETE, then the metadata.event_type UDM field is set to FILE_DELETION.

Else, if the action log field value is equal to SMB::FILE_RENAME, then the metadata.event_type UDM field is set to FILE_MOVE.

Else, if the action log field value is equal to SMB::FILE_SET_ATTRIBUTE, then the metadata.event_type UDM field is set to FILE_UNCATEGORIZED.

Else, the metadata.event_type UDM field is set to FILE_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to SMB.
network.ip_protocolThe network.ip_protocol UDM field is set to TCP.
action, namemetadata.descriptionThe metadata.description UDM field is set with action, name log fields as "action: action on: name".
security_result.severityThe security_result.severity UDM field is set to INFORMATIONAL.
security_result.actionThe security_result.action UDM field is set to ALLOW.
fuid (string)about.labels [fuid]
action (string - enum)target.labels [action]
path (string)target.file.full_path
name (string)target.file.names
size (integer - count)target.file.size
prev_name (string)src.file.names
times.modified (time)target.file.last_modification_time
times.accessed (time)target.file.last_seen_time
times.created (time)target.file.first_seen_time
times.changed (time)target.labels [times_changed]
data_offset_req (integer - count)target.labels [data_offset_req]
data_len_req (integer - count)target.labels [data_len_req]
data_len_rsp (integer - count)target.labels [data_len_rsp]
-
-
-

Field mapping reference: CORELIGHT - smb_mapping

- -The following table lists the log fields of the smb_mapping log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to SMB.
network.ip_protocolThe network.ip_protocol UDM field is set to TCP.
security_result.severityThe security_result.severity UDM field is set to INFORMATIONAL.
security_result.actionThe security_result.action UDM field is set to ALLOW.
path (string)target.resource.attribute.labels [path]
service (string)target.application
native_file_system (string)target.resource.attribute.labels [native_file_system]
share_type (string)target.resource.resource_typeIf the share_type log field value is equal to DISK, then the target.resource.resource_type UDM field is set to STORAGE_OBJECT.

Else, if the share_type log field value is equal to PIPE, then the target.resource.resource_type UDM field is set to PIPE.

Else, the target.resource.resource_type UDM field is set to UNSPECIFIED.
share_type (string)target.resource.resource_subtype
-
-
-

Field mapping reference: CORELIGHT - ssl, ssl_red, ssl_agg

- -The following table lists the log fields of the ssl, ssl_red, ssl_agg log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to HTTPS. Note that the Zeek ssl log records every TLS/SSL session regardless of the application protocol carried inside the tunnel, so this constant does not by itself confirm that HTTP was the upper-layer protocol; use the server port or the network.tls.next_protocol (ALPN) value to confirm.
network.ip_protocolThe network.ip_protocol UDM field is set to TCP.
security_result.severityThe security_result.severity UDM field is set to INFORMATIONAL.
security_result.actionThe security_result.action UDM field is set to ALLOW.
version (string)network.tls.version
cipher (string)network.tls.cipher
curve (string)network.tls.curve
server_name (string)network.tls.client.server_name
resumed (boolean - bool)network.tls.resumed
last_alert (string)security_result.description
next_protocol (string)network.tls.next_protocol
established (boolean - bool)network.tls.established
ssl_history (string)about.labels [ssl_history]
cert_chain_fps (array[string] - vector of string)target.labels [cert_chain_fps]
client_cert_chain_fps (array[string] - vector of string)principal.labels [client_cert_chain_fps]
sni_matches_cert (boolean - bool)about.labels [sni_matches_cert]
validation_status (string)security_result.description
ja3 (string)network.tls.client.ja3
ja3s (string)network.tls.server.ja3s
-
-
-

Field mapping reference: CORELIGHT - rdp

- -The following table lists the log fields of the rdp log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
cookie (string)principal.user.userid
result (string)about.labels [result]
security_protocol (string)target.labels [security_protocol]
client_channels (array[string] - vector of string)intermediary.labels [client_channels]
keyboard_layout (string)principal.labels [keyboard_layout]
client_build (string)principal.asset.software.version
client_name (string)principal.hostname
client_dig_product_id (string)principal.asset.product_object_id
desktop_width (integer - count)principal.labels [desktop_width]
desktop_height (integer - count)principal.labels [desktop_height]
requested_color_depth (string)principal.labels [requested_color_depth]
cert_type (string)about.labels [cert_type]
cert_count (integer - count)about.labels [cert_count]
cert_permanent (boolean - bool)about.labels [cert_permanent]
encryption_level (string)about.labels [encryption_level]
encryption_method (string)about.labels [encryption_method]
auth_success (boolean - bool)about.labels [auth_success], security_result.actionThe auth_success log field is mapped to about.labels [auth_success]. In addition, if the auth_success log field value is equal to true, then the security_result.action UDM field is set to ALLOW.
Else, the security_result.action UDM field is set to FAIL.
channels_joined (integer - int)intermediary.labels [channels_joined]
inferences (array[string] - set[string])about.labels [inferences]
rdpeudp_uid (string)about.labels [rdpeudp_uid]
network.ip_protocolThe network.ip_protocol UDM field is set to TCP.
rdfp_string (string)principal.labels [rdfp_string]
rdfp_hash (string)principal.labels [rdfp_hash]
result, security_protocolsecurity_result.descriptionThe security_result.description UDM field is set with result, security_protocol log fields as "result connection with security protocol security_protocol".
security_result.severityThe security_result.severity UDM field is set to INFORMATIONAL.
-
-
-

Field mapping reference: CORELIGHT - sip

- -The following table lists the log fields of the sip log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to SIP.
trans_depth (integer - count)about.labels [trans_depth]
method (string)about.labels [method]
uri (string)target.url
date (string)about.labels [date]
request_from (string)principal.labels [request_from]
request_to (string)target.labels [request_to]
response_fromprincipal.labels [response_from]
response_to (string)target.labels [response_to]
reply_to (string)about.labels [reply_to]
call_id (string)network.session_id
seq (string)about.labels [seq]
subject (string)about.labels [subject]
request_path (array[string] - vector of string)about.labels [request_path]
response_path (array[string] - vector of string)about.labels [response_path]
user_agent (string)about.labels [user_agent]
status_code (integer - count)about.labels [status_code]
status_msg (string)security_result.description
warning (string)security_result.summary
request_body_len (integer - count)network.sent_bytes
response_body_len (integer - count)network.received_bytes
content_type (string)about.labels [content_type]
-
-
-

Field mapping reference: CORELIGHT - intel

- -The following table lists the log fields of the intel log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to SCAN_NETWORK.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
seen.indicator_type (string - enum)entity.metadata.entity_typeIf the seen.indicator_type log field value is equal to Intel::ADDR or Intel::SUBNET, then the entity.metadata.entity_type UDM field is set to IP_ADDRESS.

Else, if the seen.indicator_type log field value is equal to Intel::SOFTWARE or Intel::CERT_HASH or Intel::PUBKEY_HASH, then the entity.metadata.entity_type UDM field is set to RESOURCE.

Else, if the seen.indicator_type log field value is equal to Intel::URL, then the entity.metadata.entity_type UDM field is set to URL.

Else, if the seen.indicator_type log field value is equal to Intel::EMAIL or Intel::USER_NAME, then the entity.metadata.entity_type UDM field is set to USER.

Else, if the seen.indicator_type log field value is equal to Intel::DOMAIN, then the entity.metadata.entity_type UDM field is set to DOMAIN_NAME.

Else, if the seen.indicator_type log field value is equal to Intel::FILE_HASH or Intel::FILE_NAME, then the entity.metadata.entity_type UDM field is set to FILE.

Else, the entity.metadata.entity_type UDM field is set to RESOURCE.
seen.indicator (string)entity.ipIf the seen.indicator_type log field value is equal to Intel::ADDR or Intel::SUBNET, then the seen.indicator log field is mapped to the entity.ip UDM field.
seen.indicator (string)entity.urlIf the seen.indicator_type log field value is equal to Intel::URL, then the seen.indicator log field is mapped to the entity.url UDM field.
seen.indicator (string)entity.domain.nameIf the seen.indicator_type log field value is equal to Intel::DOMAIN, then the seen.indicator log field is mapped to the entity.domain.name UDM field.
seen.indicator (string)entity.user.email_addressIf the seen.indicator_type log field value is equal to Intel::USER_NAME or Intel::EMAIL, then the seen.indicator log field is mapped to the entity.user.email_address UDM field.
seen.indicator (string)entity.file.namesIf the seen.indicator_type log field value is equal to Intel::FILE_HASH or Intel::FILE_NAME, then the seen.indicator log field is mapped to the entity.file.names UDM field. (The mapping column and the original logic text disagree here, naming entity.file.names and entity.file.full_path respectively; confirm against the parser which UDM field is actually populated.)
seen.indicator (string)entity.resource.nameIf the entity.metadata.entity_type UDM field has been set to RESOURCE by the seen.indicator_type logic above, then the seen.indicator log field is mapped to the entity.resource.name UDM field.
seen.indicator_type (string - enum)entity.resource.resource_sub_typeIf the entity.metadata.entity_type UDM field has been set to RESOURCE by the seen.indicator_type logic above, then the seen.indicator_type log field is mapped to the entity.resource.resource_sub_type UDM field.
seen.where (string - enum)entity.metadata.source_labels [seen_where]
matched (array[string] - set[enum])entity.labels [matched]
sources (array[string] - set[string])entity.metadata.source_labels [source]
fuid (string)about.labels [fuid]
file_mime_type (string)entity.file.mime_type
file_desc (string)metadata.threat.detection_fields [file_desc]
desc (array[string] - set[string])ioc.descriptionThe desc log field is mapped to ioc.description UDM field when index value in desc is equal to 0. -

For every other index value, entity.labels.key UDM field is set to desc and desc log field is mapped to the entity.labels.value.
url (array[string] - set[string])metadata.threat.url_back_to_product
confidence (array[number] - set[double])ioc.confidence_scoreThe confidence log field is mapped to ioc.confidence_score UDM field when index value in confidence is equal to 0. -

For every other index value, entity.labels.key UDM field is set to confidence and confidence log field is mapped to the entity.labels.value.
firstseen (array[string] - set[string])ioc.active_timerange.startThe firstseen log field is mapped to ioc.active_timerange.start UDM field when index value in firstseen is equal to 0. -

For every other index value, entity.labels.key UDM field is set to firstseen and firstseen log field is mapped to the entity.labels.value.
lastseen (array[string] - set[string])ioc.active_timerange.endThe lastseen log field is mapped to ioc.active_timerange.end UDM field when index value in lastseen is equal to 0. -

For every other index value, entity.labels.key UDM field is set to lastseen and lastseen log field is mapped to the entity.labels.value.
associated (array[string] - set[string])entity.labels [associated]
category (array[string] - set[string])ioc.categorizationThe category log field is mapped to ioc.categorization UDM field when index value in category is equal to 0. -

For every other index value, entity.labels.key UDM field is set to category and category log field is mapped to the entity.labels.value.
campaigns (array[string] - set[string])entity.labels [campaign]
reports (array[string] - set[string])entity.labels [report]
seen.indicator (string)about.labels [indicator]
seen.indicator_type (string - enum)about.labels [indicator_type]
seen.where (string - enum)about.labels [where]
sources (array[string] - set[string])about.labels [sources]
confidence (array[number] - set[double])about.labels [confidence]
category (array[string] - set[string])about.labels [category]
-
-
-

Field mapping reference: CORELIGHT - smtp

- -The following table lists the log fields of the smtp log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_SMTP.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to SMTP.
trans_depth (integer - count)about.labels [trans_depth]
helo (string)network.smtp.helo
mailfrom (string)network.smtp.mail_from
rcptto (array[string] - set[string])network.smtp.rcpt_to
date (string)about.labels [date]
from (string)network.email.from
to (array[string] - set[string])network.email.to
cc (array[string] - set[string])network.email.cc
reply_to (string)network.email.reply_to
msg_id (string)network.email.mail_id
in_reply_to (string)about.labels [in_reply_to]
subject (string)network.email.subject
x_originating_ip (string - addr)principal.ip
first_received (string)about.labels [first_received]
second_received (string)about.labels [second_received]
last_reply (string)network.smtp.server_response
path (array[string] - vector of addr)network.smtp.message_pathIterate through log field path, then
if the index value is equal to 0 then, path log field is mapped to the network.smtp.message_path UDM field.
Else, path log field is mapped to the intermediary.ip UDM field.
user_agent (string)principal.application
tls (boolean - bool)network.smtp.is_tls
fuids (array[string] - vector of string)about.labels [fuid]
is_webmail (boolean - bool)network.smtp.is_webmail
urls (array[string] - set[string])about.url
domains (array[string] - set[string])about.domain.name
-
-
-

Field mapping reference: CORELIGHT - ssh

The following table lists the log fields of the ssh log type and their corresponding UDM fields.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to SSH.
version (integer - count)network.application_protocol_versionThe network.application_protocol_version UDM field is set with version log field as "SSH version".
auth_success (boolean - bool)security_result.action_details
auth_success (boolean - bool)security_result.actionIf the auth_success log field value is not equal to true, then the security_result.action UDM field is set to ALLOW.

Else, the security_result.action UDM field is set to BLOCK.
auth_attempts (integer - count)extensions.auth.auth_detailsThe extensions.auth.auth_details UDM field is set with auth_attempts log field as "auth_attempts: auth_attempts".
direction (string - enum)network.directionIf the direction log field value is equal to INBOUND, then the network.direction UDM field is set to INBOUND.

Else, if the direction log field value is equal to OUTBOUND, then the network.direction UDM field is set to OUTBOUND.
client (string)principal.asset.software.version
server (string)target.asset.software.version
cipher_alg (string)network.tls.cipher
mac_alg (string)security_result.detection_fields [mac_alg]
compression_alg (string)security_result.detection_fields [compression_alg]
kex_alg (string)security_result.detection_fields [kex_alg]
host_key_alg (string)network.tls.server.certificate.version
host_key (string)network.tls.server.certificate.sha256
remote_location.country_code (string)target.location.country_or_region
remote_location.region (string)target.location.country_or_region
remote_location.city (string)target.location.city
remote_location.latitude (number - double)target.location.region_coordinates.latitude
remote_location.longitude (number - double)target.location.region_coordinates.longitude
hasshVersion (string)about.labels [hassh_version]
hassh (string)principal.labels [hassh]
hasshServer (string)target.labels [hassh_server]
cshka (string)about.labels [cshka]
hasshAlgorithms (string)about.labels [hassh_algorithms]
sshka (string)about.labels [sshka]
hasshServerAlgorithms (string)about.labels [hassh_server_algorithms]
inferences (array[string] - set[string])security_result.summary, security_result.description,security_result.detection_fields[inferences]If the inferences log field value is equal to ABP, then the security_result.summary UDM field is set to Client Authentication Bypass and the security_result.description UDM field is set to A client wasn't adhering to expectations of SSH either through server exploit or by the client and server switching to a protocol other than SSH after encryption begins.

- If the inferences log field value is equal to AFR, then the security_result.summary UDM field is set to SSH Agent Forwarding Requested and the security_result.description UDM field is set to Agent Forwarding is requested by the Client.

- If the inferences log field value is equal to APWA, then the security_result.summary UDM field is set to Automated Password Authentication and the security_result.description UDM field is set to The client authenticated with an automated password tool (like sshpass).

- If the inferences log field value is equal to AUTO, then the security_result.summary UDM field is set to Automated Interaction and the security_result.description UDM field is set to The client is a script automated utility and not driven by a user.

- If the inferences log field value is equal to BAN, then the security_result.summary UDM field is set to Server Banner and the security_result.description UDM field is set to The server sent the client a pre-authentication banner, likely for legal reasons.

- If the inferences log field value is equal to BF, then the security_result.summary UDM field is set to Client Brute Force Guessing and the security_result.description UDM field is set to A client made a number of authentication attempts that exceeded some configured, pre-connection threshold.

- If the inferences log field value is equal to BFS, then the security_result.summary UDM field is set to Client Brute Force Success and the security_result.description UDM field is set to A client made a number of authentication attempts that exceeded some configured, pre-connection threshold.

- If the inferences log field value is equal to CTS, then the security_result.summary UDM field is set to Client Trusted Server and the security_result.description UDM field is set to The client already has an entry in its known_hosts file for this server.

- If the inferences log field value is equal to CUS, then the security_result.summary UDM field is set to Client Untrusted Server and the security_result.description UDM field is set to The client did not have an entry in its known_hosts file for this server.

- If the inferences log field value is equal to IPWA, then the security_result.summary UDM field is set to Interactive Password Authentication and the security_result.description UDM field is set to The client interactively typed their password to authenticate.

- If the inferences log field value is equal to KS, then the security_result.summary UDM field is set to Keystrokes and the security_result.description UDM field is set to An interactive session occurred in which the client sent user-driven keystrokes to the server.

- If the inferences log field value is equal to LFD, then the security_result.summary UDM field is set to Large Client File Download and the security_result.description UDM field is set to A file transfer occurred in which the server sent a sequence of bytes to the client.

- If the inferences log field value is equal to LFU, then the security_result.summary UDM field is set to Large Client File Upload and the security_result.description UDM field is set to A file transfer occurred in which the client sent a sequence of bytes to the server. Large files are identified dynamically based on trains of MTU-sized packets.

- If the inferences log field value is equal to MFA, then the security_result.summary UDM field is set to Multifactor Authentication and the security_result.description UDM field is set to The server required a second form of authentication (a code) after password or public key was accepted, and the client successfully provided it.

- If the inferences log field value is equal to NA, then the security_result.summary UDM field is set to None Authentication and the security_result.description UDM field is set to The client successfully authenticated using the None method.

- If the inferences log field value is equal to NRC, then the security_result.summary UDM field is set to No Remote Command and the security_result.description UDM field is set to The -N flag was used in SSH authentication.

- If the inferences log field value is equal to PKA, then the security_result.summary UDM field is set to Public Key Authentication and the security_result.description UDM field is set to The client automatically authenticated using pubkey authentication.

- If the inferences log field value is equal to RSI, then the security_result.summary UDM field is set to Reverse SSH Initiated and the security_result.description UDM field is set to The Reverse session is initiated from the server back to the client.

- If the inferences log field value is equal to RSIA, then the security_result.summary UDM field is set to Reverse SSH Initiated Automated and the security_result.description UDM field is set to The initiation of the Reverse session happened very early in the packet stream, indicating automation.

- If the inferences log field value is equal to RSK, then the security_result.summary UDM field is set to Reverse SSH Keystrokes and the security_result.description UDM field is set to Keystrokes are detected within the Reverse tunnel.

- If the inferences log field value is equal to RSL, then the security_result.summary UDM field is set to Reverse SSH Logged In and the security_result.description UDM field is set to The Reverse Tunnel login has succeeded.

- If the inferences log field value is equal to RSP, then the security_result.summary UDM field is set to Reverse SSH Provisioned and the security_result.description UDM field is set to The client connected with -R flag, which provisions the port to be used for a Reverse Session set up at any future time.

- If the inferences log field value is equal to SA, then the security_result.summary UDM field is set to Authentication Scanning and the security_result.description UDM field is set to The client scanned authentication method with the server and then disconnected.

- If the inferences log field value is equal to SC, then the security_result.summary UDM field is set to Capabilities Scanning and the security_result.description UDM field is set to The client exchanged capabilities with the server and then disconnected.

- If the inferences log field value is equal to SFD, then the security_result.summary UDM field is set to Small Client File Download and the security_result.description UDM field is set to A file transfer occurred in which the server sent a sequence of bytes to the client.

- If the inferences log field value is equal to SFU, then the security_result.summary UDM field is set to Small Client File Upload and the security_result.description UDM field is set to A file transfer occurred in which the client sent a sequence of bytes to the server.

- If the inferences log field value is equal to SP, then the security_result.summary UDM field is set to Other Scanning and the security_result.description UDM field is set to A client and server didn't exchange encrypted packets but the client wasn't a version or capabilities scanner.

- If the inferences log field value is equal to SV, then the security_result.summary UDM field is set to Version Scanning and the security_result.description UDM field is set to A client exchanged version strings with the server and then disconnected.

- If the inferences log field value is equal to UA, then the security_result.summary UDM field is set to Unknown Authentication and the security_result.description UDM field is set to The authentication method is not determined or is unknown.
-
-
-

Field mapping reference: CORELIGHT - suricata_corelight

The following table lists the log fields of the suricata_corelight log type and their corresponding UDM fields.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to SCAN_NETWORK.
metadata.product_nameThe metadata.product_name UDM field is set to Suricata.
id.vlan (integer - count)intermediary.labels [id_vlan]
id.vlan_inner (integer - count)intermediary.labels [id_vlan_inner]
icmp_type (integer - count)about.labels [icmp_type]
icmp_code (integer - count)about.labels [icmp_code]
suri_id (string)metadata.product_log_id
service (string)network.application_protocol
flow_id (integer - count)network.session_id
tx_id (integer - count)about.labels [tx_id]
pcap_cnt (integer - count)about.labels [pcap_cnt]
alert.action (string)security_result.action_details
alert.gid (integer - count)security_result.detection_fields [alert_gid]
alert.signature_id (integer - count)security_result.rule_id
alert.rev (integer - count)security_result.rule_version
alert.signature (string)security_result.summary
alert.signature (string)security_result.rule_name
alert.category (string)security_result.category_details
alert.severity (integer - count)security_result.severity_details
alert.metadata (array[string] - vector of string)security_result.rule_labels[alert_metadata]
community_id (string)network.community_id
payload (string)about.labels [payload]
packet (string)about.labels [packet]
metadata (array[string] - vector of string)security_result.rule_labels[metadata]
orig_cve (string)extensions.vulns.vulnerabilities.cve_id
resp_cve (string)extensions.vulns.vulnerabilities.cve_id
idm.is_alertThe idm.is_alert UDM field is set to true.
idm.is_significantThe idm.is_significant UDM field is set to true.
security_result.severityThe security_result.severity UDM field is set to INFORMATIONAL.
orig_vulnerable_host.cve (array[string] - vector of string)principal.asset.vulnerabilities.cve_id
orig_vulnerable_host.hostname (string)principal.asset.hostname
orig_vulnerable_host.host_uid (string)about.labels [orig_vulnerable_host_uid]
orig_vulnerable_host.machine_domain (string)principal.asset.network_domain
orig_vulnerable_host.os_version (string)principal.asset.platform_software.platform_version
orig_vulnerable_host.source (string)principal.asset.vulnerabilities.cve_description
resp_vulnerable_host.cve (string)target.asset.vulnerabilities.cve_id
resp_vulnerable_host.hostname (string)target.asset.hostname
resp_vulnerable_host.host_uid (string)about.labels [resp_vulnerable_host_uid]
resp_vulnerable_host.machine_domain (string)target.asset.network_domain
resp_vulnerable_host.os_version (string)target.asset.platform_software.platform_version
resp_vulnerable_host.source (string)target.asset.vulnerabilities.cve_description
service (string)about.labels [service]
-
-
-

Field mapping reference: CORELIGHT - bacnet

- -The following table lists the log fields of the bacnet log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
bvlc_function (string)about.labels [bvlc_function]
bvlc_len (integer - count)about.labels [bvlc_len]
apdu_type (string)about.labels [apdu_type]
service_choice (string)about.labels [service_choice]
data (array[string] - vector of string)about.labels [data]
-
-
-

Field mapping reference: CORELIGHT - cip

- -The following table lists the log fields of the cip log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
service (string)about.labels [service]
status (string)about.labels [status]
tags (string)about.labels [tag]
-
-
-

Field mapping reference: CORELIGHT - corelight_burst

- -The following table lists the log fields of the corelight_burst log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to SCAN_NETWORK.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
proto (string - enum)network.ip_protocol
orig_size (integer - count)network.sent_bytes
resp_size (integer - count)network.received_bytes
mbps (number - double)about.labels [mbps]
age_of_conn (number - interval)about.labels [age_of_conn]
-
-
-

Field mapping reference: CORELIGHT - corelight_overall_capture_loss

- -The following table lists the log fields of the corelight_overall_capture_loss log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
gaps (number - double)security_result.detection_fields [gaps]
acks (number - double)security_result.detection_fields [acks]
percent_lost (number - double)security_result.detection_fields [percent_lost]
metadata.descriptionThe metadata.description UDM field is set with _system_name, percent_lost, ts. log fields as "node _system_name experienced percent_lost% packet loss at ts.".
-
-
-

Field mapping reference: CORELIGHT - corelight_profiling

- -The following table lists the log fields of the corelight_profiling log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to SCAN_NETWORK.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
node (string)principal.hostname
prof.core_stack (string)about.labels [prof_core_stack]
prof.script_stack (string)about.labels [prof_script_stack]
prof.sched_wait_ns (integer - count)about.labels [prof_sched_wait_ns]
-
-
-

Field mapping reference: CORELIGHT - datared

- -The following table lists the log fields of the datared log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
conn_red (integer - count)about.labels [conn_red]
conn_total (integer - count)about.labels [conn_total]
dns_red (integer - count)about.labels [dns_red]
dns_total (integer - count)about.labels [dns_total]
dns_coal_miss (integer - count)about.labels [dns_coal_miss]
files_red (integer - count)about.labels [files_red]
files_total (integer - count)about.labels [files_total]
files_coal_miss (integer - count)about.labels [files_coal_miss]
http_red (integer - count)about.labels [http_red]
http_total (integer - count)about.labels [http_total]
ssl_red (integer - count)about.labels [ssl_red]
ssl_total (integer - count)about.labels [ssl_total]
ssl_coal_miss (integer - count)about.labels [ssl_coal_miss]
weird_red (integer - count)about.labels [weird_red]
weird_total (integer - count)about.labels [weird_total]
x509_red (integer - count)about.labels [x509_red]
x509_total (integer - count)about.labels [x509_total]
x509_coal_miss (integer - count)about.labels [x509_coal_miss]
-
-
-

Field mapping reference: CORELIGHT - dhcp

- -The following table lists the log fields of the dhcp log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_DHCP.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to DHCP.
uids (array[string] - set[string])about.labels [uid]
client_addr (string - addr)network.dhcp.ciaddr
server_addr (string - addr)network.dhcp.siaddr
mac (string)network.dhcp.chaddr
host_name (string)network.dhcp.client_hostname
client_fqdn (string)principal.domain.name
domain (string)target.domain.name
requested_addr (string - addr)network.dhcp.requested_address
assigned_addr (string - addr)network.dhcp.yiaddr
lease_time (number - interval)network.dhcp.lease_time_seconds
client_message (string)security_result.description
server_message (string)security_result.description
msg_types (array[string] - vector of string)network.dhcp.typeThe msg_types log field is mapped to the network.dhcp.type UDM field when the index value in msg_types is equal to 0.

For every other index value, about.labels.key UDM field is set to msg_types and msg_types log field is mapped to the about.labels.value.
duration (number - interval)about.labels [duration]
-
-
-

Field mapping reference: CORELIGHT - dga

- -The following table lists the log fields of the dga log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_DNS.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to DNS.
query (string)network.dns.questions.name
family (string)about.labels [family]
qtype_name (string)about.labels [qtype_name]
rcode (integer - count)network.dns.response_code
is_collision_heavy (boolean - bool)security_result.detection_fields [is_collision_heavy]
ruse (boolean - bool)about.labels [ruse]
-
-
-

Field mapping reference: CORELIGHT - dnp3

- -The following table lists the log fields of the dnp3 log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
fc_request (string)about.labels [fc_request]
fc_reply (string)about.labels [fc_reply]
iin (integer - count)about.labels [iin]
-
-
-

Field mapping reference: CORELIGHT - iso_cotp

- -The following table lists the log fields of the iso_cotp log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
pdu_type (string)about.labels [pdu_type]
-
-
-

Field mapping reference: CORELIGHT - kerberos

- -The following table lists the log fields of the kerberos log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to KRB5.
request_type (string)extensions.auth.auth_details
client (string)principal.hostname
service (string)target.application
success (boolean - bool)security_result.actionIf the success log field value is equal to true, then the security_result.action UDM field is set to ALLOW.

Else, the security_result.action UDM field is set to FAIL.
error_msg (string)security_result.description
from (time)about.labels [from]
till (time)about.labels [till]
cipher (string)about.labels [cipher]
forwardable (boolean - bool)about.labels [forwardable]
renewable (boolean - bool)about.labels [renewable]
client_cert_subject (string)about.labels [client_cert_subject]
client_cert_fuid (string)about.labels [client_cert_fuid]
server_cert_subject (string)about.labels [server_cert_subject]
server_cert_fuid (string)about.labels [server_cert_fuid]
-
-
-

Field mapping reference: CORELIGHT - ldap

- -The following table lists the log fields of the ldap log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to LDAP.
proto (string)about.labels [proto]
message_id (integer - int)about.labels [message_id]
version (integer - int)network.application_protocol_version
opcode (array[string] - set[string])security_result.detection_fields [opcode]
result (array[string] - set[string])security_result.detection_fields [result], security_result.actionIterate through log field result, then
if the result log field value contains one of the following values
  • ALLOW
  • ALLOW_WITH_MODIFICATION
  • BLOCK
  • CHALLENGE
  • FAIL
  • QUARANTINE
  • UNKNOWN_ACTION
then, result log field is mapped to the security_result.action UDM field.
diagnostic_message (array[string] - vector of string)security_result.description
object (array[string] - vector of string)target.resource.name, about.labels [object]Iterate through log field object, then
if the index value is equal to 0 then, object log field is mapped to the target.resource.name UDM field.
Else, the about.labels.key UDM field is set to object and %{object} log field is mapped to the about.labels.value UDM field.
argument (array[string] - vector of string)about.labels [argument]
-
-
-

Field mapping reference: CORELIGHT - ldap_search

- -The following table lists the log fields of the ldap_search log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to LDAP.
proto (string)about.labels [proto]
message_id (integer - int)about.labels [message_id]
scope (array[string] - set[string])about.labels [scope]
deref (array[string] - set[string])about.labels [deref]
base_object (array[string] - vector of string)about.labels [base_object]
result_count (integer - count)security_result.detection_fields [result_count]
result (array[string] - set[string])security_result.detection_fields [result]
diagnostic_message (array[string] - vector of string)security_result.description
filter (string)about.labels [filter]
attributes (array[string] - vector of string)about.labels [attributes]
-
-
-

Field mapping reference: CORELIGHT - local_subnets

- -The following table lists the log fields of the local_subnets log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
round (integer - count)about.labels [round]
ip_version (integer - count)about.labels [ip_version]
subnets (array[string] - set[subnet])about.labels [subnet]
component_ids (array[integer] - set[count])about.labels [component_id]
size_of_component (integer - count)about.labels [size_of_component]
bipartite (boolean - bool)about.labels [bipartite]
inferred_site (boolean - bool)about.labels [inferred_site]
other_ips (array[string] - set[addr])about.ip
-
-
-

Field mapping reference: CORELIGHT - local_subnets_dj

- -The following table lists the log fields of the local_subnets_dj log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
ip_version (integer - count)about.labels [ip_version]
v (string - addr)about.ip
side (string)about.labels [side]
-
-
-

Field mapping reference: CORELIGHT - local_subnets_graphs

- -The following table lists the log fields of the local_subnets_graphs log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
ip_version (integer - count)about.labels [ip_version]
v1 (string - addr)about.ip
v2 (string - addr)about.ip
-
-
-

Field mapping reference: CORELIGHT - syslog

- -The following table lists the log fields of the syslog log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.event_typeThe metadata.event_type UDM field is set to STATUS_UPDATE.
proto (string - enum)network.ip_protocol
facility (string)about.labels [facility]
severity (string)security_result.severity, security_result.severity_detailsIf the severity log field value contains one of the following values
  • CRITICAL
  • ERROR
  • HIGH
  • INFORMATIONAL
  • LOW
  • MEDIUM
then, severity log field is mapped to the security_result.severity UDM field.
message (string)metadata.description
-
-
-

Field mapping reference: CORELIGHT - tds

- -The following table lists the log fields of the tds log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
command (string)principal.process.command_line
-
-
-

Field mapping reference: CORELIGHT - tds_rpc

- -The following table lists the log fields of the tds_rpc log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
procedure_name (string)about.labels [procedure_name]
parameters (array[string] - vector of string)about.labels [parameter]
-
-
-

Field mapping reference: CORELIGHT - tds_sql_batch

- -The following table lists the log fields of the tds_sql_batch log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.event_typeThe metadata.event_type UDM field is set to STATUS_UPDATE.
target.resource.resource_typeThe target.resource.resource_type UDM field is set to DATABASE.
header_type (string)target.resource.attribute.labels [header_type]
query (string)target.resource.attribute.labels [query]
-
-
-

Field mapping reference: CORELIGHT - traceroute

- -The following table lists the log fields of the traceroute log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
src (string - addr)principal.ip
dst (string - addr)target.ip
proto (string)network.ip_protocol
-
-
-

Field mapping reference: CORELIGHT - tunnel

- -The following table lists the log fields of the tunnel log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
tunnel_type (string - enum)intermediary.labels [tunnel_type]
action (string - enum)security_result.action_details
security_result.descriptionThe security_result.description UDM field is set with action, tunnel_type log fields as "action action on tunnel type tunnel_type".
-
-
-

Field mapping reference: CORELIGHT - weird, weird_red, weird_agg

- -The following table lists the log fields of the weird, weird_red, weird_agg log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
name (string)metadata.product_event_type
addl (string)metadata.description
notice (boolean - bool)about.labels [notice]
source (string)metadata.product_name
peer (string)observer.hostname
-
-
-

Field mapping reference: CORELIGHT - wireguard

- -The following table lists the log fields of the wireguard log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
established (boolean - bool)about.labels [established]
initiations (integer - count)about.labels [initiations]
responses (integer - count)about.labels [responses]
-
-
-

Field mapping reference: CORELIGHT - vpn

- -The following table lists the log fields of the vpn log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
proto (string - enum)network.ip_protocol
vpn_type (string - enum)about.labels [vpn_type]
service (string)target.application
inferences (array[string] - set[string])metadata.description, about.labels [inference]Iterate through the inferences log field, then
if the index value is equal to 0, the inferences log field is mapped to the metadata.description UDM field.
server_name (string)network.tls.client.server_name
client_info (string)network.http.user_agent
duration (number - interval)network.session_duration
orig_bytes (integer - count)network.sent_bytes
resp_bytes (integer - count)network.received_bytes
orig_cc (string)principal.location.country_or_region
orig_region (string)principal.location.country_or_region
orig_city (string)principal.location.city
resp_cc (string)target.location.country_or_region
resp_region (string)target.location.country_or_region
resp_city (string)target.location.city
subject (string)network.tls.client.certificate.subject
issuer (string)network.tls.client.certificate.issuer
ja3 (string)network.tls.client.ja3
ja3s (string)network.tls.server.ja3s
-
-
-

Field mapping reference: CORELIGHT - x509, x509_red

- -The following table lists the log fields of the x509, x509_red log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
fingerprint (string)about.domain.last_https_certificate.thumbprint
certificate.version (integer - count)about.domain.last_https_certificate.version
certificate.serial (string)about.domain.last_https_certificate.serial_number
certificate.subject (string)about.domain.last_https_certificate.subject
certificate.issuer (string)about.domain.last_https_certificate.issuerIf certificate.issuer log field value matches the grok pattern CN=%{GREEDYDATA:common_name},OU=%{GREEDYDATA:organizational_unit},O=%{GREEDYDATA:organization},C=%{DATA:country}$ then the extracted common_name, organizational_unit, organization and country fields are mapped to about.domain.last_https_certificate.issuer.common_name, about.domain.last_https_certificate.issuer.organizational_unit, about.domain.last_https_certificate.issuer.organization, and about.domain.last_https_certificate.issuer.country_name UDM fields respectively.
certificate.not_valid_before (time)about.domain.last_https_certificate.validity.issue_time
certificate.not_valid_after (time)about.domain.last_https_certificate.validity.expiry_time
certificate.key_alg (string)about.labels [public_key_algorithm]
certificate.sig_alg (string)about.domain.last_https_certificate.signature_algorithm
certificate.key_type (string)about.domain.last_https_certificate.public_key.algorithm
certificate.key_length (integer - count)about.domain.last_https_certificate.public_key.rsa.key_size
certificate.exponent (string)about.domain.last_https_certificate.public_key.rsa.exponent
certificate.curve (string)about.domain.last_https_certificate.ec.oid
san.dns (array[string] - vector of string)about.domain.last_https_certificate.extension.subject_alternative_name
san.uri (array[string] - vector of string)about.url
san.email (array[string] - vector of string)about.labels [san_email]
san.ip (array[string] - vector of addr)about.ip
basic_constraints.ca (boolean - bool)about.domain.last_https_certificate.extension.ca
basic_constraints.path_len (integer - count)about.labels [basic_constraints_path_len]
host_cert (boolean - bool)about.labels [host_cert]
client_cert (boolean - bool)about.labels [client_cert]
-
-
-

Field mapping reference: CORELIGHT - unknown-smartpcap

- -The following table lists the log fields of the unknown-smartpcap log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Smartpcap.
tid (string)about.labels [tid]
pkts (integer - count)about.labels [pkts]
url (string)security_result.url_back_to_product
-
-
-

Field mapping reference: CORELIGHT - mysql

- -The following table lists the log fields of the mysql log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to USER_RESOURCE_ACCESS.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
cmd (string)target.resource.attribute.labels [cmd]
arg (string)principal.process.command_line
success (boolean - bool)target.resource.attribute.labels [success]
rows (integer - count)target.resource.attribute.labels [rows]
response (string)target.resource.attribute.labels [response]
target.resource.resource_typeThe target.resource.resource_type UDM field is set to DATABASE.
-
-
-

Field mapping reference: CORELIGHT - napatech_shunting

- -The following table lists the log fields of the napatech_shunting log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
peer (string)about.labels [peer]
terminated_flows (integer - count)about.labels [terminated_flows]
shunted_flows (integer - count)security_result.detection_fields [shunted_flows]
-
-
-

Field mapping reference: CORELIGHT - ntlm

- -The following table lists the log fields of the ntlm log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to USER_LOGIN.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
username (string)target.user.userid
hostname (string)principal.hostname
domainname (string)principal.domain.name
server_nb_computer_name (string)target.hostname
server_dns_computer_name (string)target.domain.name
server_tree_name (string)target.labels [server_tree_name]
success (boolean - bool)extensions.auth.auth_detailsIf the success log field value is equal to true, then the extensions.auth.auth_details UDM field is set to Authentication successful.

Else, the extensions.auth.auth_details UDM field is set to Authentication failed.
-
-
-

Field mapping reference: CORELIGHT - pe

- -The following table lists the log fields of the pe log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
id (string)about.labels [id]
machine (string)target.labels [machine]
compile_ts (time)target.file.pe_file.section
os (string)target.platformIf the os log field value is equal to windows, then the target.platform UDM field is set to WINDOWS.

Else, if the os log field value is equal to linux, then the target.platform UDM field is set to LINUX.

Else, if the os log field value is equal to mac or the os log field value is equal to osx, then the target.platform UDM field is set to MAC.
subsystem (string)target.application
is_exe (boolean - bool)about.file.file_typeIf the is_exe log field value is equal to true, then the about.file.file_type UDM field is set to FILE_TYPE_PE_EXE.
is_64bit (boolean - bool)about.labels [is_64bit]
uses_aslr (boolean - bool)about.labels [uses_aslr]
uses_dep (boolean - bool)about.labels [uses_dep]
uses_code_integrity (boolean - bool)about.labels [uses_code_integrity]
uses_seh (boolean - bool)about.labels [uses_seh]
has_import_table (boolean - bool)about.labels [has_import_table]
has_export_table (boolean - bool)about.labels [has_export_table]
has_cert_table (boolean - bool)about.labels [has_cert_table]
has_debug_data (boolean - bool)about.labels [has_debug_data]
section_names (array[string] - vector of string)target.file.pe_file.sectionIterate through the section_names log field, then
each section_names value is mapped to the target.file.pe_file.section UDM field.
-
-
-

Field mapping reference: CORELIGHT - ntp

- -The following table lists the log fields of the ntp log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to NTP.
network.ip_protocolThe network.ip_protocol UDM field is set to UDP.
version (integer - count)network.application_protocol_version
mode (integer - count)about.labels [mode]
stratum (integer - count)about.labels [stratum]
poll (number - interval)about.labels [poll]
precision (number - interval)about.labels [precision]
root_delay (number - interval)about.labels [root_delay]
root_disp (number - interval)about.labels [root_disp]
ref_id (string)target.ipIf the ref_id log field value matches the IP address regex, then the ref_id log field is mapped to the target.ip UDM field.

Else, the ref_id log field is mapped to the target.labels UDM field.
ref_id (string)target.labels [ref_id]If the ref_id log field value matches the IP address regex, then the ref_id log field is mapped to the target.ip UDM field.

Else, the ref_id log field is mapped to the target.labels UDM field.
ref_time (time)about.labels [ref_time]
org_time (time)about.labels [org_time]
rec_time (time)about.labels [rec_time]
xmt_time (time)about.labels [rec_time]
num_exts (integer - count)about.labels [num_exts]
-
-
-

Field mapping reference: CORELIGHT - radius

- -The following table lists the log fields of the radius log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to USER_LOGIN.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
username (string)target.user.userid
mac (string)principal.mac
framed_addr (string - addr)intermediary.ip
tunnel_client (string)intermediary.ipIf the tunnel_client log field value matches the IP address regex, then the tunnel_client log field is mapped to the intermediary.ip UDM field.

Else, the tunnel_client log field is mapped to the intermediary.domain.name UDM field.
tunnel_client (string)intermediary.domain.nameIf the tunnel_client log field value matches the IP address regex, then the tunnel_client log field is mapped to the intermediary.ip UDM field.

Else, the tunnel_client log field is mapped to the intermediary.domain.name UDM field.
connect_info (string)about.labels [connect_info]
reply_msg (string)extensions.auth.auth_details
result (string)security_result.actionIf the result log field value is equal to true, then the security_result.action UDM field is set to ALLOW.
Else, the security_result.action UDM field is set to FAIL.
ttl (number - interval)network.session_duration
-
-
-

Field mapping reference: CORELIGHT - reporter

- -The following table lists the log fields of the reporter log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
level (string - enum)security_result.severityIf the level log field value is equal to one of CRITICAL, ERROR, HIGH, INFORMATIONAL, LOW, or MEDIUM, then the level log field is mapped to the security_result.severity UDM field.
level (string - enum)security_result.severity_details
message (string)security_result.description
location (string)about.labels [location]
-
-
-

Field mapping reference: CORELIGHT - log4shell

- -The following table lists the log fields of the log4shell log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to SCAN_HOST.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
extensions.vulns.vulnerabilities.cve_idThe extensions.vulns.vulnerabilities.cve_id UDM field is set to CVE-2021-44228.
http_uri (string)about.labels [http_uri]
uri (string)target.url
stem (string)target.labels [stem]
target_host (string)target.hostname
target_port (string)target.port
method (string)network.http.method
is_orig (boolean - bool)about.labels [is_orig]
name (string)about.labels.key
value (string)about.labels.value
matched_name (boolean - bool)about.labels [matched_name]
matched_value (boolean - bool)about.labels [matched_value]
-
-
-

Field mapping reference: CORELIGHT - modbus

- -The following table lists the log fields of the modbus log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to MODBUS.
func (string)about.labels [func]
exception (string)security_result.description
-
-
-

Field mapping reference: CORELIGHT - mqtt_connect

- -The following table lists the log fields of the mqtt_connect log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to MQTT.
proto_name (string)about.labels [proto_name]
proto_version (string)network.application_protocol_version
client_id (string)principal.labels [client_id]
connect_status (string)security_result.description
will_topic (string)target.resource.name
will_payload (string)about.labels [will_payload]
-
-
-

Field mapping reference: CORELIGHT - mqtt_publish

- -The following table lists the log fields of the mqtt_publish log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to MQTT.
from_client (boolean - bool)about.labels [from_client]
retain (boolean - bool)target.labels [retain]
qos (string)about.labels [qos]
status (string)security_result.description
topic (string)target.resource.name
payload (string)about.labels [payload]
payload_len (integer - count)about.labels [payload_len]
-
-
-

Field mapping reference: CORELIGHT - mqtt_subscribe

- -The following table lists the log fields of the mqtt_subscribe log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to MQTT.
action (string - enum)security_result.action_details
topics (array[string] - vector of string)target.resource.nameIterate through the topics log field, then
if the index value is equal to 0, the topics log field is mapped to the target.resource.name UDM field.
Else, the about.labels.key UDM field is set to topics and the %{topics} log field value is mapped to the about.labels.value UDM field.
qos_levels (array[integer] - vector of count)about.labels [qos_levels]
granted_qos_level (integer - count)about.labels [granted_qos_level]
ack (boolean - bool)security_result.action, security_result.detection_fields [ack]If the ack log field value is equal to true, then the security_result.action UDM field is set to ALLOW.
Else, if the ack log field value is equal to false, then the security_result.action UDM field is set to BLOCK.
Else, the security_result.detection_fields.key UDM field is set to ack and the ack log field is mapped to the security_result.detection_fields.value UDM field.
-
-
-

Field mapping reference: CORELIGHT - dpd

- -The following table lists the log fields of the dpd log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
proto (string - enum)network.ip_protocol
analyzer (string)about.labels [analyzer]
failure_reason (string)about.labels [failure_reason]
-
-
-

Field mapping reference: CORELIGHT - encrypted_dns

- -The following table lists the log fields of the encrypted_dns log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to DNS.
resp_h (string - addr)target.ip
cert.cn (string)about.labels [cert_cn]
cert.sans (array[string] - set[string])about.labels [cert_sans]
sni (string)network.tls.client.server_name
match (string)about.labels [match]
-
-
-

Field mapping reference: CORELIGHT - enip

- -The following table lists the log fields of the enip log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
command (string)principal.process.command_line
length (integer - count)about.labels [length]
session_handle (string)network.session_id
status (string)about.labels [status]
sender_context (string)about.labels [sender_context]
options (string)about.labels [options]
-
-
-

Field mapping reference: CORELIGHT - enip_debug

- -The following table lists the log fields of the enip_debug log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to STATUS_UPDATE.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
raw_data (string)about.labels [raw_data]
-
-
-

Field mapping reference: CORELIGHT - enip_list_identity

- -The following table lists the log fields of the enip_list_identity log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
device_type (string)target.asset.attribute.labels [device_type]
vendor (string)target.asset.hardware.manufacturer
product_name (string)target.asset.attribute.labels [product_name]
serial_number (string)target.asset.asset_idThe target.asset.asset_id UDM field is set with serial_number log fields as "CORELIGHT: serial_number".
product_code (integer - count)target.asset.attribute.labels [product_code]
revision (number - double)target.asset.attribute.labels [revision]
status (string)about.labels [status]
state (string)target.asset.attribute.labels [state]
device_ip (string - addr)target.asset.ip
-
-
-

Field mapping reference: CORELIGHT - etc_viz

- -The following table lists the log fields of the etc_viz log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
server_a (string - addr)target.ip
server_p (integer - port)target.port
service (array[string] - set[string])target.applicationThe service log field is mapped to the target.application UDM field when the index value in service is equal to 0.

For every other index value, the target.labels.key UDM field is set to service and the service log field is mapped to the target.labels.value UDM field.
viz_stat (string)about.labels [viz_stat]
c2s_viz.size (integer - count)network.sent_bytes
c2s_viz.enc_dev (number - double)about.labels [c2s_viz_enc_dev]
c2s_viz.enc_frac (number - double)about.labels [c2s_viz_enc_frac]
c2s_viz.pdu1_enc (boolean - bool)about.labels [c2s_viz_pdu1_enc]
c2s_viz.clr_frac (number - double)about.labels [c2s_viz_clr_frac]
c2s_viz.clr_ex (string)about.labels [c2s_viz_clr_ex]
s2c_viz.size (integer - count)network.received_bytes
s2c_viz.enc_dev (number - double)about.labels [s2c_viz_enc_dev]
s2c_viz.enc_frac (number - double)about.labels [s2c_viz_enc_frac]
s2c_viz.pdu1_enc (boolean - bool)about.labels [s2c_viz_pdu1_enc]
s2c_viz.clr_frac (number - double)about.labels [s2c_viz_clr_frac]
s2c_viz.clr_ex (string)about.labels [s2c_viz_clr_ex]
-
-
-

Field mapping reference: CORELIGHT - ftp

- -The following table lists the log fields of the ftp log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_FTP.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
user (string)principal.user.user_display_name
password (string)extensions.auth.auth_details
command (string), arg (string)network.ftp.commandThe network.ftp.command UDM field is set with command, arg log fields as "command arg".
mime_type (string)target.file.mime_type
file_size (integer - count)target.file.size
reply_code (integer - count)about.labels [reply_code]
reply_msg (string)about.labels [reply_msg]
data_channel.passive (boolean - bool)about.labels [data_channel_passive]
data_channel.orig_h (string - addr)principal.ip
data_channel.resp_h (string - addr)target.ip
data_channel.resp_p (integer - port)target.labels [data_channel_resp_p]
fuid (string)about.labels [fuid]
-
-
-

Field mapping reference: CORELIGHT - generic_dns_tunnels

- -The following table lists the log fields of the generic_dns_tunnels log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_DNS.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to DNS.
dns_client (string - addr)principal.ip
domain (string)network.dns_domain
domain (string)network.dns.questions.name
bytes (integer - int)about.labels [bytes]
capture_secs (number - interval)network.session_duration
-
-
-

Field mapping reference: CORELIGHT - generic_icmp_tunnels

- -The following table lists the log fields of the generic_icmp_tunnels log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.ip_protocolThe network.ip_protocol UDM field is set to ICMP.
detection (string)security_result.detection_fields [detection]
orig (string - addr)principal.ip
resp (string - addr)target.ip
id (integer - count)about.labels [id]
seq (integer - count)about.labels [seq]
bytes (integer - count)about.labels [bytes]
payload_len (integer - count)about.labels [payload_len]
payload (string)about.labels [payload]
-
-
-

Field mapping reference: CORELIGHT - icmp_specific_tunnels

- -The following table lists the log fields of the icmp_specific_tunnels log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.ip_protocolThe network.ip_protocol UDM field is set to ICMP.
start_time (time)about.labels [start_time]
duration (number - interval)network.session_duration
tunnel (string)intermediary.labels [tunnel]
seq (integer - count)about.labels [seq]
icmp_id (integer - count)about.labels [icmp_id]
payload (string)about.labels [payload]
-
-
-

Field mapping reference: CORELIGHT - ipsec

- -The following table lists the log fields of the ipsec log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
initiator_spi (string)principal.labels [initiator_spi]
responder_spi (string)target.labels [responder_spi]
maj_ver (integer - count)about.labels [maj_ver]
min_ver (integer - count)about.labels [min_ver]
exchange_type (integer - count)about.labels [exchange_type]
flag_e (boolean - bool)about.labels [flag_e]
flag_c (boolean - bool)about.labels [flag_c]
flag_a (boolean - bool)about.labels [flag_a]
flag_i (boolean - bool)about.labels [flag_i]
flag_v (boolean - bool)about.labels [flag_v]
flag_r (boolean - bool)about.labels [flag_r]
message_id (integer - count)about.labels [message_id]
vendor_ids (array[string] - vector of string)about.labels [vendor_id]
notify_messages (array[string] - vector of string)about.labels [notify_message]
transforms (array[string] - vector of string)about.labels [transform]
ke_dh_groups (array[integer] - vector of count)about.labels [ke_dh_group]
proposals (array[integer] - vector of count)about.labels [proposal]
protocol_id (integer - count)about.labels [protocol_id]
certificates (array[string] - vector of string)about.labels [certificate]
transform_attributes (array[string] - vector of string)about.labels [transform_attribute]
length (integer - count)about.labels [length]
hash (string)about.labels [hash]
doi (integer - count)about.labels [doi]
situation (string)about.labels [situation]
-
-
-

Field mapping reference: CORELIGHT - profinet

- -The following table lists the log fields of the profinet log type and their corresponding UDM fields. - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
operation_type (string)about.labels [operation_type]
block_version (string)about.labels [block_version]
slot_number (integer - count)about.labels [slot_number]
subslot_number (integer - count)about.labels [subslot_number]
index (string)about.labels [index]
-
-
-

Field mapping reference: CORELIGHT - profinet_dce_rpc

The following table lists the log fields of the profinet_dce_rpc log type and their corresponding UDM fields.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to DCERPC.
version (integer - count)about.labels [version]
packet_type (integer - count)about.labels [packet_type]
object_uuid (string)about.labels [object_uuid]
interface_uuid (string)about.labels [interface_uuid]
activity_uuid (string)about.labels [activity_uuid]
server_boot_time (integer - count)about.labels [server_boot_time]
operation (string)about.labels [operation]
-
-
-

Field mapping reference: CORELIGHT - profinet_debug

The following table lists the log fields of the profinet_debug log type and their corresponding UDM fields.
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
raw_data (string)about.labels [raw_data]
-
-
-

Field mapping reference: CORELIGHT - rfb

The following table lists the log fields of the rfb log type and their corresponding UDM fields.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
client_major_version (string)principal.labels [client_major_version]
client_minor_version (string)principal.labels [client_minor_version]
server_major_version (string)target.labels [server_major_version]
server_minor_version (string)target.labels [server_minor_version]
authentication_method (string)extensions.auth.mechanismIf the authentication_method log field value is equal to VNC, then the extensions.auth.mechanism UDM field is set to REMOTE_INTERACTIVE.

Else, the extensions.auth.mechanism UDM field is set to MECHANISM_OTHER.
authentication_method (string)extensions.auth.auth_details
auth (boolean - bool)security_result.actionIf the auth log field value is equal to true, then the security_result.action UDM field is set to ALLOW.

Else, the security_result.action UDM field is set to FAIL.
share_flag (boolean - bool)about.labels [share_flag]
desktop_name (string)principal.labels [desktop_name]
width (integer - count)principal.labels [width]
height (integer - count)principal.labels [height]
-
-
-

Field mapping reference: CORELIGHT - known_certs

The following table lists the log fields of the known_certs log type and their corresponding UDM fields.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.entity_typeThe metadata.entity_type UDM field is set to RESOURCE.
entity.resource.resource_subtypeThe entity.resource.resource_subtype UDM field is set to CERTIFICATE.
ts (time)metadata.interval.start_time
duration (number - interval)entity.labels [duration]
kuid (string)entity.labels [kuid]
host_ip (string - addr)entity.ip
hash (string)entity.resource.attribute.labels [hash]
port (integer - port)entity.port
protocol (string - enum)entity.labels [protocol]
serial (string)entity.resource.attribute.labels [serial]
subject (string)entity.resource.attribute.labels [subject]
issuer_subject (string)entity.resource.attribute.labels [issuer_subject]
num_conns (integer - count)metadata.threat.detection_fields [num_conns]
annotations (array[string] - vector of string)metadata.threat.detection_fields [annotations]
last_active_session (string)entity.labels [last_active_session]
last_active_interval (number - interval)entity.labels [last_active_interval]
-
-
-

Field mapping reference: CORELIGHT - known_devices

The following table lists the log fields of the known_devices log type and their corresponding UDM fields.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.entity_typeThe metadata.entity_type UDM field is set to RESOURCE.
ts (time)metadata.interval.start_time
ts (time)entity.asset.first_seen_time
duration (number - interval)entity.labels [duration]
kuid (string)entity.labels [kuid]
host_ip (string - addr)entity.asset.ip
mac (string)entity.asset.mac
vendor_mac (string)entity.asset.hardware.manufacturer
protocols (array[string] - set[string])entity.network.application_protocol
num_conns (integer - count)metadata.threat.detection_fields [num_conns]
annotations (array[string] - vector of string)metadata.threat.detection_fields [annotations]
last_active_session (string)entity.labels [last_active_session]
last_active_interval (number - interval)entity.labels [last_active_interval]
-
-
-

Field mapping reference: CORELIGHT - known_domains

The following table lists the log fields of the known_domains log type and their corresponding UDM fields.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.entity_typeThe metadata.entity_type UDM field is set to DOMAIN_NAME.
ts (time)metadata.interval.start_time
ts (time)entity.domain.first_seen_time
duration (number - interval)entity.labels [duration]
kuid (string)entity.labels [kuid]
host_ip (string - addr)entity.ip
domain (string)entity.domain.name
protocols (array[string] - set[string])entity.network.application_protocol
num_conns (integer - count)metadata.threat.detection_fields [num_conns]
annotations (array[string] - vector of string)metadata.threat.detection_fields [annotations]
last_active_session (string)entity.labels [last_active_session]
last_active_interval (number - interval)entity.labels [last_active_interval]
-
-
-

Field mapping reference: CORELIGHT - known_hosts

The following table lists the log fields of the known_hosts log type and their corresponding UDM fields.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.entity_typeThe metadata.entity_type UDM field is set to IP_ADDRESS.
ts (time)metadata.interval.start_time
duration (number - interval)entity.labels [duration]
kuid (string)entity.labels [kuid]
host_ip (string - addr)entity.ip
conns_opened (integer - count)metadata.threat.detection_fields [conns_opened]
conns_closed (integer - count)metadata.threat.detection_fields [conns_closed]
conns_pending (integer - count)metadata.threat.detection_fields [conns_pending]
long_conns (integer - count)metadata.threat.detection_fields [long_conns]
annotations (array[string] - vector of string)metadata.threat.detection_fields [annotations]
last_active_session (string)entity.labels [last_active_session]
last_active_interval (number - interval)entity.labels [last_active_interval]
-
-
-

Field mapping reference: CORELIGHT - known_names

The following table lists the log fields of the known_names log type and their corresponding UDM fields.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.entity_typeThe metadata.entity_type UDM field is set to RESOURCE.
ts (time)metadata.interval.start_time
duration (number - interval)entity.labels [duration]
kuid (string)entity.labels [kuid]
host_ip (string - addr)entity.ip
hostname (string)entity.hostname
protocols (array[string] - set[string])entity.labels [protocol]
num_conns (integer - count)metadata.threat.detection_fields [num_conns]
annotations (array[string] - vector of string)metadata.threat.detection_fields [annotations]
last_active_session (string)entity.labels [last_active_session]
last_active_interval (number - interval)entity.labels [last_active_interval]
-
-
-

Field mapping reference: CORELIGHT - known_remotes

The following table lists the log fields of the known_remotes log type and their corresponding UDM fields.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.entity_typeThe metadata.entity_type UDM field is set to IP_ADDRESS.
ts (time)metadata.interval.start_time
duration (number - interval)entity.labels [duration]
kuid (string)entity.labels [kuid]
host_ip (string - addr)entity.ip
num_conns (integer - count)metadata.threat.detection_fields [num_conns]
annotations (array[string] - vector of string)metadata.threat.detection_fields [annotations]
-
-
-

Field mapping reference: CORELIGHT - known_services

The following table lists the log fields of the known_services log type and their corresponding UDM fields.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.entity_typeThe metadata.entity_type UDM field is set to RESOURCE.
ts (time)metadata.interval.start_time
duration (number - interval)entity.labels [duration]
kuid (string)entity.labels [kuid]
host_ip (string - addr)entity.ip
port (integer - port)entity.port
protocol (string - enum)entity.network.application_protocol
service (array[string] - vector of string)entity.labels [service]
software (array[string] - set[string])entity.asset.software.name
app (array[string] - set[string])entity.applicationThe app log field is mapped to the entity.application UDM field when the index value in app is equal to 0.

For every other index value, the entity.labels.key UDM field is set to app and the app log field is mapped to the entity.labels.value UDM field.
num_conns (integer - count)metadata.threat.detection_fields [num_conns]
annotations (array[string] - vector of string)metadata.threat.detection_fields [annotations]
last_active_session (string)entity.labels [last_active_session]
last_active_interval (number - interval)entity.labels [last_active_interval]
-
-
-

Field mapping reference: CORELIGHT - known_users

The following table lists the log fields of the known_users log type and their corresponding UDM fields.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.entity_typeThe metadata.entity_type UDM field is set to RESOURCE.
ts (time)metadata.interval.start_time
duration (number - interval)entity.labels [duration]
kuid (string)entity.labels [kuid]
host_ip (string - addr)entity.ip
remote_ip (string - addr)entity.ip
user (string)entity.user.user_display_name
protocol (string)entity.labels [protocol]
num_conns (integer - count)metadata.threat.detection_fields [num_conns]
annotations (array[string] - vector of string)metadata.threat.detection_fields [annotations]
last_active_session (string)entity.labels [last_active_session]
last_active_interval (number - interval)entity.labels [last_active_interval]
-
-
-

Field mapping reference: CORELIGHT - s7comm

The following table lists the log fields of the s7comm log type and their corresponding UDM fields.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
rosctr (string)about.labels [rosctr]
parameter (array[string] - vector of string)about.labels [parameter]
item_count (integer - count)about.labels [item_count]
data_info (array[string] - vector of string)about.labels [data_info]
-
-
-

Field mapping reference: CORELIGHT - smartpcap

The following table lists the log fields of the smartpcap log type and their corresponding UDM fields.
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Smartpcap.
logstr (string)metadata.description
-
-
-

Field mapping reference: CORELIGHT - snmp

The following table lists the log fields of the snmp log type and their corresponding UDM fields.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to zeek.
duration (number - interval)network.session_duration
version (string)network.application_protocol_version
community (string)about.labels [community]
get_requests (integer - count)about.labels [get_requests]
get_bulk_requests (integer - count)about.labels [get_bulk_requests]
get_responses (integer - count)about.labels [get_responses]
set_requests (integer - count)about.labels [set_requests]
display_string (string)about.labels [display_string]
up_since (time)target.asset.last_boot_time
-
-
-

Field mapping reference: CORELIGHT - socks

The following table lists the log fields of the socks log type and their corresponding UDM fields.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_nameThe metadata.product_name UDM field is set to zeek.
version (integer - count)network.application_protocol_version
user (string)principal.user.userid
password (string)extensions.auth.auth_details
status (string)about.labels [status]
request.host (string - addr)target.ip
request.name (string)target.hostname
request_p (integer - port)target.labels [request_p]
bound.host (string - addr)intermediary.ip
bound.name (string)intermediary.hostname
bound_p (integer - port)intermediary.port
-
-
-

Field mapping reference: CORELIGHT - software

The following table lists the log fields of the software log type and their corresponding UDM fields.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to zeek.
host (string - addr)target.asset.ip
host_p (integer - port)target.port
software_type (string - enum)target.asset.software.description
name (string)target.asset.software.name
version.major (integer - count)target.asset.software.version
version.minor (integer - count)target.asset.attribute.labels [version_minor]
version.minor2 (integer - count)target.asset.attribute.labels [version_minor2]
version.minor3 (integer - count)target.asset.attribute.labels [version_minor3]
version.addl (string)target.asset.attribute.labels [version_addl]
unparsed_version (string)target.asset.attribute.labels [unparsed_version]
-
-
-

Field mapping reference: CORELIGHT - specific_dns_tunnels

The following table lists the log fields of the specific_dns_tunnels log type and their corresponding UDM fields.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_DNS.
metadata.product_nameThe metadata.product_name UDM field is set to zeek.
network.application_protocolThe network.application_protocol UDM field is set to DNS.
trans_id (integer - count)network.dns.id
dns_client (string - addr)principal.ip
resolver (string - addr)target.ip
query (string)network.dns.questions.name
program (string - enum)principal.application
session_id (integer - count)network.session_id
detection (string)security_result.description
sods_id (integer - count)about.labels [sods_id]
-
-
-

Field mapping reference: CORELIGHT - stepping

The following table lists the log fields of the stepping log type and their corresponding UDM fields.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_nameThe metadata.product_name UDM field is set to zeek.
dt (number - interval)about.labels [dt]
uid1 (string)about.labels [uid1]
uid2 (string)about.labels [uid2]
direct (boolean - bool)about.labels [direct]
client1_h (string - addr)principal.ip
client1_p (integer - port)principal.port
server1_h (string - addr)intermediary.ip
server1_p (integer - port)intermediary.port
client2_h (string - addr)intermediary.ip
client2_p (integer - port)intermediary.port
server2_h (string - addr)target.ip
server2_p (integer - port)target.port
-
-
-

Field mapping reference: CORELIGHT - stun

The following table lists the log fields of the stun log type and their corresponding UDM fields.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_nameThe metadata.product_name UDM field is set to zeek.
proto (string - enum)network.ip_protocol
is_orig (boolean - bool)about.labels [is_orig]
trans_id (string)network.session_id
method (string)about.labels [method]
class (string)about.labels [class]
attr_types (array[string] - vector of string)about.labels.key
attr_vals (array[string] - vector of string)about.labels.value
-
-
-

Field mapping reference: CORELIGHT - stun_nat

The following table lists the log fields of the stun_nat log type and their corresponding UDM fields.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_nameThe metadata.product_name UDM field is set to zeek.
proto (string - enum)network.ip_protocol
is_orig (boolean - bool)about.labels [is_orig]
wan_addrs (array[string] - vector of addr)principal.nat_ip
wan_ports (array[integer] - vector of count)principal.nat_portThe wan_ports log field is mapped to the principal.nat_port UDM field when the index value in wan_ports is equal to 0.

For every other index value, the principal.labels.key UDM field is set to wan_port and the wan_ports log field is mapped to the principal.labels.value UDM field.
lan_addrs (array[string] - vector of addr)principal.ip
-
-
-

Field mapping reference: CORELIGHT - suricata_stats

The following table lists the log fields of the suricata_stats log type and their corresponding UDM fields.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Suricata.
raw_mgmtabout.labels [raw_mgmt]
timestamp(time)metadata.event_timestamp
event_type(string)about.labels [event_type]
stats.uptime(integer)about.labels [stats_uptime]
stats.napa_total.pkts(integer)about.labels [stats_napa_total_pkts]
stats.napa_total.byte(integer)about.labels [stats_napa_total_byte]
stats.napa_total.overflow_drop_pkts(integer)about.labels [stats_napa_total_overflow_drop_pkts]
stats.napa_total.overflow_drop_byte(integer)about.labels [stats_napa_total_overflow_drop_byte]
stats.napa_dispatch_host.pkts(integer)about.labels [stats_napa_dispatch_host_pkts]
stats.napa_dispatch_host.byte(integer)about.labels [stats_napa_dispatch_host_byte]
stats.napa_dispatch_drop.pkts(integer)about.labels [stats_napa_dispatch_drop_pkts]
stats.napa_dispatch_drop.byte(integer)about.labels [stats_napa_dispatch_drop_byte]
stats.decoder.pkts(integer)about.labels [stats_decoder_pkts]
stats.decoder.bytes(integer)about.labels [stats_decoder_bytes]
stats.decoder.invalid(integer)about.labels [stats_decoder_invalid]
stats.decoder.ipv4(integer)about.labels [stats_decoder_ipv4]
stats.decoder.ipv6(integer)about.labels [stats_decoder_ipv6]
stats.decoder.ethernet(integer)about.labels [stats_decoder_ethernet]
stats.decoder.chdlc(integer)about.labels [stats_decoder_chdlc]
stats.decoder.raw(integer)about.labels [stats_decoder_raw]
stats.decoder.null(integer)about.labels [stats_decoder_null]
stats.decoder.sll(integer)about.labels [stats_decoder_sll]
stats.decoder.tcp(integer)about.labels [stats_decoder_tcp]
stats.decoder.udp(integer)about.labels [stats_decoder_udp]
stats.decoder.sctp(integer)about.labels [stats_decoder_sctp]
stats.decoder.icmpv4(integer)about.labels [stats_decoder_icmpv4]
stats.decoder.icmpv6(integer)about.labels [stats_decoder_icmpv6]
stats.decoder.ppp(integer)about.labels [stats_decoder_ppp]
stats.decoder.pppoe(integer)about.labels [stats_decoder_pppoe]
stats.decoder.geneve(integer)about.labels [stats_decoder_geneve]
stats.decoder.gre(integer)about.labels [stats_decoder_gre]
stats.decoder.vlan(integer)about.labels [stats_decoder_vlan]
stats.decoder.vlan_qinq(integer)about.labels [stats_decoder_vlan_qinq]
stats.decoder.vxlan(integer)about.labels [stats_decoder_vxlan]
stats.decoder.vntag(integer)about.labels [stats_decoder_vntag]
stats.decoder.ieee8021ah(integer)about.labels [stats_decoder_ieee8021ah]
stats.decoder.teredo(integer)about.labels [stats_decoder_teredo]
stats.decoder.ipv4_in_ipv6(integer)about.labels [stats_decoder_ipv4_in_ipv6]
stats.decoder.ipv6_in_ipv6(integer)about.labels [stats_decoder_ipv6_in_ipv6]
stats.decoder.mpls(integer)about.labels [stats_decoder_mpls]
stats.decoder.avg_pkt_size(integer)about.labels [stats_decoder_avg_pkt_size]
stats.decoder.max_pkt_size(integer)about.labels [stats_decoder_max_pkt_size]
stats.decoder.max_mac_addrs_src(integer)about.labels [stats_decoder_max_mac_addrs_src]
stats.decoder.max_mac_addrs_dst(integer)about.labels [stats_decoder_max_mac_addrs_dst]
stats.decoder.erspan(integer)about.labels [stats_decoder_erspan]
stats.decoder.event.ipv4.pkt_too_small(integer)about.labels [stats_decoder_event_ipv4_pkt_too_small]
stats.decoder.event.ipv4.hlen_too_small(integer)about.labels [stats_decoder_event_ipv4_hlen_too_small]
stats.decoder.event.ipv4.iplen_smaller_than_hlen(integer)about.labels [stats_decoder_event_ipv4_iplen_smaller_than_hlen]
stats.decoder.event.ipv4.trunc_pkt(integer)about.labels [stats_decoder_event_ipv4_trunc_pkt]
stats.decoder.event.ipv4.opt_invalid(integer)about.labels [stats_decoder_event_ipv4_opt_invalid]
stats.decoder.event.ipv4.opt_invalid_len(integer)about.labels [stats_decoder_event_ipv4_opt_invalid_len]
stats.decoder.event.ipv4.opt_malformed(integer)about.labels [stats_decoder_event_ipv4_opt_malformed]
stats.decoder.event.ipv4.opt_pad_required(integer)about.labels [stats_decoder_event_ipv4_opt_pad_required]
stats.decoder.event.ipv4.opt_eol_required(integer)about.labels [stats_decoder_event_ipv4_opt_eol_required]
stats.decoder.event.ipv4.opt_duplicate(integer)about.labels [stats_decoder_event_ipv4_opt_duplicate]
stats.decoder.event.ipv4.opt_unknown(integer)about.labels [stats_decoder_event_ipv4_opt_unknown]
stats.decoder.event.ipv4.wrong_ip_version(integer)about.labels [stats_decoder_event_ipv4_wrong_ip_version]
stats.decoder.event.ipv4.icmpv6(integer)about.labels [stats_decoder_event_ipv4_icmpv6]
stats.decoder.event.ipv4.frag_pkt_too_large(integer)about.labels [stats_decoder_event_ipv4_frag_pkt_too_large]
stats.decoder.event.ipv4.frag_overlap(integer)about.labels [stats_decoder_event_ipv4_frag_overlap]
stats.decoder.event.ipv4.frag_ignored(integer)about.labels [stats_decoder_event_ipv4_frag_ignored]
stats.decoder.event.icmpv4.pkt_too_small(integer)about.labels [stats_decoder_event_icmpv4_pkt_too_small]
stats.decoder.event.icmpv4.unknown_type(integer)about.labels [stats_decoder_event_icmpv4_unknown_type]
stats.decoder.event.icmpv4.unknown_code(integer)about.labels [stats_decoder_event_icmpv4_unknown_code]
stats.decoder.event.icmpv4.ipv4_trunc_pkt(integer)about.labels [stats_decoder_event_icmpv4_ipv4_trunc_pkt]
stats.decoder.event.icmpv4.ipv4_unknown_ver(integer)about.labels [stats_decoder_event_icmpv4_ipv4_unknown_ver]
stats.decoder.event.icmpv6.unknown_type(integer)about.labels [stats_decoder_event_icmpv6_unknown_type]
stats.decoder.event.icmpv6.unknown_code(integer)about.labels [stats_decoder_event_icmpv6_unknown_code]
stats.decoder.event.icmpv6.pkt_too_small(integer)about.labels [stats_decoder_event_icmpv6_pkt_too_small]
stats.decoder.event.icmpv6.ipv6_unknown_version(integer)about.labels [stats_decoder_event_icmpv6_ipv6_unknown_version]
stats.decoder.event.icmpv6.ipv6_trunc_pkt(integer)about.labels [stats_decoder_event_icmpv6_ipv6_trunc_pkt]
stats.decoder.event.icmpv6.mld_message_with_invalid_hl(integer)about.labels [stats_decoder_event_icmpv6_mld_message_with_invalid_hl]
stats.decoder.event.icmpv6.unassigned_type(integer)about.labels [stats_decoder_event_icmpv6_unassigned_type]
stats.decoder.event.icmpv6.experimentation_type(integer)about.labels [stats_decoder_event_icmpv6_experimentation_type]
stats.decoder.event.ipv6.pkt_too_small(integer)about.labels [stats_decoder_event_ipv6_pkt_too_small]
stats.decoder.event.ipv6.trunc_pkt(integer)about.labels [stats_decoder_event_ipv6_trunc_pkt]
stats.decoder.event.ipv6.trunc_exthdr(integer)about.labels [stats_decoder_event_ipv6_trunc_exthdr]
stats.decoder.event.ipv6.exthdr_dupl_fh(integer)about.labels [stats_decoder_event_ipv6_exthdr_dupl_fh]
stats.decoder.event.ipv6.exthdr_useless_fh(integer)about.labels [stats_decoder_event_ipv6_exthdr_useless_fh]
stats.decoder.event.ipv6.exthdr_dupl_rh(integer)about.labels [stats_decoder_event_ipv6_exthdr_dupl_rh]
stats.decoder.event.ipv6.exthdr_dupl_hh(integer)about.labels [stats_decoder_event_ipv6_exthdr_dupl_hh]
stats.decoder.event.ipv6.exthdr_dupl_dh(integer)about.labels [stats_decoder_event_ipv6_exthdr_dupl_dh]
stats.decoder.event.ipv6.exthdr_dupl_ah(integer)about.labels [stats_decoder_event_ipv6_exthdr_dupl_ah]
stats.decoder.event.ipv6.exthdr_dupl_eh(integer)about.labels [stats_decoder_event_ipv6_exthdr_dupl_eh]
stats.decoder.event.ipv6.exthdr_invalid_optlen(integer)about.labels [stats_decoder_event_ipv6_exthdr_invalid_optlen]
stats.decoder.event.ipv6.wrong_ip_version(integer)about.labels [stats_decoder_event_ipv6_wrong_ip_version]
stats.decoder.event.ipv6.exthdr_ah_res_not_null(integer)about.labels [stats_decoder_event_ipv6_exthdr_ah_res_not_null]
stats.decoder.event.ipv6.hopopts_unknown_opt(integer)about.labels [stats_decoder_event_ipv6_hopopts_unknown_opt]
stats.decoder.event.ipv6.hopopts_only_padding(integer)about.labels [stats_decoder_event_ipv6_hopopts_only_padding]
stats.decoder.event.ipv6.dstopts_unknown_opt(integer)about.labels [stats_decoder_event_ipv6_dstopts_unknown_opt]
stats.decoder.event.ipv6.dstopts_only_padding(integer)about.labels [stats_decoder_event_ipv6_dstopts_only_padding]
stats.decoder.event.ipv6.rh_type_0(integer)about.labels [stats_decoder_event_ipv6_rh_type_0]
stats.decoder.event.ipv6.zero_len_padn(integer)about.labels [stats_decoder_event_ipv6_zero_len_padn]
stats.decoder.event.ipv6.fh_non_zero_reserved_field(integer)about.labels [stats_decoder_event_ipv6_fh_non_zero_reserved_field]
stats.decoder.event.ipv6.data_after_none_header(integer)about.labels [stats_decoder_event_ipv6_data_after_none_header]
stats.decoder.event.ipv6.unknown_next_header(integer)about.labels [stats_decoder_event_ipv6_unknown_next_header]
stats.decoder.event.ipv6.icmpv4(integer)about.labels [stats_decoder_event_ipv6_icmpv4]
stats.decoder.event.ipv6.frag_pkt_too_large(integer)about.labels [stats_decoder_event_ipv6_frag_pkt_too_large]
stats.decoder.event.ipv6.frag_overlap(integer)about.labels [stats_decoder_event_ipv6_frag_overlap]
stats.decoder.event.ipv6.frag_invalid_length(integer)about.labels [stats_decoder_event_ipv6_frag_invalid_length]
stats.decoder.event.ipv6.frag_ignored(integer)about.labels [stats_decoder_event_ipv6_frag_ignored]
stats.decoder.event.ipv6.ipv4_in_ipv6_too_small(integer)about.labels [stats_decoder_event_ipv6_ipv4_in_ipv6_too_small]
stats.decoder.event.ipv6.ipv4_in_ipv6_wrong_version(integer)about.labels [stats_decoder_event_ipv6_ipv4_in_ipv6_wrong_version]
stats.decoder.event.ipv6.ipv6_in_ipv6_too_small(integer)about.labels [stats_decoder_event_ipv6_ipv6_in_ipv6_too_small]
stats.decoder.event.ipv6.ipv6_in_ipv6_wrong_version(integer)about.labels [stats_decoder_event_ipv6_ipv6_in_ipv6_wrong_version]
stats.decoder.event.tcp.pkt_too_small(integer)about.labels [stats_decoder_event_tcp_pkt_too_small]
stats.decoder.event.tcp.hlen_too_small(integer)about.labels [stats_decoder_event_tcp_hlen_too_small]
stats.decoder.event.tcp.invalid_optlen(integer)about.labels [stats_decoder_event_tcp_invalid_optlen]
stats.decoder.event.tcp.opt_invalid_len(integer)about.labels [stats_decoder_event_tcp_opt_invalid_len]
stats.decoder.event.tcp.opt_duplicate(integer)about.labels [stats_decoder_event_tcp_opt_duplicate]
stats.decoder.event.udp.pkt_too_small(integer)about.labels [stats_decoder_event_udp_pkt_too_small]
stats.decoder.event.udp.hlen_too_small(integer)about.labels [stats_decoder_event_udp_hlen_too_small]
stats.decoder.event.udp.hlen_invalid(integer)about.labels [stats_decoder_event_udp_hlen_invalid]
stats.decoder.event.udp.len_invalid(integer)about.labels [stats_decoder_event_udp_len_invalid]
stats.decoder.event.sll.pkt_too_small(integer)about.labels [stats_decoder_event_sll_pkt_too_small]
stats.decoder.event.ethernet.pkt_too_small(integer)about.labels [stats_decoder_event_ethernet_pkt_too_small]
stats.decoder.event.ppp.pkt_too_small(integer)about.labels [stats_decoder_event_ppp_pkt_too_small]
stats.decoder.event.ppp.vju_pkt_too_small(integer)about.labels [stats_decoder_event_ppp_vju_pkt_too_small]
stats.decoder.event.ppp.ip4_pkt_too_small(integer)about.labels [stats_decoder_event_ppp_ip4_pkt_too_small]
stats.decoder.event.ppp.ip6_pkt_too_small(integer)about.labels [stats_decoder_event_ppp_ip6_pkt_too_small]
stats.decoder.event.ppp.wrong_type(integer)about.labels [stats_decoder_event_ppp_wrong_type]
stats.decoder.event.ppp.unsup_proto(integer)about.labels [stats_decoder_event_ppp_unsup_proto]
stats.decoder.event.pppoe.pkt_too_small(integer)about.labels [stats_decoder_event_pppoe_pkt_too_small]
stats.decoder.event.pppoe.wrong_code(integer)about.labels [stats_decoder_event_pppoe_wrong_code]
stats.decoder.event.pppoe.malformed_tags(integer)about.labels [stats_decoder_event_pppoe_malformed_tags]
stats.decoder.event.gre.pkt_too_small(integer)about.labels [stats_decoder_event_gre_pkt_too_small]
stats.decoder.event.gre.wrong_version(integer)about.labels [stats_decoder_event_gre_wrong_version]
stats.decoder.event.gre.version0_recur(integer)about.labels [stats_decoder_event_gre_version0_recur]
stats.decoder.event.gre.version0_flags(integer)about.labels [stats_decoder_event_gre_version0_flags]
stats.decoder.event.gre.version0_hdr_too_big(integer)about.labels [stats_decoder_event_gre_version0_hdr_too_big]
stats.decoder.event.gre.version0_malformed_sre_hdr(integer)about.labels [stats_decoder_event_gre_version0_malformed_sre_hdr]
stats.decoder.event.gre.version1_chksum(integer)about.labels [stats_decoder_event_gre_version1_chksum]
stats.decoder.event.gre.version1_route(integer)about.labels [stats_decoder_event_gre_version1_route]
stats.decoder.event.gre.version1_ssr(integer)about.labels [stats_decoder_event_gre_version1_ssr]
stats.decoder.event.gre.version1_recur(integer)about.labels [stats_decoder_event_gre_version1_recur]
stats.decoder.event.gre.version1_flags(integer)about.labels [stats_decoder_event_gre_version1_flags]
stats.decoder.event.gre.version1_no_key(integer)about.labels [stats_decoder_event_gre_version1_no_key]
stats.decoder.event.gre.version1_wrong_protocol(integer)about.labels [stats_decoder_event_gre_version1_wrong_protocol]
stats.decoder.event.gre.version1_malformed_sre_hdr(integer)about.labels [stats_decoder_event_gre_version1_malformed_sre_hdr]
stats.decoder.event.gre.version1_hdr_too_big(integer)about.labels [stats_decoder_event_gre_version1_hdr_too_big]
stats.decoder.event.vlan.header_too_small(integer)about.labels [stats_decoder_event_vlan_header_too_small]
stats.decoder.event.vlan.unknown_type(integer)about.labels [stats_decoder_event_vlan_unknown_type]
stats.decoder.event.vlan.too_many_layers(integer)about.labels [stats_decoder_event_vlan_too_many_layers]
stats.decoder.event.ieee8021ah.header_too_small(integer)about.labels [stats_decoder_event_ieee8021ah_header_too_small]
stats.decoder.event.vntag.header_too_small(integer)about.labels [stats_decoder_event_vntag_header_too_small]
stats.decoder.event.vntag.unknown_type(integer)about.labels [stats_decoder_event_vntag_unknown_type]
stats.decoder.event.ipraw.invalid_ip_version(integer)about.labels [stats_decoder_event_ipraw_invalid_ip_version]
stats.decoder.event.ltnull.pkt_too_small(integer)about.labels [stats_decoder_event_ltnull_pkt_too_small]
stats.decoder.event.ltnull.unsupported_type(integer)about.labels [stats_decoder_event_ltnull_unsupported_type]
stats.decoder.event.sctp.pkt_too_small(integer)about.labels [stats_decoder_event_sctp_pkt_too_small]
stats.decoder.event.mpls.header_too_small(integer)about.labels [stats_decoder_event_mpls_header_too_small]
stats.decoder.event.mpls.pkt_too_small(integer)about.labels [stats_decoder_event_mpls_pkt_too_small]
stats.decoder.event.mpls.bad_label_router_alert(integer)about.labels [stats_decoder_event_mpls_bad_label_router_alert]
stats.decoder.event.mpls.bad_label_implicit_null(integer)about.labels [stats_decoder_event_mpls_bad_label_implicit_null]
stats.decoder.event.mpls.bad_label_reserved(integer)about.labels [stats_decoder_event_mpls_bad_label_reserved]
stats.decoder.event.mpls.unknown_payload_type(integer)about.labels [stats_decoder_event_mpls_unknown_payload_type]
stats.decoder.event.vxlan.unknown_payload_type(integer)about.labels [stats_decoder_event_vxlan_unknown_payload_type]
stats.decoder.event.geneve.unknown_payload_type(integer)about.labels [stats_decoder_event_geneve_unknown_payload_type]
stats.decoder.event.erspan.header_too_small(integer)about.labels [stats_decoder_event_erspan_header_too_small]
stats.decoder.event.erspan.unsupported_version(integer)about.labels [stats_decoder_event_erspan_unsupported_version]
stats.decoder.event.erspan.too_many_vlan_layers(integer)about.labels [stats_decoder_event_erspan_too_many_vlan_layers]
stats.decoder.event.dce.pkt_too_small(integer)about.labels [stats_decoder_event_dce_pkt_too_small]
stats.decoder.event.chdlc.pkt_too_small(integer)about.labels [stats_decoder_event_chdlc_pkt_too_small]
stats.decoder.too_many_layers(integer)about.labels [stats_decoder_too_many_layers]
stats.flow.memcap(integer)about.labels [stats_flow_memcap]
stats.flow.tcp(integer)about.labels [stats_flow_tcp]
stats.flow.udp(integer)about.labels [stats_flow_udp]
stats.flow.icmpv4(integer)about.labels [stats_flow_icmpv4]
stats.flow.icmpv6(integer)about.labels [stats_flow_icmpv6]
stats.flow.tcp_reuse(integer)about.labels [stats_flow_tcp_reuse]
stats.flow.get_used(integer)about.labels [stats_flow_get_used]
stats.flow.get_used_eval(integer)about.labels [stats_flow_get_used_eval]
stats.flow.get_used_eval_reject(integer)about.labels [stats_flow_get_used_eval_reject]
stats.flow.get_used_eval_busy(integer)about.labels [stats_flow_get_used_eval_busy]
stats.flow.get_used_failed(integer)about.labels [stats_flow_get_used_failed]
stats.flow.wrk.spare_sync_avg(integer)about.labels [stats_flow_wrk_spare_sync_avg]
stats.flow.wrk.spare_sync(integer)about.labels [stats_flow_wrk_spare_sync]
stats.flow.wrk.spare_sync_incomplete(integer)about.labels [stats_flow_wrk_spare_sync_incomplete]
stats.flow.wrk.spare_sync_empty(integer)about.labels [stats_flow_wrk_spare_sync_empty]
stats.flow.wrk.flows_evicted_needs_work(integer)about.labels [stats_flow_wrk_flows_evicted_needs_work]
stats.flow.wrk.flows_evicted_pkt_inject(integer)about.labels [stats_flow_wrk_flows_evicted_pkt_inject]
stats.flow.wrk.flows_evicted(integer)about.labels [stats_flow_wrk_flows_evicted]
stats.flow.wrk.flows_injected(integer)about.labels [stats_flow_wrk_flows_injected]
stats.flow.mgr.full_hash_pass(integer)about.labels [stats_flow_mgr_full_hash_pass]
stats.flow.mgr.closed_pruned(integer)about.labels [stats_flow_mgr_closed_pruned]
stats.flow.mgr.new_pruned(integer)about.labels [stats_flow_mgr_new_pruned]
stats.flow.mgr.est_pruned(integer)about.labels [stats_flow_mgr_est_pruned]
stats.flow.mgr.bypassed_pruned(integer)about.labels [stats_flow_mgr_bypassed_pruned]
stats.flow.mgr.rows_maxlen(integer)about.labels [stats_flow_mgr_rows_maxlen]
stats.flow.mgr.flows_checked(integer)about.labels [stats_flow_mgr_flows_checked]
stats.flow.mgr.flows_notimeout(integer)about.labels [stats_flow_mgr_flows_notimeout]
stats.flow.mgr.flows_timeout(integer)about.labels [stats_flow_mgr_flows_timeout]
stats.flow.mgr.flows_timeout_inuse(integer)about.labels [stats_flow_mgr_flows_timeout_inuse]
stats.flow.mgr.flows_evicted(integer)about.labels [stats_flow_mgr_flows_evicted]
stats.flow.mgr.flows_evicted_needs_work(integer)about.labels [stats_flow_mgr_flows_evicted_needs_work]
stats.flow.spare(integer)about.labels [stats_flow_spare]
stats.flow.emerg_mode_entered(integer)about.labels [stats_flow_emerg_mode_entered]
stats.flow.emerg_mode_over(integer)about.labels [stats_flow_emerg_mode_over]
stats.flow.memuse(integer)about.labels [stats_flow_memuse]
stats.defrag.ipv4.fragments(integer)about.labels [stats_defrag_ipv4_fragments]
stats.defrag.ipv4.reassembled(integer)about.labels [stats_defrag_ipv4_reassembled]
stats.defrag.ipv4.timeouts(integer)about.labels [stats_defrag_ipv4_timeouts]
stats.defrag.ipv6.fragments(integer)about.labels [stats_defrag_ipv6_fragments]
stats.defrag.ipv6.reassembled(integer)about.labels [stats_defrag_ipv6_reassembled]
stats.defrag.ipv6.timeouts(integer)about.labels [stats_defrag_ipv6_timeouts]
stats.defrag.max_frag_hits(integer)about.labels [stats_defrag_max_frag_hits]
stats.flow_bypassed.local_pkts(integer)about.labels [stats_flow_bypassed_local_pkts]
stats.flow_bypassed.local_bytes(integer)about.labels [stats_flow_bypassed_local_bytes]
stats.flow_bypassed.local_capture_pkts(integer)about.labels [stats_flow_bypassed_local_capture_pkts]
stats.flow_bypassed.local_capture_bytes(integer)about.labels [stats_flow_bypassed_local_capture_bytes]
stats.flow_bypassed.closed(integer)about.labels [stats_flow_bypassed_closed]
stats.flow_bypassed.pkts(integer)about.labels [stats_flow_bypassed_pkts]
stats.flow_bypassed.bytes(integer)about.labels [stats_flow_bypassed_bytes]
stats.tcp.sessions(integer)about.labels [stats_tcp_sessions]
stats.tcp.ssn_memcap_drop(integer)about.labels [stats_tcp_ssn_memcap_drop]
stats.tcp.pseudo(integer)about.labels [stats_tcp_pseudo]
stats.tcp.pseudo_failed(integer)about.labels [stats_tcp_pseudo_failed]
stats.tcp.invalid_checksum(integer)about.labels [stats_tcp_invalid_checksum]
stats.tcp.no_flow(integer)about.labels [stats_tcp_no_flow]
stats.tcp.syn(integer)about.labels [stats_tcp_syn]
stats.tcp.synack(integer)about.labels [stats_tcp_synack]
stats.tcp.rst(integer)about.labels [stats_tcp_rst]
stats.tcp.midstream_pickups(integer)about.labels [stats_tcp_midstream_pickups]
stats.tcp.pkt_on_wrong_thread(integer)about.labels [stats_tcp_pkt_on_wrong_thread]
stats.tcp.segment_memcap_drop(integer)about.labels [stats_tcp_segment_memcap_drop]
stats.tcp.stream_depth_reached(integer)about.labels [stats_tcp_stream_depth_reached]
stats.tcp.reassembly_gap(integer)about.labels [stats_tcp_reassembly_gap]
stats.tcp.overlap(integer)about.labels [stats_tcp_overlap]
stats.tcp.overlap_diff_data(integer)about.labels [stats_tcp_overlap_diff_data]
stats.tcp.insert_data_normal_fail(integer)about.labels [stats_tcp_insert_data_normal_fail]
stats.tcp.insert_data_overlap_fail(integer)about.labels [stats_tcp_insert_data_overlap_fail]
stats.tcp.insert_list_fail(integer)about.labels [stats_tcp_insert_list_fail]
stats.tcp.memuse(integer)about.labels [stats_tcp_memuse]
stats.tcp.reassembly_memuse(integer)about.labels [stats_tcp_reassembly_memuse]
stats.detect.engines.id(array)about.labels [stats_detect_engines_id]
stats.detect.engines.last_reload(array)about.labels [stats_detect_engines_last_reload]
stats.detect.engines.rules_loaded(array)about.labels [stats_detect_engines_rules_loaded]
stats.detect.engines.rules_failed(array)about.labels [stats_detect_engines_rules_failed]
stats.detect.alert(integer)about.labels [stats_detect_alert]
stats.detect.alert_queue_overflow(integer)about.labels [stats_detect_alert_queue_overflow]
stats.detect.alerts_suppressed(integer)about.labels [stats_detect_alerts_suppressed]
stats.app_layer.flow.http(integer)about.labels [stats_app_layer_flow_http]
stats.app_layer.flow.ftp(integer)about.labels [stats_app_layer_flow_ftp]
stats.app_layer.flow.smtp(integer)about.labels [stats_app_layer_flow_smtp]
stats.app_layer.flow.tls(integer)about.labels [stats_app_layer_flow_tls]
stats.app_layer.flow.ssh(integer)about.labels [stats_app_layer_flow_ssh]
stats.app_layer.flow.imap(integer)about.labels [stats_app_layer_flow_imap]
stats.app_layer.flow.smb(integer)about.labels [stats_app_layer_flow_smb]
stats.app_layer.flow.dcerpc_tcp(integer)about.labels [stats_app_layer_flow_dcerpc_tcp]
stats.app_layer.flow.dns_tcp(integer)about.labels [stats_app_layer_flow_dns_tcp]
stats.app_layer.flow.nfs_tcp(integer)about.labels [stats_app_layer_flow_nfs_tcp]
stats.app_layer.flow.ntp(integer)about.labels [stats_app_layer_flow_ntp]
stats.app_layer.flow.ftp-data(integer)about.labels [stats_app_layer_flow_ftp-data]
stats.app_layer.flow.tftp(integer)about.labels [stats_app_layer_flow_tftp]
stats.app_layer.flow.ikev2(integer)about.labels [stats_app_layer_flow_ikev2]
stats.app_layer.flow.krb5_tcp(integer)about.labels [stats_app_layer_flow_krb5_tcp]
stats.app_layer.flow.dhcp(integer)about.labels [stats_app_layer_flow_dhcp]
stats.app_layer.flow.rfb(integer)about.labels [stats_app_layer_flow_rfb]
stats.app_layer.flow.rdp(integer)about.labels [stats_app_layer_flow_rdp]
stats.app_layer.flow.failed_tcp(integer)about.labels [stats_app_layer_flow_failed_tcp]
stats.app_layer.flow.dcerpc_udp(integer)about.labels [stats_app_layer_flow_dcerpc_udp]
stats.app_layer.flow.dns_udp(integer)about.labels [stats_app_layer_flow_dns_udp]
stats.app_layer.flow.nfs_udp(integer)about.labels [stats_app_layer_flow_nfs_udp]
stats.app_layer.flow.krb5_udp(integer)about.labels [stats_app_layer_flow_krb5_udp]
stats.app_layer.flow.failed_udp(integer)about.labels [stats_app_layer_flow_failed_udp]
stats.app_layer.tx.http(integer)about.labels [stats_app_layer_tx_http]
stats.app_layer.tx.ftp(integer)about.labels [stats_app_layer_tx_ftp]
stats.app_layer.tx.smtp(integer)about.labels [stats_app_layer_tx_smtp]
stats.app_layer.tx.tls(integer)about.labels [stats_app_layer_tx_tls]
stats.app_layer.tx.ssh(integer)about.labels [stats_app_layer_tx_ssh]
stats.app_layer.tx.imap(integer)about.labels [stats_app_layer_tx_imap]
stats.app_layer.tx.smb(integer)about.labels [stats_app_layer_tx_smb]
stats.app_layer.tx.dcerpc_tcp(integer)about.labels [stats_app_layer_tx_dcerpc_tcp]
stats.app_layer.tx.dns_tcp(integer)about.labels [stats_app_layer_tx_dns_tcp]
stats.app_layer.tx.nfs_tcp(integer)about.labels [stats_app_layer_tx_nfs_tcp]
stats.app_layer.tx.ntp(integer)about.labels [stats_app_layer_tx_ntp]
stats.app_layer.tx.ftp-data(integer)about.labels [stats_app_layer_tx_ftp-data]
stats.app_layer.tx.tftp(integer)about.labels [stats_app_layer_tx_tftp]
stats.app_layer.tx.ikev2(integer)about.labels [stats_app_layer_tx_ikev2]
stats.app_layer.tx.krb5_tcp(integer)about.labels [stats_app_layer_tx_krb5_tcp]
stats.app_layer.tx.dhcp(integer)about.labels [stats_app_layer_tx_dhcp]
stats.app_layer.tx.rfb(integer)about.labels [stats_app_layer_tx_rfb]
stats.app_layer.tx.rdp(integer)about.labels [stats_app_layer_tx_rdp]
stats.app_layer.tx.dcerpc_udp(integer)about.labels [stats_app_layer_tx_dcerpc_udp]
stats.app_layer.tx.dns_udp(integer)about.labels [stats_app_layer_tx_dns_udp]
stats.app_layer.tx.nfs_udp(integer)about.labels [stats_app_layer_tx_nfs_udp]
stats.app_layer.tx.krb5_udp(integer)about.labels [stats_app_layer_tx_krb5_udp]
stats.app_layer.expectations(integer)about.labels [stats_app_layer_expectations]
stats.http.memuse(integer)about.labels [stats_http_memuse]
stats.http.memcap(integer)about.labels [stats_http_memcap]
stats.ftp.memuse(integer)about.labels [stats_ftp_memuse]
stats.ftp.memcap(integer)about.labels [stats_ftp_memcap]

Field mapping reference: CORELIGHT - logschema

The following table lists the log fields of the logschema log type and their corresponding UDM fields.

| Log field | UDM mapping | Logic |
| --- | --- | --- |
| | metadata.event_type | The metadata.event_type UDM field is set to GENERIC_EVENT. |
| name (string) | about.labels [name] | |
| text (string) | about.labels [text] | |
| schema (string) | about.labels [schema] | |
| avro (string) | about.labels [avro] | |

Field mapping reference: CORELIGHT - corelight_metrics_bro

The following table lists the log fields of the corelight_metrics_bro log type and their corresponding UDM fields.

| Log field | UDM mapping | Logic |
| --- | --- | --- |
| | metadata.event_type | The metadata.event_type UDM field is set to GENERIC_EVENT. |
| | metadata.product_name | The metadata.product_name UDM field is set to zeek. |
| logs.conn.entries.per-second (integer) | about.labels [logs_conn_entries_per_second] | |
| logs.dce_rpc.entries.per-second (integer) | about.labels [logs_dce_rpc_entries_per_second] | |
| logs.dhcp.entries.per-second (integer) | about.labels [logs_dhcp_entries_per_second] | |
| logs.dnp3.entries.per-second (integer) | about.labels [logs_dnp3_entries_per_second] | |
| logs.dns.entries.per-second (integer) | about.labels [logs_dns_entries_per_second] | |
| logs.dpd.entries.per-second (integer) | about.labels [logs_dpd_entries_per_second] | |
| logs.files.entries.per-second (integer) | about.labels [logs_files_entries_per_second] | |
| logs.ftp.entries.per-second (integer) | about.labels [logs_ftp_entries_per_second] | |
| logs.http.entries.per-second (integer) | about.labels [logs_http_entries_per_second] | |
| logs.irc.entries.per-second (integer) | about.labels [logs_irc_entries_per_second] | |
| logs.kerberos.entries.per-second (integer) | about.labels [logs_kerberos_entries_per_second] | |
| logs.modbus.entries.per-second (integer) | about.labels [logs_modbus_entries_per_second] | |
| logs.mysql.entries.per-second (integer) | about.labels [logs_mysql_entries_per_second] | |
| logs.ntlm.entries.per-second (integer) | about.labels [logs_ntlm_entries_per_second] | |
| logs.pe.entries.per-second (integer) | about.labels [logs_pe_entries_per_second] | |
| logs.radius.entries.per-second (integer) | about.labels [logs_radius_entries_per_second] | |
| logs.rdp.entries.per-second (integer) | about.labels [logs_rdp_entries_per_second] | |
| logs.rfb.entries.per-second (integer) | about.labels [logs_rfb_entries_per_second] | |
| logs.sip.entries.per-second (integer) | about.labels [logs_sip_entries_per_second] | |
| logs.smb_files.entries.per-second (integer) | about.labels [logs_smb_files_entries_per_second] | |
| logs.smb_mapping.entries.per-second (integer) | about.labels [logs_smb_mapping_entries_per_second] | |
| logs.smtp.entries.per-second (integer) | about.labels [logs_smtp_entries_per_second] | |
| logs.snmp.entries.per-second (integer) | about.labels [logs_snmp_entries_per_second] | |
| logs.socks.entries.per-second (integer) | about.labels [logs_socks_entries_per_second] | |
| logs.software.entries.per-second (integer) | about.labels [logs_software_entries_per_second] | |
| logs.ssh.entries.per-second (integer) | about.labels [logs_ssh_entries_per_second] | |
| logs.ssl.entries.per-second (integer) | about.labels [logs_ssl_entries_per_second] | |
| logs.syslog.entries.per-second (integer) | about.labels [logs_syslog_entries_per_second] | |
| logs.traceroute.entries.per-second (integer) | about.labels [logs_traceroute_entries_per_second] | |
| logs.tunnel.entries.per-second (integer) | about.labels [logs_tunnel_entries_per_second] | |
| logs.weird.entries.per-second (integer) | about.labels [logs_weird_entries_per_second] | |
| logs.x509.entries.per-second (integer) | about.labels [logs_x509_entries_per_second] | |
| files.per-minute (integer) | about.labels [files_per_minute] | |
| files.queued.s3 (integer) | about.labels [files_queued_s3] | |
| files.queued.sftp (integer) | about.labels [files_queued_sftp] | |
| files.total (integer) | about.labels [files_total] | |
| logs.splunk_export.lag (integer) | about.labels [logs_splunk_export_lag] | |
| logs.syslog_export.lag (integer) | about.labels [logs_syslog_export_lag] | |
| logs.json_export.lag (integer) | about.labels [logs_json_export_lag] | |
| logs.kafka_export.lag (integer) | about.labels [logs_kafka_export_lag] | |
| logs.investigator_export.lag (integer) | about.labels [logs_investigator_export_lag] | |
| logs.kinesis_export.lag (integer) | about.labels [logs_kinesis_export_lag] | |
| logs.hec_export.lag (integer) | about.labels [logs_hec_export_lag] | |
| logs.elasticsearch_export.lag (integer) | about.labels [logs_elasticsearch_export_lag] | |
| cpu (integer) | about.labels [cpu] | |

Field mapping reference: CORELIGHT - corelight_metrics_iface

The following table lists the log fields of the corelight_metrics_iface log type and their corresponding UDM fields.

| Log field | UDM mapping | Logic |
| --- | --- | --- |
| | metadata.event_type | The metadata.event_type UDM field is set to GENERIC_EVENT. |
| | metadata.product_name | The metadata.product_name UDM field is set to zeek. |
| monitor.total.kpps (integer) | about.labels [monitor_total_kpps] | |
| monitor.total.drops.kpps (integer) | about.labels [monitor_total_drops_kpps] | |
| monitor.total.mbps (integer) | about.labels [monitor_total_mbps] | |
| mgmt.in.bytes.mbps (integer) | about.labels [mgmt_in_bytes_mbps] | |
| mgmt.out.bytes.mbps (integer) | about.labels [mgmt_out_bytes_mbps] | |
| mgmt.in.packets.kpps (integer) | about.labels [mgmt_in_packets_kpps] | |
| mgmt.out.packets.kpps (integer) | about.labels [mgmt_out_packets_kpps] | |

Field mapping reference: CORELIGHT - corelight_metrics_system

The following table lists the log fields of the corelight_metrics_system log type and their corresponding UDM fields.

| Log field | UDM mapping | Logic |
| --- | --- | --- |
| | metadata.event_type | The metadata.event_type UDM field is set to GENERIC_EVENT. |
| | metadata.product_name | The metadata.product_name UDM field is set to zeek. |
| cpu.1.temprature (integer) | about.labels [cpu_1_temprature] | |

Field mapping reference: CORELIGHT - corelight_metrics_memory

The following table lists the log fields of the corelight_metrics_memory log type and their corresponding UDM fields.

| Log field | UDM mapping | Logic |
| --- | --- | --- |
| | metadata.event_type | The metadata.event_type UDM field is set to GENERIC_EVENT. |
| | metadata.product_name | The metadata.product_name UDM field is set to zeek. |
| usage (integer) | about.labels [usage] | |

Field mapping reference: CORELIGHT - corelight_metrics_disk

The following table lists the log fields of the corelight_metrics_disk log type and their corresponding UDM fields.

| Log field | UDM mapping | Logic |
| --- | --- | --- |
| | metadata.event_type | The metadata.event_type UDM field is set to GENERIC_EVENT. |
| | metadata.product_name | The metadata.product_name UDM field is set to zeek. |
| usage.data (integer) | about.labels [usage_data] | |
| usage.os (integer) | about.labels [usage_os] | |

Field mapping reference: CORELIGHT - corelight_metrics_zeek_doctor

The following table lists the log fields of the corelight_metrics_zeek_doctor log type and their corresponding UDM fields.

| Log field | UDM mapping | Logic |
| --- | --- | --- |
| | metadata.event_type | The metadata.event_type UDM field is set to GENERIC_EVENT. |
| | metadata.product_name | The metadata.product_name UDM field is set to zeek. |
| check.bursty.percent (integer) | about.labels [check_bursty_percent] | |
| check.dns_half_duplex_orig.percent (integer) | about.labels [check_dns_half_duplex_orig_percent] | |
| check.dns_half_duplex_resp.percent (integer) | about.labels [check_dns_half_duplex_resp_percent] | |
| check.local_to_local.percent (integer) | about.labels [check_local_to_local_percent] | |
| check.remote_to_remote.percent (integer) | about.labels [check_remote_to_remote_percent] | |
| check.tcp_backscatter.percent (integer) | about.labels [check_tcp_backscatter_percent] | |
| check.tcp_byte_counts_wrong.percent (integer) | about.labels [check_tcp_byte_counts_wrong_percent] | |
| check.tcp_half_duplex.percent (integer) | about.labels [check_tcp_half_duplex_percent] | |
| check.tcp_missed_bytes.percent (integer) | about.labels [check_tcp_missed_bytes_percent] | |
| check.tcp_no_ssl_on_443.percent (integer) | about.labels [check_tcp_no_ssl_on_443_percent] | |
| check.tcp_no_three_way_handshake.percent (integer) | about.labels [check_tcp_no_three_way_handshake_percent] | |
| check.tcp_retransmissions.percent (integer) | about.labels [check_tcp_retransmissions_percent] | |
| check.tcp_scan.percent (integer) | about.labels [check_tcp_scan_percent] | |

Field mapping reference: CORELIGHT - analyzer

The following table lists the log fields of the analyzer log type and their corresponding UDM fields.

| Log field | UDM mapping | Logic |
| --- | --- | --- |
| cause (string) | metadata.description | |
| analyzer_kind (string) | additional.fields[analyzer_kind] | |
| analyzer_name (string) | additional.fields[analyzer_name] | |
| fuid (string) | additional.fields[fuid] | |
| failure_reason (string) | security_result.summary | |
| failure_data (string) | security_result.description | |
| | metadata.event_type | The metadata.event_type UDM field is set to SCAN_UNCATEGORIZED. |

Field mapping reference: CORELIGHT - anomaly

The following table lists the log fields of the anomaly log type and their corresponding UDM fields.

| Log field | UDM mapping | Logic |
| --- | --- | --- |
| use_case (string) | security_result.rule_name | |
| use_case_description (string) | security_result.description | |
| entity (string) | additional.fields[entity] | |
| original_entity (string) | additional.fields[original_entity] | |
| entity_training_items (array[string] - vector of string) | additional.fields[entity_training_item] | Iterate through log field entity_training_items, then entity_training_item_%{index} log field is mapped to the additional.fields.key UDM field and entity_training_item log field is mapped to the additional.fields.value UDM field. |
| item (string) | security_result.detection_fields[item] | |
| item_score (number - double) | security_result.detection_fields[item_score] | |
| item_assoc_entities (array[string] - vector of string) | security_result.detection_fields[item_assoc_entities] | Iterate through log field item_assoc_entities, then item_assoc_entities_%{index} log field is mapped to the security_result.detection_fields.key UDM field and item_assoc_entities log field is mapped to the security_result.detection_fields.value UDM field. |
| item_assoc_entities_similarity (array[number] - vector of double) | security_result.detection_fields[item_assoc_entities_similarity] | Iterate through log field item_assoc_entities_similarity, then item_assoc_entities_similarity_%{index} log field is mapped to the security_result.detection_fields.key UDM field and item_assoc_entities_similarity log field is mapped to the security_result.detection_fields.value UDM field. |
| ignorable (boolean - bool) | security_result.detection_fields[ignorable] | |
| history_days (integer - count) | security_result.detection_fields[history_days] | |
| history (number - interval) | security_result.detection_fields[history] | |
| nn1_entities (array[string] - vector of string) | additional.fields[nn1_entities] | Iterate through log field nn1_entities, then nn1_entities_%{index} log field is mapped to the additional.fields.key UDM field and nn1_entities log field is mapped to the additional.fields.value UDM field. |
| nn1_entity_similarity (number - double) | additional.fields[nn1_entity_similarity] | |
| nn1_train_items (array[string] - vector of string) | additional.fields[nn1_train_item] | Iterate through log field nn1_train_items, then nn1_train_item_%{index} log field is mapped to the additional.fields.key UDM field and nn1_train_items log field is mapped to the additional.fields.value UDM field. |
| nn1_pred_items (array[string] - set[string]) | additional.fields[nn1_pred_item] | Iterate through log field nn1_pred_items, then nn1_pred_item_%{index} log field is mapped to the additional.fields.key UDM field and nn1_pred_items log field is mapped to the additional.fields.value UDM field. |
| nn2_entities (array[string] - vector of string) | additional.fields[nn2_entities] | Iterate through log field nn2_entities, then nn2_entities_%{index} log field is mapped to the additional.fields.key UDM field and nn2_entities log field is mapped to the additional.fields.value UDM field. |
| nn2_entity_similarity (number - double) | additional.fields[nn2_entity_similarity] | |
| nn2_train_items (array[string] - vector of string) | additional.fields[nn2_train_item] | Iterate through log field nn2_train_items, then nn2_train_item_%{index} log field is mapped to the additional.fields.key UDM field and nn2_train_items log field is mapped to the additional.fields.value UDM field. |
| nn2_pred_items (array[string] - set[string]) | additional.fields[nn2_pred_item] | Iterate through log field nn2_pred_items, then nn2_pred_item_%{index} log field is mapped to the additional.fields.key UDM field and nn2_pred_items log field is mapped to the additional.fields.value UDM field. |
| nn3_entities (array[string] - vector of string) | additional.fields[nn3_entities] | Iterate through log field nn3_entities, then nn3_entities_%{index} log field is mapped to the additional.fields.key UDM field and nn3_entities log field is mapped to the additional.fields.value UDM field. |
| nn3_entity_similarity (number - double) | additional.fields[nn3_entity_similarity] | |
| nn3_train_items (array[string] - vector of string) | additional.fields[nn3_train_item] | Iterate through log field nn3_train_items, then nn3_train_item_%{index} log field is mapped to the additional.fields.key UDM field and nn3_train_items log field is mapped to the additional.fields.value UDM field. |
| nn3_pred_items (array[string] - set[string]) | additional.fields[nn3_pred_item] | Iterate through log field nn3_pred_items, then nn3_pred_item_%{index} log field is mapped to the additional.fields.key UDM field and nn3_pred_items log field is mapped to the additional.fields.value UDM field. |
| nn4_entities (array[string] - vector of string) | additional.fields[nn4_entities] | Iterate through log field nn4_entities, then nn4_entities_%{index} log field is mapped to the additional.fields.key UDM field and nn4_entities log field is mapped to the additional.fields.value UDM field. |
| nn4_entity_similarity (number - double) | additional.fields[nn4_entity_similarity] | |
| nn4_train_items (array[string] - vector of string) | additional.fields[nn4_train_item] | Iterate through log field nn4_train_items, then nn4_train_item_%{index} log field is mapped to the additional.fields.key UDM field and nn4_train_items log field is mapped to the additional.fields.value UDM field. |
| nn4_pred_items (array[string] - set[string]) | additional.fields[nn4_pred_item] | Iterate through log field nn4_pred_items, then nn4_pred_item_%{index} log field is mapped to the additional.fields.key UDM field and nn4_pred_items log field is mapped to the additional.fields.value UDM field. |
| nn5_entities (array[string] - vector of string) | additional.fields[nn5_entities] | Iterate through log field nn5_entities, then nn5_entities_%{index} log field is mapped to the additional.fields.key UDM field and nn5_entities log field is mapped to the additional.fields.value UDM field. |
| nn5_entity_similarity (number - double) | additional.fields[nn5_entity_similarity] | |
| nn5_train_items (array[string] - vector of string) | additional.fields[nn5_train_item] | Iterate through log field nn5_train_items, then nn5_train_item_%{index} log field is mapped to the additional.fields.key UDM field and nn5_train_items log field is mapped to the additional.fields.value UDM field. |
| nn5_pred_items (array[string] - set[string]) | additional.fields[nn5_pred_item] | Iterate through log field nn5_pred_items, then nn5_pred_item_%{index} log field is mapped to the additional.fields.key UDM field and nn5_pred_items log field is mapped to the additional.fields.value UDM field. |
| nn6_entities (array[string] - vector of string) | additional.fields[nn6_entities] | Iterate through log field nn6_entities, then nn6_entities_%{index} log field is mapped to the additional.fields.key UDM field and nn6_entities log field is mapped to the additional.fields.value UDM field. |
nn6_entity_similarity (number - double)additional.fields[nn6_entity_similarity]
nn6_train_items (array[string] - vector of string)additional.fields[nn6_train_item]Iterate through log field nn6_train_items, then
nn6_train_item_%{index} log field is mapped to the additional.fields.key UDM field and nn6_train_items log field is mapped to the additional.fields.value UDM field.
nn6_pred_items (array[string] - set[string])additional.fields[nn6_pred_item]Iterate through log field nn6_pred_items, then
nn6_pred_item_%{index} log field is mapped to the additional.fields.key UDM field and nn6_pred_items log field is mapped to the additional.fields.value UDM field.
nn7_entities (array[string] - vector of string)additional.fields[nn7_entities]Iterate through log field nn7_entities, then
nn7_entities_%{index} log field is mapped to the additional.fields.key UDM field and nn7_entities log field is mapped to the additional.fields.value UDM field.
nn7_entity_similarity (number - double)additional.fields[nn7_entity_similarity]
nn7_train_items (array[string] - vector of string)additional.fields[nn7_train_item]Iterate through log field nn7_train_items, then
nn7_train_item_%{index} log field is mapped to the additional.fields.key UDM field and nn7_train_items log field is mapped to the additional.fields.value UDM field.
nn7_pred_items (array[string] - set[string])additional.fields[nn7_pred_item]Iterate through log field nn7_pred_items, then
nn7_pred_item_%{index} log field is mapped to the additional.fields.key UDM field and nn7_pred_items log field is mapped to the additional.fields.value UDM field.
nn8_entities (array[string] - vector of string)additional.fields[nn8_entities]Iterate through log field nn8_entities, then
nn8_entities_%{index} log field is mapped to the additional.fields.key UDM field and nn8_entities log field is mapped to the additional.fields.value UDM field.
nn8_entity_similarity (number - double)additional.fields[nn8_entity_similarity]
nn8_train_items (array[string] - vector of string)additional.fields[nn8_train_item]Iterate through log field nn8_train_items, then
nn8_train_item_%{index} log field is mapped to the additional.fields.key UDM field and nn8_train_items log field is mapped to the additional.fields.value UDM field.
nn8_pred_items (array[string] - set[string])additional.fields[nn8_pred_item]Iterate through log field nn8_pred_items, then
nn8_pred_item_%{index} log field is mapped to the additional.fields.key UDM field and nn8_pred_items log field is mapped to the additional.fields.value UDM field.
nn9_entities (array[string] - vector of string)additional.fields[nn9_entities]Iterate through log field nn9_entities, then
nn9_entities_%{index} log field is mapped to the additional.fields.key UDM field and nn9_entities log field is mapped to the additional.fields.value UDM field.
nn9_entity_similarity (number - double)additional.fields[nn9_entity_similarity]
nn9_train_items (array[string] - vector of string)additional.fields[nn9_train_item]Iterate through log field nn9_train_items, then
nn9_train_item_%{index} log field is mapped to the additional.fields.key UDM field and nn9_train_items log field is mapped to the additional.fields.value UDM field.
nn9_pred_items (array[string] - set[string])additional.fields[nn9_pred_item]Iterate through log field nn9_pred_items, then
nn9_pred_item_%{index} log field is mapped to the additional.fields.key UDM field and nn9_pred_items log field is mapped to the additional.fields.value UDM field.
nn10_entities (array[string] - vector of string)additional.fields[nn10_entities]Iterate through log field nn10_entities, then
nn10_entities_%{index} log field is mapped to the additional.fields.key UDM field and nn10_entities log field is mapped to the additional.fields.value UDM field.
nn10_entity_similarity (number - double)additional.fields[nn10_entity_similarity]
nn10_train_items (array[string] - vector of string)additional.fields[nn10_train_item]Iterate through log field nn10_train_items, then
nn10_train_item_%{index} log field is mapped to the additional.fields.key UDM field and nn10_train_items log field is mapped to the additional.fields.value UDM field.
nn10_pred_items (array[string] - set[string])additional.fields[nn10_pred_item]Iterate through log field nn10_pred_items, then
nn10_pred_item_%{index} log field is mapped to the additional.fields.key UDM field and nn10_pred_items log field is mapped to the additional.fields.value UDM field.
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
-
-
-

Field mapping reference: CORELIGHT - ssdp

-
-The following table lists the log fields of the ssdp log type and their corresponding UDM fields.
-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
is_orig (boolean - bool)additional.fields[is_orig]
operation (string)additional.fields[operation]
host (string)additional.fields[host]
usn (string)additional.fields[usn]
target (string)about.resource.name
target_sub (string)additional.fields[target_sub]
location (string)target.location.name
user_agent (string)network.http.user_agent
server (string)additional.fields[server]
man (string)additional.fields[man]
mx (string)additional.fields[mx]
cache_control (string)additional.fields[cache_control]
remaining_header_names (array[string] - vector of string)additional.fields[remaining_header_name]Iterate through log field remaining_header_names, then
remaining_header_name_%{index} log field is mapped to the additional.fields.key UDM field and remaining_header_names log field is mapped to the additional.fields.value UDM field.
remaining_header_values (array[string] - vector of string)additional.fields[remaining_header_value]Iterate through log field remaining_header_values, then
remaining_header_value_%{index} log field is mapped to the additional.fields.key UDM field and remaining_header_values log field is mapped to the additional.fields.value UDM field.
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
-
-
-

Field mapping reference: CORELIGHT - telnet

-
-The following table lists the log fields of the telnet log type and their corresponding UDM fields.
-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
tn3270 (boolean - bool)additional.fields[tn3270]
tn3270e (boolean - bool)additional.fields[tn3270e]
terminal_type (string)additional.fields[terminal_type]
terminal_speed (string)additional.fields[terminal_speed]
x_display_location (string)additional.fields[x_display_location]
environ_value_names (array[string] - vector of string)additional.fields[environ_value_name]Iterate through log field environ_value_names, then
environ_value_name_%{index} log field is mapped to the additional.fields.key UDM field and environ_value_names log field is mapped to the additional.fields.value UDM field.
environ_value_values (array[string] - vector of string)additional.fields[environ_value_value]Iterate through log field environ_value_values, then
environ_value_value_%{index} log field is mapped to the additional.fields.key UDM field and environ_value_values log field is mapped to the additional.fields.value UDM field.
tn3270e_device_type_request (string)additional.fields[tn3270e_device_type_request]
tn3270e_device_type_request_associate (string)additional.fields[tn3270e_device_type_request_associate]
tn3270e_device_type_request_connect (string)additional.fields[tn3270e_device_type_request_connect]
tn3270e_device_type_is (string)additional.fields[tn3270e_device_type_is]
tn3270e_device_type_is_associate (string)additional.fields[tn3270e_device_type_is_associate]
tn3270e_device_type_is_connect (string)additional.fields[tn3270e_device_type_is_connect]
data (string)additional.fields[data]
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
-
-
-

Field mapping reference: CORELIGHT - websocket

-
-The following table lists the log fields of the websocket log type and their corresponding UDM fields.
-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
host (string)target.hostname
uri (string)target.url
user_agent (string)network.http.user_agent
subprotocol (string)additional.fields[subprotocol]
client_protocols (array[string] - vector of string)additional.fields[client_protocol]Iterate through log field client_protocols, then
client_protocol_%{index} log field is mapped to the additional.fields.key UDM field and client_protocols log field is mapped to the additional.fields.value UDM field.
server_extensions (array[string] - vector of string)additional.fields[server_extension]Iterate through log field server_extensions, then
server_extension_%{index} log field is mapped to the additional.fields.key UDM field and server_extensions log field is mapped to the additional.fields.value UDM field.
client_extensions (array[string] - vector of string)additional.fields[client_extensions]Iterate through log field client_extensions, then
client_extension_%{index} log field is mapped to the additional.fields.key UDM field and client_extensions log field is mapped to the additional.fields.value UDM field.
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
-
-
-

Field mapping reference: CORELIGHT - first_seen

-
-The following table lists the log fields of the first_seen log type and their corresponding UDM fields.
-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log fieldUDM mappingLogic
use_case (string)security_result.rule_name
use_case_description (string)security_result.description
entity (string)additional.fields[entity]
original_entity (string)additional.fields[original_entity]
entity_training_items (array[string] - vector of string)additional.fields[entity_training_item]Iterate through log field entity_training_items, then
entity_training_item_%{index} log field is mapped to the additional.fields.key UDM field and entity_training_item log field is mapped to the additional.fields.value UDM field.
item (string)security_result.detection_fields[item]
first_seen_type (string - enum AnomalyDetection::AnomalyTypes)security_result.detection_fields[first_seen_type]
history_days (integer - count)security_result.detection_fields[history_days]
history (number - interval)security_result.detection_fields[history]
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
-
-
-
-

UDM Mapping Delta reference: Corelight

-
-The following table lists delta for Default parser of Corelight.
-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Log NameLog FieldPrevious UDM MappingUpdated UDM Mapping
uidadditional.fields[uid]network.session_id
cipdirectionadditional.fields[direction]network.direction
cipcip_statusadditional.fields[cip_status]security_result.description
etc_vizc2s_viz.sizeabout.labels [c2s_viz_size]network.sent_bytes
etc_vizs2c_viz.sizeabout.labels [s2c_viz_size]network.received_bytes
generic_dns_tunnelscapture_secsabout.labels [capture_secs]network.session_duration
kerberosrequest_typeprincipal.applicationextensions.auth.auth_details
kerberoserror_msgsecurity_result.action_detailssecurity_result.description
known_devicesprotocolsentity.labels [protocol]entity.network.application_protocol
known_domainsprotocolsentity.labels [protocol]entity.network.application_protocol
known_servicesprotocolentity.labels [protocol]entity.network.application_protocol
ldapresultsecurity_result.detection_fields [result]security_result.action
ldapobjectabout.labels [object]target.resource.name
mqtt_connectwill_topicabout.labels [will_topic]target.resource.name
mqtt_publishtopicabout.labels [topic]target.resource.name
mqtt_subscribetopicsabout.labels [topics]target.resource.name
mqtt_subscribeacksecurity_result.detection_fields [ack]security_result.action
pecompile_tsabout.labels [compile_ts]target.file.pe_file.compilation_time
pesection_namesabout.labels [section_names]target.file.pe_file.section
radiusreply_msgabout.labels [reply_msg]extensions.auth.auth_details
radiusresultextensions.auth.auth_detailssecurity_result.action
rdpcookieabout.labels [cookie]principal.user.userid
rdpclient_buildprincipal.labels [client_build]principal.asset.software.version
rdpclient_dig_product_idprincipal.labels [client_dig_product_id ]principal.asset.product_object_id
rdpauth_successabout.labels [auth_success]security_result.action
smtphelotarget.domain.namenetwork.smtp.helo
smtppathintermediary.ipnetwork.smtp.message_path
smtpuser_agentabout.labels [user_agent]principal.application
snmpup_sinceabout.labels [up_since]target.asset.last_boot_time
socksversionabout.labels [version]network.application_protocol_version
specific_dns_tunnelsdetectionsecurity_result.detection_fields [detection]security_result.description
sshclientprincipal.applicationprincipal.asset.software.version
sshservertarget.applicationtarget.asset.software.version
sshhost_key_algsecurity_result.detection_fields [host_key_alg]network.tls.server.certificate.version
sshhost_keysecurity_result.detection_fields [host_key]network.tls.server.certificate.sha256
sshinferencessecurity_result.summary, security_result.descriptionsecurity_result.summary, security_result.description, security_result.detection_fields
sslvalidation_statussecurity_result.detection_fields [validation_status]security_result.description
ssl_redvalidation_statussecurity_result.detection_fields [validation_status]security_result.description
steppingserver1_htarget.ipintermediary.ip
steppingserver1_ptarget.portintermediary.port
steppingclient2_hprincipal.ipintermediary.ip
steppingclient2_pprincipal.labels [client2_p]intermediary.port
steppingserver2_htarget.labels [server2_h]target.ip
steppingserver2_ptarget.labels [server2_p]target.port
suricata_corelightalert.revsecurity_result.detection_fields [alert_rev]security_result.rule_version
suricata_corelightalert.metadatasecurity_result.detection_fields [alert_metadata]security_result.rule_labels
suricata_corelightmetadatasecurity_result.detection_fields [alert_metadata]security_result.rule_labels
syslogseverityabout.labels [severity]security_result.severity, security_result.severity_details
vpninferencesabout.labels [inference]metadata.description
vpnclient_infoprincipal.labels [client_info]network.http.user_agent
weirdnameabout.labels [name]metadata.product_event_type
weirdaddlabout.labels [addl]metadata.description
weirdpeerabout.labels [peer]observer.hostname
weirdsourceabout.labels [source]metadata.product_name
x509fingerprintabout.labels [fingerprint]about.domain.last_https_certificate.thumbprint
x509certificate.versionnetwork.tls.server.certificate.versionabout.domain.last_https_certificate.version
x509certificate.serialnetwork.tls.server.certificate.serialabout.domain.last_https_certificate.serial_number
x509certificate.subjectnetwork.tls.server.certificate.subjectabout.domain.last_https_certificate.subject.common_name
x509certificate.issuernetwork.tls.server.certificate.issuerabout.domain.last_https_certificate.issuer
x509certificate.not_valid_beforenetwork.tls.server.certificate.not_beforeabout.domain.last_https_certificate.validity.issue_time
x509certificate.not_valid_afternetwork.tls.server.certificate.not_afterabout.domain.last_https_certificate.validity.expiry_time
x509certificate.key_algabout.labels [certificate_key_alg]about.labels [public_key_algorithm]
x509certificate.sig_algabout.labels [certificate_sig_alg]about.domain.last_https_certificate.signature_algorithm
x509certificate.key_typeabout.labels [certificate_key_type]about.domain.last_https_certificate.public_key.algorithm
x509certificate.key_lengthabout.labels [certificate_key_length]about.domain.last_https_certificate.public_key.rsa.key_size
x509certificate.exponentabout.labels [certificate_exponent]about.domain.last_https_certificate.public_key.rsa.exponent
x509certificate.curvenetwork.tls.curveabout.domain.last_https_certificate.ec.oid
x509san.dnsabout.labels [san_dns]about.domain.last_https_certificate.extension.subject_alternative_name
x509basic_constraints.caabout.labels [basic_constraints_ca]about.domain.last_https_certificate.extension.ca
x509_redfingerprintabout.labels [fingerprint]about.domain.last_https_certificate.thumbprint
x509_redcertificate.versionnetwork.tls.server.certificate.versionabout.domain.last_https_certificate.version
x509_redcertificate.serialnetwork.tls.server.certificate.serialabout.domain.last_https_certificate.serial_number
x509_redcertificate.subjectnetwork.tls.server.certificate.subjectabout.domain.last_https_certificate.subject.common_name
x509_redcertificate.issuernetwork.tls.server.certificate.issuerabout.domain.last_https_certificate.issuer
x509_redcertificate.not_valid_beforenetwork.tls.server.certificate.not_beforeabout.domain.last_https_certificate.validity.issue_time
x509_redcertificate.not_valid_afternetwork.tls.server.certificate.not_afterabout.domain.last_https_certificate.validity.expiry_time
x509_redcertificate.key_algabout.labels [certificate_key_alg]about.labels [public_key_algorithm]
x509_redcertificate.sig_algabout.labels [certificate_sig_alg]about.domain.last_https_certificate.signature_algorithm
x509_redcertificate.key_typeabout.labels [certificate_key_type]about.domain.last_https_certificate.public_key.algorithm
x509_redcertificate.key_lengthabout.labels [certificate_key_length]about.domain.last_https_certificate.public_key.rsa.key_size
x509_redcertificate.exponentabout.labels [certificate_exponent]about.domain.last_https_certificate.public_key.rsa.exponent
x509_redcertificate.curvenetwork.tls.curveabout.domain.last_https_certificate.ec.oid
x509_redsan.dnsabout.labels [san_dns]about.domain.last_https_certificate.extension.subject_alternative_name
x509_redbasic_constraints.caabout.labels [basic_constraints_ca]about.domain.last_https_certificate.extension.ca
-
-
-
-## What's next
-
-- [Data ingestion to Chronicle ](https://cloud.devsite.corp.google.com/chronicle/docs/data-ingestion-flow)
+# Collect Corelight Sensor logs
+
+This document describes how you can collect Corelight Sensor logs by configuring the Corelight Sensor and a Chronicle forwarder. This document also lists the supported log types and supported Corelight versions.
+
+For more information, see [Data ingestion to Chronicle](https://cloud.google.com/chronicle/docs/data-ingestion-flow).
+
+## Before you begin
+
+* Verify the version of Corelight Sensor. The Corelight Google SecOps parser was designed for version 27.13 and earlier. Later versions of the Corelight Sensor might have additional logs that the parser won't recognize, and those logs might receive limited or no field parsing. However, the log content will still be available in the raw log format in Google SecOps.
+* Ensure that all systems in the deployment architecture are configured with the UTC time zone.
+
+
+## Deployment and Log Ingestion Methods
+
+The following deployment architecture diagram illustrates how a Corelight Sensor is set up to send logs to Google Security Operations using two different ingestion architectures. It's important to note that each customer deployment may vary from this representation and could be more complex.
+
+An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the `CORELIGHT` ingestion label.
+
+## Ingesting Logs into Google SecOps using Corelight Exporters
+
+![Deployment architecture](images/parser-corelight-architecture-without-forwarder.png)
+
+The architecture diagram shows the following components:
+
+* **Corelight Sensor**: The system running the [Corelight Sensor ](https://docs.corelight.com/docs/sensor/sensor/quickstarts/quickstart.html).
+
+* **Corelight Sensor exporters**: The [Corelight Sensor exporter](https://docs.corelight.com/docs/sensor/sensor/export/goosecops_exp.html) collects log data from the Sensor, and forwards it to Google Security Operations.
+
+* **Google Security Operations**: Google Security Operations retains and analyzes the logs from Corelight Sensor.
+
+An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the `CORELIGHT` ingestion label.
+
+### Configure the Google SecOps exporter in Corelight
+Use the Sensor or Fleet Manager web interface to configure the Google SecOps exporter. This configuration uses the API credentials from your Google SecOps instance to establish the secure connection.
+
+1. Log in to the Fleet Manager or Sensor web interface of Corelight Sensor as an administrator.
+
+2. Navigate to the exporter configuration area:
+
+ * **Fleet Manager**: Navigate to Policies, select a policy, and click the Export tab.
+ * **Standalone Sensor**: Navigate to Configuration | Export | Export Configuration.
+
+3. In the Create Exporter section, click **Google SecOps**.
+
+ ![Deployment architecture](images/dynamic-exporter-step-1.png)
+
+4. Configure the following input parameters:
+ - **Name***: A unique name for this exporter instance (for example, SecOps).
+ - **Google SecOps Customer ID***: Your unique customer identifier provided by Google.
+ - **Google SecOps Namespace**: The logical namespace for your Sensor logs in Google SecOps.
+ - **Credentials***: The Google SecOps Service Account Credentials (JSON). (Paste the full JSON content).
+ - **Google SecOps Labels**: User-configured labels to identify the data domain.
+ - **Region***: The GCP region name used by Google SecOps.
+ - **Batch Max Events**: The maximum batch size.
+ - **Batch Timeout Seconds**: The maximum age of a batch.
+ - **Proxy URL**: The network proxy URL, if required.
+ - **Exporter Log Filter**: Select a filter to apply to this exporter instance.
+ - **Log Type Filter**: Include or exclude specific log files by name.
+ * **Exclude**: Removes specified logs. New log types (for example, from packages) will still be exported.
+ * **Include**: Exports only the specified logs. New log types will NOT be exported unless manually added.
+
+
+ ![Deployment architecture](images/dynamic-exporter-step-2.1.png)
+ ![Deployment architecture](images/dynamic-exporter-step-2.2.png)
+
+5. Click **Done**.
+
+ ![Deployment architecture](images/dynamic-exporter-step-3.png)
+
+6. Click **Apply Changes**.
+
+## Ingesting Logs into Google SecOps Using a Forwarder
+
+ ![Deployment architecture](images/parser-corelight-architecture.png)
+
+The architecture diagram shows the following components:
+
+* **Corelight Sensor**: The system running the [Corelight Sensor ](https://docs.corelight.com/docs/sensor/sensor/quickstarts/quickstart.html).
+
+* **Corelight Sensor exporter**: The [Corelight Sensor exporter](https://docs.corelight.com/docs/sensor/sensor/export/syslog.html) collects log data from the Sensor, and forwards it to the Google Security Operations forwarder.
+
+* **Google Security Operations forwarder**: The Google Security Operations forwarder is a lightweight software component, deployed in the customer's network, that supports syslog. The Google Security Operations forwarder forwards the logs to Google Security Operations.
+
+* **Google Security Operations**: Google Security Operations retains and analyzes the logs from Corelight Sensor.
+
+## Supported Corelight log types
+
+The Corelight parser supports the following log types:
+
+

Log Type

+
    +
  • asset_classification
  • +
  • conn
  • +
  • conn_long
  • +
  • conn_red
  • +
  • conn_agg
  • +
  • dce_rpc
  • +
  • dns
  • +
  • dns_red
  • +
  • files
  • +
  • files_red
  • +
  • http
  • +
  • http2
  • +
  • http_red
  • +
  • intel
  • +
  • irc
  • +
  • notice
  • +
  • rdp
  • +
  • sip
  • +
  • smb_files
  • +
  • smb_mapping
  • +
  • smtp
  • +
  • smtp_links
  • +
  • ssh
  • +
  • ssl
  • +
  • ssl_red
  • +
  • suricata_corelight
  • +
  • bacnet
  • +
  • cip
  • +
  • corelight_burst
  • +
  • corelight_metrics_bro
  • +
  • corelight_metrics_disk
  • +
  • corelight_metrics_iface
  • +
  • corelight_metrics_memory
  • +
  • corelight_metrics_system
  • +
  • corelight_metrics_zeek_doctor
  • +
  • corelight_overall_capture_loss
  • +
  • corelight_profiling
  • +
  • datared
  • +
  • dga
  • +
  • dhcp
  • +
  • dnp3
  • +
  • dpd
  • +
  • encrypted_dns
  • +
  • enip
  • +
  • enip_debug
  • +
  • enip_list_identity
  • +
  • etc_viz
  • +
  • ftp
  • +
  • generic_dns_tunnels
  • +
  • generic_icmp_tunnels
  • +
  • icmp_specific_tunnels
  • +
  • ipsec
  • +
  • iso_cotp
  • +
  • kerberos
  • +
  • known_certs
  • +
  • known_devices
  • +
  • known_domains
  • +
  • known_hosts
  • +
  • known_names
  • +
  • known_remotes
  • +
  • known_services
  • +
  • known_users
  • +
  • ldap
  • +
  • ldap_search
  • +
  • local_subnets
  • +
  • local_subnets_dj
  • +
  • local_subnets_graphs
  • +
  • log4shell
  • +
  • modbus
  • +
  • mqtt_connect
  • +
  • mqtt_publish
  • +
  • mqtt_subscribe
  • +
  • mysql
  • +
  • napatech_shunting
  • +
  • ntlm
  • +
  • ntp
  • +
  • pe
  • +
  • profinet
  • +
  • profinet_dce_rpc
  • +
  • profinet_debug
  • +
  • radius
  • +
  • reporter
  • +
  • rfb
  • +
  • s7comm
  • +
  • smartpcap
  • +
  • snmp
  • +
  • socks
  • +
  • software
  • +
  • specific_dns_tunnels
  • +
  • stepping
  • +
  • stun
  • +
  • stun_nat
  • +
  • suricata_eve
  • +
  • suricata_stats
  • +
  • syslog
  • +
  • tds
  • +
  • tds_rpc
  • +
  • tds_sql_batch
  • +
  • traceroute
  • +
  • tunnel
  • +
  • unknown-smartpcap
  • +
  • vpn
  • +
  • weird
  • +
  • weird_red
  • +
  • wireguard
  • +
  • x509
  • +
  • x509_red
  • +
  • dns_agg
  • +
  • files_agg
  • +
  • http_agg
  • +
  • ssl_agg
  • +
  • weird_agg
  • +
  • analyzer
  • +
  • anomaly
  • +
  • ssdp
  • +
  • telnet
  • +
  • websocket
  • +
  • first_seen
  • +
+
+
+
+## Configure the Google Security forwarder
+
+To configure the Google Security Operations forwarder, do the following:
+
+1. Set up a Google Security forwarder. See [Install and configure the forwarder on Linux](https://cloud.google.com/chronicle/docs/install/forwarder-linux).
+
+2. Configure the Google Security Operations forwarder to send logs to Google Security Operations.
+
+ ```none
+ collectors:
+ - syslog:
+ common:
+ enabled: true
+ data_type: CORELIGHT
+ data_hint:
+ batch_n_seconds: 10
+ batch_n_bytes: 1048576
+ tcp_address:
+ tcp_buffer_size: 524288
+ udp_address:
+ connection_timeout_sec: 60
+ ```
+
+## Configure the Corelight Sensor exporter
+
+1. Log into Corelight Sensor as an administrator.
+2. Select the **Export** tab.
+3. Find and enable **EXPORT TO SYSLOG** option.
+4. Under **EXPORT TO SYSLOG**, configure the following fields:
+ * **SYSLOG SERVER**: Specify the IP address and port of the Google Security Operations forwarder syslog listener.
+ * Navigate to **Advanced Settings > SYSLOG FORMAT**, and change the setting to **Legacy**.
+
+![Corelight Sensor Configuration](images/chronicle.jpg)
+
+5. Click **Apply Changes**.
+
+## Field mapping reference
+
+This section explains how the Google Security Operations parser maps Google Security Operations fields to Google Security Operations Unified Data Model (UDM) fields.
+
+

Field mapping reference: CORELIGHT - Common Fields

+
+The following table lists common fields of the CORELIGHT log and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.vendor_nameThe metadata.vendor_name UDM field is set to Corelight.
_path (string)metadata.product_event_type
_system_name (string)observer.hostname
ts (time)metadata.event_timestamp
uid (string)about.labels [uid], network.session_id
id.orig_h (string - addr)principal.ip
id.orig_p (integer - port)principal.port
id.resp_h (string - addr)target.ip
id.resp_p (integer - port)target.port
_write_tsmetadata.collected_timestamp
id.vlan (integer - int)additional.fields [id_vlan]
id.vlan_inner (integer - int)additional.fields [id_vlan_inner]
id.orig_ep_cid (string)additional.fields [id_orig_ep_cid]
id.orig_ep_source (string)additional.fields [id_orig_ep_source]
id.orig_ep_status (string)additional.fields [id_orig_ep_status]
id.orig_ep_uid (string)additional.fields [id_orig_ep_uid]
id.resp_ep_cid (string)additional.fields [id_resp_ep_cid]
id.resp_ep_source (string)additional.fields [id_resp_ep_source]
id.resp_ep_status (string)additional.fields [id_resp_ep_status]
id.resp_ep_uid (string)additional.fields [id_resp_ep_uid]
uids (array[string] - vector of string)additional.fields [uid]
count (integer - int)additional.fields [count]
ts_lastadditional.fields [ts_last]
+
+
+

Field mapping reference: CORELIGHT - asset_classification

+ +The following table lists the log fields of the asset_classification log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to STATUS_UPDATE.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
ip (string - addr)principal.ip
macprincipal.mac
vendor_mac (string)about.asset.hardware.manufacturer
device_type (string)about.asset.category
os_name (string)about.platform
os_name (string)about.asset.attribute.labels
type_group (string)about.group.group_display_name
type_name (string)about.resource.resource_subtypeThe about.resource.resource_type UDM field is set to DEVICE
brand (string)about.user.company_name
model (string)about.asset.hardware.model
confidence (integer)about.security_result.confidence_score
os_ver (string)about.platform_version
sources (array[string])about.ip_geo_artifact.tags
+
+
+

Field mapping reference: CORELIGHT - conn, conn_red, conn_long, conn_agg

+ +The following table lists the log fields of the conn, conn_red, conn_long, conn_agg log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
proto (string - enum)network.ip_protocol
service (string)network.application_protocol
duration (number - interval)network.session_duration
orig_bytes (integer - count)network.sent_bytes
resp_bytes (integer - count)network.received_bytes
conn_state (string)metadata.descriptionIf the conn_state log field value is equal to S0, then the metadata.description UDM field is set to S0: Connection attempt seen, no reply.

Else, if the conn_state log field value is equal to S1, then the metadata.description UDM field is set to S1: Connection established, not terminated.

Else, if the conn_state log field value is equal to S2, then the metadata.description UDM field is set to S2: Connection established and close attempt by originator seen (but no reply from responder).

Else, if the conn_state log field value is equal to S3, then the metadata.description UDM field is set to S3: Connection established and close attempt by responder seen (but no reply from originator).

Else, if the conn_state log field value is equal to SF, then the metadata.description UDM field is set to SF: Normal SYN/FIN completion.

Else, if the conn_state log field value is equal to REJ, then the metadata.description UDM field is set to REJ: Connection attempt rejected.

Else, if the conn_state log field value is equal to RSTO, then the metadata.description UDM field is set to RSTO: Connection established, originator aborted (sent a RST).

Else, if the conn_state log field value is equal to RSTOS0, then the metadata.description UDM field is set to RSTOS0: Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder.

Else, if the conn_state log field value is equal to RSTOSH, then the metadata.description UDM field is set to RSTOSH: Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator.

Else, if the conn_state log field value is equal to RSTR, then the metadata.description UDM field is set to RSTR: Established, responder aborted.

Else, if the conn_state log field value is equal to SH, then the metadata.description UDM field is set to SH: Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was "half" open).

Else, if the conn_state log field value is equal to SHR, then the metadata.description UDM field is set to SHR: Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator.

Else, if the conn_state log field value is equal to OTH, then the metadata.description UDM field is set to OTH: No SYN seen, just midstream traffic (a partial connection that was not later closed).
local_orig (boolean - bool)about.labels [local_orig]
local_resp (boolean - bool)about.labels [local_resp]
missed_bytes (integer - count)about.labels [missed_bytes]
history (string)about.labels [history]
orig_pkts (integer - count)network.sent_packets
orig_ip_bytes (integer - count)principal.labels [orig_ip_bytes]
resp_pkts (integer - count)network.received_packets
resp_ip_bytes (integer - count)target.labels [resp_ip_bytes]
tunnel_parents (array[string] - set[string])intermediary.labels [tunnel_parent]
orig_cc (string)principal.ip_geo_artifact.location.country_or_region
resp_cc (string)target.ip_geo_artifact.location.country_or_region
suri_ids (array[string] - set[string])security_result.rule_id
spcap.url (string)security_result.url_back_to_product
spcap.rule (integer - count)security_result.rule_labels [spcap_rule]
spcap.trigger (string)security_result.detection_fields [spcap_trigger]
app (array[string] - vector of string)about.application
corelight_shunted (boolean - bool)about.labels [corelight_shunted]
orig_shunted_pkts (integer - count)principal.labels [orig_shunted_pkts]
orig_shunted_bytes (integer - count)principal.labels [orig_shunted_bytes]
resp_shunted_pkts (integer - count)target.labels [resp_shunted_pkts]
resp_shunted_bytes (integer - count)target.labels [resp_shunted_bytes]
orig_l2_addr (string)principal.mac
resp_l2_addr (string)target.mac
id_orig_h_n.src (string)principal.labels [id_orig_h_n_src]
id_orig_h_n.vals (array[string] - set[string])principal.labels [id_orig_h_n_val]
id_resp_h_n.src (string)target.labels [id_resp_h_n_src]
id_resp_h_n.vals (array[string] - set[string])target.labels [id_resp_h_n_val]
vlan (integer - int)intermediary.labels [vlan]
inner_vlan (integer - int)intermediary.labels [inner_vlan]
community_id (string)network.community_id
security_result.severityThe security_result.severity UDM field is set to INFORMATIONAL.
service (string)about.labels [service]
orig_ep_cid (string)additional.fields [orig_ep_cid]
orig_ep_source (string)additional.fields [orig_ep_source]
orig_ep_status (string)additional.fields [orig_ep_status]
orig_ep_uid (string)additional.fields [orig_ep_uid]
resp_ep_cid (string)additional.fields [resp_ep_cid]
resp_ep_source (string)additional.fields [resp_ep_source]
resp_ep_status (string)additional.fields [resp_ep_status]
resp_ep_uid (string)additional.fields [resp_ep_uid]
id_orig_h_nprincipal.ip
id_resp_h_ntarget.ip
netskope_site_idsadditional.fields[netskope_site_ids]Iterate through log field netskope_site_ids, then
netskope_site_id_%{index} log field is mapped to the additional.fields.key UDM field and netskope_site_id log field is mapped to the additional.fields.value UDM field.
netskope_user_idsadditional.fields[netskope_user_ids]Iterate through log field netskope_user_ids, then
netskope_user_id_%{index} log field is mapped to the additional.fields.key UDM field and netskope_user_id log field is mapped to the additional.fields.value UDM field.
write_tsadditional.fields[write_ts]
spcap.urls (array[string] - vector of string)security_result.url_back_to_productIterate through log field spcap.urls, then
spcap.urls log field is mapped to the security_result.url_back_to_product UDM field.
community_ids (array[string] - vector of string)network.community_idIterate through log field community_ids, then
if index is equal to 0 then, community_id log field is mapped to the network.community_id UDM field.
Else, community_id_%{index} log field is mapped to the additional.fields.key UDM field and community_id log field is mapped to the additional.fields.value UDM field.
capture_metadata.vpc.versionabout.resource.attribute.labels[vpc_version]
capture_metadata.vpc.vpc_idabout.resource.product_object_id
about.resource.resource_typeIf capture_metadata.vpc.vpc_id is present, then about.resource.resource_type UDM field is set to VPC_NETWORK.
capture_sourceabout.resource.attribute.labels[capture_source]
orig_inst.azprincipal.location.name
orig_inst.idprincipal.resource.product_object_id
orig_inst.nameprincipal.resource.name
orig_inst.org_idprincipal.resource.attribute.labels[org_id]
orig_inst.sg_idsprincipal.resource.attribute.labels[sg_id]
orig_inst.subnet_idprincipal.resource.attribute.labels[subnet_id]
orig_inst.vpc_idprincipal.resource.attribute.labels[vpc_id]
principal.resource.resource_typeIf orig_inst.vpc_id is present, then principal.resource.resource_type UDM field is set to VPC_NETWORK.
orig_inst.profileprincipal.resource.attribute.labels[profile]
resp_inst.aztarget.location.name
resp_inst.idtarget.resource.product_object_id
resp_inst.nametarget.resource.name
resp_inst.org_idtarget.resource.attribute.labels[org_id]
resp_inst.sg_idstarget.resource.attribute.labels[sg_id]
resp_inst.subnet_idtarget.resource.attribute.labels[subnet_id]
resp_inst.vpc_idtarget.resource.attribute.labels[vpc_id]
target.resource.resource_typeIf resp_inst.vpc_id is present, then target.resource.resource_type UDM field is set to VPC_NETWORK.
resp_inst.profiletarget.resource.attribute.labels[profile]
local_orig and local_respadditional.fields[direction]If the local_orig log field value is equal to true and local_resp log field value is equal to true, then the additional.fields[direction] UDM field is set to internal.

Else, if the local_orig log field value is equal to true and local_resp log field value is equal to false, then the additional.fields[direction] UDM field is set to outbound.

Else, if the local_orig log field value is equal to false and local_resp log field value is equal to false, then the additional.fields[direction] UDM field is set to external.

Else, if the local_orig log field value is equal to false and local_resp log field value is equal to true, then the additional.fields[direction] UDM field is set to inbound.
+
+
+

Field mapping reference: CORELIGHT - dce_rpc

+ +The following table lists the log fields of the dce_rpc log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
rtt (number - interval)network.session_duration
named_pipe (string)intermediary.resource.name
intermediary.resource.resource_typeIf the named_pipe log field value is not empty, then the intermediary.resource.resource_type UDM field is set to PIPE.
endpoint (string)target.labels [endpoint]
operation (string)target.labels [operation]
network.application_protocolThe network.application_protocol UDM field is set to DCERPC.
security_result.severityThe security_result.severity UDM field is set to INFORMATIONAL.
operation, endpoint, named_pipe (string)metadata.descriptionThe metadata.description UDM field is set with operation, endpoint, named_pipe log fields as "operation operation on endpoint using named pipe named_pipe".
network.ip_protocolThe network.ip_protocol UDM field is set to TCP.
+
+
+

Field mapping reference: CORELIGHT - dns, dns_red, dns_agg

+ +The following table lists the log fields of the dns, dns_red, dns_agg log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_DNS.
network.application_protocolThe network.application_protocol UDM field is set to DNS.
proto (string - enum)network.ip_protocol
trans_id (integer - count)network.dns.id
rtt (number - interval)network.session_duration
query (string)network.dns.questions.name
qclass (integer - count)network.dns.questions.class
qclass_name (string)about.labels [qclass_name]
qtype (integer - count)network.dns.questions.type
qtype_name (string)about.labels [qtype_name]
rcode (integer - count)network.dns.response_code
rcode (integer - count)network.dns.responseIf the rcode log field value is not empty, then the network.dns.response UDM field is set to true.
rcode_name (string)about.labels [rcode_name]
AA (boolean - bool)network.dns.authoritative
TC (boolean - bool)network.dns.truncated
RD (boolean - bool)network.dns.recursion_desired
RA (boolean - bool)network.dns.recursion_available
Z (integer - count)about.labels [Z]
answers (array[string] - vector of string)network.dns.answers.name
TTLs (array[number] - vector of interval)network.dns.answers.ttl
rejected (boolean - bool)about.labels [rejected]
is_trusted_domain (string)about.labels [is_trusted_domain]
icann_host_subdomain (string)about.labels [icann_host_subdomain]
icann_domain (string)network.dns_domain
icann_tld (string)about.labels [icann_tld]
num (integer - count)security_result.detection_fields [num]
+
+
+

Field mapping reference: CORELIGHT - http, http_red, http2, http_agg

+ +The following table lists the log fields of the http, http_red, http2, http_agg log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_HTTP.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
trans_depth (integer - count)about.labels [trans_depth]
method (string)network.http.method
host (string)target.hostname
uri (string)target.url
referrer (string)network.http.referral_url
version (string)network.application_protocol_version
user_agent (string)network.http.user_agent
origin (string)principal.hostname
request_body_len (integer - count)network.sent_bytes
response_body_len (integer - count)network.received_bytes
status_code (integer - count)network.http.response_code
status_msg (string)about.labels [status_msg]
info_code (integer - count)about.labels [info_code]
info_msg (string)about.labels [info_msg]
tags (array[string] - set[enum])about.labels [tags]
username (string)principal.user.user_display_name
password (string)extensions.auth.auth_details
proxied (array[string] - set[string])intermediary.hostname
orig_fuids (array[string] - vector of string)about.labels [orig_fuid]
orig_filenames (array[string] - vector of string)src.file.namesThe orig_filenames log field is mapped to src.file.names UDM field when index value in orig_filenames is equal to 0.

For every other index value, orig_filenames log field is mapped to the about.file.names. +
orig_mime_types (array[string] - vector of string)src.file.mime_typeThe orig_mime_types log field is mapped to src.file.mime_type UDM field when index value in orig_mime_types is equal to 0.

For every other index value, orig_mime_types log field is mapped to the about.file.mime_type. +
resp_fuids (array[string] - vector of string)about.labels [resp_fuid]
resp_filenames (array[string] - vector of string)target.file.namesThe resp_filenames log field is mapped to target.file.names UDM field when index value in resp_filenames is equal to 0.

For every other index value, resp_filenames log field is mapped to the about.file.names. +
resp_mime_types (array[string] - vector of string)target.file.mime_typeThe resp_mime_types log field is mapped to target.file.mime_type UDM field when index value in resp_mime_types is equal to 0.

For every other index value, resp_mime_types log field is mapped to the about.file.mime_type. +
post_body (string)about.labels [post_body]
stream_id (integer - count)about.labels [stream_id]
encoding (string)about.labels [encoding]
push (boolean - bool)about.labels [push]
versions (array[float] - vector of float)network.application_protocol_versionIterate through log field versions, then
if index is equal to 0 then, version log field is mapped to the network.application_protocol_version UDM field.
Else, version_%{index} log field is mapped to the additional.fields.key UDM field and version log field is mapped to the additional.fields.value UDM field.
user_agents (array[string] - vector of string)network.http.user_agentIterate through log field user_agents, then
if index is equal to 0 then, user_agent log field is mapped to the network.http.user_agent UDM field.
Else, user_agent_%{index} log field is mapped to the additional.fields.key UDM field and user_agent log field is mapped to the additional.fields.value UDM field.
+
+
+

Field mapping reference: CORELIGHT - smtp_links

+ +The following table lists the log fields of the smtp_links log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_SMTP.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to SMTP.
fuid (string)about.labels [fuid]
link (string)about.url
domain (string)about.domain.name
+
+
+

Field mapping reference: CORELIGHT - irc

+ +The following table lists the log fields of the irc log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
nick (string)principal.user.user_display_name
user (string)principal.user.useridIf the user log field value is less than or equal to 255, then the user log field is mapped to the principal.user.userid UDM field.

Else, the user log field is mapped to the about.labels UDM field.
command, value, addlprincipal.process.command_line
dcc_file_name (string)src.file.names
dcc_file_size (integer - count)src.file.size
dcc_mime_type (string)src.file.mime_type
fuid (string)about.labels [fuid]
+
+
+

Field mapping reference: CORELIGHT - files, files_red, files_agg

+ +The following table lists the log fields of the files, files_red, files_agg log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
fuid (string)about.labels [fuid]
tx_hosts (array[string] - set[addr])principal.ip
rx_hosts (array[string] - set[addr])target.ip
conn_uids (array[string] - set[string])about.labels [conn_uid]
source (string)about.labels [source]
depth (integer - count)about.labels [depth]
analyzers (array[string] - set[string])about.labels [analyzer]
mime_type (string)about.file.mime_type
filename (string)about.file.names
duration (number - interval)about.labels [duration]
local_orig (boolean - bool)about.labels [local_orig]
is_orig (boolean - bool)about.labels [is_orig]
seen_bytes (integer - count)about.file.size
total_bytes (integer - count)about.labels [total_bytes]
missing_bytes (integer - count)about.labels [missing_bytes]
overflow_bytes (integer - count)about.labels [overflow_bytes]
timedout (boolean - bool)about.labels [timedout]
parent_fuid (string)about.labels [parent_fuid]
md5 (string)about.file.md5
sha1 (string)about.file.sha1
sha256 (string)about.file.sha256
md5 (string)network.tls.client.certificate.md5If the source log field value is equal to ssl and the mime_type log field value is equal to application/x-x509-user-cert and the _path log field value is equal to files, then the network.tls.client.certificate.md5 UDM field is set to md5.
sha1 (string)network.tls.client.certificate.sha1If the source log field value is equal to ssl and the mime_type log field value is equal to application/x-x509-user-cert and the _path log field value is equal to files, then the network.tls.client.certificate.sha1 UDM field is set to sha1.
sha256 (string)network.tls.client.certificate.sha256If the source log field value is equal to ssl and the mime_type log field value is equal to application/x-x509-user-cert and the _path log field value is equal to files, then the network.tls.client.certificate.sha256 UDM field is set to sha256.
md5 (string)network.tls.server.certificate.md5If the source log field value is equal to ssl and the mime_type log field value is equal to application/x-x509-ca-cert and the _path log field value is equal to files, then the network.tls.server.certificate.md5 UDM field is set to md5.
sha1 (string)network.tls.server.certificate.sha1If the source log field value is equal to ssl and the mime_type log field value is equal to application/x-x509-ca-cert and the _path log field value is equal to files, then the network.tls.server.certificate.sha1 UDM field is set to sha1.
sha256 (string)network.tls.server.certificate.sha256If the source log field value is equal to ssl and the mime_type log field value is equal to application/x-x509-ca-cert and the _path log field value is equal to files, then the network.tls.server.certificate.sha256 UDM field is set to sha256.
extracted (array[string] - set[string])about.file.names
extracted_cutoff (boolean - bool)about.labels [extracted_cutoff]
extracted_size (integer - count)about.labels [extracted_size]
num (integer - count)about.labels [num]
vlan (integer - int)additional.fields [vlan]
vlan_inner (integer - int)additional.fields [vlan_inner]
mime_types (array[string] - vector of string)target.file.mime_typeIterate through log field mime_type, then
if index is equal to 0 then, mime_type log field is mapped to the target.file.mime_type UDM field.
Else, mime_type_%{index} log field is mapped to the additional.fields.key UDM field and mime_type log field is mapped to the additional.fields.value UDM field.
timedouts (array[boolean] - vector of bool)additional.fields[timedouts]Iterate through log field timedouts, then
timedout_%{index} log field is mapped to the additional.fields.key UDM field and timedouts log field is mapped to the additional.fields.value UDM field.
+
+
+

Field mapping reference: CORELIGHT - notice

+ +The following table lists the log fields of the notice log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
fuid (string)about.labels [fuid]
file_mime_type (string)target.file.mime_type
file_desc (string)about.labels [file_desc]
proto (string - enum)network.ip_protocol
note (string - enum)security_result.description
msg (string)metadata.description
sub (string)about.labels [sub]
src (string - addr)principal.ip
dst (string - addr)target.ip
p (integer - port)about.port
n (integer - count)about.labels [n]
peer_descr (string)about.labels [peer_descr]
security_result.action The security_result.action UDM field is set to ALLOW.
actions (array[string] - set[enum])security_result.action_details
suppress_for (number - interval)about.labels [suppress_for]
remote_location.country_code (string)about.location.country_or_regionThe about.location.country_or_region UDM field is set with remote_location.country_code, remote_location.region log fields as "remote_location.country_code: remote_location.region".
remote_location.region (string)about.location.country_or_regionThe about.location.country_or_region UDM field is set with remote_location.country_code, remote_location.region log fields as "remote_location.country_code: remote_location.region".
remote_location.city (string)about.location.city
remote_location.latitude (number - double)about.location.region_coordinates.latitude
remote_location.longitude (number - double)about.location.region_coordinates.longitude
security_result.severity
If the severity.level log field value contain one of the following values
  • 0
  • 1
then, the security_result.severity UDM field is set to HIGH.
Else, If severity.level log field value is equal to 2 then, the security_result.severity UDM field is set to CRITICAL.
Else, If severity.level log field value is equal to 3 then, the security_result.severity UDM field is set to ERROR.
Else, If severity.level log field value contain one of the following values
  • 4
  • 5
  • 6
then, the security_result.severity UDM field is set to INFORMATIONAL.
Else, If severity.level log field value is equal to 7 then, the security_result.severity UDM field is set to LOW.
Else The security_result.severity UDM field is set to UNKNOWN_SEVERITY.
severity.namesecurity_result.severity_details
severity.levelsecurity_result.detection_fields [severity_level]
resp_vulnerable_host.criticality (string)target.asset.vulnerabilities.severity
If the resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Critical" or the resp_vulnerable_host.criticality log field value is equal to "4 " then, the "target.asset.vulnerabilities.severity" UDM field is set to CRITICAL.
Else, If resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)High" or the resp_vulnerable_host.criticality log field value is equal to "3 " then, the "target.asset.vulnerabilities.severity" UDM field is set to HIGH.
Else, If resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Low" or the resp_vulnerable_host.criticality log field value is equal to "1 " then, the "target.asset.vulnerabilities.severity" UDM field is set to LOW.
Else, If resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Medium" or the resp_vulnerable_host.criticality log field value is equal to "2 " then, the "target.asset.vulnerabilities.severity" UDM field is set to MEDIUM.
Else, If resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Unknown_Severity" or the resp_vulnerable_host.criticality log field value is equal to "0 " then, the "target.asset.vulnerabilities.severity" UDM field is set to UNKNOWN_SEVERITY.
resp_vulnerable_host.criticality (string)target.asset.vulnerabilities.severity_details
resp_vulnerable_host.cve (string)target.asset.vulnerabilities.cve_id
resp_vulnerable_host.host_uid (string)additional.fields [resp_vulnerable_host_uid]
resp_vulnerable_host.hostname (string)target.asset.hostname
resp_vulnerable_host.machine_domain (string)target.asset.network_domain
resp_vulnerable_host.os_version (string)target.asset.platform_software.platform_version
resp_vulnerable_host.source (string)target.asset.vulnerabilities.cve_description
orig_vulnerable_host.criticality (string)principal.asset.vulnerabilities.severity
If the orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Critical" or the orig_vulnerable_host.criticality log field value is equal to "4 " then, the "principal.asset.vulnerabilities.severity" UDM field is set to CRITICAL.
Else, If orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)High" or the orig_vulnerable_host.criticality log field value is equal to "3 " then, the "principal.asset.vulnerabilities.severity" UDM field is set to HIGH.
Else, If orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Low" or the orig_vulnerable_host.criticality log field value is equal to "1 " then, the "principal.asset.vulnerabilities.severity" UDM field is set to LOW.
Else, If orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Medium" or the orig_vulnerable_host.criticality log field value is equal to "2 " then, the "principal.asset.vulnerabilities.severity" UDM field is set to MEDIUM.
Else, If orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Unknown_Severity" or the orig_vulnerable_host.criticality log field value is equal to "0 " then, the "principal.asset.vulnerabilities.severity" UDM field is set to UNKNOWN_SEVERITY.
orig_vulnerable_host.criticality (string)principal.asset.vulnerabilities.severity_details
orig_vulnerable_host.cve (array[string] - vector of string)principal.asset.vulnerabilities.cve_id
orig_vulnerable_host.host_uid (string)additional.fields [orig_vulnerable_host_uid]
orig_vulnerable_host.hostname (string)principal.asset.hostname
orig_vulnerable_host.machine_domain (string)principal.asset.network_domain
orig_vulnerable_host.os_version (string)principal.asset.platform_software.platform_version
orig_vulnerable_host.source (string)principal.asset.vulnerabilities.cve_description
+
+
+

Field mapping reference: CORELIGHT - smb_files

+ +The following table lists the log fields of the smb_files log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeIf the action log field value is equal to SMB::FILE_READ, then the metadata.event_type UDM field is set to FILE_READ.

Else, if the action log field value is equal to SMB::FILE_WRITE, then the metadata.event_type UDM field is set to FILE_MODIFICATION.

Else, if the action log field value is equal to SMB::FILE_OPEN, then the metadata.event_type UDM field is set to FILE_OPEN.

Else, if the action log field value is equal to SMB::FILE_CLOSE, then the metadata.event_type UDM field is set to FILE_UNCATEGORIZED.

Else, if the action log field value is equal to SMB::FILE_DELETE, then the metadata.event_type UDM field is set to FILE_DELETION.

Else, if the action log field value is equal to SMB::FILE_RENAME, then the metadata.event_type UDM field is set to FILE_MOVE.

Else, if the action log field value is equal to SMB::FILE_SET_ATTRIBUTE, then the metadata.event_type UDM field is set to FILE_UNCATEGORIZED.

Else, the metadata.event_type UDM field is set to FILE_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to SMB.
network.ip_protocolThe network.ip_protocol UDM field is set to TCP.
action, namemetadata.descriptionThe metadata.description UDM field is set with action, name log fields as "action: action on: name".
security_result.severityThe security_result.severity UDM field is set to INFORMATIONAL.
security_result.actionThe security_result.action UDM field is set to ALLOW.
fuid (string)about.labels [fuid]
action (string - enum)target.labels [action]
path (string)target.file.full_path
name (string)target.file.names
size (integer - count)target.file.size
prev_name (string)src.file.names
times.modified (time)target.file.last_modification_time
times.accessed (time)target.file.last_seen_time
times.created (time)target.file.first_seen_time
times.changed (time)target.labels [times_changed]
data_offset_req (integer - count)target.labels [data_offset_req]
data_len_req (integer - count)target.labels [data_len_req]
data_len_rsp (integer - count)target.labels [data_len_rsp]
+
+
+

Field mapping reference: CORELIGHT - smb_mapping

+ +The following table lists the log fields of the smb_mapping log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to SMB.
network.ip_protocolThe network.ip_protocol UDM field is set to TCP.
security_result.severityThe security_result.severity UDM field is set to INFORMATIONAL.
security_result.actionThe security_result.action UDM field is set to ALLOW.
path (string)target.resource.attribute.labels [path]
service (string)target.application
native_file_system (string)target.resource.attribute.labels [native_file_system]
share_type (string)target.resource.resource_typeIf the share_type log field value is equal to DISK, then the target.resource.resource_type UDM field is set to STORAGE_OBJECT.

Else, if the share_type log field value is equal to PIPE, then the target.resource.resource_type UDM field is set to PIPE.

Else, the target.resource.resource_type UDM field is set to UNSPECIFIED.
share_type (string)target.resource.resource_subtype
+
+
+

Field mapping reference: CORELIGHT - ssl, ssl_red, ssl_agg

+ +The following table lists the log fields of the ssl, ssl_red, ssl_agg log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to HTTPS.
network.ip_protocolThe network.ip_protocol UDM field is set to TCP.
security_result.severityThe security_result.severity UDM field is set to INFORMATIONAL.
security_result.actionThe security_result.action UDM field is set to ALLOW.
version (string)network.tls.version
cipher (string)network.tls.cipher
curve (string)network.tls.curve
server_name (string)network.tls.client.server_name
resumed (boolean - bool)network.tls.resumed
last_alert (string)security_result.description
next_protocol (string)network.tls.next_protocol
established (boolean - bool)network.tls.established
ssl_history (string)about.labels [ssl_history]
cert_chain_fps (array[string] - vector of string)target.labels [cert_chain_fps]
client_cert_chain_fps (array[string] - vector of string)principal.labels [client_cert_chain_fps]
sni_matches_cert (boolean - bool)about.labels [sni_matches_cert]
validation_status (string)security_result.description
ja3 (string)network.tls.client.ja3
ja3s (string)network.tls.server.ja3s
+
+
+

Field mapping reference: CORELIGHT - rdp

+ +The following table lists the log fields of the rdp log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
cookie (string)principal.user.userid
result (string)about.labels [result]
security_protocol (string)target.labels [security_protocol]
client_channels (array[string] - vector of string)intermediary.labels [client_channels]
keyboard_layout (string)principal.labels [keyboard_layout]
client_build (string)principal.asset.software.version
client_name (string)principal.hostname
client_dig_product_id (string)principal.asset.product_object_id
desktop_width (integer - count)principal.labels [desktop_width]
desktop_height (integer - count)principal.labels [desktop_height]
requested_color_depth (string)principal.labels [requested_color_depth]
cert_type (string)about.labels [cert_type]
cert_count (integer - count)about.labels [cert_count]
cert_permanent (boolean - bool)about.labels [cert_permanent ]
encryption_level (string)about.labels [encryption_level]
encryption_method (string)about.labels [encryption_method]
auth_success (boolean - bool)security_result.actionIf the auth_success log field value is equal to true then, the security_result.action UDM field is set to ALLOW.
Else, the security_result.action UDM field is set to FAIL.
channels_joined (integer - int)intermediary.labels [channels_joined]
inferences (array[string] - set[string])about.labels [inferences]
rdpeudp_uid (string)about.labels [rdpeudp_uid]
network.ip_protocolThe network.ip_protocol UDM field is set to TCP.
rdfp_string (string)principal.labels [rdfp_string]
rdfp_hash (string)principal.labels [rdfp_hash]
result, security_protocolsecurity_result.descriptionThe security_result.description UDM field is set with result, security_protocol log fields as "result connection with security protocol security_protocol".
security_result.severityThe security_result.severity UDM field is set to INFORMATIONAL.
+
+
+

Field mapping reference: CORELIGHT - sip

+ +The following table lists the log fields of the sip log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to SIP.
trans_depth (integer - count)about.labels [trans_depth]
method (string)about.labels [method]
uri (string)target.url
date (string)about.labels [date]
request_from (string)principal.labels [request_from]
request_to (string)target.labels [request_to]
response_fromprincipal.labels [response_from]
response_to (string)target.labels [response_to]
reply_to (string)about.labels [reply_to]
call_id (string)about.labels[call_id]
seq (string)about.labels [seq]
subject (string)about.labels [subject]
request_path (array[string] - vector of string)about.labels [request_path]
response_path (array[string] - vector of string)about.labels [response_path]
user_agent (string)about.labels [user_agent]
status_code (integer - count)about.labels [status_code]
status_msg (string)security_result.description
warning (string)security_result.summary
request_body_len (integer - count)network.sent_bytes
response_body_len (integer - count)network.received_bytes
content_type (string)about.labels [content_type]
+
+
+

Field mapping reference: CORELIGHT - intel

+ +The following table lists the log fields of the intel log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to SCAN_NETWORK.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
seen.indicator_type (string - enum)entity.metadata.entity_typeIf the indicator.type log field value is equal to Intel::ADDR, then the metadata.entity_type UDM field is set to IP_ADDRESS.

Else, if the indicator.type log field value is equal to Intel::SUBNET or Intel::SOFTWARE or Intel::CERT_HASH or Intel::PUBKEY_HASH, then the metadata.entity_type UDM field is set to RESOURCE.

Else, if the indicator.type log field value is equal to Intel::URL, then the metadata.entity_type UDM field is set to URL.

Else, if the indicator.type log field value is equal to the Intel::EMAIL or Intel::USER_NAME, then the metadata.entity_type UDM field is set to USER.

Else, if the indicator.type log field value is equal to Intel::DOMAIN, then the metadata.entity_type UDM field is set to DOMAIN_NAME.

Else, if the indicator.type log field value is equal to the Intel::FILE_HASH or Intel::FILE_NAME, then the metadata.entity_type UDM field is set to FILE.

Else, the metadata.entity_type UDM field is set to RESOURCE.
seen.indicator (string)entity.ipIf the indicator.type log field value is equal to Intel::ADDR, then the seen.indicator log field is mapped to the entity.ip UDM field.
seen.indicator (string)entity.urlIf the indicator.type log field value is equal to Intel::URL, then the seen.indicator log field is mapped to the entity.url UDM field.
seen.indicator (string)entity.domain.nameIf the indicator.type log field value is equal to Intel::DOMAIN, then the seen.indicator log field is mapped to the entity.domain.name UDM field.
seen.indicator (string)entity.user.email_addressIf the indicator.type log field value is equal to Intel::USER_NAME or Intel::EMAIL, then the seen.indicator log field is mapped to the entity.user.email_address UDM field.
seen.indicator (string)entity.file.namesIf the indicator.type log field value is equal to Intel::FILE_HASH or Intel::FILE_NAME, then the seen.indicator log field is mapped to the entity.file.full_path UDM field.
seen.indicator (string)entity.resource.nameIf the metadata.entity_type log field value is equal to RESOURCE, then the seen.indicator log field is mapped to the entity.resource.name UDM field.
entity.resource.resource_typeIf the indicator.type log field value is equal to Intel::SUBNET, then the entity.resource.resource_name UDM field is set to VPC_NETWORK.
seen.indicator_type (string - enum)entity.resource.resource_sub_typeIf the metadata.entity_type log field value is equal to RESOURCE, then the seen.indicator_type log field is mapped to the entity.resource.resource_sub_type UDM field.
seen.where (string - enum)entity.metadata.source_labels [seen_where]
matched (array[string] - set[enum])entity.labels [matched]
sources (array[string] - set[string])entity.metadata.source_labels [source]
fuid (string)about.labels [fuid]
file_mime_type (string)entity.file.mime_type
file_desc (string)metadata.threat.detection_fields [file_desc]
desc (array[string] - set[string])ioc.descriptionThe desc log field is mapped to ioc.description UDM field when index value in desc is equal to 0. +

For every other index value, entity.labels.key UDM field is set to desc and desc log field is mapped to the entity.labels.value.
url (array[string] - set[string])metadata.threat.url_back_to_product
confidence (array[number] - set[double])ioc.confidence_scoreThe confidence log field is mapped to ioc.confidence_score UDM field when index value in confidence is equal to 0. +

For every other index value, entity.labels.key UDM field is set to confidence and confidence log field is mapped to the entity.labels.value.
firstseen (array[string] - set[string])ioc.active_timerange.startThe firstseen log field is mapped to ioc.active_timerange.start UDM field when index value in firstseen is equal to 0. +

For every other index value, entity.labels.key UDM field is set to firstseen and firstseen log field is mapped to the entity.labels.value.
lastseen (array[string] - set[string])ioc.active_timerange.endThe lastseen log field is mapped to ioc.active_timerange.end UDM field when index value in lastseen is equal to 0. +

For every other index value, entity.labels.key UDM field is set to lastseen and lastseen log field is mapped to the entity.labels.value.
associated (array[string] - set[string])entity.labels [associated]
category (array[string] - set[string])ioc.categorizationThe category log field is mapped to ioc.categorization UDM field when index value in category is equal to 0. +

For every other index value, entity.labels.key UDM field is set to category and category log field is mapped to the entity.labels.value.
campaigns (array[string] - set[string])entity.labels [campaign]
reports (array[string] - set[string])entity.labels [report]
seen.indicator (string)about.labels [indicator]
seen.indicator_type (string - enum)about.labels [indicator_type]
seen.where (string - enum)about.labels [where]
sources (array[string] - set[string])about.labels [sources]
confidence (array[number] - set[double])about.labels [confidence]
category (array[string] - set[string])about.labels [category]
threat_score (array[number] - set[double])entity.security_result.detection_fields[threat_score]
verdict (array[string] - set[string])entity.security_result.verdict_info.verdict_responseIterate through verdict,
If the verdict log field value matches the regular expression pattern "(?i)Malicious" or the verdict log field value is equal to "1" then, the "entity.security_result.verdict_info.verdict_response" UDM field is set to MALICIOUS.
Else, If verdict log field value matches the regular expression pattern "(?i)Benign" or the verdict log field value is equal to "2" then, the "entity.security_result.verdict_info.verdict_response" UDM field is set to BENIGN.
Else The "entity.security_result.verdict_info.verdict_response" UDM field is set to VERDICT_RESPONSE_UNSPECIFIED.
verdict_source (array[string] - set[string])entity.security_result.verdict_info.source_providerIterate through verdict_source,
verdict_source log field is mapped to the entity.security_result.VerdictInfo.source_provider UDM field.
+
+
+

Field mapping reference: CORELIGHT - smtp

+ +The following table lists the log fields of the smtp log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_SMTP.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to SMTP.
trans_depth (integer - count)about.labels [trans_depth]
helo (string)network.smtp.helo
mailfrom (string)network.smtp.mail_from
rcptto (array[string] - set[string])network.smtp.rcpt_to
date (string)about.labels [date]
from (string)network.email.from
to (array[string] - set[string])network.email.to
cc (array[string] - set[string])network.email.cc
reply_to (string)network.email.reply_to
msg_id (string)network.email.mail_id
in_reply_to (string)about.labels [in_reply_to]
subject (string)network.email.subject
x_originating_ip (string - addr)principal.ip
first_received (string)about.labels [first_received]
second_received (string)about.labels [second_received]
last_reply (string)network.smtp.server_response
path (array[string] - vector of addr)network.smtp.message_pathIterate through log field path, then
if the index value is equal to 0 then, path log field is mapped to the network.smtp.message_path UDM field.
Else, path log field is mapped to the intermediary.ip UDM field.
user_agent (string)principal.application
tls (boolean - bool)network.smtp.is_tls
fuids (array[string] - vector of string)about.labels [fuid]
is_webmail (boolean - bool)network.smtp.is_webmail
urls (array[string] - set[string])about.url
domains (array[string] - set[string])about.domain.name
+
+
+

Field mapping reference: CORELIGHT - ssh

+ +The following table lists the log fields of the ssh log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to SSH.
version (integer - count)network.application_protocol_versionThe network.application_protocol_version UDM field is set with version log field as "SSH version".
auth_success (boolean - bool)security_result.action_details
auth_success (boolean - bool)security_result.actionIf the auth_success log field value is not equal to true, then the security_result.action UDM field is set to ALLOW.

Else, the security_result.action UDM field is set to BLOCK.
auth_attempts (integer - count)extensions.auth.auth_detailsThe extensions.auth.auth_details UDM field is set with auth_attempts log field as "auth_attempts: auth_attempts".
direction (string - enum)network.directionIf the direction log field value is equal to INBOUND, then the network.direction UDM field is set to INBOUND.

Else, if the direction log field value is equal to OUTBOUND, then the network.direction UDM field is set to OUTBOUND.
client (string)principal.asset.software.version
server (string)target.asset.software.version
cipher_alg (string)network.tls.cipher
mac_alg (string)security_result.detection_fields [mac_alg]
compression_alg (string)security_result.detection_fields [compression_alg]
kex_alg (string)security_result.detection_fields [kex_alg]
host_key_alg (string)network.tls.server.certificate.version
host_key (string)network.tls.server.certificate.sha256
remote_location.country_code (string)target.location.country_or_region
remote_location.region (string)target.location.country_or_region
remote_location.city (string)target.location.city
remote_location.latitude (number - double)target.location.region_coordinates.latitude
remote_location.longitude (number - double)target.location.region_coordinates.longitude
hasshVersion (string)about.labels [hassh_version]
hassh (string)principal.labels [hassh]
hasshServer (string)target.labels [hassh_server]
cshka (string)about.labels [cshka]
hasshAlgorithms (string)about.labels [hassh_algorithms]
sshka (string)about.labels [sshka]
hasshServerAlgorithms (string)about.labels [hassh_server_algorithms]
inferences (array[string] - set[string])security_result.summary, security_result.description, security_result.detection_fields[inferences]If the inferences log field value is equal to ABP, then the security_result.summary UDM field is set to Client Authentication Bypass and the security_result.description UDM field is set to A client wasn't adhering to expectations of SSH either through server exploit or by the client and server switching to a protocol other than SSH after encryption begins.

+ If the inferences log field value is equal to AFR, then the security_result.summary UDM field is set to SSH Agent Forwarding Requested and the security_result.description UDM field is set to Agent Forwarding is requested by the Client.

+ If the inferences log field value is equal to APWA, then the security_result.summary UDM field is set to Automated Password Authentication and the security_result.description UDM field is set to The client authenticated with an automated password tool (like sshpass).

+ If the inferences log field value is equal to AUTO, then the security_result.summary UDM field is set to Automated Interaction and the security_result.description UDM field is set to The client is a script automated utility and not driven by a user.

+ If the inferences log field value is equal to BAN, then the security_result.summary UDM field is set to Server Banner and the security_result.description UDM field is set to The server sent the client a pre-authentication banner, likely for legal reasons.

+ If the inferences log field value is equal to BF, then the security_result.summary UDM field is set to Client Brute Force Guessing and the security_result.description UDM field is set to A client made a number of authentication attempts that exceeded some configured, pre-connection threshold.

+ If the inferences log field value is equal to BFS, then the security_result.summary UDM field is set to Client Brute Force Success and the security_result.description UDM field is set to A client made a number of authentication attempts that exceeded some configured, pre-connection threshold.

+ If the inferences log field value is equal to CTS, then the security_result.summary UDM field is set to Client Trusted Server and the security_result.description UDM field is set to The client already has an entry in its known_hosts file for this server.

+ If the inferences log field value is equal to CUS, then the security_result.summary UDM field is set to Client Untrusted Server and the security_result.description UDM field is set to The client did not have an entry in its known_hosts file for this server.

+ If the inferences log field value is equal to IPWA, then the security_result.summary UDM field is set to Interactive Password Authentication and the security_result.description UDM field is set to The client interactively typed their password to authenticate.

+ If the inferences log field value is equal to KS, then the security_result.summary UDM field is set to Keystrokes and the security_result.description UDM field is set to An interactive session occurred in which the client set user-driven keystrokes to the server.

+ If the inferences log field value is equal to LFD, then the security_result.summary UDM field is set to Large Client File Download and the security_result.description UDM field is set to A file transfer occurred in which the server sent a sequence of bytes to the client.

+ If the inferences log field value is equal to LFU, then the security_result.summary UDM field is set to Large Client File Upload and the security_result.description UDM field is set to A file transfer occurred in which the client sent a sequence of bytes to the server. Large file are identified dynamically based on trains of MTU-sized packets.

+ If the inferences log field value is equal to MFA, then the security_result.summary UDM field is set to Multifactor Authentication and the security_result.description UDM field is set to The server required a second form of authentication (a code) after password or public key was accepted, and the client successfully provided it.

+ If the inferences log field value is equal to NA, then the security_result.summary UDM field is set to None Authentication and the security_result.description UDM field is set to The client successfully authenticated using the None method.

+ If the inferences log field value is equal to NRC, then the security_result.summary UDM field is set to No Remote Command and the security_result.description UDM field is set to The -N flag was used in SSH authentication.

+ If the inferences log field value is equal to PKA, then the security_result.summary UDM field is set to Public Key Authentication and the security_result.description UDM field is set to The client automatically authenticated using pubkey authentication.

+ If the inferences log field value is equal to RSI, then the security_result.summary UDM field is set to Reverse SSH Initiated and the security_result.description UDM field is set to The Reverse session is initiated from the server back to the client.

+ If the inferences log field value is equal to RSIA, then the security_result.summary UDM field is set to Reverse SSH Initiated Automated and the security_result.description UDM field is set to The inititation of the Reverse session happened very early in the packet stream, indicating automation.

+ If the inferences log field value is equal to RSK, then the security_result.summary UDM field is set to Reverse SSH Keystrokes and the security_result.description UDM field is set to Keystrokes are detected within the Reverse tunnel.

+ If the inferences log field value is equal to RSL, then the security_result.summary UDM field is set to Reverse SSH Logged In and the security_result.description UDM field is set to The Reverse Tunnel login has succeeded.

+ If the inferences log field value is equal to RSP, then the security_result.summary UDM field is set to Reverse SSH Provisioned and the security_result.description UDM field is set to The client connected with -R flag, which provisions the port to be used for a Reverse Session set up at any future time.

+ If the inferences log field value is equal to SA, then the security_result.summary UDM field is set to Authentication Scanning and the security_result.description UDM field is set to The client scanned authentication method with the server and then disconnected.

+ If the inferences log field value is equal to SC, then the security_result.summary UDM field is set to Capabilities Scanning and the security_result.description UDM field is set to The client exchanged capabilities with the server and then disconnected.

+ If the inferences log field value is equal to SFD, then the security_result.summary UDM field is set to Small Client File Download and the security_result.description UDM field is set to A file transfer occurred in which the server sent a sequence of bytes to the client.

+ If the inferences log field value is equal to SFU, then the security_result.summary UDM field is set to Small Client File Upload and the security_result.description UDM field is set to A file transfer occurred in which the client sent a sequence of bytes to the server.

+ If the inferences log field value is equal to SP, then the security_result.summary UDM field is set to Other Scanning and the security_result.description UDM field is set to A client and server didn't exchange encrypted packets but the client wasn't a version or capabilities scanner.

+ If the inferences log field value is equal to SV, then the security_result.summary UDM field is set to Version Scanning and the security_result.description UDM field is set to A client exchanged version strings with the server and than disconnected.

+ If the inferences log field value is equal to UA, then the security_result.summary UDM field is set to Unknown Authentication and the security_result.description UDM field is set to The authentication method is not determinated or is unknown.
+
+
+

Field mapping reference: CORELIGHT - suricata_corelight

+ +The following table lists the log fields of the suricata_corelight log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to SCAN_NETWORK.
metadata.product_nameThe metadata.product_name UDM field is set to Suricata.
id.vlan (integer - count)intermediary.labels [id_vlan]
id.vlan_inner (integer - count)intermediary.labels [id_vlan_inner]
icmp_type (integer - count)about.labels [icmp_type]
icmp_code (integer - count)about.labels [icmp_code]
suri_id (string)metadata.product_log_id
service (string)network.application_protocol
flow_id (integer - count)about.labels[flow_id]
tx_id (integer - count)about.labels [tx_id]
pcap_cnt (integer - count)about.labels [pcap_cnt]
alert.action (string)security_result.action_details
alert.gid (integer - count)security_result.detection_fields [alert_gid]
alert.signature_id (integer - count)security_result.rule_id
alert.rev (integer - count)security_result.rule_version
alert.signature (string)security_result.summary
alert.signature (string)security_result.rule_name
alert.category (string)security_result.category_details
alert.severity (integer - count)security_result.severity_details
alert.metadata (array[string] - vector of string)security_result.rule_labels[alert_metadata]
community_id (string)network.community_id
payload (string)about.labels [payload]
payload (string)about.labels [payload_decoded]
packet (string)about.labels [packet]
packet (string)about.labels [packet_decoded]
metadata (array[string] - vector of string)security_result.rule_labels[metadata]
orig_cve (string)extensions.vulns.vulnerabilities.cve_id
resp_cve (string)extensions.vulns.vulnerabilities.cve_id
signature_severitysecurity_result.severityIf alert.rule log field value matches the grok pattern signature_severity (?Critical|Major|Minor|Informational) then
If the signature_severity extracted field value is equal to Critical then, the security_result.severity UDM field is set to CRITICAL and signature_severity extracted field is mapped to the security_result.severity_details UDM field.
Else, If signature_severity extracted field value is equal to Major then, the security_result.severity UDM field is set to MEDIUM and signature_severity extracted field is mapped to the security_result.severity_details UDM field.
Else, If signature_severity extracted field value is equal to Minor then, the security_result.severity UDM field is set to LOW and signature_severity extracted field is mapped to the security_result.severity_details UDM field.
Else, If signature_severity extracted field value is equal to Informational then, the security_result.severity UDM field is set to INFORMATIONAL and signature_severity extracted field is mapped to the security_result.severity_details UDM field.
orig_vulnerable_host.cve (array[string] - vector of string)principal.asset.vulnerabilities.cve_id
orig_vulnerable_host.hostname(string)principal.asset.hostname
orig_vulnerable_host.host_uid(string)about.labels [orig_vulnerable_host_uid]
orig_vulnerable_host.machine_domain(string)principal.asset.network_domain
orig_vulnerable_host.os_version(string)principal.asset.platform_software.platform_version
orig_vulnerable_host.source(string)principal.asset.vulnerabilities.cve_description
resp_vulnerable_host.cve(string)target.asset.vulnerabilities.cve_id
resp_vulnerable_host.hostname(string)target.asset.hostname
resp_vulnerable_host.host_uid(string)about.labels [resp_vulnerable_host_uid]
resp_vulnerable_host.machine_domain(string)target.asset.network_domain
resp_vulnerable_host.os_version(string)target.asset.platform_software.platform_version
resp_vulnerable_host.source(string)target.asset.vulnerabilities.cve_description
service (string)about.labels [service]
alert.rule (string)security_result.description
alert.references (array[string] - vector of string)security_result.detection_fields[alert_references]iterate through alert.references,
alert.references log field is mapped to the security_result.detection_fields.alert_references UDM field.
payload_printable (string)security_result.detection_fields[payload_printable]
references (array[string] - vector of string)security_result.detection_fields[references]iterate through references,
references log field is mapped to the security_result.detection_fields.references UDM field.
orig_vulnerable_host.criticality (string)principal.asset.vulnerabilities.severity
If the orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Critical" or the orig_vulnerable_host.criticality log field value is equal to "4" then, the "principal.asset.vulnerabilities.severity" UDM field is set to CRITICAL.
Else, If orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)High" or the orig_vulnerable_host.criticality log field value is equal to "3" then, the "principal.asset.vulnerabilities.severity" UDM field is set to HIGH.
Else, If orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Low" or the orig_vulnerable_host.criticality log field value is equal to "1" then, the "principal.asset.vulnerabilities.severity" UDM field is set to LOW.
Else, If orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Medium" or the orig_vulnerable_host.criticality log field value is equal to "2" then, the "principal.asset.vulnerabilities.severity" UDM field is set to MEDIUM.
Else, If orig_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Unknown_Severity" or the orig_vulnerable_host.criticality log field value is equal to "0" then, the "principal.asset.vulnerabilities.severity" UDM field is set to UNKNOWN_SEVERITY.
orig_vulnerable_host.criticality (string)principal.asset.vulnerabilities.severity_details
resp_vulnerable_host.criticality (string)target.asset.vulnerabilities.severity
If the resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Critical" or the resp_vulnerable_host.criticality log field value is equal to "4 " then, the "target.asset.vulnerabilities.severity" UDM field is set to CRITICAL.
Else, If resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)High" or the resp_vulnerable_host.criticality log field value is equal to "3 " then, the "target.asset.vulnerabilities.severity" UDM field is set to HIGH.
Else, If resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Low" or the resp_vulnerable_host.criticality log field value is equal to "1 " then, the "target.asset.vulnerabilities.severity" UDM field is set to LOW.
Else, If resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Medium" or the resp_vulnerable_host.criticality log field value is equal to "2 " then, the "target.asset.vulnerabilities.severity" UDM field is set to MEDIUM.
Else, If resp_vulnerable_host.criticality log field value matches the regular expression pattern "(?i)Unknown_Severity" or the resp_vulnerable_host.criticality log field value is equal to "0 " then, the "target.asset.vulnerabilities.severity" UDM field is set to UNKNOWN_SEVERITY.
resp_vulnerable_host.criticality (string)target.asset.vulnerabilities.severity_details
rule_contentsecurity_result.detection_fields[alert_rule_content]If alert.rule log field value matches the grok pattern %{GREEDYDATA:_}content:\\"%{GREEDYDATA:rule_content}\\" then, the rule_content extracted field is mapped to security_result.detection_fields [alert_rule_content] UDM field.
rule_classtypesecurity_result.detection_fields [alert_rule_classtype]If alert.rule log field value matches the grok pattern %{GREEDYDATA:_}classtype:%{DATA:rule_classtype}; then, the rule_classtype extracted field is mapped to security_result.detection_fields [alert_rule_classtype] UDM field.
reference_urlsecurity_result.detection_fields[alert_rule_reference_url]If alert.rule log field value matches the grok pattern %{GREEDYDATA:_}reference:url,%{DATA:reference_url}; then, the reference_url extracted field is mapped to security_result.detection_fields [alert_rule_reference_url] UDM field.
attack_targetsecurity_result.detection_fields[alert_rule_attack_target]If alert.rule log field value matches the grok pattern %{GREEDYDATA:_}metadata:%{DATA:rule_metadata}; and, The attack_target is extracted from rule_metadata using kv filter then the extracted attack_target field is mapped to security_result.detection_fields [alert_rule_attack_target] UDM field.
created_atsecurity_result.detection_fields[alert_rule_created_at]If alert.rule log field value matches the grok pattern %{GREEDYDATA:_}metadata:%{DATA:rule_metadata}; and, The created_at is extracted from rule_metadata using kv filter then the extracted created_at field is mapped to security_result.detection_fields [alert_rule_created_at] UDM field.
deploymentsecurity_result.detection_fields[alert_rule_deployment]If alert.rule log field value matches the grok pattern %{GREEDYDATA:_}metadata:%{DATA:rule_metadata}; and, The deployment is extracted from rule_metadata using kv filter then the extracted deployment field is mapped to security_result.detection_fields [alert_rule_deployment] UDM field.
performance_impactsecurity_result.detection_fields[alert_rule_performance_impact]If alert.rule log field value matches the grok pattern %{GREEDYDATA:_}metadata:%{DATA:rule_metadata}; and, The performance_impact is extracted from rule_metadata using kv filter then the extracted performance_impact field is mapped to security_result.detection_fields [alert_rule_performance_impact] UDM field.
updated_atsecurity_result.detection_fields[alert_rule_updated_at]If alert.rule log field value matches the grok pattern %{GREEDYDATA:_}metadata:%{DATA:rule_metadata}; and, The updated_at is extracted from rule_metadata using kv filter then the extracted updated_at field is mapped to security_result.detection_fields [alert_rule_updated_at] UDM field.
uritarget.urlIf the payload_printable log field is not empty then, If payload_printable log field value matches the grok pattern %{WORD:http_method} %{NOTSPACE:uri} HTTP/%{NOTSPACE:proto_version} then, the uri extracted field is mapped to target.url UDM field.

Else If the payload log field is not empty then, If payload log field value matches the grok pattern %{WORD:http_method} %{NOTSPACE:uri} HTTP/%{NOTSPACE:proto_version} then, the uri extracted field is mapped to target.url UDM field.
http_methodnetwork.http.methodIf the payload_printable log field is not empty then, If payload_printable log field value matches the grok pattern %{WORD:http_method} %{NOTSPACE:uri} HTTP/%{NOTSPACE:proto_version} then, the http_method extracted field is mapped to network.http.method UDM field.

Else If the payload log field is not empty then, If payload log field value matches the grok pattern %{WORD:http_method} %{NOTSPACE:uri} HTTP/%{NOTSPACE:proto_version} then, the http_method extracted field is mapped to network.http.method UDM field.
proto_versionnetwork.application_protocol_versionIf the payload_printable log field is not empty then, If payload_printable log field value matches the grok pattern %{WORD:http_method} %{NOTSPACE:uri} HTTP/%{NOTSPACE:proto_version} then, the proto_version extracted field is mapped to network.application_protocol_version UDM field.

Else If the payload log field is not empty then, If payload log field value matches the grok pattern %{WORD:http_method} %{NOTSPACE:uri} HTTP/%{NOTSPACE:proto_version} then, the proto_version extracted field is mapped to network.application_protocol_version UDM field.
user_agenttarget.http.useragentIf the payload_printable log field is not empty then, If payload_printable log field value matches the grok pattern ^User-Agent: %{GREEDYDATA:user_agent} then, the user_agent extracted field is mapped to target.http.useragent UDM field.

Else If the payload log field is not empty then, If payload log field value matches the grok pattern ^User-Agent: %{GREEDYDATA:user_agent} then, the user_agent extracted field is mapped to target.http.useragent UDM field.
hostnametarget.hostnameIf the payload_printable log field is not empty then, If payload_printable log field value matches the grok pattern ^Host: %{IPORHOST:hostname} then, the hostname extracted field is mapped to target.hostname UDM field.

Else If the payload log field is not empty then, If payload log field value matches the grok pattern ^Host: %{IPORHOST:hostname} then, the hostname extracted field is mapped to target.hostname UDM field.
meta (array[string] - vector of string)additional.fields [meta]
+
+
+

Field mapping reference: CORELIGHT - bacnet

+ +The following table lists the log fields of the bacnet log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
bvlc_function (string)about.labels [bvlc_function]
bvlc_len (integer - count)about.labels [bvlc_len]
apdu_type (string)about.labels [apdu_type]
service_choice (string)about.labels [service_choice]
data (array[string] - vector of string)about.labels [data]
invoke_id (integer - count)additional.fields [invoke_id]
is_orig (boolean - bool)additional.fields [is_orig]
pdu_service (string)additional.fields [pdu_service]
pdu_type (string)additional.fields [pdu_type]
result_code (string)additional.fields [result_code]
+
+
+

Field mapping reference: CORELIGHT - cip

+ +The following table lists the log fields of the cip log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
service (string)about.labels [service]
status (string)about.labels [status]
tags (string)about.labels [tag]
attribute_id (string)additional.fields [attribute_id]
cip_extended_status (string)additional.fields [cip_extended_status]
cip_extended_status_code (string)additional.fields [cip_extended_status_code]
cip_sequence_count (integer - count)additional.fields [cip_sequence_count]
cip_service (string)additional.fields [cip_service]
cip_service_code (string)additional.fields [cip_service_code]
cip_status (string)security_result.description
cip_status_code (string)additional.fields [cip_status_code]
class_id (string)additional.fields [class_id]
class_name (string)additional.fields [class_name]
direction (string)network.directionIf the direction log field value is equal to INBOUND, then the network.direction UDM field is set to INBOUND.

Else, if the direction log field value is equal to OUTBOUND, then the network.direction UDM field is set to OUTBOUND

Else, direction log field is mapped to the additional.fields.key UDM field and direction log field is mapped to the additional.fields.value UDM field.
instance_id (string)additional.fields [instance_id]
is_orig (boolean - bool)additional.fields [is_orig]
+
+
+

Field mapping reference: CORELIGHT - corelight_burst

+ +The following table lists the log fields of the corelight_burst log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to SCAN_NETWORK.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
proto (string - enum)network.ip_protocol
orig_size (integer - count)network.sent_bytes
resp_size (integer - count)network.received_bytes
mbps (number - double)about.labels [mbps]
age_of_conn (number - interval)about.labels [age_of_conn]
+
+
+

Field mapping reference: CORELIGHT - corelight_overall_capture_loss

+ +The following table lists the log fields of the corelight_overall_capture_loss log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
gaps (number - double)security_result.detection_fields [gaps]
acks (number - double)security_result.detection_fields [acks]
percent_lost (number - double)security_result.detection_fields [percent_lost]
metadata.descriptionThe metadata.description UDM field is set with _system_name, percent_lost, ts. log fields as "node _system_name experienced percent_lost% packet loss at ts.".
+
+
+

Field mapping reference: CORELIGHT - corelight_profiling

+ +The following table lists the log fields of the corelight_profiling log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to SCAN_NETWORK.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
node (string)principal.hostname
prof.core_stack (string)about.labels [prof_core_stack]
prof.script_stack (string)about.labels [prof_script_stack]
prof.sched_wait_ns (integer - count)about.labels [prof_sched_wait_ns]
+
+
+

Field mapping reference: CORELIGHT - datared

+ +The following table lists the log fields of the datared log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
conn_red (integer - count)about.labels [conn_red]
conn_total (integer - count)about.labels [conn_total]
dns_red (integer - count)about.labels [dns_red]
dns_total (integer - count)about.labels [dns_total]
dns_coal_miss (integer - count)about.labels [dns_coal_miss]
files_red (integer - count)about.labels [files_red]
files_total (integer - count)about.labels [files_total]
files_coal_miss (integer - count)about.labels [files_coal_miss]
http_red (integer - count)about.labels [http_red]
http_total (integer - count)about.labels [http_total]
ssl_red (integer - count)about.labels [ssl_red]
ssl_total (integer - count)about.labels [ssl_total]
ssl_coal_miss (integer - count)about.labels [ssl_coal_miss]
weird_red (integer - count)about.labels [weird_red]
weird_total (integer - count)about.labels [weird_total]
x509_red (integer - count)about.labels [x509_red]
x509_total (integer - count)about.labels [x509_total]
x509_coal_miss (integer - count)about.labels [x509_coal_miss]
+
+
+

Field mapping reference: CORELIGHT - dhcp

+ +The following table lists the log fields of the dhcp log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_DHCP.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to DHCP.
uids (array[string] - set[string])about.labels [uid]
client_addr (string - addr)network.dhcp.ciaddr
server_addr (string - addr)network.dhcp.siaddr
mac (string)network.dhcp.chaddr
host_name (string)network.dhcp.client_hostname
client_fqdn (string)principal.domain.name
domain (string)target.domain.name
requested_addr (string - addr)network.dhcp.requested_address
assigned_addr (string - addr)network.dhcp.yiaddr
lease_time (number - interval)network.dhcp.lease_time_seconds
client_message (string)security_result.description
server_message (string)security_result.description
msg_types (array[string] - vector of string)network.dhcp.typeThe msg_types log field is mapped to network.dhcp.type UDM field when index value in msg_types is equal to 0. +

For every other index value, about.labels.key UDM field is set to msg_types and msg_types log field is mapped to the about.labels.value.
duration (number - interval)about.labels [duration]
+
+
+

Field mapping reference: CORELIGHT - dga

+ +The following table lists the log fields of the dga log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_DNS.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to DNS.
query (string)network.dns.questions.name
family (string)about.labels [family]
qtype_name (string)about.labels [qtype_name]
rcode (integer - count)network.dns.response_code
is_collision_heavy (boolean - bool)security_result.detection_fields [is_collision_heavy]
ruse (boolean - bool)about.labels [ruse]
+
+
+

Field mapping reference: CORELIGHT - dnp3

+ +The following table lists the log fields of the dnp3 log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
fc_request (string)about.labels [fc_request]
fc_reply (string)about.labels [fc_reply]
iin (integer - count)about.labels [iin]
+
+
+

Field mapping reference: CORELIGHT - iso_cotp

+ +The following table lists the log fields of the iso_cotp log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
pdu_type (string)about.labels [pdu_type]
+
+
+

Field mapping reference: CORELIGHT - kerberos

+ +The following table lists the log fields of the kerberos log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to KRB5.
request_type (string)extensions.auth.auth_details
client (string)principal.hostname
service (string)target.application
success (boolean - bool)security_result.actionIf the success log field value is equal to true, then the security_result.action UDM field is set to ALLOW.

Else, the security_result.action UDM field is set to FAIL.
error_msg (string)security_result.description
from (time)about.labels [from]
till (time)about.labels [till]
cipher (string)about.labels [cipher]
forwardable (boolean - bool)about.labels [forwardable]
renewable (boolean - bool)about.labels [renewable]
client_cert_subject (string)about.labels [client_cert_subject]
client_cert_fuid (string)about.labels [client_cert_fuid]
server_cert_subject (string)about.labels [server_cert_subject]
server_cert_fuid (string)about.labels [server_cert_fuid]
+
+
+

Field mapping reference: CORELIGHT - ldap

+ +The following table lists the log fields of the ldap log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to LDAP.
proto (string)about.labels [proto]
message_id (integer - int)about.labels [message_id]
version (integer - int)network.application_protocol_version
opcode (array[string] - set[string])security_result.detection_fields [opcode]
result (array[string] - set[string])security_result.detection_fields [result], security_result.actionIterate through log field result, then
if the result log field value contain one of the following values
  • ALLOW
  • ALLOW_WITH_MODIFICATION
  • BLOCK
  • CHALLENGE
  • FAIL
  • QUARANTINE
  • UNKNOWN_ACTION
then, result log field is mapped to the security_result.action UDM field.
diagnostic_message (array[string] - vector of string)security_result.description
object (array[string] - vector of string)target.resource.name, about.labels [object]Iterate through log field object, then
if the index value is equal to 0 then, object log field is mapped to the target.resource.name UDM field.
Else, the about.labels.key UDM field is set to object and %{object} log field is mapped to the about.labels.value UDM field.
argument (array[string] - vector of string)about.labels [argument]
+
+
+

Field mapping reference: CORELIGHT - ldap_search

+ +The following table lists the log fields of the ldap_search log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to LDAP.
proto (string)about.labels [proto]
message_id (integer - int)about.labels [message_id]
scope (array[string] - set[string])about.labels [scope]
deref (array[string] - set[string])about.labels [deref]
base_object (array[string] - vector of string)about.labels [base_object]
result_count (integer - count)security_result.detection_fields [result_count]
result (array[string] - set[string])security_result.detection_fields [result]
diagnostic_message (array[string] - vector of string)security_result.description
filter (string)about.labels [filter]
attributes (array[string] - vector of string)about.labels [attributes]
+
+
+

Field mapping reference: CORELIGHT - local_subnets

+ +The following table lists the log fields of the local_subnets log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
round (integer - count)about.labels [round]
ip_version (integer - count)about.labels [ip_version]
subnets (array[string] - set[subnet])about.labels [subnet]
component_ids (array[integer] - set[count])about.labels [component_id]
size_of_component (integer - count)about.labels [size_of_component]
bipartite (boolean - bool)about.labels [bipartite]
inferred_site (boolean - bool)about.labels [inferred_site]
other_ips (array[string] - set[addr])about.ip
+
+
+

Field mapping reference: CORELIGHT - local_subnets_dj

+ +The following table lists the log fields of the local_subnets_dj log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
ip_version (integer - count)about.labels [ip_version]
v (string - addr)about.ip
side (string)about.labels [side]
component_id (integer - count)additional.fields [component_id]
round (integer - count)additional.fields [round]
+
+
+

Field mapping reference: CORELIGHT - local_subnets_graphs

+ +The following table lists the log fields of the local_subnets_graphs log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
ip_version (integer - count)about.labels [ip_version]
v1 (string - addr)about.ip
v2 (string - addr)about.ip
+
+
+

Field mapping reference: CORELIGHT - syslog

+ +The following table lists the log fields of the syslog log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.event_typeThe metadata.event_type UDM field is set to STATUS_UPDATE.
proto (string - enum)network.ip_protocol
facility (string)about.labels [facility]
severity (string)security_result.severity, security_result.severity_detailsIf the severity log field value contain one of the following values
  • CRITICAL
  • ERROR
  • HIGH
  • INFORMATIONAL
  • LOW
  • MEDIUM
then, severity log field is mapped to the security_result.severity UDM field.
message (string)metadata.description
+
+
+

Field mapping reference: CORELIGHT - tds

+ +The following table lists the log fields of the tds log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
command (string)principal.process.command_line
+
+
+

Field mapping reference: CORELIGHT - tds_rpc

+ +The following table lists the log fields of the tds_rpc log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
procedure_name (string)about.labels [procedure_name]
parameters (array[string] - vector of string)about.labels [parameter]
+
+
+

Field mapping reference: CORELIGHT - tds_sql_batch

+ +The following table lists the log fields of the tds_sql_batch log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.event_typeThe metadata.event_type UDM field is set to STATUS_UPDATE.
target.resource.resource_typeThe target.resource.resource_type UDM field is set to DATABASE.
header_type (string)target.resource.attribute.labels [header_type]
query (string)target.resource.attribute.labels [query]
+
+
+

Field mapping reference: CORELIGHT - traceroute

+ +The following table lists the log fields of the traceroute log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
src (string - addr)principal.ip
dst (string - addr)target.ip
proto (string)network.ip_protocol
+
+
+

Field mapping reference: CORELIGHT - tunnel

+ +The following table lists the log fields of the tunnel log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
tunnel_type (string - enum)intermediary.labels [tunnel_type]
action (string - enum)security_result.action_details
security_result.descriptionThe security_result.description UDM field is set with action, tunnel_type log fields as "action action on tunnel type tunnel_type".
+
+
+

Field mapping reference: CORELIGHT - weird, weird_red, weird_agg

+ +The following table lists the log fields of the weird, weird_red, weird_agg log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
name (string)metadata.product_event_type
addl (string)metadata.description
notice (boolean - bool)about.labels [notice]
source (string)metadata.product_name
peer (string)observer.hostname
+
+
+

Field mapping reference: CORELIGHT - wireguard

+ +The following table lists the log fields of the wireguard log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
established (boolean - bool)about.labels [established]
initiations (integer - count)about.labels [initiations]
responses (integer - count)about.labels [responses]
+
+
+

Field mapping reference: CORELIGHT - vpn

+ +The following table lists the log fields of the vpn log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
proto (string - enum)network.ip_protocol
vpn_type (string - enum)about.labels [vpn_type]
service (string)target.application
inferences (array[string] - set[string])metadata.description, about.labels [inference]Iterate through log field inferences, then
if the index value is equal to 0 then, inferences log field is mapped to the metadata.description UDM field.
server_name (string)network.tls.client.server_name
client_info (string)network.http.user_agent
duration (number - interval)network.session_duration
orig_bytes (integer - count)network.sent_bytes
resp_bytes (integer - count)network.received_bytes
orig_cc (string)principal.location.country_or_region
orig_region (string)principal.location.country_or_region
orig_city (string)principal.location.city
resp_cc (string)target.location.country_or_region
resp_region (string)target.location.country_or_region
resp_city (string)target.location.city
subject (string)network.tls.client.certificate.subject
issuer (string)network.tls.client.certificate.issuer
ja3 (string)network.tls.client.ja3
ja3s (string)network.tls.server.ja3s
+
+
+

Field mapping reference: CORELIGHT - x509, x509_red

+
+The following table lists the log fields of the x509, x509_red log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
fingerprint (string)about.domain.last_https_certificate.thumbprint
certificate.version (integer - count)about.domain.last_https_certificate.version
certificate.serial (string)about.domain.last_https_certificate.serial_number
certificate.subject (string)about.domain.last_https_certificate.subject
certificate.issuer (string)about.domain.last_https_certificate.issuerIf certificate.issuer log field value matches the grok pattern CN=%{GREEDYDATA:common_name},OU=%{GREEDYDATA:organizational_unit},O=%{GREEDYDATA:organization},C=%{DATA:country}$ then the extracted common_name, organizational_unit, organization and country fields are mapped to about.domain.last_https_certificate.issuer.common_name, about.domain.last_https_certificate.issuer.organizational_unit, about.domain.last_https_certificate.issuer.organization, and about.domain.last_https_certificate.issuer.country_name UDM fields respectively.
certificate.not_valid_before (time)about.domain.last_https_certificate.validity.issue_time
certificate.not_valid_after (time)about.domain.last_https_certificate.validity.expiry_time
certificate.key_alg (string)about.labels [public_key_algorithm]
certificate.sig_alg (string)about.domain.last_https_certificate.signature_algorithm
certificate.key_type (string)about.domain.last_https_certificate.public_key.algorithm
certificate.key_length (integer - count)about.domain.last_https_certificate.public_key.rsa.key_size
certificate.exponent (string)about.domain.last_https_certificate.public_key.rsa.exponent
certificate.curve (string)about.domain.last_https_certificate.ec.oid
san.dns (array[string] - vector of string)about.domain.last_https_certificate.extension.subject_alternative_name
san.uri (array[string] - vector of string)about.url
san.email (array[string] - vector of string)about.labels [san_email]
san.ip (array[string] - vector of addr)about.ip
basic_constraints.ca (boolean - bool)about.domain.last_https_certificate.extension.ca
basic_constraints.path_len (integer - count)about.labels [basic_constraints_path_len]
host_cert (boolean - bool)about.labels [host_cert]
client_cert (boolean - bool)about.labels [client_cert]
vlan (integer - int)additional.fields [vlan]
vlan_inner (integer - int)additional.fields [vlan_inner]
+
+
+

Field mapping reference: CORELIGHT - unknown-smartpcap

+
+The following table lists the log fields of the unknown-smartpcap log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Smartpcap.
tid (string)about.labels [tid]
pkts (integer - count)about.labels [pkts]
url (string)security_result.url_back_to_product
+
+
+

Field mapping reference: CORELIGHT - mysql

+
+The following table lists the log fields of the mysql log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to USER_RESOURCE_ACCESS.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
cmd (string)target.resource.attribute.labels [cmd]
arg (string)principal.process.command_line
success (boolean - bool)target.resource.attribute.labels [success]
rows (integer - count)target.resource.attribute.labels [rows]
response (string)target.resource.attribute.labels [response]
target.resource.resource_typeThe target.resource.resource_type UDM field is set to DATABASE.
+
+
+

Field mapping reference: CORELIGHT - napatech_shunting

+
+The following table lists the log fields of the napatech_shunting log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
peer (string)about.labels [peer]
terminated_flows (integer - count)about.labels [terminated_flows]
shunted_flows (integer - count)security_result.detection_fields [shunted_flows]
+
+
+

Field mapping reference: CORELIGHT - ntlm

+
+The following table lists the log fields of the ntlm log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to USER_LOGIN.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
username (string)target.user.userid
hostname (string)principal.hostname
domainname (string)principal.domain.name
server_nb_computer_name (string)target.hostname
server_dns_computer_name (string)target.domain.name
server_tree_name (string)target.labels [server_tree_name]
success (boolean - bool)extensions.auth.auth_detailsIf the success log field value is equal to true, then the extensions.auth.auth_details UDM field is set to Authentication successful.

Else, the extensions.auth.auth_details UDM field is set to Authentication failed.
+
+
+

Field mapping reference: CORELIGHT - pe

+
+The following table lists the log fields of the pe log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
id (string)about.labels [id]
machine (string)target.labels [machine]
compile_ts (time)target.file.pe_file.section
os (string)target.platformIf the os log field value is equal to windows, then the target.platform UDM field is set to WINDOWS.

Else, if is equal to linux, then the target.platform UDM field is set to LINUX.

Else, if the os log field value is equal to mac or the os log field value is equal to osx, then the target.platform UDM field is set to MAC.
subsystem (string)target.application
is_exe (boolean - bool)about.file.file_typeIf the is_exe log field value is equal to true, then the about.file.file_type UDM field is set to FILE_TYPE_PE_EXE.
is_64bit (boolean - bool)about.labels [is_64bit]
uses_aslr (boolean - bool)about.labels [uses_aslr]
uses_dep (boolean - bool)about.labels [uses_dep]
uses_code_integrity (boolean - bool)about.labels [uses_code_integrity]
uses_seh (boolean - bool)about.labels [uses_seh ]
has_import_table (boolean - bool)about.labels [has_import_table]
has_export_table (boolean - bool)about.labels [has_export_table]
has_cert_table (boolean - bool)about.labels [has_cert_table]
has_debug_data (boolean - bool)about.labels [has_debug_data]
section_names (array[string] - vector of string)target.file.pe_file.sectionIterate through log field section_names, then
section_names log field is mapped to the target.file.pe_file.section UDM field.
+
+
+

Field mapping reference: CORELIGHT - ntp

+
+The following table lists the log fields of the ntp log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to NTP.
network.ip_protocolThe network.ip_protocol UDM field is set to UDP.
version (integer - count)network.application_protocol_version
mode (integer - count)about.labels [mode]
stratum (integer - count)about.labels [stratum]
poll (number - interval)about.labels [poll]
precision (number - interval)about.labels [precision]
root_delay (number - interval)about.labels [root_delay]
root_disp (number - interval)about.labels [root_disp]
ref_id (string)target.ipIf the ref_idlog field value is matched with regex of IP, then the ref_idlog field is mapped to the target.ip UDM field. +

Else, the ref_idlog field is mapped to the target.labels UDM field.
ref_id (string)target.labels [ref_id]If the ref_idlog field value is matched with regex of IP, then the ref_idlog field is mapped to the target.ip UDM field. +

Else, the ref_idlog field is mapped to the target.labels UDM field.
ref_time (time)about.labels [ref_time]
org_time (time)about.labels [org_time]
rec_time (time)about.labels [rec_time]
xmt_time (time)about.labels [rec_time]
num_exts (integer - count)about.labels [num_exts]
+
+
+

Field mapping reference: CORELIGHT - radius

+
+The following table lists the log fields of the radius log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to USER_LOGIN.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
username (string)target.user.userid
mac (string)principal.mac
framed_addr (string - addr)intermediary.ip
tunnel_client (string)intermediary.ipIf the tunnel_client log field value is matched with regex of IP, then the tunnel_client log field is mapped to the intermediary.ip UDM field.

Else, the tunnel_client log field is mapped to the intermediary.domain.name UDM field.
tunnel_client (string)intermediary.domain.nameIf the tunnel_client log field value is matched with regex of IP, then the tunnel_client log field is mapped to the intermediary.ip UDM field.

Else, the tunnel_client log field is mapped to the intermediary.domain.name UDM field.
connect_info (string)about.labels [connect_info]
reply_msg (string)extensions.auth.auth_details
result (string)security_result.actionIf the result log field value is equal to true then, the security_result.action UDM field is set to ALLOW.
Else, the security_result.action UDM field is set to FAIL.
ttl (number - interval)network.session_duration
+
+
+

Field mapping reference: CORELIGHT - reporter

+
+The following table lists the log fields of the reporter log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
level (string - enum)security_result.severityIf the level log field value is equal to CRITICAL or ERROR or HIGH or INFORMATIONAL or LOW or MEDIUM, then the level log field is mapped to the security_result.severity UDM field.
level (string - enum)security_result.severity_details
message (string)security_result.description
location (string)about.labels [location]
+
+
+

Field mapping reference: CORELIGHT - log4shell

+
+The following table lists the log fields of the log4shell log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to SCAN_HOST.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
extensions.vulns.vulnerabilities.cve_idThe extensions.vulns.vulnerabilities.cve_id UDM field is set to CVE-2021-44228.
http_uri (string)about.labels [http_uri]
uri (string)target.url
stem (string)target.labels [stem]
target_host (string)target.hostname
target_port (string)target.port
method (string)network.http.method
is_orig (boolean - bool)about.labels [is_orig]
name (string)about.labels.key
value (string)about.labels.value
matched_name (boolean - bool)about.labels [matched_name]
matched_value (boolean - bool)about.labels [matched_value]
+
+
+

Field mapping reference: CORELIGHT - modbus

+
+The following table lists the log fields of the modbus log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to MODBUS.
func (string)about.labels [func]
exception (string)security_result.description
pdu_type (string)additional.fields [pdu_type]
tid (integer - count)additional.fields [tid]
unit (integer - count)additional.fields [unit]
+
+
+

Field mapping reference: CORELIGHT - mqtt_connect

+
+The following table lists the log fields of the mqtt_connect log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to MQTT.
proto_name (string)about.labels [proto_name]
proto_version (string)network.application_protocol_version
client_id (string)principal.labels [client_id]
connect_status (string)security_result.description
will_topic (string)target.resource.name
will_payload (string)about.labels [will_payload]
+
+
+

Field mapping reference: CORELIGHT - mqtt_publish

+
+The following table lists the log fields of the mqtt_publish log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to MQTT.
from_client (boolean - bool)about.labels [from_client]
retain (boolean - bool)target.labels [retain]
qos (string)about.labels [qos]
status (string)security_result.description
topic (string)target.resource.name
payload (string)about.labels [payload]
payload_len (integer - count)about.labels [payload_len]
+
+
+

Field mapping reference: CORELIGHT - mqtt_subscribe

+
+The following table lists the log fields of the mqtt_subscribe log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to MQTT.
action (string - enum)security_result.action_details
topics (array[string] - vector of string)target.resource.nameIterate through log field topics, then
if the index value is equal to 0 then, topics log field is mapped to the target.resource.name UDM field.
Else, the about.labels.key UDM field is set to topics and %{topics} log field is mapped to the about.labels.value UDM field.
qos_levels (array[integer] - vector of count)about.labels [qos_levels]
granted_qos_level (integer - count)about.labels [granted_qos_level]
ack (boolean - bool)security_result.action, security_result.detection_fields [ack]If the ack log field value is equal to true then, the security_result.action UDM field is set to ALLOW.
Else, if the ack log field value is equal to false then, the security_result.action UDM field is set to BLOCK.
Else, the security_result.detection_fields.key UDM field is set to ack and ack log field is mapped to the security_result.detection_fields.value UDM field.
+
+
+

Field mapping reference: CORELIGHT - dpd

+
+The following table lists the log fields of the dpd log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
proto (string - enum)network.ip_protocol
analyzer (string)about.labels [analyzer]
failure_reason (string)about.labels [failure_reason]
+
+
+

Field mapping reference: CORELIGHT - encrypted_dns

+
+The following table lists the log fields of the encrypted_dns log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to DNS.
resp_h (string - addr)target.ip
cert.cn (string)about.labels [cert_cn]
cert.sans (array[string] - set[string])about.labels [cert_sans]
sni (string)network.tls.client.server_name
match (string)about.labels [match]
+
+
+

Field mapping reference: CORELIGHT - enip

+
+The following table lists the log fields of the enip log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
command (string)principal.process.command_line
length (integer - count)about.labels [length]
session_handle (string)about.labels[session_handle]
status (string)about.labels [status]
sender_context (string)about.labels [sender_context]
options (string)about.labels [options]
enip_command (string)additional.fields [enip_command]
enip_command_code (string)additional.fields [enip_command_code]
enip_status (string)additional.fields [enip_status]
is_orig (boolean - bool)additional.fields [is_orig]
+
+
+

Field mapping reference: CORELIGHT - enip_debug

+
+The following table lists the log fields of the enip_debug log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to STATUS_UPDATE.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
raw_data (string)about.labels [raw_data]
+
+
+

Field mapping reference: CORELIGHT - enip_list_identity

+
+The following table lists the log fields of the enip_list_identity log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
device_type (string)target.asset.attribute.labels [device_type]
vendor (string)target.asset.hardware.manufacturer
product_name (string)target.asset.attribute.labels [product_name]
serial_number (string)target.asset.asset_idThe target.asset.asset_id UDM field is set with serial_number log fields as "CORELIGHT: serial_number".
product_code (integer - count)target.asset.attribute.labels [product_code]
revision (number - double)target.asset.attribute.labels [revision]
status (string)about.labels [status]
state (string)target.asset.attribute.labels [state]
device_ip (string - addr)target.asset.ip
+
+
+

Field mapping reference: CORELIGHT - etc_viz

+
+The following table lists the log fields of the etc_viz log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
server_a (string - addr)target.ip
server_p (integer - port)target.port
service (array[string] - set[string])target.applicationThe service log field is mapped to target.application UDM field when index value in service is equal to 0. +

For every other index value, target.labels.key UDM field is set to service and service log field is mapped to the target.labels.value.
viz_stat (string)about.labels [viz_stat]
c2s_viz.size (integer - count)network.sent_bytes
c2s_viz.enc_dev (number - double)about.labels [c2s_viz_enc_dev]
c2s_viz.enc_frac (number - double)about.labels [c2s_viz_enc_frac]
c2s_viz.pdu1_enc (boolean - bool)about.labels [c2s_viz_pdu1_enc]
c2s_viz.clr_frac (number - double)about.labels [c2s_viz_clr_frac]
c2s_viz.clr_ex (string)about.labels [c2s_viz_clr_ex]
s2c_viz.size (integer - count)network.received_bytes
s2c_viz.enc_dev (number - double)about.labels [s2c_viz_enc_dev]
s2c_viz.enc_frac (number - double)about.labels [s2c_viz_enc_frac]
s2c_viz.pdu1_enc (boolean - bool)about.labels [s2c_viz_pdu1_enc]
s2c_viz.clr_frac (number - double)about.labels [s2c_viz_clr_frac]
s2c_viz.clr_ex (string)about.labels [s2c_viz_clr_ex]
+
+
+

Field mapping reference: CORELIGHT - ftp

+
+The following table lists the log fields of the ftp log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_FTP.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
user (string)principal.user.user_display_name
password (string)extensions.auth.auth_details
command (string), arg (string)network.ftp.commandThe network.ftp.command UDM field is set with command, arg log fields as "command arg".
mime_type (string)target.file.mime_type
file_size (integer - count)target.file.size
reply_code (integer - count)about.labels [reply_code]
reply_msg (string)about.labels [reply_msg]
data_channel.passive (boolean - bool)about.labels [data_channel_passive]
data_channel.orig_h (string - addr)principal.ip
data_channel.resp_h (string - addr)target.ip
data_channel.resp_p (integer - port)target.labels [data_channel_resp_p]
fuid (string)about.labels [fuid]
+
+
+

Field mapping reference: CORELIGHT - generic_dns_tunnels

+
+The following table lists the log fields of the generic_dns_tunnels log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_DNS.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to DNS.
dns_client (string - addr)principal.ip
domain (string)network.dns_domain
domain (string)network.dns.questions.name
bytes (integer - int)about.labels [bytes]
capture_secs (number - interval)network.session_duration
+
+
+

Field mapping reference: CORELIGHT - generic_icmp_tunnels

+
+The following table lists the log fields of the generic_icmp_tunnels log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.ip_protocolThe network.ip_protocol UDM field is set to ICMP.
detection (string)security_result.detection_fields [detection]
orig (string - addr)principal.ip
resp (string - addr)target.ip
id (integer - count)about.labels [id]
seq (integer - count)about.labels [seq]
bytes (integer - count)about.labels [bytes]
payload_len (integer - count)about.labels [payload_len]
payload (string)about.labels [payload]
+
+
+

Field mapping reference: CORELIGHT - icmp_specific_tunnels

+
+The following table lists the log fields of the icmp_specific_tunnels log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.ip_protocolThe network.ip_protocol UDM field is set to ICMP.
start_time (time)about.labels [start_time]
duration (number - interval)network.session_duration
tunnel (string)intermediary.labels [tunnel]
seq (integer - count)about.labels [seq]
icmp_id (integer - count)about.labels [icmp_id]
payload (string)about.labels [payload]
+
+
+

Field mapping reference: CORELIGHT - ipsec

+
+The following table lists the log fields of the ipsec log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
initiator_spi (string)principal.labels [initiator_spi]
responder_spi (string)target.labels [responder_spi]
maj_ver (integer - count)about.labels [maj_ver]
min_ver (integer - count)about.labels [min_ver]
exchange_type (integer - count)about.labels [exchange_type]
flag_e (boolean - bool)about.labels [flag_e]
flag_c (boolean - bool)about.labels [flag_c]
flag_a (boolean - bool)about.labels [flag_a]
flag_i (boolean - bool)about.labels [flag_i]
flag_v (boolean - bool)about.labels [flag_v]
flag_r (boolean - bool)about.labels [flag_r]
message_id (integer - count)about.labels [message_id]
vendor_ids (array[string] - vector of string)about.labels [vendor_id]
notify_messages (array[string] - vector of string)about.labels [notify_message]
transforms (array[string] - vector of string)about.labels [transform]
ke_dh_groups (array[integer] - vector of count)about.labels [ke_dh_group]
proposals (array[integer] - vector of count)about.labels [proposal]
protocol_id (integer - count)about.labels [protocol_id]
certificates (array[string] - vector of string)about.labels [certificate]
transform_attributes (array[string] - vector of string)about.labels [transform_attribute]
length (integer - count)about.labels [length]
hash (string)about.labels [hash]
doi (integer - count)about.labels [doi]
situation (string)about.labels [situation]
is_orig (boolean - bool)additional.fields [is_orig]
+
+
+

Field mapping reference: CORELIGHT - profinet

+
+The following table lists the log fields of the profinet log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
operation_type (string)about.labels [operation_type]
block_version (string)about.labels [block_version]
slot_number (integer - count)about.labels [slot_number]
subslot_number (integer - count)about.labels [subslot_number]
index (string)about.labels [index]
+
+
+

Field mapping reference: CORELIGHT - profinet_dce_rpc

+
+The following table lists the log fields of the profinet_dce_rpc log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
network.application_protocolThe network.application_protocol UDM field is set to DCERPC.
version (integer - count)about.labels [version]
packet_type (integer - count)about.labels [packet_type]
object_uuid (string)about.labels [object_uuid]
interface_uuid (string)about.labels [interface_uuid]
activity_uuid (string)about.labels [activity_uuid]
server_boot_time (integer - count)about.labels [server_boot_time]
operation (string)about.labels [operation]
+
+
+

Field mapping reference: CORELIGHT - profinet_debug

+
+The following table lists the log fields of the profinet_debug log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
raw_data (string)about.labels [raw_data]
+
+
+

Field mapping reference: CORELIGHT - rfb

+
+The following table lists the log fields of the rfb log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
client_major_version (string)principal.labels [client_major_version]
client_minor_version (string)principal.labels [client_minor_version]
server_major_version (string)target.labels [server_major_version]
server_minor_version (string)target.labels [server_minor_version]
authentication_method (string)extension.auth.mechanismIf the authentication_method log field value is equal to VNC, then the extension.auth.mechanism UDM field is set to REMOTE_INTERACTIVE.

Else, the extensions.auth.mechanism UDM field is set to MECHANISM_OTHER.
authentication_method (string)extension.auth.auth_details
auth (boolean - bool)security_result.actionIf the auth log field value is equal to true, then the security_result.action UDM field is set to ALLOW.

Else, the security_result.action UDM field is set to FAIL.
share_flag (boolean - bool)about.labels [share_flag]
desktop_name (string)principal.labels [desktop_name]
width (integer - count)principal.labels [width]
height (integer - count)principal.labels [height]
+
+
+

Field mapping reference: CORELIGHT - known_certs

+
+The following table lists the log fields of the known_certs log type and their corresponding UDM fields.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.entity_typeThe metadata.entity_type UDM field is set to RESOURCE.
entity.resource.resource_subtypeThe entity.resource.resource_subtype UDM field is set to CERTIFICATE.
ts (time)metadata.interval.start_time
duration (number - interval)entity.labels [duration]
kuid (string)entity.labels [kuid]
host_ip (string - addr)entity.ip
hash (string)entity.resource.attribute.labels [hash]
port (integer - port)entity.port
protocol (string - enum)entity.labels [protocol]
serial (string)entity.resource.attribute.labels [serial]
subject (string)entity.resource.attribute.labels [subject]
issuer_subject (string)entity.resource.attribute.labels [issuer_subject]
num_conns (integer - count)metadata.threat.detection_fields [num_conns]
annotations (array[string] - vector of string)metadata.threat.detection_fields [annotations]
last_active_session (string)entity.labels [last_active_session]
last_active_interval (number - interval)entity.labels [last_active_interval]
host_inner_vlan (integer - int)additional.fields [host_inner_vlan]
host_vlan (integer - int)additional.fields [host_vlan]
long_conns (integer - count)metadata.threat.detection_fields [long_conns]
port_num (integer - port)entity.port
+
+
+

Field mapping reference: CORELIGHT - known_devices

+ +The following table lists the log fields of the known_devices log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.entity_typeThe metadata.entity_type UDM field is set to RESOURCE.
ts (time)metadata.interval.start_time
ts (time)entity.asset.first_seen_time
duration (number - interval)entity.labels [duration]
kuid (string)entity.labels [kuid]
host_ip (string - addr)entity.asset.ip
mac (string)entity.asset.mac
vendor_mac (string)entity.asset.hardware.manufacturer
protocols (array[string] - set[string])entity.network.application_protocol
num_conns (integer - count)metadata.threat.detection_fields [num_conns]
annotations (array[string] - vector of string)metadata.threat.detection_fields [annotations]
last_active_session (string)entity.labels [last_active_session]
last_active_interval (number - interval)entity.labels [last_active_interval]
host_inner_vlan (integer - int)additional.fields [host_inner_vlan]
host_vlan (integer - int)additional.fields [host_vlan]
long_conns (integer - count)metadata.threat.detection_fields [long_conns]
+
+
+

Field mapping reference: CORELIGHT - known_domains

+ +The following table lists the log fields of the known_domains log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.entity_typeThe metadata.entity_type UDM field is set to DOMAIN_NAME.
ts (time)metadata.interval.start_time
ts (time)entity.domain.first_seen_time
duration (number - interval)entity.labels [duration]
kuid (string)entity.labels [kuid]
host_ip (string - addr)entity.ip
domain (string)entity.domain.name
protocols (array[string] - set[string])entity.network.application_protocol
num_conns (integer - count)metadata.threat.detection_fields [num_conns]
annotations (array[string] - vector of string)metadata.threat.detection_fields [annotations]
last_active_session (string)entity.labels [last_active_session]
last_active_interval (number - interval)entity.labels [last_active_interval]
host_inner_vlan (integer - int)additional.fields [host_inner_vlan]
host_vlan (integer - int)additional.fields [host_vlan]
long_conns (integer - count)metadata.threat.detection_fields [long_conns]
+
+
+

Field mapping reference: CORELIGHT - known_hosts

+ +The following table lists the log fields of the known_hosts log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.entity_typeThe metadata.entity_type UDM field is set to IP_ADDRESS.
ts (time)metadata.interval.start_time
duration (number - interval)entity.labels [duration]
kuid (string)entity.labels [kuid]
host_ip (string - addr)entity.ip
conns_opened (integer - count)metadata.threat.detection_fields [conns_opened]
conns_closed (integer - count)metadata.threat.detection_fields [conns_closed]
conns_pending (integer - count)metadata.threat.detection_fields [conns_pending]
long_conns (integer - count)metadata.threat.detection_fields [long_conns]
annotations (array[string] - vector of string)metadata.threat.detection_fields [annotations]
last_active_session (string)entity.labels [last_active_session]
last_active_interval (number - interval)entity.labels [last_active_interval]
ep.cid (string)additional.fields [ep_cid]
ep.criticality (string)entity.security_result.detection_fields[ep_criticality]
ep.desc (string)metadata.description
ep.os_version (string)entity.platform_version
ep.source (string)additional.fields [ep_source]
ep.status (string)additional.fields [ep_status]
ep.uid (string)additional.fields [ep_uid]
host_inner_vlan (integer - int)additional.fields [host_inner_vlan]
host_vlan (integer - int)additional.fields [host_vlan]
+
+
+

Field mapping reference: CORELIGHT - known_names

+ +The following table lists the log fields of the known_names log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.entity_typeThe metadata.entity_type UDM field is set to RESOURCE.
ts (time)metadata.interval.start_time
duration (number - interval)entity.labels [duration]
kuid (string)entity.labels [kuid]
host_ip (string - addr)entity.ip
hostname (string)entity.hostname
protocols (array[string] - set[string])entity.labels [protocol]
num_conns (integer - count)metadata.threat.detection_fields [num_conns]
annotations (array[string] - vector of string)metadata.threat.detection_fields [annotations]
last_active_session (string)entity.labels [last_active_session]
last_active_interval (number - interval)entity.labels [last_active_interval]
host_inner_vlan (integer - int)additional.fields [host_inner_vlan]
host_vlan (integer - int)additional.fields [host_vlan]
long_conns (integer - count)metadata.threat.detection_fields [long_conns]
+
+
+

Field mapping reference: CORELIGHT - known_remotes

+ +The following table lists the log fields of the known_remotes log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.entity_typeThe metadata.entity_type UDM field is set to IP_ADDRESS.
ts (time)metadata.interval.start_time
duration (number - interval)entity.labels [duration]
kuid (string)entity.labels [kuid]
host_ip (string - addr)entity.ip
num_conns (integer - count)metadata.threat.detection_fields [num_conns]
annotations (array[string] - vector of string)metadata.threat.detection_fields [annotations]
host_inner_vlan (integer - int)additional.fields [host_inner_vlan]
host_vlan (integer - int)additional.fields [host_vlan]
long_conns (integer - count)metadata.threat.detection_fields [long_conns]
+
+
+

Field mapping reference: CORELIGHT - known_services

+ +The following table lists the log fields of the known_services log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.entity_typeThe metadata.entity_type UDM field is set to RESOURCE.
ts (time)metadata.interval.start_time
duration (number - interval)entity.labels [duration]
kuid (string)entity.labels [kuid]
host_ip (string - addr)entity.ip
port (integer - port)entity.port
protocol (string - enum)entity.network.application_protocol
service (array[string] - vector of string)entity.labels [service]
software (array[string] - set[string])entity.asset.software.name
app (array[string] - set[string])entity.applicationThe app log field is mapped to entity.application UDM field when index value in app is equal to 0. +

For every other index value, entity.labels.key UDM field is set to app and app log field is mapped to the entity.labels.value.
num_conns (integer - count)metadata.threat.detection_fields [num_conns]
annotations (array[string] - vector of string)metadata.threat.detection_fields [annotations]
last_active_session (string)entity.labels [last_active_session]
last_active_interval (number - interval)entity.labels [last_active_interval]
host_inner_vlan (integer - int)additional.fields [host_inner_vlan]
host_vlan (integer - int)additional.fields [host_vlan]
long_conns (integer - count)metadata.threat.detection_fields [long_conns]
num_conns_complete (integer - count)entity.security_result.detection_fields[num_conns_complete]
num_conns_pending (integer - int)entity.security_result.detection_fields[num_conns_pending]
port_num (integer - port)entity.port
+
+
+

Field mapping reference: CORELIGHT - known_users

+ +The following table lists the log fields of the known_users log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
metadata.entity_typeThe metadata.entity_type UDM field is set to RESOURCE.
ts (time)metadata.interval.start_time
duration (number - interval)entity.labels [duration]
kuid (string)entity.labels [kuid]
host_ip (string - addr)entity.ip
remote_ip (string - addr)entity.ip
user (string)entity.user.user_display_name
protocol (string)entity.labels [protocol]
num_conns (integer - count)metadata.threat.detection_fields [num_conns]
annotations (array[string] - vector of string)metadata.threat.detection_fields [annotations]
last_active_session (string)entity.labels [last_active_session]
last_active_interval (number - interval)entity.labels [last_active_interval]
host_inner_vlan (integer - int)additional.fields [host_inner_vlan]
host_vlan (integer - int)additional.fields [host_vlan]
remote_inner_vlan (integer - int)additional.fields [remote_inner_vlan]
remote_vlan (integer - int)additional.fields [remote_vlan]
long_conns (integer - count)metadata.threat.detection_fields [long_conns]
+
+
+

Field mapping reference: CORELIGHT - s7comm

+ +The following table lists the log fields of the s7comm log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to Zeek.
rosctr (string)about.labels [rosctr]
parameter (array[string] - vector of string)about.labels [parameter]
item_count (integer - count)about.labels [item_count]
data_info (array[string] - vector of string)about.labels [data_info]
error_class (string)additional.fields [error_class]
error_code (string)additional.fields [error_code]
function_code (string)additional.fields [function_code]
function_name (string)additional.fields [function_name]
is_orig (boolean - bool)additional.fields [is_orig]
pdu_reference (integer - count)additional.fields [pdu_reference]
rosctr_code (integer - count)additional.fields [rosctr_code]
rosctr_name (string)additional.fields [rosctr_name]
subfunction_code (string)additional.fields [subfunction_code]
subfunction_name (string)additional.fields [subfunction_name]
+
+
+

Field mapping reference: CORELIGHT - smartpcap

+ +The following table lists the log fields of the smartpcap log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Smartpcap.
logstr (string)metadata.description
+
+
+

Field mapping reference: CORELIGHT - snmp

+ +The following table lists the log fields of the snmp log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_UNCATEGORIZED.
metadata.product_nameThe metadata.product_name UDM field is set to zeek.
duration (number - interval)network.session_duration
version (string)network.application_protocol_version
community (string)about.labels [community]
get_requests (integer - count)about.labels [get_requests]
get_bulk_requests (integer - count)about.labels [get_bulk_requests]
get_responses (integer - count)about.labels [get_responses]
set_requests (integer - count)about.labels [set_requests]
display_string (string)about.labels [display_string]
up_since (time)target.asset.last_boot_time
+
+
+

Field mapping reference: CORELIGHT - socks

+ +The following table lists the log fields of the socks log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_nameThe metadata.product_name UDM field is set to zeek.
version (integer - count)network.application_protocol_version
user (string)principal.user.userid
password (string)extensions.auth.auth_details
status (string)about.labels [status]
request.host (string - addr)target.ip
request.name (string)target.hostname
request_p (integer - port)target.labels [request_p]
bound.host (string - addr)intermediary.ip
bound.name (string)intermediary.hostname
bound_p (integer - port)intermediary.port
+
+
+

Field mapping reference: CORELIGHT - software

+ +The following table lists the log fields of the software log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to zeek.
host (string - addr)target.asset.ip
host_p (integer - port)target.port
software_type (string - enum)target.asset.software.description
name (string)target.asset.software.name
version.major (integer - count)target.asset.software.version
version.minor (integer - count)target.asset.attribute.labels [version_minor]
version.minor2 (integer - count)target.asset.attribute.labels [version_minor2]
version.minor3 (integer - count)target.asset.attribute.labels [version_minor3]
version.addl (string)target.asset.attribute.labels [version_addl]
unparsed_version (string)target.asset.attribute.labels [unparsed_version]
+
+
+

Field mapping reference: CORELIGHT - specific_dns_tunnels

+ +The following table lists the log fields of the specific_dns_tunnels log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_DNS.
metadata.product_nameThe metadata.product_name UDM field is set to zeek.
network.application_protocolThe network.application_protocol UDM field is set to DNS.
trans_id (integer - count)network.dns.id
dns_client (string - addr)principal.ip
resolver (string - addr)target.ip
query (string)network.dns.questions.name
program (string - enum)principal.application
session_id (integer - count)about.labels[session_id]
detection (string)security_result.description
sods_id (integer - count)about.labels [sods_id]
+
+
+

Field mapping reference: CORELIGHT - stepping

+ +The following table lists the log fields of the stepping log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_nameThe metadata.product_name UDM field is set to zeek.
dt (number - interval)about.labels [dt]
uid1 (string)about.labels [uid1]
uid2 (string)about.labels [uid2]
direct (boolean - bool)about.labels [direct]
client1_h (string - addr)principal.ip
client1_p (integer - port)principal.port
server1_h (string - addr)intermediary.ip
server1_p (integer - port)intermediary.port
client2_h (string - addr)intermediary.ip
client2_p (integer - port)intermediary.port
server2_h (string - addr)target.ip
server2_p (integer - port)target.port
+
+
+

Field mapping reference: CORELIGHT - stun

+ +The following table lists the log fields of the stun log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_nameThe metadata.product_name UDM field is set to zeek.
proto (string - enum)network.ip_protocol
is_orig (boolean - bool)about.labels [is_orig]
trans_id (string)metadata.product_log_id
method (string)about.labels [method]
class (string)about.labels [class]
attr_types (array[string] - vector of string)about.labels.key
attr_vals (array[string] - vector of string)about.labels.value
+
+
+

Field mapping reference: CORELIGHT - stun_nat

+ +The following table lists the log fields of the stun_nat log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
metadata.product_nameThe metadata.product_name UDM field is set to zeek.
proto (string - enum)network.ip_protocol
is_orig (boolean - bool)about.labels [is_orig]
wan_addrs (array[string] - vector of addr)principal.nat_ip
wan_ports (array[integer] - vector of count)principal.nat_portThe wan_ports log field is mapped to principal.nat_port UDM field when index value in wan_ports is equal to 0.

For every other index value, principal.labels.key UDM field is set to wan_port and wan_ports log field is mapped to the principal.labels.value. +
lan_addrs (array[string] - vector of addr)principal.ip
+
+
+

Field mapping reference: CORELIGHT - suricata_stats

+ +The following table lists the log fields of the suricata_stats log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to Suricata.
raw_mgmtabout.labels [raw_mgmt]
timestamp(time)metadata.event_timestamp
event_type(string)about.labels [event_type]
stats.uptime(integer)about.labels [stats_uptime]
stats.napa_total.pkts(integer)about.labels [stats_napa_total_pkts]
stats.napa_total.byte(integer)about.labels [stats_napa_total_byte]
stats.napa_total.overflow_drop_pkts(integer)about.labels [stats_napa_total_overflow_drop_pkts]
stats.napa_total.overflow_drop_byte(integer)about.labels [stats_napa_total_overflow_drop_byte]
stats.napa_dispatch_host.pkts(integer)about.labels [stats_napa_dispatch_host_pkts]
stats.napa_dispatch_host.byte(integer)about.labels [stats_napa_dispatch_host_byte]
stats.napa_dispatch_drop.pkts(integer)about.labels [stats_napa_dispatch_drop_pkts]
stats.napa_dispatch_drop.byte(integer)about.labels [stats_napa_dispatch_drop_byte]
stats.decoder.pkts(integer)about.labels [stats_decoder_pkts]
stats.decoder.bytes(integer)about.labels [stats_decoder_bytes]
stats.decoder.invalid(integer)about.labels [stats_decoder_invalid]
stats.decoder.ipv4(integer)about.labels [stats_decoder_ipv4]
stats.decoder.ipv6(integer)about.labels [stats_decoder_ipv6]
stats.decoder.ethernet(integer)about.labels [stats_decoder_ethernet]
stats.decoder.chdlc(integer)about.labels [stats_decoder_chdlc]
stats.decoder.raw(integer)about.labels [stats_decoder_raw]
stats.decoder.null(integer)about.labels [stats_decoder_null]
stats.decoder.sll(integer)about.labels [stats_decoder_sll]
stats.decoder.tcp(integer)about.labels [stats_decoder_tcp]
stats.decoder.udp(integer)about.labels [stats_decoder_udp]
stats.decoder.sctp(integer)about.labels [stats_decoder_sctp]
stats.decoder.icmpv4(integer)about.labels [stats_decoder_icmpv4]
stats.decoder.icmpv6(integer)about.labels [stats_decoder_icmpv6]
stats.decoder.ppp(integer)about.labels [stats_decoder_ppp]
stats.decoder.pppoe(integer)about.labels [stats_decoder_pppoe]
stats.decoder.geneve(integer)about.labels [stats_decoder_geneve]
stats.decoder.gre(integer)about.labels [stats_decoder_gre]
stats.decoder.vlan(integer)about.labels [stats_decoder_vlan]
stats.decoder.vlan_qinq(integer)about.labels [stats_decoder_vlan_qinq]
stats.decoder.vxlan(integer)about.labels [stats_decoder_vxlan]
stats.decoder.vntag(integer)about.labels [stats_decoder_vntag]
stats.decoder.ieee8021ah(integer)about.labels [stats_decoder_ieee8021ah]
stats.decoder.teredo(integer)about.labels [stats_decoder_teredo]
stats.decoder.ipv4_in_ipv6(integer)about.labels [stats_decoder_ipv4_in_ipv6]
stats.decoder.ipv6_in_ipv6(integer)about.labels [stats_decoder_ipv6_in_ipv6]
stats.decoder.mpls(integer)about.labels [stats_decoder_mpls]
stats.decoder.avg_pkt_size(integer)about.labels [stats_decoder_avg_pkt_size]
stats.decoder.max_pkt_size(integer)about.labels [stats_decoder_max_pkt_size]
stats.decoder.max_mac_addrs_src(integer)about.labels [stats_decoder_max_mac_addrs_src]
stats.decoder.max_mac_addrs_dst(integer)about.labels [stats_decoder_max_mac_addrs_dst]
stats.decoder.erspan(integer)about.labels [stats_decoder_erspan]
stats.decoder.event.ipv4.pkt_too_small(integer)about.labels [stats_decoder_event_ipv4_pkt_too_small]
stats.decoder.event.ipv4.hlen_too_small(integer)about.labels [stats_decoder_event_ipv4_hlen_too_small]
stats.decoder.event.ipv4.iplen_smaller_than_hlen(integer)about.labels [stats_decoder_event_ipv4_iplen_smaller_than_hlen]
stats.decoder.event.ipv4.trunc_pkt(integer)about.labels [stats_decoder_event_ipv4_trunc_pkt]
stats.decoder.event.ipv4.opt_invalid(integer)about.labels [stats_decoder_event_ipv4_opt_invalid]
stats.decoder.event.ipv4.opt_invalid_len(integer)about.labels [stats_decoder_event_ipv4_opt_invalid_len]
stats.decoder.event.ipv4.opt_malformed(integer)about.labels [stats_decoder_event_ipv4_opt_malformed]
stats.decoder.event.ipv4.opt_pad_required(integer)about.labels [stats_decoder_event_ipv4_opt_pad_required]
stats.decoder.event.ipv4.opt_eol_required(integer)about.labels [stats_decoder_event_ipv4_opt_eol_required]
stats.decoder.event.ipv4.opt_duplicate(integer)about.labels [stats_decoder_event_ipv4_opt_duplicate]
stats.decoder.event.ipv4.opt_unknown(integer)about.labels [stats_decoder_event_ipv4_opt_unknown]
stats.decoder.event.ipv4.wrong_ip_version(integer)about.labels [stats_decoder_event_ipv4_wrong_ip_version]
stats.decoder.event.ipv4.icmpv6(integer)about.labels [stats_decoder_event_ipv4_icmpv6]
stats.decoder.event.ipv4.frag_pkt_too_large(integer)about.labels [stats_decoder_event_ipv4_frag_pkt_too_large]
stats.decoder.event.ipv4.frag_overlap(integer)about.labels [stats_decoder_event_ipv4_frag_overlap]
stats.decoder.event.ipv4.frag_ignored(integer)about.labels [stats_decoder_event_ipv4_frag_ignored]
stats.decoder.event.icmpv4.pkt_too_small(integer)about.labels [stats_decoder_event_icmpv4_pkt_too_small]
stats.decoder.event.icmpv4.unknown_type(integer)about.labels [stats_decoder_event_icmpv4_unknown_type]
stats.decoder.event.icmpv4.unknown_code(integer)about.labels [stats_decoder_event_icmpv4_unknown_code]
stats.decoder.event.icmpv4.ipv4_trunc_pkt(integer)about.labels [stats_decoder_event_icmpv4_ipv4_trunc_pkt]
stats.decoder.event.icmpv4.ipv4_unknown_ver(integer)about.labels [stats_decoder_event_icmpv4_ipv4_unknown_ver]
stats.decoder.event.icmpv6.unknown_type(integer)about.labels [stats_decoder_event_icmpv6_unknown_type]
stats.decoder.event.icmpv6.unknown_code(integer)about.labels [stats_decoder_event_icmpv6_unknown_code]
stats.decoder.event.icmpv6.pkt_too_small(integer)about.labels [stats_decoder_event_icmpv6_pkt_too_small]
stats.decoder.event.icmpv6.ipv6_unknown_version(integer)about.labels [stats_decoder_event_icmpv6_ipv6_unknown_version]
stats.decoder.event.icmpv6.ipv6_trunc_pkt(integer)about.labels [stats_decoder_event_icmpv6_ipv6_trunc_pkt]
stats.decoder.event.icmpv6.mld_message_with_invalid_hl(integer)about.labels [stats_decoder_event_icmpv6_mld_message_with_invalid_hl]
stats.decoder.event.icmpv6.unassigned_type(integer)about.labels [stats_decoder_event_icmpv6_unassigned_type]
stats.decoder.event.icmpv6.experimentation_type(integer)about.labels [stats_decoder_event_icmpv6_experimentation_type]
stats.decoder.event.ipv6.pkt_too_small(integer)about.labels [stats_decoder_event_ipv6_pkt_too_small]
stats.decoder.event.ipv6.trunc_pkt(integer)about.labels [stats_decoder_event_ipv6_trunc_pkt]
stats.decoder.event.ipv6.trunc_exthdr(integer)about.labels [stats_decoder_event_ipv6_trunc_exthdr]
stats.decoder.event.ipv6.exthdr_dupl_fh(integer)about.labels [stats_decoder_event_ipv6_exthdr_dupl_fh]
stats.decoder.event.ipv6.exthdr_useless_fh(integer)about.labels [stats_decoder_event_ipv6_exthdr_useless_fh]
stats.decoder.event.ipv6.exthdr_dupl_rh(integer)about.labels [stats_decoder_event_ipv6_exthdr_dupl_rh]
stats.decoder.event.ipv6.exthdr_dupl_hh(integer)about.labels [stats_decoder_event_ipv6_exthdr_dupl_hh]
stats.decoder.event.ipv6.exthdr_dupl_dh(integer)about.labels [stats_decoder_event_ipv6_exthdr_dupl_dh]
stats.decoder.event.ipv6.exthdr_dupl_ah(integer)about.labels [stats_decoder_event_ipv6_exthdr_dupl_ah]
stats.decoder.event.ipv6.exthdr_dupl_eh(integer)about.labels [stats_decoder_event_ipv6_exthdr_dupl_eh]
stats.decoder.event.ipv6.exthdr_invalid_optlen(integer)about.labels [stats_decoder_event_ipv6_exthdr_invalid_optlen]
stats.decoder.event.ipv6.wrong_ip_version(integer)about.labels [stats_decoder_event_ipv6_wrong_ip_version]
stats.decoder.event.ipv6.exthdr_ah_res_not_null(integer)about.labels [stats_decoder_event_ipv6_exthdr_ah_res_not_null]
stats.decoder.event.ipv6.hopopts_unknown_opt(integer)about.labels [stats_decoder_event_ipv6_hopopts_unknown_opt]
stats.decoder.event.ipv6.hopopts_only_padding(integer)about.labels [stats_decoder_event_ipv6_hopopts_only_padding]
stats.decoder.event.ipv6.dstopts_unknown_opt(integer)about.labels [stats_decoder_event_ipv6_dstopts_unknown_opt]
stats.decoder.event.ipv6.dstopts_only_padding(integer)about.labels [stats_decoder_event_ipv6_dstopts_only_padding]
stats.decoder.event.ipv6.rh_type_0(integer)about.labels [stats_decoder_event_ipv6_rh_type_0]
stats.decoder.event.ipv6.zero_len_padn(integer)about.labels [stats_decoder_event_ipv6_zero_len_padn]
stats.decoder.event.ipv6.fh_non_zero_reserved_field(integer)about.labels [stats_decoder_event_ipv6_fh_non_zero_reserved_field]
stats.decoder.event.ipv6.data_after_none_header(integer)about.labels [stats_decoder_event_ipv6_data_after_none_header]
stats.decoder.event.ipv6.unknown_next_header(integer)about.labels [stats_decoder_event_ipv6_unknown_next_header]
stats.decoder.event.ipv6.icmpv4(integer)about.labels [stats_decoder_event_ipv6_icmpv4]
stats.decoder.event.ipv6.frag_pkt_too_large(integer)about.labels [stats_decoder_event_ipv6_frag_pkt_too_large]
stats.decoder.event.ipv6.frag_overlap(integer)about.labels [stats_decoder_event_ipv6_frag_overlap]
stats.decoder.event.ipv6.frag_invalid_length(integer)about.labels [stats_decoder_event_ipv6_frag_invalid_length]
stats.decoder.event.ipv6.frag_ignored(integer)about.labels [stats_decoder_event_ipv6_frag_ignored]
stats.decoder.event.ipv6.ipv4_in_ipv6_too_small(integer)about.labels [stats_decoder_event_ipv6_ipv4_in_ipv6_too_small]
stats.decoder.event.ipv6.ipv4_in_ipv6_wrong_version(integer)about.labels [stats_decoder_event_ipv6_ipv4_in_ipv6_wrong_version]
stats.decoder.event.ipv6.ipv6_in_ipv6_too_small(integer)about.labels [stats_decoder_event_ipv6_ipv6_in_ipv6_too_small]
stats.decoder.event.ipv6.ipv6_in_ipv6_wrong_version(integer)about.labels [stats_decoder_event_ipv6_ipv6_in_ipv6_wrong_version]
stats.decoder.event.tcp.pkt_too_small(integer)about.labels [stats_decoder_event_tcp_pkt_too_small]
stats.decoder.event.tcp.hlen_too_small(integer)about.labels [stats_decoder_event_tcp_hlen_too_small]
stats.decoder.event.tcp.invalid_optlen(integer)about.labels [stats_decoder_event_tcp_invalid_optlen]
stats.decoder.event.tcp.opt_invalid_len(integer)about.labels [stats_decoder_event_tcp_opt_invalid_len]
stats.decoder.event.tcp.opt_duplicate(integer)about.labels [stats_decoder_event_tcp_opt_duplicate]
stats.decoder.event.udp.pkt_too_small(integer)about.labels [stats_decoder_event_udp_pkt_too_small]
stats.decoder.event.udp.hlen_too_small(integer)about.labels [stats_decoder_event_udp_hlen_too_small]
stats.decoder.event.udp.hlen_invalid(integer)about.labels [stats_decoder_event_udp_hlen_invalid]
stats.decoder.event.udp.len_invalid(integer)about.labels [stats_decoder_event_udp_len_invalid]
stats.decoder.event.sll.pkt_too_small(integer)about.labels [stats_decoder_event_sll_pkt_too_small]
stats.decoder.event.ethernet.pkt_too_small(integer)about.labels [stats_decoder_event_ethernet_pkt_too_small]
stats.decoder.event.ppp.pkt_too_small(integer)about.labels [stats_decoder_event_ppp_pkt_too_small]
stats.decoder.event.ppp.vju_pkt_too_small(integer)about.labels [stats_decoder_event_ppp_vju_pkt_too_small]
stats.decoder.event.ppp.ip4_pkt_too_small(integer)about.labels [stats_decoder_event_ppp_ip4_pkt_too_small]
stats.decoder.event.ppp.ip6_pkt_too_small(integer)about.labels [stats_decoder_event_ppp_ip6_pkt_too_small]
stats.decoder.event.ppp.wrong_type(integer)about.labels [stats_decoder_event_ppp_wrong_type]
stats.decoder.event.ppp.unsup_proto(integer)about.labels [stats_decoder_event_ppp_unsup_proto]
stats.decoder.event.pppoe.pkt_too_small(integer)about.labels [stats_decoder_event_pppoe_pkt_too_small]
stats.decoder.event.pppoe.wrong_code(integer)about.labels [stats_decoder_event_pppoe_wrong_code]
stats.decoder.event.pppoe.malformed_tags(integer)about.labels [stats_decoder_event_pppoe_malformed_tags]
stats.decoder.event.gre.pkt_too_small(integer)about.labels [stats_decoder_event_gre_pkt_too_small]
stats.decoder.event.gre.wrong_version(integer)about.labels [stats_decoder_event_gre_wrong_version]
stats.decoder.event.gre.version0_recur(integer)about.labels [stats_decoder_event_gre_version0_recur]
stats.decoder.event.gre.version0_flags(integer)about.labels [stats_decoder_event_gre_version0_flags]
stats.decoder.event.gre.version0_hdr_too_big(integer)about.labels [stats_decoder_event_gre_version0_hdr_too_big]
stats.decoder.event.gre.version0_malformed_sre_hdr(integer)about.labels [stats_decoder_event_gre_version0_malformed_sre_hdr]
stats.decoder.event.gre.version1_chksum(integer)about.labels [stats_decoder_event_gre_version1_chksum]
stats.decoder.event.gre.version1_route(integer)about.labels [stats_decoder_event_gre_version1_route]
stats.decoder.event.gre.version1_ssr(integer)about.labels [stats_decoder_event_gre_version1_ssr]
stats.decoder.event.gre.version1_recur(integer)about.labels [stats_decoder_event_gre_version1_recur]
stats.decoder.event.gre.version1_flags(integer)about.labels [stats_decoder_event_gre_version1_flags]
stats.decoder.event.gre.version1_no_key(integer)about.labels [stats_decoder_event_gre_version1_no_key]
stats.decoder.event.gre.version1_wrong_protocol(integer)about.labels [stats_decoder_event_gre_version1_wrong_protocol]
stats.decoder.event.gre.version1_malformed_sre_hdr(integer)about.labels [stats_decoder_event_gre_version1_malformed_sre_hdr]
stats.decoder.event.gre.version1_hdr_too_big(integer)about.labels [stats_decoder_event_gre_version1_hdr_too_big]
stats.decoder.event.vlan.header_too_small(integer)about.labels [stats_decoder_event_vlan_header_too_small]
stats.decoder.event.vlan.unknown_type(integer)about.labels [stats_decoder_event_vlan_unknown_type]
stats.decoder.event.vlan.too_many_layers(integer)about.labels [stats_decoder_event_vlan_too_many_layers]
stats.decoder.event.ieee8021ah.header_too_small(integer)about.labels [stats_decoder_event_ieee8021ah_header_too_small]
stats.decoder.event.vntag.header_too_small(integer)about.labels [stats_decoder_event_vntag_header_too_small]
stats.decoder.event.vntag.unknown_type(integer)about.labels [stats_decoder_event_vntag_unknown_type]
stats.decoder.event.ipraw.invalid_ip_version(integer)about.labels [stats_decoder_event_ipraw_invalid_ip_version]
stats.decoder.event.ltnull.pkt_too_small(integer)about.labels [stats_decoder_event_ltnull_pkt_too_small]
stats.decoder.event.ltnull.unsupported_type(integer)about.labels [stats_decoder_event_ltnull_unsupported_type]
stats.decoder.event.sctp.pkt_too_small(integer)about.labels [stats_decoder_event_sctp_pkt_too_small]
stats.decoder.event.mpls.header_too_small(integer)about.labels [stats_decoder_event_mpls_header_too_small]
stats.decoder.event.mpls.pkt_too_small(integer)about.labels [stats_decoder_event_mpls_pkt_too_small]
stats.decoder.event.mpls.bad_label_router_alert(integer)about.labels [stats_decoder_event_mpls_bad_label_router_alert]
stats.decoder.event.mpls.bad_label_implicit_null(integer)about.labels [stats_decoder_event_mpls_bad_label_implicit_null]
stats.decoder.event.mpls.bad_label_reserved(integer)about.labels [stats_decoder_event_mpls_bad_label_reserved]
stats.decoder.event.mpls.unknown_payload_type(integer)about.labels [stats_decoder_event_mpls_unknown_payload_type]
stats.decoder.event.vxlan.unknown_payload_type(integer)about.labels [stats_decoder_event_vxlan_unknown_payload_type]
stats.decoder.event.geneve.unknown_payload_type(integer)about.labels [stats_decoder_event_geneve_unknown_payload_type]
stats.decoder.event.erspan.header_too_small(integer)about.labels [stats_decoder_event_erspan_header_too_small]
stats.decoder.event.erspan.unsupported_version(integer)about.labels [stats_decoder_event_erspan_unsupported_version]
stats.decoder.event.erspan.too_many_vlan_layers(integer)about.labels [stats_decoder_event_erspan_too_many_vlan_layers]
stats.decoder.event.dce.pkt_too_small(integer)about.labels [stats_decoder_event_dce_pkt_too_small]
stats.decoder.event.chdlc.pkt_too_small(integer)about.labels [stats_decoder_event_chdlc_pkt_too_small]
stats.decoder.too_many_layers(integer)about.labels [stats_decoder_too_many_layers]
stats.flow.memcap(integer)about.labels [stats_flow_memcap]
stats.flow.tcp(integer)about.labels [stats_flow_tcp]
stats.flow.udp(integer)about.labels [stats_flow_udp]
stats.flow.icmpv4(integer)about.labels [stats_flow_icmpv4]
stats.flow.icmpv6(integer)about.labels [stats_flow_icmpv6]
stats.flow.tcp_reuse(integer)about.labels [stats_flow_tcp_reuse]
stats.flow.get_used(integer)about.labels [stats_flow_get_used]
stats.flow.get_used_eval(integer)about.labels [stats_flow_get_used_eval]
stats.flow.get_used_eval_reject(integer)about.labels [stats_flow_get_used_eval_reject]
stats.flow.get_used_eval_busy(integer)about.labels [stats_flow_get_used_eval_busy]
stats.flow.get_used_failed(integer)about.labels [stats_flow_get_used_failed]
stats.flow.wrk.spare_sync_avg(integer)about.labels [stats_flow_wrk_spare_sync_avg]
stats.flow.wrk.spare_sync(integer)about.labels [stats_flow_wrk_spare_sync]
stats.flow.wrk.spare_sync_incomplete(integer)about.labels [stats_flow_wrk_spare_sync_incomplete]
stats.flow.wrk.spare_sync_empty(integer)about.labels [stats_flow_wrk_spare_sync_empty]
stats.flow.wrk.flows_evicted_needs_work(integer)about.labels [stats_flow_wrk_flows_evicted_needs_work]
stats.flow.wrk.flows_evicted_pkt_inject(integer)about.labels [stats_flow_wrk_flows_evicted_pkt_inject]
stats.flow.wrk.flows_evicted(integer)about.labels [stats_flow_wrk_flows_evicted]
stats.flow.wrk.flows_injected(integer)about.labels [stats_flow_wrk_flows_injected]
stats.flow.mgr.full_hash_pass(integer)about.labels [stats_flow_mgr_full_hash_pass]
stats.flow.mgr.closed_pruned(integer)about.labels [stats_flow_mgr_closed_pruned]
stats.flow.mgr.new_pruned(integer)about.labels [stats_flow_mgr_new_pruned]
stats.flow.mgr.est_pruned(integer)about.labels [stats_flow_mgr_est_pruned]
stats.flow.mgr.bypassed_pruned(integer)about.labels [stats_flow_mgr_bypassed_pruned]
stats.flow.mgr.rows_maxlen(integer)about.labels [stats_flow_mgr_rows_maxlen]
stats.flow.mgr.flows_checked(integer)about.labels [stats_flow_mgr_flows_checked]
stats.flow.mgr.flows_notimeout(integer)about.labels [stats_flow_mgr_flows_notimeout]
stats.flow.mgr.flows_timeout(integer)about.labels [stats_flow_mgr_flows_timeout]
stats.flow.mgr.flows_timeout_inuse(integer)about.labels [stats_flow_mgr_flows_timeout_inuse]
stats.flow.mgr.flows_evicted(integer)about.labels [stats_flow_mgr_flows_evicted]
stats.flow.mgr.flows_evicted_needs_work(integer)about.labels [stats_flow_mgr_flows_evicted_needs_work]
stats.flow.spare(integer)about.labels [stats_flow_spare]
stats.flow.emerg_mode_entered(integer)about.labels [stats_flow_emerg_mode_entered]
stats.flow.emerg_mode_over(integer)about.labels [stats_flow_emerg_mode_over]
stats.flow.memuse(integer)about.labels [stats_flow_memuse]
stats.defrag.ipv4.fragments(integer)about.labels [stats_defrag_ipv4_fragments]
stats.defrag.ipv4.reassembled(integer)about.labels [stats_defrag_ipv4_reassembled]
stats.defrag.ipv4.timeouts(integer)about.labels [stats_defrag_ipv4_timeouts]
stats.defrag.ipv6.fragments(integer)about.labels [stats_defrag_ipv6_fragments]
stats.defrag.ipv6.reassembled(integer)about.labels [stats_defrag_ipv6_reassembled]
stats.defrag.ipv6.timeouts(integer)about.labels [stats_defrag_ipv6_timeouts]
stats.defrag.max_frag_hits(integer)about.labels [stats_defrag_max_frag_hits]
stats.flow_bypassed.local_pkts(integer)about.labels [stats_flow_bypassed_local_pkts]
stats.flow_bypassed.local_bytes(integer)about.labels [stats_flow_bypassed_local_bytes]
stats.flow_bypassed.local_capture_pkts(integer)about.labels [stats_flow_bypassed_local_capture_pkts]
stats.flow_bypassed.local_capture_bytes(integer)about.labels [stats_flow_bypassed_local_capture_bytes]
stats.flow_bypassed.closed(integer)about.labels [stats_flow_bypassed_closed]
stats.flow_bypassed.pkts(integer)about.labels [stats_flow_bypassed_pkts]
stats.flow_bypassed.bytes(integer)about.labels [stats_flow_bypassed_bytes]
stats.tcp.sessions(integer)about.labels [stats_tcp_sessions]
stats.tcp.ssn_memcap_drop(integer)about.labels [stats_tcp_ssn_memcap_drop]
stats.tcp.pseudo(integer)about.labels [stats_tcp_pseudo]
stats.tcp.pseudo_failed(integer)about.labels [stats_tcp_pseudo_failed]
stats.tcp.invalid_checksum(integer)about.labels [stats_tcp_invalid_checksum]
stats.tcp.no_flow(integer)about.labels [stats_tcp_no_flow]
stats.tcp.syn(integer)about.labels [stats_tcp_syn]
stats.tcp.synack(integer)about.labels [stats_tcp_synack]
stats.tcp.rst(integer)about.labels [stats_tcp_rst]
stats.tcp.midstream_pickups(integer)about.labels [stats_tcp_midstream_pickups]
stats.tcp.pkt_on_wrong_thread(integer)about.labels [stats_tcp_pkt_on_wrong_thread]
stats.tcp.segment_memcap_drop(integer)about.labels [stats_tcp_segment_memcap_drop]
stats.tcp.stream_depth_reached(integer)about.labels [stats_tcp_stream_depth_reached]
stats.tcp.reassembly_gap(integer)about.labels [stats_tcp_reassembly_gap]
stats.tcp.overlap(integer)about.labels [stats_tcp_overlap]
stats.tcp.overlap_diff_data(integer)about.labels [stats_tcp_overlap_diff_data]
stats.tcp.insert_data_normal_fail(integer)about.labels [stats_tcp_insert_data_normal_fail]
stats.tcp.insert_data_overlap_fail(integer)about.labels [stats_tcp_insert_data_overlap_fail]
stats.tcp.insert_list_fail(integer)about.labels [stats_tcp_insert_list_fail]
stats.tcp.memuse(integer)about.labels [stats_tcp_memuse]
stats.tcp.reassembly_memuse(integer)about.labels [stats_tcp_reassembly_memuse]
stats.detect.engines.id(array)about.labels [stats_detect_engines_id]
stats.detect.engines.last_reload(array)about.labels [stats_detect_engines_last_reload]
stats.detect.engines.rules_loaded(array)about.labels [stats_detect_engines_rules_loaded]
stats.detect.engines.rules_failed(array)about.labels [stats_detect_engines_rules_failed]
stats.detect.alert(integer)about.labels [stats_detect_alert]
stats.detect.alert_queue_overflow(integer)about.labels [stats_detect_alert_queue_overflow]
stats.detect.alerts_suppressed(integer)about.labels [stats_detect_alerts_suppressed]
stats.app_layer.flow.http(integer)about.labels [stats_app_layer_flow_http]
stats.app_layer.flow.ftp(integer)about.labels [stats_app_layer_flow_ftp]
stats.app_layer.flow.smtp(integer)about.labels [stats_app_layer_flow_smtp]
stats.app_layer.flow.tls(integer)about.labels [stats_app_layer_flow_tls]
stats.app_layer.flow.ssh(integer)about.labels [stats_app_layer_flow_ssh]
stats.app_layer.flow.imap(integer)about.labels [stats_app_layer_flow_imap]
stats.app_layer.flow.smb(integer)about.labels [stats_app_layer_flow_smb]
stats.app_layer.flow.dcerpc_tcp(integer)about.labels [stats_app_layer_flow_dcerpc_tcp]
stats.app_layer.flow.dns_tcp(integer)about.labels [stats_app_layer_flow_dns_tcp]
stats.app_layer.flow.nfs_tcp(integer)about.labels [stats_app_layer_flow_nfs_tcp]
stats.app_layer.flow.ntp(integer)about.labels [stats_app_layer_flow_ntp]
stats.app_layer.flow.ftp-data(integer)about.labels [stats_app_layer_flow_ftp-data]
stats.app_layer.flow.tftp(integer)about.labels [stats_app_layer_flow_tftp]
stats.app_layer.flow.ikev2(integer)about.labels [stats_app_layer_flow_ikev2]
stats.app_layer.flow.krb5_tcp(integer)about.labels [stats_app_layer_flow_krb5_tcp]
stats.app_layer.flow.dhcp(integer)about.labels [stats_app_layer_flow_dhcp]
stats.app_layer.flow.rfb(integer)about.labels [stats_app_layer_flow_rfb]
stats.app_layer.flow.rdp(integer)about.labels [stats_app_layer_flow_rdp]
stats.app_layer.flow.failed_tcp(integer)about.labels [stats_app_layer_flow_failed_tcp]
stats.app_layer.flow.dcerpc_udp(integer)about.labels [stats_app_layer_flow_dcerpc_udp]
stats.app_layer.flow.dns_udp(integer)about.labels [stats_app_layer_flow_dns_udp]
stats.app_layer.flow.nfs_udp(integer)about.labels [stats_app_layer_flow_nfs_udp]
stats.app_layer.flow.krb5_udp(integer)about.labels [stats_app_layer_flow_krb5_udp]
stats.app_layer.flow.failed_udp(integer)about.labels [stats_app_layer_flow_failed_udp]
stats.app_layer.tx.http(integer)about.labels [stats_app_layer_tx_http]
stats.app_layer.tx.ftp(integer)about.labels [stats_app_layer_tx_ftp]
stats.app_layer.tx.smtp(integer)about.labels [stats_app_layer_tx_smtp]
stats.app_layer.tx.tls(integer)about.labels [stats_app_layer_tx_tls]
stats.app_layer.tx.ssh(integer)about.labels [stats_app_layer_tx_ssh]
stats.app_layer.tx.imap(integer)about.labels [stats_app_layer_tx_imap]
stats.app_layer.tx.smb(integer)about.labels [stats_app_layer_tx_smb]
stats.app_layer.tx.dcerpc_tcp(integer)about.labels [stats_app_layer_tx_dcerpc_tcp]
stats.app_layer.tx.dns_tcp(integer)about.labels [stats_app_layer_tx_dns_tcp]
stats.app_layer.tx.nfs_tcp(integer)about.labels [stats_app_layer_tx_nfs_tcp]
stats.app_layer.tx.ntp(integer)about.labels [stats_app_layer_tx_ntp]
stats.app_layer.tx.ftp-data(integer)about.labels [stats_app_layer_tx_ftp-data]
stats.app_layer.tx.tftp(integer)about.labels [stats_app_layer_tx_tftp]
stats.app_layer.tx.ikev2(integer)about.labels [stats_app_layer_tx_ikev2]
stats.app_layer.tx.krb5_tcp(integer)about.labels [stats_app_layer_tx_krb5_tcp]
stats.app_layer.tx.dhcp(integer)about.labels [stats_app_layer_tx_dhcp]
stats.app_layer.tx.rfb(integer)about.labels [stats_app_layer_tx_rfb]
stats.app_layer.tx.rdp(integer)about.labels [stats_app_layer_tx_rdp]
stats.app_layer.tx.dcerpc_udp(integer)about.labels [stats_app_layer_tx_dcerpc_udp]
stats.app_layer.tx.dns_udp(integer)about.labels [stats_app_layer_tx_dns_udp]
stats.app_layer.tx.nfs_udp(integer)about.labels [stats_app_layer_tx_nfs_udp]
stats.app_layer.tx.krb5_udp(integer)about.labels [stats_app_layer_tx_krb5_udp]
stats.app_layer.expectations(integer)about.labels [stats_app_layer_expectations]
stats.http.memuse(integer)about.labels [stats_http_memuse]
stats.http.memcap(integer)about.labels [stats_http_memcap]
stats.ftp.memuse(integer)about.labels [stats_ftp_memuse]
stats.ftp.memcap(integer)about.labels [stats_ftp_memcap]
+
+
+

Field mapping reference: CORELIGHT - logschema

+ +The following table lists the log fields of the logschema log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
name(string)about.labels [name]
text(string)about.labels [text]
schema(string)about.labels [schema]
avro(string)about.labels [avro]
+
+
+ +

Field mapping reference: CORELIGHT - corelight_metrics_bro

+ +The following table lists the log fields of the corelight_metrics_bro log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to zeek.
logs.conn.entries.per-second (integer)about.labels [logs_conn_entries_per_second]
logs.dce_rpc.entries.per-second (integer)about.labels [logs_dce_rpc_entries_per_second]
logs.dhcp.entries.per-second (integer)about.labels [logs_dhcp_entries_per_second]
logs.dnp3.entries.per-second (integer)about.labels [logs_dnp3_entries_per_second]
logs.dns.entries.per-second (integer)about.labels [logs_dns_entries_per_second]
logs.dpd.entries.per-second (integer)about.labels [logs_dpd_entries_per_second]
logs.files.entries.per-second (integer)about.labels [logs_files_entries_per_second]
logs.ftp.entries.per-second (integer)about.labels [logs_ftp_entries_per_second]
logs.http.entries.per-second (integer)about.labels [logs_http_entries_per_second]
logs.irc.entries.per-second (integer)about.labels [logs_irc_entries_per_second]
logs.kerberos.entries.per-second (integer)about.labels [logs_kerberos_entries_per_second]
logs.modbus.entries.per-second (integer)about.labels [logs_modbus_entries_per_second]
logs.mysql.entries.per-second (integer)about.labels [logs_mysql_entries_per_second]
logs.ntlm.entries.per-second (integer)about.labels [logs_ntlm_entries_per_second]
logs.pe.entries.per-second (integer)about.labels [logs_pe_entries_per_second]
logs.radius.entries.per-second (integer)about.labels [logs_radius_entries_per_second]
logs.rdp.entries.per-second (integer)about.labels [logs_rdp_entries_per_second]
logs.rfb.entries.per-second (integer)about.labels [logs_rfb_entries_per_second]
logs.sip.entries.per-second (integer)about.labels [logs_sip_entries_per_second]
logs.smb_files.entries.per-second (integer)about.labels [logs_smb_files_entries_per_second]
logs.smb_mapping.entries.per-second (integer)about.labels [logs_smb_mapping_entries_per_second]
logs.smtp.entries.per-second (integer)about.labels [logs_smtp_entries_per_second]
logs.snmp.entries.per-second (integer)about.labels [logs_snmp_entries_per_second]
logs.socks.entries.per-second (integer)about.labels [logs_socks_entries_per_second]
logs.software.entries.per-second (integer)about.labels [logs_software_entries_per_second]
logs.ssh.entries.per-second (integer)about.labels [logs_ssh_entries_per_second]
logs.ssl.entries.per-second (integer)about.labels [logs_ssl_entries_per_second]
logs.syslog.entries.per-second (integer)about.labels [logs_syslog_entries_per_second]
logs.traceroute.entries.per-second (integer)about.labels [logs_traceroute_entries_per_second]
logs.tunnel.entries.per-second (integer)about.labels [logs_tunnel_entries_per_second]
logs.weird.entries.per-second (integer)about.labels [logs_weird_entries_per_second]
logs.x509.entries.per-second (integer)about.labels [logs_x509_entries_per_second]
files.per-minute (integer)about.labels [files_per_minute]
files.queued.s3 (integer)about.labels [files_queued_s3]
files.queued.sftp (integer)about.labels [files_queued_sftp]
files.total (integer)about.labels [files_total]
logs.splunk_export.lag (integer)about.labels [logs_splunk_export_lag]
logs.syslog_export.lag (integer)about.labels [logs_syslog_export_lag]
logs.json_export.lag (integer)about.labels [logs_json_export_lag]
logs.kafka_export.lag (integer)about.labels [logs_kafka_export_lag]
logs.investigator_export.lag (integer)about.labels [logs_investigator_export_lag]
logs.kinesis_export.lag (integer)about.labels [logs_kinesis_export_lag]
logs.hec_export.lag (integer)about.labels [logs_hec_export_lag]
logs.elasticsearch_export.lag (integer)about.labels [logs_elasticsearch_export_lag]
cpu (integer)about.labels [cpu]
+
+
+ +

Field mapping reference: CORELIGHT - corelight_metrics_iface

+ +The following table lists the log fields of the corelight_metrics_iface log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to zeek.
monitor.total.kpps (integer)about.labels [monitor_total_kpps]
monitor.total.drops.kpps (integer)about.labels [monitor_total_drops_kpps]
monitor.total.mbps (integer)about.labels [monitor_total_mbps]
mgmt.in.bytes.mbps (integer)about.labels [mgmt_in_bytes_mbps]
mgmt.out.bytes.mbps (integer)about.labels [mgmt_out_bytes_mbps]
mgmt.in.packets.kpps (integer)about.labels [mgmt_in_packets_kpps]
mgmt.out.packets.kpps (integer)about.labels [mgmt_out_packets_kpps]
+
+
+ +

Field mapping reference: CORELIGHT - corelight_metrics_system

+ +The following table lists the log fields of the corelight_metrics_system log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to zeek.
cpu.1.temprature (integer)about.labels [cpu_1_temprature]
+
+
+ +

Field mapping reference: CORELIGHT - corelight_metrics_memory

+ +The following table lists the log fields of the corelight_metrics_memory log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to zeek.
usage (integer)about.labels [usage]
+
+
+ +

Field mapping reference: CORELIGHT - corelight_metrics_disk

+ +The following table lists the log fields of the corelight_metrics_disk log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to zeek.
usage.data (integer)about.labels [usage_data]
usage.os (integer)about.labels [usage_os]
+
+
+ +

Field mapping reference: CORELIGHT - corelight_metrics_zeek_doctor

+ +The following table lists the log fields of the corelight_metrics_zeek_doctor log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
metadata.product_nameThe metadata.product_name UDM field is set to zeek.
check.bursty.percent (integer)about.labels [check_bursty_percent]
check.dns_half_duplex_orig.percent (integer)about.labels [check_dns_half_duplex_orig_percent]
check.dns_half_duplex_resp.percent (integer)about.labels [check_dns_half_duplex_resp_percent]
check.local_to_local.percent (integer)about.labels [check_local_to_local_percent]
check.remote_to_remote.percent (integer)about.labels [check_remote_to_remote_percent]
check.tcp_backscatter.percent (integer)about.labels [check_tcp_backscatter_percent]
check.tcp_byte_counts_wrong.percent (integer)about.labels [check_tcp_byte_counts_wrong_percent]
check.tcp_half_duplex.percent (integer)about.labels [check_tcp_half_duplex_percent]
check.tcp_missed_bytes.percent (integer)about.labels [check_tcp_missed_bytes_percent]
check.tcp_no_ssl_on_443.percent (integer)about.labels [check_tcp_no_ssl_on_443_percent]
check.tcp_no_three_way_handshake.percent (integer)about.labels [check_tcp_no_three_way_handshake_percent]
check.tcp_retransmissions.percent (integer)about.labels [check_tcp_retransmissions_percent]
check.tcp_scan.percent (integer)about.labels [check_tcp_scan_percent]
+
+
+

Field mapping reference: CORELIGHT - analyzer

+ +The following table lists the log fields of the analyzer log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
cause (string)metadata.description
analyzer_kind (string)additional.fields[analyzer_kind]
analyzer_name (string)additional.fields[analyzer_name]
fuid (string)additional.fields[fuid]
failure_reason (string)security_result.summary
failure_data (string)security_result.description
metadata.event_typeThe metadata.event_type UDM field is set to SCAN_UNCATEGORIZED.
+
+
+

Field mapping reference: CORELIGHT - anomaly

+ +The following table lists the log fields of the anomaly log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
use_case (string)security_result.rule_name
use_case_description (string)security_result.description
entity (string)additional.fields[entity]
original_entity (string)additional.fields[original_entity]
entity_training_items (array[string] - vector of string)additional.fields[entity_training_item]Iterate through log field entity_training_items, then
entity_training_item_%{index} log field is mapped to the additional.fields.key UDM field and entity_training_item log field is mapped to the additional.fields.value UDM field.
item (string)security_result.detection_fields[item]
item_score (number - double)security_result.detection_fields[item_score]
item_assoc_entities (array[string] - vector of string)security_result.detection_fields[item_assoc_entities]Iterate through log field item_assoc_entities, then
item_assoc_entities_%{index} log field is mapped to the security_result.detection_fields.key UDM field and item_assoc_entities log field is mapped to the security_result.detection_fields.value UDM field.
item_assoc_entities_similarity (array[number] - vector of double)security_result.detection_fields[item_assoc_entities_similarity]Iterate through log field item_assoc_entities_similarity, then
item_assoc_entities_similarity_%{index} log field is mapped to the security_result.detection_fields.key UDM field and item_assoc_entities_similarity log field is mapped to the security_result.detection_fields.value UDM field.
ignorable (boolean - bool)security_result.detection_fields[ignorable]
history_days (integer - count)security_result.detection_fields[history_days]
history (number - interval)security_result.detection_fields[history]
nn1_entities (array[string] - vector of string)additional.fields[nn1_entities]Iterate through log field nn1_entities, then
nn1_entities_%{index} log field is mapped to the additional.fields.key UDM field and nn1_entities log field is mapped to the additional.fields.value UDM field.
nn1_entity_similarity (number - double)additional.fields[nn1_entity_similarity]
nn1_train_items (array[string] - vector of string)additional.fields[nn1_train_item]Iterate through log field nn1_train_items, then
nn1_train_item_%{index} log field is mapped to the additional.fields.key UDM field and nn1_train_items log field is mapped to the additional.fields.value UDM field.
nn1_pred_items (array[string] - set[string])additional.fields[nn1_pred_item]Iterate through log field nn1_pred_items, then
nn1_pred_item_%{index} log field is mapped to the additional.fields.key UDM field and nn1_pred_items log field is mapped to the additional.fields.value UDM field.
nn2_entities (array[string] - vector of string)additional.fields[nn2_entities]Iterate through log field nn2_entities, then
nn2_entities_%{index} log field is mapped to the additional.fields.key UDM field and nn2_entities log field is mapped to the additional.fields.value UDM field.
nn2_entity_similarity (number - double)additional.fields[nn2_entity_similarity]
nn2_train_items (array[string] - vector of string)additional.fields[nn2_train_item]Iterate through log field nn2_train_items, then
nn2_train_item_%{index} log field is mapped to the additional.fields.key UDM field and nn2_train_items log field is mapped to the additional.fields.value UDM field.
nn2_pred_items (array[string] - set[string])additional.fields[nn2_pred_item]Iterate through log field nn2_pred_items, then
nn2_pred_item_%{index} log field is mapped to the additional.fields.key UDM field and nn2_pred_items log field is mapped to the additional.fields.value UDM field.
nn3_entities (array[string] - vector of string)additional.fields[nn3_entities]Iterate through log field nn3_entities, then
nn3_entities_%{index} log field is mapped to the additional.fields.key UDM field and nn3_entities log field is mapped to the additional.fields.value UDM field.
nn3_entity_similarity (number - double)additional.fields[nn3_entity_similarity]
nn3_train_items (array[string] - vector of string)additional.fields[nn3_train_item]Iterate through log field nn3_train_items, then
nn3_train_item_%{index} log field is mapped to the additional.fields.key UDM field and nn3_train_items log field is mapped to the additional.fields.value UDM field.
nn3_pred_items (array[string] - set[string])additional.fields[nn3_pred_item]Iterate through log field nn3_pred_items, then
nn3_pred_item_%{index} log field is mapped to the additional.fields.key UDM field and nn3_pred_items log field is mapped to the additional.fields.value UDM field.
nn4_entities (array[string] - vector of string)additional.fields[nn4_entities]Iterate through log field nn4_entities, then
nn4_entities_%{index} log field is mapped to the additional.fields.key UDM field and nn4_entities log field is mapped to the additional.fields.value UDM field.
nn4_entity_similarity (number - double)additional.fields[nn4_entity_similarity]
nn4_train_items (array[string] - vector of string)additional.fields[nn4_train_item]Iterate through log field nn4_train_items, then
nn4_train_item_%{index} log field is mapped to the additional.fields.key UDM field and nn4_train_items log field is mapped to the additional.fields.value UDM field.
nn4_pred_items (array[string] - set[string])additional.fields[nn4_pred_item]Iterate through log field nn4_pred_items, then
nn4_pred_item_%{index} log field is mapped to the additional.fields.key UDM field and nn4_pred_items log field is mapped to the additional.fields.value UDM field.
nn5_entities (array[string] - vector of string)additional.fields[nn5_entities]Iterate through log field nn5_entities, then
nn5_entities_%{index} log field is mapped to the additional.fields.key UDM field and nn5_entities log field is mapped to the additional.fields.value UDM field.
nn5_entity_similarity (number - double)additional.fields[nn5_entity_similarity]
nn5_train_items (array[string] - vector of string)additional.fields[nn5_train_item]Iterate through log field nn5_train_items, then
nn5_train_item_%{index} log field is mapped to the additional.fields.key UDM field and nn5_train_items log field is mapped to the additional.fields.value UDM field.
nn5_pred_items (array[string] - set[string])additional.fields[nn5_pred_item]Iterate through log field nn5_pred_items, then
nn5_pred_item_%{index} log field is mapped to the additional.fields.key UDM field and nn5_pred_items log field is mapped to the additional.fields.value UDM field.
nn6_entities (array[string] - vector of string)additional.fields[nn6_entities]Iterate through log field nn6_entities, then
nn6_entities_%{index} log field is mapped to the additional.fields.key UDM field and nn6_entities log field is mapped to the additional.fields.value UDM field.
nn6_entity_similarity (number - double)additional.fields[nn6_entity_similarity]
nn6_train_items (array[string] - vector of string)additional.fields[nn6_train_item]Iterate through log field nn6_train_items, then
nn6_train_item_%{index} log field is mapped to the additional.fields.key UDM field and nn6_train_items log field is mapped to the additional.fields.value UDM field.
nn6_pred_items (array[string] - set[string])additional.fields[nn6_pred_item]Iterate through log field nn6_pred_items, then
nn6_pred_item_%{index} log field is mapped to the additional.fields.key UDM field and nn6_pred_items log field is mapped to the additional.fields.value UDM field.
nn7_entities (array[string] - vector of string)additional.fields[nn7_entities]Iterate through log field nn7_entities, then
nn7_entities_%{index} log field is mapped to the additional.fields.key UDM field and nn7_entities log field is mapped to the additional.fields.value UDM field.
nn7_entity_similarity (number - double)additional.fields[nn7_entity_similarity]
nn7_train_items (array[string] - vector of string)additional.fields[nn7_train_item]Iterate through log field nn7_train_items, then
nn7_train_item_%{index} log field is mapped to the additional.fields.key UDM field and nn7_train_items log field is mapped to the additional.fields.value UDM field.
nn7_pred_items (array[string] - set[string])additional.fields[nn7_pred_item]Iterate through log field nn7_pred_items, then
nn7_pred_item_%{index} log field is mapped to the additional.fields.key UDM field and nn7_pred_items log field is mapped to the additional.fields.value UDM field.
nn8_entities (array[string] - vector of string)additional.fields[nn8_entities]Iterate through log field nn8_entities, then
nn8_entities_%{index} log field is mapped to the additional.fields.key UDM field and nn8_entities log field is mapped to the additional.fields.value UDM field.
nn8_entity_similarity (number - double)additional.fields[nn8_entity_similarity]
nn8_train_items (array[string] - vector of string)additional.fields[nn8_train_item]Iterate through log field nn8_train_items, then
nn8_train_item_%{index} log field is mapped to the additional.fields.key UDM field and nn8_train_items log field is mapped to the additional.fields.value UDM field.
nn8_pred_items (array[string] - set[string])additional.fields[nn8_pred_item]Iterate through log field nn8_pred_items, then
nn8_pred_item_%{index} log field is mapped to the additional.fields.key UDM field and nn8_pred_items log field is mapped to the additional.fields.value UDM field.
nn9_entities (array[string] - vector of string)additional.fields[nn9_entities]Iterate through log field nn9_entities, then
nn9_entities_%{index} log field is mapped to the additional.fields.key UDM field and nn9_entities log field is mapped to the additional.fields.value UDM field.
nn9_entity_similarity (number - double)additional.fields[nn9_entity_similarity]
nn9_train_items (array[string] - vector of string)additional.fields[nn9_train_item]Iterate through log field nn9_train_items, then
nn9_train_item_%{index} log field is mapped to the additional.fields.key UDM field and nn9_train_items log field is mapped to the additional.fields.value UDM field.
nn9_pred_items (array[string] - set[string])additional.fields[nn9_pred_item]Iterate through log field nn9_pred_items, then
nn9_pred_item_%{index} log field is mapped to the additional.fields.key UDM field and nn9_pred_items log field is mapped to the additional.fields.value UDM field.
nn10_entities (array[string] - vector of string)additional.fields[nn10_entities]Iterate through log field nn10_entities, then
nn10_entities_%{index} log field is mapped to the additional.fields.key UDM field and nn10_entities log field is mapped to the additional.fields.value UDM field.
nn10_entity_similarity (number - double)additional.fields[nn10_entity_similarity]
nn10_train_items (array[string] - vector of string)additional.fields[nn10_train_item]Iterate through log field nn10_train_items, then
nn10_train_item_%{index} log field is mapped to the additional.fields.key UDM field and nn10_train_items log field is mapped to the additional.fields.value UDM field.
nn10_pred_items (array[string] - set[string])additional.fields[nn10_pred_item]Iterate through log field nn10_pred_items, then
nn10_pred_item_%{index} log field is mapped to the additional.fields.key UDM field and nn10_pred_items log field is mapped to the additional.fields.value UDM field.
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
+
+
+

Field mapping reference: CORELIGHT - ssdp

+ +The following table lists the log fields of the ssdp log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
is_orig (boolean - bool)additional.fields[is_orig]
operation (string)additional.fields[operation]
host (string)additional.fields[host]
usn (string)additional.fields[usn]
target (string)about.resource.name
target_sub (string)additional.fields[target_sub]
location (string)target.location.name
user_agent (string)network.http.user_agent
server (string)additional.fields[server]
man (string)additional.fields[man]
mx (string)additional.fields[mx]
cache_control (string)additional.fields[cache_control]
remaining_header_names (array[string] - vector of string)additional.fields[remaining_header_name]Iterate through log field remaining_header_names, then
remaining_header_name_%{index} log field is mapped to the additional.fields.key UDM field and remaining_header_names log field is mapped to the additional.fields.value UDM field.
remaining_header_values (array[string] - vector of string)additional.fields[remaining_header_value]Iterate through log field remaining_header_values, then
remaining_header_value_%{index} log field is mapped to the additional.fields.key UDM field and remaining_header_values log field is mapped to the additional.fields.value UDM field.
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
+
+
+

Field mapping reference: CORELIGHT - telnet

+ +The following table lists the log fields of the telnet log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
tn3270 (boolean - bool)additional.fields[tn3270]
tn3270e (boolean - bool)additional.fields[tn3270e]
terminal_type (string)additional.fields[terminal_type]
terminal_speed (string)additional.fields[terminal_speed]
x_display_location (string)additional.fields[x_display_location]
environ_value_names (array[string] - vector of string)additional.fields[environ_value_name]Iterate through log field environ_value_names, then
environ_value_name_%{index} log field is mapped to the additional.fields.key UDM field and environ_value_names log field is mapped to the additional.fields.value UDM field.
environ_value_values (array[string] - vector of string)additional.fields[environ_value_value]Iterate through log field environ_value_values, then
environ_value_value_%{index} log field is mapped to the additional.fields.key UDM field and environ_value_values log field is mapped to the additional.fields.value UDM field.
tn3270e_device_type_request (string)additional.fields[tn3270e_device_type_request]
tn3270e_device_type_request_associate (string)additional.fields[tn3270e_device_type_request_associate]
tn3270e_device_type_request_connect (string)additional.fields[tn3270e_device_type_request_connect]
tn3270e_device_type_is (string)additional.fields[tn3270e_device_type_is]
tn3270e_device_type_is_associate (string)additional.fields[tn3270e_device_type_is_associate]
tn3270e_device_type_is_connect (string)additional.fields[tn3270e_device_type_is_connect]
data (string)additional.fields[data]
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
+
+
+

Field mapping reference: CORELIGHT - websocket

+ +The following table lists the log fields of the websocket log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
host (string)target.hostname
uri (string)target.url
user_agent (string)network.http.user_agent
subprotocol (string)additional.fields[subprotocol]
client_protocols (array[string] - vector of string)additional.fields[client_protocol]Iterate through log field client_protocols, then
client_protocol_%{index} log field is mapped to the additional.fields.key UDM field and client_protocols log field is mapped to the additional.fields.value UDM field.
server_extensions (array[string] - vector of string)additional.fields[server_extension]Iterate through log field server_extensions, then
server_extension_%{index} log field is mapped to the additional.fields.key UDM field and server_extensions log field is mapped to the additional.fields.value UDM field.
client_extensions (array[string] - vector of string)additional.fields[client_extensions]Iterate through log field client_extensions, then
client_extension_%{index} log field is mapped to the additional.fields.key UDM field and client_extensions log field is mapped to the additional.fields.value UDM field.
metadata.event_typeThe metadata.event_type UDM field is set to NETWORK_CONNECTION.
+
+
+

Field mapping reference: CORELIGHT - first_seen

+ +The following table lists the log fields of the first_seen log type and their corresponding UDM fields. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log fieldUDM mappingLogic
use_case (string)security_result.rule_name
use_case_description (string)security_result.description
entity (string)additional.fields[entity]
original_entity (string)additional.fields[original_entity]
entity_training_items (array[string] - vector of string)additional.fields[entity_training_item]Iterate through log field entity_training_items, then
entity_training_item_%{index} log field is mapped to the additional.fields.key UDM field and entity_training_item log field is mapped to the additional.fields.value UDM field.
item (string)security_result.detection_fields[item]
first_seen_type (string - enum AnomalyDetection::AnomalyTypes)security_result.detection_fields[first_seen_type]
history_days (integer - count)security_result.detection_fields[history_days]
history (number - interval)security_result.detection_fields[history]
metadata.event_typeThe metadata.event_type UDM field is set to GENERIC_EVENT.
+
+
+ +

UDM Mapping Delta reference: Corelight

+ +The following table lists delta for Default parser of Corelight. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Log NameLog FieldPrevious UDM MappingUpdated UDM Mapping
uidadditional.fields[uid]network.session_id
cipdirectionadditional.fields[direction]network.direction
cipcip_statusadditional.fields[cip_status]security_result.description
etc_vizc2s_viz.sizeabout.labels [c2s_viz_size]network.sent_bytes
etc_vizs2c_viz.sizeabout.labels [s2c_viz_size]network.received_bytes
generic_dns_tunnelscapture_secsabout.labels [capture_secs]network.session_duration
kerberosrequest_typeprincipal.applicationextensions.auth.auth_details
kerberoserror_msgsecurity_result.action_detailssecurity_result.description
known_devicesprotocolsentity.labels [protocol]entity.network.application_protocol
known_domainsprotocolsentity.labels [protocol]entity.network.application_protocol
known_servicesprotocolentity.labels [protocol]entity.network.application_protocol
ldapresultsecurity_result.detection_fields [result]security_result.action
ldapobjectabout.labels [object]target.resource.name
mqtt_connectwill_topicabout.labels [will_topic]target.resource.name
mqtt_publishtopicabout.labels [topic]target.resource.name
mqtt_subscribetopicsabout.labels [topics]target.resource.name
mqtt_subscribeacksecurity_result.detection_fields [ack]security_result.action
pecompile_tsabout.labels [compile_ts]target.file.pe_file.compilation_time
pesection_namesabout.labels [section_names]target.file.pe_file.section
radiusreply_msgabout.labels [reply_msg]extensions.auth.auth_details
radiusresultextensions.auth.auth_detailssecurity_result.action
rdpcookieabout.labels [cookie]principal.user.userid
rdpclient_buildprincipal.labels [client_build]principal.asset.software.version
rdpclient_dig_product_idprincipal.labels [client_dig_product_id ]principal.asset.product_object_id
rdpauth_successabout.labels [auth_success]security_result.action
smtphelotarget.domain.namenetwork.smtp.helo
smtppathintermediary.ipnetwork.smtp.message_path
smtpuser_agentabout.labels [user_agent]principal.application
snmpup_sinceabout.labels [up_since]target.asset.last_boot_time
socksversionabout.labels [version]network.application_protocol_version
specific_dns_tunnelsdetectionsecurity_result.detection_fields [detection]security_result.description
sshclientprincipal.applicationprincipal.asset.software.version
sshservertarget.applicationtarget.asset.software.version
sshhost_key_algsecurity_result.detection_fields [host_key_alg]network.tls.server.certificate.version
sshhost_keysecurity_result.detection_fields [host_key]network.tls.server.certificate.sha256
sshinferencessecurity_result.summary, security_result.descriptionsecurity_result.summary, security_result.description, security_result.detection_fields
sslvalidation_statussecurity_result.detection_fields [validation_status]security_result.description
ssl_redvalidation_statussecurity_result.detection_fields [validation_status]security_result.description
steppingserver1_htarget.ipintermediary.ip
steppingserver1_ptarget.portintermediary.port
steppingclient2_hprincipal.ipintermediary.ip
steppingclient2_pprincipal.labels [client2_p]intermediary.port
steppingserver2_htarget.labels [server2_h]target.ip
steppingserver2_ptarget.labels [server2_p]target.port
suricata_corelightalert.revsecurity_result.detection_fields [alert_rev]security_result.rule_version
suricata_corelightalert.metadatasecurity_result.detection_fields [alert_metadata]security_result.rule_labels
suricata_corelightmetadatasecurity_result.detection_fields [alert_metadata]security_result.rule_labels
syslogseverityabout.labels [severity]security_result.severity, security_result.severity_details
vpninferencesabout.labels [inference]metadata.description
vpnclient_infoprincipal.labels [client_info]network.http.user_agent
weirdnameabout.labels [name]metadata.product_event_type
weirdaddlabout.labels [addl]metadata.description
weirdpeerabout.labels [peer]observer.hostname
weirdsourceabout.labels [source]metadata.product_name
x509fingerprintabout.labels [fingerprint]about.domain.last_https_certificate.thumbprint
x509certificate.versionnetwork.tls.server.certificate.versionabout.domain.last_https_certificate.version
x509certificate.serialnetwork.tls.server.certificate.serialabout.domain.last_https_certificate.serial_number
x509certificate.subjectnetwork.tls.server.certificate.subjectabout.domain.last_https_certificate.subject.common_name
x509certificate.issuernetwork.tls.server.certificate.issuerabout.domain.last_https_certificate.issuer
x509certificate.not_valid_beforenetwork.tls.server.certificate.not_beforeabout.domain.last_https_certificate.validity.issue_time
x509certificate.not_valid_afternetwork.tls.server.certificate.not_afterabout.domain.last_https_certificate.validity.expiry_time
x509certificate.key_algabout.labels [certificate_key_alg]about.labels [public_key_algorithm]
x509certificate.sig_algabout.labels [certificate_sig_alg]about.domain.last_https_certificate.signature_algorithm
x509certificate.key_typeabout.labels [certificate_key_type]about.domain.last_https_certificate.public_key.algorithm
x509certificate.key_lengthabout.labels [certificate_key_length]about.domain.last_https_certificate.public_key.rsa.key_size
x509certificate.exponentabout.labels [certificate_exponent]about.domain.last_https_certificate.public_key.rsa.exponent
x509certificate.curvenetwork.tls.curveabout.domain.last_https_certificate.ec.oid
x509san.dnsabout.labels [san_dns]about.domain.last_https_certificate.extension.subject_alternative_name
x509basic_constraints.caabout.labels [basic_constraints_ca]about.domain.last_https_certificate.extension.ca
x509_redfingerprintabout.labels [fingerprint]about.domain.last_https_certificate.thumbprint
x509_redcertificate.versionnetwork.tls.server.certificate.versionabout.domain.last_https_certificate.version
x509_redcertificate.serialnetwork.tls.server.certificate.serialabout.domain.last_https_certificate.serial_number
x509_redcertificate.subjectnetwork.tls.server.certificate.subjectabout.domain.last_https_certificate.subject.common_name
x509_redcertificate.issuernetwork.tls.server.certificate.issuerabout.domain.last_https_certificate.issuer
x509_redcertificate.not_valid_beforenetwork.tls.server.certificate.not_beforeabout.domain.last_https_certificate.validity.issue_time
x509_redcertificate.not_valid_afternetwork.tls.server.certificate.not_afterabout.domain.last_https_certificate.validity.expiry_time
x509_redcertificate.key_algabout.labels [certificate_key_alg]about.labels [public_key_algorithm]
x509_redcertificate.sig_algabout.labels [certificate_sig_alg]about.domain.last_https_certificate.signature_algorithm
x509_redcertificate.key_typeabout.labels [certificate_key_type]about.domain.last_https_certificate.public_key.algorithm
x509_redcertificate.key_lengthabout.labels [certificate_key_length]about.domain.last_https_certificate.public_key.rsa.key_size
x509_redcertificate.exponentabout.labels [certificate_exponent]about.domain.last_https_certificate.public_key.rsa.exponent
x509_redcertificate.curvenetwork.tls.curveabout.domain.last_https_certificate.ec.oid
x509_redsan.dnsabout.labels [san_dns]about.domain.last_https_certificate.extension.subject_alternative_name
x509_redbasic_constraints.caabout.labels [basic_constraints_ca]about.domain.last_https_certificate.extension.ca
+
+
+ +## What's next + +- [Data ingestion to Chronicle ](https://cloud.devsite.corp.google.com/chronicle/docs/data-ingestion-flow) diff --git a/dashboards/Data Explorer/Asset Classification.json b/dashboards/Data Explorer/Asset Classification.json index 5778217..74486ef 100644 --- a/dashboards/Data Explorer/Asset Classification.json +++ b/dashboards/Data Explorer/Asset Classification.json @@ -2,7 +2,7 @@ "dashboards": [ { "dashboard": { - "name": "e129abce-6363-4422-b835-b3eb182b2eb8", + "name": "952422b8-97ca-4f38-b28e-6c1620015e66", "displayName": "Corelight → Data Explorer → Asset Classification", "definition": { "filters": [ @@ -20,19 +20,19 @@ ], "displayName": "Global Time Filter", "chartIds": [ - "1c92d7b5-d228-43b7-9169-4ba535fa5231", - "3e31256c-8896-404a-8890-e7fb0b3920d5", - "ad8c384a-9c6d-4cfc-8f71-dde6f7d69642", - "cbc16ebd-d7c4-463c-adff-3114d4f4fd8d", - "22d48e32-2091-40f2-bd5d-73e7dbf06d0e", - "9903f26e-036a-4c29-91ad-c871f0f7662f", - "acf0b48f-1481-4b7b-a9d6-88414f048a9b", - "ff52de3a-d311-47d4-9b63-a821acb886df", - "6d69f278-c012-45b1-baca-a9c77954a35d", - "3046d7fc-f334-4def-a60b-03d1bd6d8e3a", - "572d44ea-6da7-4727-a0f8-c1f1aa251fd9", - "60769e37-5a30-46d1-8525-3a9c647933ae", - "c016171e-2346-40cf-b73e-88942423e6df" + "cbe9f32b-5c6c-490b-a93d-c83f8a241b64", + "9376581c-3028-44f0-b850-dd87cf4af44f", + "f849cce3-f5ec-4275-9b55-b672719054f8", + "54f5d1ac-842e-4f65-aee3-c50c50be6771", + "7dba276a-2ebb-4496-a5db-8dde60247610", + "ac8ec30a-309b-48da-b1d9-0ec38ef2d19b", + "530efaf0-6d90-43c0-b16f-9797092651ac", + "1159320d-9b5a-4413-a7ca-3e6fe5598d1a", + "435e1b56-392c-4bc8-b395-1dd3e26d42e6", + "b68282a9-5aa5-4d38-9ea2-5c94b7eeb457", + "4f27e4f8-7742-473b-8771-a88e9dbebfd7", + "e60e62ad-fd3b-4cd1-8760-ac816f33717a", + "4698f722-3538-4d91-bb41-a3e4465e0008" ], "isStandardTimeRangeFilter": true, "isStandardTimeRangeFilterEnabled": true 
@@ -51,17 +51,17 @@ ], "displayName": "Corelight Sensor", "chartIds": [ - "1c92d7b5-d228-43b7-9169-4ba535fa5231", - "3e31256c-8896-404a-8890-e7fb0b3920d5", - "cbc16ebd-d7c4-463c-adff-3114d4f4fd8d", - "22d48e32-2091-40f2-bd5d-73e7dbf06d0e", - "9903f26e-036a-4c29-91ad-c871f0f7662f", - "ff52de3a-d311-47d4-9b63-a821acb886df", - "6d69f278-c012-45b1-baca-a9c77954a35d", - "3046d7fc-f334-4def-a60b-03d1bd6d8e3a", - "572d44ea-6da7-4727-a0f8-c1f1aa251fd9", - "60769e37-5a30-46d1-8525-3a9c647933ae", - "c016171e-2346-40cf-b73e-88942423e6df" + "cbe9f32b-5c6c-490b-a93d-c83f8a241b64", + "9376581c-3028-44f0-b850-dd87cf4af44f", + "54f5d1ac-842e-4f65-aee3-c50c50be6771", + "7dba276a-2ebb-4496-a5db-8dde60247610", + "ac8ec30a-309b-48da-b1d9-0ec38ef2d19b", + "1159320d-9b5a-4413-a7ca-3e6fe5598d1a", + "435e1b56-392c-4bc8-b395-1dd3e26d42e6", + "b68282a9-5aa5-4d38-9ea2-5c94b7eeb457", + "4f27e4f8-7742-473b-8771-a88e9dbebfd7", + "e60e62ad-fd3b-4cd1-8760-ac816f33717a", + "4698f722-3538-4d91-bb41-a3e4465e0008" ] }, { 
@@ -78,17 +78,17 @@ ], "displayName": "Operating System", "chartIds": [ - "1c92d7b5-d228-43b7-9169-4ba535fa5231", - "3e31256c-8896-404a-8890-e7fb0b3920d5", - "cbc16ebd-d7c4-463c-adff-3114d4f4fd8d", - "22d48e32-2091-40f2-bd5d-73e7dbf06d0e", - "9903f26e-036a-4c29-91ad-c871f0f7662f", - "ff52de3a-d311-47d4-9b63-a821acb886df", - "6d69f278-c012-45b1-baca-a9c77954a35d", - "3046d7fc-f334-4def-a60b-03d1bd6d8e3a", - "572d44ea-6da7-4727-a0f8-c1f1aa251fd9", - "60769e37-5a30-46d1-8525-3a9c647933ae", - "c016171e-2346-40cf-b73e-88942423e6df" + "cbe9f32b-5c6c-490b-a93d-c83f8a241b64", + "9376581c-3028-44f0-b850-dd87cf4af44f", + "54f5d1ac-842e-4f65-aee3-c50c50be6771", + "7dba276a-2ebb-4496-a5db-8dde60247610", + "ac8ec30a-309b-48da-b1d9-0ec38ef2d19b", + "1159320d-9b5a-4413-a7ca-3e6fe5598d1a", + "435e1b56-392c-4bc8-b395-1dd3e26d42e6", + "b68282a9-5aa5-4d38-9ea2-5c94b7eeb457", + "4f27e4f8-7742-473b-8771-a88e9dbebfd7", + "e60e62ad-fd3b-4cd1-8760-ac816f33717a", + "4698f722-3538-4d91-bb41-a3e4465e0008" ] }, { 
@@ -105,17 +105,17 @@ ], "displayName": "Device Type Group", "chartIds": [ - "3e31256c-8896-404a-8890-e7fb0b3920d5", - "cbc16ebd-d7c4-463c-adff-3114d4f4fd8d", - "22d48e32-2091-40f2-bd5d-73e7dbf06d0e", - "9903f26e-036a-4c29-91ad-c871f0f7662f", - "1c92d7b5-d228-43b7-9169-4ba535fa5231", - "ff52de3a-d311-47d4-9b63-a821acb886df", - "6d69f278-c012-45b1-baca-a9c77954a35d", - "3046d7fc-f334-4def-a60b-03d1bd6d8e3a", - "572d44ea-6da7-4727-a0f8-c1f1aa251fd9", - "60769e37-5a30-46d1-8525-3a9c647933ae", - "c016171e-2346-40cf-b73e-88942423e6df" + "9376581c-3028-44f0-b850-dd87cf4af44f", + "54f5d1ac-842e-4f65-aee3-c50c50be6771", + "7dba276a-2ebb-4496-a5db-8dde60247610", + "ac8ec30a-309b-48da-b1d9-0ec38ef2d19b", + "cbe9f32b-5c6c-490b-a93d-c83f8a241b64", + "1159320d-9b5a-4413-a7ca-3e6fe5598d1a", + "435e1b56-392c-4bc8-b395-1dd3e26d42e6", + "b68282a9-5aa5-4d38-9ea2-5c94b7eeb457", + "4f27e4f8-7742-473b-8771-a88e9dbebfd7", + "e60e62ad-fd3b-4cd1-8760-ac816f33717a", + "4698f722-3538-4d91-bb41-a3e4465e0008" ] }, { 
@@ -132,17 +132,17 @@ ], "displayName": "Device Type Name", "chartIds": [ - "3e31256c-8896-404a-8890-e7fb0b3920d5", - "cbc16ebd-d7c4-463c-adff-3114d4f4fd8d", - "22d48e32-2091-40f2-bd5d-73e7dbf06d0e", - "9903f26e-036a-4c29-91ad-c871f0f7662f", - "1c92d7b5-d228-43b7-9169-4ba535fa5231", - "ff52de3a-d311-47d4-9b63-a821acb886df", - "3046d7fc-f334-4def-a60b-03d1bd6d8e3a", - "572d44ea-6da7-4727-a0f8-c1f1aa251fd9", - "60769e37-5a30-46d1-8525-3a9c647933ae", - "c016171e-2346-40cf-b73e-88942423e6df", - "6d69f278-c012-45b1-baca-a9c77954a35d" + "9376581c-3028-44f0-b850-dd87cf4af44f", + "54f5d1ac-842e-4f65-aee3-c50c50be6771", + "7dba276a-2ebb-4496-a5db-8dde60247610", + "ac8ec30a-309b-48da-b1d9-0ec38ef2d19b", + "cbe9f32b-5c6c-490b-a93d-c83f8a241b64", + "1159320d-9b5a-4413-a7ca-3e6fe5598d1a", + "b68282a9-5aa5-4d38-9ea2-5c94b7eeb457", + "4f27e4f8-7742-473b-8771-a88e9dbebfd7", + "e60e62ad-fd3b-4cd1-8760-ac816f33717a", + "4698f722-3538-4d91-bb41-a3e4465e0008", + "435e1b56-392c-4bc8-b395-1dd3e26d42e6" ] }, { 
@@ -159,23 +159,23 @@ ], "displayName": "IP Address", "chartIds": [ - "3e31256c-8896-404a-8890-e7fb0b3920d5", - "cbc16ebd-d7c4-463c-adff-3114d4f4fd8d", - "22d48e32-2091-40f2-bd5d-73e7dbf06d0e", - "9903f26e-036a-4c29-91ad-c871f0f7662f", - "1c92d7b5-d228-43b7-9169-4ba535fa5231", - "6d69f278-c012-45b1-baca-a9c77954a35d", - "3046d7fc-f334-4def-a60b-03d1bd6d8e3a", - "572d44ea-6da7-4727-a0f8-c1f1aa251fd9", - "60769e37-5a30-46d1-8525-3a9c647933ae", - "c016171e-2346-40cf-b73e-88942423e6df", - "ff52de3a-d311-47d4-9b63-a821acb886df" + "9376581c-3028-44f0-b850-dd87cf4af44f", + "54f5d1ac-842e-4f65-aee3-c50c50be6771", + "7dba276a-2ebb-4496-a5db-8dde60247610", + "ac8ec30a-309b-48da-b1d9-0ec38ef2d19b", + "cbe9f32b-5c6c-490b-a93d-c83f8a241b64", + "435e1b56-392c-4bc8-b395-1dd3e26d42e6", + "b68282a9-5aa5-4d38-9ea2-5c94b7eeb457", + "4f27e4f8-7742-473b-8771-a88e9dbebfd7", + "e60e62ad-fd3b-4cd1-8760-ac816f33717a", + "4698f722-3538-4d91-bb41-a3e4465e0008", + "1159320d-9b5a-4413-a7ca-3e6fe5598d1a" ] } ], "charts": [ { - "dashboardChart": "1c92d7b5-d228-43b7-9169-4ba535fa5231", + "dashboardChart": "cbe9f32b-5c6c-490b-a93d-c83f8a241b64", "chartLayout": { "startX": 0, "spanX": 32, @@ -192,7 +192,7 @@ ] }, { - "dashboardChart": "3e31256c-8896-404a-8890-e7fb0b3920d5", + "dashboardChart": "9376581c-3028-44f0-b850-dd87cf4af44f", "chartLayout": { "startX": 32, "spanX": 32, @@ -209,7 +209,7 @@ ] }, { - "dashboardChart": "ff52de3a-d311-47d4-9b63-a821acb886df", + "dashboardChart": "1159320d-9b5a-4413-a7ca-3e6fe5598d1a", "chartLayout": { "startX": 64, "spanX": 32, @@ -226,7 +226,7 @@ ] }, { - "dashboardChart": "9903f26e-036a-4c29-91ad-c871f0f7662f", + "dashboardChart": "ac8ec30a-309b-48da-b1d9-0ec38ef2d19b", "chartLayout": { "startX": 32, "spanX": 32, @@ -243,7 +243,7 @@ ] }, { - "dashboardChart": "c016171e-2346-40cf-b73e-88942423e6df", + "dashboardChart": "4698f722-3538-4d91-bb41-a3e4465e0008", "chartLayout": { "startX": 0, "spanX": 32, 
@@ -260,7 +260,7 @@ ] }, { - "dashboardChart": "22d48e32-2091-40f2-bd5d-73e7dbf06d0e", + "dashboardChart": "7dba276a-2ebb-4496-a5db-8dde60247610", "chartLayout": { "startX": 64, "spanX": 32, @@ -277,7 +277,7 @@ ] }, { - "dashboardChart": "acf0b48f-1481-4b7b-a9d6-88414f048a9b", + "dashboardChart": "530efaf0-6d90-43c0-b16f-9797092651ac", "chartLayout": { "startX": 0, "spanX": 41, @@ -289,7 +289,7 @@ ] }, { - "dashboardChart": "572d44ea-6da7-4727-a0f8-c1f1aa251fd9", + "dashboardChart": "4f27e4f8-7742-473b-8771-a88e9dbebfd7", "chartLayout": { "startX": 41, "spanX": 55, @@ -306,7 +306,7 @@ ] }, { - "dashboardChart": "ad8c384a-9c6d-4cfc-8f71-dde6f7d69642", + "dashboardChart": "f849cce3-f5ec-4275-9b55-b672719054f8", "chartLayout": { "startX": 41, "spanX": 55, @@ -318,7 +318,7 @@ ] }, { - "dashboardChart": "60769e37-5a30-46d1-8525-3a9c647933ae", + "dashboardChart": "e60e62ad-fd3b-4cd1-8760-ac816f33717a", "chartLayout": { "startX": 41, "spanX": 55, @@ -335,7 +335,7 @@ ] }, { - "dashboardChart": "6d69f278-c012-45b1-baca-a9c77954a35d", + "dashboardChart": "435e1b56-392c-4bc8-b395-1dd3e26d42e6", "chartLayout": { "startX": 0, "spanX": 41, @@ -352,7 +352,7 @@ ] }, { - "dashboardChart": "3046d7fc-f334-4def-a60b-03d1bd6d8e3a", + "dashboardChart": "b68282a9-5aa5-4d38-9ea2-5c94b7eeb457", "chartLayout": { "startX": 0, "spanX": 41, @@ -369,7 +369,7 @@ ] }, { - "dashboardChart": "cbc16ebd-d7c4-463c-adff-3114d4f4fd8d", + "dashboardChart": "54f5d1ac-842e-4f65-aee3-c50c50be6771", "chartLayout": { "startX": 0, "spanX": 96, 
@@ -388,15 +388,15 @@ ] }, "type": "CUSTOM", - "etag": "119ddd83fa0ef2809ef1ed90ded4de61df7b61adc06b68f40111dfa43d069100", + "etag": "21729728a2622d85ec57142a3b3077406b7f15e9d5d963775fc32fab4633cc8e", "access": "DASHBOARD_PRIVATE" }, "dashboardCharts": [ { - "name": "acf0b48f-1481-4b7b-a9d6-88414f048a9b", + "name": "530efaf0-6d90-43c0-b16f-9797092651ac", "displayName": "Top Applications by Operating System", "chartDatasource": { - "dashboardQuery": "0f980d95-842b-4c12-be05-c51cf9c0fbc1", + "dashboardQuery": "9a653018-cc47-4e3c-9fcf-eefc554fbccd", "dataSources": [ "UDM" ] @@ -434,15 +434,15 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "28bca87b74a5a29440bbc1a38f7926dc44a0bd34be06251cbb940c76d094c398", + "etag": "ac596f09180b6d9c0f328e337fe4bf4e2ee67179bcee51af98003818b169ee18", "drillDownConfig": {} }, { - "name": "ff52de3a-d311-47d4-9b63-a821acb886df", + "name": "1159320d-9b5a-4413-a7ca-3e6fe5598d1a", "displayName": "Device Type Breakdown", "description": "By Unique MAC Addresses", "chartDatasource": { - "dashboardQuery": "cfb7ccd5-fae4-43c6-b43c-e5cb87a589d7", + "dashboardQuery": "fb73ca1f-8f90-44bc-8fd9-61fcc70cd894", "dataSources": [ "UDM" ] @@ -525,14 +525,14 @@ "groupingType": "Off" }, "tileType": "TILE_TYPE_VISUALIZATION", - "etag": "ae22dfe355f66a96c12e3a7764b7a7dd512c6772c678018702ee74dab7a34ecd", + "etag": "fd72c55326e0b247b4078f9b72fc118287c02422a12cc363374d393e8f821d9d", "drillDownConfig": {} }, { - "name": "3046d7fc-f334-4def-a60b-03d1bd6d8e3a", + "name": "b68282a9-5aa5-4d38-9ea2-5c94b7eeb457", "displayName": "Detected IoT (Audio, Video, Gaming)", "chartDatasource": { - "dashboardQuery": "b4be77ad-bd54-4155-812a-9908cc74e2b6", + "dashboardQuery": "4b895ad5-e982-4d47-bc72-b58cf3fe2ded", "dataSources": [ "UDM" ] 
@@ -574,15 +574,15 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "2ecb12a94926f0c3cb409972ded067f85e1a9db017728e016cdfc9544bcd970e",
+ "etag": "fcd854f9c0af46ee1050576338445b08f37a0caf1d4b84011f80fb7ac910f962",
 "drillDownConfig": {}
 },
 {
- "name": "572d44ea-6da7-4727-a0f8-c1f1aa251fd9",
+ "name": "4f27e4f8-7742-473b-8771-a88e9dbebfd7",
 "displayName": "Device Types over Time",
 "description": "By Unique MAC Addresses",
 "chartDatasource": {
- "dashboardQuery": "5384b3ad-f370-4ad9-90d7-d64661639a6e",
+ "dashboardQuery": "e61f8cc4-03c2-420b-bd34-d24b2548853d",
 "dataSources": [
 "UDM"
 ]
@@ -666,15 +666,15 @@
 "groupingType": "Grouped"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "c7b50c1bd421e747b410ed1344b3c75a7cb336c080d2399fe876ffd6893649a1",
+ "etag": "d44c43a72045fd688dec7c544c21eb28adee396ddf41b75289ec9e5e76e9ea16",
 "drillDownConfig": {}
 },
 {
- "name": "60769e37-5a30-46d1-8525-3a9c647933ae",
+ "name": "e60e62ad-fd3b-4cd1-8760-ac816f33717a",
 "displayName": "Top Models over Time",
 "description": "By Unique IP Addresses",
 "chartDatasource": {
- "dashboardQuery": "c729e5ea-2326-4611-8906-ac2ae557162e",
+ "dashboardQuery": "aa501e9e-a24d-49a1-9dc6-43fc6371a578",
 "dataSources": [
 "UDM"
 ]
@@ -714,15 +714,15 @@
 "groupingType": "Grouped"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "03b0bbb797f561ff304b9c5a182a4e4491fce765af3054641c8ee0cd591a5d31",
+ "etag": "20cf9a7d7147879597a0a7892a5bc55eda8fd349984aa510c35a34f5f4b07b63",
 "drillDownConfig": {}
 },
 {
- "name": "c016171e-2346-40cf-b73e-88942423e6df",
+ "name": "4698f722-3538-4d91-bb41-a3e4465e0008",
 "displayName": "Operating System Versions",
 "description": "By Unique MAC Addresses",
 "chartDatasource": {
- "dashboardQuery": "666ea910-14c9-4fa4-9e28-3b225cb5bcc0",
+ "dashboardQuery": "40a154f5-f184-4e30-bcbb-23353ceb76cb",
 "dataSources": [
 "UDM"
 ]
@@ -805,15 +805,15 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "7f4ea0a800a0a72d4bd15889ea5bd1e464ba6270c982296938b8854eaf3c2d95",
+ "etag": "7caac4eb22266077101f8a894586bf3b112349d8338776bf47c626ae6077ef5b",
 "drillDownConfig": {}
 },
 {
- "name": "3e31256c-8896-404a-8890-e7fb0b3920d5",
+ "name": "9376581c-3028-44f0-b850-dd87cf4af44f",
 "displayName": "Brand Breakdown",
 "description": "By Unique MAC Addresses",
 "chartDatasource": {
- "dashboardQuery": "8e65f3e0-2057-4c55-acf9-54a4408d3453",
+ "dashboardQuery": "4a8d9b69-970d-49e7-9540-af589254a9f7",
 "dataSources": [
 "UDM"
 ]
@@ -903,14 +903,14 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "274f0b36d9ff6646ffb60909471484ac1241796e232f7f1518659747a05fa1cb",
+ "etag": "06652bb00727268566ec2325392c78da1a79c96eb27f606010ee65646f3adaef",
 "drillDownConfig": {}
 },
 {
- "name": "cbc16ebd-d7c4-463c-adff-3114d4f4fd8d",
+ "name": "54f5d1ac-842e-4f65-aee3-c50c50be6771",
 "displayName": "Device Inventory with Classifications",
 "chartDatasource": {
- "dashboardQuery": "db7fd679-3048-4803-86d3-6cd215981240",
+ "dashboardQuery": "86c702c0-bb84-4f97-8a21-de3a2caa088c",
 "dataSources": [
 "UDM"
 ]
@@ -980,15 +980,15 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "bd1986ff805252fd26f0ea22d2d70928b65c775dd6dd07e82dcbcacd4081805d",
+ "etag": "35ee950109178209af10ce998c37dc4c5116bea81a48ab6032139256a0cf2425",
 "drillDownConfig": {}
 },
 {
- "name": "22d48e32-2091-40f2-bd5d-73e7dbf06d0e",
+ "name": "7dba276a-2ebb-4496-a5db-8dde60247610",
 "displayName": "Discovery Source",
 "description": "By Unique IP Addresses",
 "chartDatasource": {
- "dashboardQuery": "9c6004b5-ac70-4139-a712-d9352841acf5",
+ "dashboardQuery": "fb79dd37-0f68-44a4-a103-23fbe352e05c",
 "dataSources": [
 "UDM"
 ]
@@ -1057,15 +1057,15 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "f76689caaa502ce73d9606dfd1d8f0e37312bfce8bda0a6f01587dab6cf64a4b",
+ "etag": "27cd0aac91056aba08bb00648c4d3b25e48d913ddfb088ee5359f3293c9ffb63",
 "drillDownConfig": {}
 },
 {
- "name": "1c92d7b5-d228-43b7-9169-4ba535fa5231",
+ "name": "cbe9f32b-5c6c-490b-a93d-c83f8a241b64",
 "displayName": "Total Operating Systems",
 "description": "By Unique MAC Addresses",
 "chartDatasource": {
- "dashboardQuery": "ae56e14a-84dd-4456-87e5-9e6d67d68d36",
+ "dashboardQuery": "ec3f7655-8329-4369-9d22-5df5fd936896",
 "dataSources": [
 "UDM"
 ]
@@ -1099,14 +1099,14 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "3965c1aa12f3b3ae6343ee8514de0d2b73987979226deee40c986a92036274d1",
+ "etag": "32c0a5fe5ebe313f54f2ddbe82d6aad4f53b0b8b0c11c9796cc6af02bc64b62d",
 "drillDownConfig": {}
 },
 {
- "name": "6d69f278-c012-45b1-baca-a9c77954a35d",
+ "name": "435e1b56-392c-4bc8-b395-1dd3e26d42e6",
 "displayName": "Classification Details per Host",
 "chartDatasource": {
- "dashboardQuery": "d9c0eac5-e0b3-43c6-a4d6-06eb76a7407f",
+ "dashboardQuery": "ce5ab6e7-5e0c-4c41-a5e8-518541bb65c6",
 "dataSources": [
 "UDM"
 ]
@@ -1148,15 +1148,15 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "83ed3afdad380d46fa4147a0bce0cc3dea70a1d2e5ba72226c796651aef10220",
+ "etag": "d6610060bf68be2ddd120637a5b760356409eef9729256061eb381ee31e38a1a",
 "drillDownConfig": {}
 },
 {
- "name": "ad8c384a-9c6d-4cfc-8f71-dde6f7d69642",
+ "name": "f849cce3-f5ec-4275-9b55-b672719054f8",
 "displayName": "Data Transferred by Device Type",
 "description": "By IP Address",
 "chartDatasource": {
- "dashboardQuery": "ced2eb15-d653-436b-a2ed-cd891f7b9167",
+ "dashboardQuery": "814fca9b-aac5-4252-acbf-31517f945c5e",
 "dataSources": [
 "UDM"
 ]
@@ -1266,15 +1266,15 @@
 "groupingType": "Grouped"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "f9a7d23dfb0181d15085d97be9edf3495a05fcf68ce0b5ab5983d76eafcb445f",
+ "etag": "b9cadb85057c387ce3def1adaf762cb0c17fc71fda20c5464cf7f782b2c8c20d",
 "drillDownConfig": {}
 },
 {
- "name": "9903f26e-036a-4c29-91ad-c871f0f7662f",
+ "name": "ac8ec30a-309b-48da-b1d9-0ec38ef2d19b",
 "displayName": "Device Groupings",
 "description": "By Unique IP Addresses",
 "chartDatasource": {
- "dashboardQuery": "110cd1bd-1317-4c1b-8d50-6718c0d57e93",
+ "dashboardQuery": "e0d7850f-a7ac-48d8-82fa-3eca4060b94f",
 "dataSources": [
 "UDM"
 ]
@@ -1357,13 +1357,13 @@
 "groupingType": "Off"
 },
 "tileType": "TILE_TYPE_VISUALIZATION",
- "etag": "a968d27db5584a5aa4245b6786614556e16edd9dd8f18e5e91794d026cb17432",
+ "etag": "a60063622452e289e0893055f7f27705223e5348e4d18517447295e4359f3ff8",
 "drillDownConfig": {}
 }
 ],
 "dashboardQueries": [
 {
- "name": "8e65f3e0-2057-4c55-acf9-54a4408d3453",
+ "name": "4a8d9b69-970d-49e7-9540-af589254a9f7",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"asset_classification\" \r\n$brand=if(about.user.company_name!=\"\", about.user.company_name, \"Unknown\")\r\nprincipal.mac!=\"\"\r\nmatch:\r\n $brand\r\noutcome:\r\n $count=count_distinct(principal.mac)\r\norder:\r\n $count desc \r\nlimit:\r\n 10",
 "input": {
 "relativeTime": {
@@ -1371,10 +1371,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "9763dab3e2f9659b03af78493bf8c9ac61a0312c4dbe8ab21258ffbc4e9b0dc9"
+ "etag": "76734b4e3aba028ea267f3ba38befa841a4e6ff7096cba5efdbd86df7c4803b5"
 },
 {
- "name": "ced2eb15-d653-436b-a2ed-cd891f7b9167",
+ "name": "814fca9b-aac5-4252-acbf-31517f945c5e",
 "query": "$e1.metadata.vendor_name=\"Corelight\"\r\n$e1.metadata.product_event_type = \"asset_classification\"\r\n$e2.metadata.vendor_name=\"Corelight\"\r\n$e2.metadata.product_event_type = \"conn\"\r\n\r\n$e1.principal.ip = $e2.principal.ip\r\n$device_type=if($e1.about.asset.category!=\"\", $e1.about.asset.category, \"Unknown\")\r\n$date_hour=timestamp.get_timestamp($e1.metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\n\r\nmatch:\r\n $date_hour, $device_type\r\noutcome:\r\n $bytes_in = sum(cast.as_float($e2.target.labels[\"resp_ip_bytes\"]))\r\n $bytes_out = sum(cast.as_float($e2.principal.labels[\"orig_ip_bytes\"]))\r\n $total_bytes = math.round(($bytes_in + $bytes_out)/1073741824, 2)\r\norder:\r\n $date_hour, $total_bytes asc",
 "input": {
 "relativeTime": {
@@ -1382,10 +1382,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "9a89a1af7204b2e507dba4f51d54c5590a30e25459a1bbaf7afba72be3641f2c"
+ "etag": "66ac9f4c672162e9442cb6b4779a58f3afd79d820a96e9b9c05eb253aaf23bea"
 },
 {
- "name": "110cd1bd-1317-4c1b-8d50-6718c0d57e93",
+ "name": "e0d7850f-a7ac-48d8-82fa-3eca4060b94f",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"asset_classification\" \r\n$brand=if(about.group.group_display_name!=\"\", about.group.group_display_name, \"Unknown\")\r\nmatch:\r\n $brand\r\noutcome:\r\n $count=count_distinct(principal.ip)\r\norder:\r\n $count desc \r\nlimit:\r\n 10",
 "input": {
 "relativeTime": {
@@ -1393,10 +1393,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "758d272a73c21aeacc505bb0981f88eb967373a7f53d235546c9a29266b23da0"
+ "etag": "803cf39ec9054d52013b63cf1c5e9b57a781cbd698f9a418521af5b6dd47845a"
 },
 {
- "name": "ae56e14a-84dd-4456-87e5-9e6d67d68d36",
+ "name": "ec3f7655-8329-4369-9d22-5df5fd936896",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"asset_classification\" \r\n$os_name=if(about.asset.attribute.labels.value!=\"\", about.asset.attribute.labels.value, \"Unknown\")\r\nprincipal.mac!=\"\"\r\nmatch:\r\n $os_name\r\noutcome:\r\n $count=count_distinct(principal.mac)\r\norder:\r\n $count desc \r\nlimit:\r\n 10\r\n",
 "input": {
 "relativeTime": {
@@ -1404,10 +1404,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "6a0bef006ad3f5d215c3e815d19a7faab267b1e5dbcc55e9103baf0b3ff289c0"
+ "etag": "fe828a270eeef5749ef5114585d2a0fabd51d8103fa2185f726b8b52ab4c8cc4"
 },
 {
- "name": "c729e5ea-2326-4611-8906-ac2ae557162e",
+ "name": "aa501e9e-a24d-49a1-9dc6-43fc6371a578",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"asset_classification\"\r\n$model=if(about.asset.hardware.model!=\"\", about.asset.hardware.model, \"Unknown\")\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\nmatch:\r\n $date_hour, $model\r\noutcome:\r\n $count=count_distinct(principal.ip)\r\norder:\r\n $date_hour, $count asc",
 "input": {
 "relativeTime": {
@@ -1415,10 +1415,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "bc71197233baed21632bda7f02c1795b5d794b5d763343a5be7d3e212535611a"
+ "etag": "a762905e209ad05aa4945bca794244e3abc38eb5600c9223d2748ac471566a52"
 },
 {
- "name": "666ea910-14c9-4fa4-9e28-3b225cb5bcc0",
+ "name": "40a154f5-f184-4e30-bcbb-23353ceb76cb",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"asset_classification\"\r\n$os= if(about.asset.attribute.labels.value!=\"\" AND about.platform_version!=\"\", strings.concat(about.asset.attribute.labels.value, \" \", about.platform_version), if(about.asset.attribute.labels.value!=\"\", about.asset.attribute.labels.value, \"Unknown\"))\r\nprincipal.mac!=\"\"\r\nmatch:\r\n $os\r\noutcome:\r\n $count=count_distinct(principal.mac)\r\norder:\r\n $count desc",
 "input": {
 "relativeTime": {
@@ -1426,10 +1426,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "50de59acb2dd24784a059609e26152d7ab1baec31b0f2a6201678dea008731b9"
+ "etag": "f78521af4f9d6041565687a093217fab10dc4f9b0a38ef533b4d5912b40ac51d"
 },
 {
- "name": "db7fd679-3048-4803-86d3-6cd215981240",
+ "name": "86c702c0-bb84-4f97-8a21-de3a2caa088c",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"asset_classification\"\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\n$confidence = if(about.security_result.confidence_score>=40, \"High\", if(about.security_result.confidence_score>=20, \"Medium\", if(about.security_result.confidence_score>=1, \"Low\", \"Unknown\")))\r\nmatch:\r\n $date_hour, principal.ip, $confidence\r\noutcome:\r\n $mac=array_distinct(if(principal.mac!=\"\", principal.mac, \"Unknown\"))\r\n $os_name=array_distinct(if(about.asset.attribute.labels.value!=\"\", about.asset.attribute.labels.value, \"Unknown\"))\r\n $os_ver=array_distinct(if(about.platform_version!=\"\", about.platform_version, \"Unknown\"))\r\n $type_name=array_distinct(if(about.resource.resource_subtype!=\"\", about.resource.resource_subtype, \"Unknown\"))\r\n $type_group=array_distinct(if(about.group.group_display_name!=\"\", about.group.group_display_name, \"Unknown\"))\r\n $brand=array_distinct(if(about.user.company_name!=\"\", about.user.company_name, \"Unknown\"))\r\n $model=array_distinct(if(about.asset.hardware.model!=\"\", about.asset.hardware.model, \"Unknown\"))\r\n $sources=array_distinct(if(about.ip_geo_artifact.tags!=\"\", about.ip_geo_artifact.tags, \"Unknown\"))\r\nlimit:\r\n 100",
 "input": {
 "relativeTime": {
@@ -1437,10 +1437,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "8033ab217fe25249c8f2c57184d4e45d5728cdddd026495abe5a330b6490200c"
+ "etag": "7c36ffb602b7c73d47b78617da99a58b46827e62fa3dfaf93a75fd2a475dfa60"
 },
 {
- "name": "9c6004b5-ac70-4139-a712-d9352841acf5",
+ "name": "fb79dd37-0f68-44a4-a103-23fbe352e05c",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"asset_classification\"\r\nabout.ip_geo_artifact.tags!=\"\"\r\n$source=if(about.ip_geo_artifact.tags=\"http\" AND about.ip_geo_artifact.tags=\"dhcp\", \"both\", about.ip_geo_artifact.tags)\r\nmatch:\r\n $source\r\noutcome:\r\n $count=count_distinct(principal.ip)\r\norder:\r\n $count desc\r\nlimit:\r\n 10",
 "input": {
 "relativeTime": {
@@ -1448,21 +1448,21 @@
 "startTimeVal": "1"
 }
 },
- "etag": "aad0cedea642f965c56c29500f36807bb2d50702d81f4fd672160ce8f1b1b3d5"
+ "etag": "76f67a9c57e47515a3fb7f01156fa02833c96dcda53cae500da48a9cb0e692eb"
 },
 {
- "name": "0f980d95-842b-4c12-be05-c51cf9c0fbc1",
- "query": "$e1.metadata.vendor_name=\"Corelight\"\r\n$e1.metadata.product_event_type = \"asset_classification\"\r\n$e2.metadata.vendor_name=\"Corelight\"\r\n$e2.metadata.product_event_type = \"conn\"\r\n\r\n$e1.principal.ip = $e2.principal.ip\r\n$os_name=if($e1.about.asset.attribute.labels.value!=\"\", $e1.about.asset.attribute.labels.value, \"Unknown\")\r\n$app=if($e2.about.application!=\"\", $e2.about.application, \"Unknown\")\r\n\r\nmatch:\r\n $os_name, $app\r\noutcome:\r\n $count=count_distinct($e2.metadata.ingestion_labels.value)\r\norder:\r\n $count desc",
+ "name": "9a653018-cc47-4e3c-9fcf-eefc554fbccd",
+ "query": "$e1.metadata.vendor_name=\"Corelight\"\r\n$e1.metadata.product_event_type = \"asset_classification\"\r\n$e2.metadata.vendor_name=\"Corelight\"\r\n$e2.metadata.product_event_type = \"conn\"\r\n\r\n$e1.principal.ip = $e2.principal.ip\r\n$os_name=if($e1.about.asset.attribute.labels.value!=\"\", $e1.about.asset.attribute.labels.value, \"Unknown\")\r\n$app=if($e2.about.application!=\"\", $e2.about.application, \"Unknown\")\r\n\r\nmatch:\r\n $os_name, $app\r\noutcome:\r\n $count=count_distinct($e2.metadata.id)\r\norder:\r\n $count desc",
 "input": {
 "relativeTime": {
 "timeUnit": "DAY",
 "startTimeVal": "1"
 }
 },
- "etag": "733150cfa1a6d5aa32124fe073962bc55083b25ef97c13eb54b13a48fd0311f2"
+ "etag": "36f24ab7e87f69a796e4a5fe97d360adcb85831cc1af37c17ff44c22110d09bc"
 },
 {
- "name": "cfb7ccd5-fae4-43c6-b43c-e5cb87a589d7",
+ "name": "fb73ca1f-8f90-44bc-8fd9-61fcc70cd894",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"asset_classification\" \r\n$brand=if(about.resource.resource_subtype!=\"\", about.resource.resource_subtype, \"Unknown\")\r\nprincipal.mac!=\"\"\r\nmatch:\r\n $brand\r\noutcome:\r\n $count=count_distinct(principal.mac)\r\norder:\r\n $count desc \r\nlimit:\r\n 10",
 "input": {
 "relativeTime": {
@@ -1470,10 +1470,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "3c766f49eb6d600dc11213c16e6ffc7639bcf456d5de4368a74a4556103b5ba7"
+ "etag": "c164de63e7b6044ddd86c6bf416465a37bfbbd043759c32d49c5eff6b2f9a2fe"
 },
 {
- "name": "d9c0eac5-e0b3-43c6-a4d6-06eb76a7407f",
+ "name": "ce5ab6e7-5e0c-4c41-a5e8-518541bb65c6",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"asset_classification\"\r\n$os = if(about.asset.attribute.labels.value!=\"\", about.asset.attribute.labels.value, \"Unknown\")\r\n$name = if(about.resource.resource_subtype!=\"\", about.resource.resource_subtype, \"Unknown\")\r\n$group = if(about.group.group_display_name!=\"\", about.group.group_display_name, \"Unknown\")\r\nmatch:\r\n principal.ip\r\noutcome:\r\n $os_name = array_distinct($os)\r\n $type_name = array_distinct($name)\r\n $type_group = array_distinct($group)\r\nlimit:\r\n 100",
 "input": {
 "relativeTime": {
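Review bot: The rewritten outcome of query `9a653018-cc47-4e3c-9fcf-eefc554fbccd` counts `count_distinct($e2.metadata.id)`, which is one value per UDM event, so the "Top Applications by Operating System" tile now reports conn event records rather than connections; that equals a connection count only if the parser emits exactly one UDM event per Zeek conn record, which this file cannot show. The expression it replaces was not a clean connection count either — `$e2.metadata.ingestion_labels.value` spans the value of every ingestion label, not just the uid — so the displayed number can move for reasons unrelated to any data change, and the tile's `description` is absent, leaving the unit undocumented. If the intended unit is distinct connections and a `uid` ingestion label is still populated (as the old expression implies), the map-style label access already used in this file (`labels[\"resp_ip_bytes\"]`) suggests `$count=count_distinct($e2.metadata.ingestion_labels[\"uid\"])` as the expression tied to the conn uid; otherwise add `"description": "By conn events (metadata.id)"` to the tile so readers know what is being counted.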
@@ -1481,10 +1481,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "c099b2ba0b5c833f491de0995c1d7d2efb82fb9ce70530a17e03ca5c8637ab1b"
+ "etag": "e167ccaaec1b9b7869cee2a09c9f1ef9e50cc23ecafc7587e3f6539a4274a907"
 },
 {
- "name": "b4be77ad-bd54-4155-812a-9908cc74e2b6",
+ "name": "4b895ad5-e982-4d47-bc72-b58cf3fe2ded",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"asset_classification\"\r\nabout.group.group_display_name = \"Audio & Video\" OR about.group.group_display_name = \"Smart Home\" OR about.asset.category = \"GAME_CONSOLE\"\r\n$device_type=if(about.asset.category!=\"\", about.asset.category, \"Unknown\")\r\n$brand=if(about.user.company_name!=\"\", about.user.company_name, \"Unknown\")\r\n$model=if(about.asset.hardware.model!=\"\", about.asset.hardware.model, \"Unknown\")\r\n\r\nmatch:\r\n $device_type, $brand, $model\r\noutcome:\r\n $count=count_distinct(principal.ip)\r\norder:\r\n $count desc\r\nlimit:\r\n 100",
 "input": {
 "relativeTime": {
@@ -1492,10 +1492,10 @@
 "startTimeVal": "1"
 }
 },
- "etag": "4d9da6a56eab1a58bd3b610e03170ef73098cc42cfcefb480627dca52f55c465"
+ "etag": "d2218af62e66b34df80a1273f21b92301988448b3eb9ed6374a7bb33f55bcb60"
 },
 {
- "name": "5384b3ad-f370-4ad9-90d7-d64661639a6e",
+ "name": "e61f8cc4-03c2-420b-bd34-d24b2548853d",
 "query": "metadata.vendor_name=\"Corelight\"\r\nmetadata.product_event_type = \"asset_classification\"\r\n$type_name=if(about.resource.resource_subtype!=\"\", about.resource.resource_subtype, \"Unknown\")\r\n$date_hour=timestamp.get_timestamp(metadata.event_timestamp.seconds, \"%Y-%m-%d : %H\")\r\nprincipal.mac!=\"\"\r\nmatch:\r\n $date_hour, $type_name\r\noutcome:\r\n $count=count_distinct(principal.mac)\r\norder:\r\n $date_hour, $count asc",
 "input": {
 "relativeTime": {
@@ -1503,7 +1503,7 @@
 "startTimeVal": "1"
 }
 },
- "etag": "d089606ea416aaa8cdcc70f8d1a3807d24aa150cabeb098d90f274a29850e549"
+ "etag": "9c082e1fbd1639f8e58347b3afbe15354ede6eb634060368c73ab9c776e99cd4"
 }
 ]
 }