{ "conn": [ [ "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state", "local_orig", "local_resp", "missed_bytes", "history", "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes", "tunnel_parents", "vlan", "inner_vlan", "orig_l2_addr", "resp_l2_addr", "community_id" ] ], "dhcp": [ [ "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "mac", "assigned_ip", "lease_time", "trans_id" ], [ "ts", "uids", "client_addr", "server_addr", "mac", "host_name", "client_fqdn", "domain", "requested_addr", "assigned_addr", "lease_time", "client_message", "server_message", "msg_types", "duration", "client_software", "server_software" ] ], "files": [ [ "ts", "fuid", "tx_hosts", "rx_hosts", "conn_uids", "source", "depth", "analyzers", "mime_type", "filename", "duration", "local_orig", "is_orig", "seen_bytes", "total_bytes", "missing_bytes", "overflow_bytes", "timedout", "parent_fuid", "md5", "sha1", "sha256", "extracted", "extracted_cutoff", "extracted_size" ] ], "http": [ [ "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "trans_depth", "method", "host", "uri", "referrer", "version", "user_agent", "origin", "request_body_len", "response_body_len", "status_code", "status_msg", "info_code", "info_msg", "tags", "username", "password", "proxied", "orig_fuids", "orig_filenames", "orig_mime_types", "resp_fuids", "resp_filenames", "resp_mime_types", "post_username", "post_password_plain", "post_password_md5", "post_password_sha1", "post_password_sha256" ] ], "ntlm": [ [ "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "username", "hostname", "domainname", "success", "status" ], [ "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "username", "hostname", "domainname", "server_nb_computer_name", "server_dns_computer_name", "server_tree_name", "success" ] ], "rdp": [ [ "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "cookie", "result", "security_protocol", "client_channels", "keyboard_layout", "client_build", "client_name", "client_dig_product_id", "desktop_width", "desktop_height", "requested_color_depth", "cert_type", "cert_count", "cert_permanent", "encryption_level", "encryption_method" ] ], "smb_files": [ [ "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "fuid", "action", "path", "name", "size", "prev_name", "times.modified", "times.accessed", "times.created", "times.changed", "data_offset_req", "data_len_req", "data_len_rsp" ] ], "ssh": [ [ "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "version", "auth_success", "auth_attempts", "direction", "client", "server", "cipher_alg", "mac_alg", "compression_alg", "kex_alg", "host_key_alg", "host_key", "remote_location.country_code", "remote_location.region", "remote_location.city", "remote_location.latitude", "remote_location.longitude", "hasshVersion", "hassh", "hasshServer", "cshka", "hasshAlgorithms", "sshka", "hasshServerAlgorithms" ] ], "ssl": [ [ "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "version", "cipher", "curve", "server_name", "resumed", "last_alert", "next_protocol", "established", "cert_chain_fuids", "client_cert_chain_fuids", "subject", "issuer", "client_subject", "client_issuer", "validation_status", "ja3", "ja3s" ] ] }