trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
master
DetectionLab/Vagrant/resources/malcolm/kibana/zeek_template.json
Trinitor 70f1922e80 added Malcolm
2021-08-06 10:35:01 +02:00

993 lines
60 KiB
JSON
Raw Permalink Blame History

{
"index_patterns" : ["sessions2-*"],
"order" : 0,
"settings" : {
"index" : {
"mapping.total_fields.limit" : "2000"
}
},
"mappings": {
"session": {
"properties": {
"client.address": { "type": "keyword" },
"client.bytes": { "type": "long" },
"client.domain": { "type": "keyword" },
"client.ip": { "type": "ip" },
"client.mac": { "type": "keyword" },
"client.packets": { "type": "integer" },
"client.port": { "type": "integer" },
"destination.domain": { "type": "keyword" },
"dns.answers": { "type": "nested" },
"dns.header_flags": { "type": "keyword" },
"dns.id": { "type": "keyword" },
"dns.op_code": { "type": "keyword" },
"dns.question.class": { "type": "keyword" },
"dns.question.name": { "type": "keyword" },
"dns.question.type": { "type": "keyword" },
"dns.resolved_ip": { "type": "ip" },
"dns.response_code": { "type": "keyword" },
"dns.type": { "type": "keyword" },
"ecs.version": { "type": "keyword" },
"event.action": { "type": "keyword" },
"event.category": { "type": "keyword" },
"event.dataset": { "type": "keyword" },
"event.duration": { "type": "long" },
"event.end": { "type": "date" },
"event.id": { "type": "keyword" },
"event.ingested": { "type": "date" },
"event.kind": { "type": "keyword" },
"event.outcome": { "type": "keyword" },
"event.provider": { "type": "keyword" },
"event.start": { "type": "date" },
"event.type": { "type": "keyword" },
"file.accessed": { "type": "date" },
"file.created": { "type": "date" },
"file.ctime": { "type": "date" },
"file.directory": { "type": "keyword" },
"file.extension": { "type": "keyword" },
"file.hash.md5": { "type": "keyword" },
"file.hash.sha1": { "type": "keyword" },
"file.hash.sha256": { "type": "keyword" },
"file.mime_type": { "type": "keyword" },
"file.mtime": { "type": "date" },
"file.name": { "type": "keyword" },
"file.path": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"file.size": { "type": "long" },
"file.type": { "type": "keyword" },
"host.name": { "type": "keyword" },
"http.request.body.bytes": { "type": "long" },
"http.request.method": { "type": "keyword" },
"http.request.referrer": { "type": "keyword" },
"http.response.body.bytes": { "type": "long" },
"http.response.status_cocde": { "type": "short" },
"http.version": { "type": "keyword" },
"log.file.path": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"network.application": { "type": "keyword" },
"network.bytes": { "type": "long" },
"network.community_id": { "type": "keyword" },
"network.iana_number": { "type": "keyword" },
"network.packets": { "type": "long" },
"network.protocol": { "type": "keyword" },
"network.transport": { "type": "keyword" },
"network.type": { "type": "keyword" },
"related.hash": { "type": "keyword" },
"related.ip": { "type": "ip" },
"related.user": { "type": "keyword" },
"rule.author": { "type": "keyword" },
"rule.category": { "type": "keyword" },
"rule.description": { "type": "keyword" },
"rule.license": { "type": "keyword" },
"rule.name": { "type": "keyword" },
"rule.reference": { "type": "keyword" },
"rule.ruleset": { "type": "keyword" },
"server.address": { "type": "keyword" },
"server.bytes": { "type": "long" },
"server.domain": { "type": "keyword" },
"server.ip": { "type": "ip" },
"server.mac": { "type": "keyword" },
"server.packets": { "type": "integer" },
"server.port": { "type": "integer" },
"threat.framework": { "type": "keyword" },
"threat.tactic.id": { "type": "keyword" },
"threat.tactic.name": { "type": "keyword" },
"threat.tactic.reference": { "type": "keyword" },
"threat.technique.id": { "type": "keyword" },
"threat.technique.name": { "type": "keyword" },
"threat.technique.reference": { "type": "keyword" },
"tls.cipher": { "type": "keyword" },
"tls.client.issuer": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"tls.client.ja3": { "type": "keyword" },
"tls.client.server_name": { "type": "keyword" },
"tls.client.subject": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"tls.curve": { "type": "keyword" },
"tls.established": { "type": "keyword" },
"tls.next_protocol": { "type": "keyword" },
"tls.resumed": { "type": "keyword" },
"tls.server.issuer": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"tls.server.ja3s": { "type": "keyword" },
"tls.server.subject": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"tls.version": { "type": "keyword" },
"tls.version_protocol": { "type": "keyword" },
"url.domain": { "type": "keyword" },
"url.extension": { "type": "keyword" },
"url.fragment": { "type": "keyword" },
"url.full": { "type": "keyword" },
"url.original": { "type": "keyword" },
"url.password": { "type": "keyword" },
"url.path": { "type": "keyword" },
"url.port": { "type": "integer" },
"url.query": { "type": "keyword" },
"url.scheme": { "type": "keyword" },
"url.username": { "type": "keyword" },
"user_agent.original": { "type": "keyword" },
"zeekLogDocId": { "type": "keyword" },
"zeek.action": { "type": "keyword" },
"zeek.community_id": { "type": "keyword" },
"zeek.destination_geo.city_name": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek.destination_geo.continent_code": { "type": "keyword" },
"zeek.destination_geo.country_code2": { "type": "keyword" },
"zeek.destination_geo.country_code3": { "type": "keyword" },
"zeek.destination_geo.country_name": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek.destination_geo.dma_code": { "type": "short" },
"zeek.destination_geo.ip": { "type": "ip" },
"zeek.destination_geo.latitude": { "type": "float" },
"zeek.destination_geo.location": { "type": "geo_point" },
"zeek.destination_geo.longitude": { "type": "float" },
"zeek.destination_geo.postal_code": { "type": "keyword" },
"zeek.destination_geo.region_code": { "type": "keyword" },
"zeek.destination_geo.region_name": { "type": "keyword" },
"zeek.destination_geo.timezone": { "type": "keyword" },
"zeek.destination_ip_reverse_dns": { "type": "keyword" },
"zeek.filename": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.filetype": { "type": "keyword" },
"zeek.freq_score_v1": { "type": "float" },
"zeek.freq_score_v2": { "type": "float" },
"zeek.fuid": { "type": "keyword" },
"zeek.logType": { "type": "keyword" },
"zeek.orig_h": { "type": "ip" },
"zeek.orig_hostname": { "type": "keyword" },
"zeek.orig_l2_addr": { "type": "keyword" },
"zeek.orig_l2_oui": { "type": "keyword" },
"zeek.orig_p": { "type": "integer" },
"zeek.orig_segment": { "type": "keyword" },
"zeek.password": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek.proto": { "type": "keyword" },
"zeek.resp_h": { "type": "ip" },
"zeek.resp_hostname": { "type": "keyword" },
"zeek.resp_l2_addr": { "type": "keyword" },
"zeek.resp_l2_oui": { "type": "keyword" },
"zeek.resp_p": { "type": "integer" },
"zeek.resp_segment": { "type": "keyword" },
"zeek.result": { "type": "keyword" },
"zeek.service": { "type": "keyword" },
"zeek.service_version": { "type": "keyword" },
"zeek.source_geo.city_name": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek.source_geo.continent_code": { "type": "keyword" },
"zeek.source_geo.country_code2": { "type": "keyword" },
"zeek.source_geo.country_code3": { "type": "keyword" },
"zeek.source_geo.country_name": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek.source_geo.dma_code": { "type": "short" },
"zeek.source_geo.ip": { "type": "ip" },
"zeek.source_geo.latitude": { "type": "float" },
"zeek.source_geo.location": { "type": "geo_point" },
"zeek.source_geo.longitude": { "type": "float" },
"zeek.source_geo.postal_code": { "type": "keyword" },
"zeek.source_geo.region_code": { "type": "keyword" },
"zeek.source_geo.region_name": { "type": "keyword" },
"zeek.source_geo.timezone": { "type": "keyword" },
"zeek.source_ip_reverse_dns": { "type": "keyword" },
"zeek.ts": { "type": "date" },
"zeek.uid": { "type": "keyword" },
"zeek.user": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek_bacnet.bvlc_function": { "type": "keyword" },
"zeek_bacnet.pdu_type": { "type": "keyword" },
"zeek_bacnet.pdu_service": { "type": "keyword" },
"zeek_bacnet.invoke_id": { "type": "integer" },
"zeek_bacnet.result_code": { "type": "keyword" },
"zeek_bacnet_discovery.pdu_service": { "type": "keyword" },
"zeek_bacnet_discovery.object_type": { "type": "keyword" },
"zeek_bacnet_discovery.instance_number": { "type": "integer" },
"zeek_bacnet_discovery.vendor": { "type": "keyword" },
"zeek_bacnet_discovery.range": { "type": "keyword" },
"zeek_bacnet_discovery.range_low": { "type": "integer" },
"zeek_bacnet_discovery.range_high": { "type": "integer" },
"zeek_bacnet_discovery.object_name": { "type": "keyword" },
"zeek_bacnet_property.pdu_service": { "type": "keyword" },
"zeek_bacnet_property.object_type": { "type": "keyword" },
"zeek_bacnet_property.instance_number": { "type": "integer" },
"zeek_bacnet_property.property": { "type": "keyword" },
"zeek_bacnet_property.array_index": { "type": "integer" },
"zeek_bacnet_property.value": { "type": "keyword" },
"zeek_bestguess.name": { "type": "keyword" },
"zeek_bestguess.category": { "type": "keyword" },
"zeek_bsap_ip_header.num_msg": { "type": "keyword" },
"zeek_bsap_ip_header.type_name": { "type": "integer" },
"zeek_bsap_ip_rdb.app_func_code": { "type": "keyword" },
"zeek_bsap_ip_rdb.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_bsap_ip_rdb.data_len": { "type": "integer" },
"zeek_bsap_ip_rdb.func_code": { "type": "keyword" },
"zeek_bsap_ip_rdb.header_size": { "type": "integer" },
"zeek_bsap_ip_rdb.mes_seq": { "type": "integer" },
"zeek_bsap_ip_rdb.node_status": { "type": "integer" },
"zeek_bsap_ip_rdb.res_seq": { "type": "integer" },
"zeek_bsap_ip_rdb.sequence": { "type": "integer" },
"zeek_bsap_ip_unknown.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_bsap_serial_header.ctl": { "type": "integer" },
"zeek_bsap_serial_header.dadd": { "type": "integer" },
"zeek_bsap_serial_header.dfun": { "type": "keyword" },
"zeek_bsap_serial_header.nsb": { "type": "integer" },
"zeek_bsap_serial_header.sadd": { "type": "integer" },
"zeek_bsap_serial_header.seq": { "type": "integer" },
"zeek_bsap_serial_header.ser": { "type": "keyword" },
"zeek_bsap_serial_header.sfun": { "type": "keyword" },
"zeek_bsap_serial_header.type_name": { "type": "keyword" },
"zeek_bsap_serial_rdb.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_bsap_serial_rdb.func_code": { "type": "keyword" },
"zeek_bsap_serial_rdb_ext.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_bsap_serial_rdb_ext.dfun": { "type": "keyword" },
"zeek_bsap_serial_rdb_ext.extfun": { "type": "keyword" },
"zeek_bsap_serial_rdb_ext.nsb": { "type": "integer" },
"zeek_bsap_serial_rdb_ext.seq": { "type": "integer" },
"zeek_bsap_serial_rdb_ext.sfun": { "type": "keyword" },
"zeek_bsap_serial_unknown.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_cip.cip_sequence_count": { "type": "integer" },
"zeek_cip.direction": { "type": "keyword" },
"zeek_cip.cip_service": { "type": "keyword" },
"zeek_cip.cip_status": { "type": "keyword" },
"zeek_cip.class_id": { "type": "keyword" },
"zeek_cip.class_name": { "type": "keyword" },
"zeek_cip.instance_id": { "type": "keyword" },
"zeek_cip.attribute_id": { "type": "keyword" },
"zeek_cip.data_id": { "type": "keyword" },
"zeek_cip.other_id": { "type": "keyword" },
"zeek_cip_identity.encapsulation_version": { "type": "integer" },
"zeek_cip_identity.socket_address": { "type": "ip" },
"zeek_cip_identity.socket_address_asn": { "type": "keyword" },
"zeek_cip_identity.socket_address_geo.city_name": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_cip_identity.socket_address_geo.continent_code": { "type": "keyword" },
"zeek_cip_identity.socket_address_geo.country_code2": { "type": "keyword" },
"zeek_cip_identity.socket_address_geo.country_code3": { "type": "keyword" },
"zeek_cip_identity.socket_address_geo.country_name": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_cip_identity.socket_address_geo.dma_code": { "type": "short" },
"zeek_cip_identity.socket_address_geo.ip": { "type": "ip" },
"zeek_cip_identity.socket_address_geo.latitude": { "type": "float" },
"zeek_cip_identity.socket_address_geo.location": { "type": "geo_point" },
"zeek_cip_identity.socket_address_geo.longitude": { "type": "float" },
"zeek_cip_identity.socket_address_geo.postal_code": { "type": "keyword" },
"zeek_cip_identity.socket_address_geo.region_code": { "type": "keyword" },
"zeek_cip_identity.socket_address_geo.region_name": { "type": "keyword" },
"zeek_cip_identity.socket_address_geo.timezone": { "type": "keyword" },
"zeek_cip_identity.socket_port": { "type": "integer" },
"zeek_cip_identity.vendor_id": { "type": "integer" },
"zeek_cip_identity.vendor_name": { "type": "keyword" },
"zeek_cip_identity.device_type_id": { "type": "integer" },
"zeek_cip_identity.device_type_name": { "type": "keyword" },
"zeek_cip_identity.product_code": { "type": "integer" },
"zeek_cip_identity.revision": { "type": "keyword" },
"zeek_cip_identity.device_status": { "type": "keyword" },
"zeek_cip_identity.serial_number": { "type": "keyword" },
"zeek_cip_identity.product_name": { "type": "keyword" },
"zeek_cip_identity.device_state": { "type": "keyword" },
"zeek_cip_io.connection_id": { "type": "keyword" },
"zeek_cip_io.sequence_number": { "type": "integer" },
"zeek_cip_io.data_length": { "type": "integer" },
"zeek_cip_io.io_data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_conn.conn_state": { "type": "keyword" },
"zeek_conn.conn_state_description": { "type": "keyword" },
"zeek_conn.duration": { "type": "float" },
"zeek_conn.history": { "type": "keyword" },
"zeek_conn.inner_vlan": { "type": "integer" },
"zeek_conn.local_orig": { "type": "keyword" },
"zeek_conn.local_resp": { "type": "keyword" },
"zeek_conn.missed_bytes": { "type": "long" },
"zeek_conn.orig_bytes": { "type": "long" },
"zeek_conn.orig_ip_bytes": { "type": "long" },
"zeek_conn.orig_pkts": { "type": "integer" },
"zeek_conn.resp_bytes": { "type": "long" },
"zeek_conn.resp_ip_bytes": { "type": "long" },
"zeek_conn.resp_pkts": { "type": "integer" },
"zeek_conn.tunnel_parents": { "type": "keyword" },
"zeek_conn.vlan": { "type": "integer" },
"zeek_dce_rpc.endpoint": { "type": "keyword" },
"zeek_dce_rpc.named_pipe": { "type": "keyword" },
"zeek_dce_rpc.operation": { "type": "keyword" },
"zeek_dce_rpc.rtt": { "type": "float" },
"zeek_dhcp.assigned_ip": { "type": "ip" },
"zeek_dhcp.client_fqdn": { "type": "keyword" },
"zeek_dhcp.client_message": { "type": "keyword" },
"zeek_dhcp.client_software": { "type": "keyword" },
"zeek_dhcp.domain": { "type": "keyword" },
"zeek_dhcp.duration": { "type": "float" },
"zeek_dhcp.host_name": { "type": "keyword" },
"zeek_dhcp.lease_time": { "type": "float" },
"zeek_dhcp.mac": { "type": "keyword" },
"zeek_dhcp.msg_types": { "type": "keyword" },
"zeek_dhcp.requested_ip": { "type": "ip" },
"zeek_dhcp.server_message": { "type": "keyword" },
"zeek_dhcp.server_software": { "type": "keyword" },
"zeek_dhcp.trans_id": { "type": "keyword" },
"zeek_dnp3.fc_reply": { "type": "keyword" },
"zeek_dnp3.fc_request": { "type": "keyword" },
"zeek_dnp3.iin": { "type": "keyword" },
"zeek_dnp3.iin_flags": { "type": "keyword" },
"zeek_dnp3_control.block_type": { "type": "keyword" },
"zeek_dnp3_control.function_code": { "type": "keyword" },
"zeek_dnp3_control.index_number": { "type": "integer" },
"zeek_dnp3_control.trip_control_code": { "type": "keyword" },
"zeek_dnp3_control.operation_type": { "type": "keyword" },
"zeek_dnp3_control.execute_count": { "type": "integer" },
"zeek_dnp3_control.on_time": { "type": "integer" },
"zeek_dnp3_control.off_time": { "type": "integer" },
"zeek_dnp3_control.status_code": { "type": "keyword" },
"zeek_dnp3_objects.function_code": { "type": "keyword" },
"zeek_dnp3_objects.object_type": { "type": "keyword" },
"zeek_dnp3_objects.object_count": { "type": "integer" },
"zeek_dnp3_objects.range_low": { "type": "integer" },
"zeek_dnp3_objects.range_high": { "type": "integer" },
"zeek_dns.AA": { "type": "keyword" },
"zeek_dns.answers": { "type": "keyword" },
"zeek_dns.qclass": { "type": "keyword" },
"zeek_dns.qclass_name": { "type": "keyword" },
"zeek_dns.qtype": { "type": "keyword" },
"zeek_dns.qtype_name": { "type": "keyword" },
"zeek_dns.query": { "type": "keyword" },
"zeek_dns.RA": { "type": "keyword" },
"zeek_dns.rcode": { "type": "short" },
"zeek_dns.rcode_name": { "type": "keyword" },
"zeek_dns.RD": { "type": "keyword" },
"zeek_dns.rejected": { "type": "keyword" },
"zeek_dns.rtt": { "type": "float" },
"zeek_dns.TC": { "type": "keyword" },
"zeek_dns.trans_id": { "type": "keyword" },
"zeek_dns.TTLs": { "type": "float" },
"zeek_dns.Z": { "type": "keyword" },
"zeek_dpd.failure_reason": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_dpd.service": { "type": "keyword" },
"zeek_ecat_aoe_info.command": { "type": "keyword" },
"zeek_ecat_aoe_info.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_ecat_aoe_info.orig_port": { "type": "keyword" },
"zeek_ecat_aoe_info.resp_port": { "type": "keyword" },
"zeek_ecat_aoe_info.state": { "type": "keyword" },
"zeek_ecat_arp_info.arp_type": { "type": "keyword" },
"zeek_ecat_arp_info.orig_hw_addr": { "type": "keyword" },
"zeek_ecat_arp_info.orig_proto_addr": { "type": "keyword" },
"zeek_ecat_arp_info.resp_hw_addr": { "type": "keyword" },
"zeek_ecat_arp_info.resp_proto_addr": { "type": "keyword" },
"zeek_ecat_coe_info.dataoffset": { "type": "keyword" },
"zeek_ecat_coe_info.index": { "type": "keyword" },
"zeek_ecat_coe_info.number": { "type": "keyword" },
"zeek_ecat_coe_info.req_resp": { "type": "keyword" },
"zeek_ecat_coe_info.subindex": { "type": "keyword" },
"zeek_ecat_coe_info.type": { "type": "keyword" },
"zeek_ecat_dev_info.build": { "type": "keyword" },
"zeek_ecat_dev_info.dev_type": { "type": "keyword" },
"zeek_ecat_dev_info.dpram": { "type": "keyword" },
"zeek_ecat_dev_info.features": { "type": "keyword" },
"zeek_ecat_dev_info.fmmucnt": { "type": "keyword" },
"zeek_ecat_dev_info.ports": { "type": "keyword" },
"zeek_ecat_dev_info.revision": { "type": "keyword" },
"zeek_ecat_dev_info.slave_id": { "type": "keyword" },
"zeek_ecat_dev_info.smcount": { "type": "keyword" },
"zeek_ecat_foe_info.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_ecat_foe_info.error_code": { "type": "keyword" },
"zeek_ecat_foe_info.filename": { "type": "keyword" },
"zeek_ecat_foe_info.opcode": { "type": "keyword" },
"zeek_ecat_foe_info.packet_num": { "type": "keyword" },
"zeek_ecat_foe_info.reserved": { "type": "keyword" },
"zeek_ecat_log_address.command": { "type": "keyword" },
"zeek_ecat_log_address.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_ecat_log_address.length": { "type": "integer" },
"zeek_ecat_log_address.log_addr": { "type": "keyword" },
"zeek_ecat_registers.command": { "type": "keyword" },
"zeek_ecat_registers.data": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_ecat_registers.register_addr": { "type": "keyword" },
"zeek_ecat_registers.register_type": { "type": "keyword" },
"zeek_ecat_registers.slave_addr": { "type": "keyword" },
"zeek_ecat_soe_info.drive_num": { "type": "keyword" },
"zeek_ecat_soe_info.element": { "type": "keyword" },
"zeek_ecat_soe_info.error": { "type": "keyword" },
"zeek_ecat_soe_info.incomplete": { "type": "keyword" },
"zeek_ecat_soe_info.index": { "type": "keyword" },
"zeek_ecat_soe_info.opcode": { "type": "keyword" },
"zeek_enip.enip_command": { "type": "keyword" },
"zeek_enip.length": { "type": "integer" },
"zeek_enip.session_handle": { "type": "keyword" },
"zeek_enip.enip_status": { "type": "keyword" },
"zeek_enip.sender_context": { "type": "keyword" },
"zeek_enip.options": { "type": "keyword" },
"zeek_files.analyzers": { "type": "keyword" },
"zeek_files.conn_uids": { "type": "keyword" },
"zeek_files.depth": { "type": "integer" },
"zeek_files.duration": { "type": "float" },
"zeek_files.extracted": { "type": "keyword" },
"zeek_files.extracted_cutoff": { "type": "keyword" },
"zeek_files.extracted_size": { "type": "integer" },
"zeek_files.filename": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_files.is_orig": { "type": "keyword" },
"zeek_files.local_orig": { "type": "keyword" },
"zeek_files.md5": { "type": "keyword" },
"zeek_files.mime_type": { "type": "keyword" },
"zeek_files.missing_bytes": { "type": "long" },
"zeek_files.overflow_bytes": { "type": "long" },
"zeek_files.parent_fuid": { "type": "keyword" },
"zeek_files.rx_hosts": { "type": "ip" },
"zeek_files.seen_bytes": { "type": "long" },
"zeek_files.sha1": { "type": "keyword" },
"zeek_files.sha256": { "type": "keyword" },
"zeek_files.source": { "type": "keyword" },
"zeek_files.timedout": { "type": "keyword" },
"zeek_files.total_bytes": { "type": "long" },
"zeek_files.tx_hosts": { "type": "ip" },
"zeek_ftp.arg": { "type": "keyword" },
"zeek_ftp.command": { "type": "keyword" },
"zeek_ftp.data_channel_orig_h": { "type": "ip" },
"zeek_ftp.data_channel_passive": { "type": "keyword" },
"zeek_ftp.data_channel_resp_h": { "type": "ip" },
"zeek_ftp.data_channel_resp_p": { "type": "integer" },
"zeek_ftp.file_size": { "type": "long" },
"zeek_ftp.mime_type": { "type": "keyword" },
"zeek_ftp.reply_code": { "type": "short" },
"zeek_ftp.reply_msg": { "type": "keyword" },
"zeek_gquic.cyu": { "type": "keyword" },
"zeek_gquic.cyutags": { "type": "keyword" },
"zeek_gquic.server_name": { "type": "keyword" },
"zeek_gquic.tag_count": { "type": "integer" },
"zeek_gquic.user_agent": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek_gquic.version": { "type": "keyword" },
"zeek_http.host": { "type": "keyword" },
"zeek_http.info_code": { "type": "short" },
"zeek_http.info_msg": { "type": "keyword" },
"zeek_http.method": { "type": "keyword" },
"zeek_http.orig_filenames": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_http.orig_fuids": { "type": "keyword" },
"zeek_http.orig_mime_types": { "type": "keyword" },
"zeek_http.origin": { "type": "keyword" },
"zeek_http.post_password_plain": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek_http.post_username": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek_http.proxied": { "type": "keyword" },
"zeek_http.referrer": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek_http.request_body_len": { "type": "long" },
"zeek_http.resp_filenames": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_http.resp_fuids": { "type": "keyword" },
"zeek_http.resp_mime_types": { "type": "keyword" },
"zeek_http.response_body_len": { "type": "long" },
"zeek_http.status_code": { "type": "short" },
"zeek_http.status_msg": { "type": "keyword", "ignore_above": 1024 },
"zeek_http.tags": { "type": "keyword" },
"zeek_http.trans_depth": { "type": "integer" },
"zeek_http.uri": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek_http.user_agent": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek_http.version": { "type": "keyword" },
"zeek_intel.file_description": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_intel.file_mime_type": { "type": "keyword" },
"zeek_intel.indicator": { "type": "keyword" },
"zeek_intel.indicator_type": { "type": "keyword" },
"zeek_intel.matched": { "type": "keyword" },
"zeek_intel.seen_node": { "type": "keyword" },
"zeek_intel.seen_where": { "type": "keyword" },
"zeek_intel.sources": { "type": "keyword" },
"zeek_ipsec.is_orig": { "type": "keyword" },
"zeek_ipsec.initiator_spi": { "type": "keyword" },
"zeek_ipsec.responder_spi": { "type": "keyword" },
"zeek_ipsec.maj_ver": { "type": "integer" },
"zeek_ipsec.min_ver": { "type": "integer" },
"zeek_ipsec.exchange_type": { "type": "integer" },
"zeek_ipsec.flag_e": { "type": "keyword" },
"zeek_ipsec.flag_c": { "type": "keyword" },
"zeek_ipsec.flag_a": { "type": "keyword" },
"zeek_ipsec.flag_i": { "type": "keyword" },
"zeek_ipsec.flag_v": { "type": "keyword" },
"zeek_ipsec.flag_r": { "type": "keyword" },
"zeek_ipsec.flags": { "type": "keyword" },
"zeek_ipsec.message_id": { "type": "keyword" },
"zeek_ipsec.vendor_ids": { "type": "keyword" },
"zeek_ipsec.notify_messages": { "type": "keyword" },
"zeek_ipsec.transforms": { "type": "keyword" },
"zeek_ipsec.ke_dh_groups": { "type": "integer" },
"zeek_ipsec.proposals": { "type": "integer" },
"zeek_ipsec.certificates": { "type": "keyword" },
"zeek_ipsec.transform_attributes": { "type": "keyword" },
"zeek_ipsec.length": { "type": "integer" },
"zeek_ipsec.hash": { "type": "keyword" },
"zeek_irc.addl": { "type": "keyword" },
"zeek_irc.command": { "type": "keyword" },
"zeek_irc.dcc_file_name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_irc.dcc_file_size": { "type": "long" },
"zeek_irc.dcc_mime_type": { "type": "keyword" },
"zeek_irc.nick": { "type": "keyword" },
"zeek_irc.value": { "type": "keyword" },
"zeek_iso_cotp.pdu_type": { "type": "keyword" },
"zeek_kerberos.cipher": { "type": "keyword" },
"zeek_kerberos.client_cert_fuid": { "type": "keyword" },
"zeek_kerberos.client_cert_subject": { "type": "keyword" },
"zeek_kerberos.cname": { "type": "keyword" },
"zeek_kerberos.error_msg": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_kerberos.forwardable": { "type": "keyword" },
"zeek_kerberos.from": { "type": "date" },
"zeek_kerberos.renewable": { "type": "keyword" },
"zeek_kerberos.request_type": { "type": "keyword" },
"zeek_kerberos.server_cert_fuid": { "type": "keyword" },
"zeek_kerberos.server_cert_subject": { "type": "keyword" },
"zeek_kerberos.sname": { "type": "keyword" },
"zeek_kerberos.success": { "type": "keyword" },
"zeek_kerberos.till": { "type": "date" },
"zeek_known_certs.issuer_subject": { "type": "keyword" },
"zeek_known_certs.serial": { "type": "keyword" },
"zeek_known_certs.subject": { "type": "keyword" },
"zeek_known_modbus.device_type": { "type": "keyword" },
"zeek_ldap.message_id": { "type": "keyword" },
"zeek_ldap.version": { "type": "integer" },
"zeek_ldap.operation": { "type": "keyword" },
"zeek_ldap.result_code": { "type": "keyword" },
"zeek_ldap.result_message": { "type": "keyword" },
"zeek_ldap.object": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_ldap.argument": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_ldap_search.message_id": { "type": "keyword" },
"zeek_ldap_search.scope": { "type": "keyword" },
"zeek_ldap_search.deref": { "type": "keyword" },
"zeek_ldap_search.base_object": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_ldap_search.result_count": { "type": "integer" },
"zeek_ldap_search.result_code": { "type": "keyword" },
"zeek_ldap_search.result_message": { "type": "keyword" },
"zeek_login.client_user": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek_login.confused": { "type": "keyword" },
"zeek_login.success": { "type": "keyword" },
"zeek_modbus.exception": { "type": "keyword" },
"zeek_modbus.func": { "type": "keyword" },
"zeek_modbus_detailed.unit_id": { "type": "integer" },
"zeek_modbus_detailed.func": { "type": "keyword" },
"zeek_modbus_detailed.network_direction": { "type": "keyword" },
"zeek_modbus_detailed.address": { "type": "integer" },
"zeek_modbus_detailed.quantity": { "type": "integer" },
"zeek_modbus_detailed.values": { "type": "keyword" },
"zeek_modbus_mask_write_register.unit_id": { "type": "integer" },
"zeek_modbus_mask_write_register.func": { "type": "keyword" },
"zeek_modbus_mask_write_register.network_direction": { "type": "keyword" },
"zeek_modbus_mask_write_register.address": { "type": "integer" },
"zeek_modbus_mask_write_register.and_mask": { "type": "integer" },
"zeek_modbus_mask_write_register.or_mask": { "type": "integer" },
"zeek_modbus_read_write_multiple_registers.unit_id": { "type": "integer" },
"zeek_modbus_read_write_multiple_registers.func": { "type": "keyword" },
"zeek_modbus_read_write_multiple_registers.network_direction": { "type": "keyword" },
"zeek_modbus_read_write_multiple_registers.write_start_address": { "type": "integer" },
"zeek_modbus_read_write_multiple_registers.write_registers": { "type": "keyword" },
"zeek_modbus_read_write_multiple_registers.read_start_address": { "type": "integer" },
"zeek_modbus_read_write_multiple_registers.read_quantity": { "type": "integer" },
"zeek_modbus_read_write_multiple_registers.read_registers": { "type": "keyword" },
"zeek_modbus_register_change.delta": { "type": "float" },
"zeek_modbus_register_change.new_val": { "type": "integer" },
"zeek_modbus_register_change.old_val": { "type": "integer" },
"zeek_modbus_register_change.register": { "type": "integer" },
"zeek_mqtt_connect.client_id": { "type": "keyword" },
"zeek_mqtt_connect.connect_status": { "type": "keyword" },
"zeek_mqtt_connect.proto_name": { "type": "keyword" },
"zeek_mqtt_connect.proto_version": { "type": "keyword" },
"zeek_mqtt_connect.will_payload": { "type": "keyword" },
"zeek_mqtt_connect.will_topic": { "type": "keyword" },
"zeek_mqtt_publish.from_client": { "type": "keyword" },
"zeek_mqtt_publish.payload": { "type": "keyword" },
"zeek_mqtt_publish.payload_len": { "type": "integer" },
"zeek_mqtt_publish.qos": { "type": "keyword" },
"zeek_mqtt_publish.retain": { "type": "keyword" },
"zeek_mqtt_publish.status": { "type": "keyword" },
"zeek_mqtt_publish.topic": { "type": "keyword" },
"zeek_mqtt_subscribe.ack": { "type": "keyword" },
"zeek_mqtt_subscribe.action": { "type": "keyword" },
"zeek_mqtt_subscribe.granted_qos_level": { "type": "integer" },
"zeek_mqtt_subscribe.qos_levels": { "type": "integer" },
"zeek_mqtt_subscribe.topics": { "type": "keyword" },
"zeek_mysql.arg": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek_mysql.cmd": { "type": "keyword" },
"zeek_mysql.response": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek_mysql.rows": { "type": "integer" },
"zeek_mysql.success": { "type": "keyword" },
"zeek_noise.msg_type": { "type": "keyword" },
"zeek_noise.sender": { "type": "keyword" },
"zeek_noise.receiver": { "type": "keyword" },
"zeek_noise.unenc_ephemeral": { "type": "keyword" },
"zeek_noise.enc_static": { "type": "keyword" },
"zeek_noise.enc_timestamp": { "type": "keyword" },
"zeek_noise.enc_nothing": { "type": "keyword" },
"zeek_noise.nonce": { "type": "keyword" },
"zeek_noise.enc_cookie": { "type": "keyword" },
"zeek_noise.mac1": { "type": "keyword" },
"zeek_noise.mac2": { "type": "keyword" },
"zeek_noise.enc_payload_len": { "type": "integer" },
"zeek_noise.enc_payload": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_notice.actions": { "type": "keyword" },
"zeek_notice.category": { "type": "keyword" },
"zeek_notice.dropped": { "type": "keyword" },
"zeek_notice.dst": { "type": "ip" },
"zeek_notice.file_desc": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_notice.file_mime_type": { "type": "keyword" },
"zeek_notice.msg": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek_notice.n": { "type": "integer" },
"zeek_notice.note": { "type": "keyword" },
"zeek_notice.p": { "type": "integer" },
"zeek_notice.peer_descr": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_notice.remote_location_city": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_notice.remote_location_country_code": { "type": "keyword" },
"zeek_notice.remote_location_latitude": { "type": "float" },
"zeek_notice.remote_location_longitude": { "type": "float" },
"zeek_notice.remote_location_region": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_notice.src": { "type": "ip" },
"zeek_notice.sub": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek_notice.sub_category": { "type": "keyword" },
"zeek_notice.suppress_for": { "type": "float" },
"zeek_ntlm.domain": { "type": "keyword" },
"zeek_ntlm.host": { "type": "keyword" },
"zeek_ntlm.server_dns_computer": { "type": "keyword" },
"zeek_ntlm.server_nb_computer": { "type": "keyword" },
"zeek_ntlm.server_tree": { "type": "keyword" },
"zeek_ntlm.status": { "type": "keyword" },
"zeek_ntlm.success": { "type": "keyword" },
"zeek_ntp.mode": { "type": "keyword" },
"zeek_ntp.mode_str": { "type": "keyword" },
"zeek_ntp.num_exts": { "type": "integer" },
"zeek_ntp.org_time": { "type": "date" },
"zeek_ntp.poll": { "type": "float" },
"zeek_ntp.precision": { "type": "float" },
"zeek_ntp.rec_time": { "type": "date" },
"zeek_ntp.ref_id": { "type": "keyword" },
"zeek_ntp.ref_time": { "type": "date" },
"zeek_ntp.root_delay": { "type": "float" },
"zeek_ntp.root_disp": { "type": "float" },
"zeek_ntp.stratum": { "type": "keyword" },
"zeek_ntp.version": { "type": "integer" },
"zeek_ntp.xmt_time": { "type": "date" },
"zeek_pe.compile_ts": { "type": "date" },
"zeek_pe.has_cert_table": { "type": "keyword" },
"zeek_pe.has_debug_data": { "type": "keyword" },
"zeek_pe.has_export_table": { "type": "keyword" },
"zeek_pe.has_import_table": { "type": "keyword" },
"zeek_pe.is_64bit": { "type": "keyword" },
"zeek_pe.is_exe": { "type": "keyword" },
"zeek_pe.machine": { "type": "keyword" },
"zeek_pe.os": { "type": "keyword" },
"zeek_pe.section_names": { "type": "keyword" },
"zeek_pe.subsystem": { "type": "keyword" },
"zeek_pe.uses_aslr": { "type": "keyword" },
"zeek_pe.uses_code_integrity": { "type": "keyword" },
"zeek_pe.uses_dep": { "type": "keyword" },
"zeek_pe.uses_seh": { "type": "keyword" },
"zeek_profinet.block_version": { "type": "keyword" },
"zeek_profinet.index": { "type": "keyword" },
"zeek_profinet.operation_type": { "type": "keyword" },
"zeek_profinet.slot_number": { "type": "integer" },
"zeek_profinet.subslot_number": { "type": "integer" },
"zeek_profinet_dce_rpc.activity_uuid": { "type": "keyword" },
"zeek_profinet_dce_rpc.interface_uuid": { "type": "keyword" },
"zeek_profinet_dce_rpc.object_uuid": { "type": "keyword" },
"zeek_profinet_dce_rpc.operation": { "type": "keyword" },
"zeek_profinet_dce_rpc.packet_type": { "type": "keyword" },
"zeek_profinet_dce_rpc.server_boot_time": { "type": "integer" },
"zeek_profinet_dce_rpc.version": { "type": "integer" },
"zeek_radius.connect_info": { "type": "keyword" },
"zeek_radius.framed_addr": { "type": "ip" },
"zeek_radius.mac": { "type": "keyword" },
"zeek_radius.reply_msg": { "type": "keyword" },
"zeek_radius.result": { "type": "keyword" },
"zeek_radius.ttl": { "type": "float" },
"zeek_radius.tunnel_client": { "type": "keyword" },
"zeek_rdp.cert_count": { "type": "integer" },
"zeek_rdp.cert_permanent": { "type": "keyword" },
"zeek_rdp.cert_type": { "type": "keyword" },
"zeek_rdp.client_build": { "type": "keyword" },
"zeek_rdp.client_channels": { "type": "keyword" },
"zeek_rdp.client_dig_product_id": { "type": "keyword" },
"zeek_rdp.client_name": { "type": "keyword" },
"zeek_rdp.cookie": { "type": "keyword" },
"zeek_rdp.desktop_height": { "type": "integer" },
"zeek_rdp.desktop_width": { "type": "integer" },
"zeek_rdp.encryption_level": { "type": "keyword" },
"zeek_rdp.encryption_method": { "type": "keyword" },
"zeek_rdp.keyboard_layout": { "type": "keyword" },
"zeek_rdp.requested_color_depth": { "type": "keyword" },
"zeek_rdp.result": { "type": "keyword" },
"zeek_rdp.security_protocol": { "type": "keyword" },
"zeek_rfb.auth": { "type": "keyword" },
"zeek_rfb.authentication_method": { "type": "keyword" },
"zeek_rfb.client_major_version": { "type": "keyword" },
"zeek_rfb.client_minor_version": { "type": "keyword" },
"zeek_rfb.desktop_name": { "type": "keyword" },
"zeek_rfb.height": { "type": "integer" },
"zeek_rfb.server_major_version": { "type": "keyword" },
"zeek_rfb.server_minor_version": { "type": "keyword" },
"zeek_rfb.share_flag": { "type": "keyword" },
"zeek_rfb.width": { "type": "integer" },
"zeek_s7comm.data_info": { "type": "keyword" },
"zeek_s7comm.item_count": { "type": "integer" },
"zeek_s7comm.parameter": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek_s7comm.parameters.class": { "type": "keyword" },
"zeek_s7comm.parameters.code": { "type": "keyword" },
"zeek_s7comm.parameters.group": { "type": "keyword" },
"zeek_s7comm.parameters.mode": { "type": "keyword" },
"zeek_s7comm.parameters.sub": { "type": "keyword" },
"zeek_s7comm.parameters.type": { "type": "keyword" },
"zeek_s7comm.rosctr": { "type": "keyword" },
"zeek_signatures.engine": { "type": "keyword" },
"zeek_signatures.event_message": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek_signatures.hits": { "type": "nested" },
"zeek_signatures.host_count": { "type": "integer" },
"zeek_signatures.note": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek_signatures.signature_count": { "type": "integer" },
"zeek_signatures.signature_id": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_signatures.sub_message": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek_sip.call_id": { "type": "keyword" },
"zeek_sip.content_type": { "type": "keyword" },
"zeek_sip.date": { "type": "keyword" },
"zeek_sip.method": { "type": "keyword" },
"zeek_sip.reply_to": { "type": "keyword" },
"zeek_sip.request_body_len": { "type": "integer" },
"zeek_sip.request_from": { "type": "keyword" },
"zeek_sip.request_path": { "type": "keyword" },
"zeek_sip.request_to": { "type": "keyword" },
"zeek_sip.response_body_len": { "type": "integer" },
"zeek_sip.response_from": { "type": "keyword" },
"zeek_sip.response_path": { "type": "keyword" },
"zeek_sip.response_to": { "type": "keyword" },
"zeek_sip.seq": { "type": "keyword" },
"zeek_sip.status_code": { "type": "short" },
"zeek_sip.status_msg": { "type": "keyword" },
"zeek_sip.subject": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_sip.trans_depth": { "type": "integer" },
"zeek_sip.uri": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek_sip.user_agent": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek_sip.version": { "type": "keyword" },
"zeek_sip.warning": { "type": "keyword" },
"zeek_smb_cmd.argument": { "type": "keyword" },
"zeek_smb_cmd.command": { "type": "keyword" },
"zeek_smb_cmd.rtt": { "type": "float" },
"zeek_smb_cmd.status": { "type": "keyword" },
"zeek_smb_cmd.sub_command": { "type": "keyword" },
"zeek_smb_cmd.tree": { "type": "keyword" },
"zeek_smb_cmd.tree_service": { "type": "keyword" },
"zeek_smb_cmd.user": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek_smb_cmd.version": { "type": "keyword" },
"zeek_smb_files.action": { "type": "keyword" },
"zeek_smb_files.data_len_req": { "type": "long" },
"zeek_smb_files.data_len_rsp": { "type": "long" },
"zeek_smb_files.data_offset_req": { "type": "long" },
"zeek_smb_files.name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_smb_files.path": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_smb_files.prev_name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_smb_files.size": { "type": "long" },
"zeek_smb_files.times_accessed": { "type": "date" },
"zeek_smb_files.times_changed": { "type": "date" },
"zeek_smb_files.times_created": { "type": "date" },
"zeek_smb_files.times_modified": { "type": "date" },
"zeek_smb_files.ts": { "type": "date" },
"zeek_smb_mapping.native_file_system": { "type": "keyword" },
"zeek_smb_mapping.path": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_smb_mapping.resource_type": { "type": "keyword" },
"zeek_smb_mapping.share_type": { "type": "keyword" },
"zeek_smtp.cc": { "type": "keyword" },
"zeek_smtp.date": { "type": "keyword" },
"zeek_smtp.first_received": { "type": "keyword" },
"zeek_smtp.from": { "type": "keyword" },
"zeek_smtp.helo": { "type": "keyword" },
"zeek_smtp.in_reply_to": { "type": "keyword" },
"zeek_smtp.is_webmail": { "type": "keyword" },
"zeek_smtp.last_reply": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_smtp.last_reply_code": { "type": "keyword" },
"zeek_smtp.last_reply_msg": { "type": "keyword" },
"zeek_smtp.mailfrom": { "type": "keyword" },
"zeek_smtp.msg_id": { "type": "keyword" },
"zeek_smtp.path": { "type": "ip" },
"zeek_smtp.rcptto": { "type": "keyword" },
"zeek_smtp.reply_to": { "type": "keyword" },
"zeek_smtp.second_received": { "type": "keyword" },
"zeek_smtp.subject": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_smtp.tls": { "type": "keyword" },
"zeek_smtp.to": { "type": "keyword" },
"zeek_smtp.trans_depth": { "type": "integer" },
"zeek_smtp.user_agent": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek_smtp.x_originating_ip": { "type": "ip" },
"zeek_snmp.community": { "type": "keyword" },
"zeek_snmp.display_string": { "type": "keyword" },
"zeek_snmp.duration": { "type": "float" },
"zeek_snmp.get_bulk_requests": { "type": "integer" },
"zeek_snmp.get_requests": { "type": "integer" },
"zeek_snmp.get_responses": { "type": "integer" },
"zeek_snmp.set_requests": { "type": "integer" },
"zeek_snmp.up_since": { "type": "date" },
"zeek_snmp.version": { "type": "keyword" },
"zeek_socks.bound_host": { "type": "ip" },
"zeek_socks.bound_name": { "type": "keyword" },
"zeek_socks.bound_port": { "type": "integer" },
"zeek_socks.request_host": { "type": "ip" },
"zeek_socks.request_name": { "type": "keyword" },
"zeek_socks.request_port": { "type": "integer" },
"zeek_socks.server_status": { "type": "keyword" },
"zeek_socks.version": { "type": "integer" },
"zeek_software.name": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek_software.software_type": { "type": "keyword" },
"zeek_software.unparsed_version": { "type": "keyword", "ignore_above": 1024 },
"zeek_software.version_addl": { "type": "keyword", "ignore_above": 1024 },
"zeek_software.version_major": { "type": "integer" },
"zeek_software.version_minor": { "type": "integer" },
"zeek_software.version_minor2": { "type": "integer" },
"zeek_software.version_minor3": { "type": "integer" },
"zeek_ssh.auth_attempts": { "type": "integer" },
"zeek_ssh.auth_success": { "type": "keyword" },
"zeek_ssh.cipher_alg": { "type": "keyword" },
"zeek_ssh.client": { "type": "keyword" },
"zeek_ssh.compression_alg": { "type": "keyword" },
"zeek_ssh.cshka": { "type": "keyword" },
"zeek_ssh.direction": { "type": "keyword" },
"zeek_ssh.hassh": { "type": "keyword" },
"zeek_ssh.hasshAlgorithms": { "type": "keyword" },
"zeek_ssh.hasshServer": { "type": "keyword" },
"zeek_ssh.hasshServerAlgorithms": { "type": "keyword" },
"zeek_ssh.hasshVersion": { "type": "keyword" },
"zeek_ssh.host_key": { "type": "keyword" },
"zeek_ssh.host_key_alg": { "type": "keyword" },
"zeek_ssh.kex_alg": { "type": "keyword" },
"zeek_ssh.mac_alg": { "type": "keyword" },
"zeek_ssh.remote_location_city": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_ssh.remote_location_country_code": { "type": "keyword" },
"zeek_ssh.remote_location_latitude": { "type": "float" },
"zeek_ssh.remote_location_longitude": { "type": "float" },
"zeek_ssh.remote_location_region": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek_ssh.server": { "type": "keyword" },
"zeek_ssh.sshka": { "type": "keyword" },
"zeek_ssh.version": { "type": "integer" },
"zeek_ssl.cert_chain_fuids": { "type": "keyword" },
"zeek_ssl.cipher": { "type": "keyword" },
"zeek_ssl.client_cert_chain_fuids": { "type": "keyword" },
"zeek_ssl.client_issuer.C": { "type": "keyword" },
"zeek_ssl.client_issuer.CN": { "type": "keyword" },
"zeek_ssl.client_issuer.DC": { "type": "keyword" },
"zeek_ssl.client_issuer.emailAddress": { "type": "keyword" },
"zeek_ssl.client_issuer.GN": { "type": "keyword" },
"zeek_ssl.client_issuer.initials": { "type": "keyword" },
"zeek_ssl.client_issuer.L": { "type": "keyword" },
"zeek_ssl.client_issuer.O": { "type": "keyword" },
"zeek_ssl.client_issuer.OU": { "type": "keyword" },
"zeek_ssl.client_issuer.pseudonym": { "type": "keyword" },
"zeek_ssl.client_issuer.serialNumber": { "type": "keyword" },
"zeek_ssl.client_issuer.SN": { "type": "keyword" },
"zeek_ssl.client_issuer.ST": { "type": "keyword" },
"zeek_ssl.client_issuer.title": { "type": "keyword" },
"zeek_ssl.client_issuer_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_ssl.client_subject.C": { "type": "keyword" },
"zeek_ssl.client_subject.CN": { "type": "keyword" },
"zeek_ssl.client_subject.emailAddress": { "type": "keyword" },
"zeek_ssl.client_subject.GN": { "type": "keyword" },
"zeek_ssl.client_subject.initials": { "type": "keyword" },
"zeek_ssl.client_subject.L": { "type": "keyword" },
"zeek_ssl.client_subject.O": { "type": "keyword" },
"zeek_ssl.client_subject.OU": { "type": "keyword" },
"zeek_ssl.client_subject.pseudonym": { "type": "keyword" },
"zeek_ssl.client_subject.serialNumber": { "type": "keyword" },
"zeek_ssl.client_subject.SN": { "type": "keyword" },
"zeek_ssl.client_subject.ST": { "type": "keyword" },
"zeek_ssl.client_subject.title": { "type": "keyword" },
"zeek_ssl.client_subject_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_ssl.curve": { "type": "keyword" },
"zeek_ssl.established": { "type": "keyword" },
"zeek_ssl.issuer.C": { "type": "keyword" },
"zeek_ssl.issuer.CN": { "type": "keyword" },
"zeek_ssl.issuer.DC": { "type": "keyword" },
"zeek_ssl.issuer.emailAddress": { "type": "keyword" },
"zeek_ssl.issuer.GN": { "type": "keyword" },
"zeek_ssl.issuer.initials": { "type": "keyword" },
"zeek_ssl.issuer.L": { "type": "keyword" },
"zeek_ssl.issuer.O": { "type": "keyword" },
"zeek_ssl.issuer.OU": { "type": "keyword" },
"zeek_ssl.issuer.pseudonym": { "type": "keyword" },
"zeek_ssl.issuer.serialNumber": { "type": "keyword" },
"zeek_ssl.issuer.SN": { "type": "keyword" },
"zeek_ssl.issuer.ST": { "type": "keyword" },
"zeek_ssl.issuer.title": { "type": "keyword" },
"zeek_ssl.issuer_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_ssl.ja3": { "type": "keyword" },
"zeek_ssl.ja3_desc": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_ssl.ja3s": { "type": "keyword" },
"zeek_ssl.ja3s_desc": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_ssl.last_alert": { "type": "keyword" },
"zeek_ssl.next_protocol": { "type": "keyword" },
"zeek_ssl.resumed": { "type": "keyword" },
"zeek_ssl.server_name": { "type": "keyword" },
"zeek_ssl.ssl_version": { "type": "keyword" },
"zeek_ssl.subject.C": { "type": "keyword" },
"zeek_ssl.subject.CN": { "type": "keyword" },
"zeek_ssl.subject.description": { "type": "keyword" },
"zeek_ssl.subject.emailAddress": { "type": "keyword" },
"zeek_ssl.subject.GN": { "type": "keyword" },
"zeek_ssl.subject.initials": { "type": "keyword" },
"zeek_ssl.subject.L": { "type": "keyword" },
"zeek_ssl.subject.O": { "type": "keyword" },
"zeek_ssl.subject.OU": { "type": "keyword" },
"zeek_ssl.subject.postalCode": { "type": "keyword" },
"zeek_ssl.subject.pseudonym": { "type": "keyword" },
"zeek_ssl.subject.serialNumber": { "type": "keyword" },
"zeek_ssl.subject.SN": { "type": "keyword" },
"zeek_ssl.subject.ST": { "type": "keyword" },
"zeek_ssl.subject.street": { "type": "keyword" },
"zeek_ssl.subject.title": { "type": "keyword" },
"zeek_ssl.subject_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_ssl.validation_status": { "type": "keyword" },
"zeek_syslog.facility": { "type": "keyword" },
"zeek_syslog.message": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_syslog.severity": { "type": "keyword" },
"zeek_tds.command": { "type": "keyword" },
"zeek_tds_rpc.parameter": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_tds_rpc.parameters": { "type": "nested" },
"zeek_tds_rpc.procedure_name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_tds_sql_batch.header_type": { "type": "keyword" },
"zeek_tds_sql_batch.query": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek_tftp.wrq": { "type": "keyword" },
"zeek_tftp.fname": { "type": "keyword" },
"zeek_tftp.mode": { "type": "keyword" },
"zeek_tftp.uid_data": { "type": "keyword" },
"zeek_tftp.size": { "type": "integer" },
"zeek_tftp.block_sent": { "type": "integer" },
"zeek_tftp.block_acked": { "type": "integer" },
"zeek_tftp.error_code": { "type": "integer" },
"zeek_tftp.error_msg": { "type": "keyword" },
"zeek_tunnel.action": { "type": "keyword" },
"zeek_tunnel.tunnel_type": { "type": "keyword" },
"zeek_weird.addl": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek_weird.name": { "type": "keyword" },
"zeek_weird.notice": { "type": "keyword" },
"zeek_weird.peer": { "type": "keyword" },
"zeek_wireguard.established": { "type": "keyword" },
"zeek_wireguard.initiations": { "type": "integer" },
"zeek_wireguard.responses": { "type": "integer" },
"zeek_x509.basic_constraints_ca": { "type": "keyword" },
"zeek_x509.basic_constraints_path_len": { "type": "integer" },
"zeek_x509.certificate_curve": { "type": "keyword" },
"zeek_x509.certificate_exponent": { "type": "keyword" },
"zeek_x509.certificate_issuer.C": { "type": "keyword" },
"zeek_x509.certificate_issuer.CN": { "type": "keyword" },
"zeek_x509.certificate_issuer.DC": { "type": "keyword" },
"zeek_x509.certificate_issuer.emailAddress": { "type": "keyword" },
"zeek_x509.certificate_issuer.GN": { "type": "keyword" },
"zeek_x509.certificate_issuer.initials": { "type": "keyword" },
"zeek_x509.certificate_issuer.L": { "type": "keyword" },
"zeek_x509.certificate_issuer.O": { "type": "keyword" },
"zeek_x509.certificate_issuer.OU": { "type": "keyword" },
"zeek_x509.certificate_issuer.pseudonym": { "type": "keyword" },
"zeek_x509.certificate_issuer.serialNumber": { "type": "keyword" },
"zeek_x509.certificate_issuer.SN": { "type": "keyword" },
"zeek_x509.certificate_issuer.ST": { "type": "keyword" },
"zeek_x509.certificate_issuer.title": { "type": "keyword" },
"zeek_x509.certificate_issuer_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_x509.certificate_key_alg": { "type": "keyword" },
"zeek_x509.certificate_key_length": { "type": "integer" },
"zeek_x509.certificate_key_type": { "type": "keyword" },
"zeek_x509.certificate_not_valid_after": { "type": "date" },
"zeek_x509.certificate_not_valid_before": { "type": "date" },
"zeek_x509.certificate_serial": { "type": "keyword" },
"zeek_x509.certificate_sig_alg": { "type": "keyword" },
"zeek_x509.certificate_subject.C": { "type": "keyword" },
"zeek_x509.certificate_subject.CN": { "type": "keyword" },
"zeek_x509.certificate_subject.DC": { "type": "keyword" },
"zeek_x509.certificate_subject.description": { "type": "keyword" },
"zeek_x509.certificate_subject.emailAddress": { "type": "keyword" },
"zeek_x509.certificate_subject.GN": { "type": "keyword" },
"zeek_x509.certificate_subject.initials": { "type": "keyword" },
"zeek_x509.certificate_subject.L": { "type": "keyword" },
"zeek_x509.certificate_subject.O": { "type": "keyword" },
"zeek_x509.certificate_subject.OU": { "type": "keyword" },
"zeek_x509.certificate_subject.postalCode": { "type": "keyword" },
"zeek_x509.certificate_subject.pseudonym": { "type": "keyword" },
"zeek_x509.certificate_subject.serialNumber": { "type": "keyword" },
"zeek_x509.certificate_subject.SN": { "type": "keyword" },
"zeek_x509.certificate_subject.ST": { "type": "keyword" },
"zeek_x509.certificate_subject.street": { "type": "keyword" },
"zeek_x509.certificate_subject.title": { "type": "keyword" },
"zeek_x509.certificate_subject_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek_x509.certificate_version": { "type": "integer" },
"zeek_x509.san_dns": { "type": "keyword" },
"zeek_x509.san_email": { "type": "keyword" },
"zeek_x509.san_ip": { "type": "ip" },
"zeek_x509.san_uri": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } }
}
}
}
}
Reference in New Issue View Git Blame Copy Permalink