title: ArcSight Corelight Zeek and Corelight Opensource Zeek Configuration order: 20 backends: - arcsight - arcsight-esm logsources: zeek: product: zeek conditions: deviceVendor: Bro zeek-category-accounting: category: accounting rewrite: product: zeek service: syslog zeek-category-firewall: category: firewall rewrite: product: zeek service: conn zeek-category-dns: category: dns rewrite: product: zeek service: dns zeek-category-proxy: category: proxy rewrite: product: zeek service: http zeek-category-webserver: category: webserver rewrite: product: zeek service: http zeek-conn: product: zeek service: conn conditions: deviceEventCategory: conn zeek-conn_long: product: zeek service: conn_long conditions: deviceEventCategory: conn_long zeek-dce_rpc: product: zeek service: dce_rpc conditions: deviceEventCategory: dce_rpc zeek-dns: product: zeek service: dns conditions: deviceEventCategory: dns zeek-dnp3: product: zeek service: dnp3 conditions: deviceEventCategory: dnp3 zeek-dpd: product: zeek service: dpd conditions: deviceEventCategory: dpd zeek-files: product: zeek service: files conditions: deviceEventCategory: files zeek-ftp: product: zeek service: ftp conditions: deviceEventCategory: ftp zeek-gquic: product: zeek service: gquic conditions: deviceEventCategory: gquic zeek-http: product: zeek service: http conditions: deviceEventCategory: http zeek-http2: product: zeek service: http2 conditions: deviceEventCategory: http2 zeek-intel: product: zeek service: intel conditions: deviceEventCategory: intel zeek-irc: product: zeek service: irc conditions: deviceEventCategory: irc zeek-kerberos: product: zeek service: kerberos conditions: deviceEventCategory: kerberos zeek-known_certs: product: zeek service: known_certs conditions: deviceEventCategory: known_certs zeek-known_hosts: product: zeek service: known_hosts conditions: deviceEventCategory: known_hosts zeek-known_modbus: product: zeek service: known_modbus conditions: deviceEventCategory: known_modbus zeek-known_services: product: zeek service: known_services conditions: deviceEventCategory: known_services zeek-modbus: product: zeek service: modbus conditions: deviceEventCategory: modbus zeek-modbus_register_change: product: zeek service: modbus_register_change conditions: deviceEventCategory: modbus_register_change zeek-mqtt_connect: product: zeek service: mqtt_connect conditions: deviceEventCategory: mqtt_connect zeek-mqtt_publish: product: zeek service: mqtt_publish conditions: deviceEventCategory: mqtt_publish zeek-mqtt_subscribe: product: zeek service: mqtt_subscribe conditions: deviceEventCategory: mqtt_subscribe zeek-mysql: product: zeek service: mysql conditions: deviceEventCategory: mysql zeek-notice: product: zeek service: notice conditions: deviceEventCategory: notice zeek-ntlm: product: zeek service: ntlm conditions: deviceEventCategory: ntlm zeek-ntp: product: zeek service: ntp conditions: deviceEventCategory: ntp zeek-ocsp: product: zeek service: ntp conditions: deviceEventCategory: ocsp zeek-pe: product: zeek service: pe conditions: deviceEventCategory: pe zeek-pop3: product: zeek service: pop3 conditions: deviceEventCategory: pop3 zeek-radius: product: zeek service: radius conditions: deviceEventCategory: radius zeek-rdp: product: zeek service: rdp conditions: deviceEventCategory: rdp zeek-rfb: product: zeek service: rfb conditions: deviceEventCategory: rfb zeek-sip: product: zeek service: sip conditions: deviceEventCategory: sip zeek-smb_files: product: zeek service: smb_files conditions: deviceEventCategory: smb_files zeek-smb_mapping: product: zeek service: smb_mapping conditions: deviceEventCategory: smb_mapping zeek-smtp: product: zeek service: smtp conditions: deviceEventCategory: smtp zeek-smtp_links: product: zeek service: smtp_links conditions: deviceEventCategory: smtp_links zeek-snmp: product: zeek service: snmp conditions: deviceEventCategory: snmp zeek-socks: product: zeek service: socks conditions: deviceEventCategory: socks zeek-software: product: zeek service: software conditions: deviceEventCategory: software zeek-ssh: product: zeek service: ssh conditions: deviceEventCategory: ssh zeek-ssl: product: zeek service: ssl conditions: deviceEventCategory: tls zeek-tls: # In case people call it TLS even though orig log is called ssl, but dataset is tls so may cause confusion so cover that product: zeek service: tls conditions: deviceEventCategory: tls zeek-syslog: product: zeek service: syslog conditions: deviceEventCategory: syslog zeek-tunnel: product: zeek service: tunnel conditions: deviceEventCategory: tunnel zeek-traceroute: product: zeek service: traceroute conditions: deviceEventCategory: traceroute zeek-weird: product: zeek service: weird conditions: deviceEventCategory: weird zeek-x509: product: zeek service: x509 conditions: deviceEventCategory: x509 zeek-ip_search: product: zeek service: network conditions: deviceEventCategory: - conn - conn_long - dce_rpc - dhcp - dnp3 - dns - ftp - gquic - http - irc - kerberos - modbus - mqtt_connect - mqtt_publish - mqtt_subscribe - mysql - ntlm - ntp - radius - rfb - sip - smb_files - smb_mapping - smtp - smtp_links - snmp - socks - ssh - tls #SSL - tunnel - weird fieldmappings: cs-uri-extension: fileType cs-uri-path: filePath s-dns: - destinationDnsDomain - destinationHost # All Logs Applied Mapping & Taxonomy dst: destinationAddress dst_ip: destinationAddress dst_port: destinationPort host: requestHost #inner_vlan: mac: sourceMacAddress mime_type: fileType network_application: applicationProtocol #network_community_id: network_protocol: transportProtocol password: message port_num: sourcePort proto: transportProtocol #result: #rtt: server_name: destinationHostName src: sourceAddress src_ip: sourceAddress src_port: sourcePort #success: uri: - requestUrl - requestUrlQuery user: sourceUserName username: sourceUserName user_agent: - deviceCustomString5 - requestClientApplication #vlan: # DNS matching Taxonomy & DNS Category answer: message #question_length: record_type: deviceCustomString1 #parent_domain: # HTTP matching Taxonomy & Web/Proxy Category cs-bytes: bytesOut cs-cookie: message r-dns: - destinationDnsDomain - destinationHost sc-bytes: bytesIn sc-status: message c-uri: - requestUrl - requestUrlQuery c-uri-extension: fileType c-uri-query: - requestUrl - requestUrlQuery c-uri-stem: - requestUrl - requestUrlQuery c-useragent: - deviceCustomString5 - requestClientApplication cs-host: - destinationDnsDomain - destinationHost cs-method: requestMethod cs-referrer: - deviceCustomString4 - requestContext cs-version: message # All log UIDs #cert_chain_fuids: #client_cert_chain_fuids: #client_cert_fuid: #conn_uids: #fid: #fuid: #fuids: #id: #orig_fuids: #parent_fuid: #related_fuids: #resp_fuids: #server_cert_fuid: #tunnel_parents: #uid: #uids: #uuid: # Overlapping fields/mappings (aka: shared fields) action: - 'deviceAction' #service=smb_files: #service=mqtt: #service=tunnel: addl: - 'message' #service=dns: #service=weird: analyzer: - 'applicationProtocol' - 'name' #service=dpd: #service=files: arg: - 'message' #auth: #service=rfb: #RFB does not exist in newer logs, so skipping to cover dns.auth cipher: - 'deviceCustomString4' - 'message' #service=kerberos: #service=ssl: client: - 'deviceCustomString5' #service=kerberos: #service=ssh: command: - 'message' #service=pop3: #service=ftp: #service=irc: date: #service=sip: #service=smtp: duration: - 'deviceCustomString4' #service=conn: #service=files: #service=snmp: from: - 'message' #service=kerberos: #service=smtp: #is_orig: #service=file: #service=pop3: #local_orig: #service=conn #service=files method: - 'requestMethod' #service=http: #service=sip: msg: - 'message' #service=notice: #service=pop3: name: - 'name' #service=smb_files: #service=software: #service=weird: path: - 'filePath' #service=smb_files: #service=smb_mapping: #service=smtp: reply_msg: - 'message' #service=ftp: #service=radius: reply_to: - 'message' #service=sip: #service=smtp: response_body_len: - 'bytesOut' #service=http: #service=sip: request_body_len: - 'bytesIn' #service=http: #service=sip: service: - 'applicationProtocol' #service=kerberos: #service=smb_mapping: status: - 'message' #service=pop3: #service=mqtt: #service=socks: status_msg: - 'message' subject: - 'message' #service=known_certs: #service=sip: #service=smtp: #service=ssl: trans_depth: - 'deviceCustomNumber1' #service=http: #service=sip: #service=smtp: version: - 'message' - 'deviceCustomString2' #service=gquic: #service=ntp: #service=socks: #service=snmp: #service=ssh: #service=tls: # Conn and Conn Long #cache_add_rx_ev: #cache_add_rx_mpg: #cache_add_rx_new: #cache_add_tx_ev: #cache_add_tx_mpg: #cache_del_mpg: #cache_entries: conn_state: deviceSeverity #corelight_shunted: #duration: deviceCustomString4 #history: #id.orig_h.name_src: #id.orig_h.names_vals: #id.resp_h.name_src: #id.resp_h.name_vals: #local_orig: #local_resp: missed_bytes: deviceCustomNumber1 orig_bytes: bytesOut #orig_cc: orig_ip_bytes: deviceCustomNumber2 orig_l2_addr: sourceMacAddress #orig_pkts: resp_bytes: bytesIn #resp_cc: resp_ip_bytes: deviceCustomNumber3 resp_l2_addr: destinationMacAddress #resp_pkts: # DCE-RPC Specific endpoint: message named_pipe: message operation: message #rtt: # DHCP domain: message host_name: message lease_time: deviceCustomString4 agent_remote_id: message assigned_addr: message circuit_id: message client_message: message client_software: message client_fqdn: message #mac:sourceMacAddress msg_orig: message msg_types: message requested_addr: message server_addr: message server_message: message server_software: message subscriber_id: message # DNS AA: message #addl: message auth: message answers: message TTLs: message RA: message RD: message rejected: eventOutcome TC: message Z: message qclass: message qclass_name: deviceCustomString4 qtype: deviceEventClassId qtype_name: - deviceCustomString1 - name query: destinationDnsDomain rcode_name: message rcode: message rtt: message trans_id: deviceCustomNumber1 # DNP3 fc_reply: message fc_request: message iin: message # DPD #analyzer: failure_reason: message packet_segment: message # Files rx_hosts: destinationHostName tx_hosts: sourceHostName #analyzer: #depth: #duration: #extracted: #extracted_cutoff: #extracted_size: #entropy: md5: fileHash sha1: fileHash sha256: fileHash #is_orig: #local_orig: #missing_bytes: filename: fileName overflow_bytes: bytesOut #seen_bytes: source: filePath total_bytes: bytesIn #timedout: # GQUIC/QUIC cyu: message cyutags: message #server_name: message tag_count: message #user_agent: deviceCustomString5 #version: # FTP #arg: message #command: message cwd: message data_channel.orig_h: message data_channel.passive: eventOutcome data_channel.resp_h: message data_channel.resp_p: deviceCustomNumber1 passive: message file_size: fileSize #mime_type: fileType #password: message reply_code: deviceEventClassId #reply_msg: message #user: sourceUserName # HTTP client_header_names: message cookie_vars: message flash_version: message info_code: message info_msg: message omniture: message orig_filenames: fileName orig_mime_types: fileType origin: message #password: message post_body: message proxied: message referrer: - deviceCustomString4 - requestContext resp_filenames: fileName resp_mime_types: fileType server_header_names: message status_code: deviceSeverity #status_msg: message #trans_depth: uri_vars: message #user_agent: deviceCustomString5 #username: sourceUserName # Intel file_mime_type: message file_desc: message #host: matched: message indicator: message indicator_type: message node: message where: message sources: message # IRC dcc_file_name: fileName dcc_file_size: fileSize dcc_mime_type: fileType #command: nick: message #user: value: message # Kerberos auth_ticket: message #cipher: message #client: message client_cert_subject: message error_code: message error_msg: message #from: message forwardable: message new_ticket: message renewable: message request_type: message server_cert_subject: message #service: applicationProtocol #success: till: message # Known_Certs #host: sourceAddress issuer_subject: deviceCustomString3 #port_num: sourcePort serial: deviceCustomString4 #subject: message # Known_Modbus #host: device_type: message # Known_Services port_proto: transport #port_num: sourcePort # Modbus All delta: message new_val: message old_val: message register: message # Modbus func: message exception: message track_address: message # ModBus_Register_Change #delta: message #new_val: message #old_val: message #register: message # MQTT_Connect , MQTT_Publish, MQTT_Subscribe ack: message #action: message client_id: message connect_status: message from_client: message granted_qos_level: message payload: message payload_len: message proto_name: message proto_version: message qos: message qos_levels: message retain: message #status: message topic: message topics: message will_payload: message will_topic: message # MYSQL #arg: message cmd: message response: message rows: message #success: # Notice actions: deviceEventClassId #dropped: #dst: destinationAddress email_body_sections: message email_delay_tokens: message identifier: message #msg: n: message note: message p: destinationPort peer_descr: deviceCustomString5 peer_name: deviceCustomString4 #proto: transport #src: sourceAddress sub: message subpress_for: deviceCustomFloatingPoint1 # NTLM domainname: message hostname: message #username: sourceUserName server_nb_computer_name: message server_tree_name: message #success: server_dns_computer_name: message # NTP mode: message num_exts: message org_time: message poll: message precision: message rec_time: message ref_id: message ref_time: message root_delay: message root_disp: message stratum: message #version: xmt_time: message # OCSP certStatus: message hashAlgorithm: message issuerKeyHash: message issuerNameHash: message nextUpdate: message revokereason: message revoketime: message serialNumber: message thisUpdate: message # PE compile_ts: message has_cert_table: message has_debug_data: message has_import_table: message has_export_table: message is_64bit: message is_exe: message machine: message os: message section_names: message subsystem: message uses_aslr: message uses_code_integrity: message uses_dep: message uses_seh: message # POP3 #arg: message #command: message current_request: message current_response: message data: message failed_commands: message has_client_activity: message #is_orig: message #msg: message #password: pending: message #status: message successful_commands: message #username: sourceUserName # Radius connect_info: message framed_addr: message #mac:sourceMacAddress #reply_msg: message #result: ttl: message tunnel_client: message #username: sourceUserName # RDP cert_count: message cert_permanent: message cert_type: message client_build: message client_dig_product_id: message client_name: message cookie: message desktop_height: message desktop_width: message encryption_level: message encryption_method: message keyboard_layout: message requested_color_depth: message #result: security_protocol: message ssl: message # RFB #auth: authentication_method: message client_major_version: message client_minor_version: message desktop_name: message height: message server_major_version: message server_minor_version: message share_flag: message width: message # SIP call_id: message content_type: message #date: message #method: requestMethod #reply_to: message #request_body_len: message request_from: message request_path: message request_to: message #response_body_len: message response_from: message response_path: message response_to: message seq: message #status_code: #status_msg: message #subject: message #trans_depth: deviceCustomNumber1 #uri: warning: message #user_agent: deviceCustomString5 # SMB_Files #action: #name: fileName #path: filePath prev_name: message size: fileSize times_accessed: message times_changed: message times_created: message times_modified: message # SMB_Mapping native_file_system: message #path: filePath share_type: message #service: # SMTP cc: message #date: message first_received: message #from: helo: message in_reply_to: message is_webmail: message last_reply: message mailfrom: sourceUserName #msg_id: message #path: message rcptto: message #reply_to: message second_received: message #subject: message tls: message to: message #trans_depth: deviceCustomNumber1 x_originating_ip: message #user_agent: deviceCustomString5 # SMTP_Links #host: #uri: # SNMP #duration: community: message display_string: message get_bulk_requests: message get_requests: message set_requests: message up_since: message #version: # Socks #password: message bound_host: message bound_name: message bound_p: message request_host: message request_name: message request_p: message #status: message #version: message # Software #host: host_p: sourcePort version.major: deviceCustomString3 version.minor: deviceCustomString4 version.minor2: message version.minor3: message #name: unparsed_version: message software_type: deviceEventClassId #url: # SSH #auth_attempts: auth_success: name cipher_alg: message #client: deviceCustomString5 compression_alg: cshka: message direction: deviceDirection hassh: message hasshAlgorithms: message hasshServer: message hasshServerAlgorithms: message hasshVersion: message host_key: message host_key_alg: message kex_alg: message mac_alg: message server: deviceCustomString4 #version: # SSL / TLS #cipher: deviceCustomString4 client_issuer: deviceCustomString1 client_subject: sourceUserName curve: message established: eventOutcome issuer: deviceCustomString1 ja3: message ja3s: message last_alert: message next_protocol: message notary: message ocsp_status: message orig_certificate_sha1: message resp_certificate_sha1: message resumed: message #server_name: destinationHostName #subject: message valid_ct_logs: message valid_ct_operators: message valid_ct_operators_list: message validation_status: message #version: deviceCustomString2 version_num: message # Syslog facility: message severity: message message: message # Traceroute #proto: transport #dst: destinationAddress #src: sourceAddress # Tunnel #action: deviceAction tunnel_type: name # Weird #addl: message #name: name notice: message peer: deviceCustomString4 # X509 basic_constraints.ca: message basic_constraints.path_len: message certificate.cn: message certificate.curve: message certificate.exponent: message certificate.issuer: deviceCustomString3 certificate.key_alg: message certificate.key_length: message certificate.key_type: message certificate.not_valid_after: deviceCustomDate2 certificate.not_valid_before: deviceCustomDate1 certificate.serial: message certificate.sig_alg: message certificate.subject: message certificate.version: message logcert: message san.dns: message - destinationDnsDomain - destinationHost san.email: - message - sourceUserName san.ip: - message - sourceAddress san.uri: - requestUrl - requestUrlQuery # Few other variations of names from zeek source itself id_orig_h: sourceAddress id_orig_p: sourcePort id_resp_h: destinationAddress id_resp_p: destinationPort # Temporary one off rule name fields cs-uri: requestUrl destination.domain: destination.ip: destinationAddress destination.port: destinationPort http.response.status_code: deviceSeverity #http.request.body.content source.domain: #sourceAddress: #TONOTE: is arcsight source.port: sourcePort agent.version: deviceCustomString2 c-ip: sourceAddress clientip: sourceAddress clientIP: sourceAddress dest_domain: - url.domain dest_ip: destinationAddress dest_port: destinationPort #TODO:WhatShouldThisBe?==dest: #TODO:WhatShouldThisBe?==destination: #TODO:WhatShouldThisBe?==Destination: destination.hostname: destinationHostName #DestinationAddress: #TONOTE: is arcsight #DestinationHostname: #TONOTE: is arcsight DestinationIp: destinationAddress DestinationIP: destinationAddress DestinationPort: destinationPort dst-ip: destinationAddress dstip: destinationAddress dstport: destinationPort Host: requestHost #host: HostVersion: deviceCustomString2 http_host: destinationHostName http_uri: requestUrl http_url: requestUrl http_user_agent: - deviceCustomString5 - requestClientApplication http.request.url-query-params: - requestUrl - requestUrlQuery HttpMethod: requestMethod in_url: requestUrl #parent_domain: # - url.registered_domain # - destination.registered_domain post_url_parameter: requestUrl Request Url: requestUrl request_url: requestUrl request_URL: requestUrl RequestUrl: requestUrl #response: http.response.status_code resource.url: requestUrl resource.URL: requestUrl sc_status: deviceSeverity sender_domain: message service.response_code: deviceSeverity SourceAddr: sourceAddress SourceAddress: sourceAddress SourceIP: sourceAddress SourceIp: sourceAddress SourceNetworkAddress: - source.address - sourceAddress SourcePort: sourcePort srcip: sourceAddress Status: deviceSeverity #status: deviceSeverity url: requestUrl URL: requestUrl url_query: - requestUrl - requestUrlQuery url.query: - requestUrl - requestUrlQuery uri_path: requestUrl #user_agent: user_agent.original user_agent.name: - deviceCustomString5 - requestClientApplication user-agent: - deviceCustomString5 - requestClientApplication User-Agent: - deviceCustomString5 - requestClientApplication useragent: - deviceCustomString5 - requestClientApplication UserAgent: - deviceCustomString5 - requestClientApplication User Agent: - deviceCustomString5 - requestClientApplication web_dest: destinationHostName web.dest: destinationHostName Web.dest: destinationHostName web.host: destinationHostName Web.host: destinationHostName web_method: requestMethod Web_method: requestMethod web.method: requestMethod Web.method: requestMethod web_src: sourceAddress web_status: deviceSeverity Web_status: deviceSeverity web.status: deviceSeverity Web.status: deviceSeverity web_uri: requestUrl web_url: requestUrl