title: Zeek field mappings for default collection of JSON logs with no parsing/normalization done and sending into logstash-*index order: 20 backends: - es-qs - es-dsl - elasticsearch-rule - kibana - xpack-watcher - elastalert - elastalert-dsl logsources: zeek: product: zeek index: 'logstash*' zeek-category-accounting: category: accounting rewrite: product: zeek service: syslog zeek-category-firewall: category: firewall rewrite: product: zeek service: conn zeek-category-dns: category: dns rewrite: product: zeek service: dns zeek-category-proxy: category: proxy rewrite: product: zeek service: http zeek-category-webserver: category: webserver rewrite: product: zeek service: http zeek-conn: product: zeek service: conn conditions: '@stream': conn zeek-conn_long: product: zeek service: conn_long conditions: '@stream': conn_long zeek-dce_rpc: product: zeek service: dce_rpc conditions: '@stream': dce_rpc zeek-dns: product: zeek service: dns conditions: '@stream': dns zeek-dnp3: product: zeek service: dnp3 conditions: '@stream': dnp3 zeek-dpd: product: zeek service: dpd conditions: '@stream': dpd zeek-files: product: zeek service: files conditions: '@stream': files zeek-ftp: product: zeek service: ftp conditions: '@stream': ftp zeek-gquic: product: zeek service: gquic conditions: '@stream': gquic zeek-http: product: zeek service: http conditions: '@stream': http zeek-http2: product: zeek service: http2 conditions: '@stream': http2 zeek-intel: product: zeek service: intel conditions: '@stream': intel zeek-irc: product: zeek service: irc conditions: '@stream': irc zeek-kerberos: product: zeek service: kerberos conditions: '@stream': kerberos zeek-known_certs: product: zeek service: known_certs conditions: '@stream': known_certs zeek-known_hosts: product: zeek service: known_hosts conditions: '@stream': known_hosts zeek-known_modbus: product: zeek service: known_modbus conditions: '@stream': known_modbus zeek-known_services: product: zeek service: known_services conditions: '@stream': known_services zeek-modbus: product: zeek service: modbus conditions: '@stream': modbus zeek-modbus_register_change: product: zeek service: modbus_register_change conditions: '@stream': modbus_register_change zeek-mqtt_connect: product: zeek service: mqtt_connect conditions: '@stream': mqtt_connect zeek-mqtt_publish: product: zeek service: mqtt_publish conditions: '@stream': mqtt_publish zeek-mqtt_subscribe: product: zeek service: mqtt_subscribe conditions: '@stream': mqtt_subscribe zeek-mysql: product: zeek service: mysql conditions: '@stream': mysql zeek-notice: product: zeek service: notice conditions: '@stream': notice zeek-ntlm: product: zeek service: ntlm conditions: '@stream': ntlm zeek-ntp: product: zeek service: ntp conditions: '@stream': ntp zeek-ocsp: product: zeek service: ntp conditions: '@stream': ocsp zeek-pe: product: zeek service: pe conditions: '@stream': pe zeek-pop3: product: zeek service: pop3 conditions: '@stream': pop3 zeek-radius: product: zeek service: radius conditions: '@stream': radius zeek-rdp: product: zeek service: rdp conditions: '@stream': rdp zeek-rfb: product: zeek service: rfb conditions: '@stream': rfb zeek-sip: product: zeek service: sip conditions: '@stream': sip zeek-smb_files: product: zeek service: smb_files conditions: '@stream': smb_files zeek-smb_mapping: product: zeek service: smb_mapping conditions: '@stream': smb_mapping zeek-smtp: product: zeek service: smtp conditions: '@stream': smtp zeek-smtp_links: product: zeek service: smtp_links conditions: '@stream': smtp_links zeek-snmp: product: zeek service: snmp conditions: '@stream': snmp zeek-socks: product: zeek service: socks conditions: '@stream': socks zeek-software: product: zeek service: software conditions: '@stream': software zeek-ssh: product: zeek service: ssh conditions: '@stream': ssh zeek-ssl: product: zeek service: ssl conditions: '@stream': ssl zeek-tls: # In case people call it TLS even though orig log is called ssl product: zeek service: tls conditions: '@stream': ssl zeek-syslog: product: zeek service: syslog conditions: '@stream': syslog zeek-tunnel: product: zeek service: tunnel conditions: '@stream': tunnel zeek-traceroute: product: zeek service: traceroute conditions: '@stream': traceroute zeek-weird: product: zeek service: weird conditions: '@stream': weird zeek-x509: product: zeek service: x509 conditions: '@stream': x509 zeek-ip_search: product: zeek service: network conditions: '@stream': - conn - conn_long - dce_rpc - dhcp - dnp3 - dns - ftp - gquic - http - irc - kerberos - modbus - mqtt_connect - mqtt_publish - mqtt_subscribe - mysql - ntlm - ntp - radius - rfb - sip - smb_files - smb_mapping - smtp - smtp_links - snmp - socks - ssh - tls #SSL - tunnel - weird defaultindex: 'logstash-*' fieldmappings: # All Logs Applied Mapping & Taxonomy dst_ip: id.resp_h dst_port: id.resp_p network_protocol: proto src_ip: id.orig_h src_port: id.orig_p # DNS matching Taxonomy & DNS Category answer: answers #question_length: # Does not exist in open source version record_type: qtype_name #parent_domain: # Does not exist in open source version # HTTP matching Taxonomy & Web/Proxy Category cs-bytes: request_body_len cs-cookie: cookie r-dns: host sc-bytes: response_body_len sc-status: status_code c-uri: uri c-uri-extension: uri c-uri-query: uri c-uri-stem: uri c-useragent: user_agent cs-host: host cs-method: method cs-referrer: referrer cs-version: version # Few other variations of names from zeek source itself id_orig_h: id.orig_h id_orig_p: id.orig_p id_resp_h: id.resp_h id_resp_p: id.resp_p # Temporary one off rule name fields agent.version: version c-cookie: cookie c-ip: id.orig_h cs-uri: uri clientip: id.orig_h clientIP: id.orig_h dest_domain: - query - host - server_name dest_ip: id.resp_h dest_port: id.resp_p #TODO:WhatShouldThisBe?==dest: #TODO:WhatShouldThisBe?==destination: #TODO:WhatShouldThisBe?==Destination: destination.hostname: - query - host - server_name DestinationAddress: id.resp_h DestinationHostname: - host - query - server_name DestinationIp: id.resp_h DestinationIP: id.resp_h DestinationPort: id.resp_p dst-ip: id.resp_h dstip: id.resp_h dstport: id.resp_p Host: - host - query - server_name HostVersion: http.version http_host: - host - query - server_name http_uri: uri http_url: uri http_user_agent: user_agent http.request.url-query-params: uri HttpMethod: method in_url: uri # parent_domain: # Not in open source zeek post_url_parameter: uri Request Url: uri request_url: uri request_URL: uri RequestUrl: uri #response: status_code resource.url: uri resource.URL: uri sc_status: status_code sender_domain: - query - server_name service.response_code: status_code source: id.orig_h SourceAddr: id.orig_h SourceAddress: id.orig_h SourceIP: id.orig_h SourceIp: id.orig_h SourceNetworkAddress: id.orig_h SourcePort: id.orig_p srcip: id.orig_h Status: status_code status: status_code url: uri URL: uri url_query: uri url.query: uri uri_path: uri user_agent: user_agent user_agent.name: user_agent user-agent: user_agent User-Agent: user_agent useragent: user_agent UserAgent: user_agent User Agent: user_agent web_dest: - host - query - server_name web.dest: - host - query - server_name Web.dest: - host - query - server_name web.host: - host - query - server_name Web.host: - host - query - server_name web_method: method Web_method: method web.method: method Web.method: method web_src: id.orig_h web_status: status_code Web_status: status_code web.status: status_code Web.status: status_code web_uri: uri web_url: uri # Most are in ECS, but for things not using Elastic - these need renamed destination.ip: id.resp_h destination.port: id.resp_p http.request.body.content: post_body #source.domain: source.ip: id.orig_h source.port: id.orig_p