title: Splunk Zeek sourcetype mappings
order: 20
backends:
  - splunk
  - splunkxml
  - corelight_splunk
logsources:
  zeek-category-accounting:
    category: accounting
    rewrite:
      product: zeek
      service: syslog
  zeek-category-firewall:
    category: firewall
    rewrite:
      product: zeek
      service: conn
  zeek-category-dns:
    category: dns
    rewrite:
      product: zeek
      service: dns
  zeek-category-proxy:
    category: proxy
    rewrite:
      product: zeek
      service: http
  zeek-category-webserver:
    category: webserver
    rewrite:
      product: zeek
      service: http
  zeek-conn:
    product: zeek
    service: conn
    rewrite:
      product: zeek
      service: conn
  zeek-conn_long:
    product: zeek
    service: conn_long
    conditions:
      sourcetype: 'bro:conn_long:json'
  zeek-dce_rpc:
    product: zeek
    service: dce_rpc
    conditions:
      sourcetype: 'bro:dce_rpc:json'
  zeek-dns:
    product: zeek
    service: dns
    conditions:
      sourcetype: 'bro:dns:json'
  zeek-dnp3:
    product: zeek
    service: dnp3
    conditions:
      sourcetype: 'bro:dnp3:json'
  zeek-dpd:
    product: zeek
    service: dpd
    conditions:
      sourcetype: 'bro:dpd:json'
  zeek-files:
    product: zeek
    service: files
    conditions:
      sourcetype: 'bro:files:json'
  zeek-ftp:
    product: zeek
    service: ftp
    conditions:
      sourcetype: 'bro:ftp:json'
  zeek-gquic:
    product: zeek
    service: gquic
    conditions:
      sourcetype: 'bro:gquic:json'
  zeek-http:
    product: zeek
    service: http
    conditions:
      sourcetype: 'bro:http:json'
  zeek-http2:
    product: zeek
    service: http2
    conditions:
      sourcetype: 'bro:http2:json'
  zeek-intel:
    product: zeek
    service: intel
    conditions:
      sourcetype: 'bro:intel:json'
  zeek-irc:
    product: zeek
    service: irc
    conditions:
      sourcetype: 'bro:irc:json'
  zeek-kerberos:
    product: zeek
    service: kerberos
    conditions:
      sourcetype: 'bro:kerberos:json'
  zeek-known_certs:
    product: zeek
    service: known_certs
    conditions:
      sourcetype: 'bro:known_certs:json'
  zeek-known_hosts:
    product: zeek
    service: known_hosts
    conditions:
      sourcetype: 'bro:known_hosts:json'
  zeek-known_modbus:
    product: zeek
    service: known_modbus
    conditions:
      sourcetype: 'bro:known_modbus:json'
  zeek-known_services:
    product: zeek
    service: known_services
    conditions:
      sourcetype: 'bro:known_services:json'
  zeek-modbus:
    product: zeek
    service: modbus
    conditions:
      sourcetype: 'bro:modbus:json'
  zeek-modbus_register_change:
    product: zeek
    service: modbus_register_change
    conditions:
      sourcetype: 'bro:modbus_register_change:json'
  zeek-mqtt_connect:
    product: zeek
    service: mqtt_connect
    conditions:
      sourcetype: 'bro:mqtt_connect:json'
  zeek-mqtt_publish:
    product: zeek
    service: mqtt_publish
    conditions:
      sourcetype: 'bro:mqtt_publish:json'
  zeek-mqtt_subscribe:
    product: zeek
    service: mqtt_subscribe
    conditions:
      sourcetype: 'bro:mqtt_subscribe:json'
  zeek-mysql:
    product: zeek
    service: mysql
    conditions:
      sourcetype: 'bro:mysql:json'
  zeek-notice:
    product: zeek
    service: notice
    conditions:
      sourcetype: 'bro:notice:json'
  zeek-ntlm:
    product: zeek
    service: ntlm
    conditions:
      sourcetype: 'bro:ntlm:json'
  zeek-ntp:
    product: zeek
    service: ntp
    conditions:
      sourcetype: 'bro:ntp:json'
  zeek-ocsp:
    product: zeek
    service: ntp
    conditions:
      sourcetype: 'bro:ocsp:json'
  zeek-pe:
    product: zeek
    service: pe
    conditions:
      sourcetype: 'bro:pe:json'
  zeek-pop3:
    product: zeek
    service: pop3
    conditions:
      sourcetype: 'bro:pop3:json'
  zeek-radius:
    product: zeek
    service: radius
    conditions:
      sourcetype: 'bro:radius:json'
  zeek-rdp:
    product: zeek
    service: rdp
    conditions:
      sourcetype: 'bro:rdp:json'
  zeek-rfb:
    product: zeek
    service: rfb
    conditions:
      sourcetype: 'bro:rfb:json'
  zeek-sip:
    product: zeek
    service: sip
    conditions:
      sourcetype: 'bro:sip:json'
  zeek-smb_files:
    product: zeek
    service: smb_files
    conditions:
      sourcetype: 'bro:smb_files:json'
  zeek-smb_mapping:
    product: zeek
    service: smb_mapping
    conditions:
      sourcetype: 'bro:smb_mapping:json'
  zeek-smtp:
    product: zeek
    service: smtp
    conditions:
      sourcetype: 'bro:smtp:json'
  zeek-smtp_links:
    product: zeek
    service: smtp_links
    conditions:
      sourcetype: 'bro:smtp_links:json'
  zeek-snmp:
    product: zeek
    service: snmp
    conditions:
      sourcetype: 'bro:snmp:json'
  zeek-socks:
    product: zeek
    service: socks
    conditions:
      sourcetype: 'bro:socks:json'
  zeek-software:
    product: zeek
    service: software
    conditions:
      sourcetype: 'bro:software:json'
  zeek-ssh:
    product: zeek
    service: ssh
    conditions:
      sourcetype: 'bro:ssh:json'
  zeek-ssl:
    product: zeek
    service: ssl
    conditions:
      sourcetype: 'bro:ssl:json'
  zeek-tls: # In case people call it TLS even though log is called ssl
    product: zeek
    service: tls
    conditions:
      sourcetype: 'bro:ssl:json'
  zeek-syslog:
    product: zeek
    service: syslog
    conditions:
      sourcetype: 'bro:syslog:json'
  zeek-tunnel:
    product: zeek
    service: tunnel
    conditions:
      sourcetype: 'bro:tunnel:json'
  zeek-traceroute:
    product: zeek
    service: traceroute
    conditions:
      sourcetype: 'bro:traceroute:json'
  zeek-weird:
    product: zeek
    service: weird
    conditions:
      sourcetype: 'bro:weird:json'
  zeek-x509:
    product: zeek
    service: x509
    conditions:
      sourcetype: 'bro:x509:json'
  zeek-ip_search:
    product: zeek
    service: network
    conditions:
      sourcetype:
        - 'bro:conn:json'
        - 'bro:conn_long:json'
        - 'bro:dce_rpc:json'
        - 'bro:dhcp:json'
        - 'bro:dnp3:json'
        - 'bro:dns:json'
        - 'bro:ftp:json'
        - 'bro:gquic:json'
        - 'bro:http:json'
        - 'bro:irc:json'
        - 'bro:kerberos:json'
        - 'bro:modbus:json'
        - 'bro:mqtt_connect:json'
        - 'bro:mqtt_publish:json'
        - 'bro:mqtt_subscribe:json'
        - 'bro:mysql:json'
        - 'bro:ntlm:json'
        - 'bro:ntp:json'
        - 'bro:radius:json'
        - 'bro:rfb:json'
        - 'bro:sip:json'
        - 'bro:smb_files:json'
        - 'bro:smb_mapping:json'
        - 'bro:smtp:json'
        - 'bro:smtp_links:json'
        - 'bro:snmp:json'
        - 'bro:socks:json'
        - 'bro:ssh:json'
        - 'bro:ssl:json'
        - 'bro:tunnel:json'
        - 'bro:weird:json'
fieldmappings:
  # All Logs Applied Mapping & Taxonomy
  dst_ip: id.resp_h
  dst_port: id.resp_p
  network_protocol: proto
  src_ip: id.orig_h
  src_port: id.orig_p
  # DNS matching Taxonomy & DNS Category
  answer: answers
  #question_length: # Does not exist in open source version
  record_type: qtype_name
  #parent_domain: # Does not exist in open source version
  # HTTP matching Taxonomy & Web/Proxy Category
  cs-bytes: request_body_len
  cs-cookie: cookie
  r-dns: host
  sc-bytes: response_body_len
  sc-status: status_code
  c-uri: uri
  c-uri-extension: uri
  c-uri-query: uri
  c-uri-stem: uri
  c-useragent: user_agent
  cs-host: host
  cs-method: method
  cs-referrer: referrer
  cs-version: version
  # Few other variations of names from zeek source itself
  id_orig_h: id.orig_h
  id_orig_p: id.orig_p
  id_resp_h: id.resp_h
  id_resp_p: id.resp_p
  # Temporary one off rule name fields
  agent.version: version
  c-cookie: cookie
  c-ip: id.orig_h
  cs-uri: uri
  clientip: id.orig_h
  clientIP: id.orig_h
  dest_domain:
    - query
    - host
    - server_name
  dest_ip: id.resp_h
  dest_port: id.resp_p
  #TODO:WhatShouldThisBe?==dest:
  #TODO:WhatShouldThisBe?==destination:
  #TODO:WhatShouldThisBe?==Destination:
  destination.hostname:
    - query
    - host
    - server_name
  DestinationAddress: id.resp_h
  DestinationHostname:
    - host
    - query
    - server_name
  DestinationIp: id.resp_h
  DestinationIP: id.resp_h
  DestinationPort: id.resp_p
  dst-ip: id.resp_h
  dstip: id.resp_h
  dstport: id.resp_p
  Host:
    - host
    - query
    - server_name
  HostVersion: http.version
  http_host:
    - host
    - query
    - server_name
  http_uri: uri
  http_url: uri
  http_user_agent: user_agent
  http.request.url-query-params: uri
  HttpMethod: method
  in_url: uri
  # parent_domain: # Not in open source zeek
  post_url_parameter: uri
  Request Url: uri
  request_url: uri
  request_URL: uri
  RequestUrl: uri
  #response: status_code
  resource.url: uri
  resource.URL: uri
  sc_status: status_code
  sender_domain:
    - query
    - server_name
  service.response_code: status_code
  source: id.orig_h
  SourceAddr: id.orig_h
  SourceAddress: id.orig_h
  SourceIP: id.orig_h
  SourceIp: id.orig_h
  SourceNetworkAddress: id.orig_h
  SourcePort: id.orig_p
  srcip: id.orig_h
  Status: status_code
  status: status_code
  url: uri
  URL: uri
  url_query: uri
  url.query: uri
  uri_path: uri
  user_agent: user_agent
  user_agent.name: user_agent
  user-agent: user_agent
  User-Agent: user_agent
  useragent: user_agent
  UserAgent: user_agent
  User Agent: user_agent
  web_dest:
    - host
    - query
    - server_name
  web.dest:
    - host
    - query
    - server_name
  Web.dest:
    - host
    - query
    - server_name
  web.host:
    - host
    - query
    - server_name
  Web.host:
    - host
    - query
    - server_name
  web_method: method
  Web_method: method
  web.method: method
  Web.method: method
  web_src: id.orig_h
  web_status: status_code
  Web_status: status_code
  web.status: status_code
  Web.status: status_code
  web_uri: uri
  web_url: uri
  # Most are in ECS, but for things not using Elastic - these need renamed
  destination.ip: id.resp_h
  destination.port: id.resp_p
  http.request.body.content: post_body
  source.domain:
    - host
    - query
    - server_name
  source.ip: id.orig_h
  source.port: id.orig_p