title: Humio log source conditions order: 20 backends: - humio logsources: zeek: product: zeek zeek-category-accounting: category: accounting rewrite: product: zeek service: syslog zeek-category-firewall: category: firewall rewrite: product: zeek service: conn zeek-category-dns: category: dns rewrite: product: zeek service: dns zeek-category-proxy: category: proxy rewrite: product: zeek service: http zeek-category-webserver: category: webserver rewrite: product: zeek service: http zeek-conn: product: zeek service: conn conditions: '@stream': conn zeek-conn_long: product: zeek service: conn_long conditions: '@stream': conn_long zeek-dce_rpc: product: zeek service: dce_rpc conditions: '@stream': dce_rpc zeek-dns: product: zeek service: dns conditions: '@stream': dns zeek-dnp3: product: zeek service: dnp3 conditions: '@stream': dnp3 zeek-dpd: product: zeek service: dpd conditions: '@stream': dpd zeek-files: product: zeek service: files conditions: '@stream': files zeek-ftp: product: zeek service: ftp conditions: '@stream': ftp zeek-gquic: product: zeek service: gquic conditions: '@stream': gquic zeek-http: product: zeek service: http conditions: '@stream': http zeek-http2: product: zeek service: http2 conditions: '@stream': http2 zeek-intel: product: zeek service: intel conditions: '@stream': intel zeek-irc: product: zeek service: irc conditions: '@stream': irc zeek-kerberos: product: zeek service: kerberos conditions: '@stream': kerberos zeek-known_certs: product: zeek service: known_certs conditions: '@stream': known_certs zeek-known_hosts: product: zeek service: known_hosts conditions: '@stream': known_hosts zeek-known_modbus: product: zeek service: known_modbus conditions: '@stream': known_modbus zeek-known_services: product: zeek service: known_services conditions: '@stream': known_services zeek-modbus: product: zeek service: modbus conditions: '@stream': modbus zeek-modbus_register_change: product: zeek service: modbus_register_change conditions: '@stream': modbus_register_change zeek-mqtt_connect: product: zeek service: mqtt_connect conditions: '@stream': mqtt_connect zeek-mqtt_publish: product: zeek service: mqtt_publish conditions: '@stream': mqtt_publish zeek-mqtt_subscribe: product: zeek service: mqtt_subscribe conditions: '@stream': mqtt_subscribe zeek-mysql: product: zeek service: mysql conditions: '@stream': mysql zeek-notice: product: zeek service: notice conditions: '@stream': notice zeek-ntlm: product: zeek service: ntlm conditions: '@stream': ntlm zeek-ntp: product: zeek service: ntp conditions: '@stream': ntp zeek-ocsp: product: zeek service: ntp conditions: '@stream': ocsp zeek-pe: product: zeek service: pe conditions: '@stream': pe zeek-pop3: product: zeek service: pop3 conditions: '@stream': pop3 zeek-radius: product: zeek service: radius conditions: '@stream': radius zeek-rdp: product: zeek service: rdp conditions: '@stream': rdp zeek-rfb: product: zeek service: rfb conditions: '@stream': rfb zeek-sip: product: zeek service: sip conditions: '@stream': sip zeek-smb_files: product: zeek service: smb_files conditions: '@stream': smb_files zeek-smb_mapping: product: zeek service: smb_mapping conditions: '@stream': smb_mapping zeek-smtp: product: zeek service: smtp conditions: '@stream': smtp zeek-smtp_links: product: zeek service: smtp_links conditions: '@stream': smtp_links zeek-snmp: product: zeek service: snmp conditions: '@stream': snmp zeek-socks: product: zeek service: socks conditions: '@stream': socks zeek-software: product: zeek service: software conditions: '@stream': software zeek-ssh: product: zeek service: ssh conditions: '@stream': ssh zeek-ssl: product: zeek service: ssl conditions: '@stream': ssl zeek-tls: # In case people call it TLS even though orig log is called ssl product: zeek service: tls conditions: '@stream': ssl zeek-syslog: product: zeek service: syslog conditions: '@stream': syslog zeek-tunnel: product: zeek service: tunnel conditions: '@stream': tunnel zeek-traceroute: product: zeek service: traceroute conditions: '@stream': traceroute zeek-weird: product: zeek service: weird conditions: '@stream': weird zeek-x509: product: zeek service: x509 conditions: '@stream': x509 zeek-ip_search: product: zeek service: network conditions: '@stream': - conn - conn_long - dce_rpc - dhcp - dnp3 - dns - ftp - gquic - http - irc - kerberos - modbus - mqtt_connect - mqtt_publish - mqtt_subscribe - mysql - ntlm - ntp - radius - rfb - sip - smb_files - smb_mapping - smtp - smtp_links - snmp - socks - ssh - tls #SSL - tunnel - weird fieldmappings: # Deep mappings Taxonomy for overall/general fields dst_ip: product=windows: winlog.event_data.DestinationIp product=zeek: id.resp_h src_ip: product=windows: winlog.event_data.SourceIp product=zeek: id.orig_h dst_port: product=windows: winlog.event_data.DestinationPort product=zeek: id.resp_p src_port: product=windows: winlog.event_data.SourcePort product=zeek: id.orig_p network_protocol: product=zeek: proto # Deep mappings Taxonomy for DNS Category and DNS service answer: product=zeek: answers #question_length: # product=zeek: # Does not exist in open source version record_type: product=zeek: qtype_name #parent_domain: #product=zeek: # Does not exist in open source version # Deep mappings Taxonomy for HTTP, Webserver category, and Proxy category cs-bytes: product=zeek: request_body_len cs-cookie: product=zeek: cookie r-dns: product=zeek: host sc-bytes: product=zeek: response_body_len sc-status: product=zeek: status_code c-uri: product=zeek: uri c-uri-extension: product=zeek: uri c-uri-query: product=zeek: uri c-uri-stem: product=zeek: uri c-useragent: product=zeek: user_agent cs-host: product=zeek: host cs-method: product=zeek: method cs-referer: product=zeek: referrer cs-version: product=zeek: version # Windows / WEF / Winlogbeat EventID: winlog.event_id Event_ID: winlog.event_id eventId: winlog.event_id event_id: winlog.event_id event-id: winlog.event_id eventid: winlog.event_id AccessMask: winlog.event_data.AccessMask AccountName: winlog.event_data.AccountName AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName AuditPolicyChanges: winlog.event_data.AuditPolicyChanges AuthenticationPackageName: winlog.event_data.AuthenticationPackageName CallingProcessName: winlog.event_data.CallingProcessName CallTrace: winlog.event_data.CallTrace Channel: winlog.channel CommandLine: winlog.event_data.CommandLine ComputerName: winlog.ComputerName CurrentDirectory: winlog.event_data.CurrentDirectory Description: winlog.event_data.Description DestinationHostname: winlog.event_data.DestinationHostname DestinationIp: winlog.event_data.DestinationIp DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 DestinationPort: winlog.event_data.DestinationPort Details: winlog.event_data.Details EngineVersion: winlog.event_data.EngineVersion EventType: winlog.event_data.EventType FailureCode: winlog.event_data.FailureCode FileName: winlog.event_data.FileName GrantedAccess: winlog.event_data.GrantedAccess GroupName: winlog.event_data.GroupName GroupSid: winlog.event_data.GroupSid Hashes: winlog.event_data.Hashes HiveName: winlog.event_data.HiveName HostVersion: winlog.event_data.HostVersion Image: winlog.event_data.Image ImageLoaded: winlog.event_data.ImageLoaded ImagePath: winlog.event_data.ImagePath Imphash: winlog.event_data.Imphash IpAddress: winlog.event_data.IpAddress KeyLength: winlog.event_data.KeyLength LogonProcessName: winlog.event_data.LogonProcessName LogonType: winlog.event_data.LogonType NewProcessName: winlog.event_data.NewProcessName ObjectClass: winlog.event_data.ObjectClass ObjectName: winlog.event_data.ObjectName ObjectType: winlog.event_data.ObjectType ObjectValueName: winlog.event_data.ObjectValueName ParentCommandLine: winlog.event_data.ParentCommandLine ParentProcessName: winlog.event_data.ParentProcessName ParentImage: winlog.event_data.ParentImage Path: winlog.event_data.Path PipeName: winlog.event_data.PipeName ProcessCommandLine: winlog.event_data.ProcessCommandLine ProcessName: winlog.event_data.ProcessName Properties: winlog.event_data.Properties SecurityID: winlog.event_data.SecurityID ServiceFileName: winlog.event_data.ServiceFileName ServiceName: winlog.event_data.ServiceName ShareName: winlog.event_data.ShareName Signature: winlog.event_data.Signature Source: winlog.event_data.Source SourceImage: winlog.event_data.SourceImage SourceIp: winlog.event_data.SourceIp StartModule: winlog.event_data.StartModule Status: winlog.event_data.Status SubjectUserName: winlog.event_data.SubjectUserName SubjectUserSid: winlog.event_data.SubjectUserSid TargetFilename: winlog.event_data.TargetFilename Targetfilename: winlog.event_data.TargetFilename TargetImage: winlog.event_data.TargetImage TargetObject: winlog.event_data.TargetObject TicketEncryptionType: winlog.event_data.TicketEncryptionType TicketOptions: winlog.event_data.TicketOptions User: winlog.event_data.User WorkstationName: winlog.event_data.WorkstationName # Channel: WLAN-Autoconfig AND EventID: 8001 AuthenticationAlgorithm: winlog.event_data.AuthenticationAlgorithm BSSID: winlog.event_data.BSSID BSSType: winlog.event_data.BSSType CipherAlgorithm: winlog.event_data.CipherAlgorithm ConnectionId: winlog.event_data.ConnectionId ConnectionMode: winlog.event_data.ConnectionMode InterfaceDescription: winlog.event_data.InterfaceDescription InterfaceGuid: winlog.event_data.InterfaceGuid OnexEnabled: winlog.event_data.OnexEnabled PHYType: winlog.event_data.PHYType ProfileName: winlog.event_data.ProfileName SSID: winlog.event_data.SSID # Zeek Deep Mappings # Temporary one off rule name fields agent.version: product=zeek: version c-cookie: product=zeek: cookie c-ip: product=zeek: id.orig_h cs-uri: product=zeek: uri clientip: product=zeek: id.orig_h clientIP: product=zeek: id.orig_h dest_domain: product=zeek: host #- query #- server_name dest_ip: product=zeek: id.resp_h dest_port: product=zeek: id.resp_p #TODO:WhatShouldThisBe?==dest: #TODO:WhatShouldThisBe?==destination: #TODO:WhatShouldThisBe?==Destination: destination.hostname: product=zeek: host #- query #- server_name DestinationAddress: product=zeek: id.resp_h dst-ip: product=zeek: id.resp_h dstip: product=zeek: id.resp_h dstport: product=zeek: id.resp_p Host: product=zeek: host #- query #- server_name http_host: product=zeek: host #- query #- server_name http_uri: product=zeek: uri http_url: product=zeek: uri http_user_agent: product=zeek: user_agent http.request.url-query-params: product=zeek: uri HttpMethod: product=zeek: method in_url: product=zeek: uri post_url_parameter: product=zeek: uri Request_Url: product=zeek: uri request_url: product=zeek: uri request_URL: product=zeek: uri RequestUrl: product=zeek: uri response: product=zeek: status_code resource.url: product=zeek: uri resource.URL: product=zeek: uri sc_status: product=zeek: status_code service.response_code: product=zeek: status_code source: product=zeek: id.orig_h SourceAddr: product=zeek: id.orig_h SourceAddress: product=zeek: id.orig_h SourceIP: product=zeek: id.orig_h SourceNetworkAddress: product=zeek: id.orig_h SourcePort: product=zeek: id.orig_p srcip: product=zeek: id.orig_h status: product=zeek: status_code url: product=zeek: uri URL: product=zeek: uri url_query: product=zeek: uri url.query: product=zeek: uri uri_path: product=zeek: uri user_agent: product=zeek: user_agent user_agent.name: product=zeek: user_agent user-agent: product=zeek: user_agent User-Agent: product=zeek: user_agent useragent: product=zeek: user_agent UserAgent: product=zeek: user_agent User_Agent: product=zeek: user_agent web_dest: product=zeek: host #- query #- server_name web.dest: product=zeek: host #- query #- server_name Web.dest: product=zeek: host #- query #- server_name web.host: product=zeek: host #- query #- server_name Web.host: product=zeek: host #- query #- server_name web_method: product=zeek: method Web_method: product=zeek: method web.method: product=zeek: method Web.method: product=zeek: method web_src: product=zeek: id.orig_h web_status: product=zeek: status_code Web_status: product=zeek: status_code web.status: product=zeek: status_code Web.status: product=zeek: status_code web_uri: product=zeek: uri web_url: product=zeek: uri # Already destination.ip: product=zeek: id.resp_h destination.port: product=zeek: id.resp_p http.request.body.content: product=zeek: post_body #source.domain: source.ip: product=zeek: id.orig_h source.port: product=zeek: id.orig_p