security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/tools/config/arcsight-zeek.yml
T
Florian Roth 51a4315ab9 fix: referrer > referer adjustments
2021-12-13 15:47:43 +01:00

1171 lines
25 KiB
YAML
Raw Blame History

title: ArcSight Corelight Zeek and Corelight Opensource Zeek Configuration
order: 20
backends:
- arcsight
- arcsight-esm
logsources:
zeek:
product: zeek
conditions:
deviceVendor: Bro
zeek-category-accounting:
category: accounting
rewrite:
product: zeek
service: syslog
zeek-category-firewall:
category: firewall
rewrite:
product: zeek
service: conn
zeek-category-dns:
category: dns
rewrite:
product: zeek
service: dns
zeek-category-proxy:
category: proxy
rewrite:
product: zeek
service: http
zeek-category-webserver:
category: webserver
rewrite:
product: zeek
service: http
zeek-conn:
product: zeek
service: conn
conditions:
deviceEventCategory: conn
zeek-conn_long:
product: zeek
service: conn_long
conditions:
deviceEventCategory: conn_long
zeek-dce_rpc:
product: zeek
service: dce_rpc
conditions:
deviceEventCategory: dce_rpc
zeek-dns:
product: zeek
service: dns
conditions:
deviceEventCategory: dns
zeek-dnp3:
product: zeek
service: dnp3
conditions:
deviceEventCategory: dnp3
zeek-dpd:
product: zeek
service: dpd
conditions:
deviceEventCategory: dpd
zeek-files:
product: zeek
service: files
conditions:
deviceEventCategory: files
zeek-ftp:
product: zeek
service: ftp
conditions:
deviceEventCategory: ftp
zeek-gquic:
product: zeek
service: gquic
conditions:
deviceEventCategory: gquic
zeek-http:
product: zeek
service: http
conditions:
deviceEventCategory: http
zeek-http2:
product: zeek
service: http2
conditions:
deviceEventCategory: http2
zeek-intel:
product: zeek
service: intel
conditions:
deviceEventCategory: intel
zeek-irc:
product: zeek
service: irc
conditions:
deviceEventCategory: irc
zeek-kerberos:
product: zeek
service: kerberos
conditions:
deviceEventCategory: kerberos
zeek-known_certs:
product: zeek
service: known_certs
conditions:
deviceEventCategory: known_certs
zeek-known_hosts:
product: zeek
service: known_hosts
conditions:
deviceEventCategory: known_hosts
zeek-known_modbus:
product: zeek
service: known_modbus
conditions:
deviceEventCategory: known_modbus
zeek-known_services:
product: zeek
service: known_services
conditions:
deviceEventCategory: known_services
zeek-modbus:
product: zeek
service: modbus
conditions:
deviceEventCategory: modbus
zeek-modbus_register_change:
product: zeek
service: modbus_register_change
conditions:
deviceEventCategory: modbus_register_change
zeek-mqtt_connect:
product: zeek
service: mqtt_connect
conditions:
deviceEventCategory: mqtt_connect
zeek-mqtt_publish:
product: zeek
service: mqtt_publish
conditions:
deviceEventCategory: mqtt_publish
zeek-mqtt_subscribe:
product: zeek
service: mqtt_subscribe
conditions:
deviceEventCategory: mqtt_subscribe
zeek-mysql:
product: zeek
service: mysql
conditions:
deviceEventCategory: mysql
zeek-notice:
product: zeek
service: notice
conditions:
deviceEventCategory: notice
zeek-ntlm:
product: zeek
service: ntlm
conditions:
deviceEventCategory: ntlm
zeek-ntp:
product: zeek
service: ntp
conditions:
deviceEventCategory: ntp
zeek-ocsp:
product: zeek
service: ntp
conditions:
deviceEventCategory: ocsp
zeek-pe:
product: zeek
service: pe
conditions:
deviceEventCategory: pe
zeek-pop3:
product: zeek
service: pop3
conditions:
deviceEventCategory: pop3
zeek-radius:
product: zeek
service: radius
conditions:
deviceEventCategory: radius
zeek-rdp:
product: zeek
service: rdp
conditions:
deviceEventCategory: rdp
zeek-rfb:
product: zeek
service: rfb
conditions:
deviceEventCategory: rfb
zeek-sip:
product: zeek
service: sip
conditions:
deviceEventCategory: sip
zeek-smb_files:
product: zeek
service: smb_files
conditions:
deviceEventCategory: smb_files
zeek-smb_mapping:
product: zeek
service: smb_mapping
conditions:
deviceEventCategory: smb_mapping
zeek-smtp:
product: zeek
service: smtp
conditions:
deviceEventCategory: smtp
zeek-smtp_links:
product: zeek
service: smtp_links
conditions:
deviceEventCategory: smtp_links
zeek-snmp:
product: zeek
service: snmp
conditions:
deviceEventCategory: snmp
zeek-socks:
product: zeek
service: socks
conditions:
deviceEventCategory: socks
zeek-software:
product: zeek
service: software
conditions:
deviceEventCategory: software
zeek-ssh:
product: zeek
service: ssh
conditions:
deviceEventCategory: ssh
zeek-ssl:
product: zeek
service: ssl
conditions:
deviceEventCategory: tls
zeek-tls: # In case people call it TLS even though orig log is called ssl, but dataset is tls so may cause confusion so cover that
product: zeek
service: tls
conditions:
deviceEventCategory: tls
zeek-syslog:
product: zeek
service: syslog
conditions:
deviceEventCategory: syslog
zeek-tunnel:
product: zeek
service: tunnel
conditions:
deviceEventCategory: tunnel
zeek-traceroute:
product: zeek
service: traceroute
conditions:
deviceEventCategory: traceroute
zeek-weird:
product: zeek
service: weird
conditions:
deviceEventCategory: weird
zeek-x509:
product: zeek
service: x509
conditions:
deviceEventCategory: x509
zeek-ip_search:
product: zeek
service: network
conditions:
deviceEventCategory:
- conn
- conn_long
- dce_rpc
- dhcp
- dnp3
- dns
- ftp
- gquic
- http
- irc
- kerberos
- modbus
- mqtt_connect
- mqtt_publish
- mqtt_subscribe
- mysql
- ntlm
- ntp
- radius
- rfb
- sip
- smb_files
- smb_mapping
- smtp
- smtp_links
- snmp
- socks
- ssh
- tls #SSL
- tunnel
- weird
fieldmappings:
cs-uri-extension: fileType
cs-uri-path: filePath
s-dns:
- destinationDnsDomain
- destinationHost
# All Logs Applied Mapping & Taxonomy
dst: destinationAddress
dst_ip: destinationAddress
dst_port: destinationPort
host: requestHost
#inner_vlan:
mac: sourceMacAddress
mime_type: fileType
network_application: applicationProtocol
#network_community_id:
network_protocol: transportProtocol
password: message
port_num: sourcePort
proto: transportProtocol
#result:
#rtt:
server_name: destinationHostName
src: sourceAddress
src_ip: sourceAddress
src_port: sourcePort
#success:
uri:
- requestUrl
- requestUrlQuery
user: sourceUserName
username: sourceUserName
user_agent:
- deviceCustomString5
- requestClientApplication
#vlan:
# DNS matching Taxonomy & DNS Category
answer: message
#question_length:
record_type: deviceCustomString1
#parent_domain:
# HTTP matching Taxonomy & Web/Proxy Category
cs-bytes: bytesOut
cs-cookie: message
r-dns:
- destinationDnsDomain
- destinationHost
sc-bytes: bytesIn
sc-status: message
c-uri:
- requestUrl
- requestUrlQuery
c-uri-extension: fileType
c-uri-query:
- requestUrl
- requestUrlQuery
c-uri-stem:
- requestUrl
- requestUrlQuery
c-useragent:
- deviceCustomString5
- requestClientApplication
cs-host:
- destinationDnsDomain
- destinationHost
cs-method: requestMethod
cs-referer:
- deviceCustomString4
- requestContext
cs-version: message
# All log UIDs
#cert_chain_fuids:
#client_cert_chain_fuids:
#client_cert_fuid:
#conn_uids:
#fid:
#fuid:
#fuids:
#id:
#orig_fuids:
#parent_fuid:
#related_fuids:
#resp_fuids:
#server_cert_fuid:
#tunnel_parents:
#uid:
#uids:
#uuid:
# Overlapping fields/mappings (aka: shared fields)
action:
- 'deviceAction'
#service=smb_files:
#service=mqtt:
#service=tunnel:
addl:
- 'message'
#service=dns:
#service=weird:
analyzer:
- 'applicationProtocol'
- 'name'
#service=dpd:
#service=files:
arg:
- 'message'
#auth:
#service=rfb: #RFB does not exist in newer logs, so skipping to cover dns.auth
cipher:
- 'deviceCustomString4'
- 'message'
#service=kerberos:
#service=ssl:
client:
- 'deviceCustomString5'
#service=kerberos:
#service=ssh:
command:
- 'message'
#service=pop3:
#service=ftp:
#service=irc:
date:
#service=sip:
#service=smtp:
duration:
- 'deviceCustomString4'
#service=conn:
#service=files:
#service=snmp:
from:
- 'message'
#service=kerberos:
#service=smtp:
#is_orig:
#service=file:
#service=pop3:
#local_orig:
#service=conn
#service=files
method:
- 'requestMethod'
#service=http:
#service=sip:
msg:
- 'message'
#service=notice:
#service=pop3:
name:
- 'name'
#service=smb_files:
#service=software:
#service=weird:
path:
- 'filePath'
#service=smb_files:
#service=smb_mapping:
#service=smtp:
reply_msg:
- 'message'
#service=ftp:
#service=radius:
reply_to:
- 'message'
#service=sip:
#service=smtp:
response_body_len:
- 'bytesOut'
#service=http:
#service=sip:
request_body_len:
- 'bytesIn'
#service=http:
#service=sip:
service:
- 'applicationProtocol'
#service=kerberos:
#service=smb_mapping:
status:
- 'message'
#service=pop3:
#service=mqtt:
#service=socks:
status_msg:
- 'message'
subject:
- 'message'
#service=known_certs:
#service=sip:
#service=smtp:
#service=ssl:
trans_depth:
- 'deviceCustomNumber1'
#service=http:
#service=sip:
#service=smtp:
version:
- 'message'
- 'deviceCustomString2'
#service=gquic:
#service=ntp:
#service=socks:
#service=snmp:
#service=ssh:
#service=tls:
# Conn and Conn Long
#cache_add_rx_ev:
#cache_add_rx_mpg:
#cache_add_rx_new:
#cache_add_tx_ev:
#cache_add_tx_mpg:
#cache_del_mpg:
#cache_entries:
conn_state: deviceSeverity
#corelight_shunted:
#duration: deviceCustomString4
#history:
#id.orig_h.name_src:
#id.orig_h.names_vals:
#id.resp_h.name_src:
#id.resp_h.name_vals:
#local_orig:
#local_resp:
missed_bytes: deviceCustomNumber1
orig_bytes: bytesOut
#orig_cc:
orig_ip_bytes: deviceCustomNumber2
orig_l2_addr: sourceMacAddress
#orig_pkts:
resp_bytes: bytesIn
#resp_cc:
resp_ip_bytes: deviceCustomNumber3
resp_l2_addr: destinationMacAddress
#resp_pkts:
# DCE-RPC Specific
endpoint: message
named_pipe: message
operation: message
#rtt:
# DHCP
domain: message
host_name: message
lease_time: deviceCustomString4
agent_remote_id: message
assigned_addr: message
circuit_id: message
client_message: message
client_software: message
client_fqdn: message
#mac:sourceMacAddress
msg_orig: message
msg_types: message
requested_addr: message
server_addr: message
server_message: message
server_software: message
subscriber_id: message
# DNS
AA: message
#addl: message
auth: message
answers: message
TTLs: message
RA: message
RD: message
rejected: eventOutcome
TC: message
Z: message
qclass: message
qclass_name: deviceCustomString4
qtype: deviceEventClassId
qtype_name:
- deviceCustomString1
- name
query: destinationDnsDomain
rcode_name: message
rcode: message
rtt: message
trans_id: deviceCustomNumber1
# DNP3
fc_reply: message
fc_request: message
iin: message
# DPD
#analyzer:
failure_reason: message
packet_segment: message
# Files
rx_hosts: destinationHostName
tx_hosts: sourceHostName
#analyzer:
#depth:
#duration:
#extracted:
#extracted_cutoff:
#extracted_size:
#entropy:
md5: fileHash
sha1: fileHash
sha256: fileHash
#is_orig:
#local_orig:
#missing_bytes:
filename: fileName
overflow_bytes: bytesOut
#seen_bytes:
source: filePath
total_bytes: bytesIn
#timedout:
# GQUIC/QUIC
cyu: message
cyutags: message
#server_name: message
tag_count: message
#user_agent: deviceCustomString5
#version:
# FTP
#arg: message
#command: message
cwd: message
data_channel.orig_h: message
data_channel.passive: eventOutcome
data_channel.resp_h: message
data_channel.resp_p: deviceCustomNumber1
passive: message
file_size: fileSize
#mime_type: fileType
#password: message
reply_code: deviceEventClassId
#reply_msg: message
#user: sourceUserName
# HTTP
client_header_names: message
cookie_vars: message
flash_version: message
info_code: message
info_msg: message
omniture: message
orig_filenames: fileName
orig_mime_types: fileType
origin: message
#password: message
post_body: message
proxied: message
referer:
- deviceCustomString4
- requestContext
resp_filenames: fileName
resp_mime_types: fileType
server_header_names: message
status_code: deviceSeverity
#status_msg: message
#trans_depth:
uri_vars: message
#user_agent: deviceCustomString5
#username: sourceUserName
# Intel
file_mime_type: message
file_desc: message
#host:
matched: message
indicator: message
indicator_type: message
node: message
where: message
sources: message
# IRC
dcc_file_name: fileName
dcc_file_size: fileSize
dcc_mime_type: fileType
#command:
nick: message
#user:
value: message
# Kerberos
auth_ticket: message
#cipher: message
#client: message
client_cert_subject: message
error_code: message
error_msg: message
#from: message
forwardable: message
new_ticket: message
renewable: message
request_type: message
server_cert_subject: message
#service: applicationProtocol
#success:
till: message
# Known_Certs
#host: sourceAddress
issuer_subject: deviceCustomString3
#port_num: sourcePort
serial: deviceCustomString4
#subject: message
# Known_Modbus
#host:
device_type: message
# Known_Services
port_proto: transport
#port_num: sourcePort
# Modbus All
delta: message
new_val: message
old_val: message
register: message
# Modbus
func: message
exception: message
track_address: message
# ModBus_Register_Change
#delta: message
#new_val: message
#old_val: message
#register: message
# MQTT_Connect , MQTT_Publish, MQTT_Subscribe
ack: message
#action: message
client_id: message
connect_status: message
from_client: message
granted_qos_level: message
payload: message
payload_len: message
proto_name: message
proto_version: message
qos: message
qos_levels: message
retain: message
#status: message
topic: message
topics: message
will_payload: message
will_topic: message
# MYSQL
#arg: message
cmd: message
response: message
rows: message
#success:
# Notice
actions: deviceEventClassId
#dropped:
#dst: destinationAddress
email_body_sections: message
email_delay_tokens: message
identifier: message
#msg:
n: message
note: message
p: destinationPort
peer_descr: deviceCustomString5
peer_name: deviceCustomString4
#proto: transport
#src: sourceAddress
sub: message
subpress_for: deviceCustomFloatingPoint1
# NTLM
domainname: message
hostname: message
#username: sourceUserName
server_nb_computer_name: message
server_tree_name: message
#success:
server_dns_computer_name: message
# NTP
mode: message
num_exts: message
org_time: message
poll: message
precision: message
rec_time: message
ref_id: message
ref_time: message
root_delay: message
root_disp: message
stratum: message
#version:
xmt_time: message
# OCSP
certStatus: message
hashAlgorithm: message
issuerKeyHash: message
issuerNameHash: message
nextUpdate: message
revokereason: message
revoketime: message
serialNumber: message
thisUpdate: message
# PE
compile_ts: message
has_cert_table: message
has_debug_data: message
has_import_table: message
has_export_table: message
is_64bit: message
is_exe: message
machine: message
os: message
section_names: message
subsystem: message
uses_aslr: message
uses_code_integrity: message
uses_dep: message
uses_seh: message
# POP3
#arg: message
#command: message
current_request: message
current_response: message
data: message
failed_commands: message
has_client_activity: message
#is_orig: message
#msg: message
#password:
pending: message
#status: message
successful_commands: message
#username: sourceUserName
# Radius
connect_info: message
framed_addr: message
#mac:sourceMacAddress
#reply_msg: message
#result:
ttl: message
tunnel_client: message
#username: sourceUserName
# RDP
cert_count: message
cert_permanent: message
cert_type: message
client_build: message
client_dig_product_id: message
client_name: message
cookie: message
desktop_height: message
desktop_width: message
encryption_level: message
encryption_method: message
keyboard_layout: message
requested_color_depth: message
#result:
security_protocol: message
ssl: message
# RFB
#auth:
authentication_method: message
client_major_version: message
client_minor_version: message
desktop_name: message
height: message
server_major_version: message
server_minor_version: message
share_flag: message
width: message
# SIP
call_id: message
content_type: message
#date: message
#method: requestMethod
#reply_to: message
#request_body_len: message
request_from: message
request_path: message
request_to: message
#response_body_len: message
response_from: message
response_path: message
response_to: message
seq: message
#status_code:
#status_msg: message
#subject: message
#trans_depth: deviceCustomNumber1
#uri:
warning: message
#user_agent: deviceCustomString5
# SMB_Files
#action:
#name: fileName
#path: filePath
prev_name: message
size: fileSize
times_accessed: message
times_changed: message
times_created: message
times_modified: message
# SMB_Mapping
native_file_system: message
#path: filePath
share_type: message
#service:
# SMTP
cc: message
#date: message
first_received: message
#from:
helo: message
in_reply_to: message
is_webmail: message
last_reply: message
mailfrom: sourceUserName
#msg_id: message
#path: message
rcptto: message
#reply_to: message
second_received: message
#subject: message
tls: message
to: message
#trans_depth: deviceCustomNumber1
x_originating_ip: message
#user_agent: deviceCustomString5
# SMTP_Links
#host:
#uri:
# SNMP
#duration:
community: message
display_string: message
get_bulk_requests: message
get_requests: message
set_requests: message
up_since: message
#version:
# Socks
#password: message
bound_host: message
bound_name: message
bound_p: message
request_host: message
request_name: message
request_p: message
#status: message
#version: message
# Software
#host:
host_p: sourcePort
version.major: deviceCustomString3
version.minor: deviceCustomString4
version.minor2: message
version.minor3: message
#name:
unparsed_version: message
software_type: deviceEventClassId
#url:
# SSH
#auth_attempts:
auth_success: name
cipher_alg: message
#client: deviceCustomString5
compression_alg:
cshka: message
direction: deviceDirection
hassh: message
hasshAlgorithms: message
hasshServer: message
hasshServerAlgorithms: message
hasshVersion: message
host_key: message
host_key_alg: message
kex_alg: message
mac_alg: message
server: deviceCustomString4
#version:
# SSL / TLS
#cipher: deviceCustomString4
client_issuer: deviceCustomString1
client_subject: sourceUserName
curve: message
established: eventOutcome
issuer: deviceCustomString1
ja3: message
ja3s: message
last_alert: message
next_protocol: message
notary: message
ocsp_status: message
orig_certificate_sha1: message
resp_certificate_sha1: message
resumed: message
#server_name: destinationHostName
#subject: message
valid_ct_logs: message
valid_ct_operators: message
valid_ct_operators_list: message
validation_status: message
#version: deviceCustomString2
version_num: message
# Syslog
facility: message
severity: message
message: message
# Traceroute
#proto: transport
#dst: destinationAddress
#src: sourceAddress
# Tunnel
#action: deviceAction
tunnel_type: name
# Weird
#addl: message
#name: name
notice: message
peer: deviceCustomString4
# X509
basic_constraints.ca: message
basic_constraints.path_len: message
certificate.cn: message
certificate.curve: message
certificate.exponent: message
certificate.issuer: deviceCustomString3
certificate.key_alg: message
certificate.key_length: message
certificate.key_type: message
certificate.not_valid_after: deviceCustomDate2
certificate.not_valid_before: deviceCustomDate1
certificate.serial: message
certificate.sig_alg: message
certificate.subject: message
certificate.version: message
logcert: message
san.dns: message
- destinationDnsDomain
- destinationHost
san.email:
- message
- sourceUserName
san.ip:
- message
- sourceAddress
san.uri:
- requestUrl
- requestUrlQuery
# Few other variations of names from zeek source itself
id_orig_h: sourceAddress
id_orig_p: sourcePort
id_resp_h: destinationAddress
id_resp_p: destinationPort
# Temporary one off rule name fields
cs-uri: requestUrl
destination.domain:
destination.ip: destinationAddress
destination.port: destinationPort
http.response.status_code: deviceSeverity
#http.request.body.content
source.domain:
#sourceAddress: #TONOTE: is arcsight
source.port: sourcePort
agent.version: deviceCustomString2
c-ip: sourceAddress
clientip: sourceAddress
clientIP: sourceAddress
dest_domain:
- url.domain
dest_ip: destinationAddress
dest_port: destinationPort
#TODO:WhatShouldThisBe?==dest:
#TODO:WhatShouldThisBe?==destination:
#TODO:WhatShouldThisBe?==Destination:
destination.hostname: destinationHostName
#DestinationAddress: #TONOTE: is arcsight
#DestinationHostname: #TONOTE: is arcsight
DestinationIp: destinationAddress
DestinationIP: destinationAddress
DestinationPort: destinationPort
dst-ip: destinationAddress
dstip: destinationAddress
dstport: destinationPort
Host: requestHost
#host:
HostVersion: deviceCustomString2
http_host: destinationHostName
http_uri: requestUrl
http_url: requestUrl
http_user_agent:
- deviceCustomString5
- requestClientApplication
http.request.url-query-params:
- requestUrl
- requestUrlQuery
HttpMethod: requestMethod
in_url: requestUrl
#parent_domain:
# - url.registered_domain
# - destination.registered_domain
post_url_parameter: requestUrl
Request_Url: requestUrl
request_url: requestUrl
request_URL: requestUrl
RequestUrl: requestUrl
#response: http.response.status_code
resource.url: requestUrl
resource.URL: requestUrl
sc_status: deviceSeverity
sender_domain: message
service.response_code: deviceSeverity
SourceAddr: sourceAddress
SourceAddress: sourceAddress
SourceIP: sourceAddress
SourceIp: sourceAddress
SourceNetworkAddress:
- source.address
- sourceAddress
SourcePort: sourcePort
srcip: sourceAddress
Status: deviceSeverity
#status: deviceSeverity
url: requestUrl
URL: requestUrl
url_query:
- requestUrl
- requestUrlQuery
url.query:
- requestUrl
- requestUrlQuery
uri_path: requestUrl
#user_agent: user_agent.original
user_agent.name:
- deviceCustomString5
- requestClientApplication
user-agent:
- deviceCustomString5
- requestClientApplication
User-Agent:
- deviceCustomString5
- requestClientApplication
useragent:
- deviceCustomString5
- requestClientApplication
UserAgent:
- deviceCustomString5
- requestClientApplication
User_Agent:
- deviceCustomString5
- requestClientApplication
web_dest: destinationHostName
web.dest: destinationHostName
Web.dest: destinationHostName
web.host: destinationHostName
Web.host: destinationHostName
web_method: requestMethod
Web_method: requestMethod
web.method: requestMethod
Web.method: requestMethod
web_src: sourceAddress
web_status: deviceSeverity
Web_status: deviceSeverity
web.status: deviceSeverity
Web.status: deviceSeverity
web_uri: requestUrl
web_url: requestUrl
Reference in New Issue View Git Blame Copy Permalink