{
"template": {
"settings" : {
"index" : {
"mapping.total_fields.limit" : "6000",
"mapping.nested_fields.limit" : "250",
"max_docvalue_fields_search" : "200"
}
},
"mappings": {
"properties": {
"zeek.analyzer.cause": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.analyzer.analyzer_kind": { "type": "keyword" },
"zeek.analyzer.analyzer_name": { "type": "keyword" },
"zeek.analyzer.failure_reason": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.analyzer.failure_data": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.conn.conn_state": { "type": "keyword" },
"zeek.conn.conn_state_description": { "type": "keyword" },
"zeek.conn.duration": { "type": "float" },
"zeek.conn.history": { "type": "keyword" },
"zeek.conn.inner_vlan": { "type": "integer" },
"zeek.conn.ja4l": { "type": "keyword" },
"zeek.conn.ja4ls": { "type": "keyword" },
"zeek.conn.ja4t": { "type": "keyword" },
"zeek.conn.ja4ts": { "type": "keyword" },
"zeek.conn.local_orig": { "type": "keyword" },
"zeek.conn.local_resp": { "type": "keyword" },
"zeek.conn.missed_bytes": { "type": "long" },
"zeek.conn.orig_bytes": { "type": "long" },
"zeek.conn.orig_ip_bytes": { "type": "long" },
"zeek.conn.orig_pkts": { "type": "integer" },
"zeek.conn.resp_bytes": { "type": "long" },
"zeek.conn.resp_ip_bytes": { "type": "long" },
"zeek.conn.resp_pkts": { "type": "integer" },
"zeek.conn.tunnel_parents": { "type": "keyword" },
"zeek.conn.vlan": { "type": "integer" },
"zeek.dce_rpc.endpoint": { "type": "keyword" },
"zeek.dce_rpc.named_pipe": { "type": "keyword" },
"zeek.dce_rpc.operation": { "type": "keyword" },
"zeek.dce_rpc.rtt": { "type": "float" },
"zeek.dhcp.assigned_ip": { "type": "ip" },
"zeek.dhcp.client_fqdn": { "type": "keyword" },
"zeek.dhcp.client_message": { "type": "keyword" },
"zeek.dhcp.client_software": { "type": "keyword" },
"zeek.dhcp.domain": { "type": "keyword" },
"zeek.dhcp.duration": { "type": "float" },
"zeek.dhcp.host_name": { "type": "keyword" },
"zeek.dhcp.lease_time": { "type": "float" },
"zeek.dhcp.mac": { "type": "keyword" },
"zeek.dhcp.msg_types": { "type": "keyword" },
"zeek.dhcp.requested_ip": { "type": "ip" },
"zeek.dhcp.server_message": { "type": "keyword" },
"zeek.dhcp.server_software": { "type": "keyword" },
"zeek.dhcp.trans_id": { "type": "keyword" },
"zeek.dns.AA": { "type": "keyword" },
"zeek.dns.answers": { "type": "keyword" },
"zeek.dns.qclass": { "type": "keyword" },
"zeek.dns.qclass_name": { "type": "keyword" },
"zeek.dns.qtype": { "type": "keyword" },
"zeek.dns.qtype_name": { "type": "keyword" },
"zeek.dns.query": { "type": "keyword" },
"zeek.dns.RA": { "type": "keyword" },
"zeek.dns.rcode": { "type": "short" },
"zeek.dns.rcode_name": { "type": "keyword" },
"zeek.dns.RD": { "type": "keyword" },
"zeek.dns.rejected": { "type": "keyword" },
"zeek.dns.rtt": { "type": "float" },
"zeek.dns.TC": { "type": "keyword" },
"zeek.dns.trans_id": { "type": "keyword" },
"zeek.dns.TTLs": { "type": "float" },
"zeek.dns.Z": { "type": "keyword" },
"zeek.dpd.failure_reason": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.dpd.service": { "type": "keyword" },
"zeek.files.analyzers": { "type": "keyword" },
"zeek.files.conn_uids": { "type": "keyword" },
"zeek.files.depth": { "type": "integer" },
"zeek.files.duration": { "type": "float" },
"zeek.files.extracted": { "type": "keyword" },
"zeek.files.extracted_cutoff": { "type": "keyword" },
"zeek.files.extracted_size": { "type": "long" },
"zeek.files.extracted_uri": { "type": "keyword" },
"zeek.files.filename": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.files.ftime": { "type": "date" },
"zeek.files.local_orig": { "type": "keyword" },
"zeek.files.md5": { "type": "keyword" },
"zeek.files.mime_type": { "type": "keyword" },
"zeek.files.missing_bytes": { "type": "long" },
"zeek.files.overflow_bytes": { "type": "long" },
"zeek.files.parent_fuid": { "type": "keyword" },
"zeek.files.rx_hosts": { "type": "ip" },
"zeek.files.seen_bytes": { "type": "long" },
"zeek.files.sha1": { "type": "keyword" },
"zeek.files.sha256": { "type": "keyword" },
"zeek.files.timedout": { "type": "keyword" },
"zeek.files.total_bytes": { "type": "long" },
"zeek.files.tx_hosts": { "type": "ip" },
"zeek.ftp.arg": { "type": "keyword" },
"zeek.ftp.command": { "type": "keyword" },
"zeek.ftp.data_channel.orig_h": { "type": "ip" },
"zeek.ftp.data_channel.passive": { "type": "keyword" },
"zeek.ftp.data_channel.resp_h": { "type": "ip" },
"zeek.ftp.data_channel.resp_p": { "type": "integer" },
"zeek.ftp.file_size": { "type": "long" },
"zeek.ftp.mime_type": { "type": "keyword" },
"zeek.ftp.reply_code": { "type": "short" },
"zeek.ftp.reply_msg": { "type": "keyword" },
"zeek.fuid": { "type": "keyword" },
"zeek.gquic.cyu": { "type": "keyword" },
"zeek.gquic.cyutags": { "type": "keyword" },
"zeek.gquic.server_name": { "type": "keyword" },
"zeek.gquic.tag_count": { "type": "integer" },
"zeek.gquic.user_agent": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek.gquic.version": { "type": "keyword" },
"zeek.http.client_header_names": { "type": "keyword" },
"zeek.http.host": { "type": "keyword" },
"zeek.http.info_code": { "type": "short" },
"zeek.http.info_msg": { "type": "keyword" },
"zeek.http.ja4h": { "type": "keyword" },
"zeek.http.method": { "type": "keyword" },
"zeek.http.orig_filenames": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.http.orig_fuids": { "type": "keyword" },
"zeek.http.orig_mime_types": { "type": "keyword" },
"zeek.http.origin": { "type": "keyword" },
"zeek.http.post_password_plain": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek.http.post_username": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek.http.proxied": { "type": "keyword" },
"zeek.http.referrer": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek.http.request_body_len": { "type": "long" },
"zeek.http.resp_filenames": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.http.resp_fuids": { "type": "keyword" },
"zeek.http.resp_mime_types": { "type": "keyword" },
"zeek.http.response_body_len": { "type": "long" },
"zeek.http.server_header_names": { "type": "keyword" },
"zeek.http.status_code": { "type": "short" },
"zeek.http.status_msg": { "type": "keyword", "ignore_above": 1024 },
"zeek.http.tags": { "type": "keyword" },
"zeek.http.trans_depth": { "type": "integer" },
"zeek.http.uri": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek.http.user_agent": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek.http.version": { "type": "keyword" },
"zeek.intel.cif_confidence": { "type": "float" },
"zeek.intel.file_description": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } },
"zeek.intel.file_mime_type": { "type": "keyword" },
"zeek.intel.seen_node": { "type": "keyword" },
"zeek.intel.seen_where": { "type": "keyword" },
"zeek.ipsec.certificates": { "type": "keyword" },
"zeek.ipsec.doi": { "type": "integer" },
"zeek.ipsec.exchange_type": { "type": "integer" },
"zeek.ipsec.flag_a": { "type": "keyword" },
"zeek.ipsec.flag_c": { "type": "keyword" },
"zeek.ipsec.flag_e": { "type": "keyword" },
"zeek.ipsec.flag_i": { "type": "keyword" },
"zeek.ipsec.flag_r": { "type": "keyword" },
"zeek.ipsec.flag_v": { "type": "keyword" },
"zeek.ipsec.flags": { "type": "keyword" },
"zeek.ipsec.hash": { "type": "keyword" },
"zeek.ipsec.initiator_spi": { "type": "keyword" },
"zeek.ipsec.ke_dh_groups": { "type": "integer" },
"zeek.ipsec.length": { "type": "integer" },
"zeek.ipsec.maj_ver": { "type": "integer" },
"zeek.ipsec.message_id": { "type": "keyword" },
"zeek.ipsec.min_ver": { "type": "integer" },
"zeek.ipsec.notify_messages": { "type": "keyword" },
"zeek.ipsec.proposals": { "type": "integer" },
"zeek.ipsec.protocol_id": { "type": "integer" },
"zeek.ipsec.responder_spi": { "type": "keyword" },
"zeek.ipsec.situation": { "type": "keyword" },
"zeek.ipsec.transform_attributes": { "type": "keyword" },
"zeek.ipsec.transforms": { "type": "keyword" },
"zeek.ipsec.vendor_ids": { "type": "keyword" },
"zeek.irc.addl": { "type": "keyword" },
"zeek.irc.command": { "type": "keyword" },
"zeek.irc.dcc_file_name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.irc.dcc_file_size": { "type": "long" },
"zeek.irc.dcc_mime_type": { "type": "keyword" },
"zeek.irc.nick": { "type": "keyword" },
"zeek.irc.value": { "type": "keyword" },
"zeek.kerberos.cipher": { "type": "keyword" },
"zeek.kerberos.client_cert_fuid": { "type": "keyword" },
"zeek.kerberos.client_cert_subject": { "type": "keyword" },
"zeek.kerberos.cname": { "type": "keyword" },
"zeek.kerberos.error_msg": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.kerberos.forwardable": { "type": "keyword" },
"zeek.kerberos.from": { "type": "date" },
"zeek.kerberos.renewable": { "type": "keyword" },
"zeek.kerberos.request_type": { "type": "keyword" },
"zeek.kerberos.server_cert_fuid": { "type": "keyword" },
"zeek.kerberos.server_cert_subject": { "type": "keyword" },
"zeek.kerberos.sname": { "type": "keyword" },
"zeek.kerberos.success": { "type": "keyword" },
"zeek.kerberos.till": { "type": "date" },
"zeek.known_certs.issuer_subject": { "type": "keyword" },
"zeek.known_certs.serial": { "type": "keyword" },
"zeek.known_certs.subject": { "type": "keyword" },
"zeek.known_routers.ttl": { "type": "integer" },
"zeek.known_routers.hlim": { "type": "integer" },
"zeek.ldap.argument": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } },
"zeek.ldap.message_id": { "type": "keyword" },
"zeek.ldap.object": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.ldap.operation": { "type": "keyword" },
"zeek.ldap.result_code": { "type": "keyword" },
"zeek.ldap.result_message": { "type": "keyword" },
"zeek.ldap.version": { "type": "integer" },
"zeek.ldap_search.attributes": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } },
"zeek.ldap_search.base_object": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.ldap_search.deref": { "type": "keyword" },
"zeek.ldap_search.filter": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } },
"zeek.ldap_search.message_id": { "type": "keyword" },
"zeek.ldap_search.result_code": { "type": "keyword" },
"zeek.ldap_search.result_count": { "type": "integer" },
"zeek.ldap_search.result_message": { "type": "keyword" },
"zeek.ldap_search.scope": { "type": "keyword" },
"zeek.login.client_user": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek.login.confused": { "type": "keyword" },
"zeek.login.success": { "type": "keyword" },
"zeek.mqtt_connect.client_id": { "type": "keyword" },
"zeek.mqtt_connect.connect_status": { "type": "keyword" },
"zeek.mqtt_connect.proto_name": { "type": "keyword" },
"zeek.mqtt_connect.proto_version": { "type": "keyword" },
"zeek.mqtt_connect.will_payload": { "type": "keyword" },
"zeek.mqtt_connect.will_topic": { "type": "keyword" },
"zeek.mqtt_publish.from_client": { "type": "keyword" },
"zeek.mqtt_publish.payload": { "type": "keyword" },
"zeek.mqtt_publish.payload_dict.messageType": { "type": "keyword" },
"zeek.mqtt_publish.payload_len": { "type": "integer" },
"zeek.mqtt_publish.qos": { "type": "keyword" },
"zeek.mqtt_publish.retain": { "type": "keyword" },
"zeek.mqtt_publish.status": { "type": "keyword" },
"zeek.mqtt_publish.topic": { "type": "keyword" },
"zeek.mqtt_subscribe.ack": { "type": "keyword" },
"zeek.mqtt_subscribe.action": { "type": "keyword" },
"zeek.mqtt_subscribe.granted_qos_level": { "type": "integer" },
"zeek.mqtt_subscribe.qos_levels": { "type": "integer" },
"zeek.mqtt_subscribe.topics": { "type": "keyword" },
"zeek.mysql.arg": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text", "norms": false } } },
"zeek.mysql.cmd": { "type": "keyword" },
"zeek.mysql.response": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek.mysql.rows": { "type": "integer" },
"zeek.mysql.success": { "type": "keyword" },
"zeek.notice.actions": { "type": "keyword" },
"zeek.notice.dropped": { "type": "keyword" },
"zeek.notice.dst": { "type": "ip" },
"zeek.notice.file_desc": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } },
"zeek.notice.file_mime_type": { "type": "keyword" },
"zeek.notice.msg": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek.notice.n": { "type": "integer" },
"zeek.notice.note": { "type": "keyword" },
"zeek.notice.p": { "type": "integer" },
"zeek.notice.peer_descr": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } },
"zeek.notice.remote_location_city": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek.notice.remote_location_country_code": { "type": "keyword" },
"zeek.notice.remote_location_latitude": { "type": "float" },
"zeek.notice.remote_location_longitude": { "type": "float" },
"zeek.notice.remote_location_region": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek.notice.src": { "type": "ip" },
"zeek.notice.sub": { "type": "keyword", "doc_values": false, "ignore_above": 16384, "fields": { "text": { "type": "text", "norms": false } } },
"zeek.notice.suppress_for": { "type": "float" },
"zeek.ntlm.domain": { "type": "keyword" },
"zeek.ntlm.host": { "type": "keyword" },
"zeek.ntlm.server_dns_computer": { "type": "keyword" },
"zeek.ntlm.server_nb_computer": { "type": "keyword" },
"zeek.ntlm.server_tree": { "type": "keyword" },
"zeek.ntlm.status": { "type": "keyword" },
"zeek.ntlm.success": { "type": "keyword" },
"zeek.ntp.mode": { "type": "keyword" },
"zeek.ntp.mode_str": { "type": "keyword" },
"zeek.ntp.num_exts": { "type": "integer" },
"zeek.ntp.org_time": { "type": "date" },
"zeek.ntp.poll": { "type": "float" },
"zeek.ntp.precision": { "type": "float" },
"zeek.ntp.rec_time": { "type": "date" },
"zeek.ntp.ref_id": { "type": "keyword" },
"zeek.ntp.ref_time": { "type": "date" },
"zeek.ntp.root_delay": { "type": "float" },
"zeek.ntp.root_disp": { "type": "float" },
"zeek.ntp.stratum": { "type": "keyword" },
"zeek.ntp.version": { "type": "integer" },
"zeek.ntp.xmt_time": { "type": "date" },
"zeek.ocsp.certStatus": { "type": "keyword" },
"zeek.ocsp.hashAlgorithm": { "type": "keyword" },
"zeek.ocsp.issuerKeyHash": { "type": "keyword" },
"zeek.ocsp.issuerNameHash": { "type": "keyword" },
"zeek.ocsp.nextUpdate": { "type": "date" },
"zeek.ocsp.revokereason": { "type": "keyword" },
"zeek.ocsp.revoketime": { "type": "date" },
"zeek.ocsp.serialNumber": { "type": "keyword" },
"zeek.ocsp.thisUpdate": { "type": "date" },
"zeek.ospf.advert_router": { "type": "ip" },
"zeek.ospf.area_id": { "type": "ip" },
"zeek.ospf.backup_router": { "type": "ip" },
"zeek.ospf.desig_router": { "type": "ip" },
"zeek.ospf.dest_router_id": { "type": "ip" },
"zeek.ospf.fwd_addrs": { "type": "ip" },
"zeek.ospf.interface_id": { "type": "integer" },
"zeek.ospf.intra_prefixes": { "type": "keyword" },
"zeek.ospf.link_data": { "type": "ip" },
"zeek.ospf.link_id": { "type": "ip" },
"zeek.ospf.link_prefixes": { "type": "keyword" },
"zeek.ospf.link_state_id": { "type": "ip" },
"zeek.ospf.link_type": { "type": "keyword" },
"zeek.ospf.lsa_type": { "type": "keyword" },
"zeek.ospf.metric": { "type": "integer" },
"zeek.ospf.metrics": { "type": "long" },
"zeek.ospf.neighbor_interface_id": { "type": "integer" },
"zeek.ospf.neighbor_router_id": { "type": "ip" },
"zeek.ospf.neighbors": { "type": "ip" },
"zeek.ospf.netmask": { "type": "ip" },
"zeek.ospf.ospf_type": { "type": "keyword" },
"zeek.ospf.prefix": { "type": "keyword" },
"zeek.ospf.route_tags": { "type": "integer" },
"zeek.ospf.router_id": { "type": "ip" },
"zeek.ospf.routers": { "type": "ip" },
"zeek.ospf.version": { "type": "integer" },
"zeek.pe.compile_ts": { "type": "date" },
"zeek.pe.has_cert_table": { "type": "keyword" },
"zeek.pe.has_debug_data": { "type": "keyword" },
"zeek.pe.has_export_table": { "type": "keyword" },
"zeek.pe.has_import_table": { "type": "keyword" },
"zeek.pe.is_64bit": { "type": "keyword" },
"zeek.pe.is_exe": { "type": "keyword" },
"zeek.pe.machine": { "type": "keyword" },
"zeek.pe.os": { "type": "keyword" },
"zeek.pe.section_names": { "type": "keyword" },
"zeek.pe.subsystem": { "type": "keyword" },
"zeek.pe.uses_aslr": { "type": "keyword" },
"zeek.pe.uses_code_integrity": { "type": "keyword" },
"zeek.pe.uses_dep": { "type": "keyword" },
"zeek.pe.uses_seh": { "type": "keyword" },
"zeek.postgresql.database": { "type": "keyword" },
"zeek.postgresql.application_name": { "type": "keyword" },
"zeek.postgresql.frontend": { "type": "keyword" },
"zeek.postgresql.frontend_arg": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text", "norms": false } } },
"zeek.postgresql.backend": { "type": "keyword" },
"zeek.postgresql.backend_arg": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text", "norms": false } } },
"zeek.postgresql.rows": { "type": "long" },
"zeek.radius.connect_info": { "type": "keyword" },
"zeek.radius.framed_addr": { "type": "ip" },
"zeek.radius.mac": { "type": "keyword" },
"zeek.radius.reply_msg": { "type": "keyword" },
"zeek.radius.result": { "type": "keyword" },
"zeek.radius.ttl": { "type": "float" },
"zeek.radius.tunnel_client": { "type": "keyword" },
"zeek.rdp.cert_count": { "type": "integer" },
"zeek.rdp.cert_permanent": { "type": "keyword" },
"zeek.rdp.cert_type": { "type": "keyword" },
"zeek.rdp.client_build": { "type": "keyword" },
"zeek.rdp.client_channels": { "type": "keyword" },
"zeek.rdp.client_dig_product_id": { "type": "keyword" },
"zeek.rdp.client_name": { "type": "keyword" },
"zeek.rdp.cookie": { "type": "keyword" },
"zeek.rdp.desktop_height": { "type": "integer" },
"zeek.rdp.desktop_width": { "type": "integer" },
"zeek.rdp.encryption_level": { "type": "keyword" },
"zeek.rdp.encryption_method": { "type": "keyword" },
"zeek.rdp.keyboard_layout": { "type": "keyword" },
"zeek.rdp.requested_color_depth": { "type": "keyword" },
"zeek.rdp.result": { "type": "keyword" },
"zeek.rdp.security_protocol": { "type": "keyword" },
"zeek.rfb.auth": { "type": "keyword" },
"zeek.rfb.authentication_method": { "type": "keyword" },
"zeek.rfb.client_major_version": { "type": "keyword" },
"zeek.rfb.client_minor_version": { "type": "keyword" },
"zeek.rfb.desktop_name": { "type": "keyword" },
"zeek.rfb.height": { "type": "integer" },
"zeek.rfb.server_major_version": { "type": "keyword" },
"zeek.rfb.server_minor_version": { "type": "keyword" },
"zeek.rfb.share_flag": { "type": "keyword" },
"zeek.rfb.width": { "type": "integer" },
"zeek.signatures.hits": {
"type": "nested",
"properties": {
"Capa": { "type": "keyword" },
"ClamAV": { "type": "keyword" },
"Yara": { "type": "keyword" }
}
},
"zeek.signatures.host_count": { "type": "integer" },
"zeek.signatures.signature_count": { "type": "integer" },
"zeek.signatures.signature_id": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } },
"zeek.signatures.sub_message": { "type": "keyword", "doc_values": false, "ignore_above": 16384, "fields": { "text": { "type": "text", "norms": false } } },
"zeek.sip.call_id": { "type": "keyword" },
"zeek.sip.content_type": { "type": "keyword" },
"zeek.sip.date": { "type": "keyword" },
"zeek.sip.method": { "type": "keyword" },
"zeek.sip.reply_to": { "type": "keyword" },
"zeek.sip.request_body_len": { "type": "integer" },
"zeek.sip.request_from": { "type": "keyword" },
"zeek.sip.request_path": { "type": "keyword" },
"zeek.sip.request_to": { "type": "keyword" },
"zeek.sip.response_body_len": { "type": "integer" },
"zeek.sip.response_from": { "type": "keyword" },
"zeek.sip.response_path": { "type": "keyword" },
"zeek.sip.response_to": { "type": "keyword" },
"zeek.sip.seq": { "type": "keyword" },
"zeek.sip.status_code": { "type": "short" },
"zeek.sip.status_msg": { "type": "keyword" },
"zeek.sip.subject": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.sip.trans_depth": { "type": "integer" },
"zeek.sip.uri": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek.sip.user_agent": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek.sip.version": { "type": "keyword" },
"zeek.sip.warning": { "type": "keyword" },
"zeek.smb_cmd.argument": { "type": "keyword" },
"zeek.smb_cmd.command": { "type": "keyword" },
"zeek.smb_cmd.rtt": { "type": "float" },
"zeek.smb_cmd.status": { "type": "keyword" },
"zeek.smb_cmd.sub_command": { "type": "keyword" },
"zeek.smb_cmd.tree": { "type": "keyword" },
"zeek.smb_cmd.tree_service": { "type": "keyword" },
"zeek.smb_cmd.user": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek.smb_cmd.version": { "type": "keyword" },
"zeek.smb_files.action": { "type": "keyword" },
"zeek.smb_files.data_len_req": { "type": "long" },
"zeek.smb_files.data_len_rsp": { "type": "long" },
"zeek.smb_files.data_offset_req": { "type": "long" },
"zeek.smb_files.name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.smb_files.path": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.smb_files.prev_name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.smb_files.size": { "type": "long" },
"zeek.smb_files.times_accessed": { "type": "date" },
"zeek.smb_files.times_changed": { "type": "date" },
"zeek.smb_files.times_created": { "type": "date" },
"zeek.smb_files.times_modified": { "type": "date" },
"zeek.smb_files.ts": { "type": "date" },
"zeek.smb_files.orig_h": { "type": "ip" },
"zeek.smb_files.orig_p": { "type": "integer" },
"zeek.smb_files.resp_h": { "type": "ip" },
"zeek.smb_files.resp_p": { "type": "integer" },
"zeek.smb_mapping.native_file_system": { "type": "keyword" },
"zeek.smb_mapping.path": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.smb_mapping.resource_type": { "type": "keyword" },
"zeek.smb_mapping.share_type": { "type": "keyword" },
"zeek.smtp.cc": { "type": "keyword" },
"zeek.smtp.date": { "type": "keyword" },
"zeek.smtp.first_received": { "type": "keyword" },
"zeek.smtp.from": { "type": "keyword" },
"zeek.smtp.helo": { "type": "keyword" },
"zeek.smtp.in_reply_to": { "type": "keyword" },
"zeek.smtp.is_webmail": { "type": "keyword" },
"zeek.smtp.last_reply": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.smtp.last_reply_code": { "type": "keyword" },
"zeek.smtp.last_reply_msg": { "type": "keyword" },
"zeek.smtp.mailfrom": { "type": "keyword" },
"zeek.smtp.msg_id": { "type": "keyword" },
"zeek.smtp.path": { "type": "ip" },
"zeek.smtp.rcptto": { "type": "keyword" },
"zeek.smtp.reply_to": { "type": "keyword" },
"zeek.smtp.second_received": { "type": "keyword" },
"zeek.smtp.subject": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.smtp.tls": { "type": "keyword" },
"zeek.smtp.to": { "type": "keyword" },
"zeek.smtp.trans_depth": { "type": "integer" },
"zeek.smtp.user_agent": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek.smtp.x_originating_ip": { "type": "ip" },
"zeek.snmp.community": { "type": "keyword" },
"zeek.snmp.display_string": { "type": "keyword" },
"zeek.snmp.duration": { "type": "float" },
"zeek.snmp.get_bulk_requests": { "type": "integer" },
"zeek.snmp.get_requests": { "type": "integer" },
"zeek.snmp.get_responses": { "type": "integer" },
"zeek.snmp.set_requests": { "type": "integer" },
"zeek.snmp.up_since": { "type": "date" },
"zeek.snmp.version": { "type": "keyword" },
"zeek.socks.bound_host": { "type": "ip" },
"zeek.socks.bound_name": { "type": "keyword" },
"zeek.socks.bound_port": { "type": "integer" },
"zeek.socks.request_host": { "type": "ip" },
"zeek.socks.request_name": { "type": "keyword" },
"zeek.socks.request_port": { "type": "integer" },
"zeek.socks.server_status": { "type": "keyword" },
"zeek.socks.version": { "type": "integer" },
"zeek.software.name": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek.software.software_type": { "type": "keyword" },
"zeek.software.unparsed_version": { "type": "keyword", "ignore_above": 1024 },
"zeek.software.url": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek.software.version_addl": { "type": "keyword", "ignore_above": 1024 },
"zeek.software.version_major": { "type": "integer" },
"zeek.software.version_minor": { "type": "integer" },
"zeek.software.version_minor2": { "type": "integer" },
"zeek.software.version_minor3": { "type": "integer" },
"zeek.ssh.auth_attempts": { "type": "integer" },
"zeek.ssh.auth_success": { "type": "keyword" },
"zeek.ssh.cipher_alg": { "type": "keyword" },
"zeek.ssh.client": { "type": "keyword" },
"zeek.ssh.compression_alg": { "type": "keyword" },
"zeek.ssh.cshka": { "type": "keyword" },
"zeek.ssh.direction": { "type": "keyword" },
"zeek.ssh.hassh": { "type": "keyword" },
"zeek.ssh.hasshAlgorithms": { "type": "keyword" },
"zeek.ssh.hasshServer": { "type": "keyword" },
"zeek.ssh.hasshServerAlgorithms": { "type": "keyword" },
"zeek.ssh.hasshVersion": { "type": "keyword" },
"zeek.ssh.ja4ssh": { "type": "keyword" },
"zeek.ssh.host_key": { "type": "keyword" },
"zeek.ssh.host_key_alg": { "type": "keyword" },
"zeek.ssh.kex_alg": { "type": "keyword" },
"zeek.ssh.mac_alg": { "type": "keyword" },
"zeek.ssh.remote_location_city": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek.ssh.remote_location_country_code": { "type": "keyword" },
"zeek.ssh.remote_location_latitude": { "type": "float" },
"zeek.ssh.remote_location_longitude": { "type": "float" },
"zeek.ssh.remote_location_region": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text" } } },
"zeek.ssh.server": { "type": "keyword" },
"zeek.ssh.sshka": { "type": "keyword" },
"zeek.ssh.version": { "type": "integer" },
"zeek.ssl.cert_chain_fps": { "type": "keyword" },
"zeek.ssl.cert_chain_fuids": { "type": "keyword" },
"zeek.ssl.cipher": { "type": "keyword" },
"zeek.ssl.client_cert_chain_fps": { "type": "keyword" },
"zeek.ssl.client_cert_chain_fuids": { "type": "keyword" },
"zeek.ssl.client_issuer.C": { "type": "keyword" },
"zeek.ssl.client_issuer.CN": { "type": "keyword" },
"zeek.ssl.client_issuer.DC": { "type": "keyword" },
"zeek.ssl.client_issuer.emailAddress": { "type": "keyword" },
"zeek.ssl.client_issuer.GN": { "type": "keyword" },
"zeek.ssl.client_issuer.initials": { "type": "keyword" },
"zeek.ssl.client_issuer.L": { "type": "keyword" },
"zeek.ssl.client_issuer.O": { "type": "keyword" },
"zeek.ssl.client_issuer.OU": { "type": "keyword" },
"zeek.ssl.client_issuer.pseudonym": { "type": "keyword" },
"zeek.ssl.client_issuer.serialNumber": { "type": "keyword" },
"zeek.ssl.client_issuer.SN": { "type": "keyword" },
"zeek.ssl.client_issuer.ST": { "type": "keyword" },
"zeek.ssl.client_issuer.title": { "type": "keyword" },
"zeek.ssl.client_issuer_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.ssl.client_subject.C": { "type": "keyword" },
"zeek.ssl.client_subject.CN": { "type": "keyword" },
"zeek.ssl.client_subject.emailAddress": { "type": "keyword" },
"zeek.ssl.client_subject.GN": { "type": "keyword" },
"zeek.ssl.client_subject.initials": { "type": "keyword" },
"zeek.ssl.client_subject.L": { "type": "keyword" },
"zeek.ssl.client_subject.O": { "type": "keyword" },
"zeek.ssl.client_subject.OU": { "type": "keyword" },
"zeek.ssl.client_subject.pseudonym": { "type": "keyword" },
"zeek.ssl.client_subject.serialNumber": { "type": "keyword" },
"zeek.ssl.client_subject.SN": { "type": "keyword" },
"zeek.ssl.client_subject.ST": { "type": "keyword" },
"zeek.ssl.client_subject.title": { "type": "keyword" },
"zeek.ssl.client_subject_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.ssl.curve": { "type": "keyword" },
"zeek.ssl.established": { "type": "keyword" },
"zeek.ssl.issuer.C": { "type": "keyword" },
"zeek.ssl.issuer.CN": { "type": "keyword" },
"zeek.ssl.issuer.DC": { "type": "keyword" },
"zeek.ssl.issuer.emailAddress": { "type": "keyword" },
"zeek.ssl.issuer.GN": { "type": "keyword" },
"zeek.ssl.issuer.initials": { "type": "keyword" },
"zeek.ssl.issuer.L": { "type": "keyword" },
"zeek.ssl.issuer.O": { "type": "keyword" },
"zeek.ssl.issuer.OU": { "type": "keyword" },
"zeek.ssl.issuer.pseudonym": { "type": "keyword" },
"zeek.ssl.issuer.serialNumber": { "type": "keyword" },
"zeek.ssl.issuer.SN": { "type": "keyword" },
"zeek.ssl.issuer.ST": { "type": "keyword" },
"zeek.ssl.issuer.title": { "type": "keyword" },
"zeek.ssl.issuer_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.ssl.last_alert": { "type": "keyword" },
"zeek.ssl.next_protocol": { "type": "keyword" },
"zeek.ssl.resumed": { "type": "keyword" },
"zeek.ssl.server_name": { "type": "keyword" },
"zeek.ssl.sni_matches_cert": { "type": "keyword" },
"zeek.ssl.ssl_history": { "type": "keyword" },
"zeek.ssl.ssl_version": { "type": "keyword" },
"zeek.ssl.subject.C": { "type": "keyword" },
"zeek.ssl.subject.CN": { "type": "keyword" },
"zeek.ssl.subject.description": { "type": "keyword" },
"zeek.ssl.subject.emailAddress": { "type": "keyword" },
"zeek.ssl.subject.GN": { "type": "keyword" },
"zeek.ssl.subject.initials": { "type": "keyword" },
"zeek.ssl.subject.L": { "type": "keyword" },
"zeek.ssl.subject.O": { "type": "keyword" },
"zeek.ssl.subject.OU": { "type": "keyword" },
"zeek.ssl.subject.postalCode": { "type": "keyword" },
"zeek.ssl.subject.pseudonym": { "type": "keyword" },
"zeek.ssl.subject.serialNumber": { "type": "keyword" },
"zeek.ssl.subject.SN": { "type": "keyword" },
"zeek.ssl.subject.ST": { "type": "keyword" },
"zeek.ssl.subject.street": { "type": "keyword" },
"zeek.ssl.subject.title": { "type": "keyword" },
"zeek.ssl.subject_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.ssl.validation_status": { "type": "keyword" },
"zeek.stun.attr_type": { "type": "keyword" },
"zeek.stun.attr_val": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text", "norms": false } } },
"zeek.stun.class": { "type": "keyword" },
"zeek.stun.method": { "type": "keyword" },
"zeek.stun.trans_id": { "type": "keyword" },
"zeek.stun_nat.lan_addr": { "type": "keyword" },
"zeek.stun_nat.wan_addr": { "type": "ip" },
"zeek.stun_nat.wan_port": { "type": "integer" },
"zeek.syslog.facility": { "type": "keyword" },
"zeek.syslog.message": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.syslog.severity": { "type": "keyword" },
"zeek.tds.command": { "type": "keyword" },
"zeek.tds_rpc.parameter": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text", "norms": false } } },
"zeek.tds_rpc.parameters": { "type": "nested" },
"zeek.tds_rpc.procedure_name": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.tds_sql_batch.header_type": { "type": "keyword" },
"zeek.tds_sql_batch.query": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek.tftp.block_acked": { "type": "integer" },
"zeek.tftp.block_sent": { "type": "integer" },
"zeek.tftp.error_code": { "type": "integer" },
"zeek.tftp.error_msg": { "type": "keyword" },
"zeek.tftp.fname": { "type": "keyword" },
"zeek.tftp.mode": { "type": "keyword" },
"zeek.tftp.size": { "type": "integer" },
"zeek.tftp.uid_data": { "type": "keyword" },
"zeek.tftp.wrq": { "type": "keyword" },
"zeek.ts": { "type": "date" },
"zeek.tunnel.action": { "type": "keyword" },
"zeek.tunnel.tunnel_type": { "type": "keyword" },
"zeek.uid": { "type": "keyword" },
"zeek.websocket.host": { "type": "keyword" },
"zeek.websocket.uri": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
"zeek.websocket.user_agent": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
"zeek.websocket.subprotocol": { "type": "keyword" },
"zeek.websocket.client_protocols": { "type": "keyword" },
"zeek.websocket.server_extensions": { "type": "keyword" },
"zeek.websocket.client_extensions": { "type": "keyword" },
"zeek.weird.addl": { "type": "keyword", "doc_values": false, "ignore_above": 16384, "fields": { "text": { "type": "text", "norms": false } } },
"zeek.weird.notice": { "type": "keyword" },
"zeek.weird.source": { "type": "keyword" },
"zeek.wireguard.established": { "type": "keyword" },
"zeek.wireguard.initiations": { "type": "integer" },
"zeek.wireguard.receiver_index": { "type": "keyword" },
"zeek.wireguard.responses": { "type": "integer" },
"zeek.wireguard.sender_index": { "type": "keyword" },
"zeek.x509.basic_constraints_ca": { "type": "keyword" },
"zeek.x509.basic_constraints_path_len": { "type": "integer" },
"zeek.x509.certificate_curve": { "type": "keyword" },
"zeek.x509.certificate_exponent": { "type": "keyword" },
"zeek.x509.certificate_issuer.C": { "type": "keyword" },
"zeek.x509.certificate_issuer.CN": { "type": "keyword" },
"zeek.x509.certificate_issuer.DC": { "type": "keyword" },
"zeek.x509.certificate_issuer.emailAddress": { "type": "keyword" },
"zeek.x509.certificate_issuer.GN": { "type": "keyword" },
"zeek.x509.certificate_issuer.initials": { "type": "keyword" },
"zeek.x509.certificate_issuer.L": { "type": "keyword" },
"zeek.x509.certificate_issuer.O": { "type": "keyword" },
"zeek.x509.certificate_issuer.OU": { "type": "keyword" },
"zeek.x509.certificate_issuer.pseudonym": { "type": "keyword" },
"zeek.x509.certificate_issuer.serialNumber": { "type": "keyword" },
"zeek.x509.certificate_issuer.SN": { "type": "keyword" },
"zeek.x509.certificate_issuer.ST": { "type": "keyword" },
"zeek.x509.certificate_issuer.title": { "type": "keyword" },
"zeek.x509.certificate_issuer_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.x509.certificate_key_alg": { "type": "keyword" },
"zeek.x509.certificate_key_length": { "type": "integer" },
"zeek.x509.certificate_key_type": { "type": "keyword" },
"zeek.x509.certificate_not_valid_after": { "type": "date" },
"zeek.x509.certificate_not_valid_before": { "type": "date" },
"zeek.x509.certificate_serial": { "type": "keyword" },
"zeek.x509.certificate_sig_alg": { "type": "keyword" },
"zeek.x509.certificate_subject.C": { "type": "keyword" },
"zeek.x509.certificate_subject.CN": { "type": "keyword" },
"zeek.x509.certificate_subject.DC": { "type": "keyword" },
"zeek.x509.certificate_subject.description": { "type": "keyword" },
"zeek.x509.certificate_subject.emailAddress": { "type": "keyword" },
"zeek.x509.certificate_subject.GN": { "type": "keyword" },
"zeek.x509.certificate_subject.initials": { "type": "keyword" },
"zeek.x509.certificate_subject.L": { "type": "keyword" },
"zeek.x509.certificate_subject.O": { "type": "keyword" },
"zeek.x509.certificate_subject.OU": { "type": "keyword" },
"zeek.x509.certificate_subject.postalCode": { "type": "keyword" },
"zeek.x509.certificate_subject.pseudonym": { "type": "keyword" },
"zeek.x509.certificate_subject.serialNumber": { "type": "keyword" },
"zeek.x509.certificate_subject.SN": { "type": "keyword" },
"zeek.x509.certificate_subject.ST": { "type": "keyword" },
"zeek.x509.certificate_subject.street": { "type": "keyword" },
"zeek.x509.certificate_subject.title": { "type": "keyword" },
"zeek.x509.certificate_subject_full": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.x509.certificate_version": { "type": "integer" },
"zeek.x509.client_cert": { "type": "keyword" },
"zeek.x509.fingerprint": { "type": "keyword" },
"zeek.x509.host_cert": { "type": "keyword" },
"zeek.x509.san_dns": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
"zeek.x509.san_email": { "type": "keyword" },
"zeek.x509.san_ip": { "type": "ip" },
"zeek.x509.san_uri": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } }
}
}
}
}