Zeek Integration
editZeek Integration
editVersion |
2.25.0 (View all) |
Compatible Kibana version(s) |
8.12.0 or higher |
Supported Serverless project types |
Security |
Subscription level |
Basic |
Level of support |
Elastic |
This is an integration for Zeek, which was formerly named Bro. Zeek is a passive, open-source network traffic analyzer. This integrations ingests the logs Zeek produces about the network traffic that it analyzes.
Zeek logs must be output in JSON format. This is normally done by appending the
json-logs policy
to your local.zeek
file. Add this line to your local.zeek
.
@load policy/tuning/json-logs.zeek
Compatibility
editThis module has been developed against Zeek 2.6.1, but is expected to work with other versions of Zeek.
Zeek requires a Unix-like platform, and it currently supports Linux, FreeBSD, and Mac OS X.
Logs
editcapture_loss
editThe capture_loss
dataset collects the Zeek capture_loss.log file,
which contains packet loss rate data.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
tags |
List of keywords used to tag each event. |
keyword |
zeek.capture_loss.acks |
Total number of ACKs seen in the previous measurement interval. |
integer |
zeek.capture_loss.gaps |
Number of missed ACKs from the previous measurement interval. |
integer |
zeek.capture_loss.peer |
In the event that there are multiple Bro instances logging to the same host, this distinguishes each peer with its individual name. |
keyword |
zeek.capture_loss.percent_lost |
Percentage of ACKs seen where the data being ACKed wasn’t seen. |
double |
zeek.capture_loss.ts_delta |
The time delay between this measurement and the last. |
integer |
zeek.session_id |
A unique identifier of the session |
keyword |
connection
editThe connection
dataset collects the Zeek conn.log file, which
contains TCP/UDP/ICMP connection data.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.bytes |
Bytes sent from the destination to the source. |
long |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.mac |
MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
destination.packets |
Packets sent from the destination to the source. |
long |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.duration |
Duration of the event in nanoseconds. If |
long |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.bytes |
Total bytes transferred in both directions. If |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.direction |
Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host’s point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. |
keyword |
network.packets |
Total packets transferred in both directions. If |
long |
network.protocol |
In the OSI Model this would be the Application Layer protocol. For example, |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.bytes |
Bytes sent from the source to the destination. |
long |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.mac |
MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
source.packets |
Packets sent from the source to the destination. |
long |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
zeek.connection.history |
Flags indicating the history of the session. |
keyword |
zeek.connection.icmp.code |
ICMP message code. |
integer |
zeek.connection.icmp.type |
ICMP message type. |
integer |
zeek.connection.inner_vlan |
VLAN identifier. |
integer |
zeek.connection.local_orig |
Indicates whether the session is originated locally. |
boolean |
zeek.connection.local_resp |
Indicates whether the session is responded locally. |
boolean |
zeek.connection.missed_bytes |
Missed bytes for the session. |
long |
zeek.connection.state |
Code indicating the state of the session. |
keyword |
zeek.connection.state_message |
The state of the session. |
keyword |
zeek.connection.vlan |
VLAN identifier. |
integer |
zeek.session_id |
A unique identifier of the session |
keyword |
dce_rpc
editThe dce_rpc
dataset collects the Zeek dce_rpc.log file, which
contains Distributed Computing Environment/RPC data.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.bytes |
Bytes sent from the destination to the source. |
long |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.action |
The action captured by the event. This describes the information in the event. It is more specific than |
keyword |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.protocol |
In the OSI Model this would be the Application Layer protocol. For example, |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.bytes |
Bytes sent from the source to the destination. |
long |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
zeek.dce_rpc.endpoint |
Endpoint name looked up from the uuid. |
keyword |
zeek.dce_rpc.named_pipe |
Remote pipe name. |
keyword |
zeek.dce_rpc.operation |
Operation seen in the call. |
keyword |
zeek.dce_rpc.rtt |
Round trip time from the request to the response. If either the request or response wasn’t seen, this will be null. |
integer |
zeek.session_id |
A unique identifier of the session |
keyword |
dhcp
editThe dhcp
dataset collects the Zeek dhcp.log file, which contains
DHCP lease data.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
client.address |
Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.name |
Name given by operators to sections of their network. |
keyword |
network.protocol |
In the OSI Model this would be the Application Layer protocol. For example, |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
server.address |
Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
zeek.dhcp.address.assigned |
IP address assigned by the server. |
ip |
zeek.dhcp.address.client |
IP address of the client. If a transaction is only a client sending INFORM messages then there is no lease information exchanged so this is helpful to know who sent the messages. Getting an address in this field does require that the client sources at least one DHCP message using a non-broadcast address. |
ip |
zeek.dhcp.address.mac |
Client’s hardware address. |
keyword |
zeek.dhcp.address.requested |
IP address requested by the client. |
ip |
zeek.dhcp.address.server |
IP address of the DHCP server. |
ip |
zeek.dhcp.client_fqdn |
FQDN given by client in Client FQDN option 81. |
keyword |
zeek.dhcp.domain |
Domain given by the server in option 15. |
keyword |
zeek.dhcp.duration |
Duration of the DHCP session representing the time from the first message to the last, in seconds. |
double |
zeek.dhcp.hostname |
Name given by client in Hostname option 12. |
keyword |
zeek.dhcp.id.circuit |
(present if policy/protocols/dhcp/sub-opts.bro is loaded) Added by DHCP relay agents which terminate switched or permanent circuits. It encodes an agent-local identifier of the circuit from which a DHCP client-to-server packet was received. Typically it should represent a router or switch interface number. |
keyword |
zeek.dhcp.id.remote_agent |
(present if policy/protocols/dhcp/sub-opts.bro is loaded) A globally unique identifier added by relay agents to identify the remote host end of the circuit. |
keyword |
zeek.dhcp.id.subscriber |
(present if policy/protocols/dhcp/sub-opts.bro is loaded) The subscriber ID is a value independent of the physical network configuration so that a customer’s DHCP configuration can be given to them correctly no matter where they are physically connected. |
keyword |
zeek.dhcp.lease_time |
IP address lease interval in seconds. |
integer |
zeek.dhcp.msg.client |
Message typically accompanied with a DHCP_DECLINE so the client can tell the server why it rejected an address. |
keyword |
zeek.dhcp.msg.origin |
(present if policy/protocols/dhcp/msg-orig.bro is loaded) The address that originated each message from the msg.types field. |
ip |
zeek.dhcp.msg.server |
Message typically accompanied with a DHCP_NAK to let the client know why it rejected the request. |
keyword |
zeek.dhcp.msg.types |
List of DHCP message types seen in this exchange. |
keyword |
zeek.dhcp.software.client |
(present if policy/protocols/dhcp/software.bro is loaded) Software reported by the client in the vendor_class option. |
keyword |
zeek.dhcp.software.server |
(present if policy/protocols/dhcp/software.bro is loaded) Software reported by the client in the vendor_class option. |
keyword |
zeek.session_id |
A unique identifier of the session |
keyword |
dnp3
editThe dnp3
dataset collects the Zeek dnp3.log file which contains DNP3
requests and replies.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.bytes |
Bytes sent from the destination to the source. |
long |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.action |
The action captured by the event. This describes the information in the event. It is more specific than |
keyword |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.protocol |
In the OSI Model this would be the Application Layer protocol. For example, |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.bytes |
Bytes sent from the source to the destination. |
long |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
zeek.dnp3.function.reply |
The name of the function message in the reply. |
keyword |
zeek.dnp3.function.request |
The name of the function message in the request. |
keyword |
zeek.dnp3.id |
The response’s internal indication number. |
integer |
zeek.session_id |
A unique identifier of the session |
keyword |
dns
editThe dns
dataset collects the Zeek dns.log file which contains DNS
activity.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.port |
Port of the destination. |
long |
dns.answers |
An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the |
group |
dns.answers.class |
The class of DNS data contained in this resource record. |
keyword |
dns.answers.data |
The data describing the resource. The meaning of this data depends on the type and class of the resource record. |
keyword |
dns.answers.name |
The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer’s |
keyword |
dns.answers.ttl |
The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. |
long |
dns.answers.type |
The type of data contained in this resource record. |
keyword |
dns.header_flags |
Array of 2 letter DNS header flags. |
keyword |
dns.id |
The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. |
keyword |
dns.question.class |
The class of records being queried. |
keyword |
dns.question.name |
The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. |
keyword |
dns.question.registered_domain |
The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". |
keyword |
dns.question.subdomain |
The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. |
keyword |
dns.question.top_level_domain |
The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". |
keyword |
dns.question.type |
The type of record being queried. |
keyword |
dns.resolved_ip |
Array containing all IPs seen in |
ip |
dns.response_code |
The DNS response code. |
keyword |
dns.type |
The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type |
keyword |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.duration |
Duration of the event in nanoseconds. If |
long |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.original |
Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from |
keyword |
event.outcome |
This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. |
keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.protocol |
In the OSI Model this would be the Application Layer protocol. For example, |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
zeek.dns.AA |
The Authoritative Answer bit for response messages specifies that the responding name server is an authority for the domain name in the question section. |
boolean |
zeek.dns.RA |
The Recursion Available bit in a response message indicates that the name server supports recursive queries. |
boolean |
zeek.dns.RD |
The Recursion Desired bit in a request message indicates that the client wants recursive service for this query. |
boolean |
zeek.dns.TC |
The Truncation bit specifies that the message was truncated. |
boolean |
zeek.dns.TTLs |
The caching intervals of the associated RRs described by the answers field. |
double |
zeek.dns.answers |
The set of resource descriptions in the query answer. |
keyword |
zeek.dns.qclass |
The QCLASS value specifying the class of the query. |
long |
zeek.dns.qclass_name |
A descriptive name for the class of the query. |
keyword |
zeek.dns.qtype |
A QTYPE value specifying the type of the query. |
long |
zeek.dns.qtype_name |
A descriptive name for the type of the query. |
keyword |
zeek.dns.query |
The domain name that is the subject of the DNS query. |
keyword |
zeek.dns.rcode |
The response code value in DNS response messages. |
long |
zeek.dns.rcode_name |
A descriptive name for the response code value. |
keyword |
zeek.dns.rejected |
Indicates whether the DNS query was rejected by the server. |
boolean |
zeek.dns.rtt |
Round trip time for the query and response. |
double |
zeek.dns.saw_query |
Whether the full DNS query has been seen. |
boolean |
zeek.dns.saw_reply |
Whether the full DNS reply has been seen. |
boolean |
zeek.dns.total_answers |
The total number of resource records in the reply. |
integer |
zeek.dns.total_replies |
The total number of resource records in the reply message. |
integer |
zeek.dns.trans_id |
DNS transaction identifier. |
keyword |
zeek.session_id |
A unique identifier of the session |
keyword |
dpd
editThe dpd
dataset collects the Zeek dpd.log, which contains dynamic
protocol detection failures.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
zeek.dpd.analyzer |
The analyzer that generated the violation. |
keyword |
zeek.dpd.failure_reason |
The textual reason for the analysis failure. |
keyword |
zeek.dpd.packet_segment |
(present if policy/frameworks/dpd/packet-segment-logging.bro is loaded) A chunk of the payload that most likely resulted in the protocol violation. |
keyword |
zeek.session_id |
A unique identifier of the session |
keyword |
files
editThe files
dataset collects the Zeek files.log file, which contains
file analysis results.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
client.ip |
IP address of the client (IPv4 or IPv6). |
ip |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
file.hash.md5 |
MD5 hash. |
keyword |
file.hash.sha1 |
SHA1 hash. |
keyword |
file.hash.sha256 |
SHA256 hash. |
keyword |
file.mime_type |
MIME type should identify the format of the file or stream of bytes using IANA[https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. |
keyword |
file.name |
Name of the file including the extension, without the directory. |
keyword |
file.size |
File size in bytes. Only relevant when |
long |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
related.hash |
All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you’re unsure what the hash algorithm is (and therefore which key name to search). |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
server.ip |
IP address of the server (IPv4 or IPv6). |
ip |
tags |
List of keywords used to tag each event. |
keyword |
zeek.files.analyzers |
A set of analysis types done during the file analysis. |
keyword |
zeek.files.depth |
A value to represent the depth of this file in relation to its source. In SMTP, it is the depth of the MIME attachment on the message. In HTTP, it is the depth of the request within the TCP connection. |
long |
zeek.files.duration |
The duration the file was analyzed for. Not the duration of the session. |
double |
zeek.files.entropy |
The information density of the contents of the file. |
double |
zeek.files.extracted |
Local filename of extracted file. |
keyword |
zeek.files.extracted_cutoff |
Indicate whether the file being extracted was cut off hence not extracted completely. |
boolean |
zeek.files.extracted_size |
The number of bytes extracted to disk. |
long |
zeek.files.filename |
Name of the file if available. |
keyword |
zeek.files.fuid |
A file unique identifier. |
keyword |
zeek.files.is_orig |
If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder. |
boolean |
zeek.files.local_orig |
If the source of this file is a network connection, this field indicates if the data originated from the local network or not. |
boolean |
zeek.files.md5 |
An MD5 digest of the file contents. |
keyword |
zeek.files.mime_type |
Mime type of the file. |
keyword |
zeek.files.missing_bytes |
The number of bytes in the file stream that were completely missed during the process of analysis. |
long |
zeek.files.overflow_bytes |
The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn’t be reassembled. |
long |
zeek.files.parent_fuid |
Identifier associated with a container file from which this one was extracted as part of the file analysis. |
keyword |
zeek.files.rx_host |
The host that received the file. |
ip |
zeek.files.seen_bytes |
Number of bytes provided to the file analysis engine for the file. |
long |
zeek.files.session_ids |
The sessions that have this file. |
keyword |
zeek.files.sha1 |
A SHA1 digest of the file contents. |
keyword |
zeek.files.sha256 |
A SHA256 digest of the file contents. |
keyword |
zeek.files.source |
An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source. |
keyword |
zeek.files.timedout |
Whether the file analysis timed out at least once for the file. |
boolean |
zeek.files.total_bytes |
Total number of bytes that are supposed to comprise the full file. |
long |
zeek.files.tx_host |
The host that transferred the file. |
ip |
zeek.session_id |
A unique identifier of the session |
keyword |
ftp
editThe ftp
dataset collects the Zeek ftp.log file, which contains FTP
activity.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.action |
The action captured by the event. This describes the information in the event. It is more specific than |
keyword |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
file.mime_type |
MIME type should identify the format of the file or stream of bytes using IANA[https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. |
keyword |
file.size |
File size in bytes. Only relevant when |
long |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.protocol |
In the OSI Model this would be the Application Layer protocol. For example, |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
related.user |
All the user names or other user identifiers seen on the event. |
keyword |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
user.name |
Short name or login of the user. |
keyword |
user.name.text |
Multi-field of |
match_only_text |
zeek.ftp.arg |
Argument for the command if one is given. |
keyword |
zeek.ftp.capture_password |
Determines if the password will be captured for this request. |
boolean |
zeek.ftp.cmdarg.arg |
Argument for the command if one was given. |
keyword |
zeek.ftp.cmdarg.cmd |
Command. |
keyword |
zeek.ftp.cmdarg.seq |
Counter to track how many commands have been executed. |
integer |
zeek.ftp.command |
Command given by the client. |
keyword |
zeek.ftp.cwd |
Current working directory that this session is in. By making the default value ., we can indicate that unless something more concrete is discovered that the existing but unknown directory is ok to use. |
keyword |
zeek.ftp.data_channel.originating_host |
The host that will be initiating the data connection. |
ip |
zeek.ftp.data_channel.passive |
Whether PASV mode is toggled for control channel. |
boolean |
zeek.ftp.data_channel.response_host |
The host that will be accepting the data connection. |
ip |
zeek.ftp.data_channel.response_port |
The port at which the acceptor is listening for the data connection. |
integer |
zeek.ftp.file.fuid |
(present if base/protocols/ftp/files.bro is loaded) File unique ID. |
keyword |
zeek.ftp.file.mime_type |
Sniffed mime type of file. |
keyword |
zeek.ftp.file.size |
Size of the file if the command indicates a file transfer. |
long |
zeek.ftp.last_auth_requested |
present if base/protocols/ftp/gridftp.bro is loaded. Last authentication/security mechanism that was used. |
keyword |
zeek.ftp.passive |
Indicates if the session is in active or passive mode. |
boolean |
zeek.ftp.password |
Password for the current FTP session if captured. |
keyword |
zeek.ftp.pending_commands |
Queue for commands that have been sent but not yet responded to are tracked here. |
integer |
zeek.ftp.reply.code |
Reply code from the server in response to the command. |
integer |
zeek.ftp.reply.msg |
Reply message from the server in response to the command. |
keyword |
zeek.ftp.user |
User name for the current FTP session. |
keyword |
zeek.session_id |
A unique identifier of the session |
keyword |
http
editThe http
dataset collects the Zeek http.log file, which contains
HTTP requests and replies.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.action |
The action captured by the event. This describes the information in the event. It is more specific than |
keyword |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.outcome |
This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. |
keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
http.request.body.bytes |
Size in bytes of the request body. |
long |
http.request.method |
HTTP request method. The value should retain its casing from the original event. For example, |
keyword |
http.request.referrer |
Referrer for this HTTP request. |
keyword |
http.response.body.bytes |
Size in bytes of the response body. |
long |
http.response.status_code |
HTTP response status code. |
long |
http.version |
HTTP version. |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
related.user |
All the user names or other user identifiers seen on the event. |
keyword |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
url.domain |
Domain of the url, such as "http://www.elastic.co[www.elastic.co]". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the |
keyword |
url.original |
Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. |
wildcard |
url.original.text |
Multi-field of |
match_only_text |
url.password |
Password of the request. |
keyword |
url.path |
Path of the request, such as "/search". |
wildcard |
url.port |
Port of the request, such as 443. |
long |
url.scheme |
Scheme of the request, such as "https". Note: The |
keyword |
url.username |
Username of the request. |
keyword |
user.name |
Short name or login of the user. |
keyword |
user.name.text |
Multi-field of |
match_only_text |
user_agent.device.name |
Name of the device. |
keyword |
user_agent.name |
Name of the user agent. |
keyword |
user_agent.original |
Unparsed user_agent string. |
keyword |
user_agent.original.text |
Multi-field of |
match_only_text |
user_agent.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
user_agent.os.full |
Operating system name, including the version or code name. |
keyword |
user_agent.os.full.text |
Multi-field of |
match_only_text |
user_agent.os.kernel |
Operating system kernel version as a raw string. |
keyword |
user_agent.os.name |
Operating system name, without the version. |
keyword |
user_agent.os.name.text |
Multi-field of |
match_only_text |
user_agent.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
user_agent.os.version |
Operating system version as a raw string. |
keyword |
user_agent.version |
Version of the user agent. |
keyword |
zeek.http.captured_password |
Determines if the password will be captured for this request. |
boolean |
zeek.http.client_header_names |
The vector of HTTP header names sent by the client. No header values are included here, just the header names. |
keyword |
zeek.http.host |
The Zeek host if it differs from the domain extracted from the Zeek URI. |
keyword |
zeek.http.info_code |
Last seen 1xx informational reply code returned by the server. |
integer |
zeek.http.info_msg |
Last seen 1xx informational reply message returned by the server. |
keyword |
zeek.http.orig_filenames |
An ordered vector of filenames from the originator. |
keyword |
zeek.http.orig_fuids |
An ordered vector of file unique IDs from the originator. |
keyword |
zeek.http.orig_mime_depth |
Current number of MIME entities in the HTTP request message body. |
integer |
zeek.http.orig_mime_types |
An ordered vector of mime types from the originator. |
keyword |
zeek.http.password |
Password if basic-auth is performed for the request. |
keyword |
zeek.http.proxied |
All of the headers that may indicate if the HTTP request was proxied. |
keyword |
zeek.http.range_request |
Indicates if this request can assume 206 partial content in response. |
boolean |
zeek.http.resp_filenames |
An ordered vector of filenames from the responder. |
keyword |
zeek.http.resp_fuids |
An ordered vector of file unique IDs from the responder. |
keyword |
zeek.http.resp_mime_depth |
Current number of MIME entities in the HTTP response message body. |
integer |
zeek.http.resp_mime_types |
An ordered vector of mime types from the responder. |
keyword |
zeek.http.server_header_names |
The vector of HTTP header names sent by the server. No header values are included here, just the header names. |
keyword |
zeek.http.status_msg |
Status message returned by the server. |
keyword |
zeek.http.tags |
A set of indicators of various attributes discovered and related to a particular request/response pair. |
keyword |
zeek.http.trans_depth |
Represents the pipelined depth into the connection of this request/response transaction. |
integer |
zeek.session_id |
A unique identifier of the session |
keyword |
intel
editThe intel
dataset collects the Zeek intel.log file, which contains
intelligence data matches.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.original |
Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from |
keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
threat.enrichments |
A list of associated indicators objects enriching the event, and the context of that association/enrichment. |
nested |
threat.indicator.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
threat.indicator.as.organization.name |
Organization name. |
keyword |
threat.indicator.as.organization.name.text |
Multi-field of |
match_only_text |
threat.indicator.email.address |
Identifies a threat indicator as an email address (irrespective of direction). |
keyword |
threat.indicator.file.name |
Name of the file including the extension, without the directory. |
keyword |
threat.indicator.geo.city_name |
City name. |
keyword |
threat.indicator.geo.continent_name |
Name of the continent. |
keyword |
threat.indicator.geo.country_iso_code |
Country ISO code. |
keyword |
threat.indicator.geo.country_name |
Country name. |
keyword |
threat.indicator.geo.location |
Longitude and latitude. |
geo_point |
threat.indicator.geo.region_iso_code |
Region ISO code. |
keyword |
threat.indicator.geo.region_name |
Region name. |
keyword |
threat.indicator.geo.timezone |
The time zone of the location, such as IANA time zone name. |
keyword |
threat.indicator.ip |
Identifies a threat indicator as an IP address (irrespective of direction). |
ip |
threat.indicator.type |
Type of indicator as represented by Cyber Observable in STIX 2.0. |
keyword |
threat.indicator.url.domain |
Domain of the url, such as "http://www.elastic.co[www.elastic.co]". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the |
keyword |
threat.indicator.url.extension |
The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). |
keyword |
threat.indicator.url.fragment |
Portion of the url after the |
keyword |
threat.indicator.url.full |
If full URLs are important to your use case, they should be stored in |
wildcard |
threat.indicator.url.full.text |
Multi-field of |
match_only_text |
threat.indicator.url.original |
Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. |
wildcard |
threat.indicator.url.original.text |
Multi-field of |
match_only_text |
threat.indicator.url.password |
Password of the request. |
keyword |
threat.indicator.url.path |
Path of the request, such as "/search". |
wildcard |
threat.indicator.url.port |
Port of the request, such as 443. |
long |
threat.indicator.url.query |
The query field describes the query string of the request, such as "q=elasticsearch". The |
keyword |
threat.indicator.url.registered_domain |
The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". |
keyword |
threat.indicator.url.scheme |
Scheme of the request, such as "https". Note: The |
keyword |
threat.indicator.url.subdomain |
The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "http://www.east.mydomain.co.uk[www.east.mydomain.co.uk]" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. |
keyword |
threat.indicator.url.top_level_domain |
The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". |
keyword |
threat.indicator.url.username |
Username of the request. |
keyword |
zeek.intel.file_desc |
Frequently files can be described to give a bit more context. If the $f field is provided this field will be automatically filled out. |
keyword |
zeek.intel.file_mime_type |
A mime type if the intelligence hit is related to a file. If the $f field is provided this will be automatically filled out. |
keyword |
zeek.intel.fuid |
If a file was associated with this intelligence hit, this is the uid for the file. |
keyword |
zeek.intel.matched |
Event to represent a match in the intelligence data from data that was seen. |
keyword |
zeek.intel.seen.conn |
If the data was discovered within a connection, the connection record should go here to give context to the data. |
keyword |
zeek.intel.seen.f.* |
If the data was discovered within a file, the file record should go here to provide context to the data. |
object |
zeek.intel.seen.fuid |
If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out. |
keyword |
zeek.intel.seen.host |
If the indicator type was Intel::ADDR, then this field will be present. |
keyword |
zeek.intel.seen.indicator |
The intelligence indicator. |
keyword |
zeek.intel.seen.indicator_type |
The type of data the indicator represents. |
keyword |
zeek.intel.seen.node |
The name of the node where the match was discovered. |
keyword |
zeek.intel.seen.uid |
If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out. |
keyword |
zeek.intel.seen.where |
Where the data was discovered. |
keyword |
zeek.intel.sources |
Sources which supplied data for this match. |
keyword |
zeek.session_id |
A unique identifier of the session |
keyword |
irc
editThe irc
dataset collects the Zeek irc.log file, which contains IRC
commands and responses.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.action |
The action captured by the event. This describes the information in the event. It is more specific than |
keyword |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
file.mime_type |
MIME type should identify the format of the file or stream of bytes using IANA[https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. |
keyword |
file.name |
Name of the file including the extension, without the directory. |
keyword |
file.size |
File size in bytes. Only relevant when |
long |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.protocol |
In the OSI Model this would be the Application Layer protocol. For example, |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
related.user |
All the user names or other user identifiers seen on the event. |
keyword |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
user.name |
Short name or login of the user. |
keyword |
user.name.text |
Multi-field of |
match_only_text |
zeek.irc.addl |
Any additional data for the command. |
keyword |
zeek.irc.command |
Command given by the client. |
keyword |
zeek.irc.dcc.file.name |
Present if base/protocols/irc/dcc-send.bro is loaded. DCC filename requested. |
keyword |
zeek.irc.dcc.file.size |
Present if base/protocols/irc/dcc-send.bro is loaded. Size of the DCC transfer as indicated by the sender. |
long |
zeek.irc.dcc.mime_type |
present if base/protocols/irc/dcc-send.bro is loaded. Sniffed mime type of the file. |
keyword |
zeek.irc.fuid |
present if base/protocols/irc/files.bro is loaded. File unique ID. |
keyword |
zeek.irc.nick |
Nickname given for the connection. |
keyword |
zeek.irc.user |
Username given for the connection. |
keyword |
zeek.irc.value |
Value for the command given by the client. |
keyword |
zeek.session_id |
A unique identifier of the session |
keyword |
kerberos
editThe kerberos
dataset collects the Zeek kerberos.log file, which
contains kerberos data.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
client.address |
Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.action |
The action captured by the event. This describes the information in the event. It is more specific than |
keyword |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.outcome |
This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. |
keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.protocol |
In the OSI Model this would be the Application Layer protocol. For example, |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
related.user |
All the user names or other user identifiers seen on the event. |
keyword |
server.address |
Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
tls.client.x509.subject.common_name |
List of common names (CN) of subject. |
keyword |
tls.client.x509.subject.country |
List of country © code |
keyword |
tls.client.x509.subject.locality |
List of locality names (L) |
keyword |
tls.client.x509.subject.organization |
List of organizations (O) of subject. |
keyword |
tls.client.x509.subject.organizational_unit |
List of organizational units (OU) of subject. |
keyword |
tls.client.x509.subject.state_or_province |
List of state or province names (ST, S, or P) |
keyword |
tls.server.x509.subject.common_name |
List of common names (CN) of subject. |
keyword |
tls.server.x509.subject.country |
List of country © code |
keyword |
tls.server.x509.subject.locality |
List of locality names (L) |
keyword |
tls.server.x509.subject.organization |
List of organizations (O) of subject. |
keyword |
tls.server.x509.subject.organizational_unit |
List of organizational units (OU) of subject. |
keyword |
tls.server.x509.subject.state_or_province |
List of state or province names (ST, S, or P) |
keyword |
user.domain |
Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. |
keyword |
user.name |
Short name or login of the user. |
keyword |
user.name.text |
Multi-field of |
match_only_text |
zeek.kerberos.cert.client.fuid |
File unique ID of client cert. |
keyword |
zeek.kerberos.cert.client.subject |
Subject of client certificate. |
keyword |
zeek.kerberos.cert.client.value |
Client certificate. |
keyword |
zeek.kerberos.cert.server.fuid |
File unique ID of server certificate. |
keyword |
zeek.kerberos.cert.server.subject |
Subject of server certificate. |
keyword |
zeek.kerberos.cert.server.value |
Server certificate. |
keyword |
zeek.kerberos.cipher |
Ticket encryption type. |
keyword |
zeek.kerberos.client |
Client name. |
keyword |
zeek.kerberos.error.code |
Error code. |
integer |
zeek.kerberos.error.msg |
Error message. |
keyword |
zeek.kerberos.forwardable |
Forwardable ticket requested. |
boolean |
zeek.kerberos.renewable |
Renewable ticket requested. |
boolean |
zeek.kerberos.request_type |
Request type - Authentication Service (AS) or Ticket Granting Service (TGS). |
keyword |
zeek.kerberos.service |
Service name. |
keyword |
zeek.kerberos.success |
Request result. |
boolean |
zeek.kerberos.ticket.auth |
Hash of ticket used to authorize request/transaction. |
keyword |
zeek.kerberos.ticket.new |
Hash of ticket returned by the KDC. |
keyword |
zeek.kerberos.valid.days |
Number of days the ticket is valid for. |
integer |
zeek.kerberos.valid.from |
Ticket valid from. |
date |
zeek.kerberos.valid.until |
Ticket valid until. |
date |
zeek.session_id |
A unique identifier of the session |
keyword |
known_certs
editThe known_certs
dataset captures information about SSL/TLS certificates seen on the local network. See the documentation for more details.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
ecs.version |
ECS version this event conforms to. |
keyword |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.geo.city_name |
City name. |
keyword |
host.geo.continent_name |
Name of the continent. |
keyword |
host.geo.country_iso_code |
Country ISO code. |
keyword |
host.geo.country_name |
Country name. |
keyword |
host.geo.location |
Longitude and latitude. |
geo_point |
host.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
host.geo.region_iso_code |
Region ISO code. |
keyword |
host.geo.region_name |
Region name. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.type |
In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
server.geo.city_name |
City name. |
keyword |
server.geo.continent_name |
Name of the continent. |
keyword |
server.geo.country_iso_code |
Country ISO code. |
keyword |
server.geo.country_name |
Country name. |
keyword |
server.geo.location |
Longitude and latitude. |
geo_point |
server.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
server.geo.region_iso_code |
Region ISO code. |
keyword |
server.geo.region_name |
Region name. |
keyword |
server.ip |
IP address of the server (IPv4 or IPv6). |
ip |
server.port |
Port of the server. |
long |
tags |
List of keywords used to tag each event. |
keyword |
tls.server.issuer |
Subject of the issuer of the x.509 certificate presented by the server. |
keyword |
tls.server.subject |
Subject of the x.509 certificate presented by the server. |
keyword |
tls.server.x509.issuer.common_name |
List of common name (CN) of issuing certificate authority. |
keyword |
tls.server.x509.issuer.distinguished_name |
Distinguished name (DN) of issuing certificate authority. |
keyword |
tls.server.x509.serial_number |
Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. |
keyword |
tls.server.x509.subject.common_name |
List of common names (CN) of subject. |
keyword |
tls.server.x509.subject.distinguished_name |
Distinguished name (DN) of the certificate subject entity. |
keyword |
known_hosts
editThe known_hosts
dataset simply records a timestamp and an IP address when Zeek observes a new system on the local network.. See the documentation for more details.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
ecs.version |
ECS version this event conforms to. |
keyword |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.geo.city_name |
City name. |
keyword |
host.geo.continent_name |
Name of the continent. |
keyword |
host.geo.country_iso_code |
Country ISO code. |
keyword |
host.geo.country_name |
Country name. |
keyword |
host.geo.location |
Longitude and latitude. |
geo_point |
host.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
host.geo.region_iso_code |
Region ISO code. |
keyword |
host.geo.region_name |
Region name. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.type |
In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
tags |
List of keywords used to tag each event. |
keyword |
known_services
editThe known_services
dataset records a timestamp, IP, port number, protocol, and service (if available) when Zeek observes a system offering a new service on the local network. See the documentation for more details.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
ecs.version |
ECS version this event conforms to. |
keyword |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.geo.city_name |
City name. |
keyword |
host.geo.continent_name |
Name of the continent. |
keyword |
host.geo.country_iso_code |
Country ISO code. |
keyword |
host.geo.country_name |
Country name. |
keyword |
host.geo.location |
Longitude and latitude. |
geo_point |
host.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
host.geo.region_iso_code |
Region ISO code. |
keyword |
host.geo.region_name |
Region name. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.application |
When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application’s or service’s name. For example, the original event identifies the network connection being from a specific web service in a |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
network.type |
In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
server.geo.city_name |
City name. |
keyword |
server.geo.continent_name |
Name of the continent. |
keyword |
server.geo.country_iso_code |
Country ISO code. |
keyword |
server.geo.country_name |
Country name. |
keyword |
server.geo.location |
Longitude and latitude. |
geo_point |
server.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
server.geo.region_iso_code |
Region ISO code. |
keyword |
server.geo.region_name |
Region name. |
keyword |
server.ip |
IP address of the server (IPv4 or IPv6). |
ip |
server.port |
Port of the server. |
long |
tags |
List of keywords used to tag each event. |
keyword |
modbus
editThe modbus
dataset collects the Zeek modbus.log file, which contains
modbus commands and responses.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.action |
The action captured by the event. This describes the information in the event. It is more specific than |
keyword |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.outcome |
This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. |
keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.protocol |
In the OSI Model this would be the Application Layer protocol. For example, |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
zeek.modbus.exception |
The exception if the response was a failure. |
keyword |
zeek.modbus.function |
The name of the function message that was sent. |
keyword |
zeek.modbus.track_address |
Present if policy/protocols/modbus/track-memmap.bro is loaded. Modbus track address. |
integer |
zeek.session_id |
A unique identifier of the session |
keyword |
mysql
editThe mysql
dataset collects the Zeek mysql.log file, which contains
MySQL data.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.action |
The action captured by the event. This describes the information in the event. It is more specific than |
keyword |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.outcome |
This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. |
keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.protocol |
In the OSI Model this would be the Application Layer protocol. For example, |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
zeek.mysql.arg |
The argument issued to the command. |
keyword |
zeek.mysql.cmd |
The command that was issued. |
keyword |
zeek.mysql.response |
Server message, if any. |
keyword |
zeek.mysql.rows |
The number of affected rows, if any. |
integer |
zeek.mysql.success |
Whether the command succeeded. |
boolean |
zeek.session_id |
A unique identifier of the session |
keyword |
notice
editThe notice
dataset collects the Zeek notice.log file, which contains
Zeek notices.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
file.mime_type |
MIME type should identify the format of the file or stream of bytes using IANA[https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. |
keyword |
file.size |
File size in bytes. Only relevant when |
long |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
rule.description |
The description of the rule generating the event. |
keyword |
rule.name |
The name of the rule or signature generating the event. |
keyword |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
zeek.notice.actions |
The actions which have been applied to this notice. |
keyword |
zeek.notice.connection_id |
Identifier of the related connection session. |
keyword |
zeek.notice.dropped |
Indicate if the source IP address was dropped and denied network access. |
boolean |
zeek.notice.email_body_sections |
By adding chunks of text into this element, other scripts can expand on notices that are being emailed. |
text |
zeek.notice.email_delay_tokens |
Adding a string token to this set will cause the built-in emailing functionality to delay sending the email either the token has been removed or the email has been delayed for the specified time duration. |
keyword |
zeek.notice.ffile.total_bytes |
Total number of bytes that are supposed to comprise the full file. |
long |
zeek.notice.file.id |
An identifier associated with a single file that is related to this notice. |
keyword |
zeek.notice.file.is_orig |
If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder. |
boolean |
zeek.notice.file.mime_type |
A mime type if the notice is related to a file. |
keyword |
zeek.notice.file.missing_bytes |
The number of bytes in the file stream that were completely missed during the process of analysis. |
long |
zeek.notice.file.overflow_bytes |
The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn’t be reassembled. |
long |
zeek.notice.file.parent_id |
Identifier associated with a container file from which this one was extracted. |
keyword |
zeek.notice.file.seen_bytes |
Number of bytes provided to the file analysis engine for the file. |
long |
zeek.notice.file.source |
An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source. |
keyword |
zeek.notice.fuid |
A file unique ID if this notice is related to a file. |
keyword |
zeek.notice.icmp_id |
Identifier of the related ICMP session. |
keyword |
zeek.notice.identifier |
This field is provided when a notice is generated for the purpose of deduplicating notices. |
keyword |
zeek.notice.msg |
The human readable message for the notice. |
keyword |
zeek.notice.n |
Associated count, or a status code. |
long |
zeek.notice.note |
The type of the notice. |
keyword |
zeek.notice.peer_descr |
Textual description for the peer that raised this notice. |
text |
zeek.notice.peer_name |
Name of remote peer that raised this notice. |
keyword |
zeek.notice.sub |
The human readable sub-message. |
keyword |
zeek.notice.suppress_for |
This field indicates the length of time that this unique notice should be suppressed. |
double |
zeek.session_id |
A unique identifier of the session |
keyword |
ntp
editThe ntp
dataset collects the Zeek ntp.log file, which contains
NTP data.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.bytes |
Bytes sent from the destination to the source. |
long |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.mac |
MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
destination.packets |
Packets sent from the destination to the source. |
long |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.duration |
Duration of the event in nanoseconds. If |
long |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.bytes |
Total bytes transferred in both directions. If |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.direction |
Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host’s point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. |
keyword |
network.packets |
Total packets transferred in both directions. If |
long |
network.protocol |
In the OSI Model this would be the Application Layer protocol. For example, |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
network.type |
In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.bytes |
Bytes sent from the source to the destination. |
long |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.mac |
MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
source.packets |
Packets sent from the source to the destination. |
long |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
zeek.ntp.mode |
The NTP mode being used. |
integer |
zeek.ntp.num_exts |
Number of extension fields (which are not currently parsed). |
integer |
zeek.ntp.org_time |
Time at the client when the request departed for the NTP server. |
date |
zeek.ntp.poll |
The maximum interval between successive messages in seconds. |
double |
zeek.ntp.precision |
The precision of the system clock in seconds. |
double |
zeek.ntp.rec_time |
Time at the server when the request arrived from the NTP client. |
date |
zeek.ntp.ref_id |
For stratum 0, 4 character string used for debugging. For stratum 1, ID assigned to the reference clock by IANA. Above stratum 1, when using IPv4, the IP address of the reference clock. Note that the NTP protocol did not originally specify a large enough field to represent IPv6 addresses, so they use the first four bytes of the MD5 hash of the reference clock’s IPv6 address (i.e. an IPv4 address here is not necessarily IPv4). |
keyword |
zeek.ntp.ref_time |
Time when the system clock was last set or correct. |
date |
zeek.ntp.root_delay |
Total round-trip delay to the reference clock in seconds. |
double |
zeek.ntp.root_disp |
Total dispersion to the reference clock in seconds. |
double |
zeek.ntp.stratum |
The stratum (primary server, secondary server, etc.). |
integer |
zeek.ntp.version |
The NTP version number (1, 2, 3, 4). |
integer |
zeek.ntp.xmt_time |
Time at the server when the response departed for the NTP client. |
date |
zeek.session_id |
A unique identifier of the session |
keyword |
ntlm
editThe ntlm
dataset collects the Zeek ntlm.log file, which contains NT
LAN Manager(NTLM) data.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.outcome |
This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. |
keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
file.path |
Full path to the file, including the file name. It should include the drive letter, when appropriate. |
keyword |
file.path.text |
Multi-field of |
match_only_text |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.protocol |
In the OSI Model this would be the Application Layer protocol. For example, |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
related.user |
All the user names or other user identifiers seen on the event. |
keyword |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
user.domain |
Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. |
keyword |
user.name |
Short name or login of the user. |
keyword |
user.name.text |
Multi-field of |
match_only_text |
zeek.ntlm.domain |
Domain name given by the client. |
keyword |
zeek.ntlm.hostname |
Hostname given by the client. |
keyword |
zeek.ntlm.server.name.dns |
DNS name given by the server in a CHALLENGE. |
keyword |
zeek.ntlm.server.name.netbios |
NetBIOS name given by the server in a CHALLENGE. |
keyword |
zeek.ntlm.server.name.tree |
Tree name given by the server in a CHALLENGE. |
keyword |
zeek.ntlm.success |
Indicate whether or not the authentication was successful. |
boolean |
zeek.ntlm.username |
Username given by the client. |
keyword |
zeek.session_id |
A unique identifier of the session |
keyword |
ocsp
editThe ocsp
dataset collects the Zeek ocsp.log file, which contains
Online Certificate Status Protocol (OCSP) data.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
file.path |
Full path to the file, including the file name. It should include the drive letter, when appropriate. |
keyword |
file.path.text |
Multi-field of |
match_only_text |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
related.hash |
All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you’re unsure what the hash algorithm is (and therefore which key name to search). |
keyword |
tags |
List of keywords used to tag each event. |
keyword |
zeek.ocsp.file_id |
File id of the OCSP reply. |
keyword |
zeek.ocsp.hash.algorithm |
Hash algorithm used to generate issuerNameHash and issuerKeyHash. |
keyword |
zeek.ocsp.hash.issuer.key |
Hash of the issuer’s public key. |
keyword |
zeek.ocsp.hash.issuer.name |
Hash of the issuer’s distingueshed name. |
keyword |
zeek.ocsp.revoke.date |
Time at which the certificate was revoked. |
date |
zeek.ocsp.revoke.reason |
Reason for which the certificate was revoked. |
keyword |
zeek.ocsp.serial_number |
Serial number of the affected certificate. |
keyword |
zeek.ocsp.status |
Status of the affected certificate. |
keyword |
zeek.ocsp.update.next |
The latest time at which new information about the status of the certificate will be available. |
date |
zeek.ocsp.update.this |
The time at which the status being shows is known to have been correct. |
date |
zeek.session_id |
A unique identifier of the session |
keyword |
pe
editThe pe
dataset collects the Zeek pe.log file, which contains
portable executable data.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
tags |
List of keywords used to tag each event. |
keyword |
zeek.pe.client |
The client’s version string. |
keyword |
zeek.pe.compile_time |
The time that the file was created at. |
date |
zeek.pe.has_cert_table |
Does the file have an attribute certificate table? |
boolean |
zeek.pe.has_debug_data |
Does the file have a debug table? |
boolean |
zeek.pe.has_export_table |
Does the file have an export table? |
boolean |
zeek.pe.has_import_table |
Does the file have an import table? |
boolean |
zeek.pe.id |
File id of this portable executable file. |
keyword |
zeek.pe.is_64bit |
Is the file a 64-bit executable? |
boolean |
zeek.pe.is_exe |
Is the file an executable, or just an object file? |
boolean |
zeek.pe.machine |
The target machine that the file was compiled for. |
keyword |
zeek.pe.os |
The required operating system. |
keyword |
zeek.pe.section_names |
The names of the sections, in order. |
keyword |
zeek.pe.subsystem |
The subsystem that is required to run this file. |
keyword |
zeek.pe.uses_aslr |
Does the file support Address Space Layout Randomization? |
boolean |
zeek.pe.uses_code_integrity |
Does the file enforce code integrity checks? |
boolean |
zeek.pe.uses_dep |
Does the file support Data Execution Prevention? |
boolean |
zeek.pe.uses_seh |
Does the file use structured exception handing? |
boolean |
zeek.session_id |
A unique identifier of the session |
keyword |
radius
editThe radius
dataset collects the Zeek radius.log file, which contains
RADIUS authentication attempts.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.outcome |
This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. |
keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.protocol |
In the OSI Model this would be the Application Layer protocol. For example, |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
related.user |
All the user names or other user identifiers seen on the event. |
keyword |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
user.name |
Short name or login of the user. |
keyword |
user.name.text |
Multi-field of |
match_only_text |
zeek.radius.connect_info |
Connect info, if present. |
keyword |
zeek.radius.framed_addr |
The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address. |
ip |
zeek.radius.logged |
Whether this has already been logged and can be ignored. |
boolean |
zeek.radius.mac |
MAC address, if present. |
keyword |
zeek.radius.remote_ip |
Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute. |
ip |
zeek.radius.reply_msg |
Reply message from the server challenge. This is frequently shown to the user authenticating. |
keyword |
zeek.radius.result |
Successful or failed authentication. |
keyword |
zeek.radius.ttl |
The duration between the first request and either the "Access-Accept" message or an error. If the field is empty, it means that either the request or response was not seen. |
integer |
zeek.radius.username |
The username, if present. |
keyword |
zeek.session_id |
A unique identifier of the session |
keyword |
rdp
editThe rdp
dataset collects the Zeek rdp.log file, which contains RDP
data.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.protocol |
In the OSI Model this would be the Application Layer protocol. For example, |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
tls.established |
Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. |
boolean |
zeek.rdp.cert.count |
The number of certs seen. X.509 can transfer an entire certificate chain. |
integer |
zeek.rdp.cert.permanent |
Indicates if the provided certificate or certificate chain is permanent or temporary. |
boolean |
zeek.rdp.cert.type |
If the connection is being encrypted with native RDP encryption, this is the type of cert being used. |
keyword |
zeek.rdp.client.build |
RDP client version used by the client machine. |
keyword |
zeek.rdp.client.client_name |
Name of the client machine. |
keyword |
zeek.rdp.client.product_id |
Product ID of the client machine. |
keyword |
zeek.rdp.cookie |
Cookie value used by the client machine. This is typically a username. |
keyword |
zeek.rdp.desktop.color_depth |
The color depth requested by the client in the high_color_depth field. |
keyword |
zeek.rdp.desktop.height |
Desktop height of the client machine. |
integer |
zeek.rdp.desktop.width |
Desktop width of the client machine. |
integer |
zeek.rdp.done |
Track status of logging RDP connections. |
boolean |
zeek.rdp.encryption.level |
Encryption level of the connection. |
keyword |
zeek.rdp.encryption.method |
Encryption method of the connection. |
keyword |
zeek.rdp.keyboard_layout |
Keyboard layout (language) of the client machine. |
keyword |
zeek.rdp.result |
Status result for the connection. It’s a mix between RDP negotation failure messages and GCC server create response messages. |
keyword |
zeek.rdp.security_protocol |
Security protocol chosen by the server. |
keyword |
zeek.rdp.ssl |
(present if policy/protocols/rdp/indicate_ssl.bro is loaded) Flag the connection if it was seen over SSL. |
boolean |
zeek.session_id |
A unique identifier of the session |
keyword |
rfb
editThe rfb
dataset collects the Zeek rfb.log file, which contains
Remote Framebuffer (RFB) data.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.protocol |
In the OSI Model this would be the Application Layer protocol. For example, |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
zeek.rfb.auth.method |
Identifier of authentication method used. |
keyword |
zeek.rfb.auth.success |
Whether or not authentication was successful. |
boolean |
zeek.rfb.desktop_name |
Name of the screen that is being shared. |
keyword |
zeek.rfb.height |
Height of the screen that is being shared. |
integer |
zeek.rfb.share_flag |
Whether the client has an exclusive or a shared session. |
boolean |
zeek.rfb.version.client.major |
Major version of the client. |
keyword |
zeek.rfb.version.client.minor |
Minor version of the client. |
keyword |
zeek.rfb.version.server.major |
Major version of the server. |
keyword |
zeek.rfb.version.server.minor |
Minor version of the server. |
keyword |
zeek.rfb.width |
Width of the screen that is being shared. |
integer |
zeek.session_id |
A unique identifier of the session |
keyword |
signature
editThe signature
dataset collects the Zeek signature.log file, which contains
Zeek signature matches.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.bytes |
Bytes sent from the destination to the source. |
long |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.mac |
MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
destination.packets |
Packets sent from the destination to the source. |
long |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.duration |
Duration of the event in nanoseconds. If |
long |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.bytes |
Total bytes transferred in both directions. If |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.direction |
Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host’s point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. |
keyword |
network.packets |
Total packets transferred in both directions. If |
long |
network.protocol |
In the OSI Model this would be the Application Layer protocol. For example, |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
network.type |
In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
rule.description |
The description of the rule generating the event. |
keyword |
rule.id |
A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. |
keyword |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.bytes |
Bytes sent from the source to the destination. |
long |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.mac |
MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
source.packets |
Packets sent from the source to the destination. |
long |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
zeek.session_id |
A unique identifier of the session |
keyword |
zeek.signature.event_msg |
A more descriptive message of the signature-matching event. |
keyword |
zeek.signature.host_count |
Number of hosts, from a summary count. |
integer |
zeek.signature.note |
Notice associated with signature event. |
keyword |
zeek.signature.sig_count |
Number of sigs, usually from summary count. |
integer |
zeek.signature.sig_id |
The name of the signature that matched. |
keyword |
zeek.signature.sub_msg |
Extracted payload data or extra message. |
keyword |
sip
editThe sip
dataset collects the Zeek sip.log file, which contains SIP
data.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.action |
The action captured by the event. This describes the information in the event. It is more specific than |
keyword |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.outcome |
This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. |
keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.protocol |
In the OSI Model this would be the Application Layer protocol. For example, |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
url.full |
If full URLs are important to your use case, they should be stored in |
wildcard |
url.full.text |
Multi-field of |
match_only_text |
zeek.session_id |
A unique identifier of the session |
keyword |
zeek.sip.call_id |
Contents of the Call-ID: header from the client. |
keyword |
zeek.sip.content_type |
Contents of the Content-Type: header from the server. |
keyword |
zeek.sip.date |
Contents of the Date: header from the client. |
keyword |
zeek.sip.reply_to |
Contents of the Reply-To: header. |
keyword |
zeek.sip.request.body_length |
Contents of the Content-Length: header from the client. |
long |
zeek.sip.request.from |
Contents of the request From: header Note: The tag= value that’s usually appended to the sender is stripped off and not logged. |
keyword |
zeek.sip.request.path |
The client message transmission path, as extracted from the headers. |
keyword |
zeek.sip.request.to |
Contents of the To: header. |
keyword |
zeek.sip.response.body_length |
Contents of the Content-Length: header from the server. |
long |
zeek.sip.response.from |
Contents of the response From: header Note: The tag= value that’s usually appended to the sender is stripped off and not logged. |
keyword |
zeek.sip.response.path |
The server message transmission path, as extracted from the headers. |
keyword |
zeek.sip.response.to |
Contents of the response To: header. |
keyword |
zeek.sip.sequence.method |
Verb used in the SIP request (INVITE, REGISTER etc.). |
keyword |
zeek.sip.sequence.number |
Contents of the CSeq: header from the client. |
keyword |
zeek.sip.status.code |
Status code returned by the server. |
integer |
zeek.sip.status.msg |
Status message returned by the server. |
keyword |
zeek.sip.subject |
Contents of the Subject: header from the client. |
keyword |
zeek.sip.transaction_depth |
Represents the pipelined depth into the connection of this request/response transaction. |
integer |
zeek.sip.uri |
URI used in the request. |
keyword |
zeek.sip.user_agent |
Contents of the User-Agent: header from the client. |
keyword |
zeek.sip.warning |
Contents of the Warning: header. |
keyword |
smb_cmd
editThe smb_cmd
dataset collects the Zeek smb_cmd.log file, which
contains SMB commands.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.action |
The action captured by the event. This describes the information in the event. It is more specific than |
keyword |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.outcome |
This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. |
keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.protocol |
In the OSI Model this would be the Application Layer protocol. For example, |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
related.user |
All the user names or other user identifiers seen on the event. |
keyword |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
user.name |
Short name or login of the user. |
keyword |
user.name.text |
Multi-field of |
match_only_text |
zeek.session_id |
A unique identifier of the session |
keyword |
zeek.smb_cmd.argument |
Command argument sent by the client, if any. |
keyword |
zeek.smb_cmd.command |
The command sent by the client. |
keyword |
zeek.smb_cmd.file.action |
Action this log record represents. |
keyword |
zeek.smb_cmd.file.host.rx |
Address of the receiving host. |
ip |
zeek.smb_cmd.file.host.tx |
Address of the transmitting host. |
ip |
zeek.smb_cmd.file.name |
Filename if one was seen. |
keyword |
zeek.smb_cmd.file.uid |
UID of the referenced file. |
keyword |
zeek.smb_cmd.rtt |
Round trip time from the request to the response. |
double |
zeek.smb_cmd.smb1_offered_dialects |
Present if base/protocols/smb/smb1-main.bro is loaded. Dialects offered by the client. |
keyword |
zeek.smb_cmd.smb2_offered_dialects |
Present if base/protocols/smb/smb2-main.bro is loaded. Dialects offered by the client. |
integer |
zeek.smb_cmd.status |
Server reply to the client’s command. |
keyword |
zeek.smb_cmd.sub_command |
The subcommand sent by the client, if present. |
keyword |
zeek.smb_cmd.tree |
If this is related to a tree, this is the tree that was used for the current command. |
keyword |
zeek.smb_cmd.tree_service |
The type of tree (disk share, printer share, named pipe, etc.). |
keyword |
zeek.smb_cmd.username |
Authenticated username, if available. |
keyword |
zeek.smb_cmd.version |
Version of SMB for the command. |
keyword |
smb_files
editThe smb_files
dataset collects the Zeek smb_files.log file, which
contains SMB file data.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.action |
The action captured by the event. This describes the information in the event. It is more specific than |
keyword |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
file.accessed |
Last time the file was accessed. Note that not all filesystems keep track of access time. |
date |
file.created |
File creation time. Note that not all filesystems store the creation time. |
date |
file.ctime |
Last time the file attributes or metadata changed. Note that changes to the file content will update |
date |
file.mtime |
Last time the file content was modified. |
date |
file.name |
Name of the file including the extension, without the directory. |
keyword |
file.path |
Full path to the file, including the file name. It should include the drive letter, when appropriate. |
keyword |
file.path.text |
Multi-field of |
match_only_text |
file.size |
File size in bytes. Only relevant when |
long |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.protocol |
In the OSI Model this would be the Application Layer protocol. For example, |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
related.user |
All the user names or other user identifiers seen on the event. |
keyword |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
zeek.session_id |
A unique identifier of the session |
keyword |
zeek.smb_files.action |
Action this log record represents. |
keyword |
zeek.smb_files.fid |
ID referencing this file. |
integer |
zeek.smb_files.name |
Filename if one was seen. |
keyword |
zeek.smb_files.path |
Path pulled from the tree this file was transferred to or from. |
keyword |
zeek.smb_files.previous_name |
If the rename action was seen, this will be the file’s previous name. |
keyword |
zeek.smb_files.size |
Byte size of the file. |
long |
zeek.smb_files.times.accessed |
The file’s access time. |
date |
zeek.smb_files.times.changed |
The file’s change time. |
date |
zeek.smb_files.times.created |
The file’s create time. |
date |
zeek.smb_files.times.modified |
The file’s modify time. |
date |
zeek.smb_files.uuid |
UUID referencing this file if DCE/RPC. |
keyword |
smb_mapping
editThe smb_mapping
dataset collects the Zeek smb_mapping.log file,
which contains SMB trees.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
file.path |
Full path to the file, including the file name. It should include the drive letter, when appropriate. |
keyword |
file.path.text |
Multi-field of |
match_only_text |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.protocol |
In the OSI Model this would be the Application Layer protocol. For example, |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
zeek.session_id |
A unique identifier of the session |
keyword |
zeek.smb_mapping.native_file_system |
File system of the tree. |
keyword |
zeek.smb_mapping.path |
Name of the tree path. |
keyword |
zeek.smb_mapping.service |
The type of resource of the tree (disk share, printer share, named pipe, etc.). |
keyword |
zeek.smb_mapping.share_type |
If this is SMB2, a share type will be included. For SMB1, the type of share will be deduced and included as well. |
keyword |
smtp
editThe smtp
dataset collects the Zeek smtp.log file, which contains
SMTP transactions..
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.protocol |
In the OSI Model this would be the Application Layer protocol. For example, |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
tls.established |
Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. |
boolean |
zeek.session_id |
A unique identifier of the session |
keyword |
zeek.smtp.cc |
Contents of the CC header. |
keyword |
zeek.smtp.date |
Contents of the Date header. |
date |
zeek.smtp.first_received |
Contents of the first Received header. |
keyword |
zeek.smtp.from |
Contents of the From header. |
keyword |
zeek.smtp.fuids |
(present if base/protocols/smtp/files.bro is loaded) An ordered vector of file unique IDs seen attached to the message. |
keyword |
zeek.smtp.has_client_activity |
Indicates if client activity has been seen, but not yet logged. |
boolean |
zeek.smtp.helo |
Contents of the Helo header. |
keyword |
zeek.smtp.in_reply_to |
Contents of the In-Reply-To header. |
keyword |
zeek.smtp.is_webmail |
Indicates if the message was sent through a webmail interface. |
boolean |
zeek.smtp.last_reply |
The last message that the server sent to the client. |
keyword |
zeek.smtp.mail_from |
Email addresses found in the MAIL FROM header. |
keyword |
zeek.smtp.msg_id |
Contents of the MsgID header. |
keyword |
zeek.smtp.path |
The message transmission path, as extracted from the headers. |
ip |
zeek.smtp.process_received_from |
Indicates if the "Received: from" headers should still be processed. |
boolean |
zeek.smtp.rcpt_to |
Email addresses found in the RCPT TO header. |
keyword |
zeek.smtp.reply_to |
Contents of the ReplyTo header. |
keyword |
zeek.smtp.second_received |
Contents of the second Received header. |
keyword |
zeek.smtp.subject |
Contents of the Subject header. |
keyword |
zeek.smtp.tls |
Indicates that the connection has switched to using TLS. |
boolean |
zeek.smtp.to |
Contents of the To header. |
keyword |
zeek.smtp.transaction_depth |
A count to represent the depth of this message transaction in a single connection where multiple messages were transferred. |
integer |
zeek.smtp.user_agent |
Value of the User-Agent header from the client. |
keyword |
zeek.smtp.x_originating_ip |
Contents of the X-Originating-IP header. |
keyword |
snmp
editThe snmp
dataset collects the Zeek snmp.log file, which contains
SNMP messages.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.protocol |
In the OSI Model this would be the Application Layer protocol. For example, |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
zeek.session_id |
A unique identifier of the session |
keyword |
zeek.snmp.community |
The community string of the first SNMP packet associated with the session. This is used as part of SNMP’s (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901. |
keyword |
zeek.snmp.display_string |
A system description of the SNMP responder endpoint. |
keyword |
zeek.snmp.duration |
The amount of time between the first packet beloning to the SNMP session and the latest one seen. |
double |
zeek.snmp.get.bulk_requests |
The number of variable bindings in GetBulkRequest PDUs seen for the session. |
integer |
zeek.snmp.get.requests |
The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session. |
integer |
zeek.snmp.get.responses |
The number of variable bindings in GetResponse/Response PDUs seen for the session. |
integer |
zeek.snmp.set.requests |
The number of variable bindings in SetRequest PDUs seen for the session. |
integer |
zeek.snmp.up_since |
The time at which the SNMP responder endpoint claims it’s been up since. |
date |
zeek.snmp.version |
The version of SNMP being used. |
keyword |
socks
editThe socks
dataset collects the Zeek socks.log file, which contains
SOCKS proxy requests.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.outcome |
This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. |
keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.protocol |
In the OSI Model this would be the Application Layer protocol. For example, |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
related.user |
All the user names or other user identifiers seen on the event. |
keyword |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
user.name |
Short name or login of the user. |
keyword |
user.name.text |
Multi-field of |
match_only_text |
zeek.session_id |
A unique identifier of the session |
keyword |
zeek.socks.bound.host |
Server bound address. Could be an address, a name or both. |
keyword |
zeek.socks.bound.port |
Server bound port. |
integer |
zeek.socks.capture_password |
Determines if the password will be captured for this request. |
boolean |
zeek.socks.password |
Password used to request a login to the proxy. |
keyword |
zeek.socks.request.host |
Client requested SOCKS address. Could be an address, a name or both. |
keyword |
zeek.socks.request.port |
Client requested port. |
integer |
zeek.socks.status |
Server status for the attempt at using the proxy. |
keyword |
zeek.socks.user |
Username used to request a login to the proxy. |
keyword |
zeek.socks.version |
Protocol version of SOCKS. |
integer |
software
editThe software
dataset collects details on applications operated by the hosts it sees on the local network. See the documentation for more details.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
ecs.version |
ECS version this event conforms to. |
keyword |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.geo.city_name |
City name. |
keyword |
host.geo.continent_name |
Name of the continent. |
keyword |
host.geo.country_iso_code |
Country ISO code. |
keyword |
host.geo.country_name |
Country name. |
keyword |
host.geo.location |
Longitude and latitude. |
geo_point |
host.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
host.geo.region_iso_code |
Region ISO code. |
keyword |
host.geo.region_name |
Region name. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.type |
In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
tags |
List of keywords used to tag each event. |
keyword |
zeek.software.name |
Name of the software (e.g. Apache). |
keyword |
zeek.software.type |
The type of software detected |
keyword |
zeek.software.version.additional |
Additional version information |
keyword |
zeek.software.version.full |
Full unparsed version of the software. |
keyword |
zeek.software.version.major |
Major version of software. |
long |
zeek.software.version.minor |
minor version of software. |
long |
zeek.software.version.minor2 |
2nd minor version of software. |
long |
zeek.software.version.minor3 |
3rd minor version of software. |
long |
ssh
editThe ssh
dataset collects the Zeek ssh.log file, which contains SSH
connection data.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.outcome |
This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. |
keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.protocol |
In the OSI Model this would be the Application Layer protocol. For example, |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
zeek.session_id |
A unique identifier of the session |
keyword |
zeek.ssh.algorithm.cipher |
The encryption algorithm in use. |
keyword |
zeek.ssh.algorithm.compression |
The compression algorithm in use. |
keyword |
zeek.ssh.algorithm.host_key |
The server host key’s algorithm. |
keyword |
zeek.ssh.algorithm.key_exchange |
The key exchange algorithm in use. |
keyword |
zeek.ssh.algorithm.mac |
The signing (MAC) algorithm in use. |
keyword |
zeek.ssh.auth.attempts |
The number of authentication attemps we observed. There’s always at least one, since some servers might support no authentication at all. It’s important to note that not all of these are failures, since some servers require two-factor auth (e.g. password AND pubkey). |
integer |
zeek.ssh.auth.success |
Authentication result. |
boolean |
zeek.ssh.client |
The client’s version string. |
keyword |
zeek.ssh.direction |
Direction of the connection. If the client was a local host logging into an external host, this would be OUTBOUND. INBOUND would be set for the opposite situation. |
keyword |
zeek.ssh.host_key |
The server’s key thumbprint. |
keyword |
zeek.ssh.server |
The server’s version string. |
keyword |
zeek.ssh.version |
SSH major version (1 or 2). |
integer |
ssl
editThe ssl
dataset collects the Zeek ssl.log file, which contains
SSL/TLS handshake info.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp |
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. |
date |
client.address |
Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
cloud.account.id |
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. |
keyword |
cloud.availability_zone |
Availability zone in which this host, resource, or service is located. |
keyword |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
cloud.instance.id |
Instance ID of the host machine. |
keyword |
cloud.instance.name |
Instance name of the host machine. |
keyword |
cloud.machine.type |
Machine type of the host machine. |
keyword |
cloud.project.id |
The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. |
keyword |
cloud.provider |
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
keyword |
cloud.region |
Region in which this host, resource, or service is located. |
keyword |
container.id |
Unique container id. |
keyword |
container.image.name |
Name of the image the container was built on. |
keyword |
container.labels |
Image labels. |
object |
container.name |
Container name. |
keyword |
data_stream.dataset |
The field can contain anything that makes sense to signify the source of the data. Examples include |
constant_keyword |
data_stream.namespace |
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with |
constant_keyword |
data_stream.type |
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. |
constant_keyword |
destination.address |
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
destination.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
destination.as.organization.name |
Organization name. |
keyword |
destination.as.organization.name.text |
Multi-field of |
match_only_text |
destination.geo.city_name |
City name. |
keyword |
destination.geo.continent_name |
Name of the continent. |
keyword |
destination.geo.country_iso_code |
Country ISO code. |
keyword |
destination.geo.country_name |
Country name. |
keyword |
destination.geo.location |
Longitude and latitude. |
geo_point |
destination.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
destination.geo.region_iso_code |
Region ISO code. |
keyword |
destination.geo.region_name |
Region name. |
keyword |
destination.ip |
IP address of the destination (IPv4 or IPv6). |
ip |
destination.port |
Port of the destination. |
long |
ecs.version |
ECS version this event conforms to. |
keyword |
error.message |
Error message. |
match_only_text |
event.category |
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. |
keyword |
event.created |
|
date |
event.dataset |
Event dataset |
constant_keyword |
event.id |
Unique ID to describe the event. |
keyword |
event.ingested |
Timestamp when an event arrived in the central data store. This is different from |
date |
event.kind |
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. |
keyword |
event.module |
Event module |
constant_keyword |
event.type |
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. |
keyword |
host.architecture |
Operating system architecture. |
keyword |
host.containerized |
If the host is a container. |
boolean |
host.domain |
Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
keyword |
host.hostname |
Hostname of the host. It normally contains what the |
keyword |
host.id |
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of |
keyword |
host.ip |
Host ip addresses. |
ip |
host.mac |
Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. |
keyword |
host.name |
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. |
keyword |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
host.os.family |
OS family (such as redhat, debian, freebsd, windows). |
keyword |
host.os.kernel |
Operating system kernel version as a raw string. |
keyword |
host.os.name |
Operating system name, without the version. |
keyword |
host.os.name.text |
Multi-field of |
match_only_text |
host.os.platform |
Operating system platform (such centos, ubuntu, windows). |
keyword |
host.os.version |
Operating system version as a raw string. |
keyword |
host.type |
Type of host. For Cloud providers this can be the machine type like |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.file.path |
Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
network.community_id |
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. |
keyword |
network.transport |
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. |
keyword |
related.hash |
All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you’re unsure what the hash algorithm is (and therefore which key name to search). |
keyword |
related.ip |
All of the IPs seen on your event. |
ip |
server.address |
Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.address |
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the |
keyword |
source.as.number |
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. |
long |
source.as.organization.name |
Organization name. |
keyword |
source.as.organization.name.text |
Multi-field of |
match_only_text |
source.geo.city_name |
City name. |
keyword |
source.geo.continent_name |
Name of the continent. |
keyword |
source.geo.country_iso_code |
Country ISO code. |
keyword |
source.geo.country_name |
Country name. |
keyword |
source.geo.location |
Longitude and latitude. |
geo_point |
source.geo.name |
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. |
keyword |
source.geo.region_iso_code |
Region ISO code. |
keyword |
source.geo.region_name |
Region name. |
keyword |
source.ip |
IP address of the source (IPv4 or IPv6). |
ip |
source.port |
Port of the source. |
long |
tags |
List of keywords used to tag each event. |
keyword |
tls.cipher |
String indicating the cipher used during the current connection. |
keyword |
tls.client.issuer |
Distinguished name of subject of the issuer of the x.509 certificate presented by the client. |
keyword |
tls.client.ja3 |
A hash that identifies clients based on how they perform an SSL/TLS handshake. |
keyword |
tls.client.x509.subject.common_name |
List of common names (CN) of subject. |
keyword |
tls.client.x509.subject.country |
List of country © code |
keyword |
tls.client.x509.subject.locality |
List of locality names (L) |
keyword |
tls.client.x509.subject.organization |
List of organizations (O) of subject. |
keyword |
tls.client.x509.subject.organizational_unit |
List of organizational units (OU) of subject. |
keyword |
tls.client.x509.subject.state_or_province |
List of state or province names (ST, S, or P) |
keyword |
tls.curve |
String indicating the curve used for the given cipher, when applicable. |
keyword |
tls.established |
Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. |
boolean |
tls.resumed |
Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. |
boolean |
tls.server.hash.sha1 |
Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. |
keyword |
tls.server.issuer |
Subject of the issuer of the x.509 certificate presented by the server. |
keyword |
tls.server.ja3s |
A hash that identifies servers based on how they perform an SSL/TLS handshake. |
keyword |
tls.server.not_after |
Timestamp indicating when server certificate is no longer considered valid. |
date |
tls.server.not_before |
Timestamp indicating when server certificate is first considered valid. |
date |
tls.server.subject |
Subject of the x.509 certificate presented by the server. |
keyword |
tls.server.x509.issuer.common_name |
List of common name (CN) of issuing certificate authority. |
keyword |
tls.server.x509.issuer.country |
List of country © codes |
keyword |
tls.server.x509.issuer.distinguished_name |
Distinguished name (DN) of issuing certificate authority. |
keyword |
tls.server.x509.issuer.locality |
List of locality names (L) |
keyword |
tls.server.x509.issuer.organization |
List of organizations (O) of issuing certificate authority. |
keyword |
tls.server.x509.issuer.organizational_unit |
List of organizational units (OU) of issuing certificate authority. |
keyword |
tls.server.x509.issuer.state_or_province |
List of state or province names (ST, S, or P) |
keyword |
tls.server.x509.subject.common_name |
List of common names (CN) of subject. |
keyword |
tls.server.x509.subject.country |
List of country © code |
keyword |
tls.server.x509.subject.locality |
List of locality names (L) |
keyword |
tls.server.x509.subject.organization |
List of organizations (O) of subject. |
keyword |
tls.server.x509.subject.organizational_unit |
List of organizational units (OU) of subject. |
keyword |
tls.server.x509.subject.state_or_province |
List of state or province names (ST, S, or P) |
keyword |
tls.version |
Numeric part of the version parsed from the original string. |
keyword |
tls.version_protocol |
Normalized lowercase protocol name parsed from original string. |
keyword |
zeek.session_id |
A unique identifier of the session |
keyword |
zeek.ssl.cipher |
SSL/TLS cipher suite that was logged. |
keyword |
zeek.ssl.client.cert_chain |
Chain of certificates offered by the client to validate its complete signing chain. |
keyword |
zeek.ssl.client.cert_chain_fuids |
An ordered vector of certificate file identifiers for the certificates offered by the client. |
keyword |
zeek.ssl.client.issuer.common_name |
Common name of the signer of the X.509 certificate offered by the client. |
keyword |
zeek.ssl.client.issuer.country |
Country code of the signer of the X.509 certificate offered by the client. |
keyword |
zeek.ssl.client.issuer.locality |
Locality of the signer of the X.509 certificate offered by the client. |
keyword |
zeek.ssl.client.issuer.organization |
Organization of the signer of the X.509 certificate offered by the client. |
keyword |
zeek.ssl.client.issuer.organizational_unit |
Organizational unit of the signer of the X.509 certificate offered by the client. |
keyword |
zeek.ssl.client.issuer.state |
State or province name of the signer of the X.509 certificate offered by the client. |
keyword |
zeek.ssl.client.subject.common_name |
Common name of the X.509 certificate offered by the client. |
keyword |
zeek.ssl.client.subject.country |
Country code of the X.509 certificate offered by the client. |
keyword |
zeek.ssl.client.subject.locality |
Locality of the X.509 certificate offered by the client. |
keyword |
zeek.ssl.client.subject.organization |
Organization of the X.509 certificate offered by the client. |
keyword |
zeek.ssl.client.subject.organizational_unit |
Organizational unit of the X.509 certificate offered by the client. |
keyword |
zeek.ssl.client.subject.state |
State or province name of the X.509 certificate offered by the client. |
keyword |
zeek.ssl.curve |
Elliptic curve that was logged when using ECDH/ECDHE. |
keyword |
zeek.ssl.established |
Flag to indicate if this ssl session has been established successfully. |
boolean |
zeek.ssl.last_alert |
Last alert that was seen during the connection. |
keyword |
zeek.ssl.next_protocol |
Next protocol the server chose using the application layer next protocol extension. |