From 5d72f8d55a67cb30016ffa0e950e2cf0dbb011dc Mon Sep 17 00:00:00 2001
From: Wes
Date: Wed, 30 Nov 2022 15:01:41 +0000
Subject: [PATCH] Additional field renames and updates

---
 .../files/ingest/zeek.bsap_serial_rdb_ext | 2 +-
 salt/elasticsearch/files/ingest/zeek.cip | 2 +-
 salt/elasticsearch/files/ingest/zeek.cip_io | 2 +-
 salt/elasticsearch/files/ingest/zeek.ecat_foe_info | 4 ++--
 salt/elasticsearch/files/ingest/zeek.opcua_binary | 2 +-
 .../files/ingest/zeek.opcua_binary_browse | 4 ++--
 .../ingest/zeek.opcua_binary_browse_description | 2 +-
 .../files/ingest/zeek.opcua_binary_create_session | 12 ++++++------
 .../zeek.opcua_binary_create_session_user_token | 4 ++--
 .../zeek.opcua_binary_get_endpoints_user_token | 4 ++--
 salt/soc/files/soc/hunt.eventfields.json | 12 ++++++------
 11 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb_ext b/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb_ext
index a1a08e6b7..c23509b80 100644
--- a/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb_ext
+++ b/salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb_ext
@@ -7,7 +7,7 @@
 { "rename": { "field": "message2.seq", "target_field": "bsap.message.sequence", "ignore_missing": true } },
 { "rename": { "field": "message2.nsb", "target_field": "bsap.node.status.byte", "ignore_missing": true } },
 { "rename": { "field": "message2.extfun", "target_field": "bsap.extension.function", "ignore_missing": true } },
- { "rename": { "field": "message2.data", "target_field": "bsap.extension.function.data", "ignore_missing": true } },
+ { "rename": { "field": "message2.data", "target_field": "bsap.extension.function_data", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.cip b/salt/elasticsearch/files/ingest/zeek.cip
index a9c47e43e..5182a7037 100644
--- a/salt/elasticsearch/files/ingest/zeek.cip
+++ b/salt/elasticsearch/files/ingest/zeek.cip
@@ -3,7 +3,7 @@
 "processors" : [
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.is_orig", "target_field": "cip.is_orig", "ignore_missing": true } },
+ { "rename": { "field": "message2.is_orig", "target_field": "cip.is_orig", "ignore_missing": true } },
 { "rename": { "field": "message2.cip_sequence_count", "target_field": "cip.sequence_count", "ignore_missing": true } },
 { "rename": { "field": "message2.direction", "target_field": "cip.direction", "ignore_missing": true } },
 { "rename": { "field": "message2.cip_service_code", "target_field": "cip.service_code", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.cip_io b/salt/elasticsearch/files/ingest/zeek.cip_io
index 6c61fbb78..68c376b05 100644
--- a/salt/elasticsearch/files/ingest/zeek.cip_io
+++ b/salt/elasticsearch/files/ingest/zeek.cip_io
@@ -5,7 +5,7 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.is_orig", "target_field": "cip.is_orig", "ignore_missing": true } },
 { "rename": { "field": "message2.connection_id", "target_field": "cip.connection.id", "ignore_missing": true } },
- { "rename": { "field": "message2.sequence_number", "target_field": "cip.sequence.count", "ignore_missing": true } },
+ { "rename": { "field": "message2.sequence_number", "target_field": "cip.sequence_number", "ignore_missing": true } },
 { "rename": { "field": "message2.data_length", "target_field": "cip.data.length", "ignore_missing": true } },
 { "rename": { "field": "message2.io_data", "target_field": "cip.io.data", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
diff --git a/salt/elasticsearch/files/ingest/zeek.ecat_foe_info b/salt/elasticsearch/files/ingest/zeek.ecat_foe_info
index 11df775a9..75285ea18 100644
--- a/salt/elasticsearch/files/ingest/zeek.ecat_foe_info
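Review bot: The new target `cip.sequence_number` flattens a dotted name, but the neighbouring processors in the same `zeek.cip_io` hunk still emit `cip.connection.id`, `cip.data.length` and `cip.io.data` as nested objects, so this pipeline now mixes both conventions; the same leftover appears in `zeek.opcua_binary` (`opcua.sender.buffer_size`) and `zeek.opcua_binary_browse` (`opcua.request.max_ref_nodes`). If the purpose of the rename is to stop these prefixes from being mapped as objects, the remaining three should go in the same pass, e.g. `"target_field": "cip.connection_id"`, `"target_field": "cip.data_length"` and `"target_field": "cip.io_data"`, with `hunt.eventfields.json` checked for the old names. If the nesting is deliberate, the commit message should say which prefixes stay nested so the next reviewer does not ask the same question. The processor array continues outside the hunk.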
+++ b/salt/elasticsearch/files/ingest/zeek.ecat_foe_info
@@ -6,9 +6,9 @@
 { "rename": { "field": "message2.opcode", "target_field": "ecat.operation.code", "ignore_missing": true } },
 { "rename": { "field": "message2.reserved", "target_field": "ecat.reserved", "ignore_missing": true } },
 { "rename": { "field": "message2.packet_num", "target_field": "ecat.packet.number", "ignore_missing": true } },
- { "rename": { "field": "message2.error_code", "target_field": "ecat.error.code", "ignore_missing": true } },
+ { "rename": { "field": "message2.error_code", "target_field": "ecat.error_code", "ignore_missing": true } },
 { "rename": { "field": "message2.filename", "target_field": "ecat.filename", "ignore_missing": true } },
 { "rename": { "field": "message2.data", "target_field": "ecat.data", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
-}
\ No newline at end of file
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary b/salt/elasticsearch/files/ingest/zeek.opcua_binary
index 5ce836ca6..37a9cdf1a 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary
@@ -8,7 +8,7 @@
 { "rename": { "field": "message2.msg_size", "target_field": "opcua.message_size", "ignore_missing": true } },
 { "rename": { "field": "message2.snd_buf_size", "target_field": "opcua.sender.buffer_size", "ignore_missing": true } },
 { "rename": { "field": "message2.seq_number", "target_field": "opcua.sequence_number", "ignore_missing": true } },
- { "rename": { "field": "message2.sec_channel_id", "target_field": "opcua.secure_channel.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.sec_channel_id", "target_field": "opcua.secure_channel_id", "ignore_missing": true } },
 { "rename": { "field": "message2.seq_number", "target_field": "opcua.sequence_number", "ignore_missing": true } },
 { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
 { "rename": { "field": "message2.request_id", "target_field": "opcua.request_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
index fa2f24335..8c4d919cd 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
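Review bot: The rename of `message2.seq_number` to `opcua.sequence_number` appears twice in this hunk, once before and once after the changed `sec_channel_id` processor; the second copy never finds its source field and only passes because of `"ignore_missing": true`, so the duplication is masked rather than reported. Dropping the second `{ "rename": { "field": "message2.seq_number", ... } }` keeps the processor list honest and avoids a later edit updating one copy but not the other. The processor array continues outside the hunk.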
@@ -9,8 +9,8 @@
 { "convert": { "field": "opcua.encoding_mask", "type": "string", "ignore_missing": true } },
 { "rename": { "field": "message2.browse_view_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
- { "rename": { "field": "message2.browse_view_description_timestamp", "target_field": "opcua.view.description_timestamp", "ignore_missing": true } },
- { "rename": { "field": "message2.browse_view_description_view_version", "target_field": "opcua.description.view_version", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_view_description_timestamp", "target_field": "opcua.view_description_timestamp", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_view_description_view_version", "target_field": "opcua.description_view_version", "ignore_missing": true } },
 { "rename": { "field": "message2.browse_description_link_id", "target_field": "opcua.description_link_id", "ignore_missing": true } },
 { "rename": { "field": "message2.req_max_ref_nodes", "target_field": "opcua.request.max_ref_nodes", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_description b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_description
index 4f56796e9..f1439f192 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_description
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_description
@@ -8,7 +8,7 @@
 { "rename": { "field": "message2.browse_description_numeric", "target_field": "opcua.browse_description_numeric", "ignore_missing": true } },
 { "rename": { "field": "message2.browse_direction", "target_field": "opcua.browse_direction", "ignore_missing": true } },
 { "rename": { "field": "message2.browse_description_ref_encoding_mask", "target_field": "opcua.browse_description_ref_encoding_mask", "ignore_missing": true } },
- { "rename": { "field": "message2.browse_description_ref_numeric", "target_field": "opcua.browse_description.ref_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_description_ref_numeric", "target_field": "opcua.browse_description_ref_numeric", "ignore_missing": true } },
 { "rename": { "field": "message2.browse_description_include_subtypes", "target_field": "opcua.browse_description_include_subtypes", "ignore_missing": true } },
 { "rename": { "field": "message2.browse_node_class_mask", "target_field": "opcua.browse_node_class_mask", "ignore_missing": true } },
 { "rename": { "field": "message2.browse_result_mask", "target_field": "opcua.browse_result_mask", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session
index 26c9c4f74..d7e0d3d87 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session
@@ -4,12 +4,12 @@
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
 { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.session_id_encoding_mask", "target_field": "opcua.session_id.encoding_mask", "ignore_missing": true } },
- { "rename": { "field": "message2.session_id_namespace_idx", "target_field": "opcua.session_id.namespace_index", "ignore_missing": true } },
- { "rename": { "field": "message2.session_id_guid", "target_field": "opcua.session_id.guid", "ignore_missing": true } },
- { "rename": { "field": "message2.auth_token_encoding_mask", "target_field": "opcua.auth_token.encoding_mask", "ignore_missing": true } },
- { "rename": { "field": "message2.auth_token_namespace_idx", "target_field": "opcua.auth_token.namespace_index", "ignore_missing": true } },
- { "rename": { "field": "message2.auth_token_guid", "target_field": "opcua.auth_token.guid", "ignore_missing": true } },
+ { "rename": { "field": "message2.session_id_encoding_mask", "target_field": "opcua.session_id_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.session_id_namespace_idx", "target_field": "opcua.session_id_namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.session_id_guid", "target_field": "opcua.session_id_guid", "ignore_missing": true } },
+ { "rename": { "field": "message2.auth_token_encoding_mask", "target_field": "opcua.auth_token_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.auth_token_namespace_idx", "target_field": "opcua.auth_token_namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.auth_token_guid", "target_field": "opcua.auth_token_guid", "ignore_missing": true } },
 { "rename": { "field": "message2.revised_session_timeout", "target_field": "opcua.revised_session_timeout", "ignore_missing": true } },
 { "rename": { "field": "message2.server_nonce", "target_field": "opcua.server_nonce", "ignore_missing": true } },
 { "rename": { "field": "message2.endpoint_link_id", "target_field": "opcua.endpoint_link_id", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token
index e699aad0a..b86ec066d 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token
@@ -4,8 +4,8 @@
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.policy_id", "ignore_missing": true } },
- { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_policy_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_type", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token
index 88fabe801..33a3687cc 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token
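Review bot: In the `zeek.opcua_binary_create_session_user_token` hunk all three rename processors read the same source field `message2.user_token_link_id`, so once the first rename has moved it the two updated lines never match and `opcua.user_token_policy_id` and `opcua.user_token_type` are never populated; `"ignore_missing": true` turns that into a silent drop rather than an ingest error. The new target names are fine, but the source fields look like copy-paste leftovers and should presumably read `"field": "message2.user_token_policy_id"` and `"field": "message2.user_token_type"`. The sibling `zeek.opcua_binary_get_endpoints_user_token` pipeline in this same patch already uses `message2.user_token_type`, which supports the second; the first should be checked against the actual column name in the Zeek log before committing to it.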
@@ -4,8 +4,8 @@
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.user_token_type", "target_field": "opcua.user_token.type", "ignore_missing": true } },
- { "rename": { "field": "message2.user_token_sec_policy_uri", "target_field": "opcua.user_token.security_policy_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_type", "target_field": "opcua.user_token_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_sec_policy_uri", "target_field": "opcua.user_token_security_policy_uri", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index c7abb6e75..9c0c9b114 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
@@ -80,20 +80,20 @@
 "::modbus_detailed": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "modbus.function", "log.id.uid" ],
 "::opcua_binary": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.identifier_string", "opcua.message_type", "log.id.uid" ],
 "::opcua_binary_activate_session": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.identifier_string", "opcua.user_name", "log.id.uid" ],
- "::opcua_binary_activate_session_diagnostic_info": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.activate_session_diag_info.link_id", "opcua.diag_info.link_id", "log.id.uid" ],
- "::opcua_binary_activate_session_locale_id": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.local_id", "opcua.locale.link_id", "log.id.uid" ],
+ "::opcua_binary_activate_session_diagnostic_info": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.activate_session_diag_info_link_id", "opcua.diag_info_link_id", "log.id.uid" ],
+ "::opcua_binary_activate_session_locale_id": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.local_id", "opcua.locale_link_id", "log.id.uid" ],
 "::opcua_binary_browse": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.service_type", "log.id.uid" ],
 "::opcua_binary_browse_description": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid" ],
 "::opcua_binary_browse_response_references": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.node_class", "opcua.display_name_text", "log.id.uid" ],
- "::opcua_binary_browse_result": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.response.link_id", "log.id.uid" ],
+ "::opcua_binary_browse_result": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.response_link_id", "log.id.uid" ],
 "::opcua_binary_create_session": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "log.id.uid" ],
 "::opcua_binary_create_session_endpoints": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.endpoint_link_id", "opcua.endpoint_url", "log.id.uid" ],
- "::opcua_binary_create_session_user_token": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.user_token.link_id", "log.id.uid" ],
+ "::opcua_binary_create_session_user_token": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.user_token_link_id", "log.id.uid" ],
 "::opcua_binary_create_subscription": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "log.id.uid" ],
 "::opcua_binary_get_endpoints": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.endpoint_url", "opcua.link_id", "log.id.uid" ],
 "::opcua_binary_get_endpoints_description": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.endpoint_description_link_id", "opcua.endpoint_uri", "log.id.uid" ],
- "::opcua_binary_get_endpoints_user_token": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.user_token.link_id", "opcua.user_token.type", "log.id.uid" ],
- "::opcua_binary_read": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.read_results.link_id", "log.id.uid" ],
+ "::opcua_binary_get_endpoints_user_token": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.user_token_link_id", "opcua.user_token_type", "log.id.uid" ],
+ "::opcua_binary_read": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.read_results_link_id", "log.id.uid" ],
 "::opcua_binary_status_code_detail": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.info_type_string", "opcua.source_string", "log.id.uid" ],
 "::profinet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "profinet.index", "profinet.operation_type", "log.id.uid" ],
 "::profinet_dce_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "profinet.operation", "log.id.uid" ],
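Review bot: The hunt columns for `::opcua_binary_activate_session_diagnostic_info`, `::opcua_binary_activate_session_locale_id`, `::opcua_binary_browse_result` and `::opcua_binary_read` are switched to underscore names (`opcua.activate_session_diag_info_link_id`, `opcua.diag_info_link_id`, `opcua.locale_link_id`, `opcua.response_link_id`, `opcua.read_results_link_id`), but none of the ingest pipelines that would emit those fields are touched by this patch. If those pipelines still write the dotted forms, the affected hunt views will simply render empty columns with no error, so it is worth confirming that they already emit the new names (or including them here). The `::opcua_binary_create_session_user_token` and `::opcua_binary_get_endpoints_user_token` rows do match the pipelines updated earlier in this patch. `opcua.local_id` in the locale_id row is carried over unchanged; it may be worth checking whether `opcua.locale_id` was intended, since it does not follow the naming of its neighbours.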