diff --git a/salt/common/tools/sbin/so-zeek-logs b/salt/common/tools/sbin/so-zeek-logs
index fa9d9c878..10c0c77d8 100755
--- a/salt/common/tools/sbin/so-zeek-logs
+++ b/salt/common/tools/sbin/so-zeek-logs
@@ -35,6 +35,7 @@ whiptail_manager_adv_service_zeeklogs() {
 "smb_mapping" "" ON \
 "smtp" "" ON \
 "snmp" "" ON \
+ "software" "" ON \
 "ssh" "" ON \
 "ssl" "" ON \
 "syslog" "" ON \
@@ -43,10 +44,6 @@ whiptail_manager_adv_service_zeeklogs() {
 "mysql" "" ON \
 "socks" "" ON \
 "x509" "" ON \
- "modbus_detailed" "" ON \
- "modbus_mask_write_register" "" ON \
- "modbus_read_write_multiple_registers" "" ON \
- "dnp3_objects" "" ON \
 "bacnet" "" ON \
 "bacnet_discovery" "" ON \
 "bacnet_property" "" ON \
@@ -57,56 +54,72 @@ whiptail_manager_adv_service_zeeklogs() {
 "bsap_serial_rdb" "" ON \
 "bsap_serial_rdb_ext" "" ON \
 "bsap_serial_unknown" "" ON \
- "ecat_registers" "" ON \
- "ecat_log_address" "" ON \
- "ecat_dev_info" "" ON \
- "ecat_aoe_info" "" ON \
- "ecat_coe_info" "" ON \
- "ecat_foe_info" "" ON \
- "ecat_soe_info" "" ON \
- "ecat_arp_info" "" ON \
- "enip" "" ON \
 "cip" "" ON \
- "cip_io" "" ON \
 "cip_identity" "" ON \
+ "cip_io" "" ON \
+ "cotp" "" ON \
+ "dnp3_objects" "" ON \
+ "ecat_aoe_info" "" ON \
+ "ecat_arp_info" "" ON \
+ "ecat_coe_info" "" ON \
+ "ecat_dev_info" "" ON \
+ "ecat_foe_info" "" ON \
+ "ecat_log_address" "" ON \
+ "ecat_registers" "" ON \
+ "ecat_soe_info" "" ON \
+ "enip" "" ON \
+ "modbus_detailed" "" ON \
+ "modbus_mask_write_register" "" ON \
+ "modbus_read_write_multiple_registers" "" ON \
 "opcua_binary" "" ON \
- "opcua_binary_status_code_detail" "" ON \
- "opcua_binary_diag_info_detail" "" ON \
- "opcua_binary_get_endpoints" "" ON \
- "opcua_binary_get_endpoints_discovery" "" ON \
- "opcua_binary_get_endpoints_user_token" "" ON \
- "opcua_binary_get_endpoints_description" "" ON \
- "opcua_binary_get_endpoints_locale_id" "" ON \
- "opcua_binary_get_endpoints_profile_uri" "" ON \
- "opcua_binary_create_session" "" ON \
- "opcua_binary_create_session_user_token" "" ON \
- "opcua_binary_create_session_endpoints" "" ON \
- "opcua_binary_create_session_discovery" "" ON \
 "opcua_binary_activate_session" "" ON \
 "opcua_binary_activate_session_client_software_cert" "" ON \
- "opcua_binary_activate_session_locale_id" "" ON \
 "opcua_binary_activate_session_diagnostic_info" "" ON \
+ "opcua_binary_activate_session_locale_id" "" ON \
 "opcua_binary_browse" "" ON \
 "opcua_binary_browse_description" "" ON \
- "opcua_binary_browse_request_continuation_point" "" ON \
- "opcua_binary_browse_result" "" ON \
- "opcua_binary_browse_response_references" "" ON \
 "opcua_binary_browse_diagnostic_info" "" ON \
+ "opcua_binary_browse_request_continuation_point" "" ON \
+ "opcua_binary_browse_response_references" "" ON \
+ "opcua_binary_browse_result" "" ON \
+ "opcua_binary_create_session" "" ON \
+ "opcua_binary_create_session_discovery" "" ON \
+ "opcua_binary_create_session_endpoints" "" ON \
+ "opcua_binary_create_session_user_token" "" ON \
 "opcua_binary_create_subscription" "" ON \
+ "opcua_binary_diag_info_detail" "" ON \
+ "opcua_binary_get_endpoints" "" ON \
+ "opcua_binary_get_endpoints_description" "" ON \
+ "opcua_binary_get_endpoints_discovery" "" ON \
+ "opcua_binary_get_endpoints_locale_id" "" ON \
+ "opcua_binary_get_endpoints_profile_uri" "" ON \
+ "opcua_binary_get_endpoints_user_token" "" ON \
+ "opcua_binary_opensecure_channel" "" ON \
 "opcua_binary_read" "" ON \
- "cotp" "" ON \
- "s7comm" "" ON \
- "s7comm_read_szl" "" ON \
- "s7comm_upload_download" "" ON \
- "s7comm_plus" "" ON \
- "tds" "" ON \
- "tds_rpc" "" ON \
- "tds_sql_batch" "" ON \
+ "opcua_binary_read_array_dims" "" ON \
+ "opcua_binary_read_array_dims_link" "" ON \
+ "opcua_binary_read_diagnostic_info" "" ON \
+ "opcua_binary_read_extension_object" "" ON \
+ "opcua_binary_read_extension_object_link" "" ON \
+ "opcua_binary_read_nodes_to_read" "" ON \
+ "opcua_binary_read_results" "" ON \
+ "opcua_binary_read_results_link" "" ON \
+ "opcua_binary_read_status_code" "" ON \
+ "opcua_binary_read_variant_data" "" ON \
+ "opcua_binary_read_variant_data_link" "" ON \
+ "opcua_binary_status_code_detail" "" ON \
 "profinet" "" ON \
 "profinet_dce_rpc" "" ON \
 "profinet_debug" "" ON \
+ "s7comm" "" ON \
+ "s7comm_plus" "" ON \
+ "s7comm_read_szl" "" ON \
+ "s7comm_upload_download" "" ON \
 "stun" "" ON \
 "stun_nat" "" ON \
+ "tds" "" ON \
+ "tds_rpc" "" ON \
+ "tds_sql_batch" "" ON \
 "wireguard" "" ON 3>&1 1>&2 2>&3 ) local exitstatus=$?
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary b/salt/elasticsearch/files/ingest/zeek.opcua_binary
index 1dbffabc8..4363804b4 100644
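Review bot: The newly listed `opcua_binary_opensecure_channel` and the eleven `opcua_binary_read_*` entries in this hunk have no matching ingest-pipeline file in the part of the diff visible here; only browse_diagnostic_info, browse_request_continuation_point and create_session_discovery gain a pipeline below. If those pipelines do not exist elsewhere in the commit, an operator who leaves a log ON in this checklist presumably ends up routing its events to a `zeek.<log>` pipeline Elasticsearch cannot resolve, and the documents are rejected rather than indexed. Worth confirming every name in the list resolves to a file under salt/elasticsearch/files/ingest/, and adding `# each entry must have a matching zeek.<name> ingest pipeline` above the list so the next addition checks the same thing. The enclosing whiptail_manager_adv_service_zeeklogs function begins before this hunk and continues after it.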
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary
@@ -1,30 +1,30 @@
 {
 "description" : "zeek.opcua_binary",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.msg_type", "target_field": "opcua.message_type", "ignore_missing": true } },
- { "rename": { "field": "message2.is_final", "target_field": "opcua.final", "ignore_missing": true } },
- { "rename": { "field": "message2.msg_size", "target_field": "opcua.message_size", "ignore_missing": true } },
- { "rename": { "field": "message2.snd_buf_size", "target_field": "opcua.sender.buffer_size", "ignore_missing": true } },
- { "rename": { "field": "message2.seq_number", "target_field": "opcua.sequence_number", "ignore_missing": true } },
- { "rename": { "field": "message2.sec_channel_id", "target_field": "opcua.secure_channel.id", "ignore_missing": true } },
- { "rename": { "field": "message2.seq_number", "target_field": "opcua.sequence_number", "ignore_missing": true } },
- { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.request_id", "target_field": "opcua.request_id", "ignore_missing": true } },
- { "rename": { "field": "message2.namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
- { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
- { "rename": { "field": "message2.identifier", "target_field": "opcua.identifier", "ignore_missing": true } },
- { "rename": { "field": "message2.identifier_str", "target_field": "opcua.identifier_string", "ignore_missing": true } },
- { "rename": { "field": "message2.req_hdr_node_id_type", "target_field": "opcua.request.header.node.id_type", "ignore_missing": true } },
- { "rename": { "field": "message2.req_hdr_node_id_numeric", "target_field": "opcua.request.header.node.id_numeric", "ignore_missing": true } },
- { "rename": { "field": "message2.req_hdr_timestamp", "target_field": "opcua.request.header.timestamp", "ignore_missing": true } },
- { "rename": { "field": "message2.req_hdr_request_handle", "target_field": "opcua.request.handle", "ignore_missing": true } },
- { "rename": { "field": "message2.req_hdr_return_diag", "target_field": "opcua.request.header.return_diag", "ignore_missing": true } },
- { "rename": { "field": "message2.req_hdr_audit_entry_id", "target_field": "opcua.request.header.audit_entry_id", "ignore_missing": true } },
- { "rename": { "field": "message2.req_hdr_timeout_hint", "target_field": "opcua.request.header.timeout_hint", "ignore_missing": true } },
- { "rename": { "field": "message2.req_hdr_add_hdr_type_id", "target_field": "opcua.request.header.type_id", "ignore_missing": true } },
- { "rename": { "field": "message2.req_hdr_add_hdr_enc_mask", "target_field": "opcua.request.header.enc_mask", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.msg_type", "target_field": "opcua.message_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.is_final", "target_field": "opcua.final", "ignore_missing": true } },
+ { "rename": { "field": "message2.msg_size", "target_field": "opcua.message_size", "ignore_missing": true } },
+ { "rename": { "field": "message2.snd_buf_size", "target_field": "opcua.sender.buffer_size", "ignore_missing": true } },
+ { "rename": { "field": "message2.seq_number", "target_field": "opcua.sequence_number", "ignore_missing": true } },
+ { "rename": { "field": "message2.sec_channel_id", "target_field": "opcua.secure_channel.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.seq_number", "target_field": "opcua.sequence_number", "ignore_missing": true } },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.request_id", "target_field": "opcua.request_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.identifier", "target_field": "opcua.identifier", "ignore_missing": true } },
+ { "rename": { "field": "message2.identifier_str", "target_field": "opcua.identifier_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_node_id_type", "target_field": "opcua.request.header.node.id_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_node_id_numeric", "target_field": "opcua.request.header.node.id_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_timestamp", "target_field": "opcua.request.header.timestamp", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_request_handle", "target_field": "opcua.request.handle", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_return_diag", "target_field": "opcua.request.header.return_diag", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_audit_entry_id", "target_field": "opcua.request.header.audit_entry_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_timeout_hint", "target_field": "opcua.request.header.timeout_hint", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_add_hdr_type_id", "target_field": "opcua.request.header.type_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_add_hdr_enc_mask", "target_field": "opcua.request.header.enc_mask", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
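Review bot: The rewritten processor list still renames `message2.seq_number` twice (once before and once after the `sec_channel_id` rename); the second processor can never match because the first already moved the field, and `ignore_missing` hides that it is dead, so the duplicate line should simply be dropped. Separately, with `ignore_failure` on the json processor and `ignore_missing` on every rename, a `message` that fails to parse is indexed silently with no `opcua.*` fields at all; unless zeek.common marks such documents (not visible here), an `on_failure` handler on the json processor that sets an error tag would make the data loss detectable instead of invisible. This pipeline is one of a family with the same shape, so whichever approach is taken here presumably belongs in the sibling files too.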
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_client_software_cert b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_client_software_cert
index 612144c6e..0abadc290 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_client_software_cert
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_client_software_cert
@@ -1,11 +1,11 @@
 {
 "description" : "zeek.opcua_binary_activate_session_client_software_cert",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.client_software_cert_link_id", "target_field": "opcua.client_software_cert.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.cert_data", "target_field": "opcua.certificate.data", "ignore_missing": true } },
- { "rename": { "field": "message2.cert_signature", "target_field": "opcua.certificate.signature", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.client_software_cert_link_id", "target_field": "opcua.client_software_cert.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.cert_data", "target_field": "opcua.certificate.data", "ignore_missing": true } },
+ { "rename": { "field": "message2.cert_signature", "target_field": "opcua.certificate.signature", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_diagnostic_info b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_diagnostic_info
index bd1266d39..90cdf2b62 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_diagnostic_info
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_diagnostic_info
@@ -1,10 +1,10 @@
 {
 "description" : "zeek.opcua_binary_activate_session_diagnostic_info",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.activate_session_diag_info_link_id", "target_field": "opcua.activate_session_diag_info.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.diag_info_link_id", "target_field": "opcua.diag_info.link_id", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.activate_session_diag_info_link_id", "target_field": "opcua.activate_session_diag_info.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.diag_info_link_id", "target_field": "opcua.diag_info.link_id", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_locale_id b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_locale_id
index 83469ef53..08d8a672e 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_locale_id
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_locale_id
@@ -1,10 +1,10 @@
 {
 "description" : "zeek.opcua_binary_activate_session_locale_id",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.opcua_locale_link_id", "target_field": "opcua.locale.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.local_id", "target_field": "opcua.local_id", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.opcua_locale_link_id", "target_field": "opcua.locale_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.local_id", "target_field": "opcua.local_id", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
index b9a5c1de6..83d388082 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
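Review bot: Changing the target from `opcua.locale.link_id` to `opcua.locale_link_id` is an indexed-field rename, not just a tidy-up: any saved search, dashboard or detection that references the old name breaks, and already-indexed documents keep the old field, so the commit message or a comment in this file should say why (the flat name avoids a mapping clash with `opcua.locale`, which zeek.opcua_binary_create_session_endpoints writes as a plain string - if that is the reason). The neighbouring line still lands the locale id at `opcua.local_id`; "local" reads as a typo of "locale" next to `opcua.locale_link_id`, so `"target_field": "opcua.locale_id"` would be the consistent name, while the source side `message2.local_id` must stay whatever the Zeek analyzer actually emits. Both renames should be done in one release so dashboards are updated once.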
@@ -1,16 +1,16 @@
 {
 "description" : "zeek.opcua_binary_browse",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.browse_service_type", "target_field": "opcua.service_type", "ignore_missing": true } },
- { "rename": { "field": "message2.browse_view_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
- { "rename": { "field": "message2.browse_view_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
- { "rename": { "field": "message2.browse_view_description_timestamp", "target_field": "opcua.view.description_timestamp", "ignore_missing": true } },
- { "rename": { "field": "message2.browse_view_description_view_version", "target_field": "opcua.description.view_version", "ignore_missing": true } },
- { "rename": { "field": "message2.browse_description_link_id", "target_field": "opcua.description.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.req_max_ref_nodes", "target_field": "opcua.request.max_ref_nodes", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_service_type", "target_field": "opcua.service_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_view_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_view_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_view_description_timestamp", "target_field": "opcua.view.description_timestamp", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_view_description_view_version", "target_field": "opcua.description.view_version", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_description_link_id", "target_field": "opcua.description.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_max_ref_nodes", "target_field": "opcua.request.max_ref_nodes", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_description b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_description
index 0065856d4..4f56796e9 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_description
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_description
@@ -1,16 +1,17 @@
 {
 "description" : "zeek.opcua_binary_browse_description",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "browse_description_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
- { "rename": { "field": "browse_description_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
- { "rename": { "field": "browse_direction", "target_field": "opcua.direction", "ignore_missing": true } },
- { "rename": { "field": "browse_description_ref_encoding_mask", "target_field": "opcua.description.ref_encoding_mask", "ignore_missing": true } },
- { "rename": { "field": "browse_description_ref_numeric", "target_field": "opcua.description.ref_numeric", "ignore_missing": true } },
- { "rename": { "field": "browse_description_include_subtypes", "target_field": "opcua.description.include_subtypes", "ignore_missing": true } },
- { "rename": { "field": "browse_node_class_mask", "target_field": "opcua.node.class_mask", "ignore_missing": true } },
- { "rename": { "field": "browse_result_mask", "target_field": "opcua.result.mask", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.browse_description_link_id", "target_field": "opcua.browse_description_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_description_encoding_mask", "target_field": "opcua.browse_description_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_description_numeric", "target_field": "opcua.browse_description_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_direction", "target_field": "opcua.browse_direction", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_description_ref_encoding_mask", "target_field": "opcua.browse_description_ref_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_description_ref_numeric", "target_field": "opcua.browse_description.ref_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_description_include_subtypes", "target_field": "opcua.browse_description_include_subtypes", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_node_class_mask", "target_field": "opcua.browse_node_class_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_result_mask", "target_field": "opcua.browse_result_mask", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_diagnostic_info b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_diagnostic_info
new file mode 100644
index 000000000..3d58d8030
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_diagnostic_info
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_browse_diagnostic_info",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.browse_diag_info_link_id", "target_field": "opcua.browse_session_diag_info.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.diag_info_link_id", "target_field": "opcua.diag_info.link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_request_continuation_point b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_request_continuation_point
new file mode 100644
index 000000000..ce971109b
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_request_continuation_point
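Review bot: The `browse_description_ref_numeric` rename is the one processor in this rewritten list whose target is dotted, `opcua.browse_description.ref_numeric`, while every sibling is flat (`opcua.browse_description_link_id`, `opcua.browse_description_ref_encoding_mask`, ...); that makes `opcua.browse_description` an object in the mapping for no reason and splits one record across two naming schemes. It should read `"target_field": "opcua.browse_description_ref_numeric"`. Since the old processors named bare `browse_description_*` fields that never existed after the json step (the data was silently dropped under `ignore_missing`), this pipeline has presumably never been exercised end to end, so a quick `_ingest/pipeline/_simulate` run with a real browse_description line would be worth doing before merging.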
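Review bot: In the new browse_diagnostic_info pipeline the target `opcua.browse_session_diag_info.link_id` introduces "session", which appears neither in the file name nor in the source field `browse_diag_info_link_id`; it looks copied from the activate_session pipeline's `opcua.activate_session_diag_info.link_id`. Naming it `"target_field": "opcua.browse_diag_info.link_id"` keeps the pattern source-name-to-target-name consistent with the other new files and avoids an analyst searching for a session field that this log does not describe.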
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_browse_request_continuation_point",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.browse_next_link_id", "target_field": "opcua.browse_next_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.continuation_point", "target_field": "opcua.continuation_point", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_response_references b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_response_references
index 6191020a7..960a0a939 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_response_references
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_response_references
@@ -1,22 +1,22 @@
 {
 "description" : "zeek.opcua_binary_browse_response_references",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.browse_reference_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.browse_response_ref_encoding_mask", "target_field": "opcua.reference_encoding_mask", "ignore_missing": true } },
- { "rename": { "field": "message2.browse_response_ref_numeric", "target_field": "opcua.reference_numeric", "ignore_missing": true } },
- { "rename": { "field": "message2.browse_response_is_forward", "target_field": "opcua.is_forward", "ignore_missing": true } },
- { "rename": { "field": "message2.response_ref_type_encoding_mask", "target_field": "opcua.reference_type_encoding_mask", "ignore_missing": true } },
- { "rename": { "field": "message2.browse_response_ref_type_namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
- { "rename": { "field": "message2.browse_response_ref_type_numeric", "target_field": "opcua.reference_type_numeric", "ignore_missing": true } },
- { "rename": { "field": "message2.browse_response_ref_name", "target_field": "opcua.reference_name", "ignore_missing": true } },
- { "rename": { "field": "message2.browse_response_display_name_mask", "target_field": "opcua.display_name_mask", "ignore_missing": true } },
- { "rename": { "field": "message2.browse_response_display_name_locale", "target_field": "opcua.display_name_local", "ignore_missing": true } },
- { "rename": { "field": "message2.browse_response_display_name_text", "target_field": "opcua.display_name_text", "ignore_missing": true } },
- { "rename": { "field": "message2.browse_response_node_class", "target_field": "opcua.node_class", "ignore_missing": true } },
- { "rename": { "field": "message2.browse_response_type_def_encoding_mask", "target_field": "opcua.type_def_encoding_mask", "ignore_missing": true } },
- { "rename": { "field": "message2.browse_response_type_def_numeric", "target_field": "opcua.type_def_numeric", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.browse_reference_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_ref_encoding_mask", "target_field": "opcua.reference_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_ref_numeric", "target_field": "opcua.reference_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_is_forward", "target_field": "opcua.is_forward", "ignore_missing": true } },
+ { "rename": { "field": "message2.response_ref_type_encoding_mask", "target_field": "opcua.reference_type_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_ref_type_namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_ref_type_numeric", "target_field": "opcua.reference_type_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_ref_name", "target_field": "opcua.reference_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_display_name_mask", "target_field": "opcua.display_name_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_display_name_locale", "target_field": "opcua.display_name_local", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_display_name_text", "target_field": "opcua.display_name_text", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_node_class", "target_field": "opcua.node_class", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_type_def_encoding_mask", "target_field": "opcua.type_def_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_response_type_def_numeric", "target_field": "opcua.type_def_numeric", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_result b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_result
index 8c0bff894..857e7ffb5 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_result
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_result
@@ -1,11 +1,11 @@
 {
 "description" : "zeek.opcua_binary_browse_result",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.browse_response_link_id", "target_field": "opcua.response.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.browse_reference.link_id", "target_field": "opcua.reference.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.status_code.link_id", "target_field": "opcua.status_code.link_id", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.browse_response_link_id", "target_field": "opcua.response.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_reference.link_id", "target_field": "opcua.reference.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.status_code.link_id", "target_field": "opcua.status_code.link_id", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_discovery b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_discovery new file mode 100644 index 000000000..cf9a56135 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_discovery @@ -0,0 +1,11 @@ +{ + "description" : "zeek.opcua_binary_create_session_discovery", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.discovery_profile_link_id", "target_field": "opcua.discovery_profile_link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.discovery_profile_uri", "target_field": "opcua.discovery_profile_uri", "ignore_missing": true } }, + { "rename": { "field": "message2.discovery_profile_url", "target_field": "opcua.discovery_profile_url", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints index 719733706..79d8ac067 100644 --- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints 
@@ -1,21 +1,21 @@
 {
 "description" : "zeek.opcua_binary_create_session_endpoints",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.endpoint_link_id", "target_field": "opcua.endpoint_link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.endpoint_url", "target_field": "opcua.endpoint_url", "ignore_missing": true } },
- { "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } },
- { "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
- { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
- { "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
- { "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
- { "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },
- { "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } },
- { "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } },
- { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.transport_profile_uri", "target_field": "opcua.transport_profile_uri", "ignore_missing": true } },
- { "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.endpoint_link_id", "target_field": "opcua.endpoint_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.endpoint_url", "target_field": "opcua.endpoint_url", "ignore_missing": true } },
+ { "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
+ { "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
+ { "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.transport_profile_uri", "target_field": "opcua.transport_profile_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token
index 45f0b8f43..722ca2fd0 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token
@@ -1,11 +1,11 @@
 {
 "description" : "zeek.opcua_binary_create_session_user_token",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.policy_id", "ignore_missing": true } },
- { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.type", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.policy_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.type", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_subscription b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_subscription
index 4087d7636..832ac75b1 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_subscription
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_subscription
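Review bot: All three rename processors in zeek.opcua_binary_create_session_user_token read the same source field `message2.user_token_link_id`; once the first rename moves it to `opcua.user_token.link_id`, the second and third find nothing and are silently skipped by `ignore_missing`, so `opcua.user_token.policy_id` and `opcua.user_token.type` are never populated. This commit corrects the identical copy-paste pattern in zeek.opcua_binary_opensecure_channel (five renames of `server_proto_ver`), but this file only received whitespace changes. The two lines should read the policy-id and type columns the Zeek log actually emits — the sibling get_endpoints_user_token pipeline reads `message2.user_token_type`, which hints at the naming — so confirm the column names against the log schema rather than guessing. While here, the nested `opcua.user_token.*` targets are also out of step with the flat `opcua.*_link_id` naming the rest of this change adopts.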
@@ -2,7 +2,7 @@
 "description" : "zeek.opcua_binary_create_subscription",
 "processors" : [
 { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
 { "rename": { "field": "message2.requested_publishing_interval", "target_field": "opcua.publish_interval", "ignore_missing": true } },
 { "rename": { "field": "message2.requested_lifetime_count", "target_field": "opcua.lifetime_count", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_diag_info_detail b/salt/elasticsearch/files/ingest/zeek.opcua_binary_diag_info_detail
new file mode 100644
index 000000000..170c35be0
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_diag_info_detail
@@ -0,0 +1,21 @@
+{
+ "description" : "zeek.opcua_binary_diag_info_detail",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.diag_info_link_id", "target_field": "opcua.diag_info_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.source", "target_field": "opcua.source", "ignore_missing": true } },
+ { "rename": { "field": "message2.source_str", "target_field": "opcua.source_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.inner_diag_level", "target_field": "opcua.inner_diag_level", "ignore_missing": true } },
+ { "rename": { "field": "message2.has_symbolic_id", "target_field": "opcua.has_symbolic_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.has_namespace_uri", "target_field": "opcua.has_namespace_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.has_locale", "target_field": "opcua.has_locale", "ignore_missing": true } },
+ { "rename": { "field": "message2.has_locale_txt", "target_field": "opcua.has_locale_txt", "ignore_missing": true } },
+ { "rename": { "field": "message2.has_addl_info", "target_field": "opcua.has_addl_info", "ignore_missing": true } },
+ { "rename": { "field": "message2.addl_info", "target_field": "opcua.addl_info", "ignore_missing": true } },
+ { "rename": { "field": "message2.has_inner_stat_code", "target_field": "opcua.has_inner_stat_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.inner_stat_code", "target_field": "opcua.inner_stat_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.has_inner_diag_info", "target_field": "opcua.has_inner_diag_info", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints
index 2b80c97a8..51f9349fc 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints
@@ -1,10 +1,10 @@
 {
 "description" : "zeek.opcua_binary_get_endpoints",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.endpoint_url", "target_field": "opcua.endpoint_url", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.endpoint_url", "target_field": "opcua.endpoint_url", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description
index 876b050a3..072d6bd31 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description
@@ -1,21 +1,21 @@
 {
 "description" : "zeek.opcua_binary_get_endpoints_description",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.endpoint_description_link_id", "target_field": "opcua.endpoint_description_link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } },
- { "rename": { "field": "message2.endpoint_uri", "target_field": "opcua.endpoint_uri", "ignore_missing": true } },
- { "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
- { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
- { "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
- { "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
- { "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },
- { "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } },
- { "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } },
- { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.transport_profile_uri", "target_field": "transport_profile_uri", "ignore_missing": true } },
- { "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.endpoint_description_link_id", "target_field": "opcua.endpoint_description_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.endpoint_uri", "target_field": "opcua.endpoint_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
+ { "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
+ { "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.transport_profile_uri", "target_field": "opcua.transport_profile_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_discovery b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_discovery
new file mode 100644
index 000000000..eeaf91dcb
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_discovery
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_get_endpoints_discovery",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.discovery_profile_link_id", "target_field": "opcua.discovery_profile_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.discovery_profile_url", "target_field": "opcua.discovery_profile_url", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_locale_id b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_locale_id
new file mode 100644
index 000000000..3716b3bb5
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_locale_id
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_get_endpoints_locale_id",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.opcua_locale_link_id", "target_field": "opcua.locale_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.local_id", "target_field": "opcua.local_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_profile_uri b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_profile_uri
new file mode 100644
index 000000000..65309e588
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_profile_uri
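Review bot: In the new zeek.opcua_binary_get_endpoints_locale_id pipeline the target `opcua.local_id` reads like a typo of `locale_id` — the pipeline name and the sibling target `opcua.locale_link_id` both use "locale", and the indexed field is what analysts will search on. If the Zeek column really is spelled `local_id`, keep the source field as it is but consider `"target_field": "opcua.locale_id"` so the ES field name is consistent with the rest of the `opcua.locale*` naming; if the column is `locale_id`, the source side is wrong and the rename silently never fires because of `ignore_missing`. Confirm the column name against the log schema before changing either side.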
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_get_endpoints_profile_uri",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.profile_uri_link_id", "target_field": "opcua.profile_uri_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.profile_uri", "target_field": "opcua.profile_uri", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token
index 539225b60..524456511 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token
@@ -2,7 +2,7 @@
 "description" : "zeek.opcua_binary_get_endpoints_user_token",
 "processors" : [
 { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.link_id", "ignore_missing": true } },
 { "rename": { "field": "message2.user_token_type", "target_field": "opcua.user_token.type", "ignore_missing": true } },
 { "rename": { "field": "message2.user_token_sec_policy_uri", "target_field": "opcua.user_token.security_policy_uri", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_opensecure_channel b/salt/elasticsearch/files/ingest/zeek.opcua_binary_opensecure_channel
index e6baef81e..59c41206d 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_opensecure_channel
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_opensecure_channel
@@ -1,15 +1,15 @@
 {
 "description" : "zeek.opcua_binary_opensecure_channel",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.server.protocol.version", "ignore_missing": true } },
- { "rename": { "field": "message2.sec_token_sec_channel_id", "target_field": "opcua.security_token.security_channel_id", "ignore_missing": true } },
- { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.security_token.id", "ignore_missing": true } },
- { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.security_token.created", "ignore_missing": true } },
- { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.security_token.revised", "ignore_missing": true } },
- { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.server.nonce", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.server_proto_ver", "ignore_missing": true } },
+ { "rename": { "field": "message2.sec_token_sec_channel_id", "target_field": "opcua.sec_token_sec_channel_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.sec_token_id", "target_field": "opcua.sec_token_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.sec_token_created_at", "target_field": "opcua.sec_token_created_at", "ignore_missing": true } },
+ { "rename": { "field": "message2.sec_token_revised_time", "target_field": "opcua.sec_token_revised_time", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_nonce", "target_field": "opcua.server_nonce", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read
index 8d951e8d5..9eee12ff7 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read
@@ -1,10 +1,10 @@
 {
 "description" : "zeek.opcua_binary_read",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results.link_id", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results_link_id", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims
new file mode 100644
index 000000000..a0955f534
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_read_array_dims",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.array_dim_link_id", "target_field": "opcua.array_dim_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.dimension", "target_field": "opcua.dimension", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims_link b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims_link
new file mode 100644
index 000000000..94644246f
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims_link
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_read_array_dims_link",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.variant_data_array_dim_link_id", "target_field": "opcua.variant_data_array_dim_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.array_dim_link_id", "target_field": "opcua.array_dim_link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_diagnostic_info b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_diagnostic_info
new file mode 100644
index 000000000..64376bd08
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_diagnostic_info
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_read_diagnostic_info",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.read_diag_info_link_id", "target_field": "opcua.read_diag_info_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.diag_info_link_id", "target_field": "opcua.diag_info_link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object
new file mode 100644
index 000000000..8ef46251b
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.opcua_binary_read_extension_object",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.ext_obj_link_id", "target_field": "opcua.ext_obj_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_node_id_encoding_mask", "target_field": "opcua.ext_obj_node_id_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_node_id_namespace_idx", "target_field": "opcua.ext_obj_node_id_namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_node_id_numeric", "target_field": "opcua.ext_obj_node_id_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_type_id_str", "target_field": "opcua.ext_obj_type_id_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_encoding", "target_field": "opcua.ext_obj_encoding", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object_link b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object_link
new file mode 100644
index 000000000..0aae27ca1
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object_link
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_read_extension_object_link",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.variant_data_ext_obj_link_id", "target_field": "opcua.variant_data_ext_obj_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_link_id", "target_field": "opcua.ext_obj_link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read
index c601a5dff..39c0c25b1 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read
@@ -1,16 +1,15 @@
 {
 "description" : "zeek.opcua_binary_read_nodes_to_read",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.nodes_to_read_link_id", "target_field": "opcua.nodes_to_read.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.node_id_encoding_mask", "target_field": "opcua.node_id.encoding_mask", "ignore_missing": true } },
- { "rename": { "field": "message2.node_id_namespace_idx", "target_field": "opcua.node_id.namespace_idx", "ignore_missing": true } },
- { "rename": { "field": "message2.node_id_string", "target_field": "opcua.node_id.string", "ignore_missing": true } },
- { "rename": { "field": "message2.attribute_id", "target_field": "opcua.attribute_id", "ignore_missing": true } },
- { "rename": { "field": "message2.attribute_id_str", "target_field": "opcua.attribute_id_str", "ignore_missing": true } },
- { "rename": { "field": "message2.data_encoding_name_idx", "target_field": "opcua.encoding_name_idx", "ignore_missing": true } },
- { "rename": { "field": "message2.data_encoding_name", "target_field": "opcua.encoding_name", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.nodes_to_read_link_id", "target_field": "opcua.nodes_to_read_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.node_id_encoding_mask", "target_field": "opcua.node_id_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.node_id_numeric", "target_field": "opcua.node_id_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.attribute_id", "target_field": "opcua.attribute_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.attribute_id_str", "target_field": "opcua.attribute_id_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_encoding_name_idx", "target_field": "opcua.data_encoding_name_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_encoding_name", "target_field": "opcua.data_encoding_name", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results
index e54afc469..49d14d404 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results
@@ -1,12 +1,17 @@
 {
 "description" : "zeek.opcua_binary_read_results",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.results_link_id", "target_field": "opcua.results.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.level", "target_field": "opcua.level", "ignore_missing": true } },
- { "rename": { "field": "message2.data_value_encoding_mask", "target_field": "opcua.data_value_encoding_mask", "ignore_missing": true } },
- { "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code.link_id", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.results_link_id", "target_field": "opcua.results_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.level", "target_field": "opcua.level", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_value_encoding_mask", "target_field": "opcua.data_value_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_variant_encoding_mask", "target_field": "opcua.data_variant_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_variant_data_type", "target_field": "opcua.data_variant_data_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_variant_data_type_str", "target_field": "opcua.data_variant_data_type_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.built_in_data_type", "target_field": "opcua.built_in_data_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.built_in_data_type_str", "target_field": "opcua.built_in_data_type_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.read_results_variant_data_link_id", "target_field": "opcua.read_results_variant_data_link_id", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link
index 9f5275893..75245d212 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link
@@ -1,10 +1,10 @@
 {
 "description" : "zeek.opcua_binary_read_results_link",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.results_link_id", "target_field": "opcua.results.link_id", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.results_link_id", "target_field": "opcua.results_link_id", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_status_code b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_status_code
new file mode 100644
index 000000000..d3b6ece54
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_status_code
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_read_status_code",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.read_status_code_link_id", "target_field": "opcua.read_status_code_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code_link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data
new file mode 100644
index 000000000..d77404bc5
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_read_variant_data",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.read_variant_data_link_id", "target_field": "opcua.read_variant_data_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.variant_data_value_signed_numeric", "target_field": "opcua.variant_data_value_signed_numeric", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data_link b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data_link
new file mode 100644
index 000000000..8585789ff
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data_link
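Review bot: zeek.opcua_binary_read_variant_data renames only `message2.variant_data_value_signed_numeric`; if the Zeek log also carries other value representations (unsigned, string or time variants) they stay under `message2` and are only searchable if zeek.common preserves that object — confirm against the log schema before relying on this dataset for ICS hunting. Both new pipelines in this hunk parse with `"ignore_failure": true` on the json processor, so a malformed `message` is indexed with no `opcua.*` fields and no indication that parsing failed; if that gap matters for coverage monitoring, replacing `ignore_failure` on the json processor with an `on_failure` handler that appends a marker tag (a constructed value such as `zeek_json_parse_failure`) keeps such events distinguishable in searches.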
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_read_variant_data_link",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.read_results_variant_data_link_id", "target_field": "opcua.read_results_variant_data_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.read_variant_data_link_id", "target_field": "opcua.read_variant_data_link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail b/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail
index a102b9e1a..e1bff04a4 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail
@@ -2,12 +2,12 @@
 "description" : "zeek.opcua_binary_status_code_detail",
 "processors" : [
 { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code.link_id", "ignore_missing": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.status_code", "target_field": "opcua.status_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code_link_id", "ignore_missing": true } },
 { "rename": { "field": "message2.source", "target_field": "opcua.source", "ignore_missing": true } },
 { "rename": { "field": "message2.source_str", "target_field": "opcua.source_string", "ignore_missing": true } },
 { "rename": { "field": "message2.source_level", "target_field": "opcua.source_level", "ignore_missing": true } },
- { "rename": { "field": "message2.status_code", "target_field": "opcua.status_code", "ignore_missing": true } },
 { "rename": { "field": "message2.severity", "target_field": "opcua.severity", "ignore_missing": true } },
 { "rename": { "field": "message2.severity_str", "target_field": "opcua.severity_string", "ignore_missing": true } },
 { "rename": { "field": "message2.sub_code", "target_field": "opcua.sub_code", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.s7comm_read_szl b/salt/elasticsearch/files/ingest/zeek.s7comm_read_szl
new file mode 100644
index 000000000..c044c08a5
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.s7comm_read_szl
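Review bot: The removed processors wrote both a scalar (`message2.status_code` to `opcua.status_code`) and an object (`message2.status_code_link_id` to `opcua.status_code.link_id`) under the same field name, so flattening to `opcua.status_code_link_id` is the right fix, but indices already written by the old pipeline may have `opcua.status_code` mapped as an object; once this pipeline ships, documents carrying a scalar `opcua.status_code` would be rejected by those indices with a mapping conflict until they roll over, silently dropping OPC UA status telemetry. Check the live mapping for `opcua.status_code` and plan a rollover with the deploy. The same dotted target `opcua.status_code.link_id` was used by the old zeek.opcua_binary_read_results pipeline, so the same check applies to that dataset.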
@@ -0,0 +1,15 @@
+{
+ "description" : "zeek.s7comm_read_szl",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.pdu_reference", "target_field": "s7.pdu_reference", "ignore_missing": true } },
+ { "rename": { "field": "message2.method", "target_field": "s7.method", "ignore_missing": true } },
+ { "rename": { "field": "message2.szl_id", "target_field": "s7.szl_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.szl_id_name", "target_field": "s7.szl_id_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.szl_index", "target_field": "s7.szl_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.return_code", "target_field": "s7.return_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.return_code_name", "target_field": "s7.return_code_name", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json
index ed1e38dd9..5a6f490d0 100644
--- a/salt/soc/files/soc/dashboards.queries.json
+++ b/salt/soc/files/soc/dashboards.queries.json
@@ -1,8 +1,8 @@
 [
 { "name": "Overview", "description": "Overview of all events", "query": "* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "SOC Auth", "description": "Show all SOC authentication logs", "query": "event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent"},
+ { "name": "SOC Auth", "description": "SOC (Security Onion Console) authentication logs", "query": "event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent"},
 { "name": "Elastalerts", "description": "Elastalert logs", "query": "_index: \"*:elastalert*\" | groupby rule_name | groupby alert_info.type"},
- { "name": "Alerts", "description": "Show all alerts", "query": "event.dataset:alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "Alerts", "description": "Overview of all alerts", "query": "event.dataset:alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "NIDS Alerts", "description": "NIDS alerts", "query": "event.category:network AND event.dataset:alert | groupby rule.category | groupby rule.gid | groupby rule.uuid | groupby rule.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Wazuh/OSSEC", "description": "Wazuh/OSSEC HIDS alerts and logs", "query": "event.module:ossec | groupby rule.category | groupby rule.uuid | groupby rule.name | groupby agent.id | groupby agent.name | 
groupby log.full"},
 { "name": "Sysmon Overview", "description": "Overview of all Sysmon data types", "query": "event.module:sysmon | groupby -sankey event.dataset winlog.computer_name | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby event.dataset | groupby user.name | groupby dns.query.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.target | groupby source.ip | groupby destination.ip | groupby destination.port"},
@@ -11,45 +11,53 @@
 { "name": "Sysmon Process", "description": "Process activity captured by Sysmon", "query": "(event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby user.name | groupby event.dataset | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable"},
 { "name": "Sysmon File", "description": "File activity captured by Sysmon", "query": "(event.dataset:file_create OR event.dataset:file_create_stream_hash OR event.dataset:process_changed_file) | groupby -sankey winlog.computer_name process.executable | groupby winlog.computer_name | groupby event.dataset | groupby file.target | groupby process.executable"},
 { "name": "Sysmon Network", "description": "Network activity captured by Sysmon", "query": "event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
- { "name": "Strelka", "description": "Strelka logs", "query": "event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source"},
- { "name": "Zeek Notice", "description": "Zeek Notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "Connections", "description": "Connection logs", "query": "event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state 
| groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes"},
- { "name": "DCE_RPC", "description": "DCE_RPC logs", "query": "event.dataset:dce_rpc | groupby dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "DHCP", "description": "Dynamic Host Configuration Protocol leases", "query": "event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby client.address | groupby server.address"},
- { "name": "DNP3", "description": "DNP3 logs", "query": "event.dataset:dnp3 | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby dnp3.iin | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "DNS", "description": "Domain Name System queries", "query": "event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "DPD", "description": "Dynamic Protocol Detection errors", "query": "event.dataset:dpd | groupby error.reason | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol"},
+ { "name": "Strelka", "description": "Strelka file analysis", "query": "event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source"},
+ { "name": "Zeek Notice", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "Connections", "description": "Network connection metadata", "query": "event.dataset:conn | groupby source.ip | groupby destination.ip 
| groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes"},
+ { "name": "DCE_RPC", "description": "DCE_RPC (Distributed Computing Environment / Remote Procedure Calls) network metadata", "query": "event.dataset:dce_rpc | groupby dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "DHCP", "description": "DHCP (Dynamic Host Configuration Protocol) leases", "query": "event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby client.address | groupby server.address"},
+ { "name": "DNS", "description": "DNS (Domain Name System) queries", "query": "event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "DPD", "description": "DPD (Dynamic Protocol Detection) errors", "query": "event.dataset:dpd | groupby error.reason | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol"},
 { "name": "Files", "description": "Files seen in network traffic", "query": "event.dataset:file | groupby file.mime_type | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip"},
- { "name": "FTP", "description": "File Transfer Protocol logs", "query": "event.dataset:ftp | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "HTTP", "description": "Hyper Text Transport Protocol logs", "query": 
"event.dataset:http | groupby http.method | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "FTP", "description": "FTP (File Transfer Protocol) network metadata", "query": "event.dataset:ftp | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "HTTP", "description": "HTTP (Hyper Text Transport Protocol) network metadata", "query": "event.dataset:http | groupby http.method | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Intel", "description": "Zeek Intel framework hits", "query": "event.dataset:intel | groupby intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "IRC", "description": "Internet Relay Chat logs", "query": "event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "Kerberos", "description": "Kerberos logs", "query": "event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "MODBUS", "description": "MODBUS logs", "query": "event.dataset:modbus | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "MYSQL", "description": "MYSQL logs", "query": "event.dataset:mysql | groupby mysql.command | groupby 
mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "NOTICE", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "NTLM", "description": "NTLM logs", "query": "event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "IRC", "description": "IRC (Internet Relay Chat) network metadata", "query": "event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "Kerberos", "description": "Kerberos network metadata", "query": "event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "MySQL", "description": "MySQL network metadata", "query": "event.dataset:mysql | groupby mysql.command | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "Notice", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "NTLM", "description": "NTLM (New Technology LAN Manager) network metadata", "query": "event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | 
groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Osquery Live Queries", "description": "Osquery Live Query results", "query": "event.dataset:live_query | groupby host.hostname"},
- { "name": "PE", "description": "PE files list", "query": "event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit"},
- { "name": "RADIUS", "description": "RADIUS logs", "query": "event.dataset:radius | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "RDP", "description": "RDP logs", "query": "event.dataset:rdp | groupby client.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "RFB", "description": "RFB logs", "query": "event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "PE", "description": "PE (Portable Executable) files transferred via network traffic", "query": "event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit"},
+ { "name": "RADIUS", "description": "RADIUS (Remote Authentication Dial-In User Service) network metadata", "query": "event.dataset:radius | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "RDP", "description": "RDP (Remote Desktop Protocol) network metadata", "query": "event.dataset:rdp | groupby client.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "RFB", "description": "RFB (Remote Frame Buffer) network metadata", "query": "event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Signatures", "description": "Zeek signatures", "query": 
"event.dataset:signatures | groupby signature_id"},
- { "name": "SIP", "description": "SIP logs", "query": "event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "SMB_Files", "description": "SMB files", "query": "event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "SMB_Mapping", "description": "SMB mapping logs", "query": "event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "SMTP", "description": "SMTP logs", "query": "event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "SNMP", "description": "SNMP logs", "query": "event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "Software", "description": "List of software seen on the network by Zeek", "query": "event.dataset:software | groupby software.type | groupby software.name | groupby source.ip"},
- { "name": "SSH", "description": "SSH connections seen by Zeek", "query": "event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "SSL", "description": "SSL logs", "query": "event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "SYSLOG", "description": "SYSLOG logs", "query": 
"event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "SIP", "description": "SIP (Session Initiation Protocol) network metadata", "query": "event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "SMB_Files", "description": "Files transferred via SMB (Server Message Block)", "query": "event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "SMB_Mapping", "description": "SMB (Server Message Block) mapping network metadata", "query": "event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "SMTP", "description": "SMTP (Simple Mail Transfer Protocol) network metadata", "query": "event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "SNMP", "description": "SNMP (Simple Network Management Protocol) network metadata", "query": "event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "Software", "description": "Software seen by Zeek via network traffic", "query": "event.dataset:software | groupby software.type | groupby software.name | groupby source.ip"},
+ { "name": "SSH", "description": "SSH (Secure Shell) connections seen by Zeek", "query": "event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": 
"SSL", "description": "SSL/TLS network metadata", "query": "event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "STUN", "description": "STUN (Session Traversal Utilities for NAT) network metadata", "query": "event.dataset:stun* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "Syslog", "description": "Syslog logs", "query": "event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "TDS", "description": "TDS (Tabular Data Stream) network metadata", "query": "event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Tunnel", "description": "Tunnels seen by Zeek", "query": "event.dataset:tunnel | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Weird", "description": "Weird network traffic seen by Zeek", "query": "event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port "},
+ { "name": "WireGuard", "description": "WireGuard VPN network metadata", "query": "event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "x509", "description": "x.509 certificates seen by Zeek", "query": "event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns 
| groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer"},
- { "name": "Firewall", "description": "Firewall logs", "query": "event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "ICS", "description": "Industrial Control Systems", "query": "tags:ics | groupby event.dataset | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby source.mac | groupby destination.mac"},
- { "name": "STUN", "description": "Session Traversal Utilities for NAT", "query": "event.dataset:stun* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "TDS", "description": "Tabular Data Stream", "query": "event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "WireGuard", "description": "WireGuard VPN", "query": "event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}
+ { "name": "ICS Overview", "description": "Overview of ICS (Industrial Control Systems) network metadata", "query": "tags:ics | groupby event.dataset | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby source.mac | groupby destination.mac"},
+ { "name": "ICS BACnet", "description": "BACnet (Building Automation and Control Networks) network metadata", "query": "event.dataset:bacnet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | 
groupby destination.port"},
+ { "name": "ICS BSAP", "description": "BSAP (Bristol Standard Asynchronous Protocol) network metadata", "query": "event.dataset:bsap* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS CIP", "description": "CIP (Common Industrial Protocol) network metadata", "query": "event.dataset:cip* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS DNP3", "description": "DNP3 (Distributed Network Protocol) network metadata", "query": "event.dataset:dnp3* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby dnp3.function_code | groupby dnp3.object_type | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS ECAT", "description": "ECAT (Ethernet for Control Automation Technology) network metadata", "query": "event.dataset:ecat* | groupby -sankey event.dataset source.mac destination.mac | groupby event.dataset | groupby source.mac | groupby destination.mac | groupby ecat.command | groupby ecat.register.type"},
+ { "name": "ICS ENIP", "description": "ENIP (Ethernet Industrial Protocol) network metadata", "query": "event.dataset:enip* | groupby -sankey source.ip destination.ip | groupby enip.command | groupby enip.status_code | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS Modbus", "description": "Modbus network metadata", "query": "event.dataset:modbus* | groupby -sankey event.dataset modbus.function | groupby event.dataset | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS OPC UA", "description": "OPC UA (Unified Architecture) network metadata", "query": "event.dataset:opcua* | 
groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS Profinet", "description": "Profinet (Process Field Network) network metadata", "query": "event.dataset:profinet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS S7", "description": "S7 (Siemens) network metadata", "query": "event.dataset:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "Firewall", "description": "Firewall logs", "query": "event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port"}
 ]
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index e43fedd4f..3dfda1fc4 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
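Review bot: The new side keeps two dashboards with identical queries, `Zeek Notice` and `Notice` (both `event.dataset:notice | groupby notice.note | groupby notice.message | ...`), so the same view is listed twice; drop one of the two entries. As a point of style, the `ICS ENIP` entry uses `groupby -sankey source.ip destination.ip` with no `groupby event.dataset`, unlike every other wildcard `ICS *` entry added here; aligning it to `groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset` keeps the ICS dashboards consistent. Renaming `ICS` to `ICS Overview` and moving `Firewall`, `STUN`, `TDS` and `WireGuard` is fine, but any bookmark or documentation that referred to the dashboard by the old name `ICS` will no longer match.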
@@ -58,24 +58,44 @@ "::registry_create_delete": ["soc_timestamp", "winlog.event_data.TargetObject", "process.executable", "process.pid", "winlog.computer_name"], "::dns_query": ["soc_timestamp", "dns.query.name", "dns.answers.name", "process.executable", "winlog.computer_name"], "::file_create_stream_hash": ["soc_timestamp", "file.target", "hash.md5", "hash.sha256", "process.executable", "process.pid", "winlog.computer_name"], - "::tds": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.command", "log.id.uid", "event.dataset" ], - "::tds_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.procedure_name", "log.id.uid", "event.dataset" ], - "::cip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.service", "cip.status_code", "log.id.uid", "event.dataset" ], - "::enip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "enip.command", "enip.status_code", "log.id.uid", "event.dataset" ], - "::modbus_detailed": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "modbus.function", "log.id.uid" ], - "::s7comm": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "s7.ros.control.name", "s7.function.name", "log.id.uid" ], - "::s7comm_plus": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "s7.opcode.name", "s7.version", "log.id.uid" ], - "::cip_identity": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.device.type.name", "cip.vendor.name", "log.id.uid" ], - "::ecat_arp_info": ["soc_timestamp", "source.ip", "destination.ip", "source.mac", "destination.mac", "ecat.arp.type" ], - "::ecat_aoe_info": ["soc_timestamp", "source.mac", "source.port", "destination.mac", "destination.port", "ecat.command" ], - "::ecat_log_address": ["soc_timestamp", "source.mac", "destination.mac", 
"ecat.command" ], - "::ecat_registers": ["soc_timestamp", "source.mac", "destination.mac", "ecat.command", "ecat.register.type" ], - "::bacnet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.bclv.function", "bacnet.result.code", "log.id.uid" ], + "::bacnet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.bclv.function", "bacnet.result.code", "log.id.uid" ], "::bacnet_discovery": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.vendor", "bacnet.pdu.service", "log.id.uid" ], "::bacnet_property": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.property", "bacnet.pdu.service", "log.id.uid" ], + "::cip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.service", "cip.status_code", "log.id.uid", "event.dataset" ], + "::cip_identity": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.device.type.name", "cip.vendor.name", "log.id.uid" ], + "::cip_io": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.connection.id", "cip.io.data", "log.id.uid" ], + "::cotp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cotp.pdu.name", "log.id.uid" ], + "::ecat_arp_info": ["soc_timestamp", "source.ip", "destination.ip", "source.mac", "destination.mac", "ecat.arp.type" ], + "::ecat_aoe_info": ["soc_timestamp", "source.mac", "source.port", "destination.mac", "destination.port", "ecat.command" ], + "::ecat_coe_info": ["soc_timestamp", "ecat.message.number", "ecat.message.type", "ecat.request.response.type", "ecat.index", "ecat.sub.index" ], + "::ecat_dev_info": ["soc_timestamp", "ecat.device.type", "ecat.features", "ecat.ram.size", "ecat.revision", "ecat.slave.address" ], + "::ecat_log_address": ["soc_timestamp", "source.mac", "destination.mac", "ecat.command" ], 
+ "::ecat_registers": ["soc_timestamp", "source.mac", "destination.mac", "ecat.command", "ecat.register.type" ], + "::enip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "enip.command", "enip.status_code", "log.id.uid", "event.dataset" ], + "::modbus_detailed": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "modbus.function", "log.id.uid" ], + "::opcua_binary": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.identifier_string", "opcua.message_type", "log.id.uid" ], + "::opcua_binary_activate_session": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.identifier_string", "opcua.user_name", "log.id.uid" ], + "::opcua_binary_activate_session_diagnostic_info": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.activate_session_diag_info.link_id", "opcua.diag_info.link_id", "log.id.uid" ], + "::opcua_binary_activate_session_locale_id": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.local_id", "opcua.locale.link_id", "log.id.uid" ], + "::opcua_binary_browse": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.service_type", "log.id.uid" ], + "::opcua_binary_browse_description": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid" ], + "::opcua_binary_browse_response_references": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.node_class", "opcua.display_name_text", "log.id.uid" ], + "::opcua_binary_browse_result": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.response.link_id", "log.id.uid" ], + "::opcua_binary_create_session": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", 
"log.id.uid" ], + "::opcua_binary_create_session_endpoints": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.endpoint_link_id", "opcua.endpoint_url", "log.id.uid" ], + "::opcua_binary_create_session_user_token": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.user_token.link_id", "log.id.uid" ], + "::opcua_binary_create_subscription": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "log.id.uid" ], + "::opcua_binary_get_endpoints": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.endpoint_url", "opcua.link_id", "log.id.uid" ], + "::opcua_binary_get_endpoints_description": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.endpoint_description_link_id", "opcua.endpoint_uri", "log.id.uid" ], + "::opcua_binary_get_endpoints_user_token": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.user_token.link_id", "opcua.user_token.type", "log.id.uid" ], + "::opcua_binary_read": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.read_results.link_id", "log.id.uid" ], + "::opcua_binary_status_code_detail": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.info_type_string", "opcua.source_string", "log.id.uid" ], "::profinet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "profinet.index", "profinet.operation_type", "log.id.uid" ], "::profinet_dce_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "profinet.operation", "log.id.uid" ], - "::cotp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cotp.pdu.name", "log.id.uid" ], + "::s7comm": ["soc_timestamp", "source.ip", "source.port", "destination.ip", 
"destination.port", "s7.ros.control.name", "s7.function.name", "log.id.uid" ],
+ "::s7comm_plus": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "s7.opcode.name", "s7.version", "log.id.uid" ],
+ "::tds": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.command", "log.id.uid", "event.dataset" ],
+ "::tds_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.procedure_name", "log.id.uid", "event.dataset" ],
 "::tds_sql_batch": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.header_type", "log.id.uid", "event.dataset" ]
diff --git a/setup/so-functions b/setup/so-functions
index f9f1fb873..67f2c2957 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -2972,6 +2972,7 @@ zeek_logs_enabled() {
 " - smb_mapping"\
 " - smtp"\
 " - snmp"\
+ " - software"\
 " - ssh"\
 " - ssl"\
 " - tunnel"\
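Review bot: The new column presets still leave out the write/control datasets this same commit turns on by default — there is no `::modbus_mask_write_register`, `::modbus_read_write_multiple_registers`, `::s7comm_upload_download`, `::s7comm_read_szl`, `::dnp3_objects` or `::opcua_binary_opensecure_channel` entry — and those are exactly the events an analyst hunting for unauthorized register writes or PLC program changes needs to see at a glance; presumably they fall back to a generic column set, so a preset per dataset carrying the function/operation field (e.g. `"::modbus_mask_write_register": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "modbus.function", "log.id.uid" ],`) is worth adding once the mapped field names are confirmed. Separately, `opcua.local_id` in `::opcua_binary_activate_session_locale_id` reads like a typo for `opcua.locale_id` given the sibling `opcua.locale.link_id` — check it against the ingest mapping before merging, since a wrong name just yields a silently empty column. The enclosing JSON object opens and closes outside the hunk.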
@@ -2979,64 +2980,83 @@ zeek_logs_enabled() {
 " - mysql"\
 " - socks"\
 " - x509"\
- " - dnp3_objects"\
- " - modbus_detailed"\
- " - modbus_mask_write_single_register"\
- " - modbus_read_write_multiple_registers"\
 " - bacnet"\
 " - bacnet_discovery"\
 " - bacnet_property"\
- " - ecat_registers"\
- " - ecat_log_address"\
- " - ecat_dev_info"\
- " - ecat_aoe_info"\
- " - ecat_coe_info"\
- " - ecat_foe_info"\
- " - ecat_soe_info"\
- " - ecat_arp_info"\
- " - enip"\
- " - cip"\
- " - cip_io"\
+ " - bsap_ip_header"\
+ " - bsap_ip_rdb"\
+ " - bsap_ip_unknown"\
+ " - bsap_serial_header"\
+ " - bsap_serial_rdb"\
+ " - bsap_serial_rdb_ext"\
+ " - bsap_serial_unknown"\
+ " - cip"\
 " - cip_identity"\
- " - opcua_binary"\
- " - opcua_binary_status_code_detail"\
- " - opcua_binary_diag_info_detail"\
- " - opcua_binary_get_endpoints"\
- " - opcua_binary_get_endpoints_discovery"\
- " - opcua_binary_get_endpoints_user_token"\
- " - opcua_binary_get_endpoints_description"\
- " - opcua_binary_get_endpoints_locale_id"\
- " - opcua_binary_get_endpoints_profile_uri"\
- " - opcua_binary_create_session"\
- " - opcua_binary_create_session_user_token"\
- " - opcua_binary_create_session_endpoints"\
- " - opcua_binary_create_session_discovery"\
+ " - cip_io"\
+ " - cotp"\
+ " - dnp3_objects"\
+ " - ecat_aoe_info"\
+ " - ecat_coe_info"\
+ " - ecat_dev_info"\
+ " - ecat_foe_info"\
+ " - ecat_log_address"\
+ " - ecat_registers"\
+ " - ecat_soe_info"\
+ " - enip"\
+ " - modbus_detailed"\
+ " - modbus_mask_write_register"\
+ " - modbus_read_write_multiple_registers"\
+ " - opcua_binary"\
 " - opcua_binary_activate_session"\
 " - opcua_binary_activate_session_client_software_cert"\
- " - opcua_binary_activate_session_locale_id"\
 " - opcua_binary_activate_session_diagnostic_info"\
+ " - opcua_binary_activate_session_locale_id"\
 " - opcua_binary_browse"\
 " - opcua_binary_browse_description"\
- " - opcua_binary_browse_request_continuation_point"\
- " - opcua_binary_browse_result"\
- " - 
opcua_binary_browse_response_references"\ " - opcua_binary_browse_diagnostic_info"\ + " - opcua_binary_browse_request_continuation_point"\ + " - opcua_binary_browse_response_references"\ + " - opcua_binary_browse_result"\ + " - opcua_binary_create_session"\ + " - opcua_binary_create_session_discovery"\ + " - opcua_binary_create_session_endpoints"\ + " - opcua_binary_create_session_user_token"\ " - opcua_binary_create_subscription"\ - " - opcua_binary_read"\ - " - cotp"\ + " - opcua_binary_diag_info_detail"\ + " - opcua_binary_get_endpoints"\ + " - opcua_binary_get_endpoints_description"\ + " - opcua_binary_get_endpoints_discovery"\ + " - opcua_binary_get_endpoints_locale_id"\ + " - opcua_binary_get_endpoints_profile_uri"\ + " - opcua_binary_get_endpoints_user_token"\ + " - opcua_binary_opensecure_channel"\ + " - opcua_binary_read"\ + " - opcua_binary_read_array_dims"\ + " - opcua_binary_read_array_dims_link"\ + " - opcua_binary_read_diagnostic_info"\ + " - opcua_binary_read_extension_object"\ + " - opcua_binary_read_extension_object_link"\ + " - opcua_binary_read_nodes_to_read"\ + " - opcua_binary_read_results"\ + " - opcua_binary_read_results_link"\ + " - opcua_binary_read_status_code"\ + " - opcua_binary_read_variant_data"\ + " - opcua_binary_read_variant_data_link"\ + " - opcua_binary_status_code_detail"\ + " - profinet"\ + " - profinet_dce_rpc"\ + " - profinet_debug"\ " - s7comm"\ + " - s7comm_plus"\ " - s7comm_read_szl"\ " - s7comm_upload_download"\ - " - s7comm_plus"\ + " - stun"\ + " - stun_nat"\ " - tds"\ " - tds_rpc"\ " - tds_sql_batch"\ - " - profinet_dce_rpc"\ - " - profinet"\ - " - profinet_debug"\ - " - stun"\ - " - stun_nat"\ " - wireguard" >> "$zeeklogs_pillar" + # In the above list, ecat_arp_info was removed because it's not specific to ecat and records all arp traffic. fi # We don't want Zeek syslog for production deployments as this can create duplicate logs. diff --git a/setup/so-whiptail b/setup/so-whiptail index f2fb90882..b87517545 100755 
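Review bot: The added comment `# In the above list, ecat_arp_info was removed because it's not specific to ecat and records all arp traffic.` sits after the `>> "$zeeklogs_pillar"` write it describes and says "removed", so a reader who later reconciles this list against the whiptail checklist (which still offers `ecat_arp_info`, see the so-whiptail hunk below) will most likely re-add it; as committed, the non-interactive default pillar and the interactive advanced menu disagree on that log. Move the comment above the list and state the intent, e.g. `# ecat_arp_info is intentionally left out of the default pillar: the ecat analyzer records all ARP traffic there, not just EtherCAT, so it adds volume unrelated to ICS. Keep this list in sync with the whiptail checklist.` Note also that the same list previously said `modbus_mask_write_single_register` while the checklist said `modbus_mask_write_register`; a one-line comment naming which file is the source of truth would stop that drift recurring. `zeek_logs_enabled` starts outside the hunk.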
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -1305,6 +1305,7 @@ whiptail_manager_adv_service_zeeklogs() {
 "smb_mapping" "" ON \
 "smtp" "" ON \
 "snmp" "" ON \
+ "software" "" ON \
 "ssh" "" ON \
 "ssl" "" ON \
 "syslog" "" ON \
@@ -1313,11 +1314,7 @@ whiptail_manager_adv_service_zeeklogs() {
 "mysql" "" ON \
 "socks" "" ON \
 "x509" "" ON \
- "modbus_detailed" "" ON \
- "modbus_mask_write_register" "" ON \
- "modbus_read_write_multiple_registers" "" ON \
- "dnp3_objects" "" ON \
- "bacnet" "" ON \
+ "bacnet" "" ON \
 "bacnet_discovery" "" ON \
 "bacnet_property" "" ON \
 "bsap_ip_header" "" ON \
@@ -1327,56 +1324,72 @@ whiptail_manager_adv_service_zeeklogs() { "bsap_serial_rdb" "" ON \ "bsap_serial_rdb_ext" "" ON \ "bsap_serial_unknown" "" ON \ - "ecat_registers" "" ON \ - "ecat_log_address" "" ON \ - "ecat_dev_info" "" ON \ - "ecat_aoe_info" "" ON \ - "ecat_coe_info" "" ON \ - "ecat_foe_info" "" ON \ - "ecat_soe_info" "" ON \ - "ecat_arp_info" "" ON \ - "enip" "" ON \ - "cip" "" ON \ - "cip_io" "" ON \ + "cip" "" ON \ "cip_identity" "" ON \ + "cip_io" "" ON \ + "cotp" "" ON \ + "dnp3_objects" "" ON \ + "ecat_aoe_info" "" ON \ + "ecat_arp_info" "" ON \ + "ecat_coe_info" "" ON \ + "ecat_dev_info" "" ON \ + "ecat_foe_info" "" ON \ + "ecat_log_address" "" ON \ + "ecat_registers" "" ON \ + "ecat_soe_info" "" ON \ + "enip" "" ON \ + "modbus_detailed" "" ON \ + "modbus_mask_write_register" "" ON \ + "modbus_read_write_multiple_registers" "" ON \ "opcua_binary" "" ON \ - "opcua_binary_status_code_detail" "" ON \ - "opcua_binary_diag_info_detail" "" ON \ - "opcua_binary_get_endpoints" "" ON \ - "opcua_binary_get_endpoints_discovery" "" ON \ - "opcua_binary_get_endpoints_user_token" "" ON \ - "opcua_binary_get_endpoints_description" "" ON \ - "opcua_binary_get_endpoints_locale_id" "" ON \ - "opcua_binary_get_endpoints_profile_uri" "" ON \ - "opcua_binary_create_session" "" ON \ - "opcua_binary_create_session_user_token" "" ON \ - "opcua_binary_create_session_endpoints" "" ON \ - "opcua_binary_create_session_discovery" "" ON \ "opcua_binary_activate_session" "" ON \ "opcua_binary_activate_session_client_software_cert" "" ON \ - "opcua_binary_activate_session_locale_id" "" ON \ "opcua_binary_activate_session_diagnostic_info" "" ON \ + "opcua_binary_activate_session_locale_id" "" ON \ "opcua_binary_browse" "" ON \ "opcua_binary_browse_description" "" ON \ - "opcua_binary_browse_request_continuation_point" "" ON \ - "opcua_binary_browse_result" "" ON \ - "opcua_binary_browse_response_references" "" ON \ "opcua_binary_browse_diagnostic_info" "" ON \ + 
"opcua_binary_browse_request_continuation_point" "" ON \ + "opcua_binary_browse_response_references" "" ON \ + "opcua_binary_browse_result" "" ON \ + "opcua_binary_create_session" "" ON \ + "opcua_binary_create_session_discovery" "" ON \ + "opcua_binary_create_session_endpoints" "" ON \ + "opcua_binary_create_session_user_token" "" ON \ "opcua_binary_create_subscription" "" ON \ - "opcua_binary_read" "" ON \ - "cotp" "" ON \ + "opcua_binary_diag_info_detail" "" ON \ + "opcua_binary_get_endpoints" "" ON \ + "opcua_binary_get_endpoints_description" "" ON \ + "opcua_binary_get_endpoints_discovery" "" ON \ + "opcua_binary_get_endpoints_locale_id" "" ON \ + "opcua_binary_get_endpoints_profile_uri" "" ON \ + "opcua_binary_get_endpoints_user_token" "" ON \ + "opcua_binary_opensecure_channel" "" ON \ + "opcua_binary_read" "" ON \ + "opcua_binary_read_array_dims" "" ON \ + "opcua_binary_read_array_dims_link" "" ON \ + "opcua_binary_read_diagnostic_info" "" ON \ + "opcua_binary_read_extension_object" "" ON \ + "opcua_binary_read_extension_object_link" "" ON \ + "opcua_binary_read_nodes_to_read" "" ON \ + "opcua_binary_read_results" "" ON \ + "opcua_binary_read_results_link" "" ON \ + "opcua_binary_read_status_code" "" ON \ + "opcua_binary_read_variant_data" "" ON \ + "opcua_binary_read_variant_data_link" "" ON \ + "opcua_binary_status_code_detail" "" ON \ + "profinet" "" ON \ + "profinet_dce_rpc" "" ON \ + "profinet_debug" "" ON \ "s7comm" "" ON \ + "s7comm_plus" "" ON \ "s7comm_read_szl" "" ON \ "s7comm_upload_download" "" ON \ - "s7comm_plus" "" ON \ + "stun" "" ON \ + "stun_nat" "" ON \ "tds" "" ON \ "tds_rpc" "" ON \ "tds_sql_batch" "" ON \ - "profinet" "" ON \ - "profinet_dce_rpc" "" ON \ - "profinet_debug" "" ON \ - "stun" "" ON \ - "stun_nat" "" ON \ "wireguard" "" ON 3>&1 1>&2 2>&3) local exitstatus=$?
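Review bot: `"ecat_arp_info" "" ON \` keeps that log enabled by default in the advanced checklist, while the so-functions hunk in this same commit deliberately leaves it out of the default pillar because the analyzer records all ARP traffic, so the two install paths now yield different Zeek log sets from the same defaults; change the entry to `"ecat_arp_info" "" OFF \` (or drop it) so the checklist matches, and apply the same to any other copy of this list in the tree. A related maintainability point: the ICS entries are now alphabetical but the generic block above them (`mysql`, `socks`, `x509` after `syslog` in the earlier hunk) is not, so a one-line comment such as `# ICS analyzer logs below are kept alphabetical; keep in sync with zeek_logs_enabled in so-functions` would tell the next person adding an analyzer which order to follow. `whiptail_manager_adv_service_zeeklogs` starts outside the hunk; only the tail of the whiptail command and `local exitstatus=$?` are visible here.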