From 085420997c682e489e859b067bd4535455004897 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Wed, 23 Nov 2022 12:11:04 -0500
Subject: [PATCH 01/57] move status_code before status_code.link_id
---
 .../files/ingest/zeek.opcua_binary_status_code_detail | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail b/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail
index a102b9e1a..1b43fd19d 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail
@@ -3,11 +3,11 @@
 "processors" : [
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "rename": { "field": "message2.status_code", "target_field": "opcua.status_code", "ignore_missing": true } },
 { "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code.link_id", "ignore_missing": true } },
 { "rename": { "field": "message2.source", "target_field": "opcua.source", "ignore_missing": true } },
 { "rename": { "field": "message2.source_str", "target_field": "opcua.source_string", "ignore_missing": true } },
 { "rename": { "field": "message2.source_level", "target_field": "opcua.source_level", "ignore_missing": true } },
- { "rename": { "field": "message2.status_code", "target_field": "opcua.status_code", "ignore_missing": true } },
 { "rename": { "field": "message2.severity", "target_field": "opcua.severity", "ignore_missing": true } },
 { "rename": { "field": "message2.severity_str", "target_field": "opcua.severity_string", "ignore_missing": true } },
 { "rename": { "field": "message2.sub_code", "target_field": "opcua.sub_code", "ignore_missing": true } },
From 3f62cddc3bd3097de243047c3714d3ee7ecfca9c Mon Sep 17 00:00:00 2001
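Review bot: Moving the `message2.status_code` rename ahead of the link_id rename does not remove the conflict between their targets: once `opcua.status_code` holds the scalar value, the very next processor tries to create `opcua.status_code.link_id` underneath it, and as far as I can tell the rename processor refuses to set a child path whose parent is not an object, which fails the document because this rename has no `ignore_failure` (`ignore_missing` only covers an absent source field). The previous order had the mirror-image problem, since the link_id rename created `opcua.status_code` as an object and the later scalar rename then hit an already-existing target. The two fields need non-overlapping targets, e.g. `"target_field": "opcua.status_code_link_id"` for the link_id processor. The rest of the pipeline, including any `on_failure` handler, is outside this hunk.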
From: Doug Burks
Date: Wed, 23 Nov 2022 12:21:12 -0500
Subject: [PATCH 02/57] change . to _
---
 .../files/ingest/zeek.opcua_binary_status_code_detail | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail b/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail
index 1b43fd19d..c19c7a6e4 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail
@@ -4,7 +4,7 @@
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
 { "rename": { "field": "message2.status_code", "target_field": "opcua.status_code", "ignore_missing": true } },
- { "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code_link_id", "ignore_missing": true } },
 { "rename": { "field": "message2.source", "target_field": "opcua.source", "ignore_missing": true } },
 { "rename": { "field": "message2.source_str", "target_field": "opcua.source_string", "ignore_missing": true } },
 { "rename": { "field": "message2.source_level", "target_field": "opcua.source_level", "ignore_missing": true } },
From 9f5e75b3020a97f9edc2ef9b648d48dc91dd4251 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 07:27:50 -0500
Subject: [PATCH 03/57] add software to so-zeek-logs
---
 salt/common/tools/sbin/so-zeek-logs | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/common/tools/sbin/so-zeek-logs b/salt/common/tools/sbin/so-zeek-logs
index fa9d9c878..0d84040e9 100755
--- a/salt/common/tools/sbin/so-zeek-logs
+++ b/salt/common/tools/sbin/so-zeek-logs
@@ -35,6 +35,7 @@ whiptail_manager_adv_service_zeeklogs() {
 "smb_mapping" "" ON \
 "smtp" "" ON \
 "snmp" "" ON \
+ "software" "" ON \
 "ssh" "" ON \
 "ssl" "" ON \
 "syslog" "" ON \
From 9431bf1c2ae7669e309dde79e57c7a8e4c30d329 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 07:28:48 -0500
Subject: [PATCH 04/57] add Zeek software log to so-whiptail
---
 setup/so-whiptail | 1 +
 1 file changed, 1 insertion(+)
diff --git a/setup/so-whiptail b/setup/so-whiptail
index f2fb90882..c33b36d1a 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -1305,6 +1305,7 @@ whiptail_manager_adv_service_zeeklogs() {
 "smb_mapping" "" ON \
 "smtp" "" ON \
 "snmp" "" ON \
+ "software" "" ON \
 "ssh" "" ON \
 "ssl" "" ON \
 "syslog" "" ON \
From 40688a60764a65e6fa50d311257a00e5eeb9bafe Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 07:36:41 -0500
Subject: [PATCH 05/57] add Zeek software to so-functions
---
 setup/so-functions | 1 +
 1 file changed, 1 insertion(+)
diff --git a/setup/so-functions b/setup/so-functions
index f9f1fb873..dabd3af6a 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -2972,6 +2972,7 @@ zeek_logs_enabled() {
 " - smb_mapping"\
 " - smtp"\
 " - snmp"\
+ " - software"\
 " - ssh"\
 " - ssl"\
 " - tunnel"\
From 0afb20ffa86ff2fffe6b4bd833d8c8bae46cf8c5 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 09:19:11 -0500
Subject: [PATCH 06/57] fix ics entries in so-functions
---
 setup/so-functions | 69 +++++++++++++++++++++++++---------------------
 1 file changed, 38 insertions(+), 31 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index dabd3af6a..7d1ccbf33 100755
--- a/setup/so-functions
+++ b/setup/so-functions
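Review bot: The same `software` entry is added by hand in three separate copies of the log list — this hunk in so-zeek-logs, the whiptail checklist in so-whiptail (PATCH 04) and the pillar writer in so-functions (PATCH 05) — and nothing ties the copies together, so the next addition can land in one file and not the others, leaving a log selectable in the menu but absent from the pillar or vice versa. The later patches in this series that re-sort and re-spell the ICS entries in each file independently are the symptom. A single shared array that both the whiptail menus and `zeek_logs_enabled` iterate would remove the drift; failing that, a comment at each site, `# keep in sync with setup/so-whiptail and zeek_logs_enabled in setup/so-functions`, at least tells the next editor where to look. whiptail_manager_adv_service_zeeklogs continues outside the hunk.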
@@ -2980,13 +2980,21 @@ zeek_logs_enabled() {
 " - mysql"\
 " - socks"\
 " - x509"\
- " - dnp3_objects"\
- " - modbus_detailed"\
- " - modbus_mask_write_single_register"\
- " - modbus_read_write_multiple_registers"\
 " - bacnet"\
 " - bacnet_discovery"\
 " - bacnet_property"\
+ " - bsap_ip_header"\
+ " - bsap_ip_rdb"\
+ " - bsap_ip_unknown"\
+ " - bsap_serial_header"\
+ " - bsap_serial_rdb"\
+ " - bsap_serial_rdb_ext"\
+ " - bsap_serial_unknown"\
+ " - cip"\
+ " - cip_io"\
+ " - cip_identity"\
+ " - cotp"\
+ " - dnp3_objects"\
 " - ecat_registers"\
 " - ecat_log_address"\
 " - ecat_dev_info"\
@@ -2996,47 +3004,46 @@ zeek_logs_enabled() { " - ecat_soe_info"\ " - ecat_arp_info"\ " - enip"\ - " - cip"\ - " - cip_io"\ - " - cip_identity"\ - " - opcua_binary"\ - " - opcua_binary_status_code_detail"\ - " - opcua_binary_diag_info_detail"\ - " - opcua_binary_get_endpoints"\ - " - opcua_binary_get_endpoints_discovery"\ - " - opcua_binary_get_endpoints_user_token"\ - " - opcua_binary_get_endpoints_description"\ - " - opcua_binary_get_endpoints_locale_id"\ - " - opcua_binary_get_endpoints_profile_uri"\ - " - opcua_binary_create_session"\ - " - opcua_binary_create_session_user_token"\ - " - opcua_binary_create_session_endpoints"\ - " - opcua_binary_create_session_discovery"\ + " - modbus_detailed"\ + " - modbus_mask_write_single_register"\ + " - modbus_read_write_multiple_registers"\ + " - opcua_binary"\ " - opcua_binary_activate_session"\ " - opcua_binary_activate_session_client_software_cert"\ - " - opcua_binary_activate_session_locale_id"\ " - opcua_binary_activate_session_diagnostic_info"\ + " - opcua_binary_activate_session_locale_id"\ " - opcua_binary_browse"\ " - opcua_binary_browse_description"\ - " - opcua_binary_browse_request_continuation_point"\ - " - opcua_binary_browse_result"\ - " - opcua_binary_browse_response_references"\ " - opcua_binary_browse_diagnostic_info"\ + " - opcua_binary_browse_request_continuation_point"\ + " - opcua_binary_browse_response_references"\ + " - opcua_binary_browse_result"\ + " - opcua_binary_create_session"\ + " - opcua_binary_create_session_discovery"\ + " - opcua_binary_create_session_endpoints"\ + " - opcua_binary_create_session_user_token"\ " - opcua_binary_create_subscription"\ + " - opcua_binary_diag_info_detail"\ + " - opcua_binary_get_endpoints"\ + " - opcua_binary_get_endpoints_description"\ + " - opcua_binary_get_endpoints_discovery"\ + " - opcua_binary_get_endpoints_locale_id"\ + " - opcua_binary_get_endpoints_profile_uri"\ + " - opcua_binary_get_endpoints_user_token"\ " - opcua_binary_read"\ - " - cotp"\ + " - 
opcua_binary_status_code_detail"\ + " - profinet"\ + " - profinet_dce_rpc"\ + " - profinet_debug"\ " - s7comm"\ + " - s7comm_plus"\ " - s7comm_read_szl"\ " - s7comm_upload_download"\ - " - s7comm_plus"\ + " - stun"\ + " - stun_nat"\ " - tds"\ " - tds_rpc"\ " - tds_sql_batch"\ - " - profinet_dce_rpc"\ - " - profinet"\ - " - profinet_debug"\ - " - stun"\ - " - stun_nat"\ " - wireguard" >> "$zeeklogs_pillar" fi From 6f27c1b21e4c413bda8dda77560b7e7fbcbc1761 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 25 Nov 2022 09:26:54 -0500 Subject: [PATCH 07/57] fix zeek logs in so-whiptail --- setup/so-whiptail | 78 +++++++++++++++++++++++------------------------ 1 file changed, 39 insertions(+), 39 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index c33b36d1a..76430575a 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1314,11 +1314,7 @@ whiptail_manager_adv_service_zeeklogs() { "mysql" "" ON \ "socks" "" ON \ "x509" "" ON \ - "modbus_detailed" "" ON \ - "modbus_mask_write_register" "" ON \ - "modbus_read_write_multiple_registers" "" ON \ - "dnp3_objects" "" ON \ - "bacnet" "" ON \ + "bacnet" "" ON \ "bacnet_discovery" "" ON \ "bacnet_property" "" ON \ "bsap_ip_header" "" ON \ 
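Review bot: The re-added modbus line spells the log `modbus_mask_write_single_register`, while the whiptail checklists in so-whiptail (PATCH 07) and so-zeek-logs in this same series use `modbus_mask_write_register`; only one of these can match the log name Zeek actually writes, and a pillar entry that matches nothing is presumably ignored without any error, so the log would be silently left unmanaged. Confirm the name against the Zeek output and use that spelling in all three lists. The hunk also sorts most entries alphabetically but leaves `cip`, `cip_io`, `cip_identity` out of order in the first hunk of this patch. zeek_logs_enabled begins before the hunk; the list is appended to `"$zeeklogs_pillar"` at its end.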
@@ -1328,56 +1324,60 @@ whiptail_manager_adv_service_zeeklogs() { "bsap_serial_rdb" "" ON \ "bsap_serial_rdb_ext" "" ON \ "bsap_serial_unknown" "" ON \ - "ecat_registers" "" ON \ - "ecat_log_address" "" ON \ - "ecat_dev_info" "" ON \ - "ecat_aoe_info" "" ON \ - "ecat_coe_info" "" ON \ - "ecat_foe_info" "" ON \ - "ecat_soe_info" "" ON \ - "ecat_arp_info" "" ON \ - "enip" "" ON \ - "cip" "" ON \ - "cip_io" "" ON \ + "cip" "" ON \ "cip_identity" "" ON \ + "cip_io" "" ON \ + "cotp" "" ON \ + "dnp3_objects" "" ON \ + "ecat_aoe_info" "" ON \ + "ecat_arp_info" "" ON \ + "ecat_coe_info" "" ON \ + "ecat_dev_info" "" ON \ + "ecat_foe_info" "" ON \ + "ecat_log_address" "" ON \ + "ecat_registers" "" ON \ + "ecat_soe_info" "" ON \ + "enip" "" ON \ + "modbus_detailed" "" ON \ + "modbus_mask_write_register" "" ON \ + "modbus_read_write_multiple_registers" "" ON \ "opcua_binary" "" ON \ - "opcua_binary_status_code_detail" "" ON \ - "opcua_binary_diag_info_detail" "" ON \ - "opcua_binary_get_endpoints" "" ON \ - "opcua_binary_get_endpoints_discovery" "" ON \ - "opcua_binary_get_endpoints_user_token" "" ON \ - "opcua_binary_get_endpoints_description" "" ON \ - "opcua_binary_get_endpoints_locale_id" "" ON \ - "opcua_binary_get_endpoints_profile_uri" "" ON \ - "opcua_binary_create_session" "" ON \ - "opcua_binary_create_session_user_token" "" ON \ - "opcua_binary_create_session_endpoints" "" ON \ - "opcua_binary_create_session_discovery" "" ON \ "opcua_binary_activate_session" "" ON \ "opcua_binary_activate_session_client_software_cert" "" ON \ - "opcua_binary_activate_session_locale_id" "" ON \ "opcua_binary_activate_session_diagnostic_info" "" ON \ + "opcua_binary_activate_session_locale_id" "" ON \ "opcua_binary_browse" "" ON \ "opcua_binary_browse_description" "" ON \ - "opcua_binary_browse_request_continuation_point" "" ON \ - "opcua_binary_browse_result" "" ON \ - "opcua_binary_browse_response_references" "" ON \ "opcua_binary_browse_diagnostic_info" "" ON \ + 
"opcua_binary_browse_request_continuation_point" "" ON \ + "opcua_binary_browse_response_references" "" ON \ + "opcua_binary_browse_result" "" ON \ + "opcua_binary_create_session" "" ON \ + "opcua_binary_create_session_discovery" "" ON \ + "opcua_binary_create_session_endpoints" "" ON \ + "opcua_binary_create_session_user_token" "" ON \ "opcua_binary_create_subscription" "" ON \ + "opcua_binary_diag_info_detail" "" ON \ + "opcua_binary_status_code_detail" "" ON \ + "opcua_binary_get_endpoints" "" ON \ + "opcua_binary_get_endpoints_description" "" ON \ + "opcua_binary_get_endpoints_discovery" "" ON \ + "opcua_binary_get_endpoints_locale_id" "" ON \ + "opcua_binary_get_endpoints_profile_uri" "" ON \ + "opcua_binary_get_endpoints_user_token" "" ON \ "opcua_binary_read" "" ON \ - "cotp" "" ON \ + "profinet" "" ON \ + "profinet_dce_rpc" "" ON \ + "profinet_debug" "" ON \ "s7comm" "" ON \ + "s7comm_plus" "" ON \ "s7comm_read_szl" "" ON \ "s7comm_upload_download" "" ON \ - "s7comm_plus" "" ON \ + "stun" "" ON \ + "stun_nat" "" ON \ "tds" "" ON \ "tds_rpc" "" ON \ "tds_sql_batch" "" ON \ - "profinet" "" ON \ - "profinet_dce_rpc" "" ON \ - "profinet_debug" "" ON \ - "stun" "" ON \ - "stun_nat" "" ON \ "wireguard" "" ON 3>&1 1>&2 2>&3) local exitstatus=$? From fad6c46e7caf12638da83a701022fac114d7ae32 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 25 Nov 2022 09:35:00 -0500 Subject: [PATCH 08/57] fix zeek ics logs in so-zeek-logs --- salt/common/tools/sbin/so-zeek-logs | 70 ++++++++++++++--------------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/salt/common/tools/sbin/so-zeek-logs b/salt/common/tools/sbin/so-zeek-logs index 0d84040e9..6e2f0629a 100755 --- a/salt/common/tools/sbin/so-zeek-logs +++ b/salt/common/tools/sbin/so-zeek-logs 
@@ -44,10 +44,6 @@ whiptail_manager_adv_service_zeeklogs() {
 "mysql" "" ON \
 "socks" "" ON \
 "x509" "" ON \
- "modbus_detailed" "" ON \
- "modbus_mask_write_register" "" ON \
- "modbus_read_write_multiple_registers" "" ON \
- "dnp3_objects" "" ON \
 "bacnet" "" ON \
 "bacnet_discovery" "" ON \
 "bacnet_property" "" ON \
@@ -58,56 +54,60 @@ whiptail_manager_adv_service_zeeklogs() { "bsap_serial_rdb" "" ON \ "bsap_serial_rdb_ext" "" ON \ "bsap_serial_unknown" "" ON \ - "ecat_registers" "" ON \ - "ecat_log_address" "" ON \ - "ecat_dev_info" "" ON \ + "cip" "" ON \ + "cip_identity" "" ON \ + "cip_io" "" ON \ + "cotp" "" ON \ + "dnp3_objects" "" ON \ + "ecat_arp_info" "" ON \ "ecat_aoe_info" "" ON \ "ecat_coe_info" "" ON \ + "ecat_dev_info" "" ON \ "ecat_foe_info" "" ON \ + "ecat_log_address" "" ON \ + "ecat_registers" "" ON \ "ecat_soe_info" "" ON \ - "ecat_arp_info" "" ON \ "enip" "" ON \ - "cip" "" ON \ - "cip_io" "" ON \ - "cip_identity" "" ON \ + "modbus_detailed" "" ON \ + "modbus_mask_write_register" "" ON \ + "modbus_read_write_multiple_registers" "" ON \ "opcua_binary" "" ON \ - "opcua_binary_status_code_detail" "" ON \ - "opcua_binary_diag_info_detail" "" ON \ - "opcua_binary_get_endpoints" "" ON \ - "opcua_binary_get_endpoints_discovery" "" ON \ - "opcua_binary_get_endpoints_user_token" "" ON \ - "opcua_binary_get_endpoints_description" "" ON \ - "opcua_binary_get_endpoints_locale_id" "" ON \ - "opcua_binary_get_endpoints_profile_uri" "" ON \ - "opcua_binary_create_session" "" ON \ - "opcua_binary_create_session_user_token" "" ON \ - "opcua_binary_create_session_endpoints" "" ON \ - "opcua_binary_create_session_discovery" "" ON \ "opcua_binary_activate_session" "" ON \ "opcua_binary_activate_session_client_software_cert" "" ON \ - "opcua_binary_activate_session_locale_id" "" ON \ "opcua_binary_activate_session_diagnostic_info" "" ON \ + "opcua_binary_activate_session_locale_id" "" ON \ "opcua_binary_browse" "" ON \ "opcua_binary_browse_description" "" ON \ - "opcua_binary_browse_request_continuation_point" "" ON \ - "opcua_binary_browse_result" "" ON \ - "opcua_binary_browse_response_references" "" ON \ "opcua_binary_browse_diagnostic_info" "" ON \ + "opcua_binary_browse_request_continuation_point" "" ON \ + "opcua_binary_browse_response_references" "" ON \ + 
"opcua_binary_browse_result" "" ON \ + "opcua_binary_create_session" "" ON \ + "opcua_binary_create_session_discovery" "" ON \ + "opcua_binary_create_session_endpoints" "" ON \ + "opcua_binary_create_session_user_token" "" ON \ "opcua_binary_create_subscription" "" ON \ + "opcua_binary_diag_info_detail" "" ON \ + "opcua_binary_get_endpoints" "" ON \ + "opcua_binary_get_endpoints_description" "" ON \ + "opcua_binary_get_endpoints_discovery" "" ON \ + "opcua_binary_get_endpoints_locale_id" "" ON \ + "opcua_binary_get_endpoints_profile_uri" "" ON \ + "opcua_binary_get_endpoints_user_token" "" ON \ "opcua_binary_read" "" ON \ - "cotp" "" ON \ - "s7comm" "" ON \ - "s7comm_read_szl" "" ON \ - "s7comm_upload_download" "" ON \ - "s7comm_plus" "" ON \ - "tds" "" ON \ - "tds_rpc" "" ON \ - "tds_sql_batch" "" ON \ + "opcua_binary_status_code_detail" "" ON \ "profinet" "" ON \ "profinet_dce_rpc" "" ON \ "profinet_debug" "" ON \ + "s7comm" "" ON \ + "s7comm_read_szl" "" ON \ + "s7comm_plus" "" ON \ + "s7comm_upload_download" "" ON \ "stun" "" ON \ "stun_nat" "" ON \ + "tds" "" ON \ + "tds_rpc" "" ON \ + "tds_sql_batch" "" ON \ "wireguard" "" ON 3>&1 1>&2 2>&3 ) local exitstatus=$? From 2ada4712bc9917b3c73dabaac81d36471f098627 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 25 Nov 2022 09:37:52 -0500 Subject: [PATCH 09/57] fix zeek ics logs in so-zeek-logs --- salt/common/tools/sbin/so-zeek-logs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-zeek-logs b/salt/common/tools/sbin/so-zeek-logs index 6e2f0629a..7faa13bab 100755 --- a/salt/common/tools/sbin/so-zeek-logs +++ b/salt/common/tools/sbin/so-zeek-logs @@ -59,8 +59,8 @@ whiptail_manager_adv_service_zeeklogs() { "cip_io" "" ON \ "cotp" "" ON \ "dnp3_objects" "" ON \ - "ecat_arp_info" "" ON \ "ecat_aoe_info" "" ON \ + "ecat_arp_info" "" ON \ "ecat_coe_info" "" ON \ "ecat_dev_info" "" ON \ "ecat_foe_info" "" ON \ 
From 62fee1f42068d1ba1b4d6523b01a9ce34c298600 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 09:39:58 -0500
Subject: [PATCH 10/57] fix zeek ics logs in so-whiptail
---
 setup/so-whiptail | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 76430575a..91c4f2b04 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -1358,7 +1358,6 @@ whiptail_manager_adv_service_zeeklogs() {
 "opcua_binary_create_session_user_token" "" ON \
 "opcua_binary_create_subscription" "" ON \
 "opcua_binary_diag_info_detail" "" ON \
- "opcua_binary_status_code_detail" "" ON \
 "opcua_binary_get_endpoints" "" ON \
 "opcua_binary_get_endpoints_description" "" ON \
 "opcua_binary_get_endpoints_discovery" "" ON \
@@ -1366,7 +1365,8 @@ whiptail_manager_adv_service_zeeklogs() {
 "opcua_binary_get_endpoints_profile_uri" "" ON \
 "opcua_binary_get_endpoints_user_token" "" ON \
 "opcua_binary_read" "" ON \
- "profinet" "" ON \
+ "opcua_binary_status_code_detail" "" ON \
+ "profinet" "" ON \
 "profinet_dce_rpc" "" ON \
 "profinet_debug" "" ON \
 "s7comm" "" ON \
From 33a478ff594428abb9e244f325f70b5a47d88e16 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 09:40:48 -0500
Subject: [PATCH 11/57] fix zeek ics logs in so-zeek-logs
---
 salt/common/tools/sbin/so-zeek-logs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-zeek-logs b/salt/common/tools/sbin/so-zeek-logs
index 7faa13bab..7f1289c50 100755
--- a/salt/common/tools/sbin/so-zeek-logs
+++ b/salt/common/tools/sbin/so-zeek-logs
@@ -100,8 +100,8 @@ whiptail_manager_adv_service_zeeklogs() {
 "profinet_dce_rpc" "" ON \
 "profinet_debug" "" ON \
 "s7comm" "" ON \
- "s7comm_read_szl" "" ON \
 "s7comm_plus" "" ON \
+ "s7comm_read_szl" "" ON \
 "s7comm_upload_download" "" ON \
 "stun" "" ON \
 "stun_nat" "" ON \
From fe21b8bc170d52653372b2c8ae4af8990e3be62f Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 09:45:18 -0500
Subject: [PATCH 12/57] fix zeek ics logs in so-functions
---
 setup/so-functions | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index 7d1ccbf33..e96005026 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -2991,18 +2991,18 @@ zeek_logs_enabled() {
 " - bsap_serial_rdb_ext"\
 " - bsap_serial_unknown"\
 " - cip"\
- " - cip_io"\
 " - cip_identity"\
+ " - cip_io"\
 " - cotp"\
 " - dnp3_objects"\
- " - ecat_registers"\
- " - ecat_log_address"\
- " - ecat_dev_info"\
- " - ecat_aoe_info"\
- " - ecat_coe_info"\
- " - ecat_foe_info"\
- " - ecat_soe_info"\
+ " - ecat_aoe_info"\
 " - ecat_arp_info"\
+ " - ecat_coe_info"\
+ " - ecat_dev_info"\
+ " - ecat_foe_info"\
+ " - ecat_log_address"\
+ " - ecat_registers"\
+ " - ecat_soe_info"\
 " - enip"\
 " - modbus_detailed"\
 " - modbus_mask_write_single_register"\
From aa2eab573808edb28d67b501db9d99304be4608b Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 09:53:11 -0500
Subject: [PATCH 13/57] fix zeek ics logs in so-functions
---
 setup/so-functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-functions b/setup/so-functions
index e96005026..20cf7b285 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -3005,7 +3005,7 @@ zeek_logs_enabled() {
 " - ecat_soe_info"\
 " - enip"\
 " - modbus_detailed"\
- " - modbus_mask_write_single_register"\
+ " - modbus_mask_write_register"\
 " - modbus_read_write_multiple_registers"\
 " - opcua_binary"\
 " - opcua_binary_activate_session"\
From 676c5431786f5fafab8a71e2e21b2b855e569e9f Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 15:33:13 -0500
Subject: [PATCH 14/57] add opcua_binary to hunt.eventfields.json
---
 salt/soc/files/soc/hunt.eventfields.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index e43fedd4f..0cb6437c8 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
@@ -76,6 +76,7 @@
 "::profinet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "profinet.index", "profinet.operation_type", "log.id.uid" ],
 "::profinet_dce_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "profinet.operation", "log.id.uid" ],
 "::cotp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cotp.pdu.name", "log.id.uid" ],
+ "::opcua_binary": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.identifier_string", "opcua.message_type", "log.id.uid" ],
 "::tds_sql_batch": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.header_type", "log.id.uid", "event.dataset" ]
From 4ed757916e53797ca48fbada10675d6009fb5738 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 15:35:17 -0500
Subject: [PATCH 15/57] add opcua_binary_status_code_detail to hunt.eventfields.json
---
 salt/soc/files/soc/hunt.eventfields.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index 0cb6437c8..1bd3a952a 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
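Review bot: The new `::opcua_binary` row leaves out `event.dataset` while the adjacent `::tds_sql_batch` row (and the `::cip`/`::enip` rows earlier in the file) include it; these arrays are the default hunt columns per dataset, so the column set should be chosen deliberately and applied the same way to the opcua rows added in PATCH 15, 17 and 18. The column names `opcua.identifier_string` and `opcua.message_type` must match the target fields the opcua_binary ingest pipeline produces, which is not visible in this series, so that mapping is worth confirming. Because this file is one flat object keyed by dataset, a second `"::opcua_binary"` key anywhere else in it would be accepted by most JSON parsers with last-wins semantics and no error, and `jq` will already have collapsed it by the time the output is inspected; a plain `grep -c '"::opcua_binary"'` before each append catches that.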
@@ -77,6 +77,7 @@
 "::profinet_dce_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "profinet.operation", "log.id.uid" ],
 "::cotp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cotp.pdu.name", "log.id.uid" ],
 "::opcua_binary": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.identifier_string", "opcua.message_type", "log.id.uid" ],
+ "::opcua_binary_status_code_detail": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.info_type_string", "opcua.source_string", "log.id.uid" ],
 "::tds_sql_batch": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.header_type", "log.id.uid", "event.dataset" ]
From ca08989404c48d8fdba4b3bd6eaa6605c97727ed Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 15:37:21 -0500
Subject: [PATCH 16/57] add cip_io to hunt.eventfields.json
---
 salt/soc/files/soc/hunt.eventfields.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index 1bd3a952a..0c84ea735 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
@@ -61,11 +61,12 @@
 "::tds": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.command", "log.id.uid", "event.dataset" ],
 "::tds_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.procedure_name", "log.id.uid", "event.dataset" ],
 "::cip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.service", "cip.status_code", "log.id.uid", "event.dataset" ],
+ "::cip_identity": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.device.type.name", "cip.vendor.name", "log.id.uid" ],
+ "::cip_io": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.connection.id", "cip.io.data", "log.id.uid" ],
 "::enip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "enip.command", "enip.status_code", "log.id.uid", "event.dataset" ],
 "::modbus_detailed": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "modbus.function", "log.id.uid" ],
 "::s7comm": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "s7.ros.control.name", "s7.function.name", "log.id.uid" ],
 "::s7comm_plus": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "s7.opcode.name", "s7.version", "log.id.uid" ],
- "::cip_identity": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.device.type.name", "cip.vendor.name", "log.id.uid" ],
 "::ecat_arp_info": ["soc_timestamp", "source.ip", "destination.ip", "source.mac", "destination.mac", "ecat.arp.type" ],
 "::ecat_aoe_info": ["soc_timestamp", "source.mac", "source.port", "destination.mac", "destination.port", "ecat.command" ],
 "::ecat_log_address": ["soc_timestamp", "source.mac", "destination.mac", "ecat.command" ],
From 78fac49e66a9c9207c02bbe29da681a9a1f342d7 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 15:39:58 -0500
Subject: [PATCH 17/57] add opcua_binary_read to hunt.eventfields.json
---
 salt/soc/files/soc/hunt.eventfields.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index 0c84ea735..ac5a3ce3e 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
@@ -79,6 +79,7 @@
 "::cotp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cotp.pdu.name", "log.id.uid" ],
 "::opcua_binary": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.identifier_string", "opcua.message_type", "log.id.uid" ],
 "::opcua_binary_status_code_detail": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.info_type_string", "opcua.source_string", "log.id.uid" ],
+ "::opcua_binary_read": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.read_results.link_id", "log.id.uid" ],
 "::tds_sql_batch": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.header_type", "log.id.uid", "event.dataset" ]
From b2a33d4800d7b6ae8441e3a35c242f4091ba4dc4 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 15:41:48 -0500
Subject: [PATCH 18/57] add opcua_binary_browse_response_references to hunt.eventfields.json
---
 salt/soc/files/soc/hunt.eventfields.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index ac5a3ce3e..53c27c66b 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
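Review bot: The column `opcua.read_results.link_id` assumes the opcua_binary_read pipeline emits `opcua.read_results` as an object with a nested `link_id`; PATCH 02 in this same series had to flatten `opcua.status_code.link_id` to `opcua.status_code_link_id` because the parent there was a scalar, and the read pipeline is not among the visible hunks, so the same shape question applies here. If that pipeline flattens the field the same way, the column should read `"opcua.read_results_link_id"`; a mismatch produces an empty hunt column with no error to point at it. Confirming the target field name against the pipeline before merge avoids a silent blank column.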
@@ -80,6 +80,7 @@
 "::opcua_binary": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.identifier_string", "opcua.message_type", "log.id.uid" ],
 "::opcua_binary_status_code_detail": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.info_type_string", "opcua.source_string", "log.id.uid" ],
 "::opcua_binary_read": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.read_results.link_id", "log.id.uid" ],
+ "::opcua_binary_browse_response_references": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.node_class", "opcua.display_name_text", "log.id.uid" ],
 "::tds_sql_batch": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.header_type", "log.id.uid", "event.dataset" ]
From be8ce43b74a5439933597ed528e7a375a63a0156 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 15:44:22 -0500
Subject: [PATCH 19/57] add opcua_binary_browse to hunt.eventfields.json
---
 salt/soc/files/soc/hunt.eventfields.json | 29 ++++++++++++------------
 1 file changed, 15 insertions(+), 14 deletions(-)
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index 53c27c66b..d5c957e81 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
@@ -58,29 +58,30 @@
 "::registry_create_delete": ["soc_timestamp", "winlog.event_data.TargetObject", "process.executable", "process.pid", "winlog.computer_name"],
 "::dns_query": ["soc_timestamp", "dns.query.name", "dns.answers.name", "process.executable", "winlog.computer_name"],
 "::file_create_stream_hash": ["soc_timestamp", "file.target", "hash.md5", "hash.sha256", "process.executable", "process.pid", "winlog.computer_name"],
- "::tds": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.command", "log.id.uid", "event.dataset" ],
- "::tds_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.procedure_name", "log.id.uid", "event.dataset" ],
+ "::bacnet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.bclv.function", "bacnet.result.code", "log.id.uid" ],
+ "::bacnet_discovery": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.vendor", "bacnet.pdu.service", "log.id.uid" ],
+ "::bacnet_property": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.property", "bacnet.pdu.service", "log.id.uid" ],
 "::cip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.service", "cip.status_code", "log.id.uid", "event.dataset" ],
 "::cip_identity": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.device.type.name", "cip.vendor.name", "log.id.uid" ],
 "::cip_io": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.connection.id", "cip.io.data", "log.id.uid" ],
- "::enip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "enip.command", "enip.status_code", "log.id.uid", "event.dataset" ],
- "::modbus_detailed": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "modbus.function", "log.id.uid" ],
- 
"::s7comm": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "s7.ros.control.name", "s7.function.name", "log.id.uid" ],
- "::s7comm_plus": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "s7.opcode.name", "s7.version", "log.id.uid" ],
+ "::cotp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cotp.pdu.name", "log.id.uid" ],
 "::ecat_arp_info": ["soc_timestamp", "source.ip", "destination.ip", "source.mac", "destination.mac", "ecat.arp.type" ],
 "::ecat_aoe_info": ["soc_timestamp", "source.mac", "source.port", "destination.mac", "destination.port", "ecat.command" ],
 "::ecat_log_address": ["soc_timestamp", "source.mac", "destination.mac", "ecat.command" ],
 "::ecat_registers": ["soc_timestamp", "source.mac", "destination.mac", "ecat.command", "ecat.register.type" ],
- "::bacnet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.bclv.function", "bacnet.result.code", "log.id.uid" ],
- "::bacnet_discovery": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.vendor", "bacnet.pdu.service", "log.id.uid" ],
- "::bacnet_property": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.property", "bacnet.pdu.service", "log.id.uid" ],
+ "::enip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "enip.command", "enip.status_code", "log.id.uid", "event.dataset" ],
+ "::modbus_detailed": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "modbus.function", "log.id.uid" ],
+ "::opcua_binary": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.identifier_string", "opcua.message_type", "log.id.uid" ],
+ "::opcua_binary_browse": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.service_type", 
"log.id.uid" ],
+ "::opcua_binary_browse_response_references": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.node_class", "opcua.display_name_text", "log.id.uid" ],
+ "::opcua_binary_read": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.read_results.link_id", "log.id.uid" ],
+ "::opcua_binary_status_code_detail": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.info_type_string", "opcua.source_string", "log.id.uid" ],
 "::profinet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "profinet.index", "profinet.operation_type", "log.id.uid" ],
 "::profinet_dce_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "profinet.operation", "log.id.uid" ],
- "::cotp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cotp.pdu.name", "log.id.uid" ],
- "::opcua_binary": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.identifier_string", "opcua.message_type", "log.id.uid" ],
- "::opcua_binary_status_code_detail": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.info_type_string", "opcua.source_string", "log.id.uid" ],
- "::opcua_binary_read": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.read_results.link_id", "log.id.uid" ],
- "::opcua_binary_browse_response_references": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.node_class", "opcua.display_name_text", "log.id.uid" ],
+ "::s7comm": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "s7.ros.control.name", "s7.function.name", "log.id.uid" ],
+ "::s7comm_plus": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", 
"s7.opcode.name", "s7.version", "log.id.uid" ],
+ "::tds": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.command", "log.id.uid", "event.dataset" ],
+ "::tds_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.procedure_name", "log.id.uid", "event.dataset" ],
 "::tds_sql_batch": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.header_type", "log.id.uid", "event.dataset" ]
From a119d6a84206197eaef9216fc8bfe8630add1725 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 15:46:35 -0500
Subject: [PATCH 20/57] add opcua_binary_get_endpoints_user_token to hunt.eventfields.json
---
 salt/soc/files/soc/hunt.eventfields.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index d5c957e81..71185899b 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
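Review bot: The commit is titled as adding `::opcua_binary_browse`, but the hunk is a 15-insertion/14-deletion alphabetical reordering of the ICS entries in which the single genuinely new line is hard to pick out; the removed `::tds`, `::tds_rpc`, `::enip`, `::modbus_detailed`, `::s7comm`, `::s7comm_plus`, `::bacnet*`, `::cotp` and `::opcua_binary*` lines all reappear unchanged further down. Reviewers and `git blame` would be better served by a separate "sort ICS event fields alphabetically" commit, leaving the `::opcua_binary_browse` addition as a one-line change. The added entry itself is consistent with its siblings (`opcua.link_id` plus one type field). The object's closing lines are not visible in this view, so the end of the hunk cannot be checked here.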
@@ -74,6 +74,7 @@
 "::opcua_binary": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.identifier_string", "opcua.message_type", "log.id.uid" ],
 "::opcua_binary_browse": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.service_type", "log.id.uid" ],
 "::opcua_binary_browse_response_references": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.node_class", "opcua.display_name_text", "log.id.uid" ],
+ "::opcua_binary_get_endpoints_user_token": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.user_token.link_id", "opcua.user_token.type", "log.id.uid" ],
 "::opcua_binary_read": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.read_results.link_id", "log.id.uid" ],
 "::opcua_binary_status_code_detail": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.info_type_string", "opcua.source_string", "log.id.uid" ],
 "::profinet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "profinet.index", "profinet.operation_type", "log.id.uid" ],
From 465e6c4605deaf93f0ad9efba4769d02861d2027 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 15:48:11 -0500
Subject: [PATCH 21/57] add opcua_binary_create_session_user_token to hunt.eventfields.json
---
 salt/soc/files/soc/hunt.eventfields.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index 71185899b..f185a0463 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
@@ -74,6 +74,7 @@
 "::opcua_binary": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.identifier_string", "opcua.message_type", "log.id.uid" ],
 "::opcua_binary_browse": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.service_type", "log.id.uid" ],
 "::opcua_binary_browse_response_references": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.node_class", "opcua.display_name_text", "log.id.uid" ],
+ "::opcua_binary_create_session_user_token": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.user_token.link_id", "log.id.uid" ],
 "::opcua_binary_get_endpoints_user_token": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.user_token.link_id", "opcua.user_token.type", "log.id.uid" ],
 "::opcua_binary_read": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.read_results.link_id", "log.id.uid" ],
 "::opcua_binary_status_code_detail": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.info_type_string", "opcua.source_string", "log.id.uid" ],
From fab0d17314638c372d858590c827d514a5303fa8 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 15:51:49 -0500
Subject: [PATCH 22/57] add opcua_binary_browse_description to hunt.eventfields.json
---
 salt/soc/files/soc/hunt.eventfields.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index f185a0463..52962e017 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
@@ -73,6 +73,7 @@
 "::modbus_detailed": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "modbus.function", "log.id.uid" ],
 "::opcua_binary": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.identifier_string", "opcua.message_type", "log.id.uid" ],
 "::opcua_binary_browse": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.service_type", "log.id.uid" ],
+ "::opcua_binary_browse_description": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid" ],
 "::opcua_binary_browse_response_references": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.node_class", "opcua.display_name_text", "log.id.uid" ],
 "::opcua_binary_create_session_user_token": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.user_token.link_id", "log.id.uid" ],
 "::opcua_binary_get_endpoints_user_token": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.user_token.link_id", "opcua.user_token.type", "log.id.uid" ],
From cb5483d401e1b967eb3029b340b71368d3e20071 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 15:53:09 -0500
Subject: [PATCH 23/57] add opcua_binary_create_session to hunt.eventfields.json
---
 salt/soc/files/soc/hunt.eventfields.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index 52962e017..23dc46f80 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
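Review bot: The new `::opcua_binary_browse_description` entry lists only the generic columns (`soc_timestamp`, the four address/port fields and `log.id.uid`), so the Hunt table for this dataset shows nothing about the browse description itself; every other `::opcua_binary_*` entry in this hunk carries at least one `opcua.*` column. If the ingest pipeline emits a link-id or node-id field for this log, add it here after `"destination.port"` so an analyst can pivot between the description row and its `::opcua_binary_browse` row without opening each event. The field name has to come from the pipeline's `target_field`, which is not visible in this hunk.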
@@ -75,6 +75,7 @@
 "::opcua_binary_browse": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.service_type", "log.id.uid" ],
 "::opcua_binary_browse_description": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid" ],
 "::opcua_binary_browse_response_references": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.node_class", "opcua.display_name_text", "log.id.uid" ],
+ "::opcua_binary_create_session": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "log.id.uid" ],
 "::opcua_binary_create_session_user_token": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.user_token.link_id", "log.id.uid" ],
 "::opcua_binary_get_endpoints_user_token": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.user_token.link_id", "opcua.user_token.type", "log.id.uid" ],
 "::opcua_binary_read": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.read_results.link_id", "log.id.uid" ],
From c39cd9a290913b79a22e9058ffdddcb7b2f0512a Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 15:55:59 -0500
Subject: [PATCH 24/57] add opcua_binary_browse_result to hunt.eventfields.json
---
 salt/soc/files/soc/hunt.eventfields.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index 23dc46f80..a69f55b10 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
@@ -75,6 +75,7 @@
 "::opcua_binary_browse": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.service_type", "log.id.uid" ],
 "::opcua_binary_browse_description": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid" ],
 "::opcua_binary_browse_response_references": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.node_class", "opcua.display_name_text", "log.id.uid" ],
+ "::opcua_binary_browse_result": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.response.link_id", "log.id.uid" ],
 "::opcua_binary_create_session": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "log.id.uid" ],
 "::opcua_binary_create_session_user_token": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.user_token.link_id", "log.id.uid" ],
 "::opcua_binary_get_endpoints_user_token": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.user_token.link_id", "opcua.user_token.type", "log.id.uid" ],
From a00eb9071f836d2a870ef17ec97cb174615f4804 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 15:57:35 -0500
Subject: [PATCH 25/57] add opcua_binary_get_endpoints to hunt.eventfields.json
---
 salt/soc/files/soc/hunt.eventfields.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index a69f55b10..8c3fd0ccb 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
@@ -78,6 +78,7 @@
 "::opcua_binary_browse_result": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.response.link_id", "log.id.uid" ],
 "::opcua_binary_create_session": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "log.id.uid" ],
 "::opcua_binary_create_session_user_token": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.user_token.link_id", "log.id.uid" ],
+ "::opcua_binary_get_endpoints": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.endpoint_url", "opcua.link_id", "log.id.uid" ],
 "::opcua_binary_get_endpoints_user_token": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.user_token.link_id", "opcua.user_token.type", "log.id.uid" ],
 "::opcua_binary_read": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.read_results.link_id", "log.id.uid" ],
 "::opcua_binary_status_code_detail": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.info_type_string", "opcua.source_string", "log.id.uid" ],
From e536568c8a5c74c7a42c98f5bee85788735c8098 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 15:59:17 -0500
Subject: [PATCH 26/57] add opcua_binary_activate_session to hunt.eventfields.json
---
 salt/soc/files/soc/hunt.eventfields.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index 8c3fd0ccb..730bf51b5 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
@@ -72,6 +72,7 @@
 "::enip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "enip.command", "enip.status_code", "log.id.uid", "event.dataset" ],
 "::modbus_detailed": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "modbus.function", "log.id.uid" ],
 "::opcua_binary": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.identifier_string", "opcua.message_type", "log.id.uid" ],
+ "::opcua_binary_activate_session": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.identifier_string", "opcua.user_name", "log.id.uid" ],
 "::opcua_binary_browse": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.service_type", "log.id.uid" ],
 "::opcua_binary_browse_description": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid" ],
 "::opcua_binary_browse_response_references": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.node_class", "opcua.display_name_text", "log.id.uid" ],
From 83d25a97d3a2ee492f027243776008180790e1c4 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 16:01:40 -0500
Subject: [PATCH 27/57] add opcua_binary_get_endpoints_description to hunt.eventfields.json
---
 salt/soc/files/soc/hunt.eventfields.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index 730bf51b5..a77012c90 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
@@ -80,6 +80,7 @@
 "::opcua_binary_create_session": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "log.id.uid" ],
 "::opcua_binary_create_session_user_token": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.user_token.link_id", "log.id.uid" ],
 "::opcua_binary_get_endpoints": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.endpoint_url", "opcua.link_id", "log.id.uid" ],
+ "::opcua_binary_get_endpoints_description": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.text", "opcua.product_uri", "log.id.uid" ],
 "::opcua_binary_get_endpoints_user_token": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.user_token.link_id", "opcua.user_token.type", "log.id.uid" ],
 "::opcua_binary_read": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.read_results.link_id", "log.id.uid" ],
 "::opcua_binary_status_code_detail": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.info_type_string", "opcua.source_string", "log.id.uid" ],
From 0091675ab6d06c766bbdb4cf22f3072844a39cd4 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 17:32:30 -0500
Subject: [PATCH 28/57] fix opcua_binary_get_endpoints_description in hunt.eventfields.json
---
 salt/soc/files/soc/hunt.eventfields.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index a77012c90..d362305a8 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
@@ -80,7 +80,7 @@
 "::opcua_binary_create_session": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "log.id.uid" ],
 "::opcua_binary_create_session_user_token": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.user_token.link_id", "log.id.uid" ],
 "::opcua_binary_get_endpoints": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.endpoint_url", "opcua.link_id", "log.id.uid" ],
- "::opcua_binary_get_endpoints_description": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.text", "opcua.product_uri", "log.id.uid" ],
+ "::opcua_binary_get_endpoints_description": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.endpoint_description_link_id", "opcua.endpoint_uri", "log.id.uid" ],
 "::opcua_binary_get_endpoints_user_token": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.user_token.link_id", "opcua.user_token.type", "log.id.uid" ],
 "::opcua_binary_read": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.read_results.link_id", "log.id.uid" ],
 "::opcua_binary_status_code_detail": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.info_type_string", "opcua.source_string", "log.id.uid" ],
From f36da68009572a0a6ca99b333fec01a0b129c665 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 17:35:02 -0500
Subject: [PATCH 29/57] add opcua_binary_create_subscription to hunt.eventfields.json
---
 salt/soc/files/soc/hunt.eventfields.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index d362305a8..ff712442d 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
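Review bot: The corrected entry introduces `opcua.endpoint_description_link_id`, the first link-id column in this file written with an underscore before `link_id`, while its neighbours use the dotted form (`opcua.user_token.link_id`, `opcua.response.link_id`, `opcua.read_results.link_id`); the later hunks for PATCH 30 and PATCH 31 add one of each again (`opcua.endpoint_link_id` and `opcua.locale.link_id`). If the underscore form is deliberate — for instance because a scalar `opcua.endpoint_description` field exists in the mapping and a dotted child would conflict with it — a sentence in the commit message saying so would stop the next reader from "fixing" it; otherwise the ingest rename and these entries should settle on one form. Either way these column names are only as good as the pipeline's `target_field` values, which this hunk does not show.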
@@ -79,6 +79,7 @@
 "::opcua_binary_browse_result": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.response.link_id", "log.id.uid" ],
 "::opcua_binary_create_session": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "log.id.uid" ],
 "::opcua_binary_create_session_user_token": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.user_token.link_id", "log.id.uid" ],
+ "::opcua_binary_create_subscription": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "log.id.uid" ],
 "::opcua_binary_get_endpoints": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.endpoint_url", "opcua.link_id", "log.id.uid" ],
 "::opcua_binary_get_endpoints_description": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.endpoint_description_link_id", "opcua.endpoint_uri", "log.id.uid" ],
 "::opcua_binary_get_endpoints_user_token": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.user_token.link_id", "opcua.user_token.type", "log.id.uid" ],
From 58aa730437d9b80540344c4cc04f4dff227f7ffe Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 17:37:10 -0500
Subject: [PATCH 30/57] add opcua_binary_create_session_endpoints to hunt.eventfields.json
---
 salt/soc/files/soc/hunt.eventfields.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index ff712442d..1cd74f892 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
@@ -78,6 +78,7 @@
 "::opcua_binary_browse_response_references": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.node_class", "opcua.display_name_text", "log.id.uid" ],
 "::opcua_binary_browse_result": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.response.link_id", "log.id.uid" ],
 "::opcua_binary_create_session": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "log.id.uid" ],
+ "::opcua_binary_create_session_endpoints": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.endpoint_link_id", "opcua.endpoint_url", "log.id.uid" ],
 "::opcua_binary_create_session_user_token": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.user_token.link_id", "log.id.uid" ],
 "::opcua_binary_create_subscription": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "log.id.uid" ],
 "::opcua_binary_get_endpoints": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.endpoint_url", "opcua.link_id", "log.id.uid" ],
From d98c57510a04fa3274048d33e826c332e47d8f01 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 17:39:17 -0500
Subject: [PATCH 31/57] add opcua_binary_activate_session_locale_id to hunt.eventfields.json
---
 salt/soc/files/soc/hunt.eventfields.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index 1cd74f892..4a08010af 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
@@ -73,6 +73,7 @@
 "::modbus_detailed": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "modbus.function", "log.id.uid" ],
 "::opcua_binary": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.identifier_string", "opcua.message_type", "log.id.uid" ],
 "::opcua_binary_activate_session": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.identifier_string", "opcua.user_name", "log.id.uid" ],
+ "::opcua_binary_activate_session_locale_id": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.local_id", "opcua.locale.link_id", "log.id.uid" ],
 "::opcua_binary_browse": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.service_type", "log.id.uid" ],
 "::opcua_binary_browse_description": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid" ],
 "::opcua_binary_browse_response_references": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.node_class", "opcua.display_name_text", "log.id.uid" ],
From 920b16e494b223c1865f59764c625a88ab6f2899 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 17:42:59 -0500
Subject: [PATCH 32/57] add ecat_dev_info to hunt.eventfields.json
---
 salt/soc/files/soc/hunt.eventfields.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index 4a08010af..96865e037 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
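Review bot: `opcua.local_id` in the new `::opcua_binary_activate_session_locale_id` entry reads like a typo for `locale_id`, given the log's name and the companion column `opcua.locale.link_id`. If the ingest pipeline really renames into `opcua.local_id` the column will populate, but if it writes `opcua.locale_id` this Hunt column is silently empty — a misnamed column produces no error anywhere, so it is worth checking the pipeline's `target_field` for this log before merging. The pipeline is not visible from this hunk.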
@@ -67,6 +67,7 @@
 "::cotp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cotp.pdu.name", "log.id.uid" ],
 "::ecat_arp_info": ["soc_timestamp", "source.ip", "destination.ip", "source.mac", "destination.mac", "ecat.arp.type" ],
 "::ecat_aoe_info": ["soc_timestamp", "source.mac", "source.port", "destination.mac", "destination.port", "ecat.command" ],
+ "::ecat_dev_info": ["soc_timestamp", "ecat.device.type", "ecat.features", "ecat.ram.size", "ecat.revision", "ecat.slave.address" ],
 "::ecat_log_address": ["soc_timestamp", "source.mac", "destination.mac", "ecat.command" ],
 "::ecat_registers": ["soc_timestamp", "source.mac", "destination.mac", "ecat.command", "ecat.register.type" ],
 "::enip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "enip.command", "enip.status_code", "log.id.uid", "event.dataset" ],
From 13c8fb0004b7e0321d1fdf735dae853c16e41de7 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 17:45:28 -0500
Subject: [PATCH 33/57] add ecat_coe_info to hunt.eventfields.json
---
 salt/soc/files/soc/hunt.eventfields.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index 96865e037..41e98339b 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
@@ -67,6 +67,7 @@
 "::cotp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cotp.pdu.name", "log.id.uid" ],
 "::ecat_arp_info": ["soc_timestamp", "source.ip", "destination.ip", "source.mac", "destination.mac", "ecat.arp.type" ],
 "::ecat_aoe_info": ["soc_timestamp", "source.mac", "source.port", "destination.mac", "destination.port", "ecat.command" ],
+ "::ecat_coe_info": ["soc_timestamp", "ecat.message.number", "ecat.message.type", "ecat.request.response.type", "ecat.index", "ecat.sub.index" ],
 "::ecat_dev_info": ["soc_timestamp", "ecat.device.type", "ecat.features", "ecat.ram.size", "ecat.revision", "ecat.slave.address" ],
 "::ecat_log_address": ["soc_timestamp", "source.mac", "destination.mac", "ecat.command" ],
 "::ecat_registers": ["soc_timestamp", "source.mac", "destination.mac", "ecat.command", "ecat.register.type" ],
From 00078fd9e5969279cd17521f44c7b80f362fcc20 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 17:47:41 -0500
Subject: [PATCH 34/57] add opcua_binary_activate_session_diagnostic_info to hunt.eventfields.json
---
 salt/soc/files/soc/hunt.eventfields.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index 41e98339b..aa7c7fd1a 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
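Review bot: The new `::ecat_coe_info` entry carries no endpoint identity at all — none of the `source.mac`/`destination.mac` columns the neighbouring `::ecat_aoe_info`, `::ecat_log_address` and `::ecat_registers` entries lead with, and no `log.id.uid` — so a Hunt row shows a CoE index/subindex with no indication of which master or slave it belongs to. If the ingest pipeline maps MAC addresses for this log as it does for the EtherCAT logs next to it, insert `"source.mac", "destination.mac"` after `"soc_timestamp"`. The same question applies to `::ecat_dev_info` in the previous hunk, though that log may genuinely be per-device with only `ecat.slave.address` to identify it; I cannot tell from these hunks which fields the pipeline produces.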
@@ -75,6 +75,7 @@
 "::modbus_detailed": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "modbus.function", "log.id.uid" ],
 "::opcua_binary": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.identifier_string", "opcua.message_type", "log.id.uid" ],
 "::opcua_binary_activate_session": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.identifier_string", "opcua.user_name", "log.id.uid" ],
+ "::opcua_binary_activate_session_diagnostic_info": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.activate_session_diag_info.link_id", "opcua.diag_info.link_id", "log.id.uid" ],
 "::opcua_binary_activate_session_locale_id": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.local_id", "opcua.locale.link_id", "log.id.uid" ],
 "::opcua_binary_browse": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.service_type", "log.id.uid" ],
 "::opcua_binary_browse_description": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid" ],
From 692ec05b2d96c5d755b1fd1d989d7b6f8720de87 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 25 Nov 2022 17:51:25 -0500
Subject: [PATCH 35/57] fix opcua_binary_activate_session in hunt.eventfields.json
---
 salt/soc/files/soc/hunt.eventfields.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
index aa7c7fd1a..3dfda1fc4 100644
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ b/salt/soc/files/soc/hunt.eventfields.json
@@ -74,7 +74,7 @@
 "::enip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "enip.command", "enip.status_code", "log.id.uid", "event.dataset" ],
 "::modbus_detailed": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "modbus.function", "log.id.uid" ],
 "::opcua_binary": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.identifier_string", "opcua.message_type", "log.id.uid" ],
- "::opcua_binary_activate_session": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.identifier_string", "opcua.user_name", "log.id.uid" ],
+ "::opcua_binary_activate_session": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.identifier_string", "opcua.user_name", "log.id.uid" ],
 "::opcua_binary_activate_session_diagnostic_info": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.activate_session_diag_info.link_id", "opcua.diag_info.link_id", "log.id.uid" ],
 "::opcua_binary_activate_session_locale_id": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.local_id", "opcua.locale.link_id", "log.id.uid" ],
 "::opcua_binary_browse": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "opcua.link_id", "opcua.service_type", "log.id.uid" ],
From 62c1bb2c0cd718b31f666868916baf59dec9bb49 Mon Sep 17 00:00:00 2001
From: doug
Date: Fri, 25 Nov 2022 18:01:53 -0500
Subject: [PATCH 36/57] disable ecat_arp_info since it records all arp traffic
---
 setup/so-functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-functions b/setup/so-functions
index 20cf7b285..375e30a73 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -2996,7 +2996,6 @@ zeek_logs_enabled() {
 " - cotp"\
 " - dnp3_objects"\
 " - ecat_aoe_info"\
- " - ecat_arp_info"\
 " - ecat_coe_info"\
 " - ecat_dev_info"\
 " - ecat_foe_info"\
@@ -3045,6 +3044,7 @@ zeek_logs_enabled() {
 " - tds_rpc"\
 " - tds_sql_batch"\
 " - wireguard" >> "$zeeklogs_pillar"
+ # In the above list, ecat_arp_info was removed because it's not specific to ecat and records all arp traffic.
 fi
 # We don't want Zeek syslog for production deployments as this can create duplicate logs.
From 73adc571de99d8ec9d9795fcabde2ce5b2692523 Mon Sep 17 00:00:00 2001
From: doug Date: Sat, 26 Nov 2022 10:36:49 -0500 Subject: [PATCH 37/57] add more zeek ics parsers --- ...nary_activate_session_client_software_cert | 10 +++--- ...ua_binary_activate_session_diagnostic_info | 8 ++--- ...ek.opcua_binary_activate_session_locale_id | 8 ++--- .../files/ingest/zeek.opcua_binary_browse | 20 ++++++------ .../zeek.opcua_binary_browse_diagnostic_info | 10 ++++++ ...a_binary_browse_request_continuation_point | 10 ++++++ ...ek.opcua_binary_browse_response_references | 32 +++++++++---------- .../ingest/zeek.opcua_binary_browse_result | 10 +++--- ...zeek.opcua_binary_create_session_discovery | 11 +++++++ ...zeek.opcua_binary_create_session_endpoints | 30 ++++++++--------- ...eek.opcua_binary_create_session_user_token | 10 +++--- .../zeek.opcua_binary_create_subscription | 2 +- .../ingest/zeek.opcua_binary_diag_info_detail | 21 ++++++++++++ .../ingest/zeek.opcua_binary_get_endpoints | 8 ++--- ...eek.opcua_binary_get_endpoints_description | 30 ++++++++--------- .../zeek.opcua_binary_get_endpoints_discovery | 10 ++++++ .../zeek.opcua_binary_get_endpoints_locale_id | 10 ++++++ ...eek.opcua_binary_get_endpoints_profile_uri | 10 ++++++ ...zeek.opcua_binary_get_endpoints_user_token | 2 +- .../zeek.opcua_binary_opensecure_channel | 18 +++++------ .../files/ingest/zeek.opcua_binary_read | 8 ++--- .../zeek.opcua_binary_read_nodes_to_read | 19 ++++++----- .../ingest/zeek.opcua_binary_read_results | 17 ++++++---- .../zeek.opcua_binary_read_results_link | 8 ++--- .../zeek.opcua_binary_status_code_detail | 2 +- .../files/ingest/zeek.s7comm_read_szl | 15 +++++++++ 26 files changed, 220 insertions(+), 119 deletions(-) create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_diagnostic_info create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_request_continuation_point create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_discovery create mode 100644 
salt/elasticsearch/files/ingest/zeek.opcua_binary_diag_info_detail create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_discovery create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_locale_id create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_profile_uri create mode 100644 salt/elasticsearch/files/ingest/zeek.s7comm_read_szl diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_client_software_cert b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_client_software_cert index 612144c6e..0abadc290 100644 --- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_client_software_cert +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_client_software_cert 
@@ -1,11 +1,11 @@
 {
 "description" : "zeek.opcua_binary_activate_session_client_software_cert",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.client_software_cert_link_id", "target_field": "opcua.client_software_cert.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.cert_data", "target_field": "opcua.certificate.data", "ignore_missing": true } },
- { "rename": { "field": "message2.cert_signature", "target_field": "opcua.certificate.signature", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.client_software_cert_link_id", "target_field": "opcua.client_software_cert.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.cert_data", "target_field": "opcua.certificate.data", "ignore_missing": true } },
+ { "rename": { "field": "message2.cert_signature", "target_field": "opcua.certificate.signature", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_diagnostic_info b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_diagnostic_info
index bd1266d39..90cdf2b62 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_diagnostic_info
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_diagnostic_info
@@ -1,10 +1,10 @@
 {
 "description" : "zeek.opcua_binary_activate_session_diagnostic_info",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.activate_session_diag_info_link_id", "target_field": "opcua.activate_session_diag_info.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.diag_info_link_id", "target_field": "opcua.diag_info.link_id", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.activate_session_diag_info_link_id", "target_field": "opcua.activate_session_diag_info.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.diag_info_link_id", "target_field": "opcua.diag_info.link_id", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_locale_id b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_locale_id
index 83469ef53..08d8a672e 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_locale_id
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_locale_id
@@ -1,10 +1,10 @@
 {
 "description" : "zeek.opcua_binary_activate_session_locale_id",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.opcua_locale_link_id", "target_field": "opcua.locale.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.local_id", "target_field": "opcua.local_id", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.opcua_locale_link_id", "target_field": "opcua.locale_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.local_id", "target_field": "opcua.local_id", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
index b9a5c1de6..83d388082 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
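Review bot: The target for `message2.opcua_locale_link_id` moves from `opcua.locale.link_id` to `opcua.locale_link_id`, but the `::opcua_binary_activate_session_locale_id` entry in hunt.eventfields.json (visible as context in PATCH 34 and 35 above) still lists `opcua.locale.link_id`, so that Hunt column will be empty unless a later patch in this series updates it; it should read `"opcua.locale_link_id"`. The underscore form is presumably forced by the shared mapping, since zeek.opcua_binary_create_session_endpoints and zeek.opcua_binary_get_endpoints_description in this same commit write `opcua.locale` as a leaf value, which cannot coexist with an `opcua.locale` object holding `link_id`. That rationale is not recoverable from the pipeline file itself, so it is worth stating in the commit message.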
@@ -1,16 +1,16 @@ { "description" : "zeek.opcua_binary_browse", "processors" : [ - { "remove": { "field": ["host"], "ignore_failure": true } }, - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} }, - { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_service_type", "target_field": "opcua.service_type", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_view_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_view_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_view_description_timestamp", "target_field": "opcua.view.description_timestamp", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_view_description_view_version", "target_field": "opcua.description.view_version", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_description_link_id", "target_field": "opcua.description.link_id", "ignore_missing": true } }, - { "rename": { "field": "message2.req_max_ref_nodes", "target_field": "opcua.request.max_ref_nodes", "ignore_missing": true } }, + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_service_type", "target_field": "opcua.service_type", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_view_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_view_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } }, + { "rename": { "field": 
"message2.browse_view_description_timestamp", "target_field": "opcua.view.description_timestamp", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_view_description_view_version", "target_field": "opcua.description.view_version", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_description_link_id", "target_field": "opcua.description.link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.req_max_ref_nodes", "target_field": "opcua.request.max_ref_nodes", "ignore_missing": true } }, { "pipeline": { "name": "zeek.common" } } ] } diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_diagnostic_info b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_diagnostic_info new file mode 100644 index 000000000..3d58d8030 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_diagnostic_info @@ -0,0 +1,10 @@ +{ + "description" : "zeek.opcua_binary_browse_diagnostic_info", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.browse_diag_info_link_id", "target_field": "opcua.browse_session_diag_info.link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.diag_info_link_id", "target_field": "opcua.diag_info.link_id", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_request_continuation_point b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_request_continuation_point new file mode 100644 index 000000000..ce971109b --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_request_continuation_point 
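Review bot: In the new zeek.opcua_binary_browse_diagnostic_info pipeline the target `opcua.browse_session_diag_info.link_id` does not match its source `message2.browse_diag_info_link_id`; the `session` infix looks carried over from the activate_session pipeline and the name should probably be `opcua.browse_diag_info.link_id`. The other side of this relationship is also named inconsistently: here and in zeek.opcua_binary_activate_session_diagnostic_info the child pointer is `opcua.diag_info.link_id`, while the new zeek.opcua_binary_diag_info_detail pipeline later in this commit names the same source field `opcua.diag_info_link_id`, so pivoting from a diagnostic_info row to its detail row requires knowing two field names for what is presumably one value. Pick one form (the underscore form avoids a future object/leaf mapping conflict on `opcua.diag_info`) and use it in all three pipelines and in hunt.eventfields.json.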
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_browse_request_continuation_point",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.browse_next_link_id", "target_field": "opcua.browse_next_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.continuation_point", "target_field": "opcua.continuation_point", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_response_references b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_response_references
index 6191020a7..960a0a939 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_response_references
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_response_references
@@ -1,22 +1,22 @@ { "description" : "zeek.opcua_binary_browse_response_references", "processors" : [ - { "remove": { "field": ["host"], "ignore_failure": true } }, - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} }, - { "rename": { "field": "message2.browse_reference_link_id", "target_field": "opcua.link_id", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_response_ref_encoding_mask", "target_field": "opcua.reference_encoding_mask", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_response_ref_numeric", "target_field": "opcua.reference_numeric", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_response_is_forward", "target_field": "opcua.is_forward", "ignore_missing": true } }, - { "rename": { "field": "message2.response_ref_type_encoding_mask", "target_field": "opcua.reference_type_encoding_mask", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_response_ref_type_namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_response_ref_type_numeric", "target_field": "opcua.reference_type_numeric", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_response_ref_name", "target_field": "opcua.reference_name", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_response_display_name_mask", "target_field": "opcua.display_name_mask", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_response_display_name_locale", "target_field": "opcua.display_name_local", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_response_display_name_text", "target_field": "opcua.display_name_text", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_response_node_class", "target_field": "opcua.node_class", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_response_type_def_encoding_mask", 
"target_field": "opcua.type_def_encoding_mask", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_response_type_def_numeric", "target_field": "opcua.type_def_numeric", "ignore_missing": true } }, + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.browse_reference_link_id", "target_field": "opcua.link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_response_ref_encoding_mask", "target_field": "opcua.reference_encoding_mask", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_response_ref_numeric", "target_field": "opcua.reference_numeric", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_response_is_forward", "target_field": "opcua.is_forward", "ignore_missing": true } }, + { "rename": { "field": "message2.response_ref_type_encoding_mask", "target_field": "opcua.reference_type_encoding_mask", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_response_ref_type_namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_response_ref_type_numeric", "target_field": "opcua.reference_type_numeric", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_response_ref_name", "target_field": "opcua.reference_name", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_response_display_name_mask", "target_field": "opcua.display_name_mask", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_response_display_name_locale", "target_field": "opcua.display_name_local", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_response_display_name_text", "target_field": "opcua.display_name_text", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_response_node_class", "target_field": 
"opcua.node_class", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_response_type_def_encoding_mask", "target_field": "opcua.type_def_encoding_mask", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_response_type_def_numeric", "target_field": "opcua.type_def_numeric", "ignore_missing": true } }, { "pipeline": { "name": "zeek.common" } } ] } diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_result b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_result index 8c0bff894..857e7ffb5 100644 --- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_result +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_result @@ -1,11 +1,11 @@ { "description" : "zeek.opcua_binary_browse_result", "processors" : [ - { "remove": { "field": ["host"], "ignore_failure": true } }, - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} }, - { "rename": { "field": "message2.browse_response_link_id", "target_field": "opcua.response.link_id", "ignore_missing": true } }, - { "rename": { "field": "message2.browse_reference.link_id", "target_field": "opcua.reference.link_id", "ignore_missing": true } }, - { "rename": { "field": "message2.status_code.link_id", "target_field": "opcua.status_code.link_id", "ignore_missing": true } }, + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.browse_response_link_id", "target_field": "opcua.response.link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.browse_reference.link_id", "target_field": "opcua.reference.link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.status_code.link_id", "target_field": "opcua.status_code.link_id", "ignore_missing": true } }, { "pipeline": { "name": "zeek.common" } } ] } 
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_discovery b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_discovery
new file mode 100644
index 000000000..cf9a56135
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_discovery
@@ -0,0 +1,11 @@
+{
+ "description" : "zeek.opcua_binary_create_session_discovery",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.discovery_profile_link_id", "target_field": "opcua.discovery_profile_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.discovery_profile_uri", "target_field": "opcua.discovery_profile_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.discovery_profile_url", "target_field": "opcua.discovery_profile_url", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints
index 719733706..79d8ac067 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints
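Review bot: The `json` processor runs with `"ignore_failure": true` and no `on_failure` handler, so a `message` that is not valid JSON is indexed silently with none of the `opcua.*` fields and nothing marking that parsing failed; every following `rename` then no-ops under `ignore_missing`. This mirrors the existing pipelines in the commit and may be deliberate, but for a newly added parser a parse failure is exactly the signal worth keeping during rollout, and an `on_failure` block that sets an error tag on the event would preserve it. The same applies to the other new pipelines in this patch (browse_diagnostic_info, browse_request_continuation_point, diag_info_detail).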
@@ -1,21 +1,21 @@ { "description" : "zeek.opcua_binary_create_session_endpoints", "processors" : [ - { "remove": { "field": ["host"], "ignore_failure": true } }, - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} }, - { "rename": { "field": "message2.endpoint_link_id", "target_field": "opcua.endpoint_link_id", "ignore_missing": true } }, - { "rename": { "field": "message2.endpoint_url", "target_field": "opcua.endpoint_url", "ignore_missing": true } }, - { "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } }, - { "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } }, - { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } }, - { "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } }, - { "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } }, - { "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } }, - { "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } }, - { "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } }, - { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } }, - { "rename": { "field": "message2.transport_profile_uri", "target_field": "opcua.transport_profile_uri", "ignore_missing": true } }, - { "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } }, + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": 
"message2.endpoint_link_id", "target_field": "opcua.endpoint_link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.endpoint_url", "target_field": "opcua.endpoint_url", "ignore_missing": true } }, + { "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } }, + { "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } }, + { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } }, + { "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } }, + { "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } }, + { "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } }, + { "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } }, + { "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } }, + { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.transport_profile_uri", "target_field": "opcua.transport_profile_uri", "ignore_missing": true } }, + { "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } }, { "pipeline": { "name": "zeek.common" } } ] } diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token index 45f0b8f43..722ca2fd0 100644 --- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token 
@@ -1,11 +1,11 @@
 {
 "description" : "zeek.opcua_binary_create_session_user_token",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.policy_id", "ignore_missing": true } },
- { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.type", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.policy_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.type", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_subscription b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_subscription
index 4087d7636..832ac75b1 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_subscription
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_subscription
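Review bot: All three `rename` processors read the same source field `message2.user_token_link_id`; a rename moves the field, so after the first processor the source no longer exists and, with `ignore_missing: true`, `opcua.user_token.policy_id` and `opcua.user_token.type` are silently never populated. The commit re-indents these lines but leaves the defect in place. The second and third processors presumably should read the policy-id and token-type columns of the Zeek log (names to be confirmed against the analyzer's log definition). Separately, this pipeline names the link `opcua.user_token.link_id` while zeek.opcua_binary_create_session_endpoints and zeek.opcua_binary_get_endpoints_description in the same commit use `opcua.user_token_link_id`, so the two sides of the link carry different field names.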
@@ -2,7 +2,7 @@
 "description" : "zeek.opcua_binary_create_subscription",
 "processors" : [
 { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
 { "rename": { "field": "message2.requested_publishing_interval", "target_field": "opcua.publish_interval", "ignore_missing": true } },
 { "rename": { "field": "message2.requested_lifetime_count", "target_field": "opcua.lifetime_count", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_diag_info_detail b/salt/elasticsearch/files/ingest/zeek.opcua_binary_diag_info_detail
new file mode 100644
index 000000000..170c35be0
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_diag_info_detail
@@ -0,0 +1,21 @@
+{
+ "description" : "zeek.opcua_binary_diag_info_detail",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.diag_info_link_id", "target_field": "opcua.diag_info_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.source", "target_field": "opcua.source", "ignore_missing": true } },
+ { "rename": { "field": "message2.source_str", "target_field": "opcua.source_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.inner_diag_level", "target_field": "opcua.inner_diag_level", "ignore_missing": true } },
+ { "rename": { "field": "message2.has_symbolic_id", "target_field": "opcua.has_symbolic_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.has_namespace_uri", "target_field": "opcua.has_namespace_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.has_locale", "target_field": "opcua.has_locale", "ignore_missing": true } },
+ { "rename": { "field": "message2.has_locale_txt", "target_field": "opcua.has_locale_txt", "ignore_missing": true } },
+ { "rename": { "field": "message2.has_addl_info", "target_field": "opcua.has_addl_info", "ignore_missing": true } },
+ { "rename": { "field": "message2.addl_info", "target_field": "opcua.addl_info", "ignore_missing": true } },
+ { "rename": { "field": "message2.has_inner_stat_code", "target_field": "opcua.has_inner_stat_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.inner_stat_code", "target_field": "opcua.inner_stat_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.has_inner_diag_info", "target_field": "opcua.has_inner_diag_info", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints
index 2b80c97a8..51f9349fc 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints
@@ -1,10 +1,10 @@
 {
 "description" : "zeek.opcua_binary_get_endpoints",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.endpoint_url", "target_field": "opcua.endpoint_url", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.endpoint_url", "target_field": "opcua.endpoint_url", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description
index 876b050a3..072d6bd31 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description
@@ -1,21 +1,21 @@
 {
 "description" : "zeek.opcua_binary_get_endpoints_description",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.endpoint_description_link_id", "target_field": "opcua.endpoint_description_link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } },
- { "rename": { "field": "message2.endpoint_uri", "target_field": "opcua.endpoint_uri", "ignore_missing": true } },
- { "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
- { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
- { "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
- { "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
- { "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },
- { "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } },
- { "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } },
- { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.transport_profile_uri", "target_field": "transport_profile_uri", "ignore_missing": true } },
- { "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.endpoint_description_link_id", "target_field": "opcua.endpoint_description_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.endpoint_uri", "target_field": "opcua.endpoint_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
+ { "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
+ { "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.message_security_mode", "target_field": "opcua.message_security_mode", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_policy_uri", "target_field": "opcua.security_policy_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.transport_profile_uri", "target_field": "opcua.transport_profile_uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_level", "target_field": "opcua.security_level", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_discovery b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_discovery
new file mode 100644
index 000000000..eeaf91dcb
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_discovery
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_get_endpoints_discovery",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.discovery_profile_link_id", "target_field": "opcua.discovery_profile_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.discovery_profile_url", "target_field": "opcua.discovery_profile_url", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_locale_id b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_locale_id
new file mode 100644
index 000000000..3716b3bb5
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_locale_id
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_get_endpoints_locale_id",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.opcua_locale_link_id", "target_field": "opcua.locale_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.local_id", "target_field": "opcua.local_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_profile_uri b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_profile_uri
new file mode 100644
index 000000000..65309e588
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_profile_uri
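Review bot: In the `zeek.opcua_binary_get_endpoints_locale_id` pipeline, the rename `message2.local_id` → `opcua.local_id` reads like a typo for `locale_id`: the file name, its description and the sibling `opcua_locale_link_id` field all say "locale". If the Zeek log actually emits `locale_id`, this rename never matches (`ignore_missing` hides that) and the value stays under `message2`, leaving the pipeline mapping only the link id. Suggested line, on the assumption the log field is `locale_id`: `{ "rename": { "field": "message2.locale_id", "target_field": "opcua.locale_id", "ignore_missing": true } }`; confirm against the parser's log schema before changing it.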
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_get_endpoints_profile_uri",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.profile_uri_link_id", "target_field": "opcua.profile_uri_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.profile_uri", "target_field": "opcua.profile_uri", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token
index 539225b60..524456511 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token
@@ -2,7 +2,7 @@
 "description" : "zeek.opcua_binary_get_endpoints_user_token",
 "processors" : [
 { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.user_token_link_id", "target_field": "opcua.user_token.link_id", "ignore_missing": true } },
 { "rename": { "field": "message2.user_token_type", "target_field": "opcua.user_token.type", "ignore_missing": true } },
 { "rename": { "field": "message2.user_token_sec_policy_uri", "target_field": "opcua.user_token.security_policy_uri", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_opensecure_channel b/salt/elasticsearch/files/ingest/zeek.opcua_binary_opensecure_channel
index e6baef81e..59c41206d 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_opensecure_channel
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_opensecure_channel
@@ -1,15 +1,15 @@
 {
 "description" : "zeek.opcua_binary_opensecure_channel",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.server.protocol.version", "ignore_missing": true } },
- { "rename": { "field": "message2.sec_token_sec_channel_id", "target_field": "opcua.security_token.security_channel_id", "ignore_missing": true } },
- { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.security_token.id", "ignore_missing": true } },
- { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.security_token.created", "ignore_missing": true } },
- { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.security_token.revised", "ignore_missing": true } },
- { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.server.nonce", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_proto_ver", "target_field": "opcua.server_proto_ver", "ignore_missing": true } },
+ { "rename": { "field": "message2.sec_token_sec_channel_id", "target_field": "opcua.sec_token_sec_channel_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.sec_token_id", "target_field": "opcua.sec_token_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.sec_token_created_at", "target_field": "opcua.sec_token_created_at", "ignore_missing": true } },
+ { "rename": { "field": "message2.sec_token_revised_time", "target_field": "opcua.sec_token_revised_time", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_nonce", "target_field": "opcua.server_nonce", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read
index 8d951e8d5..9eee12ff7 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read
@@ -1,10 +1,10 @@
 {
 "description" : "zeek.opcua_binary_read",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results.link_id", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results_link_id", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read
index c601a5dff..cbc829a04 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read
@@ -1,16 +1,15 @@
 {
 "description" : "zeek.opcua_binary_read_nodes_to_read",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.nodes_to_read_link_id", "target_field": "opcua.nodes_to_read.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.node_id_encoding_mask", "target_field": "opcua.node_id.encoding_mask", "ignore_missing": true } },
- { "rename": { "field": "message2.node_id_namespace_idx", "target_field": "opcua.node_id.namespace_idx", "ignore_missing": true } },
- { "rename": { "field": "message2.node_id_string", "target_field": "opcua.node_id.string", "ignore_missing": true } },
- { "rename": { "field": "message2.attribute_id", "target_field": "opcua.attribute_id", "ignore_missing": true } },
- { "rename": { "field": "message2.attribute_id_str", "target_field": "opcua.attribute_id_str", "ignore_missing": true } },
- { "rename": { "field": "message2.data_encoding_name_idx", "target_field": "opcua.encoding_name_idx", "ignore_missing": true } },
- { "rename": { "field": "message2.data_encoding_name", "target_field": "opcua.encoding_name", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.nodes_to_read_link_id", "target_field": "opcua.nodes_to_read_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.node_id_encoding_mask", "target_field": "opcua.node_id_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.node_id_numeric", "target_field": "opcua.node_id_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.attribute_id", "target_field": "opcua.attribute_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.attribute_id_str", "target_field": "opcua.attribute_id_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_encoding_name_idx", "target_field": "opcua.data_encoding_name_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_encoding_name", "target_field": "opcua.data_encoding_name", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results
index e54afc469..49d14d404 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results
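Review bot: The new side of the `zeek.opcua_binary_read_nodes_to_read` hunk drops the `node_id_namespace_idx` and `node_id_string` renames and adds only `node_id_numeric`, while still keeping `node_id_encoding_mask`. Keeping the encoding mask suggests the node id can be logged in more than one form; if the parser still emits a namespace index or a string identifier for non-numeric node ids, those values now stay under `message2.*` with no `opcua.*` mapping, and string node ids are exactly what an analyst pivots on when reviewing reads of sensitive nodes. If that is the case, keep the two renames alongside the numeric one, e.g. `{ "rename": { "field": "message2.node_id_namespace_idx", "target_field": "opcua.node_id_namespace_index", "ignore_missing": true } }` and `{ "rename": { "field": "message2.node_id_string", "target_field": "opcua.node_id_string", "ignore_missing": true } }`. If the log schema really changed to numeric-only, a sentence in the commit message would save the next reader the same question.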
@@ -1,12 +1,17 @@
 {
 "description" : "zeek.opcua_binary_read_results",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.results_link_id", "target_field": "opcua.results.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.level", "target_field": "opcua.level", "ignore_missing": true } },
- { "rename": { "field": "message2.data_value_encoding_mask", "target_field": "opcua.data_value_encoding_mask", "ignore_missing": true } },
- { "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code.link_id", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.results_link_id", "target_field": "opcua.results_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.level", "target_field": "opcua.level", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_value_encoding_mask", "target_field": "opcua.data_value_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_variant_encoding_mask", "target_field": "opcua.data_variant_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_variant_data_type", "target_field": "opcua.data_variant_data_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_variant_data_type_str", "target_field": "opcua.data_variant_data_type_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.built_in_data_type", "target_field": "opcua.built_in_data_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.built_in_data_type_str", "target_field": "opcua.built_in_data_type_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.read_results_variant_data_link_id", "target_field": "opcua.read_results_variant_data_link_id", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link
index 9f5275893..1dca46473 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link
@@ -1,10 +1,10 @@
 {
 "description" : "zeek.opcua_binary_read_results_link",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.results_link_id", "target_field": "opcua.results.link_id", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.results_link_id", "target_field": "opcua.results_link_id", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail b/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail
index c19c7a6e4..e1bff04a4 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail
@@ -2,7 +2,7 @@
 "description" : "zeek.opcua_binary_status_code_detail",
 "processors" : [
 { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.status_code", "target_field": "opcua.status_code", "ignore_missing": true } },
 { "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code_link_id", "ignore_missing": true } },
 { "rename": { "field": "message2.source", "target_field": "opcua.source", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.s7comm_read_szl b/salt/elasticsearch/files/ingest/zeek.s7comm_read_szl
new file mode 100644
index 000000000..c044c08a5
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.s7comm_read_szl
@@ -0,0 +1,15 @@
+{
+ "description" : "zeek.s7comm_read_szl",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.pdu_reference", "target_field": "s7.pdu_reference", "ignore_missing": true } },
+ { "rename": { "field": "message2.method", "target_field": "s7.method", "ignore_missing": true } },
+ { "rename": { "field": "message2.szl_id", "target_field": "s7.szl_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.szl_id_name", "target_field": "s7.szl_id_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.szl_index", "target_field": "s7.szl_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.return_code", "target_field": "s7.return_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.return_code_name", "target_field": "s7.return_code_name", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
From ec0cf71c3f8c2f1120c6caa1d32addd095ab6ee8 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Sat, 26 Nov 2022 17:00:32 -0500
Subject: [PATCH 38/57] add opcua_binary_opensecure_channel to so-zeek-logs
---
 salt/common/tools/sbin/so-zeek-logs | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/common/tools/sbin/so-zeek-logs b/salt/common/tools/sbin/so-zeek-logs
index 7f1289c50..30d25ce15 100755
--- a/salt/common/tools/sbin/so-zeek-logs
+++ b/salt/common/tools/sbin/so-zeek-logs
@@ -94,6 +94,7 @@ whiptail_manager_adv_service_zeeklogs() {
 "opcua_binary_get_endpoints_locale_id" "" ON \
 "opcua_binary_get_endpoints_profile_uri" "" ON \
 "opcua_binary_get_endpoints_user_token" "" ON \
+ "opcua_binary_opensecure_channel" "" ON \
 "opcua_binary_read" "" ON \
 "opcua_binary_status_code_detail" "" ON \
 "profinet" "" ON \
From e44c94c56b6213de863ff2b7efc36872ac3d862f Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Sat, 26 Nov 2022 17:01:11 -0500
Subject: [PATCH 39/57] add opcua_binary_opensecure_channel to so-whiptail
---
 setup/so-whiptail | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 91c4f2b04..bd53b3e78 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -1364,7 +1364,8 @@ whiptail_manager_adv_service_zeeklogs() {
 "opcua_binary_get_endpoints_locale_id" "" ON \
 "opcua_binary_get_endpoints_profile_uri" "" ON \
 "opcua_binary_get_endpoints_user_token" "" ON \
- "opcua_binary_read" "" ON \
+ "opcua_binary_opensecure_channel" "" ON \
+ "opcua_binary_read" "" ON \
 "opcua_binary_status_code_detail" "" ON \
 "profinet" "" ON \
 "profinet_dce_rpc" "" ON \
From c1287a61aff8e7f8518509d9a08e2b363bc2b219 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Sat, 26 Nov 2022 17:02:04 -0500
Subject: [PATCH 40/57] add opcua_binary_opensecure_channel to so-functions
---
 setup/so-functions | 1 +
 1 file changed, 1 insertion(+)
diff --git a/setup/so-functions b/setup/so-functions
index 375e30a73..fdd824c1f 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -3030,6 +3030,7 @@ zeek_logs_enabled() {
 " - opcua_binary_get_endpoints_profile_uri"\
 " - opcua_binary_get_endpoints_user_token"\
 " - opcua_binary_read"\
+ " - opcua_binary_opensecure_channel"\
 " - opcua_binary_status_code_detail"\
 " - profinet"\
 " - profinet_dce_rpc"\
From 9ea59355d5ef1104c999b5a3bad02ea0f69c0964 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Sat, 26 Nov 2022 17:03:57 -0500
Subject: [PATCH 41/57] fix opcua_binary_opensecure_channel in so-functions
---
 setup/so-functions | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index fdd824c1f..b70af08e4 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -3029,8 +3029,8 @@ zeek_logs_enabled() {
 " - opcua_binary_get_endpoints_locale_id"\
 " - opcua_binary_get_endpoints_profile_uri"\
 " - opcua_binary_get_endpoints_user_token"\
- " - opcua_binary_read"\
- " - opcua_binary_opensecure_channel"\
+ " - opcua_binary_opensecure_channel"\
+ " - opcua_binary_read"\
 " - opcua_binary_status_code_detail"\
 " - profinet"\
 " - profinet_dce_rpc"\
From 6d814d39094e315adc858d1f421df269ed1de210 Mon Sep 17 00:00:00 2001
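Review bot: Patches 38–41 add the same `opcua_binary_opensecure_channel` entry by hand to three separately maintained lists (`so-zeek-logs`, `so-whiptail`, and `zeek_logs_enabled()` in `so-functions`), and patch 41 exists only to repair the ordering that went wrong in patch 40 — a sign the copies are already drifting. A single list that the whiptail menus and `zeek_logs_enabled()` both read from would remove this class of mistake; at minimum a comment at the head of each list naming the other two, e.g. `# keep in sync with so-zeek-logs and so-whiptail`, would make the coupling visible. `zeek_logs_enabled()` starts and ends outside this hunk, so whether the list is already generated from somewhere else cannot be told from here.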
From: doug
Date: Sat, 26 Nov 2022 17:43:58 -0500
Subject: [PATCH 42/57] add more zeek opcua parsers
---
 .../ingest/zeek.opcua_binary_read_array_dims | 10 ++++++++++
 .../zeek.opcua_binary_read_array_dims_link | 10 ++++++++++
 .../zeek.opcua_binary_read_diagnostic_info | 10 ++++++++++
 .../zeek.opcua_binary_read_extension_object | 14 ++++++++++++++
 ...eek.opcua_binary_read_extension_object_link | 10 ++++++++++
 .../zeek.opcua_binary_read_nodes_to_read | 18 +++++++++---------
 .../ingest/zeek.opcua_binary_read_results_link | 8 ++++----
 .../ingest/zeek.opcua_binary_read_status_code | 10 ++++++++++
 .../ingest/zeek.opcua_binary_read_variant_data | 10 ++++++++++
 .../zeek.opcua_binary_read_variant_data_link | 10 ++++++++++
 10 files changed, 97 insertions(+), 13 deletions(-)
 create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims
 create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims_link
 create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_binary_read_diagnostic_info
 create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object
 create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object_link
 create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_binary_read_status_code
 create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data
 create mode 100644 salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data_link
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims
new file mode 100644
index 000000000..a0955f534
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_read_array_dims",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.array_dim_link_id", "target_field": "opcua.array_dim_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.dimension", "target_field": "opcua.dimension", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims_link b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims_link
new file mode 100644
index 000000000..94644246f
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims_link
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_read_array_dims_link",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.variant_data_array_dim_link_id", "target_field": "opcua.variant_data_array_dim_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.array_dim_link_id", "target_field": "opcua.array_dim_link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_diagnostic_info b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_diagnostic_info
new file mode 100644
index 000000000..64376bd08
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_diagnostic_info
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_read_diagnostic_info",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.read_diag_info_link_id", "target_field": "opcua.read_diag_info_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.diag_info_link_id", "target_field": "opcua.diag_info_link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object
new file mode 100644
index 000000000..8ef46251b
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.opcua_binary_read_extension_object",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.ext_obj_link_id", "target_field": "opcua.ext_obj_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_node_id_encoding_mask", "target_field": "opcua.ext_obj_node_id_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_node_id_namespace_idx", "target_field": "opcua.ext_obj_node_id_namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_node_id_numeric", "target_field": "opcua.ext_obj_node_id_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_type_id_str", "target_field": "opcua.ext_obj_type_id_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_encoding", "target_field": "opcua.ext_obj_encoding", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object_link b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object_link
new file mode 100644
index 000000000..0aae27ca1
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object_link
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.opcua_binary_read_extension_object_link",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.variant_data_ext_obj_link_id", "target_field": "opcua.variant_data_ext_obj_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.ext_obj_link_id", "target_field": "opcua.ext_obj_link_id", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read
index cbc829a04..39c0c25b1 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read
@@ -1,15 +1,15 @@
 {
 "description" : "zeek.opcua_binary_read_nodes_to_read",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.nodes_to_read_link_id", "target_field": "opcua.nodes_to_read_link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.node_id_encoding_mask", "target_field": "opcua.node_id_encoding_mask", "ignore_missing": true } },
- { "rename": { "field": "message2.node_id_numeric", "target_field": "opcua.node_id_numeric", "ignore_missing": true } },
- { "rename": { "field": "message2.attribute_id", "target_field": "opcua.attribute_id", "ignore_missing": true } },
- { "rename": { "field": "message2.attribute_id_str", "target_field": "opcua.attribute_id_string", "ignore_missing": true } },
- { "rename": { "field": "message2.data_encoding_name_idx", "target_field": "opcua.data_encoding_name_index", "ignore_missing": true } },
- { "rename": { "field": "message2.data_encoding_name", "target_field": "opcua.data_encoding_name", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.nodes_to_read_link_id", "target_field": "opcua.nodes_to_read_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.node_id_encoding_mask", "target_field": "opcua.node_id_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.node_id_numeric", "target_field": "opcua.node_id_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.attribute_id", "target_field": "opcua.attribute_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.attribute_id_str", "target_field": "opcua.attribute_id_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_encoding_name_idx", "target_field": "opcua.data_encoding_name_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_encoding_name", "target_field": "opcua.data_encoding_name", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link
index 1dca46473..75245d212 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link
@@ -1,10 +1,10 @@
 {
 "description" : "zeek.opcua_binary_read_results_link",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results_link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.results_link_id", "target_field": "opcua.results_link_id", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.read_results_link_id", "target_field": "opcua.read_results_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.results_link_id", "target_field": "opcua.results_link_id", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_status_code b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_status_code
new file mode 100644
index 000000000..d3b6ece54
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_status_code
@@ -0,0 +1,10 @@ +{ + "description" : "zeek.opcua_binary_read_status_code", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.read_status_code_link_id", "target_field": "opcua.read_status_code_link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.status_code_link_id", "target_field": "opcua.status_code_link_id", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data new file mode 100644 index 000000000..d77404bc5 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data @@ -0,0 +1,10 @@ +{ + "description" : "zeek.opcua_binary_read_variant_data", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.read_variant_data_link_id", "target_field": "opcua.read_variant_data_link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.variant_data_value_signed_numeric", "target_field": "opcua.variant_data_value_signed_numeric", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data_link b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data_link new file mode 100644 index 000000000..8585789ff --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data_link 
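Review bot: The `json` processor in the new zeek.opcua_binary_read_status_code pipeline runs with `"ignore_failure": true` and every `rename` after it uses `"ignore_missing": true`, so an event whose `message` is not parseable JSON reaches `zeek.common` with no `opcua.*` fields and nothing recording that extraction failed. This mirrors the existing opcua pipelines earlier in the series, so it may be deliberate, but for a detection data source silent extraction loss is worth making observable rather than invisible. Replacing the ignore flag with a handler that leaves a trace keeps the best-effort behaviour, e.g. `{ "json": { "field": "message", "target_field": "message2", "on_failure": [ { "set": { "field": "error.message", "value": "opcua: message is not valid JSON" } } ] } },`. The same applies to the zeek.opcua_binary_read_variant_data hunk on this line and the zeek.opcua_binary_read_variant_data_link hunk that follows.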
@@ -0,0 +1,10 @@ +{ + "description" : "zeek.opcua_binary_read_variant_data_link", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.read_results_variant_data_link_id", "target_field": "opcua.read_results_variant_data_link_id", "ignore_missing": true } }, + { "rename": { "field": "message2.read_variant_data_link_id", "target_field": "opcua.read_variant_data_link_id", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} From 1f0c984b987d26a6eb75f0915b4f65e09790b37c Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Sat, 26 Nov 2022 18:41:12 -0500 Subject: [PATCH 43/57] add new zeek opcua logs to so-functions --- setup/so-functions | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/setup/so-functions b/setup/so-functions index b70af08e4..67f2c2957 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -3031,6 +3031,17 @@ zeek_logs_enabled() { " - opcua_binary_get_endpoints_user_token"\ " - opcua_binary_opensecure_channel"\ " - opcua_binary_read"\ + " - opcua_binary_read_array_dims"\ + " - opcua_binary_read_array_dims_link"\ + " - opcua_binary_read_diagnostic_info"\ + " - opcua_binary_read_extension_object"\ + " - opcua_binary_read_extension_object_link"\ + " - opcua_binary_read_nodes_to_read"\ + " - opcua_binary_read_results"\ + " - opcua_binary_read_results_link"\ + " - opcua_binary_read_status_code"\ + " - opcua_binary_read_variant_data"\ + " - opcua_binary_read_variant_data_link"\ " - opcua_binary_status_code_detail"\ " - profinet"\ " - profinet_dce_rpc"\ From 45892400cbc7a5ede690ab252ffb5cf0981a74b1 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Sat, 26 Nov 2022 18:42:51 -0500 Subject: [PATCH 44/57] add new zeek opcua logs to so-whiptail --- setup/so-whiptail | 11 +++++++++++ 1 file changed, 11 insertions(+) 
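Review bot: The eleven `opcua_binary_read_*` names added inside `zeek_logs_enabled()` in setup/so-functions are a hand-maintained copy of the same list added to setup/so-whiptail and salt/common/tools/sbin/so-zeek-logs in the next two patches, and each name also needs its matching `salt/elasticsearch/files/ingest/zeek.<log>` pipeline file for the log to land; nothing checks that the four stay in sync. The entries in this series do agree with each other (same eleven names, same order), so this is a maintainability point rather than a bug. Because the list is a backslash-continued string, a comment cannot go between its lines, but one above the statement that builds it, `# keep in sync with so-whiptail, so-zeek-logs and salt/elasticsearch/files/ingest/zeek.<log>`, would tell the next person adding a Zeek log where else to look. `zeek_logs_enabled()` starts and ends outside the hunk.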
diff --git a/setup/so-whiptail b/setup/so-whiptail index bd53b3e78..b87517545 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1366,6 +1366,17 @@ whiptail_manager_adv_service_zeeklogs() { "opcua_binary_get_endpoints_user_token" "" ON \ "opcua_binary_opensecure_channel" "" ON \ "opcua_binary_read" "" ON \ + "opcua_binary_read_array_dims" "" ON \ + "opcua_binary_read_array_dims_link" "" ON \ + "opcua_binary_read_diagnostic_info" "" ON \ + "opcua_binary_read_extension_object" "" ON \ + "opcua_binary_read_extension_object_link" "" ON \ + "opcua_binary_read_nodes_to_read" "" ON \ + "opcua_binary_read_results" "" ON \ + "opcua_binary_read_results_link" "" ON \ + "opcua_binary_read_status_code" "" ON \ + "opcua_binary_read_variant_data" "" ON \ + "opcua_binary_read_variant_data_link" "" ON \ "opcua_binary_status_code_detail" "" ON \ "profinet" "" ON \ "profinet_dce_rpc" "" ON \ From b06e9e8477be058680273937c685f2468a9c655d Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Sat, 26 Nov 2022 18:44:28 -0500 Subject: [PATCH 45/57] add new zeek opcua logs to so-zeek-logs --- salt/common/tools/sbin/so-zeek-logs | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/salt/common/tools/sbin/so-zeek-logs b/salt/common/tools/sbin/so-zeek-logs index 30d25ce15..10c0c77d8 100755 --- a/salt/common/tools/sbin/so-zeek-logs +++ b/salt/common/tools/sbin/so-zeek-logs 
@@ -96,6 +96,17 @@ whiptail_manager_adv_service_zeeklogs() { "opcua_binary_get_endpoints_user_token" "" ON \ "opcua_binary_opensecure_channel" "" ON \ "opcua_binary_read" "" ON \ + "opcua_binary_read_array_dims" "" ON \ + "opcua_binary_read_array_dims_link" "" ON \ + "opcua_binary_read_diagnostic_info" "" ON \ + "opcua_binary_read_extension_object" "" ON \ + "opcua_binary_read_extension_object_link" "" ON \ + "opcua_binary_read_nodes_to_read" "" ON \ + "opcua_binary_read_results" "" ON \ + "opcua_binary_read_results_link" "" ON \ + "opcua_binary_read_status_code" "" ON \ + "opcua_binary_read_variant_data" "" ON \ + "opcua_binary_read_variant_data_link" "" ON \ "opcua_binary_status_code_detail" "" ON \ "profinet" "" ON \ "profinet_dce_rpc" "" ON \ From cb06269b1a13e0cbc58b06f4013a3d2057bfc5c6 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 28 Nov 2022 09:40:42 -0500 Subject: [PATCH 46/57] update DNP3 and MODBUS dashboards --- salt/soc/files/soc/dashboards.queries.json | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json index ed1e38dd9..d024123a4 100644 --- a/salt/soc/files/soc/dashboards.queries.json +++ b/salt/soc/files/soc/dashboards.queries.json 
@@ -16,7 +16,8 @@ { "name": "Connections", "description": "Connection logs", "query": "event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes"}, { "name": "DCE_RPC", "description": "DCE_RPC logs", "query": "event.dataset:dce_rpc | groupby dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "DHCP", "description": "Dynamic Host Configuration Protocol leases", "query": "event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby client.address | groupby server.address"}, - { "name": "DNP3", "description": "DNP3 logs", "query": "event.dataset:dnp3 | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby dnp3.iin | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "DNP3", "description": "DNP3 logs", "query": "event.dataset:dnp3 | groupby -sankey dnp3.fc_request source.ip destination.ip | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby dnp3.iin | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "DNP3 Objects", "description": "DNP3 objects", "query": "event.dataset:dnp3_objects | groupby -sankey dnp3.function_code dnp3.object_type | groupby dnp3.function_code | groupby dnp3.object_type | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "DNS", "description": "Domain Name System queries", "query": "event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby 
source.ip | groupby destination.ip | groupby destination.port"}, { "name": "DPD", "description": "Dynamic Protocol Detection errors", "query": "event.dataset:dpd | groupby error.reason | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol"}, { "name": "Files", "description": "Files seen in network traffic", "query": "event.dataset:file | groupby file.mime_type | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip"}, 
@@ -25,9 +26,9 @@ { "name": "Intel", "description": "Zeek Intel framework hits", "query": "event.dataset:intel | groupby intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "IRC", "description": "Internet Relay Chat logs", "query": "event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "Kerberos", "description": "Kerberos logs", "query": "event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "MODBUS", "description": "MODBUS logs", "query": "event.dataset:modbus | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "MODBUS", "description": "MODBUS logs", "query": "event.dataset:modbus* | groupby -sankey event.dataset modbus.function | groupby event.dataset | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "MYSQL", "description": "MYSQL logs", "query": "event.dataset:mysql | groupby mysql.command | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "NOTICE", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "Notice", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"}, 
{ "name": "NTLM", "description": "NTLM logs", "query": "event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "Osquery Live Queries", "description": "Osquery Live Query results", "query": "event.dataset:live_query | groupby host.hostname"}, { "name": "PE", "description": "PE files list", "query": "event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit"}, From 11a7f051a6346f3dbfeea601a50cd97dc3715f47 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 28 Nov 2022 09:57:54 -0500 Subject: [PATCH 47/57] organize dashboards --- salt/soc/files/soc/dashboards.queries.json | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json index d024123a4..2e7465ddb 100644 --- a/salt/soc/files/soc/dashboards.queries.json +++ b/salt/soc/files/soc/dashboards.queries.json 
@@ -16,8 +16,6 @@ { "name": "Connections", "description": "Connection logs", "query": "event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes"}, { "name": "DCE_RPC", "description": "DCE_RPC logs", "query": "event.dataset:dce_rpc | groupby dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "DHCP", "description": "Dynamic Host Configuration Protocol leases", "query": "event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby client.address | groupby server.address"}, - { "name": "DNP3", "description": "DNP3 logs", "query": "event.dataset:dnp3 | groupby -sankey dnp3.fc_request source.ip destination.ip | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby dnp3.iin | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "DNP3 Objects", "description": "DNP3 objects", "query": "event.dataset:dnp3_objects | groupby -sankey dnp3.function_code dnp3.object_type | groupby dnp3.function_code | groupby dnp3.object_type | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "DNS", "description": "Domain Name System queries", "query": "event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "DPD", "description": "Dynamic Protocol Detection errors", "query": "event.dataset:dpd | groupby error.reason | groupby source.ip | groupby 
destination.ip | groupby destination.port | groupby network.protocol"}, { "name": "Files", "description": "Files seen in network traffic", "query": "event.dataset:file | groupby file.mime_type | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip"}, 
@@ -26,8 +24,8 @@ { "name": "Intel", "description": "Zeek Intel framework hits", "query": "event.dataset:intel | groupby intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "IRC", "description": "Internet Relay Chat logs", "query": "event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "Kerberos", "description": "Kerberos logs", "query": "event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "MODBUS", "description": "MODBUS logs", "query": "event.dataset:modbus* | groupby -sankey event.dataset modbus.function | groupby event.dataset | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "MYSQL", "description": "MYSQL logs", "query": "event.dataset:mysql | groupby mysql.command | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "Modbus", "description": "Modbus logs", "query": "event.dataset:modbus* | groupby -sankey event.dataset modbus.function | groupby event.dataset | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "MySQL", "description": "MySQL logs", "query": "event.dataset:mysql | groupby mysql.command | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "Notice", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby notice.note | groupby 
notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "NTLM", "description": "NTLM logs", "query": "event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "Osquery Live Queries", "description": "Osquery Live Query results", "query": "event.dataset:live_query | groupby host.hostname"}, 
@@ -44,13 +42,20 @@ { "name": "Software", "description": "List of software seen on the network by Zeek", "query": "event.dataset:software | groupby software.type | groupby software.name | groupby source.ip"}, { "name": "SSH", "description": "SSH connections seen by Zeek", "query": "event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "SSL", "description": "SSL logs", "query": "event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "STUN", "description": "Session Traversal Utilities for NAT", "query": "event.dataset:stun* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "SYSLOG", "description": "SYSLOG logs", "query": "event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "TDS", "description": "Tabular Data Stream", "query": "event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "Tunnel", "description": "Tunnels seen by Zeek", "query": "event.dataset:tunnel | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "Weird", "description": "Weird network traffic seen by Zeek", "query": "event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | 
groupby destination.ip | groupby destination.port "}, + { "name": "WireGuard", "description": "WireGuard VPN", "query": "event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "x509", "description": "x.509 certificates seen by Zeek", "query": "event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer"}, - { "name": "Firewall", "description": "Firewall logs", "query": "event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "ICS", "description": "Industrial Control Systems", "query": "tags:ics | groupby event.dataset | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby source.mac | groupby destination.mac"}, - { "name": "STUN", "description": "Session Traversal Utilities for NAT", "query": "event.dataset:stun* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "TDS", "description": "Tabular Data Stream", "query": "event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "WireGuard", "description": "WireGuard VPN", "query": "event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"} + { "name": "ICS - BACnet", "description": "BACnet logs", "query": "event.dataset:bacnet* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | 
groupby destination.ip | groupby destination.port"}, + { "name": "ICS - BSAP", "description": "Bristol Standard Asynchronous Protocol logs", "query": "event.dataset:bsap* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "ICS - CIP", "description": "Common Industrial Protocol logs", "query": "event.dataset:cip* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "ICS - DNP3", "description": "DNP3 logs", "query": "event.dataset:dnp3 | groupby -sankey dnp3.fc_request source.ip destination.ip | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby dnp3.iin | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "ICS - DNP3 Objects", "description": "DNP3 objects", "query": "event.dataset:dnp3_objects | groupby -sankey dnp3.function_code dnp3.object_type | groupby dnp3.function_code | groupby dnp3.object_type | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "ICS - OPC UA", "description": "OPC Unified Architecture logs", "query": "event.dataset:opcua* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "ICS - Profinet", "description": "Profinet logs", "query": "event.dataset:profinet* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "Firewall", "description": "Firewall logs", "query": "event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port"} ] From cfbbc3a1a3a8b41c1d86cd5d1a9fbff9efdfc357 Mon Sep 17 00:00:00 2001 
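Review bot: The new ICS - BACnet, BSAP, CIP, OPC UA and Profinet entries query a wildcard dataset (`event.dataset:bacnet*` and so on) but, unlike the STUN, TDS and Modbus entries in the same file, have no `| groupby event.dataset` after the sankey, so the per-log breakdown the wildcard pulls in is only visible inside the sankey. For OPC UA that is at least the fourteen `opcua_binary_*` logs listed in the so-functions hunk earlier in this series, which is a lot to read off a sankey. Inserting `| groupby event.dataset` right after the `-sankey` clause in each of those five queries, e.g. `"... | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | ..."`, would match the STUN/TDS/Modbus shape. The same applies to ICS - S7 in the next patch, ICS - ECAT in PATCH 49 and ICS - ENIP in PATCH 50.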
From: Doug Burks Date: Mon, 28 Nov 2022 10:02:33 -0500 Subject: [PATCH 48/57] add S7 dashboard --- salt/soc/files/soc/dashboards.queries.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json index 2e7465ddb..d6673d12f 100644 --- a/salt/soc/files/soc/dashboards.queries.json +++ b/salt/soc/files/soc/dashboards.queries.json @@ -57,5 +57,6 @@ { "name": "ICS - DNP3 Objects", "description": "DNP3 objects", "query": "event.dataset:dnp3_objects | groupby -sankey dnp3.function_code dnp3.object_type | groupby dnp3.function_code | groupby dnp3.object_type | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "ICS - OPC UA", "description": "OPC Unified Architecture logs", "query": "event.dataset:opcua* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "ICS - Profinet", "description": "Profinet logs", "query": "event.dataset:profinet* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "ICS - S7", "description": "S7 logs", "query": "event.dataset:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "Firewall", "description": "Firewall logs", "query": "event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port"} ] From a4f5e7b2a6079cc2edc1e2dd5d45e4d706d14c13 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 28 Nov 2022 10:05:15 -0500 Subject: [PATCH 49/57] add ECAT dashboard --- salt/soc/files/soc/dashboards.queries.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json index d6673d12f..ef7022985 100644 --- a/salt/soc/files/soc/dashboards.queries.json +++ b/salt/soc/files/soc/dashboards.queries.json 
@@ -49,12 +49,13 @@ { "name": "Weird", "description": "Weird network traffic seen by Zeek", "query": "event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port "}, { "name": "WireGuard", "description": "WireGuard VPN", "query": "event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "x509", "description": "x.509 certificates seen by Zeek", "query": "event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer"}, - { "name": "ICS", "description": "Industrial Control Systems", "query": "tags:ics | groupby event.dataset | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby source.mac | groupby destination.mac"}, + { "name": "ICS - Overview", "description": "Industrial Control Systems overview", "query": "tags:ics | groupby event.dataset | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby source.mac | groupby destination.mac"}, { "name": "ICS - BACnet", "description": "BACnet logs", "query": "event.dataset:bacnet* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "ICS - BSAP", "description": "Bristol Standard Asynchronous Protocol logs", "query": "event.dataset:bsap* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "ICS - CIP", "description": "Common Industrial Protocol logs", "query": "event.dataset:cip* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": 
"ICS - DNP3", "description": "DNP3 logs", "query": "event.dataset:dnp3 | groupby -sankey dnp3.fc_request source.ip destination.ip | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby dnp3.iin | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "ICS - DNP3 Objects", "description": "DNP3 objects", "query": "event.dataset:dnp3_objects | groupby -sankey dnp3.function_code dnp3.object_type | groupby dnp3.function_code | groupby dnp3.object_type | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "ICS - ECAT", "description": "ECAT logs", "query": "event.dataset:ecat* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "ICS - OPC UA", "description": "OPC Unified Architecture logs", "query": "event.dataset:opcua* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "ICS - Profinet", "description": "Profinet logs", "query": "event.dataset:profinet* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "ICS - S7", "description": "S7 logs", "query": "event.dataset:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, From ce7b16a23046db18fe6d708adab0a60c2ac59afb Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 28 Nov 2022 10:06:58 -0500 Subject: [PATCH 50/57] more ICS dashboards --- salt/soc/files/soc/dashboards.queries.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json index ef7022985..5542d0645 100644 --- a/salt/soc/files/soc/dashboards.queries.json +++ b/salt/soc/files/soc/dashboards.queries.json 
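Review bot: The new ICS - ECAT entry describes itself as `ECAT logs`, while the neighbouring BSAP and CIP entries spell the protocol out (`Bristol Standard Asynchronous Protocol logs`, `Common Industrial Protocol logs`), so the description adds nothing the name does not already say. If these are the EtherCAT logs, as the `ecat*` dataset prefix suggests, `"description": "EtherCAT logs"` would read better on the dashboard list. The same applies to `ENIP logs` in the next patch, which presumably covers EtherNet/IP.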
@@ -24,7 +24,6 @@ { "name": "Intel", "description": "Zeek Intel framework hits", "query": "event.dataset:intel | groupby intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "IRC", "description": "Internet Relay Chat logs", "query": "event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "Kerberos", "description": "Kerberos logs", "query": "event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "Modbus", "description": "Modbus logs", "query": "event.dataset:modbus* | groupby -sankey event.dataset modbus.function | groupby event.dataset | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "MySQL", "description": "MySQL logs", "query": "event.dataset:mysql | groupby mysql.command | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "Notice", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "NTLM", "description": "NTLM logs", "query": "event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port"}, 
@@ -56,6 +55,8 @@
 { "name": "ICS - DNP3", "description": "DNP3 logs", "query": "event.dataset:dnp3 | groupby -sankey dnp3.fc_request source.ip destination.ip | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby dnp3.iin | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "ICS - DNP3 Objects", "description": "DNP3 objects", "query": "event.dataset:dnp3_objects | groupby -sankey dnp3.function_code dnp3.object_type | groupby dnp3.function_code | groupby dnp3.object_type | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "ICS - ECAT", "description": "ECAT logs", "query": "event.dataset:ecat* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS - ENIP", "description": "ENIP logs", "query": "event.dataset:enip* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS - Modbus", "description": "Modbus logs", "query": "event.dataset:modbus* | groupby -sankey event.dataset modbus.function | groupby event.dataset | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "ICS - OPC UA", "description": "OPC Unified Architecture logs", "query": "event.dataset:opcua* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "ICS - Profinet", "description": "Profinet logs", "query": "event.dataset:profinet* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "ICS - S7", "description": "S7 logs", "query": "event.dataset:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
From 63915b0486cb6cb1cde012c36c54d06925e02e81 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 28 Nov 2022 11:58:48 -0500 Subject: [PATCH 51/57] consolidate DNP3 dashboards --- salt/soc/files/soc/dashboards.queries.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json
index 5542d0645..dc6ce5141 100644
--- a/salt/soc/files/soc/dashboards.queries.json
+++ b/salt/soc/files/soc/dashboards.queries.json
@@ -52,8 +52,7 @@
 { "name": "ICS - BACnet", "description": "BACnet logs", "query": "event.dataset:bacnet* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "ICS - BSAP", "description": "Bristol Standard Asynchronous Protocol logs", "query": "event.dataset:bsap* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "ICS - CIP", "description": "Common Industrial Protocol logs", "query": "event.dataset:cip* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "ICS - DNP3", "description": "DNP3 logs", "query": "event.dataset:dnp3 | groupby -sankey dnp3.fc_request source.ip destination.ip | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby dnp3.iin | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "ICS - DNP3 Objects", "description": "DNP3 objects", "query": "event.dataset:dnp3_objects | groupby -sankey dnp3.function_code dnp3.object_type | groupby dnp3.function_code | groupby dnp3.object_type | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS - DNP3", "description": "DNP3 logs", "query": "event.dataset:dnp3* | groupby -sankey event.dataset source.ip destination.ip | groupby dnp3.function_code | groupby dnp3.object_type | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "ICS - ECAT", "description": "ECAT logs", "query": "event.dataset:ecat* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "ICS - ENIP", "description": "ENIP logs", "query": "event.dataset:enip* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "ICS - Modbus", "description": "Modbus logs", "query": "event.dataset:modbus* | groupby -sankey event.dataset modbus.function | groupby event.dataset | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port"},
From 6a2f886fccc0c06ab1533135e9e81d1d32c0554b Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 28 Nov 2022 12:01:35 -0500 Subject: [PATCH 52/57] improve ecat dashboard --- salt/soc/files/soc/dashboards.queries.json | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json
index dc6ce5141..de7139875 100644
--- a/salt/soc/files/soc/dashboards.queries.json
+++ b/salt/soc/files/soc/dashboards.queries.json
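Review bot: The consolidated `ICS - DNP3` entry on the added line of the `@@ -52,8 +52,7 @@` hunk drops the `groupby dnp3.iin` table that the removed `ICS - DNP3` entry carried, while it keeps `dnp3.fc_request`/`dnp3.fc_reply` from that entry and `dnp3.function_code`/`dnp3.object_type` from the removed `ICS - DNP3 Objects` entry. If the internal-indication table is still wanted, add it back after the reply table: `| groupby dnp3.fc_reply | groupby dnp3.iin | groupby source.ip`. If dropping it is deliberate, the commit message ("consolidate DNP3 dashboards") should say so, because a consolidation otherwise reads as lossless.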
@@ -48,16 +48,16 @@
 { "name": "Weird", "description": "Weird network traffic seen by Zeek", "query": "event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port "},
 { "name": "WireGuard", "description": "WireGuard VPN", "query": "event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "x509", "description": "x.509 certificates seen by Zeek", "query": "event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer"},
- { "name": "ICS - Overview", "description": "Industrial Control Systems overview", "query": "tags:ics | groupby event.dataset | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby source.mac | groupby destination.mac"},
- { "name": "ICS - BACnet", "description": "BACnet logs", "query": "event.dataset:bacnet* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "ICS - BSAP", "description": "Bristol Standard Asynchronous Protocol logs", "query": "event.dataset:bsap* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "ICS - CIP", "description": "Common Industrial Protocol logs", "query": "event.dataset:cip* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "ICS - DNP3", "description": "DNP3 logs", "query": "event.dataset:dnp3* | groupby -sankey event.dataset source.ip destination.ip | groupby dnp3.function_code | groupby dnp3.object_type | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "ICS - ECAT", "description": "ECAT logs", "query": "event.dataset:ecat* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "ICS - ENIP", "description": "ENIP logs", "query": "event.dataset:enip* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "ICS - Modbus", "description": "Modbus logs", "query": "event.dataset:modbus* | groupby -sankey event.dataset modbus.function | groupby event.dataset | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "ICS - OPC UA", "description": "OPC Unified Architecture logs", "query": "event.dataset:opcua* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "ICS - Profinet", "description": "Profinet logs", "query": "event.dataset:profinet* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "ICS - S7", "description": "S7 logs", "query": "event.dataset:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS Overview", "description": "Industrial Control Systems overview", "query": "tags:ics | groupby event.dataset | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby source.mac | groupby destination.mac"},
+ { "name": "ICS BACnet", "description": "BACnet logs", "query": "event.dataset:bacnet* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS BSAP", "description": "Bristol Standard Asynchronous Protocol logs", "query": "event.dataset:bsap* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS CIP", "description": "Common Industrial Protocol logs", "query": "event.dataset:cip* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS DNP3", "description": "DNP3 logs", "query": "event.dataset:dnp3* | groupby -sankey event.dataset source.ip destination.ip | groupby dnp3.function_code | groupby dnp3.object_type | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS ECAT", "description": "ECAT logs", "query": "event.dataset:ecat* | groupby -sankey event.dataset source.mac destination.mac | groupby source.mac | groupby destination.mac | groupby ecat.command | groupby ecat.register.type"},
+ { "name": "ICS ENIP", "description": "ENIP logs", "query": "event.dataset:enip* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS Modbus", "description": "Modbus logs", "query": "event.dataset:modbus* | groupby -sankey event.dataset modbus.function | groupby event.dataset | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS OPC UA", "description": "OPC Unified Architecture logs", "query": "event.dataset:opcua* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS Profinet", "description": "Profinet logs", "query": "event.dataset:profinet* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS S7", "description": "S7 logs", "query": "event.dataset:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Firewall", "description": "Firewall logs", "query": "event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port"}
 ]
From 268253ce14b6d7eff880770ae52a3327cb093e04 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 28 Nov 2022 12:05:35 -0500 Subject: [PATCH 53/57] update ENIP dashboard --- salt/soc/files/soc/dashboards.queries.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json
index de7139875..65ed446d3 100644
--- a/salt/soc/files/soc/dashboards.queries.json
+++ b/salt/soc/files/soc/dashboards.queries.json
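Review bot: Eleven dashboards are renamed from `ICS - X` to `ICS X` in the `@@ -48,16 +48,16 @@` hunk of a commit whose subject is "improve ecat dashboard", while only the `ICS ECAT` line changes behaviour (its sankey and tables move from `source.ip`/`destination.ip` to `source.mac`/`destination.mac`, plus `ecat.command` and `ecat.register.type`); the rename would be easier to find and revert as its own commit, or at least named in the subject. Dashboard names are user-visible, so any documentation or saved links that refer to the old `ICS - ...` names need the same change; I can't tell from this diff whether such references exist. Since the ECAT entry is now the only ICS dashboard with no IP or port tables, a short hint in its description, e.g. `"description": "ECAT logs (grouped by MAC address)"`, would tell users the different shape is intentional.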
@@ -54,7 +54,7 @@
 { "name": "ICS CIP", "description": "Common Industrial Protocol logs", "query": "event.dataset:cip* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "ICS DNP3", "description": "DNP3 logs", "query": "event.dataset:dnp3* | groupby -sankey event.dataset source.ip destination.ip | groupby dnp3.function_code | groupby dnp3.object_type | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "ICS ECAT", "description": "ECAT logs", "query": "event.dataset:ecat* | groupby -sankey event.dataset source.mac destination.mac | groupby source.mac | groupby destination.mac | groupby ecat.command | groupby ecat.register.type"},
- { "name": "ICS ENIP", "description": "ENIP logs", "query": "event.dataset:enip* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS ENIP", "description": "ENIP logs", "query": "event.dataset:enip* | groupby -sankey source.ip destination.ip | groupby enip.command | groupby enip.status_code | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "ICS Modbus", "description": "Modbus logs", "query": "event.dataset:modbus* | groupby -sankey event.dataset modbus.function | groupby event.dataset | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "ICS OPC UA", "description": "OPC Unified Architecture logs", "query": "event.dataset:opcua* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "ICS Profinet", "description": "Profinet logs", "query": "event.dataset:profinet* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
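Review bot: The new `ICS ENIP` line removes `event.dataset` from the sankey and adds no separate `groupby event.dataset` table, so with the `event.dataset:enip*` wildcard the dashboard no longer shows which datasets the results come from; every other wildcard ICS entry keeps that view, and the later "make sure that ICS dashboards with sankey also have separate event.dataset table" hunk (`@@ -49,15 +49,15 @@`) leaves this line untouched as context, so the gap persists. Suggested: `"query": "event.dataset:enip* | groupby -sankey source.ip destination.ip | groupby event.dataset | groupby enip.command | groupby enip.status_code | groupby source.ip | groupby destination.ip | groupby destination.port"`. The `enip.command` and `enip.status_code` field names cannot be verified from this diff; confirm they match what the ingest pipeline emits, since a table on a non-existent field renders empty without any error.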
From a796fa2ff77b7dc0bd2187d4cd9707aab50ddbeb Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 28 Nov 2022 12:09:57 -0500 Subject: [PATCH 54/57] make sure that ICS dashboards with sankey also have separate event.dataset table --- salt/soc/files/soc/dashboards.queries.json | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json
index 65ed446d3..6daa8680c 100644
--- a/salt/soc/files/soc/dashboards.queries.json
+++ b/salt/soc/files/soc/dashboards.queries.json
@@ -49,15 +49,15 @@
 { "name": "WireGuard", "description": "WireGuard VPN", "query": "event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "x509", "description": "x.509 certificates seen by Zeek", "query": "event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer"},
 { "name": "ICS Overview", "description": "Industrial Control Systems overview", "query": "tags:ics | groupby event.dataset | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby source.mac | groupby destination.mac"},
- { "name": "ICS BACnet", "description": "BACnet logs", "query": "event.dataset:bacnet* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "ICS BSAP", "description": "Bristol Standard Asynchronous Protocol logs", "query": "event.dataset:bsap* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "ICS CIP", "description": "Common Industrial Protocol logs", "query": "event.dataset:cip* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "ICS DNP3", "description": "DNP3 logs", "query": "event.dataset:dnp3* | groupby -sankey event.dataset source.ip destination.ip | groupby dnp3.function_code | groupby dnp3.object_type | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "ICS ECAT", "description": "ECAT logs", "query": "event.dataset:ecat* | groupby -sankey event.dataset source.mac destination.mac | groupby source.mac | groupby destination.mac | groupby ecat.command | groupby ecat.register.type"},
+ { "name": "ICS BACnet", "description": "BACnet logs", "query": "event.dataset:bacnet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS BSAP", "description": "Bristol Standard Asynchronous Protocol logs", "query": "event.dataset:bsap* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS CIP", "description": "Common Industrial Protocol logs", "query": "event.dataset:cip* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS DNP3", "description": "DNP3 logs", "query": "event.dataset:dnp3* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby dnp3.function_code | groupby dnp3.object_type | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS ECAT", "description": "ECAT logs", "query": "event.dataset:ecat* | groupby -sankey event.dataset source.mac destination.mac | groupby event.dataset | groupby source.mac | groupby destination.mac | groupby ecat.command | groupby ecat.register.type"},
 { "name": "ICS ENIP", "description": "ENIP logs", "query": "event.dataset:enip* | groupby -sankey source.ip destination.ip | groupby enip.command | groupby enip.status_code | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "ICS Modbus", "description": "Modbus logs", "query": "event.dataset:modbus* | groupby -sankey event.dataset modbus.function | groupby event.dataset | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "ICS OPC UA", "description": "OPC Unified Architecture logs", "query": "event.dataset:opcua* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "ICS Profinet", "description": "Profinet logs", "query": "event.dataset:profinet* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "ICS S7", "description": "S7 logs", "query": "event.dataset:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS OPC UA", "description": "OPC Unified Architecture logs", "query": "event.dataset:opcua* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS Profinet", "description": "Profinet logs", "query": "event.dataset:profinet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS S7", "description": "S7 logs", "query": "event.dataset:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Firewall", "description": "Firewall logs", "query": "event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port"}
 ]
From dd4c34397d538ebf155724cce69467d487565e3d Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 28 Nov 2022 13:03:54 -0500 Subject: [PATCH 55/57] improve dashboard descriptions --- salt/soc/files/soc/dashboards.queries.json | 84 +++++++++++----------- 1 file changed, 42 insertions(+), 42 deletions(-)
diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json
index 6daa8680c..d613bded3 100644
--- a/salt/soc/files/soc/dashboards.queries.json
+++ b/salt/soc/files/soc/dashboards.queries.json
@@ -1,8 +1,8 @@
 [
 { "name": "Overview", "description": "Overview of all events", "query": "* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "SOC Auth", "description": "Show all SOC authentication logs", "query": "event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent"},
+ { "name": "SOC Auth", "description": "Security Onion Console authentication logs", "query": "event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent"},
 { "name": "Elastalerts", "description": "Elastalert logs", "query": "_index: \"*:elastalert*\" | groupby rule_name | groupby alert_info.type"},
- { "name": "Alerts", "description": "Show all alerts", "query": "event.dataset:alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "Alerts", "description": "Overview of all alerts", "query": "event.dataset:alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "NIDS Alerts", "description": "NIDS alerts", "query": "event.category:network AND event.dataset:alert | groupby rule.category | groupby rule.gid | groupby rule.uuid | groupby rule.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Wazuh/OSSEC", "description": "Wazuh/OSSEC HIDS alerts and logs", "query": "event.module:ossec | groupby rule.category | groupby rule.uuid | groupby rule.name | groupby agent.id | groupby agent.name | groupby log.full"},
 { "name": "Sysmon Overview", "description": "Overview of all Sysmon data types", "query": "event.module:sysmon | groupby -sankey event.dataset winlog.computer_name | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby event.dataset | groupby user.name | groupby dns.query.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.target | groupby source.ip | groupby destination.ip | groupby destination.port"},
@@ -11,53 +11,53 @@
 { "name": "Sysmon Process", "description": "Process activity captured by Sysmon", "query": "(event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby user.name | groupby event.dataset | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable"},
 { "name": "Sysmon File", "description": "File activity captured by Sysmon", "query": "(event.dataset:file_create OR event.dataset:file_create_stream_hash OR event.dataset:process_changed_file) | groupby -sankey winlog.computer_name process.executable | groupby winlog.computer_name | groupby event.dataset | groupby file.target | groupby process.executable"},
 { "name": "Sysmon Network", "description": "Network activity captured by Sysmon", "query": "event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
- { "name": "Strelka", "description": "Strelka logs", "query": "event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source"},
- { "name": "Zeek Notice", "description": "Zeek Notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "Connections", "description": "Connection logs", "query": "event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes"},
- { "name": "DCE_RPC", "description": "DCE_RPC logs", "query": "event.dataset:dce_rpc | groupby dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "DHCP", "description": "Dynamic Host Configuration Protocol leases", "query": "event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby client.address | groupby server.address"},
- { "name": "DNS", "description": "Domain Name System queries", "query": "event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "DPD", "description": "Dynamic Protocol Detection errors", "query": "event.dataset:dpd | groupby error.reason | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol"},
+ { "name": "Strelka", "description": "Strelka file analysis", "query": "event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source"},
+ { "name": "Zeek Notice", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "Connections", "description": "Network connection metadata", "query": "event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes"},
+ { "name": "DCE_RPC", "description": "DCE_RPC network metadata", "query": "event.dataset:dce_rpc | groupby dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "DHCP", "description": "DHCP (Dynamic Host Configuration Protocol) leases", "query": "event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby client.address | groupby server.address"},
+ { "name": "DNS", "description": "DNS (Domain Name System) queries", "query": "event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "DPD", "description": "DPD (Dynamic Protocol Detection) errors", "query": "event.dataset:dpd | groupby error.reason | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol"},
 { "name": "Files", "description": "Files seen in network traffic", "query": "event.dataset:file | groupby file.mime_type | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip"},
- { "name": "FTP", "description": "File Transfer Protocol logs", "query": "event.dataset:ftp | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "HTTP", "description": "Hyper Text Transport Protocol logs", "query": "event.dataset:http | groupby http.method | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "FTP", "description": "FTP (File Transfer Protocol) network metadata", "query": "event.dataset:ftp | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "HTTP", "description": "HTTP (Hyper Text Transport Protocol) network metadata", "query": "event.dataset:http | groupby http.method | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Intel", "description": "Zeek Intel framework hits", "query": "event.dataset:intel | groupby intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "IRC", "description": "Internet Relay Chat logs", "query": "event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "Kerberos", "description": "Kerberos logs", "query": "event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "MySQL", "description": "MySQL logs", "query": "event.dataset:mysql | groupby mysql.command | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "IRC", "description": "IRC (Internet Relay Chat) network metadata", "query": "event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "Kerberos", "description": "Kerberos network metadata", "query": "event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "MySQL", "description": "MySQL network metadata", "query": "event.dataset:mysql | groupby mysql.command | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Notice", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "NTLM", "description": "NTLM logs", "query": "event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "NTLM", "description": "NTLM (New Technology LAN Manager) network metadata", "query": "event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Osquery Live Queries", "description": "Osquery Live Query results", "query": "event.dataset:live_query | groupby host.hostname"},
- { "name": "PE", "description": "PE files list", "query": "event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit"},
- { "name": "RADIUS", "description": "RADIUS logs", "query": "event.dataset:radius | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "RDP", "description": "RDP logs", "query": "event.dataset:rdp | groupby client.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "RFB", "description": "RFB logs", "query": "event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "PE", "description": "PE files transferred via network traffic", "query": "event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit"},
+ { "name": "RADIUS", "description": "RADIUS (Remote Authentication Dial-In User Service) network metadata", "query": "event.dataset:radius | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "RDP", "description": "RDP (Remote Desktop Protocol) network metadata", "query": "event.dataset:rdp | groupby client.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "RFB", "description": "RFB (Remote Frame Buffer) network metadata", "query": "event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Signatures", "description": "Zeek signatures", "query": "event.dataset:signatures | groupby signature_id"},
- { "name": "SIP", "description": "SIP logs", "query": "event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "SMB_Files", "description": "SMB files", "query": "event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "SMB_Mapping", "description": "SMB mapping logs", "query": "event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "SMTP", "description": "SMTP logs", "query": "event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "SNMP", "description": "SNMP logs", "query": "event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "Software", "description": "List of software seen on the network by Zeek", "query": "event.dataset:software | groupby software.type | groupby software.name | groupby source.ip"},
- { "name": "SSH", "description": "SSH connections seen by Zeek", "query": "event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "SSL", "description": "SSL logs", "query": "event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "STUN", "description": "Session Traversal Utilities for NAT", "query": "event.dataset:stun* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "SYSLOG", "description": "SYSLOG logs", "query": "event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "TDS", "description": "Tabular Data Stream", "query": "event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby 
destination.port"}, + { "name": "SIP", "description": "SIP (Session Initiation Protocol) network metadata", "query": "event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "SMB_Files", "description": "Files transferred via SMB (Server Message Block) network metadata", "query": "event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "SMB_Mapping", "description": "SMB (Server Message Block) mapping network metadata", "query": "event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "SMTP", "description": "SMTP (Simple Mail Transfer Protocol) network metadata", "query": "event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "SNMP", "description": "SNMP (Simple Network Management Protocol) network metadata", "query": "event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "Software", "description": "Software seen by Zeek via network traffic", "query": "event.dataset:software | groupby software.type | groupby software.name | groupby source.ip"}, + { "name": "SSH", "description": "SSH (Secure Shell) connections seen by Zeek", "query": "event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "SSL", "description": "SSL/TLS network metadata", "query": "event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby 
ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "STUN", "description": "STUN (Session Traversal Utilities for NAT) network metadata", "query": "event.dataset:stun* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "Syslog", "description": "Syslog logs", "query": "event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "TDS", "description": "Tabular Data Stream (SQL) network metadata", "query": "event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "Tunnel", "description": "Tunnels seen by Zeek", "query": "event.dataset:tunnel | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "Weird", "description": "Weird network traffic seen by Zeek", "query": "event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port "}, - { "name": "WireGuard", "description": "WireGuard VPN", "query": "event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "WireGuard", "description": "WireGuard VPN network metadata", "query": "event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "x509", "description": "x.509 certificates seen by Zeek", "query": 
"event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer"}, - { "name": "ICS Overview", "description": "Industrial Control Systems overview", "query": "tags:ics | groupby event.dataset | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby source.mac | groupby destination.mac"}, - { "name": "ICS BACnet", "description": "BACnet logs", "query": "event.dataset:bacnet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "ICS BSAP", "description": "Bristol Standard Asynchronous Protocol logs", "query": "event.dataset:bsap* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "ICS CIP", "description": "Common Industrial Protocol logs", "query": "event.dataset:cip* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "ICS DNP3", "description": "DNP3 logs", "query": "event.dataset:dnp3* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby dnp3.function_code | groupby dnp3.object_type | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "ICS ECAT", "description": "ECAT logs", "query": "event.dataset:ecat* | groupby -sankey event.dataset source.mac destination.mac | groupby event.dataset | groupby source.mac | groupby destination.mac | groupby ecat.command | groupby ecat.register.type"}, - { "name": "ICS ENIP", "description": "ENIP logs", "query": "event.dataset:enip* | groupby -sankey source.ip destination.ip | groupby 
enip.command | groupby enip.status_code | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "ICS Modbus", "description": "Modbus logs", "query": "event.dataset:modbus* | groupby -sankey event.dataset modbus.function | groupby event.dataset | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "ICS OPC UA", "description": "OPC Unified Architecture logs", "query": "event.dataset:opcua* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "ICS Profinet", "description": "Profinet logs", "query": "event.dataset:profinet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "ICS S7", "description": "S7 logs", "query": "event.dataset:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "ICS Overview", "description": "Overview of ICS (Industrial Control Systems) traffic", "query": "tags:ics | groupby event.dataset | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby source.mac | groupby destination.mac"}, + { "name": "ICS BACnet", "description": "BACnet (Building Automation and Control Networks) traffic", "query": "event.dataset:bacnet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "ICS BSAP", "description": "BSAP (Bristol Standard Asynchronous Protocol) traffic", "query": "event.dataset:bsap* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"}, + 
{ "name": "ICS CIP", "description": "CIP (Common Industrial Protocol) traffic", "query": "event.dataset:cip* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "ICS DNP3", "description": "DNP3 (Distributed Network Protocol) traffic", "query": "event.dataset:dnp3* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby dnp3.function_code | groupby dnp3.object_type | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "ICS ECAT", "description": "ECAT (Ethernet for Control Automation Technology) traffic", "query": "event.dataset:ecat* | groupby -sankey event.dataset source.mac destination.mac | groupby event.dataset | groupby source.mac | groupby destination.mac | groupby ecat.command | groupby ecat.register.type"}, + { "name": "ICS ENIP", "description": "ENIP (Ethernet Industrial Protocol) traffic", "query": "event.dataset:enip* | groupby -sankey source.ip destination.ip | groupby enip.command | groupby enip.status_code | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "ICS Modbus", "description": "Modbus traffic", "query": "event.dataset:modbus* | groupby -sankey event.dataset modbus.function | groupby event.dataset | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "ICS OPC UA", "description": "OPC UA (Unified Architecture) traffic", "query": "event.dataset:opcua* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "ICS Profinet", "description": "Profinet (Process Field Network) traffic", "query": "event.dataset:profinet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | 
groupby destination.ip | groupby destination.port"}, + { "name": "ICS S7", "description": "S7 (Siemens) traffic", "query": "event.dataset:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "Firewall", "description": "Firewall logs", "query": "event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port"} ] From 2763b5846c8667b362de9c2a766a4b5e85b94a39 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 28 Nov 2022 13:10:23 -0500 Subject: [PATCH 56/57] improve dashboard descriptions --- salt/soc/files/soc/dashboards.queries.json | 32 +++++++++++----------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json index d613bded3..5a6f490d0 100644 --- a/salt/soc/files/soc/dashboards.queries.json +++ b/salt/soc/files/soc/dashboards.queries.json 
@@ -1,6 +1,6 @@
 [
 { "name": "Overview", "description": "Overview of all events", "query": "* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "SOC Auth", "description": "Security Onion Console authentication logs", "query": "event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent"},
+ { "name": "SOC Auth", "description": "SOC (Security Onion Console) authentication logs", "query": "event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent"},
 { "name": "Elastalerts", "description": "Elastalert logs", "query": "_index: \"*:elastalert*\" | groupby rule_name | groupby alert_info.type"},
 { "name": "Alerts", "description": "Overview of all alerts", "query": "event.dataset:alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "NIDS Alerts", "description": "NIDS alerts", "query": "event.category:network AND event.dataset:alert | groupby rule.category | groupby rule.gid | groupby rule.uuid | groupby rule.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
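Review bot: The re-emitted SOC Auth query groups successful logins by `http_request.headers.x-real-ip`, which only identifies the real client when the reverse proxy in front of Kratos sets that header itself rather than forwarding a client-supplied value; the commit touches only the description, so the dashboard still presents that header as if it were the peer address. Whether the proxy overwrites the header is not visible in this diff, so it is worth confirming rather than assuming. Since descriptions are being refined anyway, a short hint would make the caveat visible to analysts, e.g. `"description": "SOC (Security Onion Console) authentication logs (client IP as reported by the reverse proxy)"`.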
@@ -14,7 +14,7 @@
 { "name": "Strelka", "description": "Strelka file analysis", "query": "event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source"},
 { "name": "Zeek Notice", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Connections", "description": "Network connection metadata", "query": "event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes"},
- { "name": "DCE_RPC", "description": "DCE_RPC network metadata", "query": "event.dataset:dce_rpc | groupby dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "DCE_RPC", "description": "DCE_RPC (Distributed Computing Environment / Remote Procedure Calls) network metadata", "query": "event.dataset:dce_rpc | groupby dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "DHCP", "description": "DHCP (Dynamic Host Configuration Protocol) leases", "query": "event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby client.address | groupby server.address"},
 { "name": "DNS", "description": "DNS (Domain Name System) queries", "query": "event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "DPD", "description": "DPD (Dynamic Protocol Detection) errors", "query": "event.dataset:dpd | groupby error.reason | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol"},
@@ -28,13 +28,13 @@
 { "name": "Notice", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "NTLM", "description": "NTLM (New Technology LAN Manager) network metadata", "query": "event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Osquery Live Queries", "description": "Osquery Live Query results", "query": "event.dataset:live_query | groupby host.hostname"},
- { "name": "PE", "description": "PE files transferred via network traffic", "query": "event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit"},
+ { "name": "PE", "description": "PE (Portable Executable) files transferred via network traffic", "query": "event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit"},
 { "name": "RADIUS", "description": "RADIUS (Remote Authentication Dial-In User Service) network metadata", "query": "event.dataset:radius | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "RDP", "description": "RDP (Remote Desktop Protocol) network metadata", "query": "event.dataset:rdp | groupby client.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "RFB", "description": "RFB (Remote Frame Buffer) network metadata", "query": "event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Signatures", "description": "Zeek signatures", "query": "event.dataset:signatures | groupby signature_id"},
 { "name": "SIP", "description": "SIP (Session Initiation Protocol) network metadata", "query": "event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "SMB_Files", "description": "Files transferred via SMB (Server Message Block) network metadata", "query": "event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "SMB_Files", "description": "Files transferred via SMB (Server Message Block)", "query": "event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "SMB_Mapping", "description": "SMB (Server Message Block) mapping network metadata", "query": "event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "SMTP", "description": "SMTP (Simple Mail Transfer Protocol) network metadata", "query": "event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "SNMP", "description": "SNMP (Simple Network Management Protocol) network metadata", "query": "event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby source.ip | groupby destination.ip | groupby destination.port"},
@@ -43,21 +43,21 @@
 { "name": "SSL", "description": "SSL/TLS network metadata", "query": "event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "STUN", "description": "STUN (Session Traversal Utilities for NAT) network metadata", "query": "event.dataset:stun* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Syslog", "description": "Syslog logs", "query": "event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "TDS", "description": "Tabular Data Stream (SQL) network metadata", "query": "event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "TDS", "description": "TDS (Tabular Data Stream) network metadata", "query": "event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Tunnel", "description": "Tunnels seen by Zeek", "query": "event.dataset:tunnel | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Weird", "description": "Weird network traffic seen by Zeek", "query": "event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port "},
 { "name": "WireGuard", "description": "WireGuard VPN network metadata", "query": "event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "x509", "description": "x.509 certificates seen by Zeek", "query": "event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer"},
- { "name": "ICS Overview", "description": "Overview of ICS (Industrial Control Systems) traffic", "query": "tags:ics | groupby event.dataset | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby source.mac | groupby destination.mac"},
- { "name": "ICS BACnet", "description": "BACnet (Building Automation and Control Networks) traffic", "query": "event.dataset:bacnet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "ICS BSAP", "description": "BSAP (Bristol Standard Asynchronous Protocol) traffic", "query": "event.dataset:bsap* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "ICS CIP", "description": "CIP (Common Industrial Protocol) traffic", "query": "event.dataset:cip* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "ICS DNP3", "description": "DNP3 (Distributed Network Protocol) traffic", "query": "event.dataset:dnp3* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby dnp3.function_code | groupby dnp3.object_type | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "ICS ECAT", "description": "ECAT (Ethernet for Control Automation Technology) traffic", "query": "event.dataset:ecat* | groupby -sankey event.dataset source.mac destination.mac | groupby event.dataset | groupby source.mac | groupby destination.mac | groupby ecat.command | groupby ecat.register.type"},
- { "name": "ICS ENIP", "description": "ENIP (Ethernet Industrial Protocol) traffic", "query": "event.dataset:enip* | groupby -sankey source.ip destination.ip | groupby enip.command | groupby enip.status_code | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "ICS Modbus", "description": "Modbus traffic", "query": "event.dataset:modbus* | groupby -sankey event.dataset modbus.function | groupby event.dataset | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "ICS OPC UA", "description": "OPC UA (Unified Architecture) traffic", "query": "event.dataset:opcua* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "ICS Profinet", "description": "Profinet (Process Field Network) traffic", "query": "event.dataset:profinet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "ICS S7", "description": "S7 (Siemens) traffic", "query": "event.dataset:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS Overview", "description": "Overview of ICS (Industrial Control Systems) network metadata", "query": "tags:ics | groupby event.dataset | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby source.mac | groupby destination.mac"},
+ { "name": "ICS BACnet", "description": "BACnet (Building Automation and Control Networks) network metadata", "query": "event.dataset:bacnet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS BSAP", "description": "BSAP (Bristol Standard Asynchronous Protocol) network metadata", "query": "event.dataset:bsap* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS CIP", "description": "CIP (Common Industrial Protocol) network metadata", "query": "event.dataset:cip* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS DNP3", "description": "DNP3 (Distributed Network Protocol) network metadata", "query": "event.dataset:dnp3* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby dnp3.function_code | groupby dnp3.object_type | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS ECAT", "description": "ECAT (Ethernet for Control Automation Technology) network metadata", "query": "event.dataset:ecat* | groupby -sankey event.dataset source.mac destination.mac | groupby event.dataset | groupby source.mac | groupby destination.mac | groupby ecat.command | groupby ecat.register.type"},
+ { "name": "ICS ENIP", "description": "ENIP (Ethernet Industrial Protocol) network metadata", "query": "event.dataset:enip* | groupby -sankey source.ip destination.ip | groupby enip.command | groupby enip.status_code | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS Modbus", "description": "Modbus network metadata", "query": "event.dataset:modbus* | groupby -sankey event.dataset modbus.function | groupby event.dataset | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS OPC UA", "description": "OPC UA (Unified Architecture) network metadata", "query": "event.dataset:opcua* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS Profinet", "description": "Profinet (Process Field Network) network metadata", "query": "event.dataset:profinet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "ICS S7", "description": "S7 (Siemens) network metadata", "query": "event.dataset:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Firewall", "description": "Firewall logs", "query": "event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port"}
 ]
From 8462e66873ae12d49cd095884b5c1fb2be3f5158 Mon Sep 17 00:00:00 2001
From: doug
Date: Mon, 28 Nov 2022 13:50:24 -0500
Subject: [PATCH 57/57] fix opcua_binary_browse_description
---
 .../files/ingest/zeek.opcua_binary | 48 +++++++++----------
 .../zeek.opcua_binary_browse_description | 21 ++++----
 2 files changed, 35 insertions(+), 34 deletions(-)
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary b/salt/elasticsearch/files/ingest/zeek.opcua_binary
index 1dbffabc8..4363804b4 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary
@@ -1,30 +1,30 @@
 {
 "description" : "zeek.opcua_binary",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true} },
- { "rename": { "field": "message2.msg_type", "target_field": "opcua.message_type", "ignore_missing": true } },
- { "rename": { "field": "message2.is_final", "target_field": "opcua.final", "ignore_missing": true } },
- { "rename": { "field": "message2.msg_size", "target_field": "opcua.message_size", "ignore_missing": true } },
- { "rename": { "field": "message2.snd_buf_size", "target_field": "opcua.sender.buffer_size", "ignore_missing": true } },
- { "rename": { "field": "message2.seq_number", "target_field": "opcua.sequence_number", "ignore_missing": true } },
- { "rename": { "field": "message2.sec_channel_id", "target_field": "opcua.secure_channel.id", "ignore_missing": true } },
- { "rename": { "field": "message2.seq_number", "target_field": "opcua.sequence_number", "ignore_missing": true } },
- { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
- { "rename": { "field": "message2.request_id", "target_field": "opcua.request_id", "ignore_missing": true } },
- { "rename": { "field": "message2.namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
- { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
- { "rename": { "field": "message2.identifier", "target_field": "opcua.identifier", "ignore_missing": true } },
- { "rename": { "field": "message2.identifier_str", "target_field": "opcua.identifier_string", "ignore_missing": true } },
- { "rename": { "field": "message2.req_hdr_node_id_type", "target_field": "opcua.request.header.node.id_type", "ignore_missing": true } },
- { "rename": { "field": "message2.req_hdr_node_id_numeric", "target_field": "opcua.request.header.node.id_numeric",
"ignore_missing": true } },
- { "rename": { "field": "message2.req_hdr_timestamp", "target_field": "opcua.request.header.timestamp", "ignore_missing": true } },
- { "rename": { "field": "message2.req_hdr_request_handle", "target_field": "opcua.request.handle", "ignore_missing": true } },
- { "rename": { "field": "message2.req_hdr_return_diag", "target_field": "opcua.request.header.return_diag", "ignore_missing": true } },
- { "rename": { "field": "message2.req_hdr_audit_entry_id", "target_field": "opcua.request.header.audit_entry_id", "ignore_missing": true } },
- { "rename": { "field": "message2.req_hdr_timeout_hint", "target_field": "opcua.request.header.timeout_hint", "ignore_missing": true } },
- { "rename": { "field": "message2.req_hdr_add_hdr_type_id", "target_field": "opcua.request.header.type_id", "ignore_missing": true } },
- { "rename": { "field": "message2.req_hdr_add_hdr_enc_mask", "target_field": "opcua.request.header.enc_mask", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.msg_type", "target_field": "opcua.message_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.is_final", "target_field": "opcua.final", "ignore_missing": true } },
+ { "rename": { "field": "message2.msg_size", "target_field": "opcua.message_size", "ignore_missing": true } },
+ { "rename": { "field": "message2.snd_buf_size", "target_field": "opcua.sender.buffer_size", "ignore_missing": true } },
+ { "rename": { "field": "message2.seq_number", "target_field": "opcua.sequence_number", "ignore_missing": true } },
+ { "rename": { "field": "message2.sec_channel_id", "target_field": "opcua.secure_channel.id", "ignore_missing": true } },
+ { "rename": { "field": "message2.seq_number", "target_field": "opcua.sequence_number", "ignore_missing": true } },
+ { "rename": { "field": "message2.opcua_link_id",
"target_field": "opcua.link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.request_id", "target_field": "opcua.request_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
+ { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.identifier", "target_field": "opcua.identifier", "ignore_missing": true } },
+ { "rename": { "field": "message2.identifier_str", "target_field": "opcua.identifier_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_node_id_type", "target_field": "opcua.request.header.node.id_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_node_id_numeric", "target_field": "opcua.request.header.node.id_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_timestamp", "target_field": "opcua.request.header.timestamp", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_request_handle", "target_field": "opcua.request.handle", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_return_diag", "target_field": "opcua.request.header.return_diag", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_audit_entry_id", "target_field": "opcua.request.header.audit_entry_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_timeout_hint", "target_field": "opcua.request.header.timeout_hint", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_add_hdr_type_id", "target_field": "opcua.request.header.type_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.req_hdr_add_hdr_enc_mask", "target_field": "opcua.request.header.enc_mask", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_description b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_description
index 0065856d4..4f56796e9 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_description
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_description
@@ -1,16 +1,17 @@
 {
 "description" : "zeek.opcua_binary_browse_description",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "browse_description_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
- { "rename": { "field": "browse_description_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
- { "rename": { "field": "browse_direction", "target_field": "opcua.direction", "ignore_missing": true } },
- { "rename": { "field": "browse_description_ref_encoding_mask", "target_field": "opcua.description.ref_encoding_mask", "ignore_missing": true } },
- { "rename": { "field": "browse_description_ref_numeric", "target_field": "opcua.description.ref_numeric", "ignore_missing": true } },
- { "rename": { "field": "browse_description_include_subtypes", "target_field": "opcua.description.include_subtypes", "ignore_missing": true } },
- { "rename": { "field": "browse_node_class_mask", "target_field": "opcua.node.class_mask", "ignore_missing": true } },
- { "rename": { "field": "browse_result_mask", "target_field": "opcua.result.mask", "ignore_missing": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.browse_description_link_id", "target_field": "opcua.browse_description_link_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_description_encoding_mask", "target_field": "opcua.browse_description_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_description_numeric", "target_field": "opcua.browse_description_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_direction", "target_field": "opcua.browse_direction", "ignore_missing": true } },
+ {
"rename": { "field": "message2.browse_description_ref_encoding_mask", "target_field": "opcua.browse_description_ref_encoding_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_description_ref_numeric", "target_field": "opcua.browse_description.ref_numeric", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_description_include_subtypes", "target_field": "opcua.browse_description_include_subtypes", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_node_class_mask", "target_field": "opcua.browse_node_class_mask", "ignore_missing": true } },
+ { "rename": { "field": "message2.browse_result_mask", "target_field": "opcua.browse_result_mask", "ignore_missing": true } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
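Review bot: The rename of `message2.browse_description_ref_numeric` is the only one in this hunk whose target keeps a dot, `opcua.browse_description.ref_numeric`, while every sibling added in the same hunk lands on a flat `opcua.browse_description_*` field, which reads as an oversight rather than intent. Elasticsearch would then map `opcua.browse_description` as an object holding that single field, so queries and detections cannot address the browse-description fields uniformly, and any later attempt to index `opcua.browse_description` as a leaf value would conflict with that object mapping. Change it to `"target_field": "opcua.browse_description_ref_numeric"`. Separately, because the `json` processor runs with `"ignore_failure": true`, a record whose `message` is not valid JSON continues through the pipeline with none of the `opcua.*` fields set and no indication of the parse failure; if the shared `zeek.common` pipeline does not already tag such records, stating that behaviour in this pipeline's `"description"` would help whoever triages missing OPC UA fields.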