zeek ldap & ldap_search parsing

Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
2025-12-24 09:53:12 +01:00 · 2025-01-09 16:06:10 -06:00
parent 0e87351a9c
commit e60a1e4357
4 changed files with 149 additions and 0 deletions
--- a/salt/elasticsearch/templates/component/ecs/zeek.json
+++ b/salt/elasticsearch/templates/component/ecs/zeek.json
@@ -834,6 +834,81 @@
                }
              }
            },
+            "ldap": {
+              "type": "object",
+              "properties": {
+                "message_id": {
+                  "type": "short"
+                },
+                "opcode": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "result": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "diagnostic_message": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "version": {
+                  "type": "short"
+                },
+                "object": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "argument": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "user_email": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "property": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "common_name": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "organizational_unit": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "domain": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
+            "ldap_search": {
+              "type": "object",
+              "properties": {
+                "scope": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "deref_aliases": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "result_count": {
+                  "type": "long"
+                },
+                "filter": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                },
+                "attributes": {
+                  "ignore_above": 1024,
+                  "type": "keyword"
+                }
+              }
+            },
            "modbus": {
              "properties": {
                "exception": {
@@ -1176,24 +1251,30 @@
              "type": "object",
              "properties": {
                "server_name": {
+                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "version": {
                  "type": "short"
                },
                "client_initial_dcid": {
+                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "client_scid": {
+                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "server_scid": {
+                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "client_protocol": {
+                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "history": {
+                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }