Elastic Integrations

Zeek

Zeek Integration

Last updated on September 7th, 2021.

What's an integration?

This integration is powered by Elastic Agent. Elastic Agent is a single, unified agent that you can deploy to hosts or containers to collect data and send it to the Elastic Stack. Behind the scenes, Elastic Agent runs the Beats shippers or Elastic Endpoint required for your configuration. Please refer to our documentation for a detailed comparison between Beats and Elastic Agent.

Prefer to use Beats for this use case? See Filebeat modules for logs or Metricbeat modules for metrics.

Overview

This is an integration for Zeek, which used to be called Bro. It parses logs that are in the Zeek JSON format.

Compatibility

This module has been developed against Zeek 2.6.1, but is expected to work with other versions of Zeek.

Zeek requires a Unix-like platform, and it currently supports Linux, FreeBSD, and Mac OS X. Find out how to use Zeek here.

Logs

capture_loss

The capture_loss dataset collects the Zeek capture_loss.log file, which contains packet loss rate data.

Exported fields

Field | Description | Type
@timestamp | Event timestamp. | date
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword
cloud.availability_zone | Availability zone in which this host is running. | keyword
cloud.image.id | Image ID for the cloud instance. | keyword
cloud.instance.id | Instance ID of the host machine. | keyword
cloud.instance.name | Instance name of the host machine. | keyword
cloud.machine.type | Machine type of the host machine. | keyword
cloud.project.id | Name of the project in Google Cloud. | keyword
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword
cloud.region | Region in which this host is running. | keyword
container.id | Unique container id. | keyword
container.image.name | Name of the image the container was built on. | keyword
container.labels | Image labels. | object
container.name | Container name. | keyword
data_stream.dataset | Data stream dataset. | constant_keyword
data_stream.namespace | Data stream namespace. | constant_keyword
data_stream.type | Data stream type. | constant_keyword
ecs.version | ECS version this event conforms to. | keyword
error.message | Error message. | text
event.created | Time when the event was first read by an agent or by your pipeline. | date
event.dataset | Event dataset. | constant_keyword
event.ingested | Timestamp when an event arrived in the central data store. | date
event.kind | The kind of the event. The highest categorization field in the hierarchy. | keyword
event.module | Event module. | constant_keyword
event.type | Event type. The third categorization field in the hierarchy. | keyword
host.architecture | Operating system architecture. | keyword
host.containerized | If the host is a container. | boolean
host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword
host.hostname | Hostname of the host. It normally contains what the hostname command returns on the host machine. | keyword
host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name. | keyword
host.ip | Host IP addresses. | ip
host.mac | Host MAC addresses. | keyword
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword
host.os.build | OS build information. | keyword
host.os.codename | OS codename, if any. | keyword
host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword
host.os.kernel | Operating system kernel version as a raw string. | keyword
host.os.name | Operating system name, without the version. | keyword
host.os.platform | Operating system platform (such as centos, ubuntu, windows). | keyword
host.os.version | Operating system version as a raw string. | keyword
host.type | Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword
input.type | Type of Filebeat input. | keyword
log.file.path | Full path to the log file this event came from. | keyword
log.flags | Flags for the log file. | keyword
log.offset | Offset of the entry in the log file. | long
tags | List of keywords used to tag each event. | keyword
zeek.capture_loss.acks | Total number of ACKs seen in the previous measurement interval. | integer
zeek.capture_loss.gaps | Number of missed ACKs from the previous measurement interval. | integer
zeek.capture_loss.peer | In the event that there are multiple Bro instances logging to the same host, this distinguishes each peer with its individual name. | keyword
zeek.capture_loss.percent_lost | Percentage of ACKs seen where the data being ACKed wasn't seen. | double
zeek.capture_loss.ts_delta | The time delay between this measurement and the last. | integer
zeek.session_id | A unique identifier of the session. | keyword

connection

The connection dataset collects the Zeek conn.log file, which contains TCP/UDP/ICMP connection data.

Exported fields

Field | Description | Type
@timestamp | Event timestamp. | date
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword
cloud.availability_zone | Availability zone in which this host is running. | keyword
cloud.image.id | Image ID for the cloud instance. | keyword
cloud.instance.id | Instance ID of the host machine. | keyword
cloud.instance.name | Instance name of the host machine. | keyword
cloud.machine.type | Machine type of the host machine. | keyword
cloud.project.id | Name of the project in Google Cloud. | keyword
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword
cloud.region | Region in which this host is running. | keyword
container.id | Unique container id. | keyword
container.image.name | Name of the image the container was built on. | keyword
container.labels | Image labels. | object
container.name | Container name. | keyword
data_stream.dataset | Data stream dataset. | constant_keyword
data_stream.namespace | Data stream namespace. | constant_keyword
data_stream.type | Data stream type. | constant_keyword
destination.address | Destination network address. | keyword
destination.as.number | Unique number allocated to the autonomous system. | long
destination.as.organization.name | Organization name. | keyword
destination.bytes | Bytes sent from the destination to the source. | long
destination.geo.city_name | City name. | keyword
destination.geo.continent_name | Name of the continent. | keyword
destination.geo.country_iso_code | Country ISO code. | keyword
destination.geo.country_name | Country name. | keyword
destination.geo.location | Longitude and latitude. | geo_point
destination.geo.name | User-defined description of a location. | keyword
destination.geo.region_iso_code | Region ISO code. | keyword
destination.geo.region_name | Region name. | keyword
destination.ip | IP address of the destination. | ip
destination.mac | MAC address of the destination. | keyword
destination.packets | Packets sent from the destination to the source. | long
destination.port | Port of the destination. | long
ecs.version | ECS version this event conforms to. | keyword
error.message | Error message. | text
event.category | Event category. The second categorization field in the hierarchy. | keyword
event.created | Time when the event was first read by an agent or by your pipeline. | date
event.dataset | Event dataset. | constant_keyword
event.duration | Duration of the event in nanoseconds. | long
event.id | Unique ID to describe the event. | keyword
event.ingested | Timestamp when an event arrived in the central data store. | date
event.kind | The kind of the event. The highest categorization field in the hierarchy. | keyword
event.module | Event module. | constant_keyword
event.type | Event type. The third categorization field in the hierarchy. | keyword
host.architecture | Operating system architecture. | keyword
host.containerized | If the host is a container. | boolean
host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword
host.hostname | Hostname of the host. It normally contains what the hostname command returns on the host machine. | keyword
host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name. | keyword
host.ip | Host IP addresses. | ip
host.mac | Host MAC addresses. | keyword
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword
host.os.build | OS build information. | keyword
host.os.codename | OS codename, if any. | keyword
host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword
host.os.kernel | Operating system kernel version as a raw string. | keyword
host.os.name | Operating system name, without the version. | keyword
host.os.platform | Operating system platform (such as centos, ubuntu, windows). | keyword
host.os.version | Operating system version as a raw string. | keyword
host.type | Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword
input.type | Type of Filebeat input. | keyword
log.file.path | Full path to the log file this event came from. | keyword
log.flags | Flags for the log file. | keyword
log.offset | Offset of the entry in the log file. | long
network.bytes | Total bytes transferred in both directions. | long
network.community_id | A hash of source and destination IPs and ports. | keyword
network.direction | Direction of the network traffic. | keyword
network.packets | Total packets transferred in both directions. | long
network.protocol | L7 network protocol name. | keyword
network.transport | Protocol name corresponding to the field iana_number. | keyword
related.ip | All of the IPs seen on your event. | ip
source.address | Source network address. | keyword
source.as.number | Unique number allocated to the autonomous system. | long
source.as.organization.name | Organization name. | keyword
source.bytes | Bytes sent from the source to the destination. | long
source.geo.city_name | City name. | keyword
source.geo.continent_name | Name of the continent. | keyword
source.geo.country_iso_code | Country ISO code. | keyword
source.geo.country_name | Country name. | keyword
source.geo.location | Longitude and latitude. | geo_point
source.geo.name | User-defined description of a location. | keyword
source.geo.region_iso_code | Region ISO code. | keyword
source.geo.region_name | Region name. | keyword
source.ip | IP address of the source. | ip
source.mac | MAC address of the source. | keyword
source.packets | Packets sent from the source to the destination. | long
source.port | Port of the source. | long
tags | List of keywords used to tag each event. | keyword
zeek.connection.history | Flags indicating the history of the session. | keyword
zeek.connection.icmp.code | ICMP message code. | integer
zeek.connection.icmp.type | ICMP message type. | integer
zeek.connection.inner_vlan | VLAN identifier. | integer
zeek.connection.local_orig | Indicates whether the session is originated locally. | boolean
zeek.connection.local_resp | Indicates whether the session is responded locally. | boolean
zeek.connection.missed_bytes | Missed bytes for the session. | long
zeek.connection.state | Code indicating the state of the session. | keyword
zeek.connection.state_message | The state of the session. | keyword
zeek.connection.vlan | VLAN identifier. | integer
zeek.session_id | A unique identifier of the session. | keyword
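The following Python script is an added example, not the integration's own ingest pipeline: it reads Zeek JSON conn.log lines (one object per line, as Zeek's JSON writer emits them) and maps them onto the exported fields listed above, so a defender can see what the integration has to do before the data is searchable. It makes these assumptions: the conn_state code-to-message table is taken from the Zeek conn.log documentation; the network.direction mapping from local_orig/local_resp is a constructed one; for ICMP connections Zeek places the ICMP type and code in the id.orig_p and id.resp_p columns, which is why those records get zeek.connection.icmp.* instead of ports; event.type, geo and AS enrichment are left out. The sample lines use RFC 5737 documentation addresses and are constructed, not captured traffic.

```python
import json
from datetime import datetime, timezone

# conn_state codes from the Zeek conn.log documentation. The integration
# exposes the code as zeek.connection.state and its meaning as
# zeek.connection.state_message.
CONN_STATE_MESSAGES = {
    "S0": "Connection attempt seen, no reply.",
    "S1": "Connection established, not terminated.",
    "SF": "Normal establishment and termination.",
    "REJ": "Connection attempt rejected.",
    "S2": "Connection established, close attempt by originator, no reply from responder.",
    "S3": "Connection established, close attempt by responder, no reply from originator.",
    "RSTO": "Connection established, originator aborted (sent a RST).",
    "RSTR": "Responder sent a RST.",
    "RSTOS0": "Originator sent a SYN followed by a RST, no SYN-ACK from responder.",
    "RSTRH": "Responder sent a SYN-ACK followed by a RST, no SYN from originator.",
    "SH": "Originator sent a SYN followed by a FIN, no SYN-ACK from responder (half open).",
    "SHR": "Responder sent a SYN-ACK followed by a FIN, no SYN from originator.",
    "OTH": "No SYN seen, just midstream traffic.",
}

# Constructed mapping (assumption) from Zeek's locality flags to ECS network.direction.
DIRECTION = {(True, True): "internal", (True, False): "outbound",
             (False, True): "inbound", (False, False): "external"}


def zeek_conn_to_ecs(rec):
    """Map one Zeek JSON conn.log object onto the exported fields of the connection dataset."""
    orig_ip, resp_ip = rec.get("id.orig_h"), rec.get("id.resp_h")
    ecs = {
        "@timestamp": datetime.fromtimestamp(rec["ts"], tz=timezone.utc).isoformat(),
        "event.id": rec.get("uid"),
        "zeek.session_id": rec.get("uid"),
        "event.kind": "event",
        "event.category": ["network"],
        "source.address": orig_ip, "source.ip": orig_ip,
        "destination.address": resp_ip, "destination.ip": resp_ip,
        "network.transport": rec.get("proto"),
        "network.protocol": rec.get("service"),
        "network.direction": DIRECTION.get((rec.get("local_orig"), rec.get("local_resp"))),
        "zeek.connection.state": rec.get("conn_state"),
        "zeek.connection.state_message": CONN_STATE_MESSAGES.get(rec.get("conn_state")),
        "zeek.connection.history": rec.get("history"),
        "zeek.connection.missed_bytes": rec.get("missed_bytes"),
        "zeek.connection.local_orig": rec.get("local_orig"),
        "zeek.connection.local_resp": rec.get("local_resp"),
        "zeek.connection.vlan": rec.get("vlan"),
        "zeek.connection.inner_vlan": rec.get("inner_vlan"),
        # related.ip: every IP on the event, de-duplicated, order preserved.
        "related.ip": [ip for ip in dict.fromkeys([orig_ip, resp_ip]) if ip],
    }
    # Zeek stores the ICMP type/code in the port columns; keep them out of *.port.
    if rec.get("proto") == "icmp":
        ecs["zeek.connection.icmp.type"] = rec.get("id.orig_p")
        ecs["zeek.connection.icmp.code"] = rec.get("id.resp_p")
    else:
        ecs["source.port"] = rec.get("id.orig_p")
        ecs["destination.port"] = rec.get("id.resp_p")
    # Zeek logs duration in seconds (float); ECS event.duration is nanoseconds (long).
    if "duration" in rec:
        ecs["event.duration"] = int(round(rec["duration"] * 1e9))
    # Per-direction counters, then the both-direction totals the dataset exports.
    for zeek_key, ecs_key in (("orig_bytes", "source.bytes"), ("resp_bytes", "destination.bytes"),
                              ("orig_pkts", "source.packets"), ("resp_pkts", "destination.packets")):
        if zeek_key in rec:
            ecs[ecs_key] = rec[zeek_key]
    for total, parts in (("network.bytes", ("source.bytes", "destination.bytes")),
                         ("network.packets", ("source.packets", "destination.packets"))):
        if any(p in ecs for p in parts):
            ecs[total] = sum(ecs.get(p, 0) for p in parts)
    # Zeek omits unset fields from its JSON output; mirror that by dropping Nones.
    return {k: v for k, v in ecs.items() if v is not None}


def parse_conn_log(text):
    """Parse newline-delimited Zeek JSON, skipping blank lines."""
    return [zeek_conn_to_ecs(json.loads(line)) for line in text.splitlines() if line.strip()]


# Constructed sample conn.log lines (RFC 5737 addresses), not real captured data.
SAMPLE_CONN_LOG = """
{"ts":1631000000.123456,"uid":"CExample1","id.orig_h":"192.0.2.10","id.orig_p":51234,"id.resp_h":"198.51.100.20","id.resp_p":443,"proto":"tcp","service":"ssl","duration":1.234567,"orig_bytes":100,"resp_bytes":250,"conn_state":"SF","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"ShADadFf","orig_pkts":6,"orig_ip_bytes":420,"resp_pkts":5,"resp_ip_bytes":510}
{"ts":1631000001.5,"uid":"CExample2","id.orig_h":"192.0.2.10","id.orig_p":8,"id.resp_h":"192.0.2.99","id.resp_p":0,"proto":"icmp","conn_state":"OTH","local_orig":true,"local_resp":true,"missed_bytes":0,"orig_pkts":1,"orig_ip_bytes":84,"resp_pkts":0,"resp_ip_bytes":0}
"""

if __name__ == "__main__":
    for doc in parse_conn_log(SAMPLE_CONN_LOG):
        print(json.dumps(doc, indent=2))
```

The second sample line is the edge case worth noticing: an ICMP echo request with no reply has no duration, no byte counters and no ports, so the resulting document carries zeek.connection.icmp.type/code and a network.packets total but no event.duration, network.bytes, source.port or destination.port. Detection rules that assume every connection document has a port or a duration will silently skip such records.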

dce_rpc

The dce_rpc dataset collects the Zeek dce_rpc.log file, which contains Distributed Computing Environment/RPC data.

Exported fields

Field | Description | Type
@timestamp | Event timestamp. | date
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword
cloud.availability_zone | Availability zone in which this host is running. | keyword
cloud.image.id | Image ID for the cloud instance. | keyword
cloud.instance.id | Instance ID of the host machine. | keyword
cloud.instance.name | Instance name of the host machine. | keyword
cloud.machine.type | Machine type of the host machine. | keyword
cloud.project.id | Name of the project in Google Cloud. | keyword
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword
cloud.region | Region in which this host is running. | keyword
container.id | Unique container id. | keyword
container.image.name | Name of the image the container was built on. | keyword
container.labels | Image labels. | object
container.name | Container name. | keyword
data_stream.dataset | Data stream dataset. | constant_keyword
data_stream.namespace | Data stream namespace. | constant_keyword
data_stream.type | Data stream type. | constant_keyword
destination.address | Destination network address. | keyword
destination.as.number | Unique number allocated to the autonomous system. | long
destination.as.organization.name | Organization name. | keyword
destination.bytes | Bytes sent from the destination to the source. | long
destination.geo.city_name | City name. | keyword
destination.geo.continent_name | Name of the continent. | keyword
destination.geo.country_iso_code | Country ISO code. | keyword
destination.geo.country_name | Country name. | keyword
destination.geo.location | Longitude and latitude. | geo_point
destination.geo.name | User-defined description of a location. | keyword
destination.geo.region_iso_code | Region ISO code. | keyword
destination.geo.region_name | Region name. | keyword
destination.ip | IP address of the destination. | ip
destination.port | Port of the destination. | long
ecs.version | ECS version this event conforms to. | keyword
error.message | Error message. | text
event.action | The action captured by the event. | keyword
event.category | Event category. The second categorization field in the hierarchy. | keyword
event.created | Time when the event was first read by an agent or by your pipeline. | date
event.dataset | Event dataset. | constant_keyword
event.id | Unique ID to describe the event. | keyword
event.ingested | Timestamp when an event arrived in the central data store. | date
event.kind | The kind of the event. The highest categorization field in the hierarchy. | keyword
event.module | Event module. | constant_keyword
event.type | Event type. The third categorization field in the hierarchy. | keyword
host.architecture | Operating system architecture. | keyword
host.containerized | If the host is a container. | boolean
host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword
host.hostname | Hostname of the host. It normally contains what the hostname command returns on the host machine. | keyword
host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name. | keyword
host.ip | Host IP addresses. | ip
host.mac | Host MAC addresses. | keyword
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword
host.os.build | OS build information. | keyword
host.os.codename | OS codename, if any. | keyword
host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword
host.os.kernel | Operating system kernel version as a raw string. | keyword
host.os.name | Operating system name, without the version. | keyword
host.os.platform | Operating system platform (such as centos, ubuntu, windows). | keyword
host.os.version | Operating system version as a raw string. | keyword
host.type | Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword
input.type | Type of Filebeat input. | keyword
log.file.path | Full path to the log file this event came from. | keyword
log.flags | Flags for the log file. | keyword
log.offset | Offset of the entry in the log file. | long
network.community_id | A hash of source and destination IPs and ports. | keyword
network.protocol | L7 network protocol name. | keyword
network.transport | Protocol name corresponding to the field iana_number. | keyword
related.ip | All of the IPs seen on your event. | ip
source.address | Source network address. | keyword
source.as.number | Unique number allocated to the autonomous system. | long
source.as.organization.name | Organization name. | keyword
source.bytes | Bytes sent from the source to the destination. | long
source.geo.city_name | City name. | keyword
source.geo.continent_name | Name of the continent. | keyword
source.geo.country_iso_code | Country ISO code. | keyword
source.geo.country_name | Country name. | keyword
source.geo.location | Longitude and latitude. | geo_point
source.geo.name | User-defined description of a location. | keyword
source.geo.region_iso_code | Region ISO code. | keyword
source.geo.region_name | Region name. | keyword
source.ip | IP address of the source. | ip
source.port | Port of the source. | long
tags | List of keywords used to tag each event. | keyword
zeek.dce_rpc.endpoint | Endpoint name looked up from the uuid. | keyword
zeek.dce_rpc.named_pipe | Remote pipe name. | keyword
zeek.dce_rpc.operation | Operation seen in the call. | keyword
zeek.dce_rpc.rtt | Round trip time from the request to the response. If either the request or response wasn't seen, this will be null. | integer
zeek.session_id | A unique identifier of the session. | keyword

dhcp

The dhcp dataset collects the Zeek dhcp.log file, which contains DHCP lease data.

Exported fields

Field | Description | Type
@timestamp | Event timestamp. | date
client.address | Client network address. | keyword
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword
cloud.availability_zone | Availability zone in which this host is running. | keyword
cloud.image.id | Image ID for the cloud instance. | keyword
cloud.instance.id | Instance ID of the host machine. | keyword
cloud.instance.name | Instance name of the host machine. | keyword
cloud.machine.type | Machine type of the host machine. | keyword
cloud.project.id | Name of the project in Google Cloud. | keyword
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword
cloud.region | Region in which this host is running. | keyword
container.id | Unique container id. | keyword
container.image.name | Name of the image the container was built on. | keyword
container.labels | Image labels. | object
container.name | Container name. | keyword
data_stream.dataset | Data stream dataset. | constant_keyword
data_stream.namespace | Data stream namespace. | constant_keyword
data_stream.type | Data stream type. | constant_keyword
destination.address | Destination network address. | keyword
destination.ip | IP address of the destination. | ip
destination.port | Port of the destination. | long
ecs.version | ECS version this event conforms to. | keyword
error.message | Error message. | text
event.category | Event category. The second categorization field in the hierarchy. | keyword
event.created | Time when the event was first read by an agent or by your pipeline. | date
event.dataset | Event dataset. | constant_keyword
event.id | Unique ID to describe the event. | keyword
event.ingested | Timestamp when an event arrived in the central data store. | date
event.kind | The kind of the event. The highest categorization field in the hierarchy. | keyword
event.module | Event module. | constant_keyword
event.type | Event type. The third categorization field in the hierarchy. | keyword
host.architecture | Operating system architecture. | keyword
host.containerized | If the host is a container. | boolean
host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword
host.hostname | Hostname of the host. It normally contains what the hostname command returns on the host machine. | keyword
host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name. | keyword
host.ip | Host IP addresses. | ip
host.mac | Host MAC addresses. | keyword
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword
host.os.build | OS build information. | keyword
host.os.codename | OS codename, if any. | keyword
host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword
host.os.kernel | Operating system kernel version as a raw string. | keyword
host.os.name | Operating system name, without the version. | keyword
host.os.platform | Operating system platform (such as centos, ubuntu, windows). | keyword
host.os.version | Operating system version as a raw string. | keyword
host.type | Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword
input.type | Type of Filebeat input. | keyword
log.file.path | Full path to the log file this event came from. | keyword
log.flags | Flags for the log file. | keyword
log.offset | Offset of the entry in the log file. | long
network.community_id | A hash of source and destination IPs and ports. | keyword
network.name | Name given by operators to sections of their network. | keyword
network.protocol | L7 network protocol name. | keyword
network.transport | Protocol name corresponding to the field iana_number. | keyword
related.ip | All of the IPs seen on your event. | ip
server.address | Server network address. | keyword
source.address | Source network address. | keyword
source.ip | IP address of the source. | ip
source.port | Port of the source. | long
tags | List of keywords used to tag each event. | keyword
zeek.dhcp.address.assigned | IP address assigned by the server. | ip
zeek.dhcp.address.client | IP address of the client. If a transaction is only a client sending INFORM messages then there is no lease information exchanged, so this is helpful to know who sent the messages. Getting an address in this field does require that the client sources at least one DHCP message using a non-broadcast address. | ip
zeek.dhcp.address.mac | Client's hardware address. | keyword
zeek.dhcp.address.requested | IP address requested by the client. | ip
zeek.dhcp.address.server | IP address of the DHCP server. | ip
zeek.dhcp.client_fqdn | FQDN given by client in Client FQDN option 81. | keyword
zeek.dhcp.domain | Domain given by the server in option 15. | keyword
zeek.dhcp.duration | Duration of the DHCP session representing the time from the first message to the last, in seconds. | double
zeek.dhcp.hostname | Name given by client in Hostname option 12. | keyword
zeek.dhcp.id.circuit | (present if policy/protocols/dhcp/sub-opts.bro is loaded) Added by DHCP relay agents which terminate switched or permanent circuits. It encodes an agent-local identifier of the circuit from which a DHCP client-to-server packet was received. Typically it should represent a router or switch interface number. | keyword
zeek.dhcp.id.remote_agent | (present if policy/protocols/dhcp/sub-opts.bro is loaded) A globally unique identifier added by relay agents to identify the remote host end of the circuit. | keyword
zeek.dhcp.id.subscriber | (present if policy/protocols/dhcp/sub-opts.bro is loaded) The subscriber ID is a value independent of the physical network configuration so that a customer's DHCP configuration can be given to them correctly no matter where they are physically connected. | keyword
zeek.dhcp.lease_time | IP address lease interval in seconds. | integer
zeek.dhcp.msg.client | Message typically accompanied with a DHCP_DECLINE so the client can tell the server why it rejected an address. | keyword
zeek.dhcp.msg.origin | (present if policy/protocols/dhcp/msg-orig.bro is loaded) The address that originated each message from the msg.types field. | ip
zeek.dhcp.msg.server | Message typically accompanied with a DHCP_NAK to let the client know why it rejected the request. | keyword
zeek.dhcp.msg.types | List of DHCP message types seen in this exchange. | keyword
zeek.dhcp.software.client | (present if policy/protocols/dhcp/software.bro is loaded) Software reported by the client in the vendor_class option. | keyword
zeek.dhcp.software.server | (present if policy/protocols/dhcp/software.bro is loaded) Software reported by the server in the vendor_class option. | keyword
zeek.session_id | A unique identifier of the session. | keyword

dnp3

The dnp3 dataset collects the Zeek dnp3.log file, which contains DNP3 requests and replies.

Exported fields

Field | Description | Type
@timestamp | Event timestamp. | date
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword
cloud.availability_zone | Availability zone in which this host is running. | keyword
cloud.image.id | Image ID for the cloud instance. | keyword
cloud.instance.id | Instance ID of the host machine. | keyword
cloud.instance.name | Instance name of the host machine. | keyword
cloud.machine.type | Machine type of the host machine. | keyword
cloud.project.id | Name of the project in Google Cloud. | keyword
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword
cloud.region | Region in which this host is running. | keyword
container.id | Unique container id. | keyword
container.image.name | Name of the image the container was built on. | keyword
container.labels | Image labels. | object
container.name | Container name. | keyword
data_stream.dataset | Data stream dataset. | constant_keyword
data_stream.namespace | Data stream namespace. | constant_keyword
data_stream.type | Data stream type. | constant_keyword
destination.address | Destination network address. | keyword
destination.as.number | Unique number allocated to the autonomous system. | long
destination.as.organization.name | Organization name. | keyword
destination.bytes | Bytes sent from the destination to the source. | long
destination.geo.city_name | City name. | keyword
destination.geo.continent_name | Name of the continent. | keyword
destination.geo.country_iso_code | Country ISO code. | keyword
destination.geo.country_name | Country name. | keyword
destination.geo.location | Longitude and latitude. | geo_point
destination.geo.name | User-defined description of a location. | keyword
destination.geo.region_iso_code | Region ISO code. | keyword
destination.geo.region_name | Region name. | keyword
destination.ip | IP address of the destination. | ip
destination.port | Port of the destination. | long
ecs.version | ECS version this event conforms to. | keyword
error.message | Error message. | text
event.action | The action captured by the event. | keyword
event.category | Event category. The second categorization field in the hierarchy. | keyword
event.created | Time when the event was first read by an agent or by your pipeline. | date
event.dataset | Event dataset. | constant_keyword
event.id | Unique ID to describe the event. | keyword
event.ingested | Timestamp when an event arrived in the central data store. | date
event.kind | The kind of the event. The highest categorization field in the hierarchy. | keyword
event.module | Event module. | constant_keyword
event.type | Event type. The third categorization field in the hierarchy. | keyword
host.architecture | Operating system architecture. | keyword
host.containerized | If the host is a container. | boolean
host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword
host.hostname | Hostname of the host. It normally contains what the hostname command returns on the host machine. | keyword
host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name. | keyword
host.ip | Host IP addresses. | ip
host.mac | Host MAC addresses. | keyword
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword
host.os.build | OS build information. | keyword
host.os.codename | OS codename, if any. | keyword
host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword
host.os.kernel | Operating system kernel version as a raw string. | keyword
host.os.name | Operating system name, without the version. | keyword
host.os.platform | Operating system platform (such as centos, ubuntu, windows). | keyword
host.os.version | Operating system version as a raw string. | keyword
host.type | Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword
input.type | Type of Filebeat input. | keyword
log.file.path | Full path to the log file this event came from. | keyword
log.flags | Flags for the log file. | keyword
log.offset | Offset of the entry in the log file. | long
network.community_id | A hash of source and destination IPs and ports. | keyword
network.protocol | L7 network protocol name. | keyword
network.transport | Protocol name corresponding to the field iana_number. | keyword
related.ip | All of the IPs seen on your event. | ip
source.address | Source network address. | keyword
source.as.number | Unique number allocated to the autonomous system. | long
source.as.organization.name | Organization name. | keyword
source.bytes | Bytes sent from the source to the destination. | long
source.geo.city_name | City name. | keyword
source.geo.continent_name | Name of the continent. | keyword
source.geo.country_iso_code | Country ISO code. | keyword
source.geo.country_name | Country name. | keyword
source.geo.location | Longitude and latitude. | geo_point
source.geo.name | User-defined description of a location. | keyword
source.geo.region_iso_code | Region ISO code. | keyword
source.geo.region_name | Region name. | keyword
source.ip | IP address of the source. | ip
source.port | Port of the source. | long
tags | List of keywords used to tag each event. | keyword
zeek.dnp3.function.reply | The name of the function message in the reply. | keyword
zeek.dnp3.function.request | The name of the function message in the request. | keyword
zeek.dnp3.id | The response's internal indication number. | integer
zeek.session_id | A unique identifier of the session. | keyword

dns

The dns dataset collects the Zeek dns.log file, which contains DNS activity.

Exported fields

Field | Description | Type
@timestamp | Event timestamp. | date
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword
cloud.availability_zone | Availability zone in which this host is running. | keyword
cloud.image.id | Image ID for the cloud instance. | keyword
cloud.instance.id | Instance ID of the host machine. | keyword
cloud.instance.name | Instance name of the host machine. | keyword
cloud.machine.type | Machine type of the host machine. | keyword
cloud.project.id | Name of the project in Google Cloud. | keyword
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword
cloud.region | Region in which this host is running. | keyword
container.id | Unique container id. | keyword
container.image.name | Name of the image the container was built on. | keyword
container.labels | Image labels. | object
container.name | Container name. | keyword
data_stream.dataset | Data stream dataset. | constant_keyword
data_stream.namespace | Data stream namespace. | constant_keyword
data_stream.type | Data stream type. | constant_keyword
destination.address | Destination network address. | keyword
destination.as.number | Unique number allocated to the autonomous system. | long
destination.as.organization.name | Organization name. | keyword
destination.geo.city_name | City name. | keyword
destination.geo.continent_name | Name of the continent. | keyword
destination.geo.country_iso_code | Country ISO code. | keyword
destination.geo.country_name | Country name. | keyword
destination.geo.location | Longitude and latitude. | geo_point
destination.geo.name | User-defined description of a location. | keyword
destination.geo.region_iso_code | Region ISO code. | keyword
destination.geo.region_name | Region name. | keyword
destination.ip | IP address of the destination. | ip
destination.port | Port of the destination. | long
dns.answers | Array of DNS answers. | object
dns.answers.class | The class of DNS data contained in this resource record. | keyword
dns.answers.data | The data describing the resource. | keyword
dns.answers.name | The domain name to which this resource record pertains. | keyword
dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. | long
dns.answers.type | The type of data contained in this resource record. | keyword
dns.header_flags | Array of DNS header flags. | keyword
dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword
dns.question.class | The class of records being queried. | keyword
dns.question.domain | The domain being queried. | keyword
dns.question.name | The name being queried. | keyword
dns.question.registered_domain | The highest registered domain, stripped of the subdomain. | keyword
dns.question.subdomain | The subdomain of the domain. | keyword
dns.question.top_level_domain | The effective top level domain (com, org, net, co.uk). | keyword
dns.question.type | The type of record being queried.
keyword
dns.resolved_ip
Array containing all IPs seen in answers.data.
ip
dns.response_code
The DNS response code.
keyword
dns.type
The type of DNS event captured, query or answer.
keyword
ecs.version
ECS version this event conforms to.
keyword
error.message
Error message.
text
event.category
Event category. The second categorization field in the hierarchy.
keyword
event.created
Time when the event was first read by an agent or by your pipeline.
date
event.dataset
Event dataset.
constant_keyword
event.duration
Duration of the event in nanoseconds.
long
event.id
Unique ID to describe the event.
keyword
event.ingested
Timestamp when an event arrived in the central data store.
date
event.kind
The kind of the event. The highest categorization field in the hierarchy.
keyword
event.module
Event module.
constant_keyword
event.original
Raw text message of entire event.
keyword
event.outcome
The outcome of the event. The lowest level categorization field in the hierarchy.
keyword
event.type
Event type. The third categorization field in the hierarchy.
keyword
host.architecture
Operating system architecture.
keyword
host.containerized
If the host is a container.
boolean
host.domain
Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
keyword
host.hostname
Hostname of the host. It normally contains what the hostname command returns on the host machine.
keyword
host.id
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name.
keyword
host.ip
Host ip addresses.
ip
host.mac
Host mac addresses.
keyword
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
host.os.family
OS family (such as redhat, debian, freebsd, windows).
keyword
host.os.kernel
Operating system kernel version as a raw string.
keyword
host.os.name
Operating system name, without the version.
keyword
host.os.platform
Operating system platform (such as centos, ubuntu, windows).
keyword
host.os.version
Operating system version as a raw string.
keyword
host.type
Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.
keyword
input.type
Type of Filebeat input.
keyword
log.file.path
Full path to the log file this event came from.
keyword
log.flags
Flags for the log file.
keyword
log.offset
Offset of the entry in the log file.
long
network.community_id
A hash of source and destination IPs and ports.
keyword
network.protocol
L7 network protocol name, e.g. http, lumberjack, transport protocol.
keyword
network.transport
Protocol name corresponding to the field iana_number.
keyword
related.ip
All of the IPs seen on your event.
ip
source.address
Source network address.
keyword
source.as.number
Unique number allocated to the autonomous system.
long
source.as.organization.name
Organization name.
keyword
source.geo.city_name
City name.
keyword
source.geo.continent_name
Name of the continent.
keyword
source.geo.country_iso_code
Country ISO code.
keyword
source.geo.country_name
Country name.
keyword
source.geo.location
Longitude and latitude.
geo_point
source.geo.name
User-defined description of a location.
keyword
source.geo.region_iso_code
Region ISO code.
keyword
source.geo.region_name
Region name.
keyword
source.ip
IP address of the source.
ip
source.port
Port of the source.
long
tags
List of keywords used to tag each event.
keyword
zeek.dns.AA
The Authoritative Answer bit for response messages specifies that the responding name server is an authority for the domain name in the question section.
boolean
zeek.dns.RA
The Recursion Available bit in a response message indicates that the name server supports recursive queries.
boolean
zeek.dns.RD
The Recursion Desired bit in a request message indicates that the client wants recursive service for this query.
boolean
zeek.dns.TC
The Truncation bit specifies that the message was truncated.
boolean
zeek.dns.TTLs
The caching intervals of the associated RRs described by the answers field.
double
zeek.dns.answers
The set of resource descriptions in the query answer.
keyword
zeek.dns.qclass
The QCLASS value specifying the class of the query.
long
zeek.dns.qclass_name
A descriptive name for the class of the query.
keyword
zeek.dns.qtype
A QTYPE value specifying the type of the query.
long
zeek.dns.qtype_name
A descriptive name for the type of the query.
keyword
zeek.dns.query
The domain name that is the subject of the DNS query.
keyword
zeek.dns.rcode
The response code value in DNS response messages.
long
zeek.dns.rcode_name
A descriptive name for the response code value.
keyword
zeek.dns.rejected
Indicates whether the DNS query was rejected by the server.
boolean
zeek.dns.rtt
Round trip time for the query and response.
double
zeek.dns.saw_query
Whether the full DNS query has been seen.
boolean
zeek.dns.saw_reply
Whether the full DNS reply has been seen.
boolean
zeek.dns.total_answers
The total number of resource records in the reply.
integer
zeek.dns.total_replies
The total number of resource records in the reply message.
integer
zeek.dns.trans_id
DNS transaction identifier.
keyword
zeek.session_id
A unique identifier of the session.
keyword

dpd

The dpd dataset collects the Zeek dpd.log, which contains dynamic protocol detection failures.

Exported fields

Field | Description | Type
@timestamp
Event timestamp.
date
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host is running.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.instance.name
Instance name of the host machine.
keyword
cloud.machine.type
Machine type of the host machine.
keyword
cloud.project.id
Name of the project in Google Cloud.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host is running.
keyword
container.id
Unique container id.
keyword
container.image.name
Name of the image the container was built on.
keyword
container.labels
Image labels.
object
container.name
Container name.
keyword
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
destination.address
Destination network address.
keyword
destination.as.number
Unique number allocated to the autonomous system.
long
destination.as.organization.name
Organization name.
keyword
destination.geo.city_name
City name.
keyword
destination.geo.continent_name
Name of the continent.
keyword
destination.geo.country_iso_code
Country ISO code.
keyword
destination.geo.country_name
Country name.
keyword
destination.geo.location
Longitude and latitude.
geo_point
destination.geo.name
User-defined description of a location.
keyword
destination.geo.region_iso_code
Region ISO code.
keyword
destination.geo.region_name
Region name.
keyword
destination.ip
IP address of the destination.
ip
destination.port
Port of the destination.
long
ecs.version
ECS version this event conforms to.
keyword
error.message
Error message.
text
event.category
Event category. The second categorization field in the hierarchy.
keyword
event.created
Time when the event was first read by an agent or by your pipeline.
date
event.dataset
Event dataset.
constant_keyword
event.id
Unique ID to describe the event.
keyword
event.ingested
Timestamp when an event arrived in the central data store.
date
event.kind
The kind of the event. The highest categorization field in the hierarchy.
keyword
event.module
Event module.
constant_keyword
event.type
Event type. The third categorization field in the hierarchy.
keyword
host.architecture
Operating system architecture.
keyword
host.containerized
If the host is a container.
boolean
host.domain
Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
keyword
host.hostname
Hostname of the host. It normally contains what the hostname command returns on the host machine.
keyword
host.id
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name.
keyword
host.ip
Host ip addresses.
ip
host.mac
Host mac addresses.
keyword
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
host.os.family
OS family (such as redhat, debian, freebsd, windows).
keyword
host.os.kernel
Operating system kernel version as a raw string.
keyword
host.os.name
Operating system name, without the version.
keyword
host.os.platform
Operating system platform (such as centos, ubuntu, windows).
keyword
host.os.version
Operating system version as a raw string.
keyword
host.type
Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.
keyword
input.type
Type of Filebeat input.
keyword
log.file.path
Full path to the log file this event came from.
keyword
log.flags
Flags for the log file.
keyword
log.offset
Offset of the entry in the log file.
long
network.community_id
A hash of source and destination IPs and ports.
keyword
network.transport
Protocol name corresponding to the field iana_number.
keyword
related.ip
All of the IPs seen on your event.
ip
source.address
Source network address.
keyword
source.as.number
Unique number allocated to the autonomous system.
long
source.as.organization.name
Organization name.
keyword
source.geo.city_name
City name.
keyword
source.geo.continent_name
Name of the continent.
keyword
source.geo.country_iso_code
Country ISO code.
keyword
source.geo.country_name
Country name.
keyword
source.geo.location
Longitude and latitude.
geo_point
source.geo.name
User-defined description of a location.
keyword
source.geo.region_iso_code
Region ISO code.
keyword
source.geo.region_name
Region name.
keyword
source.ip
IP address of the source.
ip
source.port
Port of the source.
long
tags
List of keywords used to tag each event.
keyword
zeek.dpd.analyzer
The analyzer that generated the violation.
keyword
zeek.dpd.failure_reason
The textual reason for the analysis failure.
keyword
zeek.dpd.packet_segment
(present if policy/frameworks/dpd/packet-segment-logging.bro is loaded) A chunk of the payload that most likely resulted in the protocol violation.
keyword
zeek.session_id
A unique identifier of the session.
keyword

files

The files dataset collects the Zeek files.log file, which contains file analysis results.

Exported fields

Field | Description | Type
@timestamp
Event timestamp.
date
client.ip
IP address of the client.
ip
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host is running.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.instance.name
Instance name of the host machine.
keyword
cloud.machine.type
Machine type of the host machine.
keyword
cloud.project.id
Name of the project in Google Cloud.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host is running.
keyword
container.id
Unique container id.
keyword
container.image.name
Name of the image the container was built on.
keyword
container.labels
Image labels.
object
container.name
Container name.
keyword
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
ecs.version
ECS version this event conforms to.
keyword
error.message
Error message.
text
event.category
Event category. The second categorization field in the hierarchy.
keyword
event.created
Time when the event was first read by an agent or by your pipeline.
date
event.dataset
Event dataset.
constant_keyword
event.id
Unique ID to describe the event.
keyword
event.ingested
Timestamp when an event arrived in the central data store.
date
event.kind
The kind of the event. The highest categorization field in the hierarchy.
keyword
event.module
Event module.
constant_keyword
event.type
Event type. The third categorization field in the hierarchy.
keyword
file.hash.md5
MD5 hash.
keyword
file.hash.sha1
SHA1 hash.
keyword
file.hash.sha256
SHA256 hash.
keyword
file.mime_type
Media type of file, document, or arrangement of bytes.
keyword
file.name
Name of the file including the extension, without the directory.
keyword
file.size
File size in bytes.
long
host.architecture
Operating system architecture.
keyword
host.containerized
If the host is a container.
boolean
host.domain
Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
keyword
host.hostname
Hostname of the host. It normally contains what the hostname command returns on the host machine.
keyword
host.id
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name.
keyword
host.ip
Host ip addresses.
ip
host.mac
Host mac addresses.
keyword
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
host.os.family
OS family (such as redhat, debian, freebsd, windows).
keyword
host.os.kernel
Operating system kernel version as a raw string.
keyword
host.os.name
Operating system name, without the version.
keyword
host.os.platform
Operating system platform (such as centos, ubuntu, windows).
keyword
host.os.version
Operating system version as a raw string.
keyword
host.type
Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.
keyword
input.type
Type of Filebeat input.
keyword
log.file.path
Full path to the log file this event came from.
keyword
log.flags
Flags for the log file.
keyword
log.offset
Offset of the entry in the log file.
long
related.hash
All the hashes seen on your event.
keyword
related.ip
All of the IPs seen on your event.
ip
server.ip
IP address of the server.
ip
tags
List of keywords used to tag each event.
keyword
zeek.files.analyzers
A set of analysis types done during the file analysis.
keyword
zeek.files.depth
A value to represent the depth of this file in relation to its source. In SMTP, it is the depth of the MIME attachment on the message. In HTTP, it is the depth of the request within the TCP connection.
long
zeek.files.duration
The duration for which the file was analyzed, not the duration of the session.
double
zeek.files.entropy
The information density of the contents of the file.
double
zeek.files.extracted
Local filename of extracted file.
keyword
zeek.files.extracted_cutoff
Indicates whether the file being extracted was cut off and hence not extracted completely.
boolean
zeek.files.extracted_size
The number of bytes extracted to disk.
long
zeek.files.filename
Name of the file if available.
keyword
zeek.files.fuid
A file unique identifier.
keyword
zeek.files.is_orig
If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder.
boolean
zeek.files.local_orig
If the source of this file is a network connection, this field indicates if the data originated from the local network or not.
boolean
zeek.files.md5
An MD5 digest of the file contents.
keyword
zeek.files.mime_type
Mime type of the file.
keyword
zeek.files.missing_bytes
The number of bytes in the file stream that were completely missed during the process of analysis.
long
zeek.files.overflow_bytes
The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn't be reassembled.
long
zeek.files.parent_fuid
Identifier associated with a container file from which this one was extracted as part of the file analysis.
keyword
zeek.files.rx_host
The host that received the file.
ip
zeek.files.seen_bytes
Number of bytes provided to the file analysis engine for the file.
long
zeek.files.session_ids
The sessions that have this file.
keyword
zeek.files.sha1
A SHA1 digest of the file contents.
keyword
zeek.files.sha256
A SHA256 digest of the file contents.
keyword
zeek.files.source
An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source.
keyword
zeek.files.timedout
Whether the file analysis timed out at least once for the file.
boolean
zeek.files.total_bytes
Total number of bytes that are supposed to comprise the full file.
long
zeek.files.tx_host
The host that transferred the file.
ip
zeek.session_id
A unique identifier of the session.
keyword

ftp

The ftp dataset collects the Zeek ftp.log file, which contains FTP activity.

Exported fields

Field | Description | Type
@timestamp
Event timestamp.
date
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host is running.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.instance.name
Instance name of the host machine.
keyword
cloud.machine.type
Machine type of the host machine.
keyword
cloud.project.id
Name of the project in Google Cloud.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host is running.
keyword
container.id
Unique container id.
keyword
container.image.name
Name of the image the container was built on.
keyword
container.labels
Image labels.
object
container.name
Container name.
keyword
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
destination.address
Destination network address.
keyword
destination.as.number
Unique number allocated to the autonomous system.
long
destination.as.organization.name
Organization name.
keyword
destination.geo.city_name
City name.
keyword
destination.geo.continent_name
Name of the continent.
keyword
destination.geo.country_iso_code
Country ISO code.
keyword
destination.geo.country_name
Country name.
keyword
destination.geo.location
Longitude and latitude.
geo_point
destination.geo.name
User-defined description of a location.
keyword
destination.geo.region_iso_code
Region ISO code.
keyword
destination.geo.region_name
Region name.
keyword
destination.ip
IP address of the destination.
ip
destination.port
Port of the destination.
long
ecs.version
ECS version this event conforms to.
keyword
error.message
Error message.
text
event.action
The action captured by the event.
keyword
event.category
Event category. The second categorization field in the hierarchy.
keyword
event.created
Time when the event was first read by an agent or by your pipeline.
date
event.dataset
Event dataset.
constant_keyword
event.id
Unique ID to describe the event.
keyword
event.ingested
Timestamp when an event arrived in the central data store.
date
event.kind
The kind of the event. The highest categorization field in the hierarchy.
keyword
event.module
Event module.
constant_keyword
event.type
Event type. The third categorization field in the hierarchy.
keyword
file.mime_type
Media type of file, document, or arrangement of bytes.
keyword
file.size
File size in bytes.
long
host.architecture
Operating system architecture.
keyword
host.containerized
If the host is a container.
boolean
host.domain
Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
keyword
host.hostname
Hostname of the host. It normally contains what the hostname command returns on the host machine.
keyword
host.id
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name.
keyword
host.ip
Host ip addresses.
ip
host.mac
Host mac addresses.
keyword
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
host.os.family
OS family (such as redhat, debian, freebsd, windows).
keyword
host.os.kernel
Operating system kernel version as a raw string.
keyword
host.os.name
Operating system name, without the version.
keyword
host.os.platform
Operating system platform (such as centos, ubuntu, windows).
keyword
host.os.version
Operating system version as a raw string.
keyword
host.type
Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.
keyword
input.type
Type of Filebeat input.
keyword
log.file.path
Full path to the log file this event came from.
keyword
log.flags
Flags for the log file.
keyword
log.offset
Offset of the entry in the log file.
long
network.community_id
A hash of source and destination IPs and ports.
keyword
network.protocol
L7 Network protocol name.
keyword
network.transport
Protocol name corresponding to the field iana_number.
keyword
related.ip
All of the IPs seen on your event.
ip
related.user
All the user names seen on your event.
keyword
source.address
Source network address.
keyword
source.as.number
Unique number allocated to the autonomous system.
long
source.as.organization.name
Organization name.
keyword
source.geo.city_name
City name.
keyword
source.geo.continent_name
Name of the continent.
keyword
source.geo.country_iso_code
Country ISO code.
keyword
source.geo.country_name
Country name.
keyword
source.geo.location
Longitude and latitude.
geo_point
source.geo.name
User-defined description of a location.
keyword
source.geo.region_iso_code
Region ISO code.
keyword
source.geo.region_name
Region name.
keyword
source.ip
IP address of the source.
ip
source.port
Port of the source.
long
tags
List of keywords used to tag each event.
keyword
user.name
Short name or login of the user.
keyword
zeek.ftp.arg
Argument for the command if one is given.
keyword
zeek.ftp.capture_password
Determines if the password will be captured for this request.
boolean
zeek.ftp.cmdarg.arg
Argument for the command if one was given.
keyword
zeek.ftp.cmdarg.cmd
Command.
keyword
zeek.ftp.cmdarg.seq
Counter to track how many commands have been executed.
integer
zeek.ftp.command
Command given by the client.
keyword
zeek.ftp.cwd
Current working directory that this session is in. The default value '.' indicates that, unless something more concrete is discovered, the existing but unknown directory is acceptable to use.
keyword
zeek.ftp.data_channel.originating_host
The host that will be initiating the data connection.
ip
zeek.ftp.data_channel.passive
Whether PASV mode is toggled for control channel.
boolean
zeek.ftp.data_channel.response_host
The host that will be accepting the data connection.
ip
zeek.ftp.data_channel.response_port
The port at which the acceptor is listening for the data connection.
integer
zeek.ftp.file.fuid
(present if base/protocols/ftp/files.bro is loaded) File unique ID.
keyword
zeek.ftp.file.mime_type
Sniffed mime type of file.
keyword
zeek.ftp.file.size
Size of the file if the command indicates a file transfer.
long
zeek.ftp.last_auth_requested
(present if base/protocols/ftp/gridftp.bro is loaded) Last authentication/security mechanism that was used.
keyword
zeek.ftp.passive
Indicates if the session is in active or passive mode.
boolean
zeek.ftp.password
Password for the current FTP session if captured.
keyword
zeek.ftp.pending_commands
Queue of commands that have been sent but not yet responded to.
integer
zeek.ftp.reply.code
Reply code from the server in response to the command.
integer
zeek.ftp.reply.msg
Reply message from the server in response to the command.
keyword
zeek.ftp.user
User name for the current FTP session.
keyword
zeek.session_id
A unique identifier of the session.
keyword

http

The http dataset collects the Zeek http.log file, which contains HTTP requests and replies.

Exported fields

Field | Description | Type
@timestamp
Event timestamp.
date
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host is running.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.instance.name
Instance name of the host machine.
keyword
cloud.machine.type
Machine type of the host machine.
keyword
cloud.project.id
Name of the project in Google Cloud.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host is running.
keyword
container.id
Unique container id.
keyword
container.image.name
Name of the image the container was built on.
keyword
container.labels
Image labels.
object
container.name
Container name.
keyword
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
destination.address
Destination network address.
keyword
destination.as.number
Unique number allocated to the autonomous system.
long
destination.as.organization.name
Organization name.
keyword
destination.geo.city_name
City name.
keyword
destination.geo.continent_name
Name of the continent.
keyword
destination.geo.country_iso_code
Country ISO code.
keyword
destination.geo.country_name
Country name.
keyword
destination.geo.location
Longitude and latitude.
geo_point
destination.geo.name
User-defined description of a location.
keyword
destination.geo.region_iso_code
Region ISO code.
keyword
destination.geo.region_name
Region name.
keyword
destination.ip
IP address of the destination.
ip
destination.port
Port of the destination.
long
ecs.version
ECS version this event conforms to.
keyword
error.message
Error message.
text
event.action
The action captured by the event.
keyword
event.category
Event category. The second categorization field in the hierarchy.
keyword
event.created
Time when the event was first read by an agent or by your pipeline.
date
event.dataset
Event dataset.
constant_keyword
event.id
Unique ID to describe the event.
keyword
event.ingested
Timestamp when an event arrived in the central data store.
date
event.kind
The kind of the event. The highest categorization field in the hierarchy.
keyword
event.module
Event module.
constant_keyword
event.outcome
The outcome of the event. The lowest level categorization field in the hierarchy.
keyword
event.type
Event type. The third categorization field in the hierarchy.
keyword
host.architecture
Operating system architecture.
keyword
host.containerized
If the host is a container.
boolean
host.domain
Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
keyword
host.hostname
Hostname of the host. It normally contains what the hostname command returns on the host machine.
keyword
host.id
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name.
keyword
host.ip
Host ip addresses.
ip
host.mac
Host mac addresses.
keyword
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
host.os.family
OS family (such as redhat, debian, freebsd, windows).
keyword
host.os.kernel
Operating system kernel version as a raw string.
keyword
host.os.name
Operating system name, without the version.
keyword
host.os.platform
Operating system platform (such as centos, ubuntu, windows).
keyword
host.os.version
Operating system version as a raw string.
keyword
host.type
Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.
keyword
http.request.body.bytes
Size in bytes of the request body.
long
http.request.method
HTTP request method.
keyword
http.request.referrer
Referrer for this HTTP request.
keyword
http.response.body.bytes
Size in bytes of the response body.
long
http.response.status_code
HTTP response status code.
long
http.version
HTTP version.
keyword
input.type
Type of Filebeat input.
keyword
log.file.path
Full path to the log file this event came from.
keyword
log.flags
Flags for the log file.
keyword
log.offset
Offset of the entry in the log file.
long
network.community_id
A hash of source and destination IPs and ports.
keyword
network.transport
Protocol name corresponding to the field iana_number.
keyword
related.ip
All of the IPs seen on your event.
ip
related.user
All the user names seen on your event.
keyword
source.address
Source network address.
keyword
source.as.number
Unique number allocated to the autonomous system.
long
source.as.organization.name
Organization name.
keyword
source.geo.city_name
City name.
keyword
source.geo.continent_name
Name of the continent.
keyword
source.geo.country_iso_code
Country ISO code.
keyword
source.geo.country_name
Country name.
keyword
source.geo.location
Longitude and latitude.
geo_point
source.geo.name
User-defined description of a location.
keyword
source.geo.region_iso_code
Region ISO code.
keyword
source.geo.region_name
Region name.
keyword
source.ip
IP address of the source.
ip
source.port
Port of the source.
long
tags
List of keywords used to tag each event.
keyword
url.domain
Domain of the url.
keyword
url.original
Unmodified original url as seen in the event source.
wildcard
url.password
Password of the request.
keyword
url.path
Path of the request, such as "/search".
wildcard
url.port
Port of the request, such as 443.
long
url.username
Username of the request.
keyword
user.name
Short name or login of the user.
keyword
user_agent.device.name
Name of the device.
keyword
user_agent.name
Name of the user agent.
keyword
user_agent.original
Unparsed user_agent string.
keyword
user_agent.os.family
OS family (such as redhat, debian, freebsd, windows).
keyword
user_agent.os.full
Operating system name, including the version or code name.
keyword
user_agent.os.kernel
Operating system kernel version as a raw string.
keyword
user_agent.os.name
Operating system name, without the version.
keyword
user_agent.os.platform
Operating system platform (such as centos, ubuntu, windows).
keyword
user_agent.os.version
Operating system version as a raw string.
keyword
user_agent.version
Version of the user agent.
keyword
zeek.http.captured_password
Determines if the password will be captured for this request.
boolean
zeek.http.client_header_names
The vector of HTTP header names sent by the client. No header values are included here, just the header names.
keyword
zeek.http.info_code
Last seen 1xx informational reply code returned by the server.
integer
zeek.http.info_msg
Last seen 1xx informational reply message returned by the server.
keyword
zeek.http.orig_filenames
An ordered vector of filenames from the originator.
keyword
zeek.http.orig_fuids
An ordered vector of file unique IDs from the originator.
keyword
zeek.http.orig_mime_depth
Current number of MIME entities in the HTTP request message body.
integer
zeek.http.orig_mime_types
An ordered vector of mime types from the originator.
keyword
zeek.http.password
Password if basic-auth is performed for the request.
keyword
zeek.http.proxied
All of the headers that may indicate if the HTTP request was proxied.
keyword
zeek.http.range_request
Indicates if this request can assume 206 partial content in response.
boolean
zeek.http.resp_filenames
An ordered vector of filenames from the responder.
keyword
zeek.http.resp_fuids
An ordered vector of file unique IDs from the responder.
keyword
zeek.http.resp_mime_depth
Current number of MIME entities in the HTTP response message body.
integer
zeek.http.resp_mime_types
An ordered vector of mime types from the responder.
keyword
zeek.http.server_header_names
The vector of HTTP header names sent by the server. No header values are included here, just the header names.
keyword
zeek.http.status_msg
Status message returned by the server.
keyword
zeek.http.tags
A set of indicators of various attributes discovered and related to a particular request/response pair.
keyword
zeek.http.trans_depth
Represents the pipelined depth into the connection of this request/response transaction.
integer
zeek.session_id
A unique identifier of the session.
keyword

intel

The intel dataset collects the Zeek intel.log file, which contains intelligence data matches.

Exported fields

Field / Description / Type
@timestamp
Event timestamp.
date
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host is running.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.instance.name
Instance name of the host machine.
keyword
cloud.machine.type
Machine type of the host machine.
keyword
cloud.project.id
Name of the project in Google Cloud.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host is running.
keyword
container.id
Unique container id.
keyword
container.image.name
Name of the image the container was built on.
keyword
container.labels
Image labels.
object
container.name
Container name.
keyword
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
destination.address
Destination network address.
keyword
destination.as.number
Unique number allocated to the autonomous system.
long
destination.as.organization.name
Organization name.
keyword
destination.geo.city_name
City name.
keyword
destination.geo.continent_name
Name of the continent.
keyword
destination.geo.country_iso_code
Country ISO code.
keyword
destination.geo.country_name
Country name.
keyword
destination.geo.location
Longitude and latitude.
geo_point
destination.geo.name
User-defined description of a location.
keyword
destination.geo.region_iso_code
Region ISO code.
keyword
destination.geo.region_name
Region name.
keyword
destination.ip
IP address of the destination.
ip
destination.port
Port of the destination.
long
ecs.version
ECS version this event conforms to.
keyword
error.message
Error message.
text
event.created
Time when the event was first read by an agent or by your pipeline.
date
event.dataset
Event dataset
constant_keyword
event.ingested
Timestamp when an event arrived in the central data store.
date
event.kind
The kind of the event. The highest categorization field in the hierarchy.
keyword
event.module
Event module
constant_keyword
event.original
Raw text message of entire event.
keyword
event.type
Event type. The third categorization field in the hierarchy.
keyword
host.architecture
Operating system architecture.
keyword
host.containerized
If the host is a container.
boolean
host.domain
Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
keyword
host.hostname
Hostname of the host. It normally contains what the hostname command returns on the host machine.
keyword
host.id
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name.
keyword
host.ip
Host ip addresses.
ip
host.mac
Host mac addresses.
keyword
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
host.os.family
OS family (such as redhat, debian, freebsd, windows).
keyword
host.os.kernel
Operating system kernel version as a raw string.
keyword
host.os.name
Operating system name, without the version.
keyword
host.os.platform
Operating system platform (such as centos, ubuntu, windows).
keyword
host.os.version
Operating system version as a raw string.
keyword
host.type
Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.
keyword
input.type
Type of Filebeat input.
keyword
log.file.path
Full path to the log file this event came from.
keyword
log.flags
Flags for the log file.
keyword
log.offset
Offset of the entry in the log file.
long
network.community_id
A hash of source and destination IPs and ports.
keyword
related.ip
All of the IPs seen on your event.
ip
source.address
Source network address.
keyword
source.as.number
Unique number allocated to the autonomous system.
long
source.as.organization.name
Organization name.
keyword
source.geo.city_name
City name.
keyword
source.geo.continent_name
Name of the continent.
keyword
source.geo.country_iso_code
Country ISO code.
keyword
source.geo.country_name
Country name.
keyword
source.geo.location
Longitude and latitude.
geo_point
source.geo.name
User-defined description of a location.
keyword
source.geo.region_iso_code
Region ISO code.
keyword
source.geo.region_name
Region name.
keyword
source.ip
IP address of the source.
ip
source.port
Port of the source.
long
tags
List of keywords used to tag each event.
keyword
zeek.intel.file_desc
Frequently files can be described to give a bit more context. If the $f field is provided this field will be automatically filled out.
keyword
zeek.intel.file_mime_type
A mime type if the intelligence hit is related to a file. If the $f field is provided this will be automatically filled out.
keyword
zeek.intel.fuid
If a file was associated with this intelligence hit, this is the uid for the file.
keyword
zeek.intel.matched
Event to represent a match in the intelligence data from data that was seen.
keyword
zeek.intel.seen.conn
If the data was discovered within a connection, the connection record should go here to give context to the data.
keyword
zeek.intel.seen.f
If the data was discovered within a file, the file record should go here to provide context to the data.
object
zeek.intel.seen.fuid
If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out.
keyword
zeek.intel.seen.host
If the indicator type was Intel::ADDR, then this field will be present.
keyword
zeek.intel.seen.indicator
The intelligence indicator.
keyword
zeek.intel.seen.indicator_type
The type of data the indicator represents.
keyword
zeek.intel.seen.node
The name of the node where the match was discovered.
keyword
zeek.intel.seen.uid
If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out.
keyword
zeek.intel.seen.where
Where the data was discovered.
keyword
zeek.intel.sources
Sources which supplied data for this match.
keyword
zeek.session_id
A unique identifier of the session.
keyword

irc

The irc dataset collects the Zeek irc.log file, which contains IRC commands and responses.

Exported fields

Field / Description / Type
@timestamp
Event timestamp.
date
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host is running.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.instance.name
Instance name of the host machine.
keyword
cloud.machine.type
Machine type of the host machine.
keyword
cloud.project.id
Name of the project in Google Cloud.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host is running.
keyword
container.id
Unique container id.
keyword
container.image.name
Name of the image the container was built on.
keyword
container.labels
Image labels.
object
container.name
Container name.
keyword
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
destination.address
Destination network address.
keyword
destination.as.number
Unique number allocated to the autonomous system.
long
destination.as.organization.name
Organization name.
keyword
destination.geo.city_name
City name.
keyword
destination.geo.continent_name
Name of the continent.
keyword
destination.geo.country_iso_code
Country ISO code.
keyword
destination.geo.country_name
Country name.
keyword
destination.geo.location
Longitude and latitude.
geo_point
destination.geo.name
User-defined description of a location.
keyword
destination.geo.region_iso_code
Region ISO code.
keyword
destination.geo.region_name
Region name.
keyword
destination.ip
IP address of the destination.
ip
destination.port
Port of the destination.
long
ecs.version
ECS version this event conforms to.
keyword
error.message
Error message.
text
event.action
The action captured by the event.
keyword
event.category
Event category. The second categorization field in the hierarchy.
keyword
event.created
Time when the event was first read by an agent or by your pipeline.
date
event.dataset
Event dataset
constant_keyword
event.id
Unique ID to describe the event.
keyword
event.ingested
Timestamp when an event arrived in the central data store.
date
event.kind
The kind of the event. The highest categorization field in the hierarchy.
keyword
event.module
Event module
constant_keyword
event.type
Event type. The third categorization field in the hierarchy.
keyword
file.mime_type
Media type of file, document, or arrangement of bytes.
keyword
file.name
Name of the file including the extension, without the directory.
keyword
file.size
File size in bytes.
long
host.architecture
Operating system architecture.
keyword
host.containerized
If the host is a container.
boolean
host.domain
Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
keyword
host.hostname
Hostname of the host. It normally contains what the hostname command returns on the host machine.
keyword
host.id
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name.
keyword
host.ip
Host ip addresses.
ip
host.mac
Host mac addresses.
keyword
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
host.os.family
OS family (such as redhat, debian, freebsd, windows).
keyword
host.os.kernel
Operating system kernel version as a raw string.
keyword
host.os.name
Operating system name, without the version.
keyword
host.os.platform
Operating system platform (such as centos, ubuntu, windows).
keyword
host.os.version
Operating system version as a raw string.
keyword
host.type
Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.
keyword
input.type
Type of Filebeat input.
keyword
log.file.path
Full path to the log file this event came from.
keyword
log.flags
Flags for the log file.
keyword
log.offset
Offset of the entry in the log file.
long
network.community_id
A hash of source and destination IPs and ports.
keyword
network.protocol
L7 Network protocol name.
keyword
network.transport
Protocol name corresponding to the field iana_number.
keyword
related.ip
All of the IPs seen on your event.
ip
related.user
All the user names seen on your event.
keyword
source.address
Source network address.
keyword
source.as.number
Unique number allocated to the autonomous system.
long
source.as.organization.name
Organization name.
keyword
source.geo.city_name
City name.
keyword
source.geo.continent_name
Name of the continent.
keyword
source.geo.country_iso_code
Country ISO code.
keyword
source.geo.country_name
Country name.
keyword
source.geo.location
Longitude and latitude.
geo_point
source.geo.name
User-defined description of a location.
keyword
source.geo.region_iso_code
Region ISO code.
keyword
source.geo.region_name
Region name.
keyword
source.ip
IP address of the source.
ip
source.port
Port of the source.
long
tags
List of keywords used to tag each event.
keyword
user.name
Short name or login of the user.
keyword
zeek.irc.addl
Any additional data for the command.
keyword
zeek.irc.command
Command given by the client.
keyword
zeek.irc.dcc.file.name
Present if base/protocols/irc/dcc-send.bro is loaded. DCC filename requested.
keyword
zeek.irc.dcc.file.size
Present if base/protocols/irc/dcc-send.bro is loaded. Size of the DCC transfer as indicated by the sender.
long
zeek.irc.dcc.mime_type
Present if base/protocols/irc/dcc-send.bro is loaded. Sniffed mime type of the file.
keyword
zeek.irc.fuid
Present if base/protocols/irc/files.bro is loaded. File unique ID.
keyword
zeek.irc.nick
Nickname given for the connection.
keyword
zeek.irc.user
Username given for the connection.
keyword
zeek.irc.value
Value for the command given by the client.
keyword
zeek.session_id
A unique identifier of the session.
keyword

kerberos

The kerberos dataset collects the Zeek kerberos.log file, which contains kerberos data.

Exported fields

Field / Description / Type
@timestamp
Event timestamp.
date
client.address
Client network address.
keyword
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host is running.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.instance.name
Instance name of the host machine.
keyword
cloud.machine.type
Machine type of the host machine.
keyword
cloud.project.id
Name of the project in Google Cloud.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host is running.
keyword
container.id
Unique container id.
keyword
container.image.name
Name of the image the container was built on.
keyword
container.labels
Image labels.
object
container.name
Container name.
keyword
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
destination.address
Destination network address.
keyword
destination.as.number
Unique number allocated to the autonomous system.
long
destination.as.organization.name
Organization name.
keyword
destination.geo.city_name
City name.
keyword
destination.geo.continent_name
Name of the continent.
keyword
destination.geo.country_iso_code
Country ISO code.
keyword
destination.geo.country_name
Country name.
keyword
destination.geo.location
Longitude and latitude.
geo_point
destination.geo.name
User-defined description of a location.
keyword
destination.geo.region_iso_code
Region ISO code.
keyword
destination.geo.region_name
Region name.
keyword
destination.ip
IP address of the destination.
ip
destination.port
Port of the destination.
long
ecs.version
ECS version this event conforms to.
keyword
error.message
Error message.
text
event.action
The action captured by the event.
keyword
event.category
Event category. The second categorization field in the hierarchy.
keyword
event.created
Time when the event was first read by an agent or by your pipeline.
date
event.dataset
Event dataset
constant_keyword
event.id
Unique ID to describe the event.
keyword
event.ingested
Timestamp when an event arrived in the central data store.
date
event.kind
The kind of the event. The highest categorization field in the hierarchy.
keyword
event.module
Event module
constant_keyword
event.outcome
The outcome of the event. The lowest level categorization field in the hierarchy.
keyword
event.type
Event type. The third categorization field in the hierarchy.
keyword
host.architecture
Operating system architecture.
keyword
host.containerized
If the host is a container.
boolean
host.domain
Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
keyword
host.hostname
Hostname of the host. It normally contains what the hostname command returns on the host machine.
keyword
host.id
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name.
keyword
host.ip
Host ip addresses.
ip
host.mac
Host mac addresses.
keyword
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
host.os.family
OS family (such as redhat, debian, freebsd, windows).
keyword
host.os.kernel
Operating system kernel version as a raw string.
keyword
host.os.name
Operating system name, without the version.
keyword
host.os.platform
Operating system platform (such as centos, ubuntu, windows).
keyword
host.os.version
Operating system version as a raw string.
keyword
host.type
Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.
keyword
input.type
Type of Filebeat input.
keyword
log.file.path
Full path to the log file this event came from.
keyword
log.flags
Flags for the log file.
keyword
log.offset
Offset of the entry in the log file.
long
network.community_id
A hash of source and destination IPs and ports.
keyword
network.protocol
L7 Network protocol name.
keyword
network.transport
Protocol name corresponding to the field iana_number.
keyword
related.ip
All of the IPs seen on your event.
ip
related.user
All the user names seen on your event.
keyword
server.address
Server network address.
keyword
source.address
Source network address.
keyword
source.as.number
Unique number allocated to the autonomous system.
long
source.as.organization.name
Organization name.
keyword
source.geo.city_name
City name.
keyword
source.geo.continent_name
Name of the continent.
keyword
source.geo.country_iso_code
Country ISO code.
keyword
source.geo.country_name
Country name.
keyword
source.geo.location
Longitude and latitude.
geo_point
source.geo.name
User-defined description of a location.
keyword
source.geo.region_iso_code
Region ISO code.
keyword
source.geo.region_name
Region name.
keyword
source.ip
IP address of the source.
ip
source.port
Port of the source.
long
tags
List of keywords used to tag each event.
keyword
tls.client.x509.subject.common_name
List of common names (CN) of subject.
keyword
tls.client.x509.subject.country
List of country (C) codes of subject.
keyword
tls.client.x509.subject.locality
List of locality names (L) of subject.
keyword
tls.client.x509.subject.organization
List of organizations (O) of subject.
keyword
tls.client.x509.subject.organizational_unit
List of organizational units (OU) of subject.
keyword
tls.client.x509.subject.state_or_province
List of state or province names (ST, S, or P) of subject.
keyword
tls.server.x509.subject.common_name
List of common names (CN) of subject.
keyword
tls.server.x509.subject.country
List of country (C) codes of subject.
keyword
tls.server.x509.subject.locality
List of locality names (L) of subject.
keyword
tls.server.x509.subject.organization
List of organizations (O) of subject.
keyword
tls.server.x509.subject.organizational_unit
List of organizational units (OU) of subject.
keyword
tls.server.x509.subject.state_or_province
List of state or province names (ST, S, or P) of subject.
keyword
user.domain
Name of the directory the user is a member of.
keyword
user.name
Short name or login of the user.
keyword
zeek.kerberos.cert.client.fuid
File unique ID of client cert.
keyword
zeek.kerberos.cert.client.subject
Subject of client certificate.
keyword
zeek.kerberos.cert.client.value
Client certificate.
keyword
zeek.kerberos.cert.server.fuid
File unique ID of server certificate.
keyword
zeek.kerberos.cert.server.subject
Subject of server certificate.
keyword
zeek.kerberos.cert.server.value
Server certificate.
keyword
zeek.kerberos.cipher
Ticket encryption type.
keyword
zeek.kerberos.client
Client name.
keyword
zeek.kerberos.error.code
Error code.
integer
zeek.kerberos.error.msg
Error message.
keyword
zeek.kerberos.forwardable
Forwardable ticket requested.
boolean
zeek.kerberos.renewable
Renewable ticket requested.
boolean
zeek.kerberos.request_type
Request type - Authentication Service (AS) or Ticket Granting Service (TGS).
keyword
zeek.kerberos.service
Service name.
keyword
zeek.kerberos.success
Request result.
boolean
zeek.kerberos.ticket.auth
Hash of ticket used to authorize request/transaction.
keyword
zeek.kerberos.ticket.new
Hash of ticket returned by the KDC.
keyword
zeek.kerberos.valid.days
Number of days the ticket is valid for.
integer
zeek.kerberos.valid.from
Ticket valid from.
date
zeek.kerberos.valid.until
Ticket valid until.
date
zeek.session_id
A unique identifier of the session.
keyword

modbus

The modbus dataset collects the Zeek modbus.log file, which contains modbus commands and responses.

Exported fields

Field / Description / Type
@timestamp
Event timestamp.
date
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host is running.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.instance.name
Instance name of the host machine.
keyword
cloud.machine.type
Machine type of the host machine.
keyword
cloud.project.id
Name of the project in Google Cloud.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host is running.
keyword
container.id
Unique container id.
keyword
container.image.name
Name of the image the container was built on.
keyword
container.labels
Image labels.
object
container.name
Container name.
keyword
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
destination.address
Destination network address.
keyword
destination.as.number
Unique number allocated to the autonomous system.
long
destination.as.organization.name
Organization name.
keyword
destination.geo.city_name
City name.
keyword
destination.geo.continent_name
Name of the continent.
keyword
destination.geo.country_iso_code
Country ISO code.
keyword
destination.geo.country_name
Country name.
keyword
destination.geo.location
Longitude and latitude.
geo_point
destination.geo.name
User-defined description of a location.
keyword
destination.geo.region_iso_code
Region ISO code.
keyword
destination.geo.region_name
Region name.
keyword
destination.ip
IP address of the destination.
ip
destination.port
Port of the destination.
long
ecs.version
ECS version this event conforms to.
keyword
error.message
Error message.
text
event.action
The action captured by the event.
keyword
event.category
Event category. The second categorization field in the hierarchy.
keyword
event.created
Time when the event was first read by an agent or by your pipeline.
date
event.dataset
Event dataset
constant_keyword
event.id
Unique ID to describe the event.
keyword
event.ingested
Timestamp when an event arrived in the central data store.
date
event.kind
The kind of the event. The highest categorization field in the hierarchy.
keyword
event.module
Event module
constant_keyword
event.outcome
The outcome of the event. The lowest level categorization field in the hierarchy.
keyword
event.type
Event type. The third categorization field in the hierarchy.
keyword
host.architecture
Operating system architecture.
keyword
host.containerized
If the host is a container.
boolean
host.domain
Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
keyword
host.hostname
Hostname of the host. It normally contains what the hostname command returns on the host machine.
keyword
host.id
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name.
keyword
host.ip
Host ip addresses.
ip
host.mac
Host mac addresses.
keyword
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
host.os.family
OS family (such as redhat, debian, freebsd, windows).
keyword
host.os.kernel
Operating system kernel version as a raw string.
keyword
host.os.name
Operating system name, without the version.
keyword
host.os.platform
Operating system platform (such as centos, ubuntu, windows).
keyword
host.os.version
Operating system version as a raw string.
keyword
host.type
Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.
keyword
input.type
Type of Filebeat input.
keyword
log.file.path
Full path to the log file this event came from.
keyword
log.flags
Flags for the log file.
keyword
log.offset
Offset of the entry in the log file.
long
network.community_id
A hash of source and destination IPs and ports.
keyword
network.protocol
L7 Network protocol name.
keyword
network.transport
Protocol name corresponding to the field iana_number.
keyword
related.ip
All of the IPs seen on your event.
ip
source.address
Source network address.
keyword
source.as.number
Unique number allocated to the autonomous system.
long
source.as.organization.name
Organization name.
keyword
source.geo.city_name
City name.
keyword
source.geo.continent_name
Name of the continent.
keyword
source.geo.country_iso_code
Country ISO code.
keyword
source.geo.country_name
Country name.
keyword
source.geo.location
Longitude and latitude.
geo_point
source.geo.name
User-defined description of a location.
keyword
source.geo.region_iso_code
Region ISO code.
keyword
source.geo.region_name
Region name.
keyword
source.ip
IP address of the source.
ip
source.port
Port of the source.
long
tags
List of keywords used to tag each event.
keyword
zeek.modbus.exception
The exception if the response was a failure.
keyword
zeek.modbus.function
The name of the function message that was sent.
keyword
zeek.modbus.track_address
Present if policy/protocols/modbus/track-memmap.bro is loaded. Modbus track address.
integer
zeek.session_id
A unique identifier of the session.
keyword

mysql

The mysql dataset collects the Zeek mysql.log file, which contains MySQL data.

Exported fields

Field | Description | Type
@timestamp
Event timestamp.
date
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host is running.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.instance.name
Instance name of the host machine.
keyword
cloud.machine.type
Machine type of the host machine.
keyword
cloud.project.id
Name of the project in Google Cloud.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host is running.
keyword
container.id
Unique container id.
keyword
container.image.name
Name of the image the container was built on.
keyword
container.labels
Image labels.
object
container.name
Container name.
keyword
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
destination.address
Destination network address.
keyword
destination.as.number
Unique number allocated to the autonomous system.
long
destination.as.organization.name
Organization name.
keyword
destination.geo.city_name
City name.
keyword
destination.geo.continent_name
Name of the continent.
keyword
destination.geo.country_iso_code
Country ISO code.
keyword
destination.geo.country_name
Country name.
keyword
destination.geo.location
Longitude and latitude.
geo_point
destination.geo.name
User-defined description of a location.
keyword
destination.geo.region_iso_code
Region ISO code.
keyword
destination.geo.region_name
Region name.
keyword
destination.ip
IP address of the destination.
ip
destination.port
Port of the destination.
long
ecs.version
ECS version this event conforms to.
keyword
error.message
Error message.
text
event.action
The action captured by the event.
keyword
event.category
Event category. The second categorization field in the hierarchy.
keyword
event.created
Date/time when the event was first read by an agent, or by your pipeline.
date
event.dataset
Event dataset.
constant_keyword
event.id
Unique ID to describe the event.
keyword
event.ingested
Timestamp when an event arrived in the central data store.
date
event.kind
The kind of the event. The highest categorization field in the hierarchy.
keyword
event.module
Event module.
constant_keyword
event.outcome
The outcome of the event. The lowest level categorization field in the hierarchy.
keyword
event.type
Event type. The third categorization field in the hierarchy.
keyword
host.architecture
Operating system architecture.
keyword
host.containerized
If the host is a container.
boolean
host.domain
Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
keyword
host.hostname
Hostname of the host. It normally contains what the hostname command returns on the host machine.
keyword
host.id
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name.
keyword
host.ip
Host IP addresses.
ip
host.mac
Host MAC addresses.
keyword
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
host.os.family
OS family (such as redhat, debian, freebsd, windows).
keyword
host.os.kernel
Operating system kernel version as a raw string.
keyword
host.os.name
Operating system name, without the version.
keyword
host.os.platform
Operating system platform (such as centos, ubuntu, windows).
keyword
host.os.version
Operating system version as a raw string.
keyword
host.type
Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.
keyword
input.type
Type of Filebeat input.
keyword
log.file.path
Full path to the log file this event came from.
keyword
log.flags
Flags for the log file.
keyword
log.offset
Offset of the entry in the log file.
long
network.community_id
A hash of source and destination IPs and ports.
keyword
network.protocol
L7 Network protocol name.
keyword
network.transport
Protocol name corresponding to the field iana_number.
keyword
related.ip
All of the IPs seen on your event.
ip
source.address
Source network address.
keyword
source.as.number
Unique number allocated to the autonomous system.
long
source.as.organization.name
Organization name.
keyword
source.geo.city_name
City name.
keyword
source.geo.continent_name
Name of the continent.
keyword
source.geo.country_iso_code
Country ISO code.
keyword
source.geo.country_name
Country name.
keyword
source.geo.location
Longitude and latitude.
geo_point
source.geo.name
User-defined description of a location.
keyword
source.geo.region_iso_code
Region ISO code.
keyword
source.geo.region_name
Region name.
keyword
source.ip
IP address of the source.
ip
source.port
Port of the source.
long
tags
List of keywords used to tag each event.
keyword
zeek.mysql.arg
The argument issued to the command.
keyword
zeek.mysql.cmd
The command that was issued.
keyword
zeek.mysql.response
Server message, if any.
keyword
zeek.mysql.rows
The number of affected rows, if any.
integer
zeek.mysql.success
Whether the command succeeded.
boolean
zeek.session_id
A unique identifier of the session.
keyword

notice

The notice dataset collects the Zeek notice.log file, which contains Zeek notices.

Exported fields

Field | Description | Type
@timestamp
Event timestamp.
date
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host is running.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.instance.name
Instance name of the host machine.
keyword
cloud.machine.type
Machine type of the host machine.
keyword
cloud.project.id
Name of the project in Google Cloud.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host is running.
keyword
container.id
Unique container id.
keyword
container.image.name
Name of the image the container was built on.
keyword
container.labels
Image labels.
object
container.name
Container name.
keyword
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
destination.address
Destination network address.
keyword
destination.as.number
Unique number allocated to the autonomous system.
long
destination.as.organization.name
Organization name.
keyword
destination.geo.city_name
City name.
keyword
destination.geo.continent_name
Name of the continent.
keyword
destination.geo.country_iso_code
Country ISO code.
keyword
destination.geo.country_name
Country name.
keyword
destination.geo.location
Longitude and latitude.
geo_point
destination.geo.name
User-defined description of a location.
keyword
destination.geo.region_iso_code
Region ISO code.
keyword
destination.geo.region_name
Region name.
keyword
destination.ip
IP address of the destination.
ip
destination.port
Port of the destination.
long
ecs.version
ECS version this event conforms to.
keyword
error.message
Error message.
text
event.category
Event category. The second categorization field in the hierarchy.
keyword
event.created
Time when the event was first read by an agent or by your pipeline.
date
event.dataset
Event dataset.
constant_keyword
event.id
Unique ID to describe the event.
keyword
event.ingested
Timestamp when an event arrived in the central data store.
date
event.kind
The kind of the event. The highest categorization field in the hierarchy.
keyword
event.module
Event module.
constant_keyword
event.type
Event type. The third categorization field in the hierarchy.
keyword
file.mime_type
Media type of file, document, or arrangement of bytes.
keyword
file.size
File size in bytes.
long
host.architecture
Operating system architecture.
keyword
host.containerized
If the host is a container.
boolean
host.domain
Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
keyword
host.hostname
Hostname of the host. It normally contains what the hostname command returns on the host machine.
keyword
host.id
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name.
keyword
host.ip
Host IP addresses.
ip
host.mac
Host MAC addresses.
keyword
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
host.os.family
OS family (such as redhat, debian, freebsd, windows).
keyword
host.os.kernel
Operating system kernel version as a raw string.
keyword
host.os.name
Operating system name, without the version.
keyword
host.os.platform
Operating system platform (such as centos, ubuntu, windows).
keyword
host.os.version
Operating system version as a raw string.
keyword
host.type
Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.
keyword
input.type
Type of Filebeat input.
keyword
log.file.path
Full path to the log file this event came from.
keyword
log.flags
Flags for the log file.
keyword
log.offset
Offset of the entry in the log file.
long
network.community_id
A hash of source and destination IPs and ports.
keyword
network.transport
Protocol name corresponding to the field iana_number.
keyword
related.ip
All of the IPs seen on your event.
ip
rule.description
Rule description.
keyword
rule.name
Rule name.
keyword
source.address
Source network address.
keyword
source.as.number
Unique number allocated to the autonomous system.
long
source.as.organization.name
Organization name.
keyword
source.geo.city_name
City name.
keyword
source.geo.continent_name
Name of the continent.
keyword
source.geo.country_iso_code
Country ISO code.
keyword
source.geo.country_name
Country name.
keyword
source.geo.location
Longitude and latitude.
geo_point
source.geo.name
User-defined description of a location.
keyword
source.geo.region_iso_code
Region ISO code.
keyword
source.geo.region_name
Region name.
keyword
source.ip
IP address of the source.
ip
source.port
Port of the source.
long
tags
List of keywords used to tag each event.
keyword
zeek.notice.actions
The actions which have been applied to this notice.
keyword
zeek.notice.connection_id
Identifier of the related connection session.
keyword
zeek.notice.dropped
Indicate if the source IP address was dropped and denied network access.
boolean
zeek.notice.email_body_sections
By adding chunks of text into this element, other scripts can expand on notices that are being emailed.
text
zeek.notice.email_delay_tokens
Adding a string token to this set will cause the built-in emailing functionality to delay sending the email until either the token has been removed or the email has been delayed for the specified time duration.
keyword
zeek.notice.ffile.total_bytes
Total number of bytes that are supposed to comprise the full file.
long
zeek.notice.file.id
An identifier associated with a single file that is related to this notice.
keyword
zeek.notice.file.is_orig
If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder.
boolean
zeek.notice.file.mime_type
A mime type if the notice is related to a file.
keyword
zeek.notice.file.missing_bytes
The number of bytes in the file stream that were completely missed during the process of analysis.
long
zeek.notice.file.overflow_bytes
The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn't be reassembled.
long
zeek.notice.file.parent_id
Identifier associated with a container file from which this one was extracted.
keyword
zeek.notice.file.seen_bytes
Number of bytes provided to the file analysis engine for the file.
long
zeek.notice.file.source
An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source.
keyword
zeek.notice.fuid
A file unique ID if this notice is related to a file.
keyword
zeek.notice.icmp_id
Identifier of the related ICMP session.
keyword
zeek.notice.identifier
This field is provided when a notice is generated for the purpose of deduplicating notices.
keyword
zeek.notice.msg
The human readable message for the notice.
keyword
zeek.notice.n
Associated count, or a status code.
long
zeek.notice.note
The type of the notice.
keyword
zeek.notice.peer_descr
Textual description for the peer that raised this notice.
text
zeek.notice.peer_name
Name of remote peer that raised this notice.
keyword
zeek.notice.sub
The human readable sub-message.
keyword
zeek.notice.suppress_for
This field indicates the length of time that this unique notice should be suppressed.
double
zeek.session_id
A unique identifier of the session.
keyword

ntlm

The ntlm dataset collects the Zeek ntlm.log file, which contains NT LAN Manager (NTLM) data.

Exported fields

Field | Description | Type
@timestamp
Event timestamp.
date
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host is running.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.instance.name
Instance name of the host machine.
keyword
cloud.machine.type
Machine type of the host machine.
keyword
cloud.project.id
Name of the project in Google Cloud.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host is running.
keyword
container.id
Unique container id.
keyword
container.image.name
Name of the image the container was built on.
keyword
container.labels
Image labels.
object
container.name
Container name.
keyword
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
destination.address
Destination network address.
keyword
destination.as.number
Unique number allocated to the autonomous system.
long
destination.as.organization.name
Organization name.
keyword
destination.geo.city_name
City name.
keyword
destination.geo.continent_name
Name of the continent.
keyword
destination.geo.country_iso_code
Country ISO code.
keyword
destination.geo.country_name
Country name.
keyword
destination.geo.location
Longitude and latitude.
geo_point
destination.geo.name
User-defined description of a location.
keyword
destination.geo.region_iso_code
Region ISO code.
keyword
destination.geo.region_name
Region name.
keyword
destination.ip
IP address of the destination.
ip
destination.port
Port of the destination.
long
ecs.version
ECS version this event conforms to.
keyword
error.message
Error message.
text
event.category
Event category. The second categorization field in the hierarchy.
keyword
event.created
Time when the event was first read by an agent or by your pipeline.
date
event.dataset
Event dataset.
constant_keyword
event.id
Unique ID to describe the event.
keyword
event.ingested
Timestamp when an event arrived in the central data store.
date
event.kind
The kind of the event. The highest categorization field in the hierarchy.
keyword
event.module
Event module.
constant_keyword
event.outcome
The outcome of the event. The lowest level categorization field in the hierarchy.
keyword
event.type
Event type. The third categorization field in the hierarchy.
keyword
file.path
Full path to the log file this event came from.
keyword
host.architecture
Operating system architecture.
keyword
host.containerized
If the host is a container.
boolean
host.domain
Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
keyword
host.hostname
Hostname of the host. It normally contains what the hostname command returns on the host machine.
keyword
host.id
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name.
keyword
host.ip
Host IP addresses.
ip
host.mac
Host MAC addresses.
keyword
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
host.os.family
OS family (such as redhat, debian, freebsd, windows).
keyword
host.os.kernel
Operating system kernel version as a raw string.
keyword
host.os.name
Operating system name, without the version.
keyword
host.os.platform
Operating system platform (such as centos, ubuntu, windows).
keyword
host.os.version
Operating system version as a raw string.
keyword
host.type
Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.
keyword
input.type
Type of Filebeat input.
keyword
log.file.path
Full path to the log file this event came from.
keyword
log.flags
Flags for the log file.
keyword
log.offset
Offset of the entry in the log file.
long
network.community_id
A hash of source and destination IPs and ports.
keyword
network.protocol
L7 Network protocol name.
keyword
network.transport
Protocol name corresponding to the field iana_number.
keyword
related.ip
All of the IPs seen on your event.
ip
related.user
All the user names seen on your event.
keyword
source.address
Source network address.
keyword
source.as.number
Unique number allocated to the autonomous system.
long
source.as.organization.name
Organization name.
keyword
source.geo.city_name
City name.
keyword
source.geo.continent_name
Name of the continent.
keyword
source.geo.country_iso_code
Country ISO code.
keyword
source.geo.country_name
Country name.
keyword
source.geo.location
Longitude and latitude.
geo_point
source.geo.name
User-defined description of a location.
keyword
source.geo.region_iso_code
Region ISO code.
keyword
source.geo.region_name
Region name.
keyword
source.ip
IP address of the source.
ip
source.port
Port of the source.
long
tags
List of keywords used to tag each event.
keyword
user.domain
Name of the directory the user is a member of.
keyword
user.name
Short name or login of the user.
keyword
zeek.ntlm.domain
Domain name given by the client.
keyword
zeek.ntlm.hostname
Hostname given by the client.
keyword
zeek.ntlm.server.name.dns
DNS name given by the server in a CHALLENGE.
keyword
zeek.ntlm.server.name.netbios
NetBIOS name given by the server in a CHALLENGE.
keyword
zeek.ntlm.server.name.tree
Tree name given by the server in a CHALLENGE.
keyword
zeek.ntlm.success
Indicate whether or not the authentication was successful.
boolean
zeek.ntlm.username
Username given by the client.
keyword
zeek.session_id
A unique identifier of the session.
keyword

ocsp

The ocsp dataset collects the Zeek ocsp.log file, which contains Online Certificate Status Protocol (OCSP) data.

Exported fields

Field | Description | Type
@timestamp
Event timestamp.
date
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host is running.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.instance.name
Instance name of the host machine.
keyword
cloud.machine.type
Machine type of the host machine.
keyword
cloud.project.id
Name of the project in Google Cloud.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host is running.
keyword
container.id
Unique container id.
keyword
container.image.name
Name of the image the container was built on.
keyword
container.labels
Image labels.
object
container.name
Container name.
keyword
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
ecs.version
ECS version this event conforms to.
keyword
error.message
Error message.
text
event.created
Time when the event was first read by an agent or by your pipeline.
date
event.dataset
Event dataset.
constant_keyword
event.ingested
Timestamp when an event arrived in the central data store.
date
event.kind
The kind of the event. The highest categorization field in the hierarchy.
keyword
event.module
Event module.
constant_keyword
file.path
Full path to the log file this event came from.
keyword
host.architecture
Operating system architecture.
keyword
host.containerized
If the host is a container.
boolean
host.domain
Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
keyword
host.hostname
Hostname of the host. It normally contains what the hostname command returns on the host machine.
keyword
host.id
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name.
keyword
host.ip
Host IP addresses.
ip
host.mac
Host MAC addresses.
keyword
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
host.os.family
OS family (such as redhat, debian, freebsd, windows).
keyword
host.os.kernel
Operating system kernel version as a raw string.
keyword
host.os.name
Operating system name, without the version.
keyword
host.os.platform
Operating system platform (such as centos, ubuntu, windows).
keyword
host.os.version
Operating system version as a raw string.
keyword
host.type
Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.
keyword
input.type
Type of Filebeat input.
keyword
log.file.path
Full path to the log file this event came from.
keyword
log.flags
Flags for the log file.
keyword
log.offset
Offset of the entry in the log file.
long
network.transport
Protocol name corresponding to the field iana_number.
keyword
related.hash
All the hashes seen on your event.
keyword
tags
List of keywords used to tag each event.
keyword
zeek.ocsp.file_id
File id of the OCSP reply.
keyword
zeek.ocsp.hash.algorithm
Hash algorithm used to generate issuerNameHash and issuerKeyHash.
keyword
zeek.ocsp.hash.issuer.key
Hash of the issuer's public key.
keyword
zeek.ocsp.hash.issuer.name
Hash of the issuer's distinguished name.
keyword
zeek.ocsp.revoke.date
Time at which the certificate was revoked.
date
zeek.ocsp.revoke.reason
Reason for which the certificate was revoked.
keyword
zeek.ocsp.serial_number
Serial number of the affected certificate.
keyword
zeek.ocsp.status
Status of the affected certificate.
keyword
zeek.ocsp.update.next
The latest time at which new information about the status of the certificate will be available.
date
zeek.ocsp.update.this
The time at which the status being shown is known to have been correct.
date
zeek.session_id
A unique identifier of the session.
keyword

pe

The pe dataset collects the Zeek pe.log file, which contains portable executable data.

Exported fields

Field | Description | Type
@timestamp
Event timestamp.
date
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host is running.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.instance.name
Instance name of the host machine.
keyword
cloud.machine.type
Machine type of the host machine.
keyword
cloud.project.id
Name of the project in Google Cloud.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host is running.
keyword
container.id
Unique container id.
keyword
container.image.name
Name of the image the container was built on.
keyword
container.labels
Image labels.
object
container.name
Container name.
keyword
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
ecs.version
ECS version this event conforms to.
keyword
error.message
Error message.
text
event.category
Event category. The second categorization field in the hierarchy.
keyword
event.created
Time when the event was first read by an agent or by your pipeline.
date
event.dataset
Event dataset.
constant_keyword
event.ingested
Timestamp when an event arrived in the central data store.
date
event.kind
The kind of the event. The highest categorization field in the hierarchy.
keyword
event.module
Event module.
constant_keyword
event.type
Event type. The third categorization field in the hierarchy.
keyword
host.architecture
Operating system architecture.
keyword
host.containerized
If the host is a container.
boolean
host.domain
Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
keyword
host.hostname
Hostname of the host. It normally contains what the hostname command returns on the host machine.
keyword
host.id
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name.
keyword
host.ip
Host IP addresses.
ip
host.mac
Host MAC addresses.
keyword
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
host.os.family
OS family (such as redhat, debian, freebsd, windows).
keyword
host.os.kernel
Operating system kernel version as a raw string.
keyword
host.os.name
Operating system name, without the version.
keyword
host.os.platform
Operating system platform (such as centos, ubuntu, windows).
keyword
host.os.version
Operating system version as a raw string.
keyword
host.type
Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.
keyword
input.type
Type of Filebeat input.
keyword
log.file.path
Full path to the log file this event came from.
keyword
log.flags
Flags for the log file.
keyword
log.offset
Offset of the entry in the log file.
long
tags
List of keywords used to tag each event.
keyword
zeek.pe.client
The client's version string.
keyword
zeek.pe.compile_time
The time that the file was created at.
date
zeek.pe.has_cert_table
Does the file have an attribute certificate table?
boolean
zeek.pe.has_debug_data
Does the file have a debug table?
boolean
zeek.pe.has_export_table
Does the file have an export table?
boolean
zeek.pe.has_import_table
Does the file have an import table?
boolean
zeek.pe.id
File id of this portable executable file.
keyword
zeek.pe.is_64bit
Is the file a 64-bit executable?
boolean
zeek.pe.is_exe
Is the file an executable, or just an object file?
boolean
zeek.pe.machine
The target machine that the file was compiled for.
keyword
zeek.pe.os
The required operating system.
keyword
zeek.pe.section_names
The names of the sections, in order.
keyword
zeek.pe.subsystem
The subsystem that is required to run this file.
keyword
zeek.pe.uses_aslr
Does the file support Address Space Layout Randomization?
boolean
zeek.pe.uses_code_integrity
Does the file enforce code integrity checks?
boolean
zeek.pe.uses_dep
Does the file support Data Execution Prevention?
boolean
zeek.pe.uses_seh
Does the file use structured exception handling?
boolean
zeek.session_id
A unique identifier of the session.
keyword

radius

The radius dataset collects the Zeek radius.log file, which contains RADIUS authentication attempts.

Exported fields

Field | Description | Type
@timestamp
Event timestamp.
date
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host is running.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.instance.name
Instance name of the host machine.
keyword
cloud.machine.type
Machine type of the host machine.
keyword
cloud.project.id
Name of the project in Google Cloud.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host is running.
keyword
container.id
Unique container id.
keyword
container.image.name
Name of the image the container was built on.
keyword
container.labels
Image labels.
object
container.name
Container name.
keyword
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
destination.address
Destination network address.
keyword
destination.as.number
Unique number allocated to the autonomous system.
long
destination.as.organization.name
Organization name.
keyword
destination.geo.city_name
City name.
keyword
destination.geo.continent_name
Name of the continent.
keyword
destination.geo.country_iso_code
Country ISO code.
keyword
destination.geo.country_name
Country name.
keyword
destination.geo.location
Longitude and latitude.
geo_point
destination.geo.name
User-defined description of a location.
keyword
destination.geo.region_iso_code
Region ISO code.
keyword
destination.geo.region_name
Region name.
keyword
destination.ip
IP address of the destination.
ip
destination.port
Port of the destination.
long
ecs.version
ECS version this event conforms to.
keyword
error.message
Error message.
text
event.category
Event category. The second categorization field in the hierarchy.
keyword
event.created
Time when the event was first read by an agent or by your pipeline.
date
event.dataset
Event dataset
constant_keyword
event.id
Unique ID to describe the event.
keyword
event.ingested
Timestamp when an event arrived in the central data store.
date
event.kind
The kind of the event. The highest categorization field in the hierarchy.
keyword
event.module
Event module
constant_keyword
event.outcome
The outcome of the event. The lowest level categorization field in the hierarchy.
keyword
event.type
Event type. The third categorization field in the hierarchy.
keyword
host.architecture
Operating system architecture.
keyword
host.containerized
If the host is a container.
boolean
host.domain
Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
keyword
host.hostname
Hostname of the host. It normally contains what the hostname command returns on the host machine.
keyword
host.id
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name.
keyword
host.ip
Host ip addresses.
ip
host.mac
Host mac addresses.
keyword
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
host.os.family
OS family (such as redhat, debian, freebsd, windows).
keyword
host.os.kernel
Operating system kernel version as a raw string.
keyword
host.os.name
Operating system name, without the version.
keyword
host.os.platform
Operating system platform (such centos, ubuntu, windows).
keyword
host.os.version
Operating system version as a raw string.
keyword
host.type
Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.
keyword
input.type
Type of Filebeat input.
keyword
log.file.path
Full path to the log file this event came from.
keyword
log.flags
Flags for the log file.
keyword
log.offset
Offset of the entry in the log file.
long
network.community_id
A hash of source and destination IPs and ports.
keyword
network.protocol
L7 Network protocol name.
keyword
network.transport
Protocol Name corresponding to the field iana_number.
keyword
related.ip
All of the IPs seen on your event.
ip
related.user
All the user names seen on your event.
keyword
source.address
Source network address.
keyword
source.as.number
Unique number allocated to the autonomous system.
long
source.as.organization.name
Organization name.
keyword
source.geo.city_name
City name.
keyword
source.geo.continent_name
Name of the continent.
keyword
source.geo.country_iso_code
Country ISO code.
keyword
source.geo.country_name
Country name.
keyword
source.geo.location
Longitude and latitude.
geo_point
source.geo.name
User-defined description of a location.
keyword
source.geo.region_iso_code
Region ISO code.
keyword
source.geo.region_name
Region name.
keyword
source.ip
IP address of the source.
ip
source.port
Port of the source.
long
tags
List of keywords used to tag each event.
keyword
user.name
Short name or login of the user.
keyword
zeek.radius.connect_info
Connect info, if present.
keyword
zeek.radius.framed_addr
The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address.
ip
zeek.radius.logged
Whether this has already been logged and can be ignored.
boolean
zeek.radius.mac
MAC address, if present.
keyword
zeek.radius.remote_ip
Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute.
ip
zeek.radius.reply_msg
Reply message from the server challenge. This is frequently shown to the user authenticating.
keyword
zeek.radius.result
Successful or failed authentication.
keyword
zeek.radius.ttl
The duration between the first request and either the "Access-Accept" message or an error. If the field is empty, it means that either the request or response was not seen.
integer
zeek.radius.username
The username, if present.
keyword
zeek.session_id
A unique identifier of the session
keyword

rdp

The rdp dataset collects the Zeek rdp.log file, which contains RDP data.

Exported fields

Field | Description | Type
@timestamp | Event timestamp. | date
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword
cloud.availability_zone | Availability zone in which this host is running. | keyword
cloud.image.id | Image ID for the cloud instance. | keyword
cloud.instance.id | Instance ID of the host machine. | keyword
cloud.instance.name | Instance name of the host machine. | keyword
cloud.machine.type | Machine type of the host machine. | keyword
cloud.project.id | Name of the project in Google Cloud. | keyword
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword
cloud.region | Region in which this host is running. | keyword
container.id | Unique container id. | keyword
container.image.name | Name of the image the container was built on. | keyword
container.labels | Image labels. | object
container.name | Container name. | keyword
data_stream.dataset | Data stream dataset. | constant_keyword
data_stream.namespace | Data stream namespace. | constant_keyword
data_stream.type | Data stream type. | constant_keyword
destination.address | Destination network address. | keyword
destination.as.number | Unique number allocated to the autonomous system. | long
destination.as.organization.name | Organization name. | keyword
destination.geo.city_name | City name. | keyword
destination.geo.continent_name | Name of the continent. | keyword
destination.geo.country_iso_code | Country ISO code. | keyword
destination.geo.country_name | Country name. | keyword
destination.geo.location | Longitude and latitude. | geo_point
destination.geo.name | User-defined description of a location. | keyword
destination.geo.region_iso_code | Region ISO code. | keyword
destination.geo.region_name | Region name. | keyword
destination.ip | IP address of the destination. | ip
destination.port | Port of the destination. | long
ecs.version | ECS version this event conforms to. | keyword
error.message | Error message. | text
event.category | Event category. The second categorization field in the hierarchy. | keyword
event.created | Time when the event was first read by an agent or by your pipeline. | date
event.dataset | Event dataset. | constant_keyword
event.id | Unique ID to describe the event. | keyword
event.ingested | Timestamp when an event arrived in the central data store. | date
event.kind | The kind of the event. The highest categorization field in the hierarchy. | keyword
event.module | Event module. | constant_keyword
event.type | Event type. The third categorization field in the hierarchy. | keyword
host.architecture | Operating system architecture. | keyword
host.containerized | If the host is a container. | boolean
host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword
host.hostname | Hostname of the host. It normally contains what the hostname command returns on the host machine. | keyword
host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name. | keyword
host.ip | Host ip addresses. | ip
host.mac | Host mac addresses. | keyword
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword
host.os.build | OS build information. | keyword
host.os.codename | OS codename, if any. | keyword
host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword
host.os.kernel | Operating system kernel version as a raw string. | keyword
host.os.name | Operating system name, without the version. | keyword
host.os.platform | Operating system platform (such as centos, ubuntu, windows). | keyword
host.os.version | Operating system version as a raw string. | keyword
host.type | Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword
input.type | Type of Filebeat input. | keyword
log.file.path | Full path to the log file this event came from. | keyword
log.flags | Flags for the log file. | keyword
log.offset | Offset of the entry in the log file. | long
network.community_id | A hash of source and destination IPs and ports. | keyword
network.protocol | L7 Network protocol name. | keyword
network.transport | Protocol Name corresponding to the field iana_number. | keyword
related.ip | All of the IPs seen on your event. | ip
source.address | Source network address. | keyword
source.as.number | Unique number allocated to the autonomous system. | long
source.as.organization.name | Organization name. | keyword
source.geo.city_name | City name. | keyword
source.geo.continent_name | Name of the continent. | keyword
source.geo.country_iso_code | Country ISO code. | keyword
source.geo.country_name | Country name. | keyword
source.geo.location | Longitude and latitude. | geo_point
source.geo.name | User-defined description of a location. | keyword
source.geo.region_iso_code | Region ISO code. | keyword
source.geo.region_name | Region name. | keyword
source.ip | IP address of the source. | ip
source.port | Port of the source. | long
tags | List of keywords used to tag each event. | keyword
tls.established | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | boolean
zeek.rdp.cert.count | The number of certs seen. X.509 can transfer an entire certificate chain. | integer
zeek.rdp.cert.permanent | Indicates if the provided certificate or certificate chain is permanent or temporary. | boolean
zeek.rdp.cert.type | If the connection is being encrypted with native RDP encryption, this is the type of cert being used. | keyword
zeek.rdp.client.build | RDP client version used by the client machine. | keyword
zeek.rdp.client.client_name | Name of the client machine. | keyword
zeek.rdp.client.product_id | Product ID of the client machine. | keyword
zeek.rdp.cookie | Cookie value used by the client machine. This is typically a username. | keyword
zeek.rdp.desktop.color_depth | The color depth requested by the client in the high_color_depth field. | keyword
zeek.rdp.desktop.height | Desktop height of the client machine. | integer
zeek.rdp.desktop.width | Desktop width of the client machine. | integer
zeek.rdp.done | Track status of logging RDP connections. | boolean
zeek.rdp.encryption.level | Encryption level of the connection. | keyword
zeek.rdp.encryption.method | Encryption method of the connection. | keyword
zeek.rdp.keyboard_layout | Keyboard layout (language) of the client machine. | keyword
zeek.rdp.result | Status result for the connection. It's a mix between RDP negotiation failure messages and GCC server create response messages. | keyword
zeek.rdp.security_protocol | Security protocol chosen by the server. | keyword
zeek.rdp.ssl | (present if policy/protocols/rdp/indicate_ssl.bro is loaded) Flag the connection if it was seen over SSL. | boolean
zeek.session_id | A unique identifier of the session. | keyword

rfb

The rfb dataset collects the Zeek rfb.log file, which contains Remote Framebuffer (RFB) data.

Exported fields

Field | Description | Type
@timestamp | Event timestamp. | date
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword
cloud.availability_zone | Availability zone in which this host is running. | keyword
cloud.image.id | Image ID for the cloud instance. | keyword
cloud.instance.id | Instance ID of the host machine. | keyword
cloud.instance.name | Instance name of the host machine. | keyword
cloud.machine.type | Machine type of the host machine. | keyword
cloud.project.id | Name of the project in Google Cloud. | keyword
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword
cloud.region | Region in which this host is running. | keyword
container.id | Unique container id. | keyword
container.image.name | Name of the image the container was built on. | keyword
container.labels | Image labels. | object
container.name | Container name. | keyword
data_stream.dataset | Data stream dataset. | constant_keyword
data_stream.namespace | Data stream namespace. | constant_keyword
data_stream.type | Data stream type. | constant_keyword
destination.address | Destination network address. | keyword
destination.as.number | Unique number allocated to the autonomous system. | long
destination.as.organization.name | Organization name. | keyword
destination.geo.city_name | City name. | keyword
destination.geo.continent_name | Name of the continent. | keyword
destination.geo.country_iso_code | Country ISO code. | keyword
destination.geo.country_name | Country name. | keyword
destination.geo.location | Longitude and latitude. | geo_point
destination.geo.name | User-defined description of a location. | keyword
destination.geo.region_iso_code | Region ISO code. | keyword
destination.geo.region_name | Region name. | keyword
destination.ip | IP address of the destination. | ip
destination.port | Port of the destination. | long
ecs.version | ECS version this event conforms to. | keyword
error.message | Error message. | text
event.category | Event category. The second categorization field in the hierarchy. | keyword
event.created | Time when the event was first read by an agent or by your pipeline. | date
event.dataset | Event dataset. | constant_keyword
event.id | Unique ID to describe the event. | keyword
event.ingested | Timestamp when an event arrived in the central data store. | date
event.kind | The kind of the event. The highest categorization field in the hierarchy. | keyword
event.module | Event module. | constant_keyword
event.type | Event type. The third categorization field in the hierarchy. | keyword
host.architecture | Operating system architecture. | keyword
host.containerized | If the host is a container. | boolean
host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword
host.hostname | Hostname of the host. It normally contains what the hostname command returns on the host machine. | keyword
host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name. | keyword
host.ip | Host ip addresses. | ip
host.mac | Host mac addresses. | keyword
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword
host.os.build | OS build information. | keyword
host.os.codename | OS codename, if any. | keyword
host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword
host.os.kernel | Operating system kernel version as a raw string. | keyword
host.os.name | Operating system name, without the version. | keyword
host.os.platform | Operating system platform (such as centos, ubuntu, windows). | keyword
host.os.version | Operating system version as a raw string. | keyword
host.type | Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword
input.type | Type of Filebeat input. | keyword
log.file.path | Full path to the log file this event came from. | keyword
log.flags | Flags for the log file. | keyword
log.offset | Offset of the entry in the log file. | long
network.community_id | A hash of source and destination IPs and ports. | keyword
network.protocol | L7 Network protocol name. | keyword
network.transport | Protocol Name corresponding to the field iana_number. | keyword
related.ip | All of the IPs seen on your event. | ip
source.address | Source network address. | keyword
source.as.number | Unique number allocated to the autonomous system. | long
source.as.organization.name | Organization name. | keyword
source.geo.city_name | City name. | keyword
source.geo.continent_name | Name of the continent. | keyword
source.geo.country_iso_code | Country ISO code. | keyword
source.geo.country_name | Country name. | keyword
source.geo.location | Longitude and latitude. | geo_point
source.geo.name | User-defined description of a location. | keyword
source.geo.region_iso_code | Region ISO code. | keyword
source.geo.region_name | Region name. | keyword
source.ip | IP address of the source. | ip
source.port | Port of the source. | long
tags | List of keywords used to tag each event. | keyword
zeek.rfb.auth.method | Identifier of authentication method used. | keyword
zeek.rfb.auth.success | Whether or not authentication was successful. | boolean
zeek.rfb.desktop_name | Name of the screen that is being shared. | keyword
zeek.rfb.height | Height of the screen that is being shared. | integer
zeek.rfb.share_flag | Whether the client has an exclusive or a shared session. | boolean
zeek.rfb.version.client.major | Major version of the client. | keyword
zeek.rfb.version.client.minor | Minor version of the client. | keyword
zeek.rfb.version.server.major | Major version of the server. | keyword
zeek.rfb.version.server.minor | Minor version of the server. | keyword
zeek.rfb.width | Width of the screen that is being shared. | integer
zeek.session_id | A unique identifier of the session. | keyword

sip

The sip dataset collects the Zeek sip.log file, which contains SIP data.

Exported fields

Field | Description | Type
@timestamp | Event timestamp. | date
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword
cloud.availability_zone | Availability zone in which this host is running. | keyword
cloud.image.id | Image ID for the cloud instance. | keyword
cloud.instance.id | Instance ID of the host machine. | keyword
cloud.instance.name | Instance name of the host machine. | keyword
cloud.machine.type | Machine type of the host machine. | keyword
cloud.project.id | Name of the project in Google Cloud. | keyword
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword
cloud.region | Region in which this host is running. | keyword
container.id | Unique container id. | keyword
container.image.name | Name of the image the container was built on. | keyword
container.labels | Image labels. | object
container.name | Container name. | keyword
data_stream.dataset | Data stream dataset. | constant_keyword
data_stream.namespace | Data stream namespace. | constant_keyword
data_stream.type | Data stream type. | constant_keyword
destination.address | Destination network address. | keyword
destination.as.number | Unique number allocated to the autonomous system. | long
destination.as.organization.name | Organization name. | keyword
destination.geo.city_name | City name. | keyword
destination.geo.continent_name | Name of the continent. | keyword
destination.geo.country_iso_code | Country ISO code. | keyword
destination.geo.country_name | Country name. | keyword
destination.geo.location | Longitude and latitude. | geo_point
destination.geo.name | User-defined description of a location. | keyword
destination.geo.region_iso_code | Region ISO code. | keyword
destination.geo.region_name | Region name. | keyword
destination.ip | IP address of the destination. | ip
destination.port | Port of the destination. | long
ecs.version | ECS version this event conforms to. | keyword
error.message | Error message. | text
event.action | The action captured by the event. | keyword
event.category | Event category. The second categorization field in the hierarchy. | keyword
event.created | Time when the event was first read by an agent or by your pipeline. | date
event.dataset | Event dataset. | constant_keyword
event.id | Unique ID to describe the event. | keyword
event.ingested | Timestamp when an event arrived in the central data store. | date
event.kind | The kind of the event. The highest categorization field in the hierarchy. | keyword
event.module | Event module. | constant_keyword
event.outcome | The outcome of the event. The lowest level categorization field in the hierarchy. | keyword
event.type | Event type. The third categorization field in the hierarchy. | keyword
host.architecture | Operating system architecture. | keyword
host.containerized | If the host is a container. | boolean
host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword
host.hostname | Hostname of the host. It normally contains what the hostname command returns on the host machine. | keyword
host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name. | keyword
host.ip | Host ip addresses. | ip
host.mac | Host mac addresses. | keyword
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword
host.os.build | OS build information. | keyword
host.os.codename | OS codename, if any. | keyword
host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword
host.os.kernel | Operating system kernel version as a raw string. | keyword
host.os.name | Operating system name, without the version. | keyword
host.os.platform | Operating system platform (such as centos, ubuntu, windows). | keyword
host.os.version | Operating system version as a raw string. | keyword
host.type | Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword
input.type | Type of Filebeat input. | keyword
log.file.path | Full path to the log file this event came from. | keyword
log.flags | Flags for the log file. | keyword
log.offset | Offset of the entry in the log file. | long
network.community_id | A hash of source and destination IPs and ports. | keyword
network.protocol | L7 Network protocol name. | keyword
network.transport | Protocol Name corresponding to the field iana_number. | keyword