Zeek 로그

Zeek 로그를 Panther Console에 연결하기

개요

Panther는 일반적인 방법으로 Zeek 로그를 수집하는 것을 지원합니다 데이터 전송 옵션: Amazon Web Services(AWS) S3 및 SQS.

Zeek 로그를 Panther에 온보딩하는 방법

이 로그를 Panther로 가져오려면:

Panther Console의 왼쪽 탐색 모음에서 구성하세요. > 로그 소스.
을 클릭한 다음 새로 만들기.
온보딩하려는 로그 유형을 검색한 다음 해당 타일을 클릭합니다.
이 통합에 사용할 데이터 전송 방법을 선택한 다음, 해당 방법을 구성하기 위한 Panther의 지침을 따르세요:
1. AWS SQS
2. AWS S3 버킷
Zeek를 구성하여 로그를 Data Transport 소스로 푸시합니다.
- 선택한 Data Transport 소스로 로그를 푸시하는 방법은 Zeek 문서를 참조하세요.

지원되는 로그 유형

Zeek.CaptureLoss

Zeek CaptureLoss는 패킷 캡처 프로세스가 측정 손실을 겪는 정도에 대한 근거를 기록합니다.

참조: Capture Loss

schema: Zeek.CaptureLoss
description: Zeek CaptureLoss. 패킷 캡처 프로세스가 측정 손실을 겪는 정도에 대한 근거를 기록합니다
referenceURL: https://docs.zeek.org/en/master/scripts/policy/misc/capture-loss.zeek.html
fields:
  - name: acks
    required: true
    type: bigint
  - name: gaps
    required: true
    type: bigint
  - name: peer
    required: true
    type: string
  - name: percent_lost
    required: true
    type: float
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: ts_delta
    required: true
    type: float

Zeek.Conn

참조: conn.log

schema: Zeek.Conn
description: Zeek Conn
referenceURL: https://docs.zeek.org/en/master/logs/conn.html
fields:
  - 이름: service
    type: string
  - name: duration
    type: float
  - name: orig_bytes
    type: bigint
  - name: resp_bytes
    type: bigint
  - name: history
    type: string
  - name: conn_state
    required: true
    type: string
  - name: id.orig_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.orig_p
    required: true
    type: bigint
  - name: id.resp_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.resp_p
    required: true
    type: bigint
  - name: local_orig
    required: true
    type: boolean
  - name: local_resp
    required: true
    type: boolean
  - name: missed_bytes
    required: true
    type: bigint
  - name: orig_ip_bytes
    required: true
    type: bigint
  - name: orig_pkts
    required: true
    type: bigint
  - 이름: proto
    required: true
    type: string
  - name: resp_ip_bytes
    required: true
    type: bigint
  - name: resp_pkts
    required: true
    type: bigint
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - 이름: uid
    required: true
    type: string
    indicators:
      - trace_id
  - name: uid2
    type: string
    indicators:
      - trace_id

Zeek.DHCP

참조: dhcp.log

schema: Zeek.DHCP
description: Zeek DHCP
referenceURL: https://docs.zeek.org/en/master/logs/dhcp.html
fields:
  - name: host_name
    type: string
    indicators:
      - 도메인
  - name: requested_addr
    type: string
    indicators:
      - ip
  - name: duration
    required: true
    type: float
  - name: mac
    required: true
    type: string
    indicators:
      - mac
  - name: msg_types
    required: true
    type: array
    element:
      type: string
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: uids
    required: true
    type: array
    element:
      type: string
      indicators:
        - trace_id

Zeek.DNS

Zeek DNS 활동

참조: Zeek 문서 - DNS::info

schema: Zeek.DNS
description: Zeek DNS 활동
referenceURL: https://docs.zeek.org/en/current/scripts/base/protocols/dns/main.zeek.html#type-DNS::Info
fields:
  - name: ts
    required: true
    description: 연결된 연결을 통해 DNS 프로토콜 메시지가 관찰되는 가장 이른 시각.
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - 이름: uid
    required: true
    description: DNS 메시지가 전송되는 연결의 고유 식별자.
    type: string
  - name: id.orig_h
    required: true
    description: 발신자의 IP 주소.
    type: string
    indicators:
      - ip
  - name: id.orig_p
    required: true
    description: 발신자의 포트 번호.
    유형: int
  - name: id.resp_h
    required: true
    description: 응답자의 IP 주소.
    type: string
    indicators:
      - ip
  - name: id.resp_p
    required: true
    description: 응답자의 포트 번호.
    유형: int
  - 이름: proto
    required: true
    description: 연결의 전송 계층 프로토콜.
    type: string
  - name: trans_id
    description: DNS 쿼리를 생성한 프로그램이 할당한 16비트 식별자. 응답에서도 진행 중인 쿼리에 대한 응답을 대응시키는 데 사용됨.
    유형: int
  - 이름: query
    description: DNS 쿼리의 대상이 되는 도메인 이름.
    type: string
    indicators:
      - 도메인
  - name: qclass
    description: 쿼리의 클래스를 지정하는 QCLASS 값.
    type: bigint
  - name: qclass_name
    description: 쿼리 클래스의 설명적인 이름.
    type: string
  - name: qtype
    description: 쿼리의 유형을 지정하는 QTYPE 값.
    type: bigint
  - name: qtype_name
    description: 쿼리 유형의 설명적인 이름.
    type: string
  - name: rcode
    description: DNS 응답 메시지의 응답 코드 값.
    type: bigint
  - name: rcode_name
    description: 응답 코드 값의 설명적인 이름.
    type: string
  - name: AA
    description: 응답 메시지의 Authoritative Answer 비트는 응답하는 이름 서버가 질문 섹션의 도메인 이름에 대한 권한자임을 지정합니다.
    type: boolean
  - name: TC
    description: Truncation 비트는 메시지가 잘렸음을 지정합니다.
    type: boolean
  - name: RD
    description: 요청 메시지의 Recursion Desired 비트는 클라이언트가 이 쿼리에 대해 재귀 서비스를 원함을 나타냅니다.
    type: boolean
  - name: RA
    description: 응답 메시지의 Recursion Available 비트는 이름 서버가 재귀 쿼리를 지원함을 나타냅니다.
    type: boolean
  - name: Z
    description: 일반적으로 쿼리와 응답에서 0인 예약 필드.
    type: bigint
  - name: answers
    description: 쿼리 응답의 리소스 설명 집합.
    type: array
    element:
      type: string
      indicators:
        - hostname
  - name: TTLs
    description: answers 필드에 설명된 관련 RR의 캐시 간격(초 단위).
    type: array
    element:
      type: float
  - name: rejected
    description: DNS 쿼리가 서버에 의해 거부됨.
    type: boolean

Zeek.DPD

Zeek 동적 프로토콜 디택션.

참조: dpd.log

schema: Zeek.DPD
description: Zeek 동적 프로토콜 디택션
referenceURL: https://docs.zeek.org/en/master/logs/dpd.html
fields:
  - name: analyzer
    required: true
    type: string
  - name: failure_reason
    required: true
    type: string
  - name: id.orig_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.orig_p
    required: true
    type: bigint
  - name: id.resp_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.resp_p
    required: true
    type: bigint
  - 이름: proto
    required: true
    type: string
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - 이름: uid
    required: true
    type: string
    indicators:
      - trace_id

Zeek.Files

참조: files.log

schema: Zeek.Files
description: Zeek Files
referenceURL: https://docs.zeek.org/en/master/logs/files.html
fields:
  - name: analyzers
    required: true
    type: array
    element:
      type: string
  - name: conn_uids
    required: true
    type: array
    element:
      type: string
      indicators:
        - trace_id
  - name: depth
    required: true
    type: bigint
  - name: duration
    required: true
    type: float
  - name: fuid
    required: true
    type: string
    indicators:
      - trace_id
  - name: is_orig
    required: true
    type: boolean
  - name: local_orig
    required: true
    type: boolean
  - name: md5
    required: true
    type: string
    indicators:
      - md5
  - name: mime_type
    type: string
  - name: missing_bytes
    required: true
    type: bigint
  - name: overflow_bytes
    required: true
    type: bigint
  - name: rx_hosts
    required: true
    type: array
    element:
      type: string
      indicators:
        - ip
  - name: seen_bytes
    required: true
    type: bigint
  - name: sha1
    required: true
    type: string
    indicators:
      - sha1
  - name: source
    required: true
    type: string
  - name: timedout
    required: true
    type: boolean
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: tx_hosts
    required: true
    type: array
    element:
      type: string
      indicators:
        - ip

Zeek.HTTP

참조: http.log

schema: Zeek.HTTP
description: Zeek HTTP 활동
referenceURL: https://docs.zeek.org/en/master/scripts/base/protocols/http/main.zeek.html#type-HTTP::Info
fields:
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - 이름: uid
    required: true
    type: string
    indicators:
      - trace_id
  - name: id.orig_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.orig_p
    required: true
    type: bigint
  - name: id.resp_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.resp_p
    required: true
    type: bigint
  - name: trans_depth
    required: true
    type: bigint
  - 이름: method
    type: string
  - 이름: host
    type: string
    indicators:
      - 도메인
  - name: uri
    type: string
  - name: referrer
    type: string
  - 이름: version
    type: string
  - 이름: user_agent
    type: string
  - name: origin
    type: string
  - name: request_body_len
    type: bigint
  - name: response_body_len
    type: bigint
  - 이름: status_code
    type: bigint
  - name: status_msg
    type: string
  - name: info_code
    type: bigint
  - name: info_msg
    type: string
  - name: tags
    required: true
    type: json
  - 이름: username
    type: string
  - name: password
    type: string
  - name: capture_password
    type: boolean
  - name: proxied
    type: array
    element:
      type: string
  - name: range_request
    type: boolean
  - name: orig_fuids
    type: array
    element:
      type: string
      indicators:
        - trace_id
  - name: orig_filenames
    type: array
    element:
      type: string
  - name: orig_mime_types
    type: array
    element:
      type: string
  - name: resp_fuids
    type: array
    element:
      type: string
      indicators:
        - trace_id
  - name: resp_filenames
    type: array
    element:
      type: string
  - name: resp_mime_types
    type: array
    element:
      type: string
  - name: current_entity
    type: json
  - name: orig_mime_depth
    type: bigint
  - name: resp_mime_depth
    type: bigint
  - name: client_header_names
    type: array
    element:
      type: string
  - name: server_header_names
    type: array
    element:
      type: string
  - name: omniture
    type: boolean
  - name: flash_version
    type: string
  - name: cookie_vars
    type: array
    element:
      type: string
  - name: uri_vars
    type: array
    element:
      type: string

Zeek.KnownHosts

Zeek Known Hosts - TCP 연결을 완료한 호스트를 추적합니다.

참조: known-hosts.log

schema: Zeek.KnownHosts
description: Zeek Known Hosts - TCP 연결을 완료한 호스트를 추적합니다
referenceURL: https://docs.zeek.org/en/master/scripts/policy/protocols/conn/known-hosts.zeek.html
fields:
  - name: ts
    required: true
    description: 호스트가 탐지된 시각.
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - 이름: host
    required: true
    description: TCP 연결의 발신 또는 응답으로 탐지된 주소.
    type: string
    indicators:
      - ip

Zeek.KnownServices

known-services 로그의 열 필드를 포함하는 레코드 유형.

참조: known-services.log

schema: Zeek.KnownServices
description: known-services 로그의 열 필드를 포함하는 레코드 유형
referenceURL: https://docs.zeek.org/en/master/scripts/policy/protocols/conn/known-services.zeek.html
fields:
  - name: ts
    required: true
    description: 서비스가 관찰된 시각
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - 이름: host
    required: true
    description: 서비스를 제공하는 시스템의 IP 주소
    type: string
    indicators:
      - ip
  - name: port_num
    required: true
    description: 서비스가 실행 중인 포트 번호
    type: bigint
  - name: port_proto
    required: true
    description: 서비스가 사용하는 전송 계층 프로토콜
    type: string
  - 이름: service
    required: true
    description: 서비스의 연결 페이로드와 일치하는 프로토콜 집합
    type: array
    element:
      type: string

Zeek.Notice

참조: notice.log

schema: Zeek.Notice
description: Zeek Notice 활동
referenceURL: https://docs.zeek.org/en/master/frameworks/notice.html
fields:
  - name: actions
    required: true
    type: array
    element:
      type: string
  - name: email_dest
    type: array
    element:
      type: string
  - name: dst
    type: string
    indicators:
      - ip
  - name: fuid
    type: string
    indicators:
      - trace_id
  - name: id.orig_h
    type: string
    indicators:
      - ip
  - name: id.orig_p
    type: bigint
  - name: id.resp_h
    type: string
    indicators:
      - ip
  - name: id.resp_p
    type: bigint
  - name: msg
    required: true
    type: string
  - name: note
    required: true
    type: string
  - name: p
    type: bigint
  - 이름: proto
    type: string
  - name: src
    type: string
    indicators:
      - ip
  - name: sub
    type: string
  - name: suppress_for
    required: true
    type: float
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - 이름: uid
    type: string
    indicators:
      - trace_id

Zeek.NTP

참조: ntp.log

schema: Zeek.NTP
description: Zeek 네트워크 시간 프로토콜 활동
referenceURL: https://docs.zeek.org/en/master/logs/ntp.html
fields:
  - name: id.orig_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.orig_p
    required: true
    type: bigint
  - name: id.resp_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.resp_p
    required: true
    type: bigint
  - name: mode
    required: true
    type: bigint
  - name: num_exts
    required: true
    type: bigint
  - name: org_time
    required: true
    type: float
  - name: poll
    required: true
    type: float
  - name: precision
    required: true
    type: float
  - name: rec_time
    required: true
    type: float
  - name: ref_id
    required: true
    type: string
  - name: ref_time
    required: true
    type: float
  - name: root_delay
    required: true
    type: float
  - name: root_disp
    required: true
    type: float
  - name: stratum
    required: true
    type: bigint
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - 이름: uid
    required: true
    type: string
    indicators:
      - trace_id
  - 이름: version
    required: true
    type: bigint
  - name: xmt_time
    required: true
    type: float

Zeek.OCSP

참조: ocsp.log


schema: Zeek.OCSP
description: Zeek 온라인 인증서 상태 프로토콜 활동
referenceURL: https://docs.zeek.org/en/v4.0.0/scripts/policy/files/x509/log-ocsp.zeek.html
fields:
  - name: certStatus
    required: true
    type: string
  - name: hashAlgorithm
    required: true
    type: string
  - name: id
    required: true
    type: string
  - name: issuerKeyHash
    required: true
    type: string
  - name: issuerNameHash
    required: true
    type: string
  - name: nextUpdate
    required: true
    type: timestamp
    timeFormats:
      - unix
  - name: serialNumber
    required: true
    type: string
  - name: revoketime
    type: timestamp
    timeFormats:
      - unix
  - name: revokereason
    type: string
  - name: thisUpdate
    required: true
    type: timestamp
    timeFormats:
      - unix
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true

Zeek.Reporter

Zeek 내부 경고 및 오류.

참조: reporter.log

schema: Zeek.Reporter
description: Zeek 내부 경고 및 오류
referenceURL: https://docs.zeek.org/en/master/logs/capture-loss-and-reporter.html
fields:
  - name: level
    required: true
    type: string
  - name: location
    required: true
    type: string
  - name: message
    required: true
    type: string
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true

Zeek.SIP

이 스키마는 Zeek SIP 분석 로그를 나타냅니다.

참조: sip.log

schema: Zeek.SIP
description: Zeek SIP 분석
referenceURL: https://docs.zeek.org/en/master/scripts/base/protocols/sip/main.zeek.html#id2
fields:
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
  - 이름: uid
    required: true
    type: string
    indicators:
      - trace_id
  - name: id.orig_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.orig_p
    required: true
    type: bigint
  - name: id.resp_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.resp_p
    required: true
    type: bigint
  - name: trans_depth
    required: true
    type: bigint
  - 이름: method
    type: string
  - name: uri
    type: string
  - name: date
    type: string
  - name: request_from
    type: string
  - name: request_to
    type: string
  - name: response_from
    type: string
  - name: response_to
    type: string
  - name: reply_to
    type: string
  - name: call_id
    type: string
  - name: seq
    type: string
  - name: subject
    type: string
  - 이름: request_path
    type: array
    element:
      type: string
  - name: response_path
    type: array
    element:
      type: string
  - 이름: user_agent
    type: string
  - 이름: status_code
    type: bigint
  - name: status_msg
    type: string
  - name: warning
    type: string
  - name: request_body_len
    type: bigint
  - name: response_body_len
    type: bigint
  - name: content_type
    type: string

Zeek.Software

참조: software.log

schema: Zeek.Software
description: Zeek Software 활동
referenceURL: https://docs.zeek.org/en/master/logs/known-and-software.html#software-log
fields:
  - name: host_p
    description: host_p
    type: bigint
  - name: version.addl
    description: version.addl
    type: string
  - name: version.minor2
    description: version.minor2
    type: string
  - name: version.minor3
    description: version.minor3
    type: string
  - name: version.minor
    description: version.minor
    type: string
  - 이름: host
    required: true
    description: host
    type: string
    indicators:
      - ip
  - 이름: name
    required: true
    description: name
    type: string
  - name: software_type
    required: true
    description: software_type
    type: string
  - name: ts
    required: true
    description: ts
    type: timestamp
    timeFormat: unix
    isEventTime: true
  - name: unparsed_version
    required: true
    description: unparsed_version
    type: string
  - name: version.major
    description: version.major
    type: bigint

Zeek.SSH

참조: ssh.log

schema: Zeek.Ssh
description: Zeek ssh 활동
referenceURL: https://docs.zeek.org/en/current/scripts/base/protocols/ssh/main.zeek.html#type-SSH::Info
fields:
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - 이름: uid
    required: true
    type: string
    indicators:
      - trace_id
  - name: id.orig_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.orig_p
    required: true
    type: bigint
  - name: id.resp_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.resp_p
    required: true
    type: bigint
  - 이름: version
    type: string
  - name: auth_success
    type: boolean
  - name: auth_attempts
    type: bigint
  - 이름: direction
    type: string
  - name: client
    type: string
  - name: server
    type: string
  - name: cipher_alg
    type: string
  - name: mac_alg
    type: string
  - name: compression_alg
    type: string
  - name: kex_alg
    type: string
  - name: host_key_alg
    type: string
  - name: host_key
    type: string

Zeek.SSL

참조: ssl.log

schema: Zeek.Ssl
description: Zeek SSL 활동
referenceURL: https://docs.zeek.org/en/master/logs/ssl.html
fields:
  - name: next_protocol
    type: string
  - name: cert_chain_fps
    type: array
    element:
      type: string
  - name: sni_matches_cert
    type: boolean
  - name: validation_status
    type: string
  - name: curve
    type: string
  - name: cipher
    type: string
  - name: established
    required: true
    type: boolean
  - name: id.orig_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.orig_p
    required: true
    type: bigint
  - name: id.resp_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.resp_p
    required: true
    type: bigint
  - name: resumed
    required: true
    type: boolean
  - name: server_name
    type: string
    indicators:
      - 도메인
  - name: ssl_history
    required: true
    type: string
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - 이름: uid
    required: true
    type: string
    indicators:
      - trace_id
  - 이름: version
    type: string

```

Zeek.Stats

참조: stats.log

schema: Zeek.Stats
description: Zeek 로그 메모리/패킷/지연 통계.
referenceURL: https://docs.zeek.org/en/master/scripts/policy/misc/stats.zeek.html
fields:
  - name: active_dns_requests
    required: true
    type: bigint
  - name: active_files
    required: true
    type: bigint
  - name: active_icmp_conns
    required: true
    type: bigint
  - name: active_tcp_conns
    required: true
    type: bigint
  - name: active_timers
    required: true
    type: bigint
  - name: active_udp_conns
    required: true
    type: bigint
  - name: bytes_recv
    required: true
    type: bigint
  - name: dns_requests
    required: true
    type: bigint
  - name: events_proc
    required: true
    type: bigint
  - name: events_queued
    required: true
    type: bigint
  - name: files
    required: true
    type: bigint
  - name: icmp_conns
    required: true
    type: bigint
  - name: mem
    required: true
    type: bigint
  - name: peer
    required: true
    type: string
  - name: pkt_lag
    required: true
    type: float
  - name: pkts_dropped
    required: true
    type: bigint
  - name: pkts_link
    required: true
    type: bigint
  - name: pkts_proc
    required: true
    type: bigint
  - name: reassem_file_size
    required: true
    type: bigint
  - name: reassem_frag_size
    required: true
    type: bigint
  - name: reassem_tcp_size
    required: true
    type: bigint
  - name: reassem_unknown_size
    required: true
    type: bigint
  - name: tcp_conns
    required: true
    type: bigint
  - name: timers
    required: true
    type: bigint
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: udp_conns
    required: true
    type: bigint

Zeek.Telemetry

카운터 및 게이지 메트릭을 기록하는 데 사용되는 레코드 유형.

참조: telemetry.log

schema: Zeek.Telemetry
description: 카운터 및 게이지 메트릭을 기록하는 데 사용되는 레코드 유형
referenceURL: https://docs.zeek.org/en/master/scripts/policy/frameworks/telemetry/log.zeek.html
fields:
  - name: ts
    required: true
    description: 보고 시각
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: peer
    required: true
    description: 이 로그를 생성한 Peer(메트릭이 발생한 클러스터 노드를 식별함)
    type: string
  - name: metric_type
    required: true
    description: 기본 메트릭 유형에 따라 "counter" 또는 "gauge" 값을 포함함
    type: string
  - 이름: name
    required: true
    description: 메트릭의 이름
    type: string
  - name: labels
    required: true
    description: 개별 레이블의 이름
    type: array
    element:
      type: string
  - name: label_values
    required: true
    description: labels에 나열된 레이블의 값
    type: array
    element:
      type: string
  - 이름: value
    required: true
    description: 이 메트릭의 값
    type: float

Zeek.Tunnel

Zeek의 tunnel.log의 목적은 캡슐화된 트래픽을 식별하는 것입니다.

참조: tunnel.log

schema: Zeek.Tunnel
description: Zeek의 tunnel.log의 목적은 캡슐화된 트래픽을 식별하는 것입니다.
referenceURL: https://docs.zeek.org/en/master/logs/tunnel.html
fields:
  - 이름: 동작
    required: true
    type: string
  - name: id.orig_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.orig_p
    required: true
    type: bigint
  - name: id.resp_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.resp_p
    required: true
    type: bigint
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: tunnel_type
    required: true
    type: string

Zeek.Weird

참조: weird.log

schema: Zeek.Weird
description: Zeek Weird 활동
referenceURL: https://docs.zeek.org/en/master/logs/weird-and-notice.html
fields:
  - name: source
    type: string
  - name: id.orig_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.orig_p
    required: true
    type: bigint
  - name: id.resp_h
    required: true
    type: string
    indicators:
      - ip
  - name: id.resp_p
    required: true
    type: bigint
  - 이름: name
    required: true
    type: string
  - name: notice
    required: true
    type: boolean
  - name: peer
    required: true
    type: string
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - 이름: uid
    required: true
    type: string
    indicators:
      - trace_id

Zeek.X509

참조: x509.log

schema: Zeek.X509
description: Zeek X509
referenceURL: https://docs.zeek.org/en/master/logs/x509.html
fields:
  - name: certificate.curve
    type: string
  - name: certificate.exponent
    type: bigint
  - name: basic_constraints.ca
    required: true
    type: boolean
  - name: certificate.issuer
    required: true
    type: string
  - name: certificate.key_alg
    required: true
    type: string
  - name: certificate.key_length
    required: true
    type: bigint
  - name: certificate.key_type
    required: true
    type: string
  - name: certificate.not_valid_after
    required: true
    type: timestamp
    timeFormats:
      - unix
  - name: certificate.not_valid_before
    required: true
    type: timestamp
    timeFormats:
      - unix
  - name: certificate.serial
    required: true
    type: string
  - name: certificate.sig_alg
    required: true
    type: string
  - name: certificate.subject
    required: true
    type: string
  - name: certificate.version
    required: true
    type: string
  - name: client_cert
    required: true
    type: boolean
  - name: fingerprint
    required: true
    type: string
  - name: host_cert
    required: true
    type: boolean
  - name: san.dns
    required: true
    type: array
    element:
      type: string
  - name: ts
    required: true
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true

이전Wiz Webhook (Beta)다음Zendesk 로그

마지막 업데이트 4개월 전

도움이 되었나요?