Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Filebeat] Improve ECS categorization field mappings for zeek module #17738

Merged
merged 4 commits into from
Apr 29, 2020
Merged

[Filebeat] Improve ECS categorization field mappings for zeek module #17738

merged 4 commits into from
Apr 29, 2020

Conversation

leehinman
Copy link
Contributor

What does this PR do?

Updates the filesets of zeek module to ECS 1.5

Why is it important?

ECS categorization fields improve experience in SIEM module and across inputs from different sources.

Checklist

  • My code follows the style guidelines of this project
    - [ ] I have commented my code, particularly in hard-to-understand areas
    - [ ] I have made corresponding changes to the documentation
    - [ ] I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

TESTING_FILEBEAT_MODULES=zeek mage -v pythonIntegTest

Related issues

Closes #16029

Changes to each Fileset

  • capture_loss
    • convert pipeline to yaml
    • event.kind
    • event.type
  • connection
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • related.ip
  • dce_rpc
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • event.action
    • related.ip
    • source.geo
    • destination.geo
  • dhcp
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • related.ip
  • dnp3
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • event.action
    • related.ip
    • source.geo
    • destination.geo
    • source.as
    • destiantion.as
  • dns
    • event.kind
    • event.category
    • event.type
    • event.outcome
    • dns.question.top_level_domain
    • related.ip
  • dpd
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • source.geo
    • destiantion.geo
    • source.as
    • destiantion.as
    • related.ip
  • files
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • file.mime_type
    • file.name
    • file.hash.md5
    • file.hash.sha1
    • file.hash.sha256
    • client.ip
    • server.ip
    • related.ip
    • related.hash
  • ftp
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • event.action
    • user.name
    • file.mime_type
    • file.size
    • related.ip
    • related.user
    • source.geo
    • destination.geo
  • http
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • event.outcome
    • event.action
    • url.port type to number
    • http.request.method lowercase
    • related.ip
    • related.users
  • intel
    • event.kind
    • event.type
    • related.ip
  • irc
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • event.action
    • user.name
    • file.name
    • file.size
    • file.mime_type
    • related.ip
    • related.user
    • source.geo
    • destination.geo
  • kerberos
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • event.outcome
    • event.action
    • user.name
    • user.domain
    • source.geo
    • destination.geo
    • related.ip
    • related.user
  • modbus
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • event.outcome
    • event.action
    • related.ip
    • source.geo
    • destination.geo
  • mysql
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • event.outcome
    • source.geo
    • destiantion.geo
    • related.ip
  • notice
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • related.ip
    • file.size
    • file.mime_type
    • rule.description
    • rule.name
  • ntlm
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • event.outcome
    • user.name
    • user.domain
    • source.geo
    • destination.geo
    • related.ip
    • related.user
  • ocsp
    • convert pipeline to yaml
    • event.kind
    • related.hash
  • pe
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
  • radius
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • event.outcome
    • user.name
    • source.geo
    • destination.geo
    • related.ip
    • related.user
  • rdp
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • related.ip
    • source.geo
    • destination.geo
  • rfb
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • related.ip
    • source.geo
    • destination.geo
  • sip
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • event.outcome
    • event.action
    • related.ip
    • source.geo
    • destination.geo
    • url.full
  • smb_cmd
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • event.outcome
    • event.action
    • related.ip
    • related.user
    • source.geo
    • destination.geo
    • user.name
  • smb_files
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • event.action
    • related.ip
    • related.user
    • source.geo
    • destination.geo
    • user.name
    • file.accessed
    • file.ctime
    • file.created
    • file.mtime
    • file.path
    • file.name
    • file.size
  • smb_mapping
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • related.ip
    • source.geo
    • destination.geo
  • smtp
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • related.ip
    • source.geo
    • destination.geo
  • snmp
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • related.ip
    • source.geo
    • destination.geo
  • socks
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • event.outcome
    • related.ip
    • source.geo
    • destination.geo
    • user.name
    • related.user
  • ssh
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • event.outcome
    • related.ip
    • source.geo
    • destination.geo
  • ssl
    • event.kind
    • event.category
    • event.type
    • related.ip
  • stats
    • convert pipeline to yaml
    • event.kind
  • syslog
    • convert pipeline to yaml
    • event.kind
    • related.ip
    • source.geo
    • destination.geo
    • log.syslog.facility.name
    • log.syslog.severity.name
  • traceroute
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • related.ip
    • source.geo
    • destination.geo
  • tunnel
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • related.ip
    • source.geo
    • destination.geo
  • weird
    • convert pipeline to yaml
    • event.kind
    • event.category
    • event.type
    • related.ip
    • source.geo
    • destination.geo
    • rule.name
  • x509
    • event.kind
    • event.type

@leehinman leehinman added enhancement Filebeat Filebeat needs_backport PR is waiting to be backported to other branches. Team:SIEM ecs labels Apr 15, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@leehinman
Improve ECS categorization field mappings for zeek module
cd90014 
- capture_loss
  + convert pipeline to yaml
  + event.kind
  + event.type
- connection
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
- dce_rpc
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.action
  + related.ip
  + source.geo
  + destination.geo
- dhcp
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
- dnp3
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.action
  + related.ip
  + source.geo
  + destination.geo
  + source.as
  + destiantion.as
- dns
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + dns.question.top_level_domain
  + related.ip
- dpd
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + source.geo
  + destiantion.geo
  + source.as
  + destiantion.as
  + related.ip
- files
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + file.mime_type
  + file.name
  + file.hash.md5
  + file.hash.sha1
  + file.hash.sha256
  + client.ip
  + server.ip
  + related.ip
  + related.hash
- ftp
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.action
  + user.name
  + file.mime_type
  + file.size
  + related.ip
  + related.user
  + source.geo
  + destination.geo
- http
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + event.action
  + url.port type to number
  + http.request.method lowercase
  + related.ip
  + related.users
- intel
  + event.kind
  + event.type
  + related.ip
- irc
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.action
  + user.name
  + file.name
  + file.size
  + file.mime_type
  + related.ip
  + related.user
  + source.geo
  + destination.geo
- kerberos
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + event.action
  + user.name
  + user.domain
  + source.geo
  + destination.geo
  + related.ip
  + related.user
- modbus
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + event.action
  + related.ip
  + source.geo
  + destination.geo
- mysql
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + source.geo
  + destiantion.geo
  + related.ip
- notice
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
  + file.size
  + file.mime_type
  + rule.description
  + rule.name
- ntlm
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + user.name
  + user.domain
  + source.geo
  + destination.geo
  + related.ip
  + related.user
- ocsp
  + convert pipeline to yaml
  + event.kind
  + related.hash
- pe
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
- radius
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + user.name
  + source.geo
  + destination.geo
  + related.ip
  + related.user
- rdp
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
  + source.geo
  + destination.geo
- rfb
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
  + source.geo
  + destination.geo
- sip
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + event.action
  + related.ip
  + source.geo
  + destination.geo
  + url.full
- smb_cmd
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + event.action
  + related.ip
  + related.user
  + source.geo
  + destination.geo
  + user.name
- smb_files
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.action
  + related.ip
  + related.user
  + source.geo
  + destination.geo
  + user.name
  + file.accessed
  + file.ctime
  + file.created
  + file.mtime
  + file.path
  + file.name
  + file.size
- smb_mapping
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
  + source.geo
  + destination.geo
- smtp
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
  + source.geo
  + destination.geo
- snmp
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
  + source.geo
  + destination.geo
- socks
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + related.ip
  + source.geo
  + destination.geo
  + user.name
  + related.user
- ssh
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + related.ip
  + source.geo
  + destination.geo
- ssl
  + event.kind
  + event.category
  + event.type
  + related.ip
- stats
  + convert pipeline to yaml
  + event.kind
- syslog
  + convert pipeline to yaml
  + event.kind
  + related.ip
  + source.geo
  + destination.geo
  + log.syslog.facility.name
  + log.syslog.severity.name
- traceroute
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
  + source.geo
  + destination.geo
- tunnel
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
  + source.geo
  + destination.geo
- weird
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
  + source.geo
  + destination.geo
  + rule.name
- x509
  + event.kind
  + event.type

Closes elastic#16029
andrewkroh
andrewkroh reviewed Apr 23, 2020
View reviewed changes
Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

51/168 files viewed 😄

Looks good so far. Will continue soon.

x-pack/filebeat/module/zeek/dns/config/dns.yml Outdated
@@ -105,12 +110,54 @@ processors:
evt.Put("event.duration", rttSec * 1000000000);
}

function addTopLevelDomain(evt) {
var rd = evt.Get("dns.question.registered_domain");
if (rd == null) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if (rd == null) {
if (!rd) {

This covers both null and undefined.

x-pack/filebeat/module/zeek/files/ingest/pipeline.yml Show resolved Hide resolved
x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml Outdated
zeek.kerberos.client: "/"
tokenizer: "%{user.name}/%{user.domain}"
field: zeek.kerberos.client
target_prefix: ""
{{ if .community_id }}
- community_id:
fields:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could drop the fields here too now.

x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml Outdated
- add_fields:
target: event
fields:
outcome: failure
{{ if .community_id }}
- community_id:
fields:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fields can be removed. The defaults will work I think.

@leehinman
Address feedback
dd4bcb9 
- use defaults for community_id
- fix JS null & undefined check
- consistently set source.ip & destination.ip in config scripts
@leehinman
make client.ip & server.ip type IP not array
f4b3647
andrewkroh
andrewkroh approved these changes Apr 27, 2020
View reviewed changes
Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Nice job!

@elasticmachine
Copy link
Collaborator

💚 Build Succeeded

Pipeline View Test View Changes Artifacts preview stats

Expand to view the summary

Build stats

Test stats 🧪

Test Results
Failed 0
Passed 1179
Skipped 124
Total 1303

@leehinman leehinman merged commit b552dd8 into elastic:master Apr 29, 2020
@leehinman leehinman deleted the 16029_zeek_ecs_1.4 branch April 29, 2020 01:51
@leehinman leehinman mentioned this pull request Apr 29, 2020
Merged
3 tasks
@leehinman leehinman added v7.8.0 and removed needs_backport PR is waiting to be backported to other branches. labels Apr 29, 2020
leehinman added a commit to leehinman/beats that referenced this pull request Apr 29, 2020
@leehinman
[Filebeat] Improve ECS categorization field mappings for zeek module (e…
6661160 
…lastic#17738)

* Improve ECS categorization field mappings for zeek module

- capture_loss
  + convert pipeline to yaml
  + event.kind
  + event.type
- connection
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
- dce_rpc
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.action
  + related.ip
  + source.geo
  + destination.geo
- dhcp
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
- dnp3
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.action
  + related.ip
  + source.geo
  + destination.geo
  + source.as
  + destiantion.as
- dns
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + dns.question.top_level_domain
  + related.ip
- dpd
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + source.geo
  + destiantion.geo
  + source.as
  + destiantion.as
  + related.ip
- files
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + file.mime_type
  + file.name
  + file.hash.md5
  + file.hash.sha1
  + file.hash.sha256
  + client.ip
  + server.ip
  + related.ip
  + related.hash
- ftp
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.action
  + user.name
  + file.mime_type
  + file.size
  + related.ip
  + related.user
  + source.geo
  + destination.geo
- http
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + event.action
  + url.port type to number
  + http.request.method lowercase
  + related.ip
  + related.users
- intel
  + event.kind
  + event.type
  + related.ip
- irc
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.action
  + user.name
  + file.name
  + file.size
  + file.mime_type
  + related.ip
  + related.user
  + source.geo
  + destination.geo
- kerberos
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + event.action
  + user.name
  + user.domain
  + source.geo
  + destination.geo
  + related.ip
  + related.user
- modbus
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + event.action
  + related.ip
  + source.geo
  + destination.geo
- mysql
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + source.geo
  + destiantion.geo
  + related.ip
- notice
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
  + file.size
  + file.mime_type
  + rule.description
  + rule.name
- ntlm
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + user.name
  + user.domain
  + source.geo
  + destination.geo
  + related.ip
  + related.user
- ocsp
  + convert pipeline to yaml
  + event.kind
  + related.hash
- pe
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
- radius
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + user.name
  + source.geo
  + destination.geo
  + related.ip
  + related.user
- rdp
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
  + source.geo
  + destination.geo
- rfb
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
  + source.geo
  + destination.geo
- sip
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + event.action
  + related.ip
  + source.geo
  + destination.geo
  + url.full
- smb_cmd
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + event.action
  + related.ip
  + related.user
  + source.geo
  + destination.geo
  + user.name
- smb_files
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.action
  + related.ip
  + related.user
  + source.geo
  + destination.geo
  + user.name
  + file.accessed
  + file.ctime
  + file.created
  + file.mtime
  + file.path
  + file.name
  + file.size
- smb_mapping
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
  + source.geo
  + destination.geo
- smtp
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
  + source.geo
  + destination.geo
- snmp
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
  + source.geo
  + destination.geo
- socks
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + related.ip
  + source.geo
  + destination.geo
  + user.name
  + related.user
- ssh
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + related.ip
  + source.geo
  + destination.geo
- ssl
  + event.kind
  + event.category
  + event.type
  + related.ip
- stats
  + convert pipeline to yaml
  + event.kind
- syslog
  + convert pipeline to yaml
  + event.kind
  + related.ip
  + source.geo
  + destination.geo
  + log.syslog.facility.name
  + log.syslog.severity.name
- traceroute
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
  + source.geo
  + destination.geo
- tunnel
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
  + source.geo
  + destination.geo
- weird
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
  + source.geo
  + destination.geo
  + rule.name
- x509
  + event.kind
  + event.type

Closes elastic#16029

(cherry picked from commit b552dd8)
leehinman added a commit that referenced this pull request May 4, 2020
@leehinman
[Filebeat] Improve ECS categorization field mappings for zeek module (#…
878affb 
…17738) (#18076)

* Improve ECS categorization field mappings for zeek module

- capture_loss
  + convert pipeline to yaml
  + event.kind
  + event.type
- connection
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
- dce_rpc
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.action
  + related.ip
  + source.geo
  + destination.geo
- dhcp
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
- dnp3
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.action
  + related.ip
  + source.geo
  + destination.geo
  + source.as
  + destiantion.as
- dns
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + dns.question.top_level_domain
  + related.ip
- dpd
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + source.geo
  + destiantion.geo
  + source.as
  + destiantion.as
  + related.ip
- files
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + file.mime_type
  + file.name
  + file.hash.md5
  + file.hash.sha1
  + file.hash.sha256
  + client.ip
  + server.ip
  + related.ip
  + related.hash
- ftp
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.action
  + user.name
  + file.mime_type
  + file.size
  + related.ip
  + related.user
  + source.geo
  + destination.geo
- http
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + event.action
  + url.port type to number
  + http.request.method lowercase
  + related.ip
  + related.users
- intel
  + event.kind
  + event.type
  + related.ip
- irc
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.action
  + user.name
  + file.name
  + file.size
  + file.mime_type
  + related.ip
  + related.user
  + source.geo
  + destination.geo
- kerberos
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + event.action
  + user.name
  + user.domain
  + source.geo
  + destination.geo
  + related.ip
  + related.user
- modbus
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + event.action
  + related.ip
  + source.geo
  + destination.geo
- mysql
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + source.geo
  + destiantion.geo
  + related.ip
- notice
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
  + file.size
  + file.mime_type
  + rule.description
  + rule.name
- ntlm
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + user.name
  + user.domain
  + source.geo
  + destination.geo
  + related.ip
  + related.user
- ocsp
  + convert pipeline to yaml
  + event.kind
  + related.hash
- pe
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
- radius
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + user.name
  + source.geo
  + destination.geo
  + related.ip
  + related.user
- rdp
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
  + source.geo
  + destination.geo
- rfb
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
  + source.geo
  + destination.geo
- sip
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + event.action
  + related.ip
  + source.geo
  + destination.geo
  + url.full
- smb_cmd
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + event.action
  + related.ip
  + related.user
  + source.geo
  + destination.geo
  + user.name
- smb_files
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.action
  + related.ip
  + related.user
  + source.geo
  + destination.geo
  + user.name
  + file.accessed
  + file.ctime
  + file.created
  + file.mtime
  + file.path
  + file.name
  + file.size
- smb_mapping
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
  + source.geo
  + destination.geo
- smtp
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
  + source.geo
  + destination.geo
- snmp
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
  + source.geo
  + destination.geo
- socks
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + related.ip
  + source.geo
  + destination.geo
  + user.name
  + related.user
- ssh
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + event.outcome
  + related.ip
  + source.geo
  + destination.geo
- ssl
  + event.kind
  + event.category
  + event.type
  + related.ip
- stats
  + convert pipeline to yaml
  + event.kind
- syslog
  + convert pipeline to yaml
  + event.kind
  + related.ip
  + source.geo
  + destination.geo
  + log.syslog.facility.name
  + log.syslog.severity.name
- traceroute
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
  + source.geo
  + destination.geo
- tunnel
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
  + source.geo
  + destination.geo
- weird
  + convert pipeline to yaml
  + event.kind
  + event.category
  + event.type
  + related.ip
  + source.geo
  + destination.geo
  + rule.name
- x509
  + event.kind
  + event.type

Closes #16029

(cherry picked from commit b552dd8)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@webmat webmat webmat left review comments

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees
No one assigned
Labels
ecs enhancement Filebeat Filebeat v7.8.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Filebeat] Update zeek module to ECS 1.4
4 participants
@leehinman @elasticmachine @webmat @andrewkroh