The following lists field names as they are formatted in Zeek logs, then processed by Logstash and ingested into Elasticsearch.
The original field name (from Zeek) appears on the left, and if changed, the updated name or formatting of the field (Elasticsearch) will appear on the right.
(Zeek => Elastic)
Dictionary S0 "Connection attempt seen, no reply" S1 "Connection established, not terminated" S2 "Connection established and close attempt by originator seen (but no reply from responder)" S3 "Connection established and close attempt by responder seen (but no reply from originator)" SF "Normal SYN/FIN completion" REJ "Connection attempt rejected" RSTO "Connection established, originator aborted (sent a RST)" RSTR "Established, responder aborted" RSTOS0 "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder" RSTRH "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator" SH "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)" SHR "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator" OTH "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)"
- => request_host
- => request_name
request_p => request_port
- => bound_host
- => bound_name
bound_p => bound_port
CN => "certificate_common_name" C => "certificate_country_code" O => "certificate_organization" OU => "certificate_organization_unit" ST => "certificate_state" SN => "certificate_surname" L => "certificate_locality" GN => "certificate_given_name" pseudonym => "certificate_pseudonym" serialNumber => "certificate_serial_number" title => "certificate_title" initials" => "certificate_initials"
CN => "issuer_common_name" C => "issuer_country_code" O => "issuer_organization" OU => "issuer_organization_unit" ST => "issuer_state" SN => "issuer_surname" L => "issuer_locality" DC => "issuer_distinguished_name" GN => "issuer_given_name" pseudonym => "issuer_pseudonym" serialNumber => "issuer_serial_number" title => "issuer_title" initials => "issuer_initials"
The following fields are formatted as a URL within Kibana, so we can easily pivot from them to the Indicator dashboard by clicking on them: