›

Suricata Integration

Version	2.21.4 (View all)
Compatible Kibana version(s)	8.7.1 or higher
Supported Serverless project types What’s this?	Security Observability
Subscription level What’s this?	Basic
Level of support What’s this?	Elastic

This integration is for Suricata. It reads the EVE JSON output file. The EVE output writes alerts, anomalies, metadata, file info and protocol specific records as JSON.

Compatibility

edit

This module has been developed against Suricata v4.0.4, but is expected to work with other versions of Suricata.

EVE

edit

Example

An example event for eve looks as following:

{
    "@timestamp": "2018-07-05T19:01:09.820Z",
    "agent": {
        "ephemeral_id": "58adcb6e-5d0e-4822-98a4-8d93557f8f2e",
        "id": "0a5c1566-c6fd-4e91-b96d-4083445a000e",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.9.0"
    },
    "data_stream": {
        "dataset": "suricata.eve",
        "namespace": "ep",
        "type": "logs"
    },
    "destination": {
        "address": "192.168.253.112",
        "ip": "192.168.253.112",
        "port": 22
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "0a5c1566-c6fd-4e91-b96d-4083445a000e",
        "snapshot": false,
        "version": "8.9.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "network"
        ],
        "created": "2023-08-08T15:09:13.171Z",
        "dataset": "suricata.eve",
        "ingested": "2023-08-08T15:09:14Z",
        "kind": "event",
        "type": [
            "protocol"
        ]
    },
    "input": {
        "type": "log"
    },
    "log": {
        "file": {
            "path": "/tmp/service_logs/eve-small.ndjson"
        },
        "offset": 0
    },
    "network": {
        "community_id": "1:NLm1MbaBR6humQxEQI2Ai7h/XiI=",
        "protocol": "ssh",
        "transport": "tcp"
    },
    "related": {
        "ip": [
            "192.168.86.85",
            "192.168.253.112"
        ]
    },
    "source": {
        "address": "192.168.86.85",
        "ip": "192.168.86.85",
        "port": 55406
    },
    "suricata": {
        "eve": {
            "event_type": "ssh",
            "flow_id": "298824096901438",
            "in_iface": "en0",
            "ssh": {
                "client": {
                    "proto_version": "2.0",
                    "software_version": "OpenSSH_7.6"
                },
                "server": {
                    "proto_version": "2.0",
                    "software_version": "libssh_0.7.0"
                }
            }
        }
    },
    "tags": [
        "forwarded",
        "suricata-eve"
    ]
}

Exported fields

Field	Description	Type
@timestamp	Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.	date
cloud.account.id	The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.	keyword
cloud.availability_zone	Availability zone in which this host, resource, or service is located.	keyword
cloud.image.id	Image ID for the cloud instance.	keyword
cloud.instance.id	Instance ID of the host machine.	keyword
cloud.instance.name	Instance name of the host machine.	keyword
cloud.machine.type	Machine type of the host machine.	keyword
cloud.project.id	The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.	keyword
cloud.provider	Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.	keyword
cloud.region	Region in which this host, resource, or service is located.	keyword
container.id	Unique container id.	keyword
container.image.name	Name of the image the container was built on.	keyword
container.labels	Image labels.	object
container.name	Container name.	keyword
data_stream.dataset	The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: * Must not contain `-` * No longer than 100 characters	constant_keyword
data_stream.namespace	A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: * Must not contain `-` * No longer than 100 characters	constant_keyword
data_stream.type	An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.	constant_keyword
destination.address	Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.	keyword
destination.as.number	Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.	long
destination.as.organization.name	Organization name.	keyword
destination.as.organization.name.text	Multi-field of `destination.as.organization.name`.	match_only_text
destination.bytes	Bytes sent from the destination to the source.	long
destination.domain	The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.	keyword
destination.geo.city_name	City name.	keyword
destination.geo.continent_name	Name of the continent.	keyword
destination.geo.country_iso_code	Country ISO code.	keyword
destination.geo.country_name	Country name.	keyword
destination.geo.location	Longitude and latitude.	geo_point
destination.geo.region_iso_code	Region ISO code.	keyword
destination.geo.region_name	Region name.	keyword
destination.ip	IP address of the destination (IPv4 or IPv6).	ip
destination.mac	MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.	keyword
destination.packets	Packets sent from the destination to the source.	long
destination.port	Port of the destination.	long
dns.answers	An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.	group
dns.answers.class	The class of DNS data contained in this resource record.	keyword
dns.answers.data	The data describing the resource. The meaning of this data depends on the type and class of the resource record.	keyword
dns.answers.name	The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer’s `name` should be the one that corresponds with the answer’s `data`. It should not simply be the original `question.name` repeated.	keyword
dns.answers.ttl	The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.	long
dns.answers.type	The type of data contained in this resource record.	keyword
dns.header_flags	Array of 2 letter DNS header flags.	keyword
dns.id	The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.	keyword
dns.op_code	The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response.	keyword
dns.question.class	The class of records being queried.	keyword
dns.question.name	The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.	keyword
dns.question.registered_domain	The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".	keyword
dns.question.subdomain	The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.	keyword
dns.question.top_level_domain	The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".	keyword
dns.question.type	The type of record being queried.	keyword
dns.resolved_ip	Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.	ip
dns.response_code	The DNS response code.	keyword
dns.type	The type of DNS event captured, query or answer. If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers.	keyword
ecs.version	ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices — which may conform to slightly different ECS versions — this field lets integrations adjust to the schema version of the events.	keyword
event.created	`event.created` contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from `@timestamp` in that `@timestamp` typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent’s or pipeline’s ability to keep up with your event source. In case the two timestamps are identical, `@timestamp` should be used.	date
event.dataset	Event dataset	constant_keyword
event.duration	Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time.	long
event.end	`event.end` contains the date when the event ended or when the activity was last observed.	date
event.ingested	Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It’s also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.	date
event.module	Event module	constant_keyword
event.original	Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.	keyword
event.outcome	This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.	keyword
event.severity	The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It’s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.	long
event.start	`event.start` contains the date when the event started or when the activity was first observed.	date
file.name	Name of the file including the extension, without the directory.	keyword
file.path	Full path to the file, including the file name. It should include the drive letter, when appropriate.	keyword
file.path.text	Multi-field of `file.path`.	match_only_text
file.size	File size in bytes. Only relevant when `file.type` is "file".	long
host.architecture	Operating system architecture.	keyword
host.containerized	If the host is a container.	boolean
host.domain	Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider.	keyword
host.hostname	Hostname of the host. It normally contains what the `hostname` command returns on the host machine.	keyword
host.id	Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.	keyword
host.ip	Host ip addresses.	ip
host.mac	Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.	keyword
host.name	Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.	keyword
host.os.build	OS build information.	keyword
host.os.codename	OS codename, if any.	keyword
host.os.family	OS family (such as redhat, debian, freebsd, windows).	keyword
host.os.kernel	Operating system kernel version as a raw string.	keyword
host.os.name	Operating system name, without the version.	keyword
host.os.name.text	Multi-field of `host.os.name`.	match_only_text
host.os.platform	Operating system platform (such centos, ubuntu, windows).	keyword
host.os.version	Operating system version as a raw string.	keyword
host.type	Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.	keyword
http.request.method	HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.	keyword
http.request.referrer	Referrer for this HTTP request.	keyword
http.response.body.bytes	Size in bytes of the response body.	long
http.response.status_code	HTTP response status code.	long
input.type	Filebeat input type used to collect the log.	keyword
log.file.path	Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn’t read from a log file, do not populate this field.	keyword
log.offset	The file offset the reported line starts at.	long
message	For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.	match_only_text
network.bytes	Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.	long
network.community_id	A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec.	keyword
network.packets	Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum.	long
network.protocol	In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying.	keyword
network.transport	Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying.	keyword
observer.hostname	Hostname of the observer.	keyword
observer.ip	IP addresses of the observer.	ip
observer.mac	MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.	keyword
observer.name	Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty.	keyword
observer.product	The product name of the observer.	keyword
observer.type	The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.	keyword
observer.vendor	Vendor name of the observer.	keyword
related.hash	All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you’re unsure what the hash algorithm is (and therefore which key name to search).	keyword
related.hosts	All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.	keyword
related.ip	All of the IPs seen on your event.	ip
rule.category	A categorization value keyword used by the entity using the rule for detection of this event.	keyword
rule.id	A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.	keyword
rule.name	The name of the rule or signature generating the event.	keyword
source.address	Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.	keyword
source.as.number	Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.	long
source.as.organization.name	Organization name.	keyword
source.as.organization.name.text	Multi-field of `source.as.organization.name`.	match_only_text
source.bytes	Bytes sent from the source to the destination.	long
source.geo.city_name	City name.	keyword
source.geo.continent_name	Name of the continent.	keyword
source.geo.country_iso_code	Country ISO code.	keyword
source.geo.country_name	Country name.	keyword
source.geo.location	Longitude and latitude.	geo_point
source.geo.region_iso_code	Region ISO code.	keyword
source.geo.region_name	Region name.	keyword
source.ip	IP address of the source (IPv4 or IPv6).	ip
source.mac	MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.	keyword
source.packets	Packets sent from the source to the destination.	long
source.port	Port of the source.	long
suricata.eve.alert.affected_product		keyword
suricata.eve.alert.attack_target		keyword
suricata.eve.alert.capec_id		keyword
suricata.eve.alert.category		keyword
suricata.eve.alert.classtype		keyword
suricata.eve.alert.created_at		date
suricata.eve.alert.cve		keyword
suricata.eve.alert.cvss_v2_base		keyword
suricata.eve.alert.cvss_v2_temporal		keyword
suricata.eve.alert.cvss_v3_base		keyword
suricata.eve.alert.cvss_v3_temporal		keyword
suricata.eve.alert.cwe_id		keyword
suricata.eve.alert.deployment		keyword
suricata.eve.alert.former_category		keyword
suricata.eve.alert.gid		long
suricata.eve.alert.hostile		keyword
suricata.eve.alert.infected		keyword
suricata.eve.alert.malware		keyword
suricata.eve.alert.metadata		flattened
suricata.eve.alert.mitre_tool_id		keyword
suricata.eve.alert.performance_impact		keyword
suricata.eve.alert.priority		keyword
suricata.eve.alert.protocols		keyword
suricata.eve.alert.rev		long
suricata.eve.alert.rule_source		keyword
suricata.eve.alert.sid		keyword
suricata.eve.alert.signature		keyword
suricata.eve.alert.signature_id		long
suricata.eve.alert.signature_severity		keyword
suricata.eve.alert.tag		keyword
suricata.eve.alert.updated_at		date
suricata.eve.app_proto_expected		keyword
suricata.eve.app_proto_orig		keyword
suricata.eve.app_proto_tc		keyword
suricata.eve.app_proto_ts		keyword
suricata.eve.dns.id		long
suricata.eve.dns.rcode		keyword
suricata.eve.dns.rdata		keyword
suricata.eve.dns.rrname		keyword
suricata.eve.dns.rrtype		keyword
suricata.eve.dns.ttl		long
suricata.eve.dns.tx_id		long
suricata.eve.dns.type		keyword
suricata.eve.email.status		keyword
suricata.eve.event_type		keyword
suricata.eve.fileinfo.gaps		boolean
suricata.eve.fileinfo.md5		keyword
suricata.eve.fileinfo.sha1		keyword
suricata.eve.fileinfo.sha256		keyword
suricata.eve.fileinfo.state		keyword
suricata.eve.fileinfo.stored		boolean
suricata.eve.fileinfo.tx_id		long
suricata.eve.flow.age		long
suricata.eve.flow.alerted		boolean
suricata.eve.flow.end		date
suricata.eve.flow.reason		keyword
suricata.eve.flow.state		keyword
suricata.eve.flow_id		keyword
suricata.eve.http.http_content_type		keyword
suricata.eve.http.http_port		long
suricata.eve.http.protocol		keyword
suricata.eve.http.redirect		keyword
suricata.eve.icmp_code		long
suricata.eve.icmp_type		long
suricata.eve.in_iface		keyword
suricata.eve.pcap_cnt		long
suricata.eve.smtp.helo		keyword
suricata.eve.smtp.mail_from		keyword
suricata.eve.smtp.rcpt_to		keyword
suricata.eve.ssh.client.proto_version		keyword
suricata.eve.ssh.client.software_version		keyword
suricata.eve.ssh.server.proto_version		keyword
suricata.eve.ssh.server.software_version		keyword
suricata.eve.stats.app_layer.flow.dcerpc_tcp		long
suricata.eve.stats.app_layer.flow.dcerpc_udp		long
suricata.eve.stats.app_layer.flow.dns_tcp		long
suricata.eve.stats.app_layer.flow.dns_udp		long
suricata.eve.stats.app_layer.flow.failed_tcp		long
suricata.eve.stats.app_layer.flow.failed_udp		long
suricata.eve.stats.app_layer.flow.ftp		long
suricata.eve.stats.app_layer.flow.http		long
suricata.eve.stats.app_layer.flow.imap		long
suricata.eve.stats.app_layer.flow.msn		long
suricata.eve.stats.app_layer.flow.smb		long
suricata.eve.stats.app_layer.flow.smtp		long
suricata.eve.stats.app_layer.flow.ssh		long
suricata.eve.stats.app_layer.flow.tls		long
suricata.eve.stats.app_layer.tx.dcerpc_tcp		long
suricata.eve.stats.app_layer.tx.dcerpc_udp		long
suricata.eve.stats.app_layer.tx.dns_tcp		long
suricata.eve.stats.app_layer.tx.dns_udp		long
suricata.eve.stats.app_layer.tx.ftp		long
suricata.eve.stats.app_layer.tx.http		long
suricata.eve.stats.app_layer.tx.smb		long
suricata.eve.stats.app_layer.tx.smtp		long
suricata.eve.stats.app_layer.tx.ssh		long
suricata.eve.stats.app_layer.tx.tls		long
suricata.eve.stats.capture.kernel_drops		long
suricata.eve.stats.capture.kernel_ifdrops		long
suricata.eve.stats.capture.kernel_packets		long
suricata.eve.stats.decoder.avg_pkt_size		long
suricata.eve.stats.decoder.bytes		long
suricata.eve.stats.decoder.dce.pkt_too_small		long
suricata.eve.stats.decoder.erspan		long
suricata.eve.stats.decoder.ethernet		long
suricata.eve.stats.decoder.gre		long
suricata.eve.stats.decoder.icmpv4		long
suricata.eve.stats.decoder.icmpv6		long
suricata.eve.stats.decoder.ieee8021ah		long
suricata.eve.stats.decoder.invalid		long
suricata.eve.stats.decoder.ipraw.invalid_ip_version		long
suricata.eve.stats.decoder.ipv4		long
suricata.eve.stats.decoder.ipv4_in_ipv6		long
suricata.eve.stats.decoder.ipv6		long
suricata.eve.stats.decoder.ipv6_in_ipv6		long
suricata.eve.stats.decoder.ltnull.pkt_too_small		long
suricata.eve.stats.decoder.ltnull.unsupported_type		long
suricata.eve.stats.decoder.max_pkt_size		long
suricata.eve.stats.decoder.mpls		long
suricata.eve.stats.decoder.null		long
suricata.eve.stats.decoder.pkts		long
suricata.eve.stats.decoder.ppp		long
suricata.eve.stats.decoder.pppoe		long
suricata.eve.stats.decoder.raw		long
suricata.eve.stats.decoder.sctp		long
suricata.eve.stats.decoder.sll		long
suricata.eve.stats.decoder.tcp		long
suricata.eve.stats.decoder.teredo		long
suricata.eve.stats.decoder.udp		long
suricata.eve.stats.decoder.vlan		long
suricata.eve.stats.decoder.vlan_qinq		long
suricata.eve.stats.defrag.ipv4.fragments		long
suricata.eve.stats.defrag.ipv4.reassembled		long
suricata.eve.stats.defrag.ipv4.timeouts		long
suricata.eve.stats.defrag.ipv6.fragments		long
suricata.eve.stats.defrag.ipv6.reassembled		long
suricata.eve.stats.defrag.ipv6.timeouts		long
suricata.eve.stats.defrag.max_frag_hits		long
suricata.eve.stats.detect.alert		long
suricata.eve.stats.dns.memcap_global		long
suricata.eve.stats.dns.memcap_state		long
suricata.eve.stats.dns.memuse		long
suricata.eve.stats.file_store.open_files		long
suricata.eve.stats.flow.emerg_mode_entered		long
suricata.eve.stats.flow.emerg_mode_over		long
suricata.eve.stats.flow.icmpv4		long
suricata.eve.stats.flow.icmpv6		long
suricata.eve.stats.flow.memcap		long
suricata.eve.stats.flow.memuse		long
suricata.eve.stats.flow.spare		long
suricata.eve.stats.flow.tcp		long
suricata.eve.stats.flow.tcp_reuse		long
suricata.eve.stats.flow.udp		long
suricata.eve.stats.flow_mgr.bypassed_pruned		long
suricata.eve.stats.flow_mgr.closed_pruned		long
suricata.eve.stats.flow_mgr.est_pruned		long
suricata.eve.stats.flow_mgr.flows_checked		long
suricata.eve.stats.flow_mgr.flows_notimeout		long
suricata.eve.stats.flow_mgr.flows_removed		long
suricata.eve.stats.flow_mgr.flows_timeout		long
suricata.eve.stats.flow_mgr.flows_timeout_inuse		long
suricata.eve.stats.flow_mgr.new_pruned		long
suricata.eve.stats.flow_mgr.rows_busy		long
suricata.eve.stats.flow_mgr.rows_checked		long
suricata.eve.stats.flow_mgr.rows_empty		long
suricata.eve.stats.flow_mgr.rows_maxlen		long
suricata.eve.stats.flow_mgr.rows_skipped		long
suricata.eve.stats.http.memcap		long
suricata.eve.stats.http.memuse		long
suricata.eve.stats.tcp.insert_data_normal_fail		long
suricata.eve.stats.tcp.insert_data_overlap_fail		long
suricata.eve.stats.tcp.insert_list_fail		long
suricata.eve.stats.tcp.invalid_checksum		long
suricata.eve.stats.tcp.memuse		long
suricata.eve.stats.tcp.no_flow		long
suricata.eve.stats.tcp.overlap		long
suricata.eve.stats.tcp.overlap_diff_data		long
suricata.eve.stats.tcp.pseudo		long
suricata.eve.stats.tcp.pseudo_failed		long
suricata.eve.stats.tcp.reassembly_gap		long
suricata.eve.stats.tcp.reassembly_memuse		long
suricata.eve.stats.tcp.rst		long
suricata.eve.stats.tcp.segment_memcap_drop		long
suricata.eve.stats.tcp.sessions		long
suricata.eve.stats.tcp.ssn_memcap_drop		long
suricata.eve.stats.tcp.stream_depth_reached		long
suricata.eve.stats.tcp.syn		long
suricata.eve.stats.tcp.synack		long
suricata.eve.stats.uptime		long
suricata.eve.tcp.ack		boolean
suricata.eve.tcp.fin		boolean
suricata.eve.tcp.psh		boolean
suricata.eve.tcp.rst		boolean
suricata.eve.tcp.state		keyword
suricata.eve.tcp.syn		boolean
suricata.eve.tcp.tcp_flags		keyword
suricata.eve.tcp.tcp_flags_tc		keyword
suricata.eve.tcp.tcp_flags_ts		keyword
suricata.eve.tls.fingerprint		keyword
suricata.eve.tls.issuerdn		keyword
suricata.eve.tls.ja3.hash		keyword
suricata.eve.tls.ja3.string		keyword
suricata.eve.tls.ja3s.hash		keyword
suricata.eve.tls.ja3s.string		keyword
suricata.eve.tls.notafter		date
suricata.eve.tls.notbefore		date
suricata.eve.tls.serial		keyword
suricata.eve.tls.session_resumed		boolean
suricata.eve.tls.sni		keyword
suricata.eve.tls.subject		keyword
suricata.eve.tls.version		keyword
suricata.eve.tx_id		long
tags	List of keywords used to tag each event.	keyword
threat.framework	Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events.	keyword
threat.tactic.id	The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )	keyword
threat.tactic.name	Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)	keyword
threat.technique.id	The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)	keyword
threat.technique.name	The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)	keyword
threat.technique.name.text	Multi-field of `threat.technique.name`.	match_only_text
tls.client.ja3	A hash that identifies clients based on how they perform an SSL/TLS handshake.	keyword
tls.client.server_name	Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`.	keyword
tls.resumed	Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.	boolean
tls.server.hash.sha1	Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.	keyword
tls.server.issuer	Subject of the issuer of the x.509 certificate presented by the server.	keyword
tls.server.ja3s	A hash that identifies servers based on how they perform an SSL/TLS handshake.	keyword
tls.server.not_after	Timestamp indicating when server certificate is no longer considered valid.	date
tls.server.not_before	Timestamp indicating when server certificate is first considered valid.	date
tls.server.subject	Subject of the x.509 certificate presented by the server.	keyword
tls.server.x509.issuer.common_name	List of common name (CN) of issuing certificate authority.	keyword
tls.server.x509.issuer.country	List of country © codes	keyword
tls.server.x509.issuer.locality	List of locality names (L)	keyword
tls.server.x509.issuer.organization	List of organizations (O) of issuing certificate authority.	keyword
tls.server.x509.issuer.organizational_unit	List of organizational units (OU) of issuing certificate authority.	keyword
tls.server.x509.issuer.state_or_province	List of state or province names (ST, S, or P)	keyword
tls.server.x509.not_after	Time at which the certificate is no longer considered valid.	date
tls.server.x509.not_before	Time at which the certificate is first considered valid.	date
tls.server.x509.serial_number	Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.	keyword
tls.server.x509.subject.common_name	List of common names (CN) of subject.	keyword
tls.server.x509.subject.country	List of country © code	keyword
tls.server.x509.subject.locality	List of locality names (L)	keyword
tls.server.x509.subject.organization	List of organizations (O) of subject.	keyword
tls.server.x509.subject.organizational_unit	List of organizational units (OU) of subject.	keyword
tls.server.x509.subject.state_or_province	List of state or province names (ST, S, or P)	keyword
tls.version	Numeric part of the version parsed from the original string.	keyword
tls.version_protocol	Normalized lowercase protocol name parsed from original string.	keyword
url.domain	Domain of the url, such as "http://www.elastic.co[www.elastic.co]". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.	keyword
url.original	Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.	wildcard
url.original.text	Multi-field of `url.original`.	match_only_text
url.path	Path of the request, such as "/search".	wildcard
url.query	The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.	keyword
user_agent.device.name	Name of the device.	keyword
user_agent.name	Name of the user agent.	keyword
user_agent.original	Unparsed user_agent string.	keyword
user_agent.original.text	Multi-field of `user_agent.original`.	match_only_text
user_agent.os.full	Operating system name, including the version or code name.	keyword
user_agent.os.full.text	Multi-field of `user_agent.os.full`.	match_only_text
user_agent.os.name	Operating system name, without the version.	keyword
user_agent.os.name.text	Multi-field of `user_agent.os.name`.	match_only_text
user_agent.os.version	Operating system version as a raw string.	keyword
user_agent.version	Version of the user agent.	keyword

Changelog

edit

Changelog

Version	Details	Kibana version(s)
2.21.4	Bug fix (View pull request) Fix parsing of extra commas in TLS subject and issuer fields.	8.7.1 or higher
2.21.3	Bug fix (View pull request) Use triple-brace Mustache templating when referencing variables in ingest pipelines.	8.7.1 or higher
2.21.2	Bug fix (View pull request) Handle unset TLS data fields	8.7.1 or higher
2.21.1	Bug fix (View pull request) Fix TLS version parsing for SSLv2 kind of value format.	8.7.1 or higher
2.21.0	Enhancement (View pull request) Update package-spec to 3.0.3.	8.7.1 or higher
2.20.2	Enhancement (View pull request) Changed owners	8.7.1 or higher
2.20.1	Bug fix (View pull request) Fix exclude_files pattern.	8.7.1 or higher
2.20.0	Enhancement (View pull request) ECS version updated to 8.11.0.	8.7.1 or higher
2.19.0	Enhancement (View pull request) Improve event.original check to avoid errors if set.	8.7.1 or higher
2.18.1	Bug fix (View pull request) Fix mapping of group fields	8.7.1 or higher
2.18.0	Enhancement (View pull request) Populate `observer.*` fields if "forwarded" in tags	8.7.1 or higher
2.17.1	Enhancement (View pull request) Refer to the ECS definition for all fields that exist in ECS.	8.7.1 or higher
2.17.0	Enhancement (View pull request) ECS version updated to 8.10.0.	8.7.1 or higher
2.16.0	Enhancement (View pull request) The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added owner.type: elastic to package manifest.	8.7.1 or higher
2.15.0	Enhancement (View pull request) Add tags.yml file so that integration’s dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.	8.7.1 or higher
2.14.0	Enhancement (View pull request) Use ECS imported rather than local definitions.	8.7.1 or higher
2.13.0	Enhancement (View pull request) Use dynamic field definitions.	8.7.1 or higher
2.12.0	Enhancement (View pull request) Update package-spec to 2.9.0.	8.7.1 or higher
2.11.0	Enhancement (View pull request) Update package to ECS 8.9.0.	8.7.1 or higher
2.10.0	Enhancement (View pull request) Convert dashboards to Lens	8.7.1 or higher
2.9.0	Enhancement (View pull request) Ensure event.kind is correctly set for pipeline errors.	8.1.0 or higher
2.8.0	Enhancement (View pull request) Update package to ECS 8.8.0.	8.1.0 or higher
2.7.0	Enhancement (View pull request) Update package to ECS 8.7.0.	8.1.0 or higher
2.6.1	Enhancement (View pull request) Added categories and/or subcategories.	8.1.0 or higher
2.6.0	Enhancement (View pull request) Update package to ECS 8.6.0.	8.1.0 or higher
2.5.3	Enhancement (View pull request) Migrate the visualizations to by value in dashboards to minimize the saved object clutter and reduce time to load	8.1.0 or higher
2.5.2	Bug fix (View pull request) Remove duplicate fields.	8.0.0 or higher
2.5.1	Bug fix (View pull request) Defensive copy of parameter lists	8.0.0 or higher
2.5.0	Enhancement (View pull request) Update package to ECS 8.5.0.	8.0.0 or higher
2.4.2	Enhancement (View pull request) Use ECS geo.location definition.	8.0.0 or higher
2.4.1	Enhancement (View pull request) Remove unused visualizations	8.0.0 or higher
2.4.0	Enhancement (View pull request) Update package to ECS 8.4.0	8.0.0 or higher
2.3.1	Enhancement (View pull request) Update package name and description to align with standard wording	8.0.0 or higher
2.3.0	Enhancement (View pull request) Add Server Name Indication to related.hosts for TLS events. Bug fix (View pull request) Render host.mac hardware addresses according to ECS.	8.0.0 or higher
2.2.0	Enhancement (View pull request) Update package to ECS 8.3.0.	8.0.0 or higher
2.1.0	Enhancement (View pull request) Add JA3/JA3S to `related.hash`	8.0.0 or higher
2.0.0	Enhancement (View pull request) Migrate map visualisation from tile_map to map object	8.0.0 or higher
1.7.0	Enhancement (View pull request) Update to ECS 8.2	7.14.0 or higher 8.0.0 or higher
1.6.1	Enhancement (View pull request) Add documentation for multi-fields	7.14.0 or higher 8.0.0 or higher
1.6.0	Enhancement (View pull request) Add network.protocol support for krb5, smtp, snmp, and ikev2.	7.14.0 or higher 8.0.0 or higher
1.5.0	Bug fix (View pull request) Set destination.ip in events. Enhancement (View pull request) Format MAC addresses per ECS and RFC 7042.	7.14.0 or higher 8.0.0 or higher
1.4.0	Enhancement (View pull request) Update to ECS 8.0	—
1.3.2	Bug fix (View pull request) Regenerate test files using the new GeoIP database	7.14.0 or higher 8.0.0 or higher
1.3.1	Bug fix (View pull request) Change test public IPs to the supported subset	—
1.3.0	Enhancement (View pull request) Add 8.0.0 version constraint	7.14.0 or higher 8.0.0 or higher
1.2.3	Enhancement (View pull request) Uniform with guidelines	7.14.0 or higher
1.2.2	Enhancement (View pull request) Update Title and Description.	—
1.2.1	Bug fix (View pull request) Fix logic that checks for the forwarded tag	—
1.2.0	Enhancement (View pull request) Update to ECS 1.12.0	7.14.0 or higher
1.1.3	Enhancement (View pull request) Convert to generated ECS fields	—
1.1.2	Enhancement (View pull request) update to ECS 1.11.0	—
1.1.1	Enhancement (View pull request) Escape special characters in docs	—
1.1.0	Enhancement (View pull request) Update integration description	—
1.0.1	Bug fix (View pull request) Fixes improper date fields and metadata field issues.	—
1.0.0	Enhancement (View pull request) make GA Enhancement (View pull request) Set "event.module" and "event.dataset"	7.14.0 or higher
0.6.3	Enhancement (View pull request) Use `wildcard` field type.	—
0.6.2	Enhancement (View pull request) Modify event.original and update ECS version to 1.10.0	—
0.6.1	Enhancement (View pull request) Make event.original optional	—
0.6.0	Enhancement (View pull request) Move edge processing to ingest pipelines	—
0.5.2	Enhancement (View pull request) update to ECS 1.9.0	—
0.5.1	Bug fix (View pull request) Change kibana.version constraint to be more conservative.	—
0.0.1	Enhancement (View pull request) initial release	—

« Sublime Security Stormshield SNS »