9.3. Comparison of the counters (event fields) between version 2.5.3.102 and version 2.5.3.103
9.3.1. Beacon detect engine
This engine was introduced in version 2.5.3.103, so there is no 2.5.3.102 counterpart to compare against and this section is not applicable.
9.3.2. Malcore engine
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
analyzed_clean |
malcore.analyzed_clean |
modified |
analyzed_error |
malcore.analyzed_error |
modified |
analyzed_infected |
malcore.analyzed_infected |
modified |
analyzed_other |
malcore.analyzed_other |
modified |
analyzed_suspicious |
malcore.analyzed_suspicious |
modified |
analyzers_up |
malcore.analyzers_up |
modified |
app_proto |
network.protocol |
modified |
code |
malcore.code |
modified |
dest_ip |
destination.ip |
modified |
dest_port |
destination.port |
modified |
detail_scan_time |
malcore.detail_scan_time |
modified |
detail_threat_found |
malcore.detail_threat_found |
modified |
detail_wait_time |
malcore.detail_wait_time |
modified |
engine_id.0.id |
malcore.engine_id.0.id |
modified |
engine_id.0.scan_result |
malcore.engine_id.0.scan_result |
modified |
engine_id.0.threat_details |
malcore.engine_id.0.threat_details |
modified |
engine_id.1.id |
malcore.engine_id.1.id |
modified |
engine_id.1.scan_result |
malcore.engine_id.1.scan_result |
modified |
engine_id.1.threat_details |
malcore.engine_id.1.threat_details |
modified |
engine_id.10.id |
malcore.engine_id.10.id |
modified |
engine_id.10.scan_result |
malcore.engine_id.10.scan_result |
modified |
engine_id.10.threat_details |
malcore.engine_id.10.threat_details |
modified |
engine_id.11.id |
malcore.engine_id.11.id |
modified |
engine_id.11.scan_result |
malcore.engine_id.11.scan_result |
modified |
engine_id.11.threat_details |
malcore.engine_id.11.threat_details |
modified |
engine_id.12.id |
malcore.engine_id.12.id |
modified |
engine_id.12.scan_result |
malcore.engine_id.12.scan_result |
modified |
engine_id.12.threat_details |
malcore.engine_id.12.threat_details |
modified |
engine_id.13.id |
malcore.engine_id.13.id |
modified |
engine_id.13.scan_result |
malcore.engine_id.13.scan_result |
modified |
engine_id.13.threat_details |
malcore.engine_id.13.threat_details |
modified |
engine_id.14.id |
malcore.engine_id.14.id |
modified |
engine_id.14.scan_result |
malcore.engine_id.14.scan_result |
modified |
engine_id.14.threat_details |
malcore.engine_id.14.threat_details |
modified |
engine_id.15.id |
malcore.engine_id.15.id |
modified |
engine_id.15.scan_result |
malcore.engine_id.15.scan_result |
modified |
engine_id.15.threat_details |
malcore.engine_id.15.threat_details |
modified |
engine_id.2.id |
malcore.engine_id.2.id |
modified |
engine_id.2.scan_result |
malcore.engine_id.2.scan_result |
modified |
engine_id.2.threat_details |
malcore.engine_id.2.threat_details |
modified |
engine_id.3.id |
malcore.engine_id.3.id |
modified |
engine_id.3.scan_result |
malcore.engine_id.3.scan_result |
modified |
engine_id.3.threat_details |
malcore.engine_id.3.threat_details |
modified |
engine_id.4.id |
malcore.engine_id.4.id |
modified |
engine_id.4.scan_result |
malcore.engine_id.4.scan_result |
modified |
engine_id.4.threat_details |
malcore.engine_id.4.threat_details |
modified |
engine_id.5.id |
malcore.engine_id.5.id |
modified |
engine_id.5.scan_result |
malcore.engine_id.5.scan_result |
modified |
engine_id.5.threat_details |
malcore.engine_id.5.threat_details |
modified |
engine_id.6.id |
malcore.engine_id.6.id |
modified |
engine_id.6.scan_result |
malcore.engine_id.6.scan_result |
modified |
engine_id.6.threat_details |
malcore.engine_id.6.threat_details |
modified |
engine_id.7.id |
malcore.engine_id.7.id |
modified |
engine_id.7.scan_result |
malcore.engine_id.7.scan_result |
modified |
engine_id.7.threat_details |
malcore.engine_id.7.threat_details |
modified |
engine_id.8.id |
malcore.engine_id.8.id |
modified |
engine_id.8.scan_result |
malcore.engine_id.8.scan_result |
modified |
engine_id.8.threat_details |
malcore.engine_id.8.threat_details |
modified |
engine_id.9.id |
malcore.engine_id.9.id |
modified |
engine_id.9.scan_result |
malcore.engine_id.9.scan_result |
modified |
engine_id.9.threat_details |
malcore.engine_id.9.threat_details |
modified |
engines_last_update_date |
malcore.last_update_date |
modified |
event_type |
hardly_modified |
|
file_type |
malcore.file_type |
modified |
file_type_description |
malcore.file_type_description |
modified |
fileinfo.file_id |
file.file_id |
modified |
fileinfo.filename |
file.name |
modified |
fileinfo.gaps |
file.gaps |
modified |
fileinfo.magic |
file.magic |
modified |
fileinfo.md5 |
file.hash.md5 |
modified |
fileinfo.sha1 |
file.sha1 |
modified |
fileinfo.sha256 |
file.hash.sha256 |
modified |
fileinfo.sid[0] |
file.sid[0] |
modified |
fileinfo.size |
file.size |
modified |
fileinfo.state |
file.state |
modified |
fileinfo.stored |
file.stored |
modified |
fileinfo.tx_id |
file.tx_id |
modified |
flow_id |
network.flow_id |
modified |
gcap |
observer.gcap.hostname |
modified |
gcenter |
observer.hostname |
modified |
host |
removed |
|
http.accept |
http.accept |
same |
http.accept_encoding |
http.accept_encoding |
same |
http.content_type |
http.response.mime_type |
modified |
http.date |
http.date |
same |
http.hostname |
http.hostname |
same |
http.http_content_type |
http.request.mime_type |
modified |
http.http_method |
http.request.method |
modified |
http.http_user_agent |
user_agent.original |
modified |
http.server |
http.server |
same |
http.status |
http.response.status |
modified |
http.url |
url.path |
modified |
in_iface |
observer.gcap.ingress.interface.name |
modified |
magic_details |
malcore.magic_details |
modified |
processing_time |
malcore.processing_time |
modified |
proto |
network.transport |
modified |
reporting_token |
malcore.reporting_token |
modified |
severity |
event.severity |
modified |
SHA256 |
removed |
|
src_ip |
source.ip |
modified |
src_port |
source.port |
modified |
state |
malcore.state |
modified |
timestamp |
hardly_modified |
|
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
total_found |
malcore.total_found |
modified |
type |
removed |
|
uuid |
observer.uuid |
modified |
url.domain |
added |
|
ecs.version |
added |
|
event.dataset |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.category[1] |
added |
|
event.id |
added |
|
event.kind |
added |
|
network.timestamp |
added |
|
observer.gcap.version |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
9.3.3. DGA engine
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
type |
removed |
|
event_type |
hardly_modified |
|
uuid |
observer.uuid |
modified |
matched_event |
event.id |
modified |
gcap |
observer.gcap.hostname |
modified |
gcenter |
observer.hostname |
modified |
dest_port |
destination.port |
modified |
src_port |
hardly_modified |
|
src_ip |
source.ip |
modified |
dest_ip |
destination.ip |
modified |
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
flow_id |
network.flow_id |
modified |
severity |
event.severity |
modified |
probability |
dga.dga_ratio |
modified |
domain_name |
hardly_modified |
|
ecs.version |
added |
|
event.dataset |
added |
|
event.end |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.category[1] |
added |
|
event.start |
added |
|
event.kind |
added |
|
network.protocol |
added |
|
network.timestamp |
added |
|
network.transport |
added |
|
observer.gcap.version |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
|
dga.nx_domain_count |
added |
|
dga.top_DGA[0] |
added |
|
dga.top_DGA[1] |
added |
|
dga.top_DGA[2] |
added |
|
dga.top_DGA[3] |
added |
|
dga.top_DGA[4] |
added |
|
dga.top_DGA[5] |
added |
|
dga.top_DGA[6] |
added |
|
dga.top_DGA[7] |
added |
|
dga.top_DGA[8] |
added |
|
dga.top_DGA[9] |
added |
|
dga.dga_count |
added |
|
dga.malware_behavior_confidence |
added |
9.3.4. Malicious powershell engine
Note: in 2.5.3.103 the `SHA256` field is removed and the former `MD5` field becomes `malicious_powershell.id` (see the rows below), so this event identifies the sample by its MD5 only. Dashboards, correlation rules or pivots that keyed on `SHA256` for this engine may need to be revised (for example by pivoting on the Sigflow file event's `file.hash.sha256` instead).
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
dest_ip |
destination.ip |
modified |
dest_port |
destination.port |
modified |
event_type |
hardly_modified |
|
file_id |
malicious_powershell.sample_id |
modified |
flow_id |
network.flow_id |
modified |
gcap |
observer.gcap.hostname |
modified |
gcenter |
observer.hostname |
modified |
MD5 |
malicious_powershell.id |
modified |
scores.analysis |
malicious_powershell.score |
modified |
scores.analysis_detailed.AddContent |
malicious_powershell.score_details.AddContent |
modified |
scores.analysis_detailed.Base64 |
malicious_powershell.score_details.Base64 |
modified |
scores.analysis_detailed.CharInt |
malicious_powershell.score_details.CharInt |
modified |
scores.analysis_detailed.FmtStr |
malicious_powershell.score_details.FmtStr |
modified |
scores.analysis_detailed.GetContent |
malicious_powershell.score_details.GetContent |
modified |
scores.analysis_detailed.InvokeExpression |
malicious_powershell.score_details.InvokeExpression |
modified |
scores.analysis_detailed.InvokeRestMethod |
malicious_powershell.score_details.InvokeRestMethod |
modified |
scores.analysis_detailed.InvokeWebRequest |
malicious_powershell.score_details.InvokeWebRequest |
modified |
scores.analysis_detailed.SetContent |
malicious_powershell.score_details.SetContent |
modified |
scores.analysis_detailed.StartBitsTransfer |
malicious_powershell.score_details.StartBitsTransfer |
modified |
scores.analysis_detailed.StrCat |
malicious_powershell.score_details.StrCat |
modified |
scores.analysis_detailed.StreamReader |
malicious_powershell.score_details.StreamReader |
modified |
scores.analysis_detailed.StreamWriter |
malicious_powershell.score_details.StreamWriter |
modified |
scores.analysis_detailed.StrJoin |
malicious_powershell.score_details.StrJoin |
modified |
scores.analysis_detailed.StrReplace |
malicious_powershell.score_details.StrReplace |
modified |
scores.analysis_detailed.SystemIOFile |
malicious_powershell.score_details.SystemIOFile |
modified |
scores.analysis_detailed.WebClientInvokation |
malicious_powershell.score_details.WebClientInvokation |
modified |
scores.proba_obfuscated |
malicious_powershell.proba_obfuscated |
modified |
severity |
event.severity |
modified |
SHA256 |
removed |
|
src_ip |
source.ip |
modified |
src_port |
source.port |
modified |
state |
removed |
|
sub_type |
removed |
|
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
type |
removed |
|
uuid |
observer.uuid |
modified |
ecs.version |
added |
|
event.dataset |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.category[1] |
added |
|
event.id |
added |
|
event.kind |
added |
|
network.protocol |
added |
|
network.timestamp |
added |
|
network.transport |
added |
|
observer.gcap.version |
added |
|
observer.gcap.ingress.interface.name |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
9.3.5. Shellcode engine
Note: as for the malicious powershell engine, the `SHA256` field is removed in 2.5.3.103 and the former `MD5` field becomes `shellcode.id`, so this event identifies the sample by its MD5 only; pivots that keyed on `SHA256` for this engine may need to be revised.
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
calls.0.args |
shellcode.analysis[0].args |
modified |
calls.0.call |
shellcode.analysis[0].call |
modified |
calls.0.ret |
shellcode.analysis[0].ret |
modified |
dest_ip |
destination.ip |
modified |
dest_port |
destination.port |
modified |
encodings[0].count |
shellcode.encodings[0].count |
modified |
encodings[0].name |
shellcode.encodings[0].name |
modified |
event_type |
hardly_modified |
|
file_id |
shellcode.sample_id |
modified |
flow_id |
network.flow_id |
modified |
gcap |
observer.gcap.hostname |
modified |
gcenter |
observer.hostname |
modified |
MD5 |
shellcode.id |
modified |
severity |
event.severity |
modified |
SHA256 |
removed |
|
src_ip |
source.ip |
modified |
src_port |
source.port |
modified |
state |
removed |
|
sub_type |
shellcode.sub_type |
modified |
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
type |
removed |
|
uuid |
observer.uuid |
modified |
ecs.version |
added |
|
event.dataset |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.category[1] |
added |
|
event.id |
added |
|
event.kind |
added |
|
network.protocol |
added |
|
network.timestamp |
added |
|
network.transport |
added |
|
observer.gcap.version |
added |
|
observer.gcap.ingress.interface.name |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
9.3.6. Ransomware detect engine
This engine was introduced in version 2.5.3.103, so there is no 2.5.3.102 counterpart to compare against and this section is not applicable.
9.3.7. Sigflow alert
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
type |
removed |
|
event_type |
hardly_modified |
|
proto |
network.transport |
modified |
uuid |
observer.uuid |
modified |
src_port |
source.port |
modified |
dest_port |
destination.port |
modified |
src_ip |
source.ip |
modified |
dest_ip |
destination.ip |
modified |
ether.src_mac |
source.mac |
modified |
ether.dest_mac |
destination.mac |
modified |
community_id |
network.community_id |
modified |
in_iface |
observer.gcap.ingress.interface.name |
modified |
gcap |
observer.gcap.hostname |
modified |
host |
removed |
|
gcenter |
observer.hostname |
modified |
flow_id |
network.flow_id |
modified |
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
flow.pkts_toclient |
flow.pkts_toclient |
same |
flow.bytes_toclient |
flow.bytes_toclient |
same |
flow.pkts_toserver |
flow.pkts_toserver |
same |
flow.bytes_toserver |
flow.bytes_toserver |
same |
flow.start |
flow.start |
same |
http.http_user_agent |
user_agent.original |
modified |
http.protocol |
http.version |
modified |
http.length |
http.response.bytes |
modified |
http.http_content_type |
http.response.mime_type |
modified |
http.http_method |
http.request.method |
modified |
http.hostname |
http.hostname |
same |
http.url |
url.path |
modified |
http.status |
http.response.status |
modified |
url.domain |
added |
|
payload |
sigflow.payload |
modified |
payload_printable |
sigflow.payload_printable |
modified |
alert.signature |
sigflow.signature |
modified |
alert.rev |
sigflow.rev |
modified |
alert.gid |
sigflow.gid |
modified |
alert.severity |
removed |
|
alert.action |
sigflow.action |
modified |
alert.category |
sigflow.category |
modified |
alert.signature_id |
sigflow.signature_id |
modified |
alert.metadata.created_at[0] |
sigflow.metadata.created_at[0] |
modified |
alert.metadata.updated_at[0] |
sigflow.metadata.updated_at[0] |
modified |
stream |
sigflow.stream |
modified |
severity |
event.severity |
modified |
tx_id |
network.tx_id |
modified |
packet_info.linktype |
sigflow.packet_info.linktype |
modified |
packet |
sigflow.packet |
modified |
app_proto |
network.protocol |
modified |
ecs.version |
added |
|
event.dataset |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.category[1] |
added |
|
event.id |
added |
|
event.kind |
added |
|
network.timestamp |
added |
|
observer.gcap.version |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
9.3.8. Sigflow dcerpc
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
dcerpc.call_id |
dcerpc.call_id |
same |
dcerpc.interfaces[0].ack_result |
dcerpc.interfaces[0].ack_result |
same |
dcerpc.interfaces[0].uuid |
dcerpc.interfaces[0].uuid |
same |
dcerpc.interfaces[0].version |
dcerpc.interfaces[0].version |
same |
dcerpc.interfaces[1].ack_result |
dcerpc.interfaces[1].ack_result |
same |
dcerpc.interfaces[1].uuid |
dcerpc.interfaces[1].uuid |
same |
dcerpc.interfaces[1].version |
dcerpc.interfaces[1].version |
same |
dcerpc.request |
dcerpc.request |
same |
dcerpc.response |
dcerpc.response |
same |
dcerpc.rpc_version |
dcerpc.rpc_version |
same |
dest_ip |
destination.ip |
modified |
dest_port |
destination.port |
modified |
event_type |
hardly_modified |
|
flow_id |
network.flow_id |
modified |
gcap |
observer.gcap.hostname |
modified |
gcenter |
observer.hostname |
modified |
host |
removed |
|
in_iface |
observer.gcap.ingress.interface.name |
modified |
proto |
network.transport |
modified |
src_ip |
source.ip |
modified |
src_port |
source.port |
modified |
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
type |
removed |
|
uuid |
observer.uuid |
modified |
ecs.version |
added |
|
event.dataset |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.id |
added |
|
event.kind |
added |
|
network.protocol |
added |
|
network.timestamp |
added |
|
observer.gcap.version |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
9.3.9. Sigflow DGA
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
dest_ip |
destination.ip |
modified |
dest_port |
destination.port |
modified |
domain_name |
hardly_modified |
|
event_type |
hardly_modified |
|
flow_id |
network.flow_id |
modified |
gcap |
observer.gcap.hostname |
modified |
gcenter |
observer.hostname |
modified |
matched_event |
event.id |
modified |
probability |
dga.dga_ratio |
modified |
severity |
event.severity |
modified |
src_ip |
source.ip |
modified |
src_port |
hardly_modified |
|
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
type |
removed |
|
uuid |
observer.uuid |
modified |
ecs.version |
added |
|
event.dataset |
added |
|
event.end |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.category[1] |
added |
|
event.start |
added |
|
event.kind |
added |
|
network.protocol |
added |
|
network.timestamp |
added |
|
network.transport |
added |
|
observer.gcap.version |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
|
dga.nx_domain_count |
added |
|
dga.top_DGA[0] |
added |
|
dga.top_DGA[1] |
added |
|
dga.top_DGA[2] |
added |
|
dga.top_DGA[3] |
added |
|
dga.top_DGA[4] |
added |
|
dga.top_DGA[5] |
added |
|
dga.top_DGA[6] |
added |
|
dga.top_DGA[7] |
added |
|
dga.top_DGA[8] |
added |
|
dga.top_DGA[9] |
added |
|
dga.dga_count |
added |
|
dga.malware_behavior_confidence |
added |
9.3.10. Sigflow dhcp
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
community_id |
network.community_id |
modified |
dest_ip |
destination.ip |
modified |
dest_port |
destination.port |
modified |
dhcp.assigned_ip |
dhcp.assigned_ip |
same |
dhcp.client_ip |
dhcp.client_ip |
same |
dhcp.client_mac |
dhcp.client_mac |
same |
dhcp.dhcp_type |
dhcp.dhcp_type |
same |
dhcp.hostname |
dhcp.hostname |
same |
dhcp.id |
dhcp.id |
same |
dhcp.params[0] |
dhcp.params[0] |
same |
dhcp.params[1] |
dhcp.params[1] |
same |
dhcp.params[2] |
dhcp.params[2] |
same |
dhcp.params[3] |
dhcp.params[3] |
same |
dhcp.params[4] |
dhcp.params[4] |
same |
dhcp.type |
dhcp.type |
same |
ether.dest_mac |
destination.mac |
modified |
ether.src_mac |
source.mac |
modified |
event_type |
hardly_modified |
|
flow_id |
network.flow_id |
modified |
gcap |
observer.gcap.hostname |
modified |
gcenter |
observer.hostname |
modified |
host |
removed |
|
in_iface |
observer.gcap.ingress.interface.name |
modified |
proto |
network.transport |
modified |
src_ip |
source.ip |
modified |
src_port |
source.port |
modified |
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
type |
removed |
|
uuid |
observer.uuid |
modified |
ecs.version |
added |
|
event.dataset |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.id |
added |
|
event.kind |
added |
|
network.protocol |
added |
|
network.timestamp |
added |
|
observer.gcap.version |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
9.3.11. Sigflow dnp3
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
community_id |
network.community_id |
modified |
dest_ip |
destination.ip |
modified |
dest_port |
destination.port |
modified |
dnp3.application.complete |
dnp3.application.complete |
same |
dnp3.application.control.con |
dnp3.application.control.con |
same |
dnp3.application.control.fin |
dnp3.application.control.fin |
same |
dnp3.application.control.fir |
dnp3.application.control.fir |
same |
dnp3.application.control.sequence |
dnp3.application.control.sequence |
same |
dnp3.application.control.uns |
dnp3.application.control.uns |
same |
dnp3.application.function_code |
dnp3.application.function_code |
same |
dnp3.control.dir |
dnp3.control.dir |
same |
dnp3.control.fcb |
dnp3.control.fcb |
same |
dnp3.control.fcv |
dnp3.control.fcv |
same |
dnp3.control.function_code |
dnp3.control.function_code |
same |
dnp3.control.pri |
dnp3.control.pri |
same |
dnp3.dst |
dnp3.dst |
same |
dnp3.iin.indicators[0] |
dnp3.iin.indicators[0] |
same |
dnp3.src |
dnp3.src |
same |
dnp3.type |
dnp3.type |
same |
ether.dest_mac |
destination.mac |
modified |
ether.src_mac |
source.mac |
modified |
event_type |
hardly_modified |
|
flow_id |
network.flow_id |
modified |
gcap |
observer.gcap.hostname |
modified |
gcenter |
observer.hostname |
modified |
host |
removed |
|
in_iface |
observer.gcap.ingress.interface.name |
modified |
proto |
network.transport |
modified |
src_ip |
source.ip |
modified |
src_port |
source.port |
modified |
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
type |
removed |
|
uuid |
observer.uuid |
modified |
ecs.version |
added |
|
event.dataset |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.id |
added |
|
event.kind |
added |
|
network.protocol |
added |
|
network.timestamp |
added |
|
observer.gcap.version |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
9.3.12. Sigflow dns
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
community_id |
network.community_id |
modified |
dest_ip |
destination.ip |
modified |
dest_port |
destination.port |
modified |
dns.answers[0].rdata |
dns.answers.data[0].rdata |
modified |
dns.answers[0].rrname |
dns.answers.data[0].rrname |
modified |
dns.answers[0].rrtype |
dns.answers.data[0].rrtype |
modified |
dns.answers[0].ttl |
dns.answers.data[0].ttl |
modified |
dns.flags |
dns.flags |
same |
dns.grouped.A[0] |
dns.grouped.A[0] |
same |
dns.id |
dns.id |
same |
dns.qr |
dns.qr |
same |
dns.ra |
dns.ra |
same |
dns.rcode |
dns.response_code |
modified |
dns.rd |
dns.rd |
same |
dns.type |
dns.type |
same |
dns.version |
dns.version |
same |
ether.dest_mac |
destination.mac |
modified |
ether.src_mac |
source.mac |
modified |
event_type |
hardly_modified |
|
flow_id |
network.flow_id |
modified |
gcap |
observer.gcap.hostname |
modified |
gcenter |
observer.hostname |
modified |
host |
removed |
|
in_iface |
observer.gcap.ingress.interface.name |
modified |
proto |
network.transport |
modified |
src_ip |
source.ip |
modified |
src_port |
source.port |
modified |
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
type |
removed |
|
uuid |
observer.uuid |
modified |
ecs.version |
added |
|
event.dataset |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.id |
added |
|
event.kind |
added |
|
network.protocol |
added |
|
network.timestamp |
added |
|
observer.gcap.version |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
9.3.13. Sigflow file
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
app_proto |
network.protocol |
modified |
dest_ip |
destination.ip |
modified |
dest_port |
destination.port |
modified |
event_type |
hardly_modified |
|
fileinfo.file_id |
file.file_id |
modified |
fileinfo.filename |
file.name |
modified |
fileinfo.gaps |
file.gaps |
modified |
fileinfo.magic |
file.magic |
modified |
fileinfo.md5 |
file.hash.md5 |
modified |
fileinfo.sha1 |
file.sha1 |
modified |
fileinfo.sha256 |
file.hash.sha256 |
modified |
fileinfo.sid[0] |
file.sid[0] |
modified |
fileinfo.size |
file.size |
modified |
fileinfo.state |
file.state |
modified |
fileinfo.stored |
file.stored |
modified |
fileinfo.tx_id |
file.tx_id |
modified |
flow_id |
network.flow_id |
modified |
gcap |
observer.gcap.hostname |
modified |
gcenter |
observer.hostname |
modified |
host |
removed |
|
http.hostname |
http.hostname |
same |
http.http_content_type |
http.response.mime_type |
modified |
http.http_method |
http.request.method |
modified |
http.http_user_agent |
user_agent.original |
modified |
http.length |
http.response.bytes |
modified |
http.protocol |
http.version |
modified |
http.status |
http.response.status |
modified |
http.url |
url.path |
modified |
in_iface |
observer.gcap.ingress.interface.name |
modified |
proto |
network.transport |
modified |
src_ip |
source.ip |
modified |
src_port |
source.port |
modified |
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
type |
removed |
|
uuid |
observer.uuid |
modified |
url.domain |
added |
|
ecs.version |
added |
|
event.dataset |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.category[1] |
added |
|
event.id |
added |
|
event.kind |
added |
|
network.protocol |
added |
|
network.timestamp |
added |
|
observer.gcap.version |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
9.3.14. Sigflow ftp
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
community_id |
network.community_id |
modified |
dest_ip |
destination.ip |
modified |
dest_port |
destination.port |
modified |
ether.dest_mac |
destination.mac |
modified |
ether.src_mac |
source.mac |
modified |
event_type |
hardly_modified |
|
flow_id |
network.flow_id |
modified |
ftp.completion_code[0] |
ftp.completion_code[0] |
same |
ftp.reply_received |
ftp.reply_received |
same |
ftp.reply_truncated |
ftp.reply_truncated |
same |
ftp.reply[0] |
ftp.reply[0] |
same |
gcap |
observer.gcap.hostname |
modified |
gcenter |
observer.hostname |
modified |
host |
removed |
|
in_iface |
observer.gcap.ingress.interface.name |
modified |
proto |
network.transport |
modified |
src_ip |
source.ip |
modified |
src_port |
source.port |
modified |
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
tx_id |
network.tx_id |
modified |
type |
removed |
|
uuid |
observer.uuid |
modified |
ecs.version |
added |
|
event.dataset |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.id |
added |
|
event.kind |
added |
|
network.protocol |
added |
|
network.timestamp |
added |
|
observer.gcap.version |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
9.3.15. Sigflow ftp data
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
community_id |
network.community_id |
modified |
dest_ip |
destination.ip |
modified |
dest_port |
destination.port |
modified |
ether.dest_mac |
destination.mac |
modified |
ether.src_mac |
source.mac |
modified |
event_type |
hardly_modified |
|
flow_id |
network.flow_id |
modified |
ftp_data.command |
ftp_data.command |
same |
ftp_data.filename |
ftp_data.filename |
same |
gcap |
observer.gcap.hostname |
modified |
gcenter |
observer.hostname |
modified |
host |
removed |
|
in_iface |
observer.gcap.ingress.interface.name |
modified |
parent_id |
parent_id |
same |
proto |
network.transport |
modified |
src_ip |
source.ip |
modified |
src_port |
source.port |
modified |
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
tx_id |
network.tx_id |
modified |
type |
removed |
|
uuid |
observer.uuid |
modified |
ecs.version |
added |
|
event.dataset |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.id |
added |
|
event.kind |
added |
|
network.protocol |
added |
|
network.timestamp |
added |
|
observer.gcap.version |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
9.3.16. Sigflow http
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
community_id |
network.community_id |
modified |
dest_ip |
destination.ip |
modified |
dest_port |
destination.port |
modified |
ether.dest_mac |
destination.mac |
modified |
ether.src_mac |
source.mac |
modified |
event_type |
hardly_modified |
|
flow_id |
network.flow_id |
modified |
gcap |
observer.gcap.hostname |
modified |
gcenter |
observer.hostname |
modified |
host |
removed |
|
http.accept |
http.accept |
same |
http.accept_encoding |
http.accept_encoding |
same |
http.content_type |
http.response.mime_type |
modified |
http.date |
http.date |
same |
http.hostname |
http.hostname |
same |
http.http_content_type |
http.request.mime_type |
modified |
http.http_method |
http.request.method |
modified |
http.http_parsed_user_agent.device |
user_agent.device.name |
modified |
http.http_parsed_user_agent.name |
user_agent.name |
modified |
http.http_parsed_user_agent.os |
user_agent.os.family |
modified |
http.http_parsed_user_agent.os_full |
user_agent.os.full |
modified |
http.http_parsed_user_agent.os_name |
user_agent.os.name |
modified |
http.http_user_agent |
user_agent.original |
modified |
http.last_modified |
http.last_modified |
modified |
http.length |
http.response.bytes |
modified |
http.protocol |
http.version |
modified |
http.server |
http.server |
same |
http.status |
http.response.status |
modified |
http.url |
url.path |
modified |
in_iface |
observer.gcap.ingress.interface.name |
modified |
proto |
network.transport |
modified |
src_ip |
source.ip |
modified |
src_port |
source.port |
modified |
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
tx_id |
network.tx_id |
modified |
type |
removed |
|
uuid |
observer.uuid |
modified |
url.domain |
added |
|
ecs.version |
added |
|
event.dataset |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.id |
added |
|
event.kind |
added |
|
network.protocol |
added |
|
network.timestamp |
added |
|
observer.gcap.version |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
9.3.17. Sigflow http2
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
community_id |
network.community_id |
modified |
dest_ip |
destination.ip |
modified |
dest_port |
destination.port |
modified |
ether.dest_mac |
destination.mac |
modified |
ether.src_mac |
source.mac |
modified |
event_type |
hardly_modified |
|
flow_id |
network.flow_id |
modified |
gcap |
observer.gcap.hostname |
modified |
gcenter |
observer.hostname |
modified |
host |
removed |
|
http.http_method |
http.request.method |
modified |
http.http_parsed_user_agent.device |
user_agent.device.name |
modified |
http.http_parsed_user_agent.name |
user_agent.name |
modified |
http.http_parsed_user_agent.os |
user_agent.os.family |
modified |
http.http_parsed_user_agent.os_full |
user_agent.os.full |
modified |
http.http_parsed_user_agent.os_name |
user_agent.os.name |
modified |
http.http_user_agent |
user_agent.original |
modified |
http.http2.request.priority |
http.http2.request.priority |
same |
http.http2.stream_id |
http.http2.stream_id |
same |
http.length |
http.response.bytes |
modified |
http.request_headers[0].name |
http.request_headers[0].name |
same |
http.request_headers[0].value |
http.request_headers[0].value |
same |
http.request_headers[1].name |
http.request_headers[1].name |
same |
http.request_headers[1].value |
http.request_headers[1].value |
same |
http.response_headers[0].name |
http.response_headers[0].name |
same |
http.response_headers[0].value |
http.response_headers[0].value |
same |
http.response_headers[1].name |
http.response_headers[1].name |
same |
http.response_headers[1].value |
http.response_headers[1].value |
same |
http.status |
http.response.status |
modified |
http.url |
url.path |
modified |
http.version |
http.version |
same |
in_iface |
observer.gcap.ingress.interface.name |
modified |
proto |
network.transport |
modified |
src_ip |
source.ip |
modified |
src_port |
source.port |
modified |
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
tx_id |
network.tx_id |
modified |
type |
removed |
|
uuid |
observer.uuid |
modified |
ecs.version |
added |
|
event.dataset |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.id |
added |
|
event.kind |
added |
|
network.protocol |
added |
|
network.timestamp |
added |
|
observer.gcap.version |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
9.3.18. Sigflow ikev2
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
community_id |
network.community_id |
modified |
dest_ip |
destination.ip |
modified |
dest_port |
destination.port |
modified |
ether.dest_mac |
destination.mac |
modified |
ether.src_mac |
source.mac |
modified |
event_type |
hardly_modified |
|
flow_id |
network.flow_id |
modified |
gcap |
observer.gcap.hostname |
modified |
gcenter |
observer.hostname |
modified |
host |
removed |
|
ikev2.errors |
ikev2.errors |
same |
ikev2.exchange_type |
ikev2.exchange_type |
same |
ikev2.init_spi |
ikev2.init_spi |
same |
ikev2.message_id |
ikev2.message_id |
same |
ikev2.notify[0] |
ikev2.notify[0] |
same |
ikev2.notify[1] |
ikev2.notify[1] |
same |
ikev2.payload[0] |
ikev2.payload[0] |
same |
ikev2.payload[1] |
ikev2.payload[1] |
same |
ikev2.payload[10] |
ikev2.payload[10] |
same |
ikev2.payload[2] |
ikev2.payload[2] |
same |
ikev2.payload[3] |
ikev2.payload[3] |
same |
ikev2.payload[4] |
ikev2.payload[4] |
same |
ikev2.payload[5] |
ikev2.payload[5] |
same |
ikev2.payload[6] |
ikev2.payload[6] |
same |
ikev2.payload[7] |
ikev2.payload[7] |
same |
ikev2.payload[8] |
ikev2.payload[8] |
same |
ikev2.payload[9] |
ikev2.payload[9] |
same |
ikev2.resp_spi |
ikev2.resp_spi |
same |
ikev2.role |
ikev2.role |
same |
ikev2.version_major |
ikev2.version_major |
same |
ikev2.version_minor |
ikev2.version_minor |
same |
in_iface |
observer.gcap.ingress.interface.name |
modified |
proto |
network.transport |
modified |
src_ip |
source.ip |
modified |
src_port |
source.port |
modified |
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
type |
removed |
|
uuid |
observer.uuid |
modified |
ecs.version |
added |
|
event.dataset |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.id |
added |
|
event.kind |
added |
|
network.protocol |
added |
|
network.timestamp |
added |
|
observer.gcap.version |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
9.3.19. Sigflow krb5
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
type |
removed |
|
community_id |
network.community_id |
modified |
dest_ip |
destination.ip |
modified |
dest_port |
destination.port |
modified |
ether.dest_mac |
destination.mac |
modified |
ether.src_mac |
source.mac |
modified |
event_type |
hardly_modified |
|
flow_id |
network.flow_id |
modified |
gcap |
observer.gcap.hostname |
modified |
gcenter |
observer.hostname |
modified |
host |
removed |
|
in_iface |
observer.gcap.ingress.interface.name |
modified |
krb5.cname |
krb5.cname |
same |
krb5.encryption |
krb5.encryption |
same |
krb5.msg_type |
krb5.msg_type |
same |
krb5.realm |
krb5.realm |
same |
krb5.sname |
krb5.sname |
same |
krb5.weak_encryption |
krb5.weak_encryption |
same |
proto |
network.transport |
modified |
src_ip |
source.ip |
modified |
src_port |
source.port |
modified |
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
uuid |
observer.uuid |
modified |
ecs.version |
added |
|
event.dataset |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.id |
added |
|
event.kind |
added |
|
network.protocol |
added |
|
network.timestamp |
added |
|
observer.gcap.version |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
9.3.20. Sigflow mqtt
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
dest_ip |
destination.ip |
modified |
dest_port |
destination.port |
modified |
event_type |
hardly_modified |
|
flow_id |
network.flow_id |
modified |
gcap |
observer.gcap.hostname |
modified |
gcenter |
observer.hostname |
modified |
host |
removed |
|
in_iface |
observer.gcap.ingress.interface.name |
modified |
mqtt.connack.dup |
mqtt.connack.dup |
same |
mqtt.connack.qos |
mqtt.connack.qos |
same |
mqtt.connack.retain |
mqtt.connack.retain |
same |
mqtt.connack.return_code |
mqtt.connack.return_code |
same |
mqtt.connack.session_present |
mqtt.connack.session_present |
same |
proto |
network.transport |
modified |
src_ip |
source.ip |
modified |
src_port |
source.port |
modified |
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
type |
removed |
|
uuid |
observer.uuid |
modified |
ecs.version |
added |
|
event.dataset |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.id |
added |
|
event.kind |
added |
|
network.protocol |
added |
|
network.timestamp |
added |
|
observer.gcap.version |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
9.3.21. Sigflow netflow
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
app_proto |
network.protocol |
modified |
community_id |
network.community_id |
modified |
dest_ip |
destination.ip |
modified |
dest_port |
destination.port |
modified |
ether.dest_mac |
ether.dest_macs[0] |
modified |
ether.src_mac |
ether.src_macs[0] |
modified |
event_type |
hardly_modified |
|
flow_id |
network.flow_id |
modified |
gcap |
observer.gcap.hostname |
modified |
gcenter |
observer.hostname |
modified |
host |
removed |
|
in_iface |
observer.gcap.ingress.interface.name |
modified |
netflow.age |
netflow.age |
same |
netflow.bytes |
netflow.bytes |
same |
netflow.end |
netflow.end |
same |
netflow.max_ttl |
netflow.max_ttl |
same |
netflow.min_ttl |
netflow.min_ttl |
same |
netflow.pkts |
netflow.pkts |
same |
netflow.start |
netflow.start |
same |
proto |
network.transport |
modified |
src_ip |
source.ip |
modified |
src_port |
source.port |
modified |
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
type |
removed |
|
uuid |
observer.uuid |
modified |
ecs.version |
added |
|
event.dataset |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.id |
added |
|
event.kind |
added |
|
network.timestamp |
added |
|
observer.gcap.version |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
|
tcp.ack |
added |
|
tcp.syn |
added |
|
tcp.tcp_flags |
added |
|
tcp.psh |
added |
9.3.22. Sigflow nfs
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
community_id |
network.community_id |
modified |
dest_ip |
destination.ip |
modified |
dest_port |
destination.port |
modified |
ether.dest_mac |
destination.mac |
modified |
ether.src_mac |
source.mac |
modified |
event_type |
hardly_modified |
|
flow_id |
network.flow_id |
modified |
gcap |
observer.gcap.hostname |
modified |
gcenter |
observer.hostname |
modified |
host |
removed |
|
in_iface |
observer.gcap.ingress.interface.name |
modified |
nfs.file_tx |
nfs.file_tx |
same |
nfs.filename |
nfs.filename |
same |
nfs.hhash |
nfs.hhash |
same |
nfs.id |
nfs.id |
same |
nfs.procedure |
nfs.procedure |
same |
nfs.status |
nfs.status |
same |
nfs.type |
nfs.type |
same |
nfs.version |
nfs.version |
same |
proto |
network.transport |
modified |
rpc.auth_type |
rpc.auth_type |
same |
rpc.creds.gid |
rpc.creds.gid |
same |
rpc.creds.machine_name |
rpc.creds.machine_name |
same |
rpc.creds.uid |
rpc.creds.uid |
same |
rpc.status |
rpc.status |
same |
rpc.xid |
rpc.xid |
same |
src_ip |
source.ip |
modified |
src_port |
source.port |
modified |
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
type |
removed |
|
uuid |
observer.uuid |
modified |
file.name |
added |
|
ecs.version |
added |
|
event.dataset |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.id |
added |
|
event.kind |
added |
|
network.protocol |
added |
|
network.timestamp |
added |
|
observer.gcap.version |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
9.3.23. Sigflow rdp
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
community_id |
network.community_id |
modified |
dest_ip |
destination.ip |
modified |
dest_port |
destination.port |
modified |
ether.dest_mac |
destination.mac |
modified |
ether.src_mac |
source.mac |
modified |
event_type |
hardly_modified |
|
flow_id |
network.flow_id |
modified |
gcap |
observer.gcap.hostname |
modified |
gcenter |
observer.hostname |
modified |
host |
removed |
|
in_iface |
observer.gcap.ingress.interface.name |
modified |
metadata.flowbits[0] |
metadata.flowbits[0] |
same |
proto |
network.transport |
modified |
rdp.event_type |
rdp.event_type |
same |
rdp.protocol |
rdp.protocol |
same |
rdp.server_supports[0] |
rdp.server_supports[0] |
same |
rdp.server_supports[1] |
rdp.server_supports[1] |
same |
rdp.server_supports[2] |
rdp.server_supports[2] |
same |
rdp.server_supports[3] |
rdp.server_supports[3] |
same |
rdp.tx_id |
rdp.tx_id |
same |
src_ip |
source.ip |
modified |
src_port |
source.port |
modified |
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
type |
removed |
|
uuid |
observer.uuid |
modified |
ecs.version |
added |
|
event.dataset |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.id |
added |
|
event.kind |
added |
|
network.protocol |
added |
|
network.timestamp |
added |
|
observer.gcap.version |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
9.3.24. Sigflow rfb

Note: rfb.authentication.vnc.challenge and rfb.authentication.vnc.response are kept unchanged in 2.5.3.103. Together, a VNC challenge/response pair is generally enough to recover the VNC password offline, so this event type (and any export of it) should be handled as sensitive data.
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
dest_ip |
destination.ip |
modified |
dest_port |
destination.port |
modified |
event_type |
hardly_modified |
|
flow_id |
network.flow_id |
modified |
gcap |
observer.gcap.hostname |
modified |
gcenter |
observer.hostname |
modified |
host |
removed |
|
in_iface |
observer.gcap.ingress.interface.name |
modified |
proto |
network.transport |
modified |
rfb.authentication.security_type |
rfb.authentication.security_type |
same |
rfb.authentication.vnc.challenge |
rfb.authentication.vnc.challenge |
same |
rfb.authentication.vnc.response |
rfb.authentication.vnc.response |
same |
rfb.client_protocol_version.major |
rfb.client_protocol_version.major |
same |
rfb.client_protocol_version.minor |
rfb.client_protocol_version.minor |
same |
rfb.server_protocol_version.major |
rfb.server_protocol_version.major |
same |
rfb.server_protocol_version.minor |
rfb.server_protocol_version.minor |
same |
rfb.server_security_failure_reason |
rfb.server_security_failure_reason |
same |
src_ip |
source.ip |
modified |
src_port |
source.port |
modified |
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
type |
removed |
|
uuid |
observer.uuid |
modified |
ecs.version |
added |
|
event.dataset |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.id |
added |
|
event.kind |
added |
|
network.protocol |
added |
|
network.timestamp |
added |
|
observer.gcap.version |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
9.3.25. Sigflow sip
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
community_id |
network.community_id |
modified |
dest_ip |
destination.ip |
modified |
dest_port |
destination.port |
modified |
ether.dest_mac |
destination.mac |
modified |
ether.src_mac |
source.mac |
modified |
event_type |
hardly_modified |
|
flow_id |
network.flow_id |
modified |
gcap |
observer.gcap.hostname |
modified |
gcenter |
observer.hostname |
modified |
host |
removed |
|
in_iface |
observer.gcap.ingress.interface.name |
modified |
proto |
network.transport |
modified |
sip.method |
sip.method |
same |
sip.request_line |
sip.request_line |
same |
sip.uri |
sip.uri |
same |
sip.version |
sip.version |
same |
src_ip |
source.ip |
modified |
src_port |
source.port |
modified |
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
type |
removed |
|
uuid |
observer.uuid |
modified |
ecs.version |
added |
|
event.dataset |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.id |
added |
|
event.kind |
added |
|
network.protocol |
added |
|
network.timestamp |
added |
|
observer.gcap.version |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
9.3.26. Sigflow SMB
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
community_id |
network.community_id |
modified |
dest_ip |
destination.ip |
modified |
dest_port |
destination.port |
modified |
ether.dest_mac |
destination.mac |
modified |
ether.src_mac |
source.mac |
modified |
event_type |
hardly_modified |
|
flow_id |
network.flow_id |
modified |
gcap |
observer.gcap.hostname |
modified |
gcenter |
observer.hostname |
modified |
host |
removed |
|
in_iface |
observer.gcap.ingress.interface.name |
modified |
proto |
network.transport |
modified |
smb.client_dialects[0] |
smb.client_dialects[0] |
same |
smb.client_dialects[1] |
smb.client_dialects[1] |
same |
smb.client_dialects[2] |
smb.client_dialects[2] |
same |
smb.client_dialects[3] |
smb.client_dialects[3] |
same |
smb.client_dialects[4] |
smb.client_dialects[4] |
same |
smb.client_guid |
smb.client_guid |
same |
smb.command |
smb.command |
same |
smb.dialect |
smb.dialect |
same |
smb.id |
smb.id |
same |
smb.max_read_size |
smb.max_read_size |
same |
smb.max_write_size |
smb.max_write_size |
same |
smb.server_guid |
smb.server_guid |
same |
smb.session_id |
smb.session_id |
same |
smb.status |
smb.status |
same |
smb.status_code |
smb.status_code |
same |
smb.tree_id |
smb.tree_id |
same |
src_ip |
source.ip |
modified |
src_port |
source.port |
modified |
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
type |
removed |
|
uuid |
observer.uuid |
modified |
ecs.version |
added |
|
event.dataset |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.id |
added |
|
event.kind |
added |
|
network.protocol |
added |
|
network.timestamp |
added |
|
observer.gcap.version |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
9.3.27. Sigflow SMTP
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
community_id |
network.community_id |
modified |
dest_ip |
destination.ip |
modified |
dest_port |
destination.port |
modified |
email.attachments[0] |
email.attachments[0] |
same |
email.body_md5 |
email.body_md5 |
same |
email.from |
email.from.address |
modified |
email.message_id |
email.message_id |
same |
email.status |
email.status |
same |
email.subject |
email.subject |
same |
email.subject_md5 |
email.subject_md5 |
same |
email.to[0] |
email.to.address[0] |
modified |
ether.dest_mac |
destination.mac |
modified |
ether.src_mac |
source.mac |
modified |
event_type |
hardly_modified |
|
flow_id |
network.flow_id |
modified |
gcap |
observer.gcap.hostname |
modified |
gcenter |
observer.hostname |
modified |
host |
removed |
|
in_iface |
observer.gcap.ingress.interface.name |
modified |
proto |
network.transport |
modified |
smtp.helo |
smtp.helo |
same |
smtp.mail_from |
smtp.mail_from |
same |
smtp.rcpt_to[0] |
smtp.rcpt_to[0] |
same |
src_ip |
source.ip |
modified |
src_port |
source.port |
modified |
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
tx_id |
network.tx_id |
modified |
type |
removed |
|
uuid |
observer.uuid |
modified |
ecs.version |
added |
|
event.dataset |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.id |
added |
|
event.kind |
added |
|
network.protocol |
added |
|
network.timestamp |
added |
|
observer.gcap.version |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
9.3.28. Sigflow snmp

Note: snmp.community is kept unchanged in 2.5.3.103. It carries the SNMP community string, which acts as a credential for SNMPv1/v2c, so access to this event type (and any export of it) should be restricted accordingly.
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
type |
removed |
|
event_type |
hardly_modified |
|
proto |
network.transport |
modified |
uuid |
observer.uuid |
modified |
src_port |
source.port |
modified |
dest_port |
destination.port |
modified |
src_ip |
source.ip |
modified |
dest_ip |
destination.ip |
modified |
ether.src_mac |
source.mac |
modified |
ether.dest_mac |
destination.mac |
modified |
community_id |
network.community_id |
modified |
in_iface |
observer.gcap.ingress.interface.name |
modified |
gcap |
observer.gcap.hostname |
modified |
host |
removed |
|
gcenter |
observer.hostname |
modified |
flow_id |
network.flow_id |
modified |
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
snmp.vars[0] |
snmp.vars[0] |
same |
snmp.pdu_type |
snmp.pdu_type |
same |
snmp.version |
snmp.version |
same |
snmp.community |
snmp.community |
same |
ecs.version |
added |
|
event.dataset |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.id |
added |
|
event.kind |
added |
|
network.protocol |
added |
|
network.timestamp |
added |
|
observer.gcap.version |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
9.3.29. Sigflow ssh

Note: the table below is identical to the tftp table in section 9.3.30 (it lists tftp.file, tftp.mode, tftp.packet and file.name, and no ssh.* field). It therefore does not describe the ssh event type; the ssh field mapping must be verified against an actual 2.5.3.103 ssh event before any rule, dashboard or parser is migrated.
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
community_id |
network.community_id |
modified |
dest_ip |
destination.ip |
modified |
dest_port |
destination.port |
modified |
ether.dest_mac |
destination.mac |
modified |
ether.src_mac |
source.mac |
modified |
event_type |
hardly_modified |
|
flow_id |
network.flow_id |
modified |
gcap |
observer.gcap.hostname |
modified |
gcenter |
observer.hostname |
modified |
host |
removed |
|
in_iface |
observer.gcap.ingress.interface.name |
modified |
proto |
network.transport |
modified |
src_ip |
source.ip |
modified |
src_port |
source.port |
modified |
tftp.file |
tftp.file |
same |
tftp.mode |
tftp.mode |
same |
tftp.packet |
tftp.packet |
same |
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
type |
removed |
|
uuid |
observer.uuid |
modified |
file.name |
added |
|
ecs.version |
added |
|
event.dataset |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.id |
added |
|
event.kind |
added |
|
network.protocol |
added |
|
network.timestamp |
added |
|
observer.gcap.version |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
9.3.30. Sigflow tftp
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
community_id |
network.community_id |
modified |
dest_ip |
destination.ip |
modified |
dest_port |
destination.port |
modified |
ether.dest_mac |
destination.mac |
modified |
ether.src_mac |
source.mac |
modified |
event_type |
hardly_modified |
|
flow_id |
network.flow_id |
modified |
gcap |
observer.gcap.hostname |
modified |
gcenter |
observer.hostname |
modified |
host |
removed |
|
in_iface |
observer.gcap.ingress.interface.name |
modified |
proto |
network.transport |
modified |
src_ip |
source.ip |
modified |
src_port |
source.port |
modified |
tftp.file |
tftp.file |
same |
tftp.mode |
tftp.mode |
same |
tftp.packet |
tftp.packet |
same |
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
type |
removed |
|
uuid |
observer.uuid |
modified |
file.name |
added |
|
ecs.version |
added |
|
event.dataset |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.id |
added |
|
event.kind |
added |
|
network.protocol |
added |
|
network.timestamp |
added |
|
observer.gcap.version |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |
9.3.31. Sigflow tls
2.5.3.102 |
2.5.3.103 |
state |
---|---|---|
@timestamp |
@timestamp |
same |
@version |
@version |
same |
community_id |
network.community_id |
modified |
dest_ip |
destination.ip |
modified |
dest_port |
destination.port |
modified |
ether.dest_mac |
destination.mac |
modified |
ether.src_mac |
source.mac |
modified |
event_type |
hardly_modified |
|
flow_id |
network.flow_id |
modified |
gcap |
observer.gcap.hostname |
modified |
gcenter |
observer.hostname |
modified |
host |
removed |
|
in_iface |
observer.gcap.ingress.interface.name |
modified |
proto |
network.transport |
modified |
src_ip |
source.ip |
modified |
src_port |
source.port |
modified |
timestamp_analyzed |
hardly_modified |
|
timestamp_detected |
hardly_modified |
|
tls.chain[0] |
tls.server.certificate_chain[0] |
modified |
tls.fingerprint |
tls.server.hash.sha1 |
modified |
tls.notafter |
tls.server.not_after |
modified |
tls.notbefore |
tls.server.not_before |
modified |
tls.subject |
tls.server.subject |
modified |
tls.version |
tls.version |
same |
type |
removed |
|
uuid |
observer.uuid |
modified |
ecs.version |
added |
|
event.dataset |
added |
|
event.module |
added |
|
event.created |
added |
|
event.category[0] |
added |
|
event.id |
added |
|
event.kind |
added |
|
network.protocol |
added |
|
network.timestamp |
added |
|
observer.gcap.version |
added |
|
observer.product |
added |
|
observer.vendor |
added |
|
observer.log_format_version |
added |
|
observer.version |
added |