
Zeek

conn

| Field | Data Type | Example |
|---|---|---|
| SigmaEventCode | string | N/A |
| action | string | blocked |
| app | string | dns |
| bytes | string | |
| bytes_in | string | |
| bytes_out | string | |
| conn_state | string | SHR |
| conn_state_meaning | string | Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator. |
| dest | string | 168.63.129.16 |
| dest_host | string | training1_863ebc76-4615-40a1-bf8b-665d8fd38884 |
| dest_ip | string | 168.63.129.16 |
| dest_mac | string | |
| dest_port | string | |
| direction | string | unknown |
| duration | string | |
| dvc | string | training1_863ebc76-4615-40a1-bf8b-665d8fd38884 |
| extracted_sourcetype | string | bro:conn:json |
| flow_id | string | C1AavVDmVmbvLP4Ze |
| history | string | ^d |
| id.orig_h | string | 10.4.0.9 |
| id.orig_p | string | |
| id.resp_h | string | 168.63.129.16 |
| id.resp_p | string | |
| id_orig_h | string | 10.4.0.9 |
| id_orig_p | integer | 5353 |
| id_resp_h | string | 168.63.129.16 |
| id_resp_p | string | |
| is_broadcast | string | false |
| is_dest_internal_ip | string | false |
| is_src_internal_ip | string | true |
| missed_bytes | string | |
| orig_bytes | integer | 0 |
| orig_ip_bytes | string | |
| orig_pkts | string | |
| packets | string | |
| packets_in | string | |
| packets_out | integer | 0 |
| product | string | OS_Zeek |
| proto | string | udp |
| resp_bytes | string | |
| resp_ip_bytes | string | |
| resp_pkts | integer | 1 |
| sensor_name | string | training1_863ebc76-4615-40a1-bf8b-665d8fd38884 |
| service | string | dns |
| sigma_product | string | zeek |
| sigma_service | string | conn |
| src | string | 10.4.0.9 |
| src_ip | string | 10.4.0.9 |
| src_mac | string | |
| src_port | string | |
| src_user | string | |
| tag::app | string | |
| tcp_flag | string | SHR |
| timeendpos | integer | 24 |
| timestartpos | integer | 6 |
| transport | string | udp |
| ts | string | |
| tunnel_parents | string | |
| uid | string | C1AavVDmVmbvLP4Ze |
| vendor | string | Corelight |
| vendor_action | string | |
| vendor_product | string | OS_Zeek |

dns

| Field | Data Type | Example |
|---|---|---|
| AA | string | false |
| RA | string | true |
| RD | string | false |
| SigmaEventCode | string | N/A |
| TC | string | false |
| TTLs | string | 1800.0 |
| TTLs{} | string | 1800.0 |
| Z | string | |
| answer | string | api-msn-com.a-0003.a-msedge.net |
| answers | string | a-0003.a-msedge.net |
| answers{} | string | a-0003.a-msedge.net |
| bytes | string | |
| dest | string | 168.63.129.16 |
| dest_host | string | training1_863ebc76-4615-40a1-bf8b-665d8fd38884 |
| dest_ip | string | 168.63.129.16 |
| dest_port | string | |
| direction | string | unknown |
| duration | string | |
| dvc | string | training1_863ebc76-4615-40a1-bf8b-665d8fd38884 |
| extracted_sourcetype | string | bro:dns:json |
| flag | string | - |
| flow_id | string | C4TvJf79gFdhJTg9k |
| id.orig_h | string | 10.4.0.9 |
| id.orig_p | string | |
| id.resp_h | string | 168.63.129.16 |
| id.resp_p | integer | 53 |
| id_orig_h | string | 10.4.0.9 |
| id_orig_p | string | |
| id_resp_h | string | 168.63.129.16 |
| id_resp_p | string | |
| is_broadcast | string | false |
| is_dest_internal_ip | string | false |
| is_src_internal_ip | string | true |
| message_type | string | RESPONSE |
| orig_bytes | string | |
| packets | string | |
| product | string | OS_Zeek |
| proto | string | udp |
| qclass | string | |
| qclass_name | string | |
| qtype | string | |
| qtype_name | string | |
| query | string | api.msn.com |
| query_type | string | |
| rcode | string | |
| rcode_name | string | NOERROR |
| record_type | string | |
| rejected | string | false |
| reply_code | string | NOERROR |
| reply_code_id | string | |
| resp_bytes | string | |
| sensor_name | string | training1_863ebc76-4615-40a1-bf8b-665d8fd38884 |
| sigma_product | string | zeek |
| sigma_service | string | dns |
| src | string | 10.4.0.9 |
| src_ip | string | 10.4.0.9 |
| src_mac | string | |
| src_port | string | |
| src_user | string | |
| status | string | NOERROR |
| timeendpos | integer | 24 |
| timestartpos | integer | 6 |
| trans_id | string | |
| transport | string | udp |
| ts | string | |
| uid | string | C4TvJf79gFdhJTg9k |
| vendor | string | Corelight |
| vendor_action | string | |
| vendor_product | string | OS_Zeek |
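The conn and dns tables above show how a raw Zeek JSON record is flattened before it reaches these field names: the dotted `id.orig_h`/`id.resp_h` keys are duplicated under the underscored spelling and under src/dest aliases, set-valued Zeek fields appear both joined under the plain name and element-wise under the `name{}` spelling, and the `extracted_sourcetype`, `sigma_product` and `sigma_service` routing fields derive from the Zeek log stream name. The following Python is an added example of that normalization together with a Sigma-style field match run over it; it is not code from this page, from Zeek or from Corelight. The alias map, the RFC 1918 rule behind `is_src_internal_ip`/`is_dest_internal_ip`, the broadcast test and the two sample log lines are assumptions constructed for the example.

```python
import ipaddress
import json

# Raw Zeek JSON uses the dotted connection-ID keys. The tables expose each one
# under its underscored spelling plus CIM-style aliases (assumed mapping).
ID_ALIASES = {
    "id.orig_h": ("id_orig_h", "src", "src_ip"),
    "id.orig_p": ("id_orig_p", "src_port"),
    "id.resp_h": ("id_resp_h", "dest", "dest_ip"),
    "id.resp_p": ("id_resp_p", "dest_port"),
}
# One-to-one renames inferred from the conn and dns tables (assumed mapping).
EXTRA_ALIASES = {
    "uid": ("flow_id",),
    "proto": ("transport",),
    "service": ("app",),
    "conn_state": ("tcp_flag",),
    "rcode_name": ("reply_code", "status"),
}


def is_internal(ip_text):
    """RFC 1918 / loopback / link-local counts as internal; unparsable -> False."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def normalize(line, log_name, sensor_name):
    """Flatten one Zeek JSON line from log stream `log_name` ("conn", "dns", ...)
    into the field names used in the tables. The original keys are kept too."""
    rec = json.loads(line)
    out = dict(rec)
    for key, aliases in {**ID_ALIASES, **EXTRA_ALIASES}.items():
        if key in rec:
            for alias in aliases:
                out[alias] = rec[key]
    # Multi-valued Zeek fields (set/vector) are carried twice: joined into one
    # string under the plain name and element-wise under the `name{}` spelling.
    for key, value in rec.items():
        if isinstance(value, list):
            out[key + "{}"] = list(value)
            out[key] = ",".join(str(v) for v in value)
    out["extracted_sourcetype"] = f"bro:{log_name}:json"
    out["sigma_product"] = "zeek"
    out["sigma_service"] = log_name
    out["sensor_name"] = out["dvc"] = sensor_name
    out["product"] = out["vendor_product"] = "OS_Zeek"
    out["vendor"] = "Corelight"
    out["is_src_internal_ip"] = is_internal(rec.get("id.orig_h", ""))
    out["is_dest_internal_ip"] = is_internal(rec.get("id.resp_h", ""))
    # Assumption: only the limited-broadcast address is treated as broadcast.
    out["is_broadcast"] = rec.get("id.resp_h") == "255.255.255.255"
    return out


def matches(event, rule):
    """AND of field == value; for `name{}` list fields, membership of the value."""
    for field, want in rule.items():
        have = event.get(field)
        if isinstance(have, list):
            if want not in have:
                return False
        elif have != want:
            return False
    return True


def search(raw_logs, rule, sensor_name="training1"):
    """raw_logs: iterable of (log_name, json_line). Returns the matching uids."""
    hits = []
    for log_name, line in raw_logs:
        event = normalize(line, log_name, sensor_name)
        if matches(event, rule):
            hits.append(event["uid"])
    return hits


# Constructed sample lines mirroring the conn and dns examples in the tables;
# they are not captured traffic from the sensor named there.
SAMPLE_LOGS = [
    ("conn", json.dumps({
        "ts": 1659017781.684792, "uid": "C1AavVDmVmbvLP4Ze",
        "id.orig_h": "10.4.0.9", "id.orig_p": 5353,
        "id.resp_h": "168.63.129.16", "id.resp_p": 53,
        "proto": "udp", "service": "dns", "conn_state": "SHR",
        "history": "^d", "orig_bytes": 0, "resp_pkts": 1})),
    ("dns", json.dumps({
        "ts": 1659017781.684792, "uid": "C4TvJf79gFdhJTg9k",
        "id.orig_h": "10.4.0.9", "id.orig_p": 5353,
        "id.resp_h": "168.63.129.16", "id.resp_p": 53,
        "proto": "udp", "query": "api.msn.com", "rcode_name": "NOERROR",
        "AA": False, "TC": False, "RD": False, "RA": True, "rejected": False,
        "answers": ["a-0003.a-msedge.net"], "TTLs": [1800.0]})),
]

# A rule written against the flattened names, including a `{}` list field.
RULE_DNS_ANSWER = {"sigma_service": "dns", "answers{}": "a-0003.a-msedge.net"}

if __name__ == "__main__":
    print(search(SAMPLE_LOGS, RULE_DNS_ANSWER))  # ['C4TvJf79gFdhJTg9k']
```

Because the tables type nearly everything as `string`, rules that compare ports or byte counts numerically should be written against the `integer` columns (`id_orig_p`, `id_resp_p`, `orig_bytes`, `resp_pkts`) rather than the dotted originals, which this normalizer leaves in whatever type the Zeek JSON carried.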

files

| Field | Data Type | Example |
|---|---|---|
| SigmaEventCode | string | N/A |
| analyzers | string | MD5 |
| analyzers{} | string | MD5 |
| attachment_type | string | application/xml |
| bytes | string | |
| conn_uids{} | string | CMnzf532CBAZEeij66 |
| depth | string | |
| dest | string | |
| dest_host | string | training1_863ebc76-4615-40a1-bf8b-665d8fd38884 |
| dest_ip | string | |
| dest_port | string | |
| direction | string | unknown |
| duration | string | |
| dvc | string | training1_863ebc76-4615-40a1-bf8b-665d8fd38884 |
| extracted_sourcetype | string | bro:files:json |
| file_name | string | |
| file_size | string | |
| filename | string | |
| flow_id | string | |
| fuid | string | F0GvPSUyV82IRALae |
| id_orig_h | string | |
| id_orig_p | string | |
| id_resp_h | string | |
| id_resp_p | string | |
| is_broadcast | string | false |
| is_dest_internal_ip | string | false |
| is_orig | string | false |
| is_src_internal_ip | string | false |
| md5 | string | 698f3429caa63f565346cb595984271b |
| mime_type | string | application/xml |
| missing_bytes | integer | 0 |
| object | string | |
| orig_bytes | string | |
| overflow_bytes | string | |
| packets | string | |
| product | string | OS_Zeek |
| resp_bytes | string | |
| rx_hosts | string | 10.4.0.9 |
| rx_hosts{} | string | 10.4.0.9 |
| seen_bytes | string | |
| sensor_name | string | training1_863ebc76-4615-40a1-bf8b-665d8fd38884 |
| sha1 | string | ece51dc9488804822ee3960c01710c12a8d68433 |
| sha256 | string | |
| sigma_product | string | zeek |
| sigma_service | string | files |
| src | string | |
| src_host | string | 168.63.129.16 |
| src_ip | string | |
| src_mac | string | |
| src_port | string | |
| src_user | string | |
| timedout | string | false |
| timeendpos | integer | 24 |
| timestartpos | integer | 6 |
| total_bytes | string | |
| transport | string | |
| ts | string | |
| tx_hosts | string | 168.63.129.16 |
| tx_hosts{} | string | 168.63.129.16 |
| vendor | string | Corelight |
| vendor_action | string | |
| vendor_product | string | OS_Zeek |

http

| Field | Data Type | Example |
|---|---|---|
| SigmaEventCode | string | N/A |
| bytes | string | |
| bytes_in | string | |
| bytes_out | string | |
| dest | string | 168.63.129.16 |
| dest_host | string | training1_863ebc76-4615-40a1-bf8b-665d8fd38884 |
| dest_ip | string | 168.63.129.16 |
| dest_port | integer | 80 |
| direction | string | unknown |
| duration | string | |
| dvc | string | training1_863ebc76-4615-40a1-bf8b-665d8fd38884 |
| extracted_sourcetype | string | bro:http:json |
| flow_id | string | CMnzf532CBAZEeij66 |
| http_content_type | string | application/xml |
| http_method | string | |
| http_referrer | string | |
| http_user_agent | string | |
| http_user_agent_length | string | |
| id.orig_h | string | 10.4.0.9 |
| id.orig_p | string | |
| id.resp_h | string | 168.63.129.16 |
| id.resp_p | string | |
| id_orig_h | string | 10.4.0.9 |
| id_orig_p | string | |
| id_resp_h | string | 168.63.129.16 |
| id_resp_p | integer | 80 |
| info_code | integer | 100 |
| info_msg | string | Continue |
| is_broadcast | string | false |
| is_dest_internal_ip | string | false |
| is_src_internal_ip | string | true |
| orig_bytes | string | |
| orig_fuids | string | |
| orig_mime_types | string | |
| packets | string | |
| product | string | OS_Zeek |
| request_body_len | string | |
| resp_bytes | string | |
| resp_filenames{} | string | |
| resp_fuids | string | F0GvPSUyV82IRALae |
| resp_fuids{} | string | F0GvPSUyV82IRALae |
| resp_mime_types | string | application/xml |
| resp_mime_types{} | string | application/xml |
| response_body_len | string | |
| sensor_name | string | training1_863ebc76-4615-40a1-bf8b-665d8fd38884 |
| server_header_names{} | string | DATE |
| server_header_values{} | string | Microsoft-IIS/10.0 |
| sigma_product | string | zeek |
| sigma_service | string | http |
| site | string | |
| src | string | 10.4.0.9 |
| src_ip | string | 10.4.0.9 |
| src_mac | string | |
| src_port | string | |
| src_user | string | |
| status | string | |
| status_code | string | |
| status_msg | string | OK |
| tags | string | |
| timeendpos | integer | 24 |
| timestartpos | integer | 6 |
| trans_depth | string | |
| ts | integer | 1659017781.684792 |
| uid | string | CMnzf532CBAZEeij66 |
| uri | string | |
| uri_path | string | |
| url | string | |
| user | string | |
| vendor | string | Corelight |
| vendor_action | string | |
| vendor_product | string | OS_Zeek |
| version | string | |
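The files and http tables share identifiers: the files record's `conn_uids{}` holds the http record's `uid` (CMnzf532CBAZEeij66 in both examples), and its `fuid` (F0GvPSUyV82IRALae) appears in the http record's `resp_fuids{}`; an uploaded file would instead appear in `orig_fuids`. The following Python is an added example of pivoting on those ids to attach a URL and a transfer direction to each file hash, with a fallback to the connection id when the fuid is not referenced; it is not code from this page or from Zeek. The two files records and the http record are constructed to reuse the identifiers shown above; the `host`, `uri`, and the second file's ids and addresses are invented for the example.

```python
# Constructed records that reuse the ids from the http and files tables; the
# host/uri and the second file (FaBcDe1234567890ab) are invented for the example.
HTTP_LOG = [
    {"ts": 1659017781.684792, "uid": "CMnzf532CBAZEeij66",
     "id.orig_h": "10.4.0.9", "id.resp_h": "168.63.129.16", "id.resp_p": 80,
     "method": "GET", "host": "168.63.129.16", "uri": "/status.xml",
     "status_code": 200,
     "resp_fuids": ["F0GvPSUyV82IRALae"], "resp_mime_types": ["application/xml"]},
]
FILES_LOG = [
    {"ts": 1659017781.7, "fuid": "F0GvPSUyV82IRALae",
     "conn_uids": ["CMnzf532CBAZEeij66"],
     "tx_hosts": ["168.63.129.16"], "rx_hosts": ["10.4.0.9"],
     "mime_type": "application/xml", "is_orig": False,
     "md5": "698f3429caa63f565346cb595984271b",
     "sha1": "ece51dc9488804822ee3960c01710c12a8d68433"},
    # A file seen on a connection with no http record (e.g. carried over SMB);
    # no hash analyzers were attached, so md5/sha1 are absent.
    {"ts": 1659017790.0, "fuid": "FaBcDe1234567890ab",
     "conn_uids": ["CzZzZz9876543210zz"],
     "tx_hosts": ["192.168.2.5"], "rx_hosts": ["192.168.2.4"],
     "mime_type": "application/x-dosexec", "is_orig": True,
     "md5": None, "sha1": None},
]


def index_http_by_fuid(http_records):
    """Map every file id referenced by an http record (request or response
    side) back to that record, so a files entry can be pivoted to its URL."""
    idx = {}
    for rec in http_records:
        for side in ("orig_fuids", "resp_fuids"):
            for fuid in rec.get(side) or []:
                idx[fuid] = (side, rec)
    return idx


def correlate(files_records, http_records):
    """Join files.log to http.log through fuid, then conn uid. Returns one flat
    row per file; the http-derived fields are None when nothing references it."""
    by_fuid = index_http_by_fuid(http_records)
    by_uid = {r["uid"]: r for r in http_records}
    rows = []
    for f in files_records:
        side, h = by_fuid.get(f["fuid"], (None, None))
        if h is None:
            # Fall back to the connection id: a file can span several
            # connections (conn_uids is a set), any of which may be http.
            h = next((by_uid[u] for u in f.get("conn_uids") or [] if u in by_uid), None)
        rows.append({
            "fuid": f["fuid"],
            "flow_id": (f.get("conn_uids") or [None])[0],
            # tx_hosts sent the bytes, rx_hosts received them (files table).
            "src_ip": (f.get("tx_hosts") or [None])[0],
            "dest_ip": (f.get("rx_hosts") or [None])[0],
            "mime_type": f.get("mime_type"),
            "sha1": f.get("sha1"),
            "file_direction": {"resp_fuids": "download", "orig_fuids": "upload"}.get(side),
            "http_method": h.get("method") if h else None,
            "url": f"http://{h.get('host', '')}{h.get('uri', '')}" if h else None,
        })
    return rows


def files_without_http(rows):
    """fuids that could not be tied to an http record; worth a second look
    against smb_mapping/ssl rather than being dropped."""
    return [r["fuid"] for r in rows if r["url"] is None]


if __name__ == "__main__":
    for row in correlate(FILES_LOG, HTTP_LOG):
        print(row)
```

The join is keyed on the Zeek ids rather than on addresses and timestamps because `conn_uids{}` and `resp_fuids{}` are sets: one file can be delivered across several connections, and one HTTP transaction can carry several files, so a 5-tuple join would silently merge or drop rows.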

kerberos

| Field | Data Type | Example |
|---|---|---|
| SigmaEventCode | string | N/A |
| cipher | string | aes256-cts-hmac-sha1-96 |
| client | string | cliken/DOAZLAB.COM |
| client_cert_fuid | string | Fckzyp3ju8pWwwuSjg |
| client_cert_subject | string | CN=DC01.snapattack.labs |
| dest | string | 192.168.2.4 |
| dest_host | string | MXS01_1cf1eaad-5309-48f3-8267-e0771669f5c0 |
| dest_ip | string | 192.168.2.4 |
| dest_port | integer | 88 |
| direction | string | unknown |
| dvc | string | MXS01_1cf1eaad-5309-48f3-8267-e0771669f5c0 |
| error_msg | string | KDC_ERR_PREAUTH_REQUIRED |
| extracted_sourcetype | string | bro:kerberos:json |
| flow_id | string | C2VgwU1wCMib6aiskb |
| forwardable | string | true |
| id.orig_h | string | 192.168.2.5 |
| id.orig_p | integer | 51428 |
| id.resp_h | string | 192.168.2.4 |
| id.resp_p | integer | 88 |
| id_orig_h | string | 192.168.2.5 |
| id_orig_p | integer | 51428 |
| id_resp_h | string | 192.168.2.4 |
| id_resp_p | integer | 88 |
| is_broadcast | string | false |
| is_dest_internal_ip | string | true |
| is_src_internal_ip | string | true |
| product | string | OS_Zeek |
| renewable | string | true |
| request_type | string | TGS |
| sensor_name | string | MXS01_1cf1eaad-5309-48f3-8267-e0771669f5c0 |
| service | string | krbtgt/SNAPATTACK.LOCAL |
| sigma_product | string | zeek |
| sigma_service | string | kerberos |
| src | string | 192.168.2.5 |
| src_ip | string | 192.168.2.5 |
| src_port | integer | 51428 |
| success | string | true |
| till | integer | 2136422885.0 |
| timeendpos | integer | 24 |
| timestartpos | integer | 6 |
| ts | integer | 1651772689.062886 |
| uid | string | C2VgwU1wCMib6aiskb |
| vendor | string | Corelight |
| vendor_product | string | OS_Zeek |

notice

| Field | Data Type | Example |
|---|---|---|
| SigmaEventCode | string | N/A |
| actions{} | string | Notice::ACTION_LOG |
| category | string | CaptureLoss::Too_Little_Traffic |
| dest | string | 52.184.214.53 |
| dest_host | string | DC01_a546dfa7-ead5-45f6-9952-1cdcdb223153 |
| dest_ip | string | 52.184.214.53 |
| dest_port | integer | 443 |
| direction | string | unknown |
| dst | string | 52.184.214.53 |
| dvc | string | DC01_a546dfa7-ead5-45f6-9952-1cdcdb223153 |
| extracted_sourcetype | string | bro:notice:json |
| flow_id | string | C6iH6r4cf1evrwtiMj |
| fuid | string | F0E2ZGlkDl4V0TKp7 |
| id | string | C6iH6r4cf1evrwtiMj |
| id.orig_h | string | 192.168.2.4 |
| id.orig_p | integer | 62064 |
| id.resp_h | string | 52.184.214.53 |
| id.resp_p | integer | 443 |
| id_orig_h | string | 192.168.2.4 |
| id_orig_p | integer | 62064 |
| id_resp_h | string | 52.184.214.53 |
| id_resp_p | integer | 443 |
| ids_type | string | network |
| is_broadcast | string | false |
| is_dest_internal_ip | string | false |
| is_src_internal_ip | string | false |
| msg | string | Only observed 0 TCP ACKs and was expecting at least 1. |
| note | string | CaptureLoss::Too_Little_Traffic |
| p | integer | 443 |
| product | string | OS_Zeek |
| proto | string | tcp |
| sensor_name | string | DC01_a546dfa7-ead5-45f6-9952-1cdcdb223153 |
| sigma_product | string | zeek |
| sigma_service | string | notice |
| src | string | 192.168.2.4 |
| src_ip | string | 192.168.2.4 |
| src_port | integer | 62064 |
| sub | string | CN=*.prod.do.dsp.mp.microsoft.com,OU=DSP,O=Microsoft,L=Redmond,ST=WA,C=US |
| suppress_for | integer | 3600.0 |
| timeendpos | integer | 24 |
| timestartpos | integer | 6 |
| ts | integer | 1659017776.500783 |
| type | string | alert |
| uid | string | C6iH6r4cf1evrwtiMj |
| vendor | string | Corelight |
| vendor_product | string | OS_Zeek |

ntlm

| Field | Data Type | Example |
|---|---|---|
| SigmaEventCode | string | N/A |
| dest | string | 192.168.2.4 |
| dest_host | string | WS05_0f87e8cc-d88e-4da4-ac63-2d5033454418 |
| dest_ip | string | 192.168.2.4 |
| dest_port | integer | 445 |
| direction | string | unknown |
| domainname | string | doazlab.com |
| dvc | string | WS05_0f87e8cc-d88e-4da4-ac63-2d5033454418 |
| extracted_sourcetype | string | bro:ntlm:json |
| flow_id | string | C1jczb2XeVCgfe6jDc |
| hostname | string | attack-vm |
| id.orig_h | string | 10.0.0.5 |
| id.orig_p | integer | 50043 |
| id.resp_h | string | 192.168.2.4 |
| id.resp_p | integer | 445 |
| id_orig_h | string | 10.0.0.5 |
| id_orig_p | integer | 50043 |
| id_resp_h | string | 192.168.2.4 |
| id_resp_p | integer | 445 |
| is_broadcast | string | false |
| is_dest_internal_ip | string | true |
| is_src_internal_ip | string | true |
| product | string | OS_Zeek |
| sensor_name | string | WS05_0f87e8cc-d88e-4da4-ac63-2d5033454418 |
| server_dns_computer_name | string | DC01.doazlab.com |
| server_nb_computer_name | string | DC01 |
| server_tree_name | string | doazlab.com |
| sigma_product | string | zeek |
| sigma_service | string | ntlm |
| src | string | 10.0.0.5 |
| src_ip | string | 10.0.0.5 |
| src_port | integer | 50043 |
| success | string | true |
| timeendpos | integer | 24 |
| timestartpos | integer | 6 |
| ts | integer | 1655982189.868662 |
| uid | string | C1jczb2XeVCgfe6jDc |
| username | string | doadmin |
| vendor | string | Corelight |
| vendor_product | string | OS_Zeek |

ntp

| Field | Data Type | Example |
|---|---|---|
| SigmaEventCode | string | N/A |
| dest | string | 198.199.14.19 |
| dest_host | string | arrakis_08a9a470-8047-4cc1-8a65-6d2e73795ac7 |
| dest_ip | string | 198.199.14.19 |
| dest_port | integer | 123 |
| direction | string | unknown |
| dvc | string | arrakis_08a9a470-8047-4cc1-8a65-6d2e73795ac7 |
| extracted_sourcetype | string | bro:ntp:json |
| flow_id | string | C11ALk1ydz9X9bF7v2 |
| id.orig_h | string | 192.168.0.4 |
| id.orig_p | integer | 35282 |
| id.resp_h | string | 198.199.14.19 |
| id.resp_p | integer | 123 |
| id_orig_h | string | 192.168.0.4 |
| id_orig_p | integer | 35282 |
| id_resp_h | string | 198.199.14.19 |
| id_resp_p | integer | 123 |
| is_broadcast | string | false |
| is_dest_internal_ip | string | false |
| is_src_internal_ip | string | true |
| mode | integer | 4 |
| num_exts | integer | 0 |
| org_time | integer | 0.0 |
| poll | integer | 1.0 |
| precision | integer | 1.0 |
| product | string | OS_Zeek |
| rec_time | integer | 0.0 |
| ref_id | string | \x00\x00\x00\x00 |
| ref_time | integer | 0.0 |
| root_delay | integer | 0.0 |
| root_disp | integer | 0.0 |
| sensor_name | string | arrakis_08a9a470-8047-4cc1-8a65-6d2e73795ac7 |
| sigma_product | string | zeek |
| sigma_service | string | ntp |
| src | string | 192.168.0.4 |
| src_ip | string | 192.168.0.4 |
| src_port | integer | 35282 |
| stratum | integer | 2 |
| timeendpos | integer | 24 |
| timestartpos | integer | 6 |
| ts | integer | 1653669673.177138 |
| uid | string | C11ALk1ydz9X9bF7v2 |
| vendor | string | Corelight |
| vendor_product | string | OS_Zeek |
| version | integer | 4 |
| xmt_time | integer | 1656428747.1463368 |

ocsp

| Field | Data Type | Example |
|---|---|---|
| SigmaEventCode | string | N/A |
| certStatus | string | good |
| dest_host | string | training1_ef889815-d193-4402-a9f1-92883f284f0d |
| direction | string | unknown |
| dvc | string | training1_ef889815-d193-4402-a9f1-92883f284f0d |
| extracted_sourcetype | string | bro:ocsp:json |
| hashAlgorithm | string | sha1 |
| id | string | F0pgoF18LDSI45EQjl |
| is_broadcast | string | false |
| is_dest_internal_ip | string | false |
| is_src_internal_ip | string | false |
| issuerKeyHash | string | B5760C3011CEC792424D4CC75C2CC8A90CE80B64 |
| issuerNameHash | string | 521EE36C478119A9CB03FAB74E57E1197AF1818B |
| nextUpdate | integer | 1659027698.0 |
| product | string | OS_Zeek |
| sensor_name | string | training1_ef889815-d193-4402-a9f1-92883f284f0d |
| serialNumber | string | 1200195757FED8945454F09DD9000000195757 |
| sigma_product | string | zeek |
| sigma_service | string | ocsp |
| thisUpdate | integer | 1658682098.0 |
| timeendpos | integer | 24 |
| timestartpos | integer | 6 |
| ts | integer | 1658856773.638457 |
| vendor | string | Corelight |
| vendor_product | string | OS_Zeek |

packet_filter

| Field | Data Type |
|---|---|
| bytes | string |
| dest | string |
| dest_host | string |
| dest_ip | string |
| dest_port | string |
| direction | string |
| duration | string |
| dvc | string |
| extracted_sourcetype | string |
| filter | string |
| flow_id | string |
| id_orig_h | string |
| id_orig_p | string |
| id_resp_h | string |
| id_resp_p | string |
| init | string |
| is_broadcast | string |
| is_dest_internal_ip | string |
| is_src_internal_ip | string |
| node | string |
| orig_bytes | string |
| packets | string |
| product | string |
| resp_bytes | string |
| sensor_name | string |
| src | string |
| src_ip | string |
| src_mac | string |
| src_port | string |
| src_user | string |
| success | string |
| ts | string |
| vendor | string |
| vendor_action | string |
| vendor_product | string |

pe

| Field | Data Type | Example |
|---|---|---|
| SigmaEventCode | string | N/A |
| bytes | string | |
| compile_ts | string | |
| dest | string | |
| dest_host | string | EC2AMAZ-NNKUICG_cc4532b5-be0c-43f9-8722-40b22f8ad967 |
| dest_ip | string | |
| dest_port | string | |
| direction | string | unknown |
| duration | string | |
| dvc | string | EC2AMAZ-NNKUICG_cc4532b5-be0c-43f9-8722-40b22f8ad967 |
| extracted_sourcetype | string | bro:pe:json |
| flow_id | string | |
| has_cert_table | string | true |
| has_debug_data | string | true |
| has_export_table | string | false |
| has_import_table | string | true |
| id | string | F0Kzyj33XZBarrbX2j |
| id_orig_h | string | |
| id_orig_p | string | |
| id_resp_h | string | |
| id_resp_p | string | |
| is_64bit | string | false |
| is_broadcast | string | false |
| is_dest_internal_ip | string | false |
| is_exe | string | true |
| is_src_internal_ip | string | false |
| machine | string | I386 |
| orig_bytes | string | |
| os | string | Windows XP |
| packets | string | |
| product | string | OS_Zeek |
| resp_bytes | string | |
| section_names{} | string | .data |
| sensor_name | string | EC2AMAZ-NNKUICG_cc4532b5-be0c-43f9-8722-40b22f8ad967 |
| sigma_product | string | zeek |
| sigma_service | string | pe |
| src | string | |
| src_ip | string | |
| src_mac | string | |
| src_port | string | |
| src_user | string | |
| subsystem | string | WINDOWS_GUI |
| timeendpos | integer | 24 |
| timestartpos | integer | 6 |
| ts | string | |
| uses_aslr | string | true |
| uses_code_integrity | string | false |
| uses_dep | string | true |
| uses_seh | string | true |
| vendor | string | Corelight |
| vendor_action | string | |
| vendor_product | string | OS_Zeek |

rdp

| Field | Data Type | Example |
|---|---|---|
| SigmaEventCode | string | N/A |
| cert_count | integer | 0 |
| cookie | string | doadmin |
| dest | string | 192.168.2.4 |
| dest_host | string | DC01_56f56fbd-ff7e-40ec-a48c-aaf004657894 |
| dest_ip | string | 192.168.2.4 |
| dest_port | integer | 3389 |
| direction | string | unknown |
| dvc | string | DC01_56f56fbd-ff7e-40ec-a48c-aaf004657894 |
| extracted_sourcetype | string | bro:rdp:json |
| flow_id | string | C0c4Fh2cVwpsDO0Rhd |
| id.orig_h | string | 10.0.0.5 |
| id.orig_p | integer | 50023 |
| id.resp_h | string | 192.168.2.4 |
| id.resp_p | integer | 3389 |
| id_orig_h | string | 10.0.0.5 |
| id_orig_p | integer | 50023 |
| id_resp_h | string | 192.168.2.4 |
| id_resp_p | integer | 3389 |
| is_broadcast | string | false |
| is_dest_internal_ip | string | true |
| is_src_internal_ip | string | true |
| product | string | OS_Zeek |
| result | string | encrypted |
| security_protocol | string | HYBRID_EX |
| sensor_name | string | DC01_56f56fbd-ff7e-40ec-a48c-aaf004657894 |
| sigma_product | string | zeek |
| sigma_service | string | rdp |
| src | string | 10.0.0.5 |
| src_ip | string | 10.0.0.5 |
| src_port | integer | 50023 |
| timeendpos | integer | 24 |
| timestartpos | integer | 6 |
| ts | integer | 1655808220.723155 |
| uid | string | C0c4Fh2cVwpsDO0Rhd |
| vendor | string | Corelight |
| vendor_product | string | OS_Zeek |

smb_mapping

| Field | Data Type | Example |
|---|---|---|
| SigmaEventCode | string | N/A |
| dest | string | 192.168.2.4 |
| dest_host | string | MXS01_1cf1eaad-5309-48f3-8267-e0771669f5c0 |
| dest_ip | string | 192.168.2.4 |
| dest_port | integer | 445 |
| direction | string | unknown |
| dvc | string | MXS01_1cf1eaad-5309-48f3-8267-e0771669f5c0 |
| extracted_sourcetype | string | bro:smb_mapping:json |
| flow_id | string | CAdHho2QromOAurYu2 |
| id.orig_h | string | 192.168.2.5 |
| id.orig_p | integer | 50800 |
| id.resp_h | string | 192.168.2.4 |
| id.resp_p | integer | 445 |
| id_orig_h | string | 192.168.2.5 |
| id_orig_p | integer | 50800 |
| id_resp_h | string | 192.168.2.4 |
| id_resp_p | integer | 445 |
| is_broadcast | string | false |
| is_dest_internal_ip | string | true |
| is_src_internal_ip | string | true |
| product | string | OS_Zeek |
| sensor_name | string | MXS01_1cf1eaad-5309-48f3-8267-e0771669f5c0 |
| share_type | string | PIPE |
| sigma_product | string | zeek |
| sigma_service | string | smb_mapping |
| src | string | 192.168.2.5 |
| src_ip | string | 192.168.2.5 |
| src_port | integer | 50800 |
| timeendpos | integer | 24 |
| timestartpos | integer | 6 |
| ts | integer | 1651772690.02844 |
| uid | string | CAdHho2QromOAurYu2 |
| vendor | string | Corelight |
| vendor_product | string | OS_Zeek |

smtp

| Field | Data Type | Example |
|---|---|---|
| SigmaEventCode | string | N/A |
| dest | string | 192.168.2.5 |
| dest_host | string | MXS01_ec25d050-3a58-4db1-a8f0-0b397e2cf39a |
| dest_ip | string | 192.168.2.5 |
| dest_port | integer | 25 |
| direction | string | unknown |
| dvc | string | MXS01_ec25d050-3a58-4db1-a8f0-0b397e2cf39a |
| extracted_sourcetype | string | bro:smtp:json |
| flow_id | string | Cff7dv2FgjC2D1iQ85 |
| from | string | user@example.com |
| fuids | string | FmxvOV1iSdBbadxbeg |
| fuids{} | string | FmxvOV1iSdBbadxbeg |
| helo | string | [192.168.2.7] |
| id.orig_h | string | 192.168.2.7 |
| id.orig_p | integer | 49722 |
| id.resp_h | string | 192.168.2.5 |
| id.resp_p | integer | 25 |
| id_orig_h | string | 192.168.2.7 |
| id_orig_p | integer | 49722 |
| id_resp_h | string | 192.168.2.5 |
| id_resp_p | integer | 25 |
| is_broadcast | string | false |
| is_dest_internal_ip | string | true |
| is_src_internal_ip | string | true |
| mailfrom | string | user@example.com |
| orig_recipient | string | snapattack@snapattack.local |
| orig_src | string | 192.168.2.7 |
| path | string | 192.168.2.5 |
| path{} | string | 192.168.2.5 |
| product | string | OS_Zeek |
| protocol | string | smtp |
| rcptto | string | snapattack@snapattack.local |
| rcptto{} | string | snapattack@snapattack.local |
| recipient | string | snapattack@snapattack.local |
| sensor_name | string | MXS01_ec25d050-3a58-4db1-a8f0-0b397e2cf39a |
| sigma_product | string | zeek |
| sigma_service | string | smtp |
| src | string | 192.168.2.7 |
| src_ip | string | 192.168.2.7 |
| src_port | integer | 49722 |
| src_user | string | user@example.com |
| subject | string | 03a5108c89f64c4993c8faf52d4322ca |
| timeendpos | integer | 24 |
| timestartpos | integer | 6 |
| tls | string | false |
| to | string | snapattack@snapattack.local |
| to{} | string | snapattack@snapattack.local |
| trans_depth | integer | 1 |
| ts | integer | 1651603002.616334 |
| uid | string | Cff7dv2FgjC2D1iQ85 |
| vendor | string | Corelight |
| vendor_product | string | OS_Zeek |

ssh

| Field | Data Type | Example |
|---|---|---|
| SigmaEventCode | string | N/A |
| auth_attempts | string | |
| auth_success | string | true |
| bytes | string | |
| cipher_alg | string | chacha20-poly1305@openssh.com |
| client | string | SSH-2.0-paramiko_2.11.0 |
| compression_alg | string | none |
| dest | string | 192.168.0.5 |
| dest_host | string | arrakis_08a9a470-8047-4cc1-8a65-6d2e73795ac7 |
| dest_ip | string | 192.168.0.5 |
| dest_port | string | |
| direction | string | unknown |
| duration | string | |
| dvc | string | arrakis_08a9a470-8047-4cc1-8a65-6d2e73795ac7 |
| extracted_sourcetype | string | bro:ssh:json |
| flow_id | string | C297Jb4tAno0BLRqrh |
| host_key | string | 5f:1c:2f:1a:94:d9:94:74:a5:b5:66:4d:3f:33:af:d6 |
| host_key_alg | string | ssh-ed25519 |
| id.orig_h | string | 10.0.78.86 |
| id.orig_p | string | |
| id.resp_h | string | 192.168.0.5 |
| id.resp_p | string | |
| id_orig_h | string | 10.0.78.86 |
| id_orig_p | string | |
| id_resp_h | string | 192.168.0.5 |
| id_resp_p | string | |
| is_broadcast | string | false |
| is_dest_internal_ip | string | true |
| is_src_internal_ip | string | true |
| kex_alg | string | curve25519-sha256 |
| mac_alg | string | umac-64-etm@openssh.com |
| orig_bytes | string | |
| packets | string | |
| product | string | OS_Zeek |
| resp_bytes | string | |
| sensor_name | string | arrakis_08a9a470-8047-4cc1-8a65-6d2e73795ac7 |
| server | string | SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5 |
| sigma_product | string | zeek |
| sigma_service | string | ssh |
| src | string | 10.0.78.86 |
| src_ip | string | 10.0.78.86 |
| src_mac | string | |
| src_port | string | |
| src_user | string | |
| timeendpos | integer | 24 |
| timestartpos | integer | 6 |
| ts | string | |
| uid | string | C297Jb4tAno0BLRqrh |
| vendor | string | Corelight |
| vendor_action | string | |
| vendor_product | string | OS_Zeek |
| version | integer | 2 |

ssl

| Field | Data Type | Example |
|---|---|---|
| SigmaEventCode | string | N/A |
| bytes | string | |
| cert_chain_fps{} | string | 04eeea8e50b4775b3c24797262917ee50002ec4c75b56cdf3ee1c18cfca5ba52 |
| cert_chain_fuids | string | |
| cert_chain_fuids{} | string | |
| cipher | string | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| client_cert_chain_fuids | string | |
| curve | string | secp384r1 |
| dest | string | 23.218.218.140 |
| dest_host | string | windowsvictim_7db9e240-15f7-410a-8cd9-cc1fa9f3f50a |
| dest_ip | string | 23.218.218.140 |
| dest_port | string | |
| direction | string | unknown |
| duration | string | |
| dvc | string | windowsvictim_7db9e240-15f7-410a-8cd9-cc1fa9f3f50a |
| established | string | false |
| extracted_sourcetype | string | bro:ssl:json |
| flow_id | string | C0CObC1TYbAsiHzrF6 |
| id.orig_h | string | 10.4.0.13 |
| id.orig_p | string | |
| id.resp_h | string | 23.218.218.140 |
| id.resp_p | string | |
| id_orig_h | string | 10.4.0.13 |
| id_orig_p | string | |
| id_resp_h | string | 23.218.218.140 |
| id_resp_p | string | |
| is_broadcast | string | false |
| is_dest_internal_ip | string | false |
| is_src_internal_ip | string | true |
| next_protocol | string | h2 |
| orig_bytes | string | |
| packets | string | |
| product | string | OS_Zeek |
| resp_bytes | string | |
| resumed | string | false |
| sensor_name | string | windowsvictim_7db9e240-15f7-410a-8cd9-cc1fa9f3f50a |
| server_name | string | v10.events.data.microsoft.com |
| sigma_product | string | zeek |
| sigma_service | string | ssl |
| sni_matches_cert | string | true |
| src | string | 10.4.0.13 |
| src_ip | string | 10.4.0.13 |
| src_mac | string | |
| src_port | integer | 50600 |
| src_user | string | |
| ssl_cipher | string | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| ssl_history | string | sxuknti |
| ssl_issuer | string | |
| ssl_subject | string | |
| ssl_subject_common_name | string | v10.events.data.microsoft.com |
| timeendpos | integer | 24 |
| timestartpos | integer | 6 |
| ts | string | |
| uid | string | C0CObC1TYbAsiHzrF6 |
| validation_status | string | ok |
| vendor | string | Corelight |
| vendor_action | string | |
| vendor_product | string | OS_Zeek |
| version | string | TLSv12 |

weird

| Field | Data Type | Example |
|---|---|---|
| SigmaEventCode | string | N/A |
| bytes | string | |
| dest | string | 168.63.129.16 |
| dest_host | string | training1_ef889815-d193-4402-a9f1-92883f284f0d |
| dest_ip | string | 168.63.129.16 |
| dest_port | string | |
| direction | string | unknown |
| duration | string | |
| dvc | string | training1_ef889815-d193-4402-a9f1-92883f284f0d |
| extracted_sourcetype | string | bro:weird:json |
| flow_id | string | CAR81k1SEzGAQeWShi |
| id.orig_h | string | 10.116.55.102 |
| id.orig_p | string | |
| id.resp_h | string | 168.63.129.16 |
| id.resp_p | string | |
| id_orig_h | string | 10.116.55.102 |
| id_orig_p | string | |
| id_resp_h | string | 168.63.129.16 |
| id_resp_p | string | |
| is_broadcast | string | false |
| is_dest_internal_ip | string | false |
| is_src_internal_ip | string | true |
| name | string | ip_hdr_len_zero |
| notice | string | false |
| orig_bytes | string | |
| packets | string | |
| peer | string | zeek |
| product | string | OS_Zeek |
| resp_bytes | string | |
| sensor_name | string | training1_ef889815-d193-4402-a9f1-92883f284f0d |
| sigma_product | string | zeek |
| sigma_service | string | weird |
| src | string | 10.116.55.102 |
| src_ip | string | 10.116.55.102 |
| src_mac | string | |
| src_port | string | |
| src_user | string | |
| timeendpos | integer | 24 |
| timestartpos | integer | 6 |
| ts | string | |
| uid | string | CAR81k1SEzGAQeWShi |
| vendor | string | Corelight |
| vendor_action | string | |
| vendor_product | string | OS_Zeek |

x509

| Field | Data Type | Example |
|---|---|---|
| SigmaEventCode | string | N/A |
| basic_constraints.ca | string | false |
| basic_constraints.path_len | string | |
| bytes | string | |
| certificate.curve | string | prime256v1 |
| certificate.exponent | string | |
| certificate.issuer | string | CN=Microsoft RSA TLS CA 01,O=Microsoft Corporation,C=US |
| certificate.key_alg | string | rsaEncryption |
| certificate.key_length | string | |
| certificate.key_type | string | rsa |
| certificate.not_valid_after | string | |
| certificate.not_valid_before | string | |
| certificate.serial | string | 120018DE2266C1FD345EA9DC9600000018DE22 |
| certificate.sig_alg | string | sha256WithRSAEncryption |
| certificate.subject | string | CN=*.events.data.microsoft.com,OU=WSE,O=Microsoft,L=Redmond,ST=WA,C=US |
| certificate.version | string | |
| client_cert | string | false |
| dest | string | |
| dest_host | string | windowsvictim_7db9e240-15f7-410a-8cd9-cc1fa9f3f50a |
| dest_ip | string | |
| dest_port | string | |
| direction | string | unknown |
| duration | string | |
| dvc | string | windowsvictim_7db9e240-15f7-410a-8cd9-cc1fa9f3f50a |
| extracted_sourcetype | string | bro:x509:json |
| fingerprint | string | 3b6bc7bde4b97cc160b99e4ff4c3b8ecc01f24288e2dd04afa559bb89fbb2ab1 |
| flow_id | string | |
| host_cert | string | true |
| id | string | |
| id_orig_h | string | |
| id_orig_p | string | |
| id_resp_h | string | |
| id_resp_p | string | |
| is_broadcast | string | false |
| is_dest_internal_ip | string | false |
| is_src_internal_ip | string | false |
| orig_bytes | string | |
| packets | string | |
| product | string | OS_Zeek |
| resp_bytes | string | |
| san.dns{} | string | *.events.data.microsoft.com |
| san.ip{} | string | |
| sensor_name | string | windowsvictim_7db9e240-15f7-410a-8cd9-cc1fa9f3f50a |
| sigma_product | string | zeek |
| sigma_service | string | x509 |
| src | string | |
| src_ip | string | |
| src_mac | string | |
| src_port | string | |
| src_user | string | |
| ssl_end_time | integer | 1663880396.0 |
| ssl_issuer | string | CN=Microsoft RSA TLS CA 01,O=Microsoft Corporation,C=US |
| ssl_issuer_organization | string | Microsoft Corporation |
| ssl_publickey_algorithm | string | rsaEncryption |
| ssl_serial | string | 120018DE2266C1FD345EA9DC9600000018DE22 |
| ssl_signature_algorithm | string | sha256WithRSAEncryption |
| ssl_start_time | string | |
| ssl_subject | string | CN=*.events.data.microsoft.com,OU=WSE,O=Microsoft,L=Redmond,ST=WA,C=US |
| ssl_validity_window | string | |
| ssl_version | string | |
| timeendpos | integer | 24 |
| timestartpos | integer | 6 |
| ts | string | |
| vendor | string | Corelight |
| vendor_action | string | |
| vendor_product | string | OS_Zeek |