Network

The network log type records events that happen in a system’s network, such as login attempts and application events.

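The following code snippet contains all the `raw_field` and `ecs` mappings for this log type. Each entry pairs a field name as it appears in the raw log (`raw_field`) with the normalized name it is mapped to (`ecs`). Two points matter when you write or review queries and detections against these fields. First, several distinct raw fields map to the same target: `uri` and `c-uri` both map to `url.path`, `user_agent` and `c-useragent` both map to `user_agent.name`, and `endpoint` and `zeek.dce_rpc.endpoint` both map to `zeek.dce_rpc.endpoint`. Second, the Zeek connection fields `id.orig_h`, `id.resp_h`, and `id.resp_p` map to themselves rather than to `source.ip`, `destination.ip`, and `destination.port`. Address and port data can therefore appear under either set of names, so check both when you need full coverage: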

  1. "mappings": [
  2. {
  3. "raw_field":"action",
  4. "ecs":"netflow.firewall_event"
  5. },
  6. {
  7. "raw_field":"certificate.serial",
  8. "ecs":"zeek.x509.certificate.serial"
  9. },
  10. {
  11. "raw_field":"name",
  12. "ecs":"zeek.smb_files.name"
  13. },
  14. {
  15. "raw_field":"path",
  16. "ecs":"zeek.smb_files.path"
  17. },
  18. {
  19. "raw_field":"dst_port",
  20. "ecs":"destination.port"
  21. },
  22. {
  23. "raw_field":"qtype_name",
  24. "ecs":"zeek.dns.qtype_name"
  25. },
  26. {
  27. "raw_field":"operation",
  28. "ecs":"zeek.dce_rpc.operation"
  29. },
  30. {
  31. "raw_field":"endpoint",
  32. "ecs":"zeek.dce_rpc.endpoint"
  33. },
  34. {
  35. "raw_field":"zeek.dce_rpc.endpoint",
  36. "ecs":"zeek.dce_rpc.endpoint"
  37. },
  38. {
  39. "raw_field":"answers",
  40. "ecs":"zeek.dns.answers"
  41. },
  42. {
  43. "raw_field":"query",
  44. "ecs":"zeek.dns.query"
  45. },
  46. {
  47. "raw_field":"client_header_names",
  48. "ecs":"zeek.http.client_header_names"
  49. },
  50. {
  51. "raw_field":"resp_mime_types",
  52. "ecs":"zeek.http.resp_mime_types"
  53. },
  54. {
  55. "raw_field":"cipher",
  56. "ecs":"zeek.kerberos.cipher"
  57. },
  58. {
  59. "raw_field":"request_type",
  60. "ecs":"zeek.kerberos.request_type"
  61. },
  62. {
  63. "raw_field":"creationTime",
  64. "ecs":"timestamp"
  65. },
  66. {
  67. "raw_field":"method",
  68. "ecs":"http.request.method"
  69. },
  70. {
  71. "raw_field":"id.resp_p",
  72. "ecs":"id.resp_p"
  73. },
  74. {
  75. "raw_field":"blocked",
  76. "ecs":"blocked-flag"
  77. },
  78. {
  79. "raw_field":"id.orig_h",
  80. "ecs":"id.orig_h"
  81. },
  82. {
  83. "raw_field":"Z",
  84. "ecs":"Z-flag"
  85. },
  86. {
  87. "raw_field":"id.resp_h",
  88. "ecs":"id.resp_h"
  89. },
  90. {
  91. "raw_field":"uri",
  92. "ecs":"url.path"
  93. },
  94. {
  95. "raw_field":"c-uri",
  96. "ecs":"url.path"
  97. },
  98. {
  99. "raw_field":"c-useragent",
  100. "ecs":"user_agent.name"
  101. },
  102. {
  103. "raw_field":"status_code",
  104. "ecs":"http.response.status_code"
  105. },
  106. {
  107. "raw_field":"rejected",
  108. "ecs":"rejected"
  109. },
  110. {
  111. "raw_field":"dst_ip",
  112. "ecs":"destination.ip"
  113. },
  114. {
  115. "raw_field":"src_ip",
  116. "ecs":"source.ip"
  117. },
  118. {
  119. "raw_field":"user_agent",
  120. "ecs":"user_agent.name"
  121. },
  122. {
  123. "raw_field":"request_body_len",
  124. "ecs":"http.request.body.bytes"
  125. },
  126. {
  127. "raw_field":"service",
  128. "ecs":"service"
  129. }
  130. ]