diff --git a/arkime/etc/config.ini b/arkime/etc/config.ini
index 4a5ad775c..78c93ac50 100644
--- a/arkime/etc/config.ini
+++ b/arkime/etc/config.ini
@@ -2669,6 +2669,16 @@ zeek.tftp.wrq=db:zeek.tftp.wrq;group:zeek_tftp;kind:termfield;viewerOnly:true;fr
 zeek.tunnel.tunnel_type=db:zeek.tunnel.tunnel_type;group:zeek_tunnel;kind:termfield;viewerOnly:true;friendly:Tunnel Type;help:Tunnel Type
 zeek.tunnel.action=db:zeek.tunnel.action;group:zeek_tunnel;kind:termfield;viewerOnly:true;friendly:Action;help:Action
+# websocket.log
+# https://docs.zeek.org/en/master/scripts/base/protocols/websocket/main.zeek.html#type-WebSocket::Info
+zeek.websocket.host=db:zeek.websocket.host;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket Host;help:Websocket Host
+zeek.websocket.uri=db:zeek.websocket.uri;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket URI;help:Websocket URI
+zeek.websocket.user_agent=db:zeek.websocket.user_agent;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket User Agent;help:Websocket User Agent
+zeek.websocket.subprotocol=db:zeek.websocket.subprotocol;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket Subprotocol;help:Websocket Subprotocol
+zeek.websocket.client_protocols=db:zeek.websocket.client_protocols;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket Client Protocol;help:Websocket Client Protocol
+zeek.websocket.server_extensions=db:zeek.websocket.server_extensions;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket Server Extension;help:Websocket Server Extension
+zeek.websocket.client_extensions=db:zeek.websocket.client_extensions;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket Client Extension;help:Websocket Client Extension
+
 # weird.log
 # https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/weird.zeek.html#type-Weird::Info
 zeek.weird.addl=db:zeek.weird.addl;group:zeek_weird;kind:termfield;viewerOnly:true;friendly:Additional Info;help:Additional Info
@@ -3395,6 +3405,7 @@ o_zeek_tds_rpc=require:zeek.tds_rpc;title:Zeek tds_rpc.log;fields:zeek.tds_rpc.p
 o_zeek_tds_sql_batch=require:zeek.tds_sql_batch;title:Zeek tds_sql_batch.log;fields:zeek.tds_sql_batch.header_type,zeek.tds_sql_batch.query
 o_zeek_tftp=require:zeek.tftp;title:Zeek tftp.log;fields:zeek.tftp.block_acked,zeek.tftp.block_sent,zeek.tftp.error_code,zeek.tftp.error_msg,zeek.tftp.fname,zeek.tftp.mode,zeek.tftp.size,zeek.tftp.uid_data,zeek.tftp.wrq
 o_zeek_tunnel=require:zeek.tunnel;title:Zeek tunnel.log;fields:zeek.tunnel.tunnel_type,zeek.tunnel.action
+o_zeek_websocket=require:zeek.websocket;title:Zeek websocket.log;fields:zeek.websocket.host,zeek.websocket.uri,zeek.websocket.user_agent,zeek.websocket.subprotocol,zeek.websocket.client_protocols,zeek.websocket.server_extensions,zeek.websocket.client_extensions
 o_zeek_weird=require:zeek.weird;title:Zeek weird.log;fields:rule.name,zeek.weird.addl,zeek.weird.notice,zeek.weird.source
 o_zeek_wireguard=require:zeek.wireguard;title:Zeek wireguard.log;fields:zeek.wireguard.established,zeek.wireguard.initiations,zeek.wireguard.responses
 o_zeek_x509=require:zeek.x509;title:Zeek 
x509.log;fields:zeek.x509.certificate_version,zeek.x509.certificate_serial,zeek.x509.certificate_subject.CN,zeek.x509.certificate_subject.C,zeek.x509.certificate_subject.O,zeek.x509.certificate_subject.OU,zeek.x509.certificate_subject.ST,zeek.x509.certificate_subject.SN,zeek.x509.certificate_subject.L,zeek.x509.certificate_subject.DC,zeek.x509.certificate_subject.GN,zeek.x509.certificate_subject.pseudonym,zeek.x509.certificate_subject.serialNumber,zeek.x509.certificate_subject.title,zeek.x509.certificate_subject.initials,zeek.x509.certificate_subject.emailAddress,zeek.x509.certificate_subject.description,zeek.x509.certificate_subject.postalCode,zeek.x509.certificate_subject.street,zeek.x509.certificate_issuer.CN,zeek.x509.certificate_issuer.DC,zeek.x509.certificate_issuer.C,zeek.x509.certificate_issuer.O,zeek.x509.certificate_issuer.OU,zeek.x509.certificate_issuer.ST,zeek.x509.certificate_issuer.SN,zeek.x509.certificate_issuer.L,zeek.x509.certificate_issuer.GN,zeek.x509.certificate_issuer.pseudonym,zeek.x509.certificate_issuer.serialNumber,zeek.x509.certificate_issuer.title,zeek.x509.certificate_issuer.initials,zeek.x509.certificate_issuer.emailAddress,zeek.x509.certificate_not_valid_before,zeek.x509.certificate_not_valid_after,zeek.x509.certificate_key_alg,zeek.x509.certificate_sig_alg,zeek.x509.certificate_key_type,zeek.x509.certificate_key_length,zeek.x509.certificate_exponent,zeek.x509.certificate_curve,zeek.x509.client_cert,zeek.x509.fingerprint,zeek.x509.host_cert,zeek.x509.san_dns,zeek.x509.san_uri,zeek.x509.san_email,zeek.x509.san_ip,zeek.x509.basic_constraints_ca,zeek.x509.basic_constraints_path_len
diff --git a/arkime/wise/source.zeeklogs.js b/arkime/wise/source.zeeklogs.js
index 01b43601b..33e520ca9 100644
--- a/arkime/wise/source.zeeklogs.js
+++ b/arkime/wise/source.zeeklogs.js
@@ -2780,6 +2780,13 @@ class MalcolmSource extends WISESource {
 "zeek.tunnel.action",
 "zeek.tunnel.tunnel_type",
 "zeek.uid",
+ "zeek.websocket.host",
+ "zeek.websocket.uri",
+ "zeek.websocket.user_agent",
+ "zeek.websocket.subprotocol",
+ "zeek.websocket.client_protocols",
+ "zeek.websocket.server_extensions",
+ "zeek.websocket.client_extensions",
 "zeek.weird.addl",
 "zeek.weird.notice",
 "zeek.weird.source",
diff --git a/dashboards/dashboards/b8cf5890-87ed-11ef-ae18-dbcd34795edb.json b/dashboards/dashboards/b8cf5890-87ed-11ef-ae18-dbcd34795edb.json
new file mode 100644
index 000000000..4b78b0072
--- /dev/null
+++ b/dashboards/dashboards/b8cf5890-87ed-11ef-ae18-dbcd34795edb.json
@@ -0,0 +1,421 @@ +{ + "version": "2.17.1", + "objects": [ + { + "id": "b8cf5890-87ed-11ef-ae18-dbcd34795edb", + "type": "dashboard", + "namespaces": [ + "default" + ], + "updated_at": "2024-10-11T17:02:30.091Z", + "version": "WzEwNzAsMV0=", + "attributes": { + "title": "WebSocket", + "hits": 0, + "description": "", + "panelsJSON": "[{\"version\":\"2.17.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":30,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":10,\"i\":\"96fb92c4-8fee-4b32-8e65-f115368a3686\"},\"panelIndex\":\"96fb92c4-8fee-4b32-8e65-f115368a3686\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":10,\"i\":\"8e99a0d5-1955-4263-aa3b-3b07b968e5be\"},\"panelIndex\":\"8e99a0d5-1955-4263-aa3b-3b07b968e5be\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":8,\"y\":10,\"w\":9,\"h\":20,\"i\":\"4a7d9663-6af5-4579-8273-cbf14ee2361f\"},\"panelIndex\":\"4a7d9663-6af5-4579-8273-cbf14ee2361f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":17,\"y\":10,\"w\":11,\"h\":20,\"i\":\"32fc8c0d-5c67-4488-b05c-7a3676194673\"},\"panelIndex\":\"32fc8c0d-5c67-4488-b05c-7a3676194673\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":28,\"y\":10,\"w\":10,\"h\":20,\"i\":\"a1be25ce-d4f3-48ae-b3a5-2f8a1d32bc1b\"},\"panelIndex\":\"a1be25ce-d4f3-48ae-b3a5-2f8a1d32bc1b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":38,\"y\":10,\"w\":10,\"h\":20,\"i\":\"fa514b51-405f-4f2f-a375-ca24ae77481c\"},\"panelIndex\":\"fa514b51-405f-4f2f-a375-ca24ae77481c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":0,\"y\":30,\"w\":24,\"h\":20,\"i\":\"4f37a284-5d04-4d97-a27f-36826d134a6f\"
},\"panelIndex\":\"4f37a284-5d04-4d97-a27f-36826d134a6f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":24,\"y\":30,\"w\":24,\"h\":40,\"i\":\"a2ce753a-13c8-4c13-8782-498e57c63d98\"},\"panelIndex\":\"a2ce753a-13c8-4c13-8782-498e57c63d98\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":0,\"y\":50,\"w\":24,\"h\":20,\"i\":\"c7377072-c314-4e11-b024-e8214b88df52\"},\"panelIndex\":\"c7377072-c314-4e11-b024-e8214b88df52\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":0,\"y\":70,\"w\":48,\"h\":31,\"i\":\"fc52ef3e-1957-41e3-a0a2-5449a4a14739\"},\"panelIndex\":\"fc52ef3e-1957-41e3-a0a2-5449a4a14739\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"}]", + "optionsJSON": "{\"useMargins\":true}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}" + } + }, + "references": [ + { + "name": "panel_0", + "type": "visualization", + "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3" + }, + { + "name": "panel_1", + "type": "visualization", + "id": "8ad18d90-87ee-11ef-ae18-dbcd34795edb" + }, + { + "name": "panel_2", + "type": "visualization", + "id": "f2ef4cf0-87ee-11ef-ae18-dbcd34795edb" + }, + { + "name": "panel_3", + "type": "visualization", + "id": "16f1e5e0-87ef-11ef-ae18-dbcd34795edb" + }, + { + "name": "panel_4", + "type": "visualization", + "id": "45abdf80-87ef-11ef-ae18-dbcd34795edb" + }, + { + "name": "panel_5", + "type": "visualization", + "id": "4fb477b0-87f1-11ef-ae18-dbcd34795edb" + }, + { + "name": "panel_6", + "type": "visualization", + "id": "46127ea0-87f1-11ef-ae18-dbcd34795edb" + }, + { + "name": "panel_7", + "type": "visualization", + "id": "f6560220-87ef-11ef-ae18-dbcd34795edb" + }, + { + 
"name": "panel_8", + "type": "visualization", + "id": "95bbefb0-87ef-11ef-ae18-dbcd34795edb" + }, + { + "name": "panel_9", + "type": "visualization", + "id": "0ba78ca0-87f2-11ef-ae18-dbcd34795edb" + }, + { + "name": "panel_10", + "type": "search", + "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb" + } + ], + "migrationVersion": { + "dashboard": "7.9.3" + } + }, + { + "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2024-10-11T16:19:29.056Z", + "version": "WzkxNywxXQ==", + "attributes": { + "title": "Navigation", + "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● 
[DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● 
[BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + 
"references": [], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "8ad18d90-87ee-11ef-ae18-dbcd34795edb", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2024-10-11T16:33:27.273Z", + "version": "WzEwNTQsMV0=", + "attributes": { + "title": "WebSocket - Log Count", + "visState": "{\"title\":\"WebSocket - Log Count\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}}}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "f2ef4cf0-87ee-11ef-ae18-dbcd34795edb", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2024-10-11T16:36:21.951Z", + "version": "WzEwNTYsMV0=", + "attributes": { + "title": "WebSocket - Logs Over Time", + "visState": "{\"title\":\"WebSocket - Logs Over 
Time\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"timeRange\":{\"from\":\"2020-09-22T13:59:01.098Z\",\"to\":\"2021-09-08T03:14:05.363Z\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb" + } + ], + "migrationVersion": { + 
"visualization": "7.10.0" + } + }, + { + "id": "16f1e5e0-87ef-11ef-ae18-dbcd34795edb", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2024-10-11T16:37:22.366Z", + "version": "WzEwNTgsMV0=", + "attributes": { + "title": "WebSocket - Source IP", + "visState": "{\"title\":\"WebSocket - Source IP\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":1,\"direction\":\"desc\"}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "45abdf80-87ef-11ef-ae18-dbcd34795edb", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2024-10-11T16:38:40.760Z", + "version": "WzEwNTksMV0=", + "attributes": { + "title": "WebSocket - Destination IP", + "visState": "{\"title\":\"WebSocket - Destination 
IP\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":2,\"direction\":\"desc\"}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "4fb477b0-87f1-11ef-ae18-dbcd34795edb", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2024-10-11T16:53:50.300Z", + "version": "WzEwNjYsMV0=", + "attributes": { + "title": "WebSocket - Client Extensions", + "visState": "{\"title\":\"WebSocket - Client 
Extensions\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.websocket.client_extensions\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Client Extensions\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":1,\"direction\":\"desc\"}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "46127ea0-87f1-11ef-ae18-dbcd34795edb", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2024-10-11T16:53:00.426Z", + "version": "WzEwNjQsMV0=", + "attributes": { + "title": "WebSocket - Server Extensions", + "visState": "{\"title\":\"WebSocket - Server Extensions\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.websocket.server_extensions\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Server Extensions\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + 
"uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":1,\"direction\":\"desc\"}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "f6560220-87ef-11ef-ae18-dbcd34795edb", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2024-10-11T16:46:03.481Z", + "version": "WzEwNjMsMV0=", + "attributes": { + "title": "WebSocket - Protocols", + "visState": "{\"title\":\"WebSocket - Protocols\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.websocket.subprotocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Subprotocol\"},\"schema\":\"bucket\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.websocket.client_protocols\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Client Protocol\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":2,\"direction\":\"desc\"}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"zeek.websocket.subprotocol:* OR zeek.websocket.client_protocol:*\",\"language\":\"kuery\"},\"filter\":[]}" + }, + 
"savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "95bbefb0-87ef-11ef-ae18-dbcd34795edb", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2024-10-11T16:40:55.083Z", + "version": "WzEwNjAsMV0=", + "attributes": { + "title": "WebSocket - User Agent Name", + "visState": "{\"title\":\"WebSocket - User Agent Name\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"user_agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"User Agent Name\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square 
root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "0ba78ca0-87f2-11ef-ae18-dbcd34795edb", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2024-10-11T17:02:11.630Z", + "version": "WzEwNjksMV0=", + "attributes": { + "title": "WebSocket - URI", + "visState": "{\"title\":\"WebSocket - URI\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"user_agent.original\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"User 
Agent\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"related.hosts\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Host\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"url.original\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"URI\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":5,\"direction\":\"desc\"}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb", + "type": "search", + "namespaces": [ + "default" + ], + "updated_at": "2024-10-11T16:32:16.552Z", + "version": "WzEwNTMsMV0=", + "attributes": { + "title": "WebSocket - Logs", + "description": "", + "hits": 0, + "columns": [ + "source.ip", + "destination.ip", + "destination.port", + "related.hosts", + "url.original", + "user_agent.original", + "zeek.websocket.subprotocol", + 
"zeek.websocket.client_protocols",
+ "zeek.websocket.client_extensions",
+ "zeek.websocket.server_extensions",
+ "event.id"
+ ],
+ "sort": [],
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:websocket\",\"language\":\"kuery\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30d\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ }
+ },
+ "references": [
+ {
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern",
+ "id": "MALCOLM_NETWORK_INDEX_PATTERN_REPLACER"
+ }
+ ],
+ "migrationVersion": {
+ "search": "7.9.3"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/dashboards/templates/composable/component/zeek.json b/dashboards/templates/composable/component/zeek.json
index 1c8b30860..83b43e30e 100644
--- a/dashboards/templates/composable/component/zeek.json
+++ b/dashboards/templates/composable/component/zeek.json
@@ -611,6 +611,13 @@
 "zeek.tunnel.action": { "type": "keyword" },
 "zeek.tunnel.tunnel_type": { "type": "keyword" },
 "zeek.uid": { "type": "keyword" },
+ "zeek.websocket.host": { "type": "keyword" },
+ "zeek.websocket.uri": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
+ "zeek.websocket.user_agent": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
+ "zeek.websocket.subprotocol": { "type": "keyword" },
+ "zeek.websocket.client_protocols": { "type": "keyword" },
+ "zeek.websocket.server_extensions": { "type": "keyword" },
+ "zeek.websocket.client_extensions": { "type": "keyword" },
 "zeek.weird.addl": { "type": "keyword", "doc_values": false, "ignore_above": 16384, "fields": { "text": { "type": "text", "norms": false } } },
 "zeek.weird.notice": { "type": "keyword" },
 "zeek.weird.source": { "type": "keyword" },
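Review bot: The "WebSocket - Protocols" visualization (id f6560220-87ef-11ef-ae18-dbcd34795edb) filters its searchSourceJSON on `zeek.websocket.client_protocol:*`, but the field this commit maps and indexes everywhere else is `zeek.websocket.client_protocols` (plural), so that OR branch will not match anything and events that carry only client protocols are left out of the table. The query string should read `zeek.websocket.subprotocol:* OR zeek.websocket.client_protocols:*`. Separately, the "User Agent Name" panel aggregates on `user_agent.name`, which presumably depends on a user-agent parsing step downstream of the `user_agent.original` merge added in 1300_zeek_normalize.conf; worth confirming that step runs for websocket events or the panel stays empty.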
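Review bot: `zeek.websocket.host` is mapped as a bare keyword with no `ignore_above`, while the sibling `uri` and `user_agent` entries in the same hunk cap theirs at 16384 and 256. The host value is presumably taken from the client's handshake Host header, so an oversized value would exceed the keyword term-length limit and cause the whole document to be rejected at index time instead of just that field being skipped. Suggest matching the user_agent treatment: `"zeek.websocket.host": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },`. The same consideration applies, more mildly, to the three `*_protocols`/`*_extensions` keyword arrays, which are also peer-supplied strings.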
diff --git a/logstash/maps/zeek_log_ecs_categories.yaml b/logstash/maps/zeek_log_ecs_categories.yaml
index 0c3235d98..cd8883b6b 100644
--- a/logstash/maps/zeek_log_ecs_categories.yaml
+++ b/logstash/maps/zeek_log_ecs_categories.yaml
@@ -102,6 +102,7 @@
 "tds_rpc": ["database", "network"]
 "tds_sql_batch": ["database", "network"]
 "tunnel": ["network"]
+"websocket": ["web", "network"]
 "weird": ["intrusion_detection", "network"]
 "wireguard": ["network"]
 "x509": ["file", "network"]
\ No newline at end of file
diff --git a/logstash/pipelines/zeek/1069_zeek_websocket.conf b/logstash/pipelines/zeek/1069_zeek_websocket.conf
new file mode 100644
index 000000000..14fc61b97
--- /dev/null
+++ b/logstash/pipelines/zeek/1069_zeek_websocket.conf
@@ -0,0 +1,56 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "websocket") {
+ #############################################################################################################################
+ # websocket.log
+ # https://docs.zeek.org/en/master/scripts/base/protocols/websocket/main.zeek.html#type-WebSocket::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_websocket"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][host]} %{[zeek_cols][uri]} %{[zeek_cols][user_agent]} %{[zeek_cols][subprotocol]} %{[zeek_cols][client_protocols]} %{[zeek_cols][server_extensions]} %{[zeek_cols][client_extensions]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_websocket"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_websocket"
+ init => "@zeek_websocket_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'host', 'uri', 'user_agent', 'subprotocol', 'client_protocols', 'server_extensions', 'client_extensions' ]"
+ code => "event.set('[zeek_cols]', @zeek_websocket_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ # zeek says it's a vector, but I'm seeing semicolon-separated as well
+ mutate { id => "mutate_split_zeek_websocket_commas"
+ split => { "[zeek_cols][client_protocols]" => ","
+ "[zeek_cols][server_extensions]" => ","
+ "[zeek_cols][client_extensions]" => "," } }
+ mutate { id => "mutate_split_zeek_websocket_semicolons"
+ split => { "[zeek_cols][client_protocols]" => ";"
+ "[zeek_cols][server_extensions]" => ";"
+ "[zeek_cols][client_extensions]" => ";" } }
+ mutate { id => "mutate_strip_zeek_websocket"
+ strip => [ "[zeek_cols][client_protocols]",
+ "[zeek_cols][server_extensions]",
+
"[zeek_cols][client_extensions]" ] } + + mutate { + id => "mutate_add_field_zeek_service_websocket" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "websocket" + } + } + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1300_zeek_normalize.conf b/logstash/pipelines/zeek/1300_zeek_normalize.conf index c4b77e920..c7b1c8bc2 100644 --- a/logstash/pipelines/zeek/1300_zeek_normalize.conf +++ b/logstash/pipelines/zeek/1300_zeek_normalize.conf @@ -1430,6 +1430,8 @@ filter { merge => { "[user_agent][original]" => "[zeek][sip][user_agent]" } } } if ([zeek][smtp][user_agent]) { mutate { id => "mutate_merge_ecs_useragent_smtp" merge => { "[user_agent][original]" => "[zeek][smtp][user_agent]" } } } + if ([zeek][websocket][user_agent]) { mutate { id => "mutate_merge_ecs_useragent_websocket" + merge => { "[user_agent][original]" => "[zeek][websocket][user_agent]" } } } # Hashes ############################################################################################################ # ECS - various -> related.hash (accumulate all hash/fingerprint fields into related.hash) @@ -1470,6 +1472,9 @@ filter { if ([zeek][smtp][helo]) { mutate { id => "mutate_merge_field_zeek_smtp_helo_related_hosts" merge => { "[related][hosts]" => "[zeek][smtp][helo]" } } } + if ([zeek][websocket][host]) { mutate { id => "mutate_merge_field_zeek_websocket_related_hosts" + merge => { "[related][hosts]" => "[zeek][websocket][host]" } } } + # URLs/URIs ######################################################################################################### # ECS - various -> url.original 
@@ -1499,6 +1504,9 @@ filter { if ([zeek][sip][uri]) { mutate { id => "mutate_merge_field_zeek_sip_uri_url_original" merge => { "[url][original]" => "[zeek][sip][uri]" } } } + if ([zeek][websocket][uri]) { mutate { id => "mutate_merge_field_zeek_websocket_uri_url_original" + merge => { "[url][original]" => "[zeek][websocket][uri]" } } } + if ([zeek][x509][san_uri]) { mutate { id => "mutate_merge_field_zeek_x509_san_uri_url_original" merge => { "[url][original]" => "[zeek][x509][san_uri]" } } }