Sync zeek package with beats

marc-gr · marc-gr · commit 933fdb290b11 · 2021-02-16T14:58:27.000+01:00
diff --git a/packages/zeek/_dev/deploy/docker/sample_logs/http.log b/packages/zeek/_dev/deploy/docker/sample_logs/http.log
@@ -1,2 +1,2 @@
-{"ts":1547687130.172944,"uid":"CCNp8v1SNzY7v9d1Ih","id.orig_h":"10.178.98.102","id.orig_p":62995,"id.resp_h":"17.253.5.203","id.resp_p":80,"trans_depth":1,"method":"GET","host":"ocsp.apple.com","uri":"/ocsp04-aaica02/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFNqvF+Za6oA4ceFRLsAWwEInjUhJBBQx6napI3Sl39T97qDBpp7GEQ4R7AIIUP1IOZZ86ns=","version":"1.1","user_agent":"com.apple.trustd/2.0","request_body_len":0,"response_body_len":3735,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["F5zuip1tSwASjNAHy7"],"resp_mime_types":["application/ocsp-response"]}
+{"ts":1547687130.172944,"uid":"CCNp8v1SNzY7v9d1Ih","id.orig_h":"10.178.98.102","id.orig_p":62995,"id.resp_h":"17.253.5.203","username":"user","id.resp_p":80,"trans_depth":1,"method":"GET","host":"ocsp.apple.com","uri":"/ocsp04-aaica02/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFNqvF+Za6oA4ceFRLsAWwEInjUhJBBQx6napI3Sl39T97qDBpp7GEQ4R7AIIUP1IOZZ86ns=","version":"1.1","user_agent":"com.apple.trustd/2.0","request_body_len":0,"response_body_len":3735,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["F5zuip1tSwASjNAHy7"],"resp_mime_types":["application/ocsp-response"]}
 {"ts":1547707019.757479,"uid":"CMnIaR2V8VXyu7EPs","id.orig_h":"10.20.8.197","id.orig_p":35684,"id.resp_h":"34.206.130.40","id.resp_p":80,"trans_depth":1,"method":"GET","host":"httpbin.org","uri":"/ip","version":"1.1","user_agent":"curl/7.58.0","request_body_len":0,"response_body_len":32,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FwGPlr1GcKUWWdkXoi"],"resp_mime_types":["text/json"]}
diff --git a/packages/zeek/data_stream/capture_loss/agent/stream/log.yml.hbs b/packages/zeek/data_stream/capture_loss/agent/stream/log.yml.hbs
@@ -24,4 +24,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/connection/agent/stream/log.yml.hbs b/packages/zeek/data_stream/connection/agent/stream/log.yml.hbs
@@ -87,4 +87,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/dce_rpc/agent/stream/log.yml.hbs b/packages/zeek/data_stream/dce_rpc/agent/stream/log.yml.hbs
@@ -55,4 +55,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/dhcp/agent/stream/log.yml.hbs b/packages/zeek/data_stream/dhcp/agent/stream/log.yml.hbs
@@ -101,4 +101,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/dnp3/agent/stream/log.yml.hbs b/packages/zeek/data_stream/dnp3/agent/stream/log.yml.hbs
@@ -61,4 +61,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/dns/agent/stream/log.yml.hbs b/packages/zeek/data_stream/dns/agent/stream/log.yml.hbs
@@ -205,4 +205,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/dpd/agent/stream/log.yml.hbs b/packages/zeek/data_stream/dpd/agent/stream/log.yml.hbs
@@ -53,4 +53,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/files/agent/stream/log.yml.hbs b/packages/zeek/data_stream/files/agent/stream/log.yml.hbs
@@ -46,4 +46,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/ftp/agent/stream/log.yml.hbs b/packages/zeek/data_stream/ftp/agent/stream/log.yml.hbs
@@ -75,4 +75,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/http/agent/stream/log.yml.hbs b/packages/zeek/data_stream/http/agent/stream/log.yml.hbs
@@ -62,6 +62,7 @@ processors:
         - {from: "destination.address", to: "destination.ip", type: "ip"}
         - {from: "destination.port", to: "url.port"}
         - {from: "http.request.method", to: "event.action"}
+        - {from: "url.username", to: "user.name"}
       ignore_missing: true
       fail_on_error: false
   - add_fields:
@@ -79,4 +80,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/http/fields/ecs.yml b/packages/zeek/data_stream/http/fields/ecs.yml
@@ -308,3 +308,12 @@
   ignore_above: 1024
   name: user_agent.version
   type: keyword
+- description: Short name or login of the user.
+  ignore_above: 1024
+  multi_fields:
+    - flat_name: user.name.text
+      name: text
+      norms: false
+      type: text
+  name: user.name
+  type: keyword
diff --git a/packages/zeek/data_stream/intel/agent/stream/log.yml.hbs b/packages/zeek/data_stream/intel/agent/stream/log.yml.hbs
@@ -71,4 +71,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/irc/agent/stream/log.yml.hbs b/packages/zeek/data_stream/irc/agent/stream/log.yml.hbs
@@ -66,4 +66,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/kerberos/agent/stream/log.yml.hbs b/packages/zeek/data_stream/kerberos/agent/stream/log.yml.hbs
@@ -89,4 +89,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/modbus/agent/stream/log.yml.hbs b/packages/zeek/data_stream/modbus/agent/stream/log.yml.hbs
@@ -69,4 +69,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/mysql/agent/stream/log.yml.hbs b/packages/zeek/data_stream/mysql/agent/stream/log.yml.hbs
@@ -69,4 +69,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/data_stream/mysql/elasticsearch/ingest_pipeline/default.yml
@@ -81,6 +81,10 @@ processors:
       field: event.type
       value: end
       if: "ctx?.zeek?.mysql?.cmd != null && ctx.zeek.mysql.cmd == 'connect_out'"
+  - append:
+      field: event.category
+      value: session
+      if: "ctx?.zeek?.mysql?.cmd != null && (ctx.zeek.mysql.cmd == 'connect' || ctx.zeek.mysql.cmd == 'connect_out')"
 on_failure:
   - set:
       field: error.message
diff --git a/packages/zeek/data_stream/notice/agent/stream/log.yml.hbs b/packages/zeek/data_stream/notice/agent/stream/log.yml.hbs
@@ -87,4 +87,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/ntlm/agent/stream/log.yml.hbs b/packages/zeek/data_stream/ntlm/agent/stream/log.yml.hbs
@@ -79,4 +79,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/ocsp/agent/stream/log.yml.hbs b/packages/zeek/data_stream/ocsp/agent/stream/log.yml.hbs
@@ -54,4 +54,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/pe/agent/stream/log.yml.hbs b/packages/zeek/data_stream/pe/agent/stream/log.yml.hbs
@@ -34,4 +34,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/radius/agent/stream/log.yml.hbs b/packages/zeek/data_stream/radius/agent/stream/log.yml.hbs
@@ -55,4 +55,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/rdp/agent/stream/log.yml.hbs b/packages/zeek/data_stream/rdp/agent/stream/log.yml.hbs
@@ -74,4 +74,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/rfb/agent/stream/log.yml.hbs b/packages/zeek/data_stream/rfb/agent/stream/log.yml.hbs
@@ -64,4 +64,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/sip/agent/stream/log.yml.hbs b/packages/zeek/data_stream/sip/agent/stream/log.yml.hbs
@@ -80,4 +80,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/smb_cmd/agent/stream/log.yml.hbs b/packages/zeek/data_stream/smb_cmd/agent/stream/log.yml.hbs
@@ -90,4 +90,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/smb_files/agent/stream/log.yml.hbs b/packages/zeek/data_stream/smb_files/agent/stream/log.yml.hbs
@@ -58,4 +58,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/smb_mapping/agent/stream/log.yml.hbs b/packages/zeek/data_stream/smb_mapping/agent/stream/log.yml.hbs
@@ -54,4 +54,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/smtp/agent/stream/log.yml.hbs b/packages/zeek/data_stream/smtp/agent/stream/log.yml.hbs
@@ -61,4 +61,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/snmp/agent/stream/log.yml.hbs b/packages/zeek/data_stream/snmp/agent/stream/log.yml.hbs
@@ -62,4 +62,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/socks/agent/stream/log.yml.hbs b/packages/zeek/data_stream/socks/agent/stream/log.yml.hbs
@@ -61,4 +61,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/ssh/agent/stream/log.yml.hbs b/packages/zeek/data_stream/ssh/agent/stream/log.yml.hbs
@@ -66,4 +66,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/ssl/agent/stream/log.yml.hbs b/packages/zeek/data_stream/ssl/agent/stream/log.yml.hbs
@@ -69,4 +69,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/stats/agent/stream/log.yml.hbs b/packages/zeek/data_stream/stats/agent/stream/log.yml.hbs
@@ -74,4 +74,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/syslog/agent/stream/log.yml.hbs b/packages/zeek/data_stream/syslog/agent/stream/log.yml.hbs
@@ -52,4 +52,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/traceroute/agent/stream/log.yml.hbs b/packages/zeek/data_stream/traceroute/agent/stream/log.yml.hbs
@@ -44,4 +44,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/tunnel/agent/stream/log.yml.hbs b/packages/zeek/data_stream/tunnel/agent/stream/log.yml.hbs
@@ -52,4 +52,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/weird/agent/stream/log.yml.hbs b/packages/zeek/data_stream/weird/agent/stream/log.yml.hbs
@@ -52,4 +52,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/data_stream/x509/agent/stream/log.yml.hbs b/packages/zeek/data_stream/x509/agent/stream/log.yml.hbs
@@ -56,4 +56,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.7.0
+        ecs.version: 1.8.0
diff --git a/packages/zeek/docs/README.md b/packages/zeek/docs/README.md
@@ -983,6 +983,7 @@ HTTP requests and replies.
 | url.password | Password of the request. | keyword |
 | url.port | Port of the request, such as 443. | long |
 | url.username | Username of the request. | keyword |
+| user.name | Short name or login of the user. | keyword |
 | user_agent.device.name | Name of the device. | keyword |
 | user_agent.name | Name of the user agent. | keyword |
 | user_agent.original | Unparsed user_agent string. | keyword |

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`		-{"ts":1547687130.172944,"uid":"CCNp8v1SNzY7v9d1Ih","id.orig_h":"10.178.98.102","id.orig_p":62995,"id.resp_h":"17.253.5.203","id.resp_p":80,"trans_depth":1,"method":"GET","host":"ocsp.apple.com","uri":"/ocsp04-aaica02/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFNqvF+Za6oA4ceFRLsAWwEInjUhJBBQx6napI3Sl39T97qDBpp7GEQ4R7AIIUP1IOZZ86ns=","version":"1.1","user_agent":"com.apple.trustd/2.0","request_body_len":0,"response_body_len":3735,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["F5zuip1tSwASjNAHy7"],"resp_mime_types":["application/ocsp-response"]}
	`1`	+{"ts":1547687130.172944,"uid":"CCNp8v1SNzY7v9d1Ih","id.orig_h":"10.178.98.102","id.orig_p":62995,"id.resp_h":"17.253.5.203","username":"user","id.resp_p":80,"trans_depth":1,"method":"GET","host":"ocsp.apple.com","uri":"/ocsp04-aaica02/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFNqvF+Za6oA4ceFRLsAWwEInjUhJBBQx6napI3Sl39T97qDBpp7GEQ4R7AIIUP1IOZZ86ns=","version":"1.1","user_agent":"com.apple.trustd/2.0","request_body_len":0,"response_body_len":3735,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["F5zuip1tSwASjNAHy7"],"resp_mime_types":["application/ocsp-response"]}
`2`	`2`	`{"ts":1547707019.757479,"uid":"CMnIaR2V8VXyu7EPs","id.orig_h":"10.20.8.197","id.orig_p":35684,"id.resp_h":"34.206.130.40","id.resp_p":80,"trans_depth":1,"method":"GET","host":"httpbin.org","uri":"/ip","version":"1.1","user_agent":"curl/7.58.0","request_body_len":0,"response_body_len":32,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FwGPlr1GcKUWWdkXoi"],"resp_mime_types":["text/json"]}`