diff --git a/.github/workflows/api-build-and-push-ghcr.yml b/.github/workflows/api-build-and-push-ghcr.yml
index b8fae021e..8eaf30def 100644
--- a/.github/workflows/api-build-and-push-ghcr.yml
+++ b/.github/workflows/api-build-and-push-ghcr.yml
@@ -9,16 +9,13 @@ on:
- 'api/**'
- 'Dockerfiles/api.Dockerfile'
- 'shared/bin/*'
- - '!shared/bin/agg-init.sh'
- '!shared/bin/capa-build.sh'
- '!shared/bin/common-init.sh'
- - '!shared/bin/sensor-init.sh'
- '!shared/bin/os-disk-config.py'
- '!shared/bin/extracted_files_http_server.py'
- '!shared/bin/web-ui-asset-download.sh'
- '!shared/bin/preseed_late_user_config.sh'
- '!shared/bin/configure-interfaces.py'
- - '!shared/bin/configure-capture.py'
- '!shared/bin/suricata*'
- '!shared/bin/zeek*'
- '.trigger_workflow_build'
@@ -113,7 +110,9 @@ jobs:
name: Run Trivy vulnerability scanner
if: ${{ matrix.platform == 'linux/amd64' }}
id: trivy-scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
scan-type: 'image'
scanners: 'vuln'
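Review bot: The new `uses: aquasecurity/trivy-action@0.28.0` replaces a floating branch with a tag, but a tag is still a mutable ref that the upstream repository can move or re-point, so the build is still not reproducibly tied to reviewed action code; pinning to the full commit SHA with the version kept as a trailing comment is the usual hardening, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha-of-0.28.0> # v0.28.0`. The same line appears in the Trivy hunk of the other twenty-one workflow files in this diff (arkime through zeek) and should be pinned the same way. The added `TRIVY_DB_REPOSITORY` fallback list also depends on the bundled Trivy accepting a comma-separated value, which is presumably why the action was moved off `master`; a one-line comment above the `env:` block stating that dependency would save the next person from "simplifying" it back to a single repository. The step definition continues past the end of the hunk.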
diff --git a/.github/workflows/arkime-build-and-push-ghcr.yml b/.github/workflows/arkime-build-and-push-ghcr.yml
index 0c297098c..fa5644999 100644
--- a/.github/workflows/arkime-build-and-push-ghcr.yml
+++ b/.github/workflows/arkime-build-and-push-ghcr.yml
@@ -9,16 +9,13 @@ on:
- 'arkime/**'
- 'Dockerfiles/arkime.Dockerfile'
- 'shared/bin/*'
- - '!shared/bin/agg-init.sh'
- '!shared/bin/capa-build.sh'
- '!shared/bin/common-init.sh'
- - '!shared/bin/sensor-init.sh'
- '!shared/bin/extracted_files_http_server.py'
- '!shared/bin/web-ui-asset-download.sh'
- '!shared/bin/os-disk-config.py'
- '!shared/bin/preseed_late_user_config.sh'
- '!shared/bin/configure-interfaces.py'
- - '!shared/bin/configure-capture.py'
- '!shared/bin/suricata*'
- '!shared/bin/zeek*'
- '.trigger_workflow_build'
@@ -115,7 +112,9 @@ jobs:
name: Run Trivy vulnerability scanner
if: ${{ matrix.platform == 'linux/amd64' }}
id: trivy-scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
scan-type: 'image'
scanners: 'vuln'
diff --git a/.github/workflows/dashboards-build-and-push-ghcr.yml b/.github/workflows/dashboards-build-and-push-ghcr.yml
index a63b7bbdf..6ced81fe3 100644
--- a/.github/workflows/dashboards-build-and-push-ghcr.yml
+++ b/.github/workflows/dashboards-build-and-push-ghcr.yml
@@ -9,16 +9,13 @@ on:
- 'dashboards/**'
- 'Dockerfiles/dashboards.Dockerfile'
- 'shared/bin/*'
- - '!shared/bin/agg-init.sh'
- '!shared/bin/capa-build.sh'
- '!shared/bin/common-init.sh'
- - '!shared/bin/sensor-init.sh'
- '!shared/bin/extracted_files_http_server.py'
- '!shared/bin/web-ui-asset-download.sh'
- '!shared/bin/os-disk-config.py'
- '!shared/bin/preseed_late_user_config.sh'
- '!shared/bin/configure-interfaces.py'
- - '!shared/bin/configure-capture.py'
- '!shared/bin/suricata*'
- '!shared/bin/zeek*'
- '.trigger_workflow_build'
@@ -113,7 +110,9 @@ jobs:
name: Run Trivy vulnerability scanner
if: ${{ matrix.platform == 'linux/amd64' }}
id: trivy-scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
scan-type: 'image'
scanners: 'vuln'
diff --git a/.github/workflows/dashboards-helper-build-and-push-ghcr.yml b/.github/workflows/dashboards-helper-build-and-push-ghcr.yml
index 440920dc7..b0f338def 100644
--- a/.github/workflows/dashboards-helper-build-and-push-ghcr.yml
+++ b/.github/workflows/dashboards-helper-build-and-push-ghcr.yml
@@ -9,16 +9,13 @@ on:
- 'dashboards/**'
- 'Dockerfiles/dashboards-helper.Dockerfile'
- 'shared/bin/*'
- - '!shared/bin/agg-init.sh'
- '!shared/bin/capa-build.sh'
- '!shared/bin/common-init.sh'
- - '!shared/bin/sensor-init.sh'
- '!shared/bin/extracted_files_http_server.py'
- '!shared/bin/web-ui-asset-download.sh'
- '!shared/bin/os-disk-config.py'
- '!shared/bin/preseed_late_user_config.sh'
- '!shared/bin/configure-interfaces.py'
- - '!shared/bin/configure-capture.py'
- '!shared/bin/suricata*'
- '!shared/bin/zeek*'
- '.trigger_workflow_build'
@@ -113,7 +110,9 @@ jobs:
name: Run Trivy vulnerability scanner
if: ${{ matrix.platform == 'linux/amd64' }}
id: trivy-scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
scan-type: 'image'
scanners: 'vuln'
diff --git a/.github/workflows/dirinit-build-and-push-ghcr.yml b/.github/workflows/dirinit-build-and-push-ghcr.yml
index 92048e9ee..df3933fac 100644
--- a/.github/workflows/dirinit-build-and-push-ghcr.yml
+++ b/.github/workflows/dirinit-build-and-push-ghcr.yml
@@ -100,7 +100,9 @@ jobs:
name: Run Trivy vulnerability scanner
if: ${{ matrix.platform == 'linux/amd64' }}
id: trivy-scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
scan-type: 'image'
scanners: 'vuln'
diff --git a/.github/workflows/file-monitor-build-and-push-ghcr.yml b/.github/workflows/file-monitor-build-and-push-ghcr.yml
index b8c794493..5d44883e1 100644
--- a/.github/workflows/file-monitor-build-and-push-ghcr.yml
+++ b/.github/workflows/file-monitor-build-and-push-ghcr.yml
@@ -9,13 +9,10 @@ on:
- 'file-monitor/**'
- 'Dockerfiles/file-monitor.Dockerfile'
- 'shared/bin/*'
- - '!shared/bin/agg-init.sh'
- '!shared/bin/common-init.sh'
- - '!shared/bin/sensor-init.sh'
- '!shared/bin/os-disk-config.py'
- '!shared/bin/preseed_late_user_config.sh'
- '!shared/bin/configure-interfaces.py'
- - '!shared/bin/configure-capture.py'
- '!shared/bin/suricata*'
- '!shared/bin/zeek*.sh'
- '.trigger_workflow_build'
@@ -110,7 +107,9 @@ jobs:
name: Run Trivy vulnerability scanner
if: ${{ matrix.platform == 'linux/amd64' }}
id: trivy-scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
scan-type: 'image'
scanners: 'vuln'
diff --git a/.github/workflows/file-upload-build-and-push-ghcr.yml b/.github/workflows/file-upload-build-and-push-ghcr.yml
index ee7871190..454ab989e 100644
--- a/.github/workflows/file-upload-build-and-push-ghcr.yml
+++ b/.github/workflows/file-upload-build-and-push-ghcr.yml
@@ -9,16 +9,13 @@ on:
- 'file-upload/**'
- 'Dockerfiles/file-upload.Dockerfile'
- 'shared/bin/*'
- - '!shared/bin/agg-init.sh'
- '!shared/bin/capa-build.sh'
- '!shared/bin/common-init.sh'
- - '!shared/bin/sensor-init.sh'
- '!shared/bin/extracted_files_http_server.py'
- '!shared/bin/web-ui-asset-download.sh'
- '!shared/bin/os-disk-config.py'
- '!shared/bin/preseed_late_user_config.sh'
- '!shared/bin/configure-interfaces.py'
- - '!shared/bin/configure-capture.py'
- '!shared/bin/suricata*'
- '!shared/bin/zeek*'
- '.trigger_workflow_build'
@@ -113,7 +110,9 @@ jobs:
name: Run Trivy vulnerability scanner
if: ${{ matrix.platform == 'linux/amd64' }}
id: trivy-scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
scan-type: 'image'
scanners: 'vuln'
diff --git a/.github/workflows/filebeat-build-and-push-ghcr.yml b/.github/workflows/filebeat-build-and-push-ghcr.yml
index 2f9185c17..da2f0536b 100644
--- a/.github/workflows/filebeat-build-and-push-ghcr.yml
+++ b/.github/workflows/filebeat-build-and-push-ghcr.yml
@@ -9,16 +9,13 @@ on:
- 'filebeat/**'
- 'Dockerfiles/filebeat.Dockerfile'
- 'shared/bin/*'
- - '!shared/bin/agg-init.sh'
- '!shared/bin/capa-build.sh'
- '!shared/bin/common-init.sh'
- - '!shared/bin/sensor-init.sh'
- '!shared/bin/extracted_files_http_server.py'
- '!shared/bin/web-ui-asset-download.sh'
- '!shared/bin/os-disk-config.py'
- '!shared/bin/preseed_late_user_config.sh'
- '!shared/bin/configure-interfaces.py'
- - '!shared/bin/configure-capture.py'
- '!shared/bin/suricata*'
- '!shared/bin/zeek*'
- '.trigger_workflow_build'
@@ -113,7 +110,9 @@ jobs:
name: Run Trivy vulnerability scanner
if: ${{ matrix.platform == 'linux/amd64' }}
id: trivy-scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
scan-type: 'image'
scanners: 'vuln'
diff --git a/.github/workflows/freq-build-and-push-ghcr.yml b/.github/workflows/freq-build-and-push-ghcr.yml
index a54409528..3862e5f1f 100644
--- a/.github/workflows/freq-build-and-push-ghcr.yml
+++ b/.github/workflows/freq-build-and-push-ghcr.yml
@@ -9,16 +9,13 @@ on:
- 'freq-server/**'
- 'Dockerfiles/freq.Dockerfile'
- 'shared/bin/*'
- - '!shared/bin/agg-init.sh'
- '!shared/bin/capa-build.sh'
- '!shared/bin/common-init.sh'
- - '!shared/bin/sensor-init.sh'
- '!shared/bin/extracted_files_http_server.py'
- '!shared/bin/web-ui-asset-download.sh'
- '!shared/bin/os-disk-config.py'
- '!shared/bin/preseed_late_user_config.sh'
- '!shared/bin/configure-interfaces.py'
- - '!shared/bin/configure-capture.py'
- '!shared/bin/suricata*'
- '!shared/bin/zeek*'
- '.trigger_workflow_build'
@@ -113,7 +110,9 @@ jobs:
name: Run Trivy vulnerability scanner
if: ${{ matrix.platform == 'linux/amd64' }}
id: trivy-scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
scan-type: 'image'
scanners: 'vuln'
diff --git a/.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml b/.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml
index 6a16d715e..4f7f243f0 100644
--- a/.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml
+++ b/.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml
@@ -141,7 +141,9 @@ jobs:
name: Run Trivy vulnerability scanner
if: ${{ matrix.platform == 'linux/amd64' }}
id: trivy-scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
scan-type: 'fs'
scan-ref: './hedgehog-iso'
diff --git a/.github/workflows/htadmin-build-and-push-ghcr.yml b/.github/workflows/htadmin-build-and-push-ghcr.yml
index c1525370b..6a7a4099f 100644
--- a/.github/workflows/htadmin-build-and-push-ghcr.yml
+++ b/.github/workflows/htadmin-build-and-push-ghcr.yml
@@ -9,16 +9,13 @@ on:
- 'htadmin/**'
- 'Dockerfiles/htadmin.Dockerfile'
- 'shared/bin/*'
- - '!shared/bin/agg-init.sh'
- '!shared/bin/capa-build.sh'
- '!shared/bin/common-init.sh'
- - '!shared/bin/sensor-init.sh'
- '!shared/bin/extracted_files_http_server.py'
- '!shared/bin/web-ui-asset-download.sh'
- '!shared/bin/os-disk-config.py'
- '!shared/bin/preseed_late_user_config.sh'
- '!shared/bin/configure-interfaces.py'
- - '!shared/bin/configure-capture.py'
- '!shared/bin/suricata*'
- '!shared/bin/zeek*'
- '.trigger_workflow_build'
@@ -113,7 +110,9 @@ jobs:
name: Run Trivy vulnerability scanner
if: ${{ matrix.platform == 'linux/amd64' }}
id: trivy-scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
scan-type: 'image'
scanners: 'vuln'
diff --git a/.github/workflows/logstash-build-and-push-ghcr.yml b/.github/workflows/logstash-build-and-push-ghcr.yml
index 4a1eca3b3..1bf286fa7 100644
--- a/.github/workflows/logstash-build-and-push-ghcr.yml
+++ b/.github/workflows/logstash-build-and-push-ghcr.yml
@@ -9,16 +9,13 @@ on:
- 'logstash/**'
- 'Dockerfiles/logstash.Dockerfile'
- 'shared/bin/*'
- - '!shared/bin/agg-init.sh'
- '!shared/bin/capa-build.sh'
- '!shared/bin/common-init.sh'
- - '!shared/bin/sensor-init.sh'
- '!shared/bin/extracted_files_http_server.py'
- '!shared/bin/web-ui-asset-download.sh'
- '!shared/bin/os-disk-config.py'
- '!shared/bin/preseed_late_user_config.sh'
- '!shared/bin/configure-interfaces.py'
- - '!shared/bin/configure-capture.py'
- '!shared/bin/suricata*'
- '!shared/bin/zeek*'
- '.trigger_workflow_build'
@@ -113,7 +110,9 @@ jobs:
name: Run Trivy vulnerability scanner
if: ${{ matrix.platform == 'linux/amd64' }}
id: trivy-scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
scan-type: 'image'
scanners: 'vuln'
diff --git a/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml b/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml
index 75f1849fe..bf5045aeb 100644
--- a/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml
+++ b/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml
@@ -9,7 +9,6 @@ on:
- 'malcolm-iso/**'
- 'shared/bin/*'
- '!shared/bin/capa-build.sh'
- - '!shared/bin/configure-capture.py'
- '!shared/bin/extracted_files_http_server.py'
- '!shared/bin/web-ui-asset-download.sh'
- '!shared/bin/zeek*'
@@ -148,7 +147,9 @@ jobs:
name: Run Trivy vulnerability scanner
if: ${{ matrix.platform == 'linux/amd64' }}
id: trivy-scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
scan-type: 'fs'
scan-ref: './malcolm-iso'
diff --git a/.github/workflows/netbox-build-and-push-ghcr.yml b/.github/workflows/netbox-build-and-push-ghcr.yml
index ffe49b832..857015d30 100644
--- a/.github/workflows/netbox-build-and-push-ghcr.yml
+++ b/.github/workflows/netbox-build-and-push-ghcr.yml
@@ -9,16 +9,13 @@ on:
- 'netbox/**'
- 'Dockerfiles/netbox.Dockerfile'
- 'shared/bin/*'
- - '!shared/bin/agg-init.sh'
- '!shared/bin/capa-build.sh'
- '!shared/bin/common-init.sh'
- - '!shared/bin/sensor-init.sh'
- '!shared/bin/extracted_files_http_server.py'
- '!shared/bin/web-ui-asset-download.sh'
- '!shared/bin/os-disk-config.py'
- '!shared/bin/preseed_late_user_config.sh'
- '!shared/bin/configure-interfaces.py'
- - '!shared/bin/configure-capture.py'
- '!shared/bin/zeek*'
- '!shared/bin/suricata*'
- '.trigger_workflow_build'
@@ -113,7 +110,9 @@ jobs:
name: Run Trivy vulnerability scanner
if: ${{ matrix.platform == 'linux/amd64' }}
id: trivy-scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
scan-type: 'image'
scanners: 'vuln'
diff --git a/.github/workflows/nginx-build-and-push-ghcr.yml b/.github/workflows/nginx-build-and-push-ghcr.yml
index 66d10788a..8221bd513 100644
--- a/.github/workflows/nginx-build-and-push-ghcr.yml
+++ b/.github/workflows/nginx-build-and-push-ghcr.yml
@@ -9,16 +9,13 @@ on:
- 'nginx/**'
- 'Dockerfiles/nginx.Dockerfile'
- 'shared/bin/*'
- - '!shared/bin/agg-init.sh'
- '!shared/bin/capa-build.sh'
- '!shared/bin/common-init.sh'
- - '!shared/bin/sensor-init.sh'
- '!shared/bin/extracted_files_http_server.py'
- '!shared/bin/web-ui-asset-download.sh'
- '!shared/bin/os-disk-config.py'
- '!shared/bin/preseed_late_user_config.sh'
- '!shared/bin/configure-interfaces.py'
- - '!shared/bin/configure-capture.py'
- '!shared/bin/zeek*'
- '!shared/bin/suricata*'
- '.trigger_workflow_build'
@@ -120,7 +117,9 @@ jobs:
name: Run Trivy vulnerability scanner
if: ${{ matrix.platform == 'linux/amd64' }}
id: trivy-scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
scan-type: 'image'
scanners: 'vuln'
diff --git a/.github/workflows/opensearch-build-and-push-ghcr.yml b/.github/workflows/opensearch-build-and-push-ghcr.yml
index 80804d1e2..1bc3db595 100644
--- a/.github/workflows/opensearch-build-and-push-ghcr.yml
+++ b/.github/workflows/opensearch-build-and-push-ghcr.yml
@@ -8,16 +8,13 @@ on:
paths:
- 'Dockerfiles/opensearch.Dockerfile'
- 'shared/bin/*'
- - '!shared/bin/agg-init.sh'
- '!shared/bin/capa-build.sh'
- '!shared/bin/common-init.sh'
- - '!shared/bin/sensor-init.sh'
- '!shared/bin/os-disk-config.py'
- '!shared/bin/extracted_files_http_server.py'
- '!shared/bin/web-ui-asset-download.sh'
- '!shared/bin/preseed_late_user_config.sh'
- '!shared/bin/configure-interfaces.py'
- - '!shared/bin/configure-capture.py'
- '!shared/bin/zeek*'
- '!shared/bin/suricata*'
- '.trigger_workflow_build'
@@ -112,7 +109,9 @@ jobs:
name: Run Trivy vulnerability scanner
if: ${{ matrix.platform == 'linux/amd64' }}
id: trivy-scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
scan-type: 'image'
scanners: 'vuln'
diff --git a/.github/workflows/pcap-capture-build-and-push-ghcr.yml b/.github/workflows/pcap-capture-build-and-push-ghcr.yml
index 5ef3dd924..c01f21f4e 100644
--- a/.github/workflows/pcap-capture-build-and-push-ghcr.yml
+++ b/.github/workflows/pcap-capture-build-and-push-ghcr.yml
@@ -9,16 +9,13 @@ on:
- 'pcap-capture/**'
- 'Dockerfiles/pcap-capture.Dockerfile'
- 'shared/bin/*'
- - '!shared/bin/agg-init.sh'
- '!shared/bin/capa-build.sh'
- '!shared/bin/common-init.sh'
- - '!shared/bin/sensor-init.sh'
- '!shared/bin/os-disk-config.py'
- '!shared/bin/extracted_files_http_server.py'
- '!shared/bin/web-ui-asset-download.sh'
- '!shared/bin/preseed_late_user_config.sh'
- '!shared/bin/configure-interfaces.py'
- - '!shared/bin/configure-capture.py'
- '!shared/bin/zeek*'
- '!shared/bin/suricata*'
- '.trigger_workflow_build'
@@ -113,7 +110,9 @@ jobs:
name: Run Trivy vulnerability scanner
if: ${{ matrix.platform == 'linux/amd64' }}
id: trivy-scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
scan-type: 'image'
scanners: 'vuln'
diff --git a/.github/workflows/pcap-monitor-build-and-push-ghcr.yml b/.github/workflows/pcap-monitor-build-and-push-ghcr.yml
index a6f4a14ab..2352fb82d 100644
--- a/.github/workflows/pcap-monitor-build-and-push-ghcr.yml
+++ b/.github/workflows/pcap-monitor-build-and-push-ghcr.yml
@@ -9,16 +9,13 @@ on:
- 'pcap-monitor/**'
- 'Dockerfiles/pcap-monitor.Dockerfile'
- 'shared/bin/*'
- - '!shared/bin/agg-init.sh'
- '!shared/bin/capa-build.sh'
- '!shared/bin/common-init.sh'
- - '!shared/bin/sensor-init.sh'
- '!shared/bin/os-disk-config.py'
- '!shared/bin/extracted_files_http_server.py'
- '!shared/bin/web-ui-asset-download.sh'
- '!shared/bin/preseed_late_user_config.sh'
- '!shared/bin/configure-interfaces.py'
- - '!shared/bin/configure-capture.py'
- '!shared/bin/zeek*'
- '!shared/bin/suricata*'
- '.trigger_workflow_build'
@@ -113,7 +110,9 @@ jobs:
name: Run Trivy vulnerability scanner
if: ${{ matrix.platform == 'linux/amd64' }}
id: trivy-scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
scan-type: 'image'
scanners: 'vuln'
diff --git a/.github/workflows/postgresql-build-and-push-ghcr.yml b/.github/workflows/postgresql-build-and-push-ghcr.yml
index d5530c898..951170880 100644
--- a/.github/workflows/postgresql-build-and-push-ghcr.yml
+++ b/.github/workflows/postgresql-build-and-push-ghcr.yml
@@ -8,16 +8,13 @@ on:
paths:
- 'Dockerfiles/postgresql.Dockerfile'
- 'shared/bin/*'
- - '!shared/bin/agg-init.sh'
- '!shared/bin/capa-build.sh'
- '!shared/bin/common-init.sh'
- - '!shared/bin/sensor-init.sh'
- '!shared/bin/os-disk-config.py'
- '!shared/bin/extracted_files_http_server.py'
- '!shared/bin/web-ui-asset-download.sh'
- '!shared/bin/preseed_late_user_config.sh'
- '!shared/bin/configure-interfaces.py'
- - '!shared/bin/configure-capture.py'
- '!shared/bin/zeek*'
- '!shared/bin/suricata*'
- '.trigger_workflow_build'
@@ -112,7 +109,9 @@ jobs:
name: Run Trivy vulnerability scanner
if: ${{ matrix.platform == 'linux/amd64' }}
id: trivy-scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
scan-type: 'image'
scanners: 'vuln'
diff --git a/.github/workflows/redis-build-and-push-ghcr.yml b/.github/workflows/redis-build-and-push-ghcr.yml
index baf497fe5..da0706bea 100644
--- a/.github/workflows/redis-build-and-push-ghcr.yml
+++ b/.github/workflows/redis-build-and-push-ghcr.yml
@@ -8,16 +8,13 @@ on:
paths:
- 'Dockerfiles/redis.Dockerfile'
- 'shared/bin/*'
- - '!shared/bin/agg-init.sh'
- '!shared/bin/capa-build.sh'
- '!shared/bin/common-init.sh'
- - '!shared/bin/sensor-init.sh'
- '!shared/bin/os-disk-config.py'
- '!shared/bin/extracted_files_http_server.py'
- '!shared/bin/web-ui-asset-download.sh'
- '!shared/bin/preseed_late_user_config.sh'
- '!shared/bin/configure-interfaces.py'
- - '!shared/bin/configure-capture.py'
- '!shared/bin/zeek*'
- '!shared/bin/suricata*'
- '.trigger_workflow_build'
@@ -112,7 +109,9 @@ jobs:
name: Run Trivy vulnerability scanner
if: ${{ matrix.platform == 'linux/amd64' }}
id: trivy-scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
scan-type: 'image'
scanners: 'vuln'
diff --git a/.github/workflows/suricata-build-and-push-ghcr.yml b/.github/workflows/suricata-build-and-push-ghcr.yml
index a185fe477..36d9adca5 100644
--- a/.github/workflows/suricata-build-and-push-ghcr.yml
+++ b/.github/workflows/suricata-build-and-push-ghcr.yml
@@ -9,16 +9,13 @@ on:
- 'suricata/**'
- 'Dockerfiles/suricata.Dockerfile'
- 'shared/bin/*'
- - '!shared/bin/agg-init.sh'
- '!shared/bin/capa-build.sh'
- '!shared/bin/common-init.sh'
- - '!shared/bin/sensor-init.sh'
- '!shared/bin/os-disk-config.py'
- '!shared/bin/extracted_files_http_server.py'
- '!shared/bin/web-ui-asset-download.sh'
- '!shared/bin/preseed_late_user_config.sh'
- '!shared/bin/configure-interfaces.py'
- - '!shared/bin/configure-capture.py'
- '!shared/bin/zeek*'
- '.trigger_workflow_build'
workflow_dispatch:
@@ -112,7 +109,9 @@ jobs:
name: Run Trivy vulnerability scanner
if: ${{ matrix.platform == 'linux/amd64' }}
id: trivy-scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
scan-type: 'image'
scanners: 'vuln'
diff --git a/.github/workflows/zeek-build-and-push-ghcr.yml b/.github/workflows/zeek-build-and-push-ghcr.yml
index 26fac60b3..882b77623 100644
--- a/.github/workflows/zeek-build-and-push-ghcr.yml
+++ b/.github/workflows/zeek-build-and-push-ghcr.yml
@@ -9,16 +9,13 @@ on:
- 'zeek/**'
- 'Dockerfiles/zeek.Dockerfile'
- 'shared/bin/*'
- - '!shared/bin/agg-init.sh'
- '!shared/bin/capa-build.sh'
- '!shared/bin/common-init.sh'
- - '!shared/bin/sensor-init.sh'
- '!shared/bin/os-disk-config.py'
- '!shared/bin/extracted_files_http_server.py'
- '!shared/bin/web-ui-asset-download.sh'
- '!shared/bin/preseed_late_user_config.sh'
- '!shared/bin/configure-interfaces.py'
- - '!shared/bin/configure-capture.py'
- '!shared/bin/suricata*'
- '.trigger_workflow_build'
workflow_dispatch:
@@ -114,7 +111,9 @@ jobs:
name: Run Trivy vulnerability scanner
if: ${{ matrix.platform == 'linux/amd64' }}
id: trivy-scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
scan-type: 'image'
scanners: 'vuln'
diff --git a/Dockerfiles/api.Dockerfile b/Dockerfiles/api.Dockerfile
index 5fa14a4d5..0cc82d293 100644
--- a/Dockerfiles/api.Dockerfile
+++ b/Dockerfiles/api.Dockerfile
@@ -68,7 +68,7 @@ COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic
RUN apt-get -q update \
&& apt-get -y -q --no-install-recommends upgrade \
- && apt-get -y -q --no-install-recommends install curl netcat-openbsd rsync tini \
+ && apt-get -y -q --no-install-recommends install curl jq netcat-openbsd rsync tini \
&& python3 -m pip install --upgrade pip \
&& python3 -m pip install --no-cache /wheels/* \
&& groupadd --gid ${DEFAULT_GID} ${PGROUP} \
diff --git a/Dockerfiles/dashboards-helper.Dockerfile b/Dockerfiles/dashboards-helper.Dockerfile
index 3d08b203b..a064d0652 100644
--- a/Dockerfiles/dashboards-helper.Dockerfile
+++ b/Dockerfiles/dashboards-helper.Dockerfile
@@ -42,7 +42,7 @@ ENV OPENSEARCH_DEFAULT_DASHBOARD $OPENSEARCH_DEFAULT_DASHBOARD
ENV DASHBOARDS_DARKMODE $DASHBOARDS_DARKMODE
ENV PATH="/data:${PATH}"
-ENV SUPERCRONIC_VERSION "0.2.32"
+ENV SUPERCRONIC_VERSION "0.2.33"
ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-"
ENV SUPERCRONIC_CRONTAB "/etc/crontab"
@@ -60,8 +60,6 @@ COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/
COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/
COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic
COPY --chmod=755 shared/bin/opensearch_status.sh /data/
-COPY --chmod=755 shared/bin/opensearch_index_size_prune.py /data/
-COPY --chmod=755 shared/bin/opensearch_read_only.py /data/
ADD scripts/malcolm_utils.py /data/
RUN export BINARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/') && \
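Review bot: Dropping the `COPY` lines for `shared/bin/opensearch_index_size_prune.py` and `shared/bin/opensearch_read_only.py` removes them from `/data` without anything in this hunk showing that their callers were updated; if the image's crontab or supervisor config still invokes either script, that job will fail silently at runtime rather than at build time. This is inferred from the visible lines only, so it is worth confirming that the scheduled entries were moved or removed in the same change, and a short comment noting where these helpers now live would make the relocation obvious to the next reader. The `RUN` that follows continues outside the hunk.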
diff --git a/Dockerfiles/dashboards.Dockerfile b/Dockerfiles/dashboards.Dockerfile
index a9cc67d59..4d738dcfe 100644
--- a/Dockerfiles/dashboards.Dockerfile
+++ b/Dockerfiles/dashboards.Dockerfile
@@ -36,7 +36,7 @@ ADD https://github.com/lguillaud/osd_transform_vis/releases/download/$OSD_TRANSF
RUN export BINARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/') && \
yum upgrade -y && \
- yum install -y curl-minimal psmisc findutils util-linux openssl rsync python3 zip unzip && \
+ yum install -y curl-minimal psmisc findutils util-linux jq openssl rsync python3 zip unzip && \
yum remove -y vim-* && \
usermod -a -G tty ${PUSER} && \
# Malcolm manages authentication and encryption via NGINX reverse proxy
diff --git a/Dockerfiles/dirinit.Dockerfile b/Dockerfiles/dirinit.Dockerfile
index 31d70029b..e1bf7dd92 100644
--- a/Dockerfiles/dirinit.Dockerfile
+++ b/Dockerfiles/dirinit.Dockerfile
@@ -25,7 +25,7 @@ COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/
RUN apk update --no-cache && \
apk upgrade --no-cache && \
- apk --no-cache add bash psmisc rsync shadow tini && \
+ apk --no-cache add bash jq psmisc rsync shadow tini && \
addgroup -g ${DEFAULT_GID} ${PGROUP} ; \
adduser -D -H -u ${DEFAULT_UID} -h /nonexistant -s /sbin/nologin -G ${PGROUP} -g ${PUSER} ${PUSER} ; \
addgroup ${PUSER} tty ; \
diff --git a/Dockerfiles/file-monitor.Dockerfile b/Dockerfiles/file-monitor.Dockerfile
index e743951a0..f3eb84547 100644
--- a/Dockerfiles/file-monitor.Dockerfile
+++ b/Dockerfiles/file-monitor.Dockerfile
@@ -100,12 +100,12 @@ ENV EXTRACTED_FILE_HTTP_SERVER_KEY $EXTRACTED_FILE_HTTP_SERVER_KEY
ENV EXTRACTED_FILE_HTTP_SERVER_RECURSIVE $EXTRACTED_FILE_HTTP_SERVER_RECURSIVE
ENV EXTRACTED_FILE_HTTP_SERVER_PORT $EXTRACTED_FILE_HTTP_SERVER_PORT
-ENV SUPERCRONIC_VERSION "0.2.32"
+ENV SUPERCRONIC_VERSION "0.2.33"
ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-"
ENV SUPERCRONIC_CRONTAB "/etc/crontab"
COPY --chmod=755 shared/bin/yara_rules_setup.sh /usr/local/bin/
-COPY --chmod=777 shared/bin/capa-build.sh /usr/local/bin/
+COPY --chmod=755 shared/bin/capa-build.sh /usr/local/bin/
ADD nginx/landingpage/css "${EXTRACTED_FILE_HTTP_SERVER_ASSETS_DIR}/css"
ADD nginx/landingpage/js "${EXTRACTED_FILE_HTTP_SERVER_ASSETS_DIR}/js"
ADD --chmod=644 docs/images/logo/Malcolm_background.png "${EXTRACTED_FILE_HTTP_SERVER_ASSETS_DIR}/assets/img/bg-masthead.png"
diff --git a/Dockerfiles/file-upload.Dockerfile b/Dockerfiles/file-upload.Dockerfile
index 150e769e6..3cabeb578 100644
--- a/Dockerfiles/file-upload.Dockerfile
+++ b/Dockerfiles/file-upload.Dockerfile
@@ -56,7 +56,7 @@ ENV FILEPOND_SERVER_BRANCH $FILEPOND_SERVER_BRANCH
ARG STALE_UPLOAD_DELETE_MIN=360
ENV STALE_UPLOAD_DELETE_MIN $STALE_UPLOAD_DELETE_MIN
-ENV SUPERCRONIC_VERSION "0.2.32"
+ENV SUPERCRONIC_VERSION "0.2.33"
ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-"
ENV SUPERCRONIC_CRONTAB "/etc/crontab"
@@ -74,6 +74,7 @@ RUN export BINARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
ca-certificates \
curl \
file \
+ jq \
less \
nginx-light \
openssh-server \
diff --git a/Dockerfiles/filebeat.Dockerfile b/Dockerfiles/filebeat.Dockerfile
index fc2a15e76..4bed4d51e 100644
--- a/Dockerfiles/filebeat.Dockerfile
+++ b/Dockerfiles/filebeat.Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.elastic.co/beats/filebeat-oss:8.15.2
+FROM docker.elastic.co/beats/filebeat-oss:8.15.3
# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
LABEL maintainer="malcolm@inl.gov"
@@ -67,7 +67,7 @@ ARG FILEBEAT_TCP_PARSE_DROP_FIELD=""
ARG FILEBEAT_TCP_TAG="_malcolm_beats"
ARG PCAP_NODE_NAME=malcolm
-ENV SUPERCRONIC_VERSION "0.2.32"
+ENV SUPERCRONIC_VERSION "0.2.33"
ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-"
ENV SUPERCRONIC_CRONTAB "/etc/crontab"
diff --git a/Dockerfiles/freq.Dockerfile b/Dockerfiles/freq.Dockerfile
index b68fb6d81..c97925f3c 100644
--- a/Dockerfiles/freq.Dockerfile
+++ b/Dockerfiles/freq.Dockerfile
@@ -34,6 +34,7 @@ RUN apt-get -q update && \
apt-get -y -q --no-install-recommends upgrade && \
apt-get -y --no-install-recommends install \
curl \
+ jq \
procps \
psmisc \
python3 \
diff --git a/Dockerfiles/htadmin.Dockerfile b/Dockerfiles/htadmin.Dockerfile
index 175a78459..3039e3f90 100644
--- a/Dockerfiles/htadmin.Dockerfile
+++ b/Dockerfiles/htadmin.Dockerfile
@@ -39,6 +39,7 @@ RUN apt-get -q update && \
apt-get -y -q --allow-downgrades --allow-remove-essential --allow-change-held-packages --no-install-recommends install \
ca-certificates \
curl \
+ jq \
libmcrypt-dev \
libmcrypt4 \
make \
diff --git a/Dockerfiles/logstash.Dockerfile b/Dockerfiles/logstash.Dockerfile
index 89fde5ef9..20c74da34 100644
--- a/Dockerfiles/logstash.Dockerfile
+++ b/Dockerfiles/logstash.Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.elastic.co/logstash/logstash-oss:8.15.2
+FROM docker.elastic.co/logstash/logstash-oss:8.15.3
LABEL maintainer="malcolm@inl.gov"
LABEL org.opencontainers.image.authors='malcolm@inl.gov'
@@ -49,6 +49,7 @@ RUN set -x && \
curl \
gettext \
git \
+ jq \
patch \
python3-setuptools \
python3-pip \
@@ -82,7 +83,6 @@ COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/
COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/
COPY --chmod=755 shared/bin/opensearch_status.sh /usr/local/bin/
COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic
-COPY --chmod=755 shared/bin/manuf-oui-parse.py /usr/local/bin/
COPY --chmod=755 shared/bin/jdk-cacerts-auto-import.sh /usr/local/bin/
COPY --chmod=755 shared/bin/keystore-bootstrap.sh /usr/local/bin/
ADD logstash/maps/*.yaml /etc/
@@ -105,6 +105,7 @@ RUN bash -c "chmod --silent 755 /usr/local/bin/*.sh /usr/local/bin/*.py || true"
chown --silent -R ${PUSER}:root \
/usr/share/logstash \
/logstash-persistent-queue && \
+ chmod -R o-w /usr/share/logstash && \
echo "Retrieving and parsing Wireshark manufacturer database..." && \
python3 /usr/local/bin/manuf-oui-parse.py -o /etc/vendor_macs.yaml && \
echo "Complete."
diff --git a/Dockerfiles/netbox.Dockerfile b/Dockerfiles/netbox.Dockerfile
index eaeecc6ad..13287d50f 100644
--- a/Dockerfiles/netbox.Dockerfile
+++ b/Dockerfiles/netbox.Dockerfile
@@ -25,7 +25,7 @@ ENV PGROUP "ubuntu"
ENV PUSER_PRIV_DROP true
USER root
-ENV SUPERCRONIC_VERSION "0.2.32"
+ENV SUPERCRONIC_VERSION "0.2.33"
ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-"
ENV SUPERCRONIC_CRONTAB "/etc/crontab"
diff --git a/Dockerfiles/opensearch.Dockerfile b/Dockerfiles/opensearch.Dockerfile
index 78a030676..59d192653 100644
--- a/Dockerfiles/opensearch.Dockerfile
+++ b/Dockerfiles/opensearch.Dockerfile
@@ -44,7 +44,7 @@ USER root
# Remove the performance-analyzer plugin - Reduce resources in docker image
RUN export BINARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/') && \
yum upgrade -y && \
- yum install -y openssl util-linux procps rsync findutils && \
+ yum install -y openssl util-linux procps jq rsync findutils && \
yum remove -y vim-* && \
/usr/share/opensearch/bin/opensearch-plugin remove opensearch-security --purge && \
/usr/share/opensearch/bin/opensearch-plugin remove opensearch-performance-analyzer --purge && \
diff --git a/Dockerfiles/pcap-capture.Dockerfile b/Dockerfiles/pcap-capture.Dockerfile
index e90d4ce9f..062a2e94b 100644
--- a/Dockerfiles/pcap-capture.Dockerfile
+++ b/Dockerfiles/pcap-capture.Dockerfile
@@ -67,6 +67,7 @@ RUN apt-get -q update && \
apt-get install --no-install-recommends -y -q \
bc \
ethtool \
+ jq \
libcap2-bin \
netsniff-ng \
openssl \
diff --git a/Dockerfiles/pcap-monitor.Dockerfile b/Dockerfiles/pcap-monitor.Dockerfile
index 8e3cd1492..1990b5ccf 100644
--- a/Dockerfiles/pcap-monitor.Dockerfile
+++ b/Dockerfiles/pcap-monitor.Dockerfile
@@ -48,6 +48,7 @@ RUN apt-get -q update && \
apt-get install --no-install-recommends -y -q \
file \
inotify-tools \
+ jq \
libzmq5 \
procps \
psmisc \
diff --git a/Dockerfiles/postgresql.Dockerfile b/Dockerfiles/postgresql.Dockerfile
index ba401f126..e27ae3adb 100644
--- a/Dockerfiles/postgresql.Dockerfile
+++ b/Dockerfiles/postgresql.Dockerfile
@@ -28,7 +28,7 @@ COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic
RUN apk update --no-cache && \
apk upgrade --no-cache && \
- apk add --no-cache bash procps psmisc rsync shadow tini && \
+ apk add --no-cache bash jq procps psmisc rsync shadow tini && \
apk add --no-cache --virtual .build-deps rsync && \
rsync -a /usr/local/bin/ /usr/bin/ && \
rsync -a /usr/local/share/ /usr/share/ && \
@@ -37,6 +37,7 @@ RUN apk update --no-cache && \
ln -s /usr/bin /usr/local/bin && \
ln -s /usr/share /usr/local/share && \
ln -s /usr/lib /usr/local/lib && \
+ chmod 00775 /var/lib/postgresql /var/lib/postgresql/data /run/postgresql && \
apk del .build-deps
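Review bot: `chmod 00775` on `/var/lib/postgresql/data` grants group write on what is presumably PGDATA, and PostgreSQL refuses to start from a data directory with group or other bits beyond g=rx (it accepts only 0700 or 0750), so this only works if something at runtime resets the mode before the server checks it. That dependency should be confirmed and recorded, e.g. `# 0775 applies to the pre-init mount point only; the entrypoint tightens PGDATA to 0700 before postgres starts`. If no such reset is guaranteed, `/run/postgresql` is the only one of the three paths that needs group write (for the socket), and the data directory should stay at 0700/0750 with the right group. The RUN instruction starts before the hunk.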
USER root
diff --git a/Dockerfiles/redis.Dockerfile b/Dockerfiles/redis.Dockerfile
index d67742fe3..30cd413c2 100644
--- a/Dockerfiles/redis.Dockerfile
+++ b/Dockerfiles/redis.Dockerfile
@@ -27,7 +27,7 @@ COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic
RUN apk update --no-cache && \
apk upgrade --no-cache && \
- apk --no-cache add bash psmisc rsync shadow tini && \
+ apk --no-cache add bash jq psmisc rsync shadow tini && \
addgroup ${PUSER} tty
WORKDIR /home/${PUSER}
diff --git a/Dockerfiles/suricata.Dockerfile b/Dockerfiles/suricata.Dockerfile
index cce710791..90ead633c 100644
--- a/Dockerfiles/suricata.Dockerfile
+++ b/Dockerfiles/suricata.Dockerfile
@@ -33,7 +33,7 @@ ENV PUSER_RLIMIT_UNLOCK true
# see PUSER_CHOWN at the bottom of the file (after the other environment variables it references)
USER root
-ENV SUPERCRONIC_VERSION "0.2.32"
+ENV SUPERCRONIC_VERSION "0.2.33"
ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-"
ENV SUPERCRONIC_CRONTAB "/etc/crontab"
diff --git a/Dockerfiles/zeek.Dockerfile b/Dockerfiles/zeek.Dockerfile
index 02b7cd3b1..0b8a82c4c 100644
--- a/Dockerfiles/zeek.Dockerfile
+++ b/Dockerfiles/zeek.Dockerfile
@@ -52,7 +52,7 @@ ADD shared/bin/zeek_install_plugins.sh /usr/local/bin/
# custom one-off packages locally
ADD zeek/custom-pkg "$ZEEK_DIR"/custom-pkg
-ENV SUPERCRONIC_VERSION "0.2.32"
+ENV SUPERCRONIC_VERSION "0.2.33"
ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-"
ENV SUPERCRONIC_CRONTAB "${ZEEK_DIR}/crontab"
diff --git a/_config.yml b/_config.yml
index 646c2920f..6485fb421 100644
--- a/_config.yml
+++ b/_config.yml
@@ -1,6 +1,6 @@
repository: cisagov/Malcolm
title: Malcolm
-description: A powerful, easily deployable network traffic analysis tool suite
+description: A powerful, easily deployable network traffic analysis tool suite for network security monitoring
logo: docs/images/logo/Malcolm_outline_banner_dark.png
remote_theme: pages-themes/minimal@v0.2.0
youtube_url: https://www.youtube.com/@MalcolmNetworkTrafficAnalysis
diff --git a/api/project/__init__.py b/api/project/__init__.py
index 15748ebe9..004cc2cf2 100644
--- a/api/project/__init__.py
+++ b/api/project/__init__.py
@@ -169,6 +169,15 @@
missing_field_map['ip'] = '0.0.0.0'
missing_field_map['long'] = 0
+logstash_default_pipelines = [
+ "malcolm-beats",
+ "malcolm-enrichment",
+ "malcolm-input",
+ "malcolm-output",
+ "malcolm-suricata",
+ "malcolm-zeek",
+]
+
urllib3.disable_warnings()
warnings.filterwarnings(
"ignore",
@@ -181,9 +190,29 @@
debugApi = app.config["MALCOLM_API_DEBUG"] == "true"
-opensearchUrl = app.config["OPENSEARCH_URL"]
+arkimeHost = app.config["ARKIME_HOST"]
+arkimePort = app.config["ARKIME_PORT"]
+arkimeStatusUrl = f'https://{arkimeHost}:{arkimePort}/_ns_/nstest.html'
dashboardsUrl = app.config["DASHBOARDS_URL"]
+dashboardsHelperHost = app.config["DASHBOARDS_HELPER_HOST"]
+dashboardsMapsPort = app.config["DASHBOARDS_MAPS_PORT"]
databaseMode = malcolm_utils.DatabaseModeStrToEnum(app.config["OPENSEARCH_PRIMARY"])
+filebeatHost = app.config["FILEBEAT_HOST"]
+filebeatTcpJsonPort = app.config["FILEBEAT_TCP_JSON_PORT"]
+freqUrl = app.config["FREQ_URL"]
+logstashApiPort = app.config["LOGSTASH_API_PORT"]
+logstashHost = app.config["LOGSTASH_HOST"]
+logstashLJPort = app.config["LOGSTASH_LJ_PORT"]
+logstashMapsPort = app.config["LOGSTASH_LJ_PORT"]
+logstashUrl = f'http://{logstashHost}:{logstashApiPort}'
+netboxUrl = app.config["NETBOX_URL"]
+opensearchUrl = app.config["OPENSEARCH_URL"]
+pcapMonitorHost = app.config["PCAP_MONITOR_HOST"]
+pcapTopicPort = app.config["PCAP_TOPIC_PORT"]
+zeekExtractedFileLoggerHost = app.config["ZEEK_EXTRACTED_FILE_LOGGER_HOST"]
+zeekExtractedFileLoggerTopicPort = app.config["ZEEK_EXTRACTED_FILE_LOGGER_TOPIC_PORT"]
+zeekExtractedFileMonitorHost = app.config["ZEEK_EXTRACTED_FILE_MONITOR_HOST"]
+zeekExtractedFileTopicPort = app.config["ZEEK_EXTRACTED_FILE_TOPIC_PORT"]
opensearchLocal = (databaseMode == malcolm_utils.DatabaseMode.OpenSearchLocal) or (
opensearchUrl == 'http://opensearch:9200'
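Review bot: `logstashMapsPort = app.config["LOGSTASH_LJ_PORT"]` reads the lumberjack port under a maps name, which looks like a copy-paste of the line above; this commit adds no LOGSTASH_MAPS_PORT to Config, and `ready()` uses `dashboardsMapsPort` for the offline map check, so the variable is either dead or pointing at the wrong key. Either drop the line or give it its own key, `logstashMapsPort = app.config["LOGSTASH_MAPS_PORT"]`, with a matching entry in Config. The module-level statement run continues outside the hunk.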
@@ -884,6 +913,163 @@ def version():
)
+@app.route(
+ f"{('/' + app.config['MALCOLM_API_PREFIX']) if app.config['MALCOLM_API_PREFIX'] else ''}/ready", methods=['GET']
+)
+def ready():
+ """Return ready status (true or false) for various Malcolm components
+
+ Parameters
+ ----------
+
+ Returns
+ -------
+ arkime
+ true or false, the ready status of Arkime
+ dashboards
+ true or false, the ready status of Dashboards (or Kibana)
+ dashboards_maps
+ true or false, the ready status of the dashboards-helper offline map server
+ filebeat_tcp
+ true or false, the ready status of Filebeat's JSON-OVER-TCP
+ freq
+ true or false, the ready status of freq
+ logstash_lumberjack
+ true or false, the ready status of Logstash's lumberjack protocol listener
+ logstash_pipelines
+ true or false, the ready status of Logstash's default pipelines
+ netbox
+ true or false, the ready status of NetBox
+ opensearch
+ true or false, the ready status of OpenSearch (or Elasticsearch)
+ pcap_monitor
+ true or false, the ready status of the PCAP monitoring process
+ zeek_extracted_file_logger
+ true or false, the ready status of the Zeek extracted file results logging process
+ zeek_extracted_file_monitor
+ true or false, the ready status of the Zeek extracted file monitoring process
+ """
+ global databaseClient
+
+ try:
+ arkimeResponse = requests.get(
+ arkimeStatusUrl,
+ verify=False,
+ )
+ arkimeResponse.raise_for_status()
+ arkimeStatus = True
+ except Exception as e:
+ arkimeStatus = False
+ if debugApi:
+ print(f"{type(e).__name__}: {str(e)} getting Arkime status")
+
+ try:
+ dashboardsStatus = requests.get(
+ f'{dashboardsUrl}/api/status',
+ auth=opensearchReqHttpAuth,
+ verify=opensearchSslVerify,
+ ).json()
+ except Exception as e:
+ dashboardsStatus = {}
+ if debugApi:
+ print(f"{type(e).__name__}: {str(e)} getting Dashboards status")
+
+ try:
+ dashboardsMapsStatus = malcolm_utils.check_socket(dashboardsHelperHost, dashboardsMapsPort)
+ except Exception as e:
+ dashboardsMapsStatus = False
+ if debugApi:
+ print(f"{type(e).__name__}: {str(e)} getting Logstash offline map server")
+
+ try:
+ filebeatTcpJsonStatus = malcolm_utils.check_socket(filebeatHost, filebeatTcpJsonPort)
+ except Exception as e:
+ filebeatTcpJsonStatus = False
+ if debugApi:
+ print(f"{type(e).__name__}: {str(e)} getting filebeat TCP JSON listener status")
+
+ try:
+ freqResponse = requests.get(freqUrl)
+ freqResponse.raise_for_status()
+ freqStatus = True
+ except Exception as e:
+ freqStatus = False
+ if debugApi:
+ print(f"{type(e).__name__}: {str(e)} getting freq status")
+
+ try:
+ logstashStats = requests.get(f'{logstashUrl}/_node').json()
+ except Exception as e:
+ logstashStats = {}
+ if debugApi:
+ print(f"{type(e).__name__}: {str(e)} getting Logstash node status")
+
+ try:
+ logstashLJStatus = malcolm_utils.check_socket(logstashHost, logstashLJPort)
+ except Exception as e:
+ logstashLJStatus = False
+ if debugApi:
+ print(f"{type(e).__name__}: {str(e)} getting Logstash lumberjack listener status")
+
+ try:
+ netboxStatus = requests.get(f'{netboxUrl}/api/status').json()
+ except Exception as e:
+ netboxStatus = {}
+ if debugApi:
+ print(f"{type(e).__name__}: {str(e)} getting NetBox status")
+
+ try:
+ openSearchHealth = dict(databaseClient.cluster.health())
+ except Exception as e:
+ openSearchHealth = {}
+ if debugApi:
+ print(f"{type(e).__name__}: {str(e)} getting OpenSearch health")
+
+ try:
+ pcapMonitorStatus = malcolm_utils.check_socket(pcapMonitorHost, pcapTopicPort)
+ except Exception as e:
+ pcapMonitorStatus = False
+ if debugApi:
+ print(f"{type(e).__name__}: {str(e)} getting PCAP monitor topic status")
+
+ try:
+ zeekExtractedFileMonitorStatus = malcolm_utils.check_socket(
+ zeekExtractedFileMonitorHost, zeekExtractedFileTopicPort
+ )
+ except Exception as e:
+ zeekExtractedFileMonitorStatus = False
+ if debugApi:
+ print(f"{type(e).__name__}: {str(e)} getting Zeek extracted file monitor topic status")
+
+ try:
+ zeekExtractedFileLoggerStatus = malcolm_utils.check_socket(
+ zeekExtractedFileLoggerHost, zeekExtractedFileLoggerTopicPort
+ )
+ except Exception as e:
+ zeekExtractedFileLoggerStatus = False
+ if debugApi:
+ print(f"{type(e).__name__}: {str(e)} getting Zeek extracted file logger topic status")
+
+ return jsonify(
+ arkime=arkimeStatus,
+ dashboards=(malcolm_utils.deep_get(dashboardsStatus, ["status", "overall", "state"]) == "green"),
+ dashboards_maps=dashboardsMapsStatus,
+ filebeat_tcp=filebeatTcpJsonStatus,
+ freq=freqStatus,
+ logstash_lumberjack=logstashLJStatus,
+ logstash_pipelines=(malcolm_utils.deep_get(logstashStats, ["status"]) == "green")
+ and all(
+ pipeline in malcolm_utils.deep_get(logstashStats, ["pipelines"], {})
+ for pipeline in logstash_default_pipelines
+ ),
+ netbox=bool(malcolm_utils.deep_get(netboxStatus, ["netbox-version"])),
+ opensearch=(malcolm_utils.deep_get(openSearchHealth, ["status"], 'red') != "red"),
+ pcap_monitor=pcapMonitorStatus,
+ zeek_extracted_file_logger=zeekExtractedFileLoggerStatus,
+ zeek_extracted_file_monitor=zeekExtractedFileMonitorStatus,
+ )
+
+
@app.route(
f"{('/' + app.config['MALCOLM_API_PREFIX']) if app.config['MALCOLM_API_PREFIX'] else ''}/ping", methods=['GET']
)
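Review bot: None of the five `requests.get` calls in `ready()` pass a `timeout`, so a component that accepts the connection but never answers (a half-started Arkime, NetBox or Logstash) blocks the API worker indefinitely instead of reporting not-ready; a readiness probe needs a bounded wait, e.g. `arkimeResponse = requests.get(arkimeStatusUrl, verify=False, timeout=readyCheckTimeout)` with a small module-level `readyCheckTimeout` applied to all five calls. The Arkime check also hard-codes `verify=False` while the Dashboards check honors `opensearchSslVerify`; if Arkime's certificate is expected to be self-signed, a one-line comment saying so would explain the bypass rather than leaving it unexplained. The debug message for the dashboards-helper socket check says "getting Logstash offline map server" although the host checked is `dashboardsHelperHost`; `print(f"{type(e).__name__}: {str(e)} getting dashboards-helper offline map server status")` matches the wording of the neighbouring checks. `global databaseClient` is unnecessary as well, since the function only reads it.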
diff --git a/api/project/config.py b/api/project/config.py
index b98ef3481..eb473637f 100644
--- a/api/project/config.py
+++ b/api/project/config.py
@@ -13,18 +13,35 @@ class Config(object):
ARKIME_NETWORK_INDEX_PATTERN = f"{os.getenv('ARKIME_NETWORK_INDEX_PATTERN', 'arkime_sessions3-*')}"
ARKIME_NETWORK_INDEX_TIME_FIELD = f"{os.getenv('ARKIME_NETWORK_INDEX_TIME_FIELD', 'firstPacket')}"
- DOCTYPE_DEFAULT = f"{os.getenv('DOCTYPE_DEFAULT', 'network')}"
+ ARKIME_HOST = f"{os.getenv('ARKIME_HOST', 'arkime')}"
+ ARKIME_PORT = int(f"{os.getenv('ARKIME_PORT', '8005')}")
BUILD_DATE = f"{os.getenv('BUILD_DATE', 'unknown')}"
DASHBOARDS_URL = f"{os.getenv('DASHBOARDS_URL', 'http://dashboards:5601/dashboards')}"
- MALCOLM_API_PREFIX = f"{os.getenv('MALCOLM_API_PREFIX', 'mapi')}"
+ DASHBOARDS_HELPER_HOST = f"{os.getenv('DASHBOARDS_HELPER_HOST', 'dashboards-helper')}"
+ DASHBOARDS_MAPS_PORT = int(f"{os.getenv('DASHBOARDS_MAPS_PORT', '28991')}")
+ DOCTYPE_DEFAULT = f"{os.getenv('DOCTYPE_DEFAULT', 'network')}"
+ FILEBEAT_HOST = f"{os.getenv('FILEBEAT_HOST', 'filebeat')}"
+ FILEBEAT_TCP_JSON_PORT = int(f"{os.getenv('FILEBEAT_TCP_JSON_PORT', '5045')}")
+ FREQ_URL = f"{os.getenv('FREQ_URL', 'http://freq:10004')}"
+ LOGSTASH_API_PORT = int(f"{os.getenv('LOGSTASH_API_PORT', '9600')}")
+ LOGSTASH_HOST = f"{os.getenv('LOGSTASH_HOST', 'logstash')}"
+ LOGSTASH_LJ_PORT = int(f"{os.getenv('LOGSTASH_LJ_PORT', '5044')}")
MALCOLM_API_DEBUG = f"{os.getenv('MALCOLM_API_DEBUG', 'false')}"
+ MALCOLM_API_PREFIX = f"{os.getenv('MALCOLM_API_PREFIX', 'mapi')}"
MALCOLM_TEMPLATE = f"{os.getenv('MALCOLM_TEMPLATE', 'malcolm_template')}"
MALCOLM_VERSION = f"{os.getenv('MALCOLM_VERSION', 'unknown')}"
- OPENSEARCH_URL = f"{os.getenv('OPENSEARCH_URL', 'http://opensearch:9200')}"
- OPENSEARCH_PRIMARY = f"{os.getenv('OPENSEARCH_PRIMARY', 'opensearch-local')}"
- OPENSEARCH_SSL_CERTIFICATE_VERIFICATION = f"{os.getenv('OPENSEARCH_SSL_CERTIFICATE_VERIFICATION', 'false')}"
+ NETBOX_URL = f"{os.getenv('NETBOX_URL', 'http://netbox:8080/netbox')}"
OPENSEARCH_CREDS_CONFIG_FILE = (
f"{os.getenv('OPENSEARCH_CREDS_CONFIG_FILE', '/var/local/curlrc/.opensearch.primary.curlrc')}"
)
+ OPENSEARCH_PRIMARY = f"{os.getenv('OPENSEARCH_PRIMARY', 'opensearch-local')}"
+ OPENSEARCH_SSL_CERTIFICATE_VERIFICATION = f"{os.getenv('OPENSEARCH_SSL_CERTIFICATE_VERIFICATION', 'false')}"
+ OPENSEARCH_URL = f"{os.getenv('OPENSEARCH_URL', 'http://opensearch:9200')}"
+ PCAP_MONITOR_HOST = f"{os.getenv('PCAP_MONITOR_HOST', 'pcap-monitor')}"
+ PCAP_TOPIC_PORT = int(f"{os.getenv('PCAP_TOPIC_PORT', '30441')}")
RESULT_SET_LIMIT = int(f"{os.getenv('RESULT_SET_LIMIT', '500')}")
VCS_REVISION = f"{os.getenv('VCS_REVISION', 'unknown')}"
+ ZEEK_EXTRACTED_FILE_LOGGER_HOST = f"{os.getenv('ZEEK_EXTRACTED_FILE_LOGGER_HOST', 'file-monitor')}"
+ ZEEK_EXTRACTED_FILE_LOGGER_TOPIC_PORT = int(f"{os.getenv('ZEEK_EXTRACTED_FILE_LOGGER_TOPIC_PORT', '5988')}")
+ ZEEK_EXTRACTED_FILE_MONITOR_HOST = f"{os.getenv('ZEEK_EXTRACTED_FILE_MONITOR_HOST', 'file-monitor')}"
+ ZEEK_EXTRACTED_FILE_TOPIC_PORT = int(f"{os.getenv('ZEEK_EXTRACTED_FILE_TOPIC_PORT', '5987')}")
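Review bot: Each new `int(f"{os.getenv(...)}")` raises ValueError at import time when the variable is present but empty, which is how this repository's env templates leave unset values (`ZEEK_DISABLE_HASH_ALL_FILES=` in config/zeek.env.example), so an `ARKIME_PORT=` line in an env file would take the whole API down instead of falling back to the default. The f-string around `os.getenv` is also redundant, since it already returns a str. A one-line helper, `def _env_int(name, default): return int(os.getenv(name) or default)`, used for the port settings would give the fallback and read more plainly. The Config class continues outside the hunk.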
diff --git a/arkime/etc/config.ini b/arkime/etc/config.ini
index 4a5ad775c..78c93ac50 100644
--- a/arkime/etc/config.ini
+++ b/arkime/etc/config.ini
@@ -2669,6 +2669,16 @@ zeek.tftp.wrq=db:zeek.tftp.wrq;group:zeek_tftp;kind:termfield;viewerOnly:true;fr
zeek.tunnel.tunnel_type=db:zeek.tunnel.tunnel_type;group:zeek_tunnel;kind:termfield;viewerOnly:true;friendly:Tunnel Type;help:Tunnel Type
zeek.tunnel.action=db:zeek.tunnel.action;group:zeek_tunnel;kind:termfield;viewerOnly:true;friendly:Action;help:Action
+# websocket.log
+# https://docs.zeek.org/en/master/scripts/base/protocols/websocket/main.zeek.html#type-WebSocket::Info
+zeek.websocket.host=db:zeek.websocket.host;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket Host;help:Websocket Host
+zeek.websocket.uri=db:zeek.websocket.uri;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket URI;help:Websocket URI
+zeek.websocket.user_agent=db:zeek.websocket.user_agent;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket User Agent;help:Websocket User Agent
+zeek.websocket.subprotocol=db:zeek.websocket.subprotocol;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket Subprotocol;help:Websocket Subprotocol
+zeek.websocket.client_protocols=db:zeek.websocket.client_protocols;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket Client Protocol;help:Websocket Client Protocol
+zeek.websocket.server_extensions=db:zeek.websocket.server_extensions;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket Server Extension;help:Websocket Server Extension
+zeek.websocket.client_extensions=db:zeek.websocket.client_extensions;group:zeek_websocket;kind:termfield;viewerOnly:true;friendly:Websocket Client Extension;help:Websocket Client Extension
+
# weird.log
# https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/weird.zeek.html#type-Weird::Info
zeek.weird.addl=db:zeek.weird.addl;group:zeek_weird;kind:termfield;viewerOnly:true;friendly:Additional Info;help:Additional Info
@@ -3395,6 +3405,7 @@ o_zeek_tds_rpc=require:zeek.tds_rpc;title:Zeek tds_rpc.log;fields:zeek.tds_rpc.p
o_zeek_tds_sql_batch=require:zeek.tds_sql_batch;title:Zeek tds_sql_batch.log;fields:zeek.tds_sql_batch.header_type,zeek.tds_sql_batch.query
o_zeek_tftp=require:zeek.tftp;title:Zeek tftp.log;fields:zeek.tftp.block_acked,zeek.tftp.block_sent,zeek.tftp.error_code,zeek.tftp.error_msg,zeek.tftp.fname,zeek.tftp.mode,zeek.tftp.size,zeek.tftp.uid_data,zeek.tftp.wrq
o_zeek_tunnel=require:zeek.tunnel;title:Zeek tunnel.log;fields:zeek.tunnel.tunnel_type,zeek.tunnel.action
+o_zeek_websocket=require:zeek.websocket;title:Zeek websocket.log;fields:zeek.websocket.host,zeek.websocket.uri,zeek.websocket.user_agent,zeek.websocket.subprotocol,zeek.websocket.client_protocols,zeek.websocket.server_extensions,zeek.websocket.client_extensions
o_zeek_weird=require:zeek.weird;title:Zeek weird.log;fields:rule.name,zeek.weird.addl,zeek.weird.notice,zeek.weird.source
o_zeek_wireguard=require:zeek.wireguard;title:Zeek wireguard.log;fields:zeek.wireguard.established,zeek.wireguard.initiations,zeek.wireguard.responses
o_zeek_x509=require:zeek.x509;title:Zeek x509.log;fields:zeek.x509.certificate_version,zeek.x509.certificate_serial,zeek.x509.certificate_subject.CN,zeek.x509.certificate_subject.C,zeek.x509.certificate_subject.O,zeek.x509.certificate_subject.OU,zeek.x509.certificate_subject.ST,zeek.x509.certificate_subject.SN,zeek.x509.certificate_subject.L,zeek.x509.certificate_subject.DC,zeek.x509.certificate_subject.GN,zeek.x509.certificate_subject.pseudonym,zeek.x509.certificate_subject.serialNumber,zeek.x509.certificate_subject.title,zeek.x509.certificate_subject.initials,zeek.x509.certificate_subject.emailAddress,zeek.x509.certificate_subject.description,zeek.x509.certificate_subject.postalCode,zeek.x509.certificate_subject.street,zeek.x509.certificate_issuer.CN,zeek.x509.certificate_issuer.DC,zeek.x509.certificate_issuer.C,zeek.x509.certificate_issuer.O,zeek.x509.certificate_issuer.OU,zeek.x509.certificate_issuer.ST,zeek.x509.certificate_issuer.SN,zeek.x509.certificate_issuer.L,zeek.x509.certificate_issuer.GN,zeek.x509.certificate_issuer.pseudonym,zeek.x509.certificate_issuer.serialNumber,zeek.x509.certificate_issuer.title,zeek.x509.certificate_issuer.initials,zeek.x509.certificate_issuer.emailAddress,zeek.x509.certificate_not_valid_before,zeek.x509.certificate_not_valid_after,zeek.x509.certificate_key_alg,zeek.x509.certificate_sig_alg,zeek.x509.certificate_key_type,zeek.x509.certificate_key_length,zeek.x509.certificate_exponent,zeek.x509.certificate_curve,zeek.x509.client_cert,zeek.x509.fingerprint,zeek.x509.host_cert,zeek.x509.san_dns,zeek.x509.san_uri,zeek.x509.san_email,zeek.x509.san_ip,zeek.x509.basic_constraints_ca,zeek.x509.basic_constraints_path_len
diff --git a/arkime/wise/source.zeeklogs.js b/arkime/wise/source.zeeklogs.js
index 61d78ac52..b4ddff5eb 100644
--- a/arkime/wise/source.zeeklogs.js
+++ b/arkime/wise/source.zeeklogs.js
@@ -2780,6 +2780,13 @@ class MalcolmSource extends WISESource {
"zeek.tunnel.action",
"zeek.tunnel.tunnel_type",
"zeek.uid",
+ "zeek.websocket.host",
+ "zeek.websocket.uri",
+ "zeek.websocket.user_agent",
+ "zeek.websocket.subprotocol",
+ "zeek.websocket.client_protocols",
+ "zeek.websocket.server_extensions",
+ "zeek.websocket.client_extensions",
"zeek.weird.addl",
"zeek.weird.notice",
"zeek.weird.source",
diff --git a/config/zeek.env.example b/config/zeek.env.example
index cc87221e6..6434eba1a 100644
--- a/config/zeek.env.example
+++ b/config/zeek.env.example
@@ -62,6 +62,8 @@ EXTRACTED_FILE_HTTP_SERVER_ZIP=false
EXTRACTED_FILE_HTTP_SERVER_MAGIC=false
# HTTP server will look in subdirectories for requested filename (e.g., in "/quarantined" and "/preserved")
EXTRACTED_FILE_HTTP_SERVER_RECURSIVE=true
+# Adjust how often the JA4SSH hash is calculated
+ZEEK_JA4SSH_PACKET_COUNT=200
# Environment variables for tweaking Zeek at runtime (see local.zeek)
# Set to true to disable the corresponding feature
ZEEK_DISABLE_HASH_ALL_FILES=
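Review bot: `ZEEK_JA4SSH_PACKET_COUNT` is inserted between the extracted-file HTTP server settings and the `# Environment variables for tweaking Zeek at runtime` header, so it reads as an HTTP-server option, and its comment does not say what the number counts. Placing it below that header with a comment that states the unit, `# Number of packets after which each JA4SSH fingerprint is calculated`, would make the knob self-explanatory.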
@@ -96,4 +98,4 @@ ZEEK_SYNCHROPHASOR_PORTS=
ZEEK_SYNCHROPHASOR_DETAILED=
ZEEK_GENISYS_PORTS=
ZEEK_ENIP_PORTS=
-ZEEK_DISABLE_BEST_GUESS_ICS=true
\ No newline at end of file
+ZEEK_DISABLE_BEST_GUESS_ICS=true
diff --git a/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json b/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json
index e434649ee..1b8548b27 100644
--- a/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json
+++ b/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json
@@ -112,7 +112,7 @@
"version": "Wzc0MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/03207c00-d07e-11ec-b4a7-d1b4003706b7.json b/dashboards/dashboards/03207c00-d07e-11ec-b4a7-d1b4003706b7.json
index 50001dea6..7e1c6df4a 100644
--- a/dashboards/dashboards/03207c00-d07e-11ec-b4a7-d1b4003706b7.json
+++ b/dashboards/dashboards/03207c00-d07e-11ec-b4a7-d1b4003706b7.json
@@ -87,7 +87,7 @@
"version": "Wzc5NSwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json b/dashboards/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json
index cab9dbd70..4359662f0 100644
--- a/dashboards/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json
+++ b/dashboards/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json
@@ -92,7 +92,7 @@
"version": "Wzg3OSwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json b/dashboards/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json
index 28b70ce36..b886de969 100644
--- a/dashboards/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json
+++ b/dashboards/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json
@@ -87,7 +87,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json b/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json
index 27db8f8a9..f99475f9f 100644
--- a/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json
+++ b/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json
@@ -87,7 +87,7 @@
"version": "WzkzNiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
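Review bot: The added visState line introduces a `[WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb)` link whose target dashboard ID does not appear anywhere else in this chunk; if that saved object is not shipped in the same commit the Navigation panel will point at a missing dashboard after import, so it is worth confirming the file exists and is loaded alongside these. The same Navigation markdown is repeated byte-for-byte in the 0ad3d7c2 and 0aed0e23 sections below and presumably in every other dashboard file, so a one-link change fans out across many files and makes the real diff hard to review; rendering the Navigation panel from a single source at build or import time would keep this to one edit. The saved-object `"version": "WzkzNiwxXQ=="` is left unchanged while the content changes — that looks like the export's internal sequence marker and is probably overwritten on import, but please confirm the loader does not use it to decide whether to re-import.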
diff --git a/dashboards/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json b/dashboards/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json
index 161be0c69..54a52681f 100644
--- a/dashboards/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json
+++ b/dashboards/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json
@@ -87,7 +87,7 @@
"version": "Wzc5NSwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json b/dashboards/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json
index ab4e6e4b2..cff8454a3 100644
--- a/dashboards/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json
+++ b/dashboards/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json
@@ -87,7 +87,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json b/dashboards/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json
index e977131e7..39609ea04 100644
--- a/dashboards/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json
+++ b/dashboards/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json
@@ -107,7 +107,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
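Review bot: The new `/ [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb)` entry in the `visState` markdown on the `+` line links to a dashboard id that does not appear anywhere else in these hunks, so whether `dashboards/dashboards/b8cf5890-87ed-11ef-ae18-dbcd34795edb.json` is added by this same commit cannot be confirmed from here; if it is not, every Navigation panel now carries a dangling link. The same `visState` string is pasted verbatim into each dashboard file (this hunk and the ones for `11be6381-…` and `11ddd980-…` carry byte-identical old and new values), so any dashboard missed in this sweep will silently keep the old navigation. A small CI check that loads each `dashboards/dashboards/*.json`, extracts the `Navigation` visualization's `visState` and asserts all copies are identical (and that every `#/dashboard/<id>` it references resolves to a file in the same directory) would catch both problems without changing the export format.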
diff --git a/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json b/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json
index a6fd63905..4e143685b 100644
--- a/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json
+++ b/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json
@@ -82,7 +82,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json b/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json
index 2e2f64890..1a15e9b7b 100644
--- a/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json
+++ b/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json
@@ -87,7 +87,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/12e3a130-d83b-11eb-a0b0-f328ce09b0b7.json b/dashboards/dashboards/12e3a130-d83b-11eb-a0b0-f328ce09b0b7.json
index d3336dc49..44a0e8231 100644
--- a/dashboards/dashboards/12e3a130-d83b-11eb-a0b0-f328ce09b0b7.json
+++ b/dashboards/dashboards/12e3a130-d83b-11eb-a0b0-f328ce09b0b7.json
@@ -82,7 +82,7 @@
"version": "Wzc1NSwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
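Review bot: The new `[WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb)` link on the `+` visState line is only a hash-route reference, so nothing in this hunk proves the target saved object exists; a missing `dashboards/dashboards/b8cf5890-87ed-11ef-ae18-dbcd34795edb.json` would leave a dead navigation entry that import does not flag. Please confirm the dashboard file is part of this change set. The same navigation markdown string is duplicated byte-for-byte in every dashboard file touched here (this hunk and the following ones), so each edit has to be replicated across all copies and a missed file silently keeps the stale menu; consider generating the panel from one source, or at least adding a CI check that every `#/dashboard/<id>` referenced in a Navigation visState resolves to a file in `dashboards/dashboards/`. The surrounding saved-object record starts before this hunk.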
diff --git a/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json b/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json
index 326d68591..9d29d5d34 100644
--- a/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json
+++ b/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json
@@ -127,7 +127,7 @@
"version": "Wzg1NywxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0.json b/dashboards/dashboards/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0.json
index 2317d148d..fcd8b6a6a 100644
--- a/dashboards/dashboards/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0.json
+++ b/dashboards/dashboards/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0.json
@@ -92,7 +92,7 @@
"version": "WzkzNiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json
index 24ae0643e..1fe910058 100644
--- a/dashboards/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json
+++ b/dashboards/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json
@@ -57,7 +57,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
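Review bot: The new `[WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb)` link is added to a Navigation `visState` string that is embedded verbatim in each dashboard export, so every file carrying this panel must receive the byte-identical edit (the hunks for `1fff49f6-…` and `29a1b290-…` below repeat it); any export missed keeps the stale menu with no parse error to flag it. A small repository check that asserts all `"title": "Navigation"` `visState` strings under `dashboards/dashboards/*.json` are identical would catch a missed file before import. The referenced dashboard id presumably lands as its own saved object in this change set; that cannot be confirmed from this hunk, and a dangling id renders as a dead link rather than failing import. The enclosing saved-object entry starts and ends outside the hunk.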
diff --git a/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json b/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json
index 6750c90bd..81517ff8a 100644
--- a/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json
+++ b/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json
@@ -72,7 +72,7 @@
"version": "Wzc4NCwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json b/dashboards/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json
index 55b56a2b0..5b36aced7 100644
--- a/dashboards/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json
+++ b/dashboards/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json
@@ -112,7 +112,7 @@
"version": "Wzg2MCwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json b/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json
index 3789273ac..990a0956d 100644
--- a/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json
+++ b/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json
@@ -122,7 +122,7 @@
"version": "Wzg2MCwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
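Review bot: The new `[WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb)` link is added to a Navigation markdown string that is duplicated verbatim in every dashboard export, so the same edit must land byte-identically in each file (this hunk, and the 2cc56240-e460-11ed-a9d5-9f591c284cb4 and 2cf94cd0-ecab-40a5-95a7-8419f3a39cd9 hunks below, plus any outside this view); at these line lengths a one-character divergence between copies would not be visible in review. The link target is presumably a dashboard saved object added elsewhere in this commit; if that export is not part of the change the navigation entry resolves to a missing dashboard at import time. A small repository check that extracts `params.markdown` from each Navigation visState and asserts all copies are identical, and that every `#/dashboard/<id>` it references has a matching file under dashboards/dashboards/, would catch both problems before import. The escaped `visState` JSON-in-JSON is otherwise unchanged apart from the inserted link.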
diff --git a/dashboards/dashboards/2cc56240-e460-11ed-a9d5-9f591c284cb4.json b/dashboards/dashboards/2cc56240-e460-11ed-a9d5-9f591c284cb4.json
index 95d2e37df..fc0d3c29d 100644
--- a/dashboards/dashboards/2cc56240-e460-11ed-a9d5-9f591c284cb4.json
+++ b/dashboards/dashboards/2cc56240-e460-11ed-a9d5-9f591c284cb4.json
@@ -122,7 +122,7 @@
"version": "Wzg0OSwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json b/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json
index 23bd223d4..d2f40a6ca 100644
--- a/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json
+++ b/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json
@@ -107,7 +107,7 @@
"version": "Wzg3OSwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json b/dashboards/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json
index 63f13a019..eb0c70932 100644
--- a/dashboards/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json
+++ b/dashboards/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json
@@ -117,7 +117,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
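Review bot: The new `/ [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb)` entry points at a dashboard id that appears nowhere else in these hunks, so the diff alone does not show that a saved object with that id is exported alongside this change; if it is not, the Navigation panel renders a link to a dashboard that does not exist. Because the Navigation markdown is a verbatim copy embedded in every dashboard's visState string, the identical edit has to land in each file — the hunks for 32587740-ef88-11e9-b38a-2db3ee640e88.json and 36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json carry it too, and any dashboard missed would silently keep the old menu. A consistency check in whatever tooling maintains these exports, verifying that every `#/dashboard/<id>` referenced from a Navigation panel resolves to an exported object and that all Navigation panels carry the same markdown, would catch both cases.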
diff --git a/dashboards/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json b/dashboards/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json
index e19515bff..bcd6b5ee6 100644
--- a/dashboards/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json
+++ b/dashboards/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json
@@ -72,7 +72,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json b/dashboards/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json
index 1485445a6..d55123c06 100644
--- a/dashboards/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json
+++ b/dashboards/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json
@@ -97,7 +97,7 @@
"version": "Wzc2OSwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json b/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json
index 0386519c9..da2caaa25 100644
--- a/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json
+++ b/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json
@@ -127,7 +127,7 @@
"version": "Wzg1OSwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
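Review bot: The new `[WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb)` link on the `+` visState line resolves only if a dashboard saved object with that exact id is imported alongside these files, and nothing in this hunk shows it; confirm `dashboards/dashboards/b8cf5890-87ed-11ef-ae18-dbcd34795edb.json` is part of the same change, otherwise every Navigation panel ships a dead link. The Navigation markdown is embedded verbatim in each dashboard's visState (the identical edit is repeated in the 39abfe30 and 3a9e3440 files below), so every future link addition or removal has to be replayed by hand across all of them and a missed file silently drifts. If the project has a script that stamps this panel into each dashboard export, this change should be produced by it rather than edited by hand, and a CI check that every `#/dashboard/<id>` referenced from a Navigation panel exists as a file under `dashboards/dashboards/` would catch both dangling targets and drift.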
diff --git a/dashboards/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json
index e4d6458b2..92a846722 100644
--- a/dashboards/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json
+++ b/dashboards/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json
@@ -57,7 +57,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/3a9e3440-75e2-11ef-8138-03748f839a49.json b/dashboards/dashboards/3a9e3440-75e2-11ef-8138-03748f839a49.json
index 73d1d4cf9..d09bf994f 100644
--- a/dashboards/dashboards/3a9e3440-75e2-11ef-8138-03748f839a49.json
+++ b/dashboards/dashboards/3a9e3440-75e2-11ef-8138-03748f839a49.json
@@ -162,7 +162,7 @@
"version": "WzkxNywxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json b/dashboards/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json
index 72326fc58..9825403ca 100644
--- a/dashboards/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json
+++ b/dashboards/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json
@@ -102,7 +102,7 @@
"version": "WzkzNywxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json b/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json
index a48786060..e534438e4 100644
--- a/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json
+++ b/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json
@@ -97,7 +97,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/4a073440-b286-11eb-a4d4-09fa12a6ebd4.json b/dashboards/dashboards/4a073440-b286-11eb-a4d4-09fa12a6ebd4.json
index 38480910d..ef5d30e15 100644
--- a/dashboards/dashboards/4a073440-b286-11eb-a4d4-09fa12a6ebd4.json
+++ b/dashboards/dashboards/4a073440-b286-11eb-a4d4-09fa12a6ebd4.json
@@ -82,7 +82,7 @@
"version": "Wzg4MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json b/dashboards/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json
index a0a2eae4a..afec24b5a 100644
--- a/dashboards/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json
+++ b/dashboards/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json
@@ -97,7 +97,7 @@
"version": "Wzg4OCwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json b/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json
index ac154935b..02da0c856 100644
--- a/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json
+++ b/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json
@@ -87,7 +87,7 @@
"version": "Wzg1OSwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json b/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json
index d5fd80bc8..bb9b463df 100644
--- a/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json
+++ b/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json
@@ -97,7 +97,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json b/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json
index 5f4c65802..20b1f3a71 100644
--- a/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json
+++ b/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json
@@ -97,7 +97,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
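Review bot: The new `[WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb)` entry added to the Common Protocols row points at a dashboard id whose saved-object file is not visible in this part of the diff; if that dashboard is not shipped in the same change, the navigation link resolves to a missing-object page. The identical Navigation markdown is rewritten by hand in the sections for dashboards/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json and dashboards/dashboards/5694ca60-cbdf-11ec-a50a-5fedd672f5c5.json as well (and apparently in further files cut off below), so any copy that is missed or edited slightly differently leaves some dashboards with a stale menu. It would be worth confirming the target dashboard file is included and that every copy of this panel carries the same string, ideally by generating the panel from a single template rather than editing each export.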
diff --git a/dashboards/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json
index acdbf661c..b6adfbceb 100644
--- a/dashboards/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json
+++ b/dashboards/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json
@@ -47,7 +47,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/5694ca60-cbdf-11ec-a50a-5fedd672f5c5.json b/dashboards/dashboards/5694ca60-cbdf-11ec-a50a-5fedd672f5c5.json
index b5565607e..93985be75 100644
--- a/dashboards/dashboards/5694ca60-cbdf-11ec-a50a-5fedd672f5c5.json
+++ b/dashboards/dashboards/5694ca60-cbdf-11ec-a50a-5fedd672f5c5.json
@@ -97,7 +97,7 @@
"version": "Wzg2MSwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json b/dashboards/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json
index 3198f0e9e..caecd428f 100644
--- a/dashboards/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json
+++ b/dashboards/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json
@@ -87,7 +87,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
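Review bot: The new `[WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb)` link in the navigation markdown is the only substantive change here, and this chunk does not show whether a saved object with id `b8cf5890-87ed-11ef-ae18-dbcd34795edb` is added or already present under `dashboards/dashboards/`; if it is not part of this commit, the link is dangling in every panel that carries it. The same navigation string is copied verbatim into each dashboard file (the hunks for `665d1610-523d-11e9-a30e-e3576242f3ed.json` and `677ee170-809e-11ed-8d5b-07069f823b6f.json` below carry the identical edit), so a single missed file leaves the panels inconsistent with no parser or import error to flag it. A lightweight check that diffs the `params.markdown` value across all `Navigation` visualizations, or generating that panel from one template at build time, would make this class of edit verifiable rather than relying on a careful hand-apply.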
diff --git a/dashboards/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json b/dashboards/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json
index 95f464233..5980f5917 100644
--- a/dashboards/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json
+++ b/dashboards/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json
@@ -77,7 +77,7 @@
"version": "Wzc4NCwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json b/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json
index f271925b6..06a3088ab 100644
--- a/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json
+++ b/dashboards/dashboards/677ee170-809e-11ed-8d5b-07069f823b6f.json
@@ -122,7 +122,7 @@
"version": "Wzg4NywxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json b/dashboards/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json
index b58dd7b02..a1d23dd8a 100644
--- a/dashboards/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json
+++ b/dashboards/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json
@@ -82,7 +82,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json
index 43509ff54..023608ba5 100644
--- a/dashboards/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json
+++ b/dashboards/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json
@@ -57,7 +57,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json b/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json
index 462e488b4..04ddf68dd 100644
--- a/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json
+++ b/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json
@@ -92,7 +92,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json b/dashboards/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json
index 595d4f9cd..218212ed9 100644
--- a/dashboards/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json
+++ b/dashboards/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json
@@ -117,7 +117,7 @@
"version": "Wzg1OCwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
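Review bot: The added `visState` string in this hunk (and the identical additions in the hunks ending at L1967 and L1984) introduces a link to `#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb`, but nothing visible here exports a saved object with that id, so the link is dangling unless a matching `dashboards/dashboards/<that id>.json` is added elsewhere in the same commit — worth confirming before merge. Because the navigation markdown is embedded verbatim in each dashboard's own `visState` rather than referenced as one shared visualization, every new protocol entry has to be replicated across all exported dashboards, which is presumably why the same multi-kilobyte line recurs in every hunk and where future drift between dashboards will first appear. A cheap consistency check is to grep the export set for the new id and for any `"title": "Navigation"` object whose markdown still lacks `[WebSocket]`. The enclosing saved-object JSON starts before and ends after this hunk.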
diff --git a/dashboards/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json b/dashboards/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json
index c26c0d9f5..ebac43e5f 100644
--- a/dashboards/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json
+++ b/dashboards/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json
@@ -107,7 +107,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json b/dashboards/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json
index 94994fe52..f3b7887fc 100644
--- a/dashboards/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json
+++ b/dashboards/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json
@@ -102,7 +102,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json b/dashboards/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json
index c339ed35c..69104c4cf 100644
--- a/dashboards/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json
+++ b/dashboards/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json
@@ -92,7 +92,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
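Review bot: The added `[WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb)` link on the `+` line references a dashboard id that appears nowhere else in this chunk, so whether that saved object is shipped in the same import set cannot be confirmed from here; if it is not, every navigation panel gains a dead link. Worth verifying that `dashboards/dashboards/b8cf5890-87ed-11ef-ae18-dbcd34795edb.json` exists in this commit before merging. Separately, the whole navigation markdown is duplicated byte-for-byte in each dashboard's `visState` (the same string is edited in the surrounding hunks), so a single missed file silently diverges from the others; a CI check that every `"title": "Navigation"` visualization carries an identical `markdown` value, or generating these panels from one template, would catch that drift.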
diff --git a/dashboards/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json b/dashboards/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json
index d339fb53a..5c20800ed 100644
--- a/dashboards/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json
+++ b/dashboards/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json
@@ -62,7 +62,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/89d1cc50-974c-11ed-bb6b-3fb06c879b11.json b/dashboards/dashboards/89d1cc50-974c-11ed-bb6b-3fb06c879b11.json
index cd9be901f..790ca8f43 100644
--- a/dashboards/dashboards/89d1cc50-974c-11ed-bb6b-3fb06c879b11.json
+++ b/dashboards/dashboards/89d1cc50-974c-11ed-bb6b-3fb06c879b11.json
@@ -102,7 +102,7 @@
"version": "WzgzNywxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json b/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json
index 374bb560d..91f8cee9e 100644
--- a/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json
+++ b/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json
@@ -87,7 +87,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
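Review bot: The navigation markdown is embedded verbatim in this dashboard's `visState` string, so the new `[WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb)` entry has to be repeated by hand in every dashboard file; the identical edit reappears in the hunks ending at L2069 and L2086, and any dashboard missed by the sweep silently keeps a stale menu. Consider a small repo check (a script that extracts every "Navigation" `visState` string from `dashboards/dashboards/*.json` and fails if more than one distinct value exists) so drift between copies is caught in CI rather than noticed by users. The link target assumes a dashboard saved object with that id is added elsewhere in this commit; if it is not, the entry is a dead link on every page that carries it. The surrounding saved-object record starts and ends outside the hunk.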
diff --git a/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json b/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json
index 8ede6bef5..73c8287de 100644
--- a/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json
+++ b/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json
@@ -102,7 +102,7 @@
"version": "Wzg1NywxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json b/dashboards/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json
index 78474a3b9..085de5b44 100644
--- a/dashboards/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json
+++ b/dashboards/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json
@@ -122,7 +122,7 @@
"version": "Wzg2MCwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json
index 8d25b5a6b..3e476026e 100644
--- a/dashboards/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json
+++ b/dashboards/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json
@@ -57,7 +57,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
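Review bot: The added `/ [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb)` link in the Navigation `visState` references a dashboard id that nothing in this hunk defines; unless the corresponding saved object (presumably `dashboards/dashboards/b8cf5890-87ed-11ef-ae18-dbcd34795edb.json`, following the naming used on this page) is part of the same import set, the Common Protocols row will point at a dashboard that does not exist. The identical one-token edit is repeated in the a33e0a50 and a7514350 hunks (and apparently abdd7550) because each dashboard embeds its own copy of the Navigation markdown, so a missed file leaves that dashboard's navigation silently out of sync. A small consistency check that every Navigation `visState` string under `dashboards/dashboards/*.json` is byte-identical would catch such drift before import. The saved-object `"version": "Wzg3MiwxXQ=="` token is left unchanged alongside the attribute edit; that appears intentional for these exports, but worth confirming the importer does not reject it.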
diff --git a/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json b/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json
index 3495f67eb..2bb2faa17 100644
--- a/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json
+++ b/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json
@@ -82,7 +82,7 @@
"version": "Wzg1OSwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json b/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json
index 2a94b378b..a32c7a731 100644
--- a/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json
+++ b/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json
@@ -87,7 +87,7 @@
"version": "Wzg2MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json b/dashboards/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json
index 8db78e921..70e3f286d 100644
--- a/dashboards/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json
+++ b/dashboards/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json
@@ -167,7 +167,7 @@
"version": "Wzc4NiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
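Review bot: The new `[WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb)` entry added to the `visState` markdown references a saved-object id that nothing in this hunk shows exists; if that dashboard is not part of the same import set the navigation link is simply dead in the UI, since a broken in-app link produces no import error. The same navigation panel is duplicated verbatim in the hunks for `ae79b7d1-4281-4095-b2f6-fa7eafda9970.json` and `af5df620-eeb6-11e9-bdef-65a192b7f586.json` (and apparently in every dashboard file), so a copy that was missed or edited slightly differently would only be caught by eye. Before merging, it is worth confirming that every `visState` string containing `### General Network Logs` carries an identical protocol list and that the target id is present among the dashboards being added by this change.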
diff --git a/dashboards/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json b/dashboards/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json
index 91aca6cf2..b04cb2712 100644
--- a/dashboards/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json
+++ b/dashboards/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json
@@ -87,7 +87,7 @@
"version": "WzkzNywxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json b/dashboards/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json
index 0eeab6b94..a334a8d2d 100644
--- a/dashboards/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json
+++ b/dashboards/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json
@@ -87,7 +87,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json b/dashboards/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json
index 6ba462415..d0b14ce92 100644
--- a/dashboards/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json
+++ b/dashboards/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json
@@ -57,7 +57,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/b8cf5890-87ed-11ef-ae18-dbcd34795edb.json b/dashboards/dashboards/b8cf5890-87ed-11ef-ae18-dbcd34795edb.json
new file mode 100644
index 000000000..5bbbde47e
--- /dev/null
+++ b/dashboards/dashboards/b8cf5890-87ed-11ef-ae18-dbcd34795edb.json
@@ -0,0 +1,421 @@
+{
+ "version": "2.17.1",
+ "objects": [
+ {
+ "id": "b8cf5890-87ed-11ef-ae18-dbcd34795edb",
+ "type": "dashboard",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-10-11T17:02:30.091Z",
+ "version": "WzEwNzAsMV0=",
+ "attributes": {
+ "title": "WebSocket",
+ "hits": 0,
+ "description": "",
+ "panelsJSON": "[{\"version\":\"2.17.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":30,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":10,\"i\":\"96fb92c4-8fee-4b32-8e65-f115368a3686\"},\"panelIndex\":\"96fb92c4-8fee-4b32-8e65-f115368a3686\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":10,\"i\":\"8e99a0d5-1955-4263-aa3b-3b07b968e5be\"},\"panelIndex\":\"8e99a0d5-1955-4263-aa3b-3b07b968e5be\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":8,\"y\":10,\"w\":9,\"h\":20,\"i\":\"4a7d9663-6af5-4579-8273-cbf14ee2361f\"},\"panelIndex\":\"4a7d9663-6af5-4579-8273-cbf14ee2361f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":17,\"y\":10,\"w\":11,\"h\":20,\"i\":\"32fc8c0d-5c67-4488-b05c-7a3676194673\"},\"panelIndex\":\"32fc8c0d-5c67-4488-b05c-7a3676194673\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":28,\"y\":10,\"w\":10,\"h\":20,\"i\":\"a1be25ce-d4f3-48ae-b3a5-2f8a1d32bc1b\"},\"panelIndex\":\"a1be25ce-d4f3-48ae-b3a5-2f8a1d32bc1b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":38,\"y\":10,\"w\":10,\"h\":20,\"i\":\"fa514b51-405f-4f2f-a375-ca24ae77481c\"},\"panelIndex\":\"fa514b51-405f-4f2f-a375-ca24ae77481c\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":0,\"y\":30,\"w\":24,\"h\":20,\"i\":\"4f37a284-5d04-4d97-a27f-36826d134a6f\"},\"panelIndex\":\"4f37a284-5d04-4d97-a27f-36826d134a6f\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":24,\"y\":30,\"w\":24,\"h\":40,\"i\":\"a2ce753a-13c8-4c13-8782-498e57c63d98\"},\"panelIndex\":\"a2ce753a-13c8-4c13-8782-498e57c63d98\",\"embeddableConfig\":{},\"pa
nelRefName\":\"panel_8\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":0,\"y\":50,\"w\":24,\"h\":20,\"i\":\"c7377072-c314-4e11-b024-e8214b88df52\"},\"panelIndex\":\"c7377072-c314-4e11-b024-e8214b88df52\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"2.17.1\",\"gridData\":{\"x\":0,\"y\":70,\"w\":48,\"h\":31,\"i\":\"fc52ef3e-1957-41e3-a0a2-5449a4a14739\"},\"panelIndex\":\"fc52ef3e-1957-41e3-a0a2-5449a4a14739\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"}]",
+ "optionsJSON": "{\"useMargins\":true}",
+ "version": 1,
+ "timeRestore": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"
+ }
+ },
+ "references": [
+ {
+ "name": "panel_0",
+ "type": "visualization",
+ "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3"
+ },
+ {
+ "name": "panel_1",
+ "type": "visualization",
+ "id": "8ad18d90-87ee-11ef-ae18-dbcd34795edb"
+ },
+ {
+ "name": "panel_2",
+ "type": "visualization",
+ "id": "f2ef4cf0-87ee-11ef-ae18-dbcd34795edb"
+ },
+ {
+ "name": "panel_3",
+ "type": "visualization",
+ "id": "16f1e5e0-87ef-11ef-ae18-dbcd34795edb"
+ },
+ {
+ "name": "panel_4",
+ "type": "visualization",
+ "id": "45abdf80-87ef-11ef-ae18-dbcd34795edb"
+ },
+ {
+ "name": "panel_5",
+ "type": "visualization",
+ "id": "4fb477b0-87f1-11ef-ae18-dbcd34795edb"
+ },
+ {
+ "name": "panel_6",
+ "type": "visualization",
+ "id": "46127ea0-87f1-11ef-ae18-dbcd34795edb"
+ },
+ {
+ "name": "panel_7",
+ "type": "visualization",
+ "id": "f6560220-87ef-11ef-ae18-dbcd34795edb"
+ },
+ {
+ "name": "panel_8",
+ "type": "visualization",
+ "id": "95bbefb0-87ef-11ef-ae18-dbcd34795edb"
+ },
+ {
+ "name": "panel_9",
+ "type": "visualization",
+ "id": "0ba78ca0-87f2-11ef-ae18-dbcd34795edb"
+ },
+ {
+ "name": "panel_10",
+ "type": "search",
+ "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb"
+ }
+ ],
+ "migrationVersion": {
+ "dashboard": "7.9.3"
+ }
+ },
+ {
+ "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-10-11T16:19:29.056Z",
+ "version": "WzkxNywxXQ==",
+ "attributes": {
+ "title": "Navigation",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "uiStateJSON": "{}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"
+ }
+ },
+ "references": [],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "8ad18d90-87ee-11ef-ae18-dbcd34795edb",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-10-11T16:33:27.273Z",
+ "version": "WzEwNTQsMV0=",
+ "attributes": {
+ "title": "WebSocket - Log Count",
+ "visState": "{\"title\":\"WebSocket - Log Count\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}}}",
+ "uiStateJSON": "{}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "f2ef4cf0-87ee-11ef-ae18-dbcd34795edb",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-10-11T16:36:21.951Z",
+ "version": "WzEwNTYsMV0=",
+ "attributes": {
+ "title": "WebSocket - Logs Over Time",
+ "visState": "{\"title\":\"WebSocket - Logs Over Time\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"timeRange\":{\"from\":\"2020-09-22T13:59:01.098Z\",\"to\":\"2021-09-08T03:14:05.363Z\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "16f1e5e0-87ef-11ef-ae18-dbcd34795edb",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-10-11T16:37:22.366Z",
+ "version": "WzEwNTgsMV0=",
+ "attributes": {
+ "title": "WebSocket - Source IP",
+ "visState": "{\"title\":\"WebSocket - Source IP\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
+ "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":1,\"direction\":\"desc\"}}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "45abdf80-87ef-11ef-ae18-dbcd34795edb",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-10-11T16:38:40.760Z",
+ "version": "WzEwNTksMV0=",
+ "attributes": {
+ "title": "WebSocket - Destination IP",
+ "visState": "{\"title\":\"WebSocket - Destination IP\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
+ "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":2,\"direction\":\"desc\"}}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "4fb477b0-87f1-11ef-ae18-dbcd34795edb",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-10-11T16:53:50.300Z",
+ "version": "WzEwNjYsMV0=",
+ "attributes": {
+ "title": "WebSocket - Client Extensions",
+ "visState": "{\"title\":\"WebSocket - Client Extensions\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.websocket.client_extensions\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Client Extensions\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
+ "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":1,\"direction\":\"desc\"}}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "46127ea0-87f1-11ef-ae18-dbcd34795edb",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-10-11T16:53:00.426Z",
+ "version": "WzEwNjQsMV0=",
+ "attributes": {
+ "title": "WebSocket - Server Extensions",
+ "visState": "{\"title\":\"WebSocket - Server Extensions\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.websocket.server_extensions\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"-\",\"customLabel\":\"Server Extensions\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
+ "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":1,\"direction\":\"desc\"}}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "f6560220-87ef-11ef-ae18-dbcd34795edb",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-10-11T16:46:03.481Z",
+ "version": "WzEwNjMsMV0=",
+ "attributes": {
+ "title": "WebSocket - Protocols",
+ "visState": "{\"title\":\"WebSocket - Protocols\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.websocket.subprotocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Subprotocol\"},\"schema\":\"bucket\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.websocket.client_protocols\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Client Protocol\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
+ "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":2,\"direction\":\"desc\"}}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"zeek.websocket.subprotocol:* OR zeek.websocket.client_protocol:*\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "95bbefb0-87ef-11ef-ae18-dbcd34795edb",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-10-11T16:40:55.083Z",
+ "version": "WzEwNjAsMV0=",
+ "attributes": {
+ "title": "WebSocket - User Agent Name",
+ "visState": "{\"title\":\"WebSocket - User Agent Name\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"user_agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"User Agent Name\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}",
+ "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "0ba78ca0-87f2-11ef-ae18-dbcd34795edb",
+ "type": "visualization",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-10-11T17:02:11.630Z",
+ "version": "WzEwNjksMV0=",
+ "attributes": {
+ "title": "WebSocket - URI",
+ "visState": "{\"title\":\"WebSocket - URI\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"user_agent.original\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"User Agent\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"related.hosts\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Host\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"url.original\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"URI\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}",
+ "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":5,\"direction\":\"desc\"}}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ },
+ "savedSearchRefName": "search_0"
+ },
+ "references": [
+ {
+ "name": "search_0",
+ "type": "search",
+ "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb"
+ }
+ ],
+ "migrationVersion": {
+ "visualization": "7.10.0"
+ }
+ },
+ {
+ "id": "60aa8990-87ee-11ef-ae18-dbcd34795edb",
+ "type": "search",
+ "namespaces": [
+ "default"
+ ],
+ "updated_at": "2024-10-11T16:32:16.552Z",
+ "version": "WzEwNTMsMV0=",
+ "attributes": {
+ "title": "WebSocket - Logs",
+ "description": "",
+ "hits": 0,
+ "columns": [
+ "source.ip",
+ "destination.ip",
+ "destination.port",
+ "related.hosts",
+ "url.original",
+ "user_agent.original",
+ "zeek.websocket.subprotocol",
+ "zeek.websocket.client_protocols",
+ "zeek.websocket.client_extensions",
+ "zeek.websocket.server_extensions",
+ "event.id"
+ ],
+ "sort": [],
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:websocket\",\"language\":\"kuery\"},\"highlightAll\":false,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"MALCOLM_NETWORK_INDEX_TIME_FIELD_REPLACER\",\"fixed_interval\":\"30d\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ }
+ },
+ "references": [
+ {
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern",
+ "id": "MALCOLM_NETWORK_INDEX_PATTERN_REPLACER"
+ }
+ ],
+ "migrationVersion": {
+ "search": "7.9.3"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/dashboards/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json
index 198595474..5a2a6ba77 100644
--- a/dashboards/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json
+++ b/dashboards/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json
@@ -57,7 +57,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
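Review bot: The WebSocket entry added to the Navigation markdown here is one copy of a visualization that is duplicated verbatim in every dashboard export, and the same edit is repeated in the hunks for bb827f8e-639e-468c-93c8-9f5bc132eb8f.json and bed185a0-ef82-11e9-b38a-2db3ee640e88.json, so any dashboard file this commit does not touch will keep the stale menu without anything flagging it. The new link target `#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb` presumably is the id of the new WebSocket dashboard added in this commit, but that id is not visible in this hunk, so it is worth confirming the target resolves after import. A single source for the Navigation visState (a template expanded at build or import time, or a CI check that all Navigation visStates across dashboards/dashboards/*.json are byte-identical) would prevent the copies drifting apart.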
diff --git a/dashboards/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json b/dashboards/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json
index 1d94d12a9..33a318225 100644
--- a/dashboards/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json
+++ b/dashboards/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json
@@ -107,7 +107,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json b/dashboards/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json
index e5c206731..fc1d849b4 100644
--- a/dashboards/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json
+++ b/dashboards/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json
@@ -72,7 +72,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
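Review bot: The Navigation panel's `visState` is an embedded markdown string copied verbatim into each dashboard JSON, and this hunk (like the identical edits in the bf5efbb0 and c2549e10 hunks below) updates it by hand to add `[WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb)`; any dashboard file missed in such a sweep silently drifts from the others. Consider generating this panel from a single source at build time, or at least adding a CI check that every visualization titled `Navigation` carries a byte-identical `visState`. The link presumably relies on a dashboard saved object with id `b8cf5890-87ed-11ef-ae18-dbcd34795edb` being added elsewhere in this commit; that file is not visible here, so confirm it exists before merge.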
diff --git a/dashboards/dashboards/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48.json b/dashboards/dashboards/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48.json
index b793a3092..04ce976bd 100644
--- a/dashboards/dashboards/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48.json
+++ b/dashboards/dashboards/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48.json
@@ -82,7 +82,7 @@
"version": "WzY5MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json b/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json
index bdafb1f1e..539aa8471 100644
--- a/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json
+++ b/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json
@@ -77,7 +77,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/ca5799a0-56b5-11eb-b749-576de068f8ad.json b/dashboards/dashboards/ca5799a0-56b5-11eb-b749-576de068f8ad.json
index b6215b367..43542d1b8 100644
--- a/dashboards/dashboards/ca5799a0-56b5-11eb-b749-576de068f8ad.json
+++ b/dashboards/dashboards/ca5799a0-56b5-11eb-b749-576de068f8ad.json
@@ -92,7 +92,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json b/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json
index 84da7d3be..cc018dc9c 100644
--- a/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json
+++ b/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json
@@ -102,7 +102,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/d2dd0180-06b1-11ec-8c6b-353266ade330.json b/dashboards/dashboards/d2dd0180-06b1-11ec-8c6b-353266ade330.json
index d0b785710..2d4747a48 100644
--- a/dashboards/dashboards/d2dd0180-06b1-11ec-8c6b-353266ade330.json
+++ b/dashboards/dashboards/d2dd0180-06b1-11ec-8c6b-353266ade330.json
@@ -112,7 +112,7 @@
"version": "WzczOSwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json
index 13b9588c5..f81e16734 100644
--- a/dashboards/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json
+++ b/dashboards/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json
@@ -57,7 +57,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
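Review bot: The new `[WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb)` entry on the `+ "visState"` line links to a saved-object id that is not otherwise visible in this hunk; if the dashboard with that id is not exported alongside this change, the Navigation panel ships a dangling link that fails silently in the UI. The same navigation markdown is duplicated verbatim in the hunks ending at lines 2806 and 2823 (and presumably in every other dashboard file touched by this change), so a review check here is the same check there. Since the whole `visState` string is a single JSON line, a diff cannot show which link changed; a short line in the commit description naming the added link and the new dashboard id would make the change auditable without re-reading every hunk. Keeping the navigation markdown in one source file and generating the per-dashboard copies would prevent the files from drifting apart in future edits.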
diff --git a/dashboards/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json b/dashboards/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json
index f203dc194..0d71c4bfd 100644
--- a/dashboards/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json
+++ b/dashboards/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json
@@ -57,7 +57,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/dd87edd0-796a-11ec-9ce6-b395c1ff58f4.json b/dashboards/dashboards/dd87edd0-796a-11ec-9ce6-b395c1ff58f4.json
index 816986635..58a136fa4 100644
--- a/dashboards/dashboards/dd87edd0-796a-11ec-9ce6-b395c1ff58f4.json
+++ b/dashboards/dashboards/dd87edd0-796a-11ec-9ce6-b395c1ff58f4.json
@@ -107,7 +107,7 @@
"version": "WzgzOCwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json b/dashboards/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json
index 57fd769eb..46b24e2fe 100644
--- a/dashboards/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json
+++ b/dashboards/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json
@@ -57,7 +57,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
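Review bot: The new `visState` is an identical copy of a navigation markdown string that this commit also rewrites in the other dashboard files visible here (e233a570…, e76d05c0…, ed8a6640…), so every future link addition has to be replicated by hand across each saved object and any copy that is missed drifts silently. Consider generating the "Navigation" visualization from a single source file at dashboard-import time, or adding a test that asserts all `"title": "Navigation"` visualizations carry the same `params.markdown` value, so that a partial update fails CI instead of shipping. Also worth confirming that the newly referenced dashboard id `b8cf5890-87ed-11ef-ae18-dbcd34795edb` (the `[WebSocket]` link) is added in the same commit; from this hunk alone it is not possible to tell, and a dangling `#/dashboard/<id>` link simply renders an error page.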
diff --git a/dashboards/dashboards/e233a570-45d9-11ef-96a6-432365601033.json b/dashboards/dashboards/e233a570-45d9-11ef-96a6-432365601033.json
index 082c58868..10c215df4 100644
--- a/dashboards/dashboards/e233a570-45d9-11ef-96a6-432365601033.json
+++ b/dashboards/dashboards/e233a570-45d9-11ef-96a6-432365601033.json
@@ -127,7 +127,7 @@
"version": "Wzg3NywxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json b/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json
index ecfd7f99d..128be831c 100644
--- a/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json
+++ b/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json
@@ -97,7 +97,7 @@
"version": "Wzg2MCwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json
index e5fe54a1a..c4f0415d5 100644
--- a/dashboards/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json
+++ b/dashboards/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json
@@ -47,7 +47,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json b/dashboards/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json
index 6479af002..20b6d2d85 100644
--- a/dashboards/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json
+++ b/dashboards/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json
@@ -137,7 +137,7 @@
"version": "Wzg2MSwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/f394057d-1b16-4174-b994-7045f423a416.json b/dashboards/dashboards/f394057d-1b16-4174-b994-7045f423a416.json
index 1bb8e62d1..2c6e42db1 100644
--- a/dashboards/dashboards/f394057d-1b16-4174-b994-7045f423a416.json
+++ b/dashboards/dashboards/f394057d-1b16-4174-b994-7045f423a416.json
@@ -57,7 +57,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json b/dashboards/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json
index e3aaae309..d12be8426 100644
--- a/dashboards/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json
+++ b/dashboards/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json
@@ -102,7 +102,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json b/dashboards/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json
index 917cc227e..079fc82ff 100644
--- a/dashboards/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json
+++ b/dashboards/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json
@@ -77,7 +77,7 @@
"version": "Wzg3MiwxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/dashboards/dashboards/fa477130-2b8a-11ec-a9f2-3911c8571bfd.json b/dashboards/dashboards/fa477130-2b8a-11ec-a9f2-3911c8571bfd.json
index a5193063e..1b9d541f7 100644
--- a/dashboards/dashboards/fa477130-2b8a-11ec-a9f2-3911c8571bfd.json
+++ b/dashboards/dashboards/fa477130-2b8a-11ec-a9f2-3911c8571bfd.json
@@ -102,7 +102,7 @@
"version": "WzkzNywxXQ==",
"attributes": {
"title": "Navigation",
- "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● 
[NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● 
[S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
+ "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General Network Logs\\n[Overview](#/dashboard/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](#/dashboard/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](#/dashboard/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](#/dashboard/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](#/dashboard/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](#/dashboard/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](#/dashboard/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](#/dashboard/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](#/dashboard/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Known Summary](#/dashboard/89d1cc50-974c-11ed-bb6b-3fb06c879b11) \\n[Zeek Intelligence](#/dashboard/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](#/dashboard/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](#/dashboard/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](#/dashboard/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](#/dashboard/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[Asset Interaction Analysis](#/dashboard/677ee170-809e-11ed-8d5b-07069f823b6f) \\n[↪ NetBox](/netbox/) \\n[↪ Arkime](/arkime/) \\n\\n### Common Protocols\\n[DCE/RPC](#/dashboard/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](#/dashboard/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](#/dashboard/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](#/dashboard/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](#/dashboard/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](#/dashboard/37041ee1-79c0-4684-a436-3173b0e89876) / [WebSocket](#/dashboard/b8cf5890-87ed-11ef-ae18-dbcd34795edb) ● [IRC](#/dashboard/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](#/dashboard/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](#/dashboard/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](#/dashboard/87a32f90-ef58-11e9-974e-9d600036d105) ● 
[MySQL](#/dashboard/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](#/dashboard/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](#/dashboard/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](#/dashboard/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](#/dashboard/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](#/dashboard/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](#/dashboard/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](#/dashboard/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](#/dashboard/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](#/dashboard/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](#/dashboard/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](#/dashboard/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](#/dashboard/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](#/dashboard/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](#/dashboard/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](#/dashboard/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](#/dashboard/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](#/dashboard/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](#/dashboard/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](#/dashboard/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](#/dashboard/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](#/dashboard/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](#/dashboard/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](#/dashboard/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](#/dashboard/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](#/dashboard/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](#/dashboard/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](#/dashboard/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [GE SRTP](#/dashboard/e233a570-45d9-11ef-96a6-432365601033) ● [HART-IP](#/dashboard/3a9e3440-75e2-11ef-8138-03748f839a49) ● [Modbus](#/dashboard/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](#/dashboard/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● 
[PROFINET](#/dashboard/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](#/dashboard/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Synchrophasor](#/dashboard/2cc56240-e460-11ed-a9d5-9f591c284cb4) ● [Best Guess](#/dashboard/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\\n\\n### Malcolm and Third-Party Logs\\n\\nResources: [System Overview](#/dashboard/Metricbeat-system-overview-ecs) / [Host Overview](#/dashboard/79ffd6e0-faa0-11e6-947f-177f697178b8-ecs) ● [Hardware Temperature](#/dashboard/0d4955f0-eb25-11ec-a6d4-b3526526c2c7) ● nginx [Overview](#/dashboard/55a9e6e0-a29e-11e7-928f-5dbe6f6f5519-ecs) / [Access and Error Logs](#/dashboard/046212a0-a2a1-11e7-928f-5dbe6f6f5519-ecs) ● Linux [Journald](#/dashboard/f6600310-9943-11ee-a029-e973f4774355) / [Kernel Messages](#/dashboard/3768ef70-d819-11ee-820d-dd9fd73a3921) ● [Windows Events](#/dashboard/79202ee0-d811-11ee-820d-dd9fd73a3921) ● [Malcolm Sensor File Integrity](#/dashboard/903f42c0-f634-11ec-828d-2fb7a4a26e1f) ● [Malcolm Sensor Audit Logs](#/dashboard/7a7e0a60-e8e8-11ec-b9d4-4569bb965430) ● [Packet Capture Statistics](#/dashboard/4ca94c70-d7da-11ee-9ed3-e7afff29e59a)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}",
"uiStateJSON": "{}",
"description": "",
"version": 1,
diff --git a/shared/bin/opensearch_index_size_prune.py b/dashboards/scripts/opensearch_index_size_prune.py
similarity index 100%
rename from shared/bin/opensearch_index_size_prune.py
rename to dashboards/scripts/opensearch_index_size_prune.py
diff --git a/shared/bin/opensearch_read_only.py b/dashboards/scripts/opensearch_read_only.py
similarity index 100%
rename from shared/bin/opensearch_read_only.py
rename to dashboards/scripts/opensearch_read_only.py
diff --git a/dashboards/scripts/shared-object-creation.sh b/dashboards/scripts/shared-object-creation.sh
index 8f150b5da..bc966504f 100755
--- a/dashboards/scripts/shared-object-creation.sh
+++ b/dashboards/scripts/shared-object-creation.sh
@@ -447,6 +447,14 @@ if [[ "${CREATE_OS_ARKIME_SESSION_INDEX:-true}" = "true" ]] ; then
echo "Creating $DATASTORE_TYPE anomaly detectors..."
+ # If the detectors have never been started before, we need to import the "dummy" one,
+ # but only this first time, not on subsequent runs of this script. We can do that
+ # by checking for the existence of the .opendistro-anomaly-detection-state index.
+ curl "${CURL_CONFIG_PARAMS[@]}" --head --location --fail --silent --output /dev/null \
+ "$OPENSEARCH_URL_TO_USE"/.opendistro-anomaly-detection-state && \
+ DETECTORS_STARTED=1 || \
+ DETECTORS_STARTED=0
+
# Create anomaly detectors here
ANOMALY_IMPORT_DIR="$(mktemp -d -t anomaly-XXXXXX)"
rsync -a /opt/anomaly_detectors/ "$ANOMALY_IMPORT_DIR"/
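Review bot: The `curl --head --fail` probe added just before the `# Create anomaly detectors here` comment sets `DETECTORS_STARTED=0` on any failure, not only on a 404 for the `.opendistro-anomaly-detection-state` index, so a refused connection, an auth error or a 5xx on that single request makes the later dummy-detector import and start/stop/delete cycle run again on a node that is not actually on its first run. Capturing the status code lets the script tell "index absent" from "datastore unavailable": `DETECTORS_STATE_CODE="$(curl "${CURL_CONFIG_PARAMS[@]}" --head --location --silent --output /dev/null -w '%{http_code}' "$OPENSEARCH_URL_TO_USE"/.opendistro-anomaly-detection-state)"` followed by `[[ "$DETECTORS_STATE_CODE" == "404" ]] && DETECTORS_STARTED=0 || DETECTORS_STARTED=1`, with anything other than `200`/`404` reported rather than silently taken as the first-run path. The three-line comment above the probe should also state what the script does when the probe fails for a reason other than a missing index. The enclosing `if [[ "${CREATE_OS_ARKIME_SESSION_INDEX:-true}" = "true" ]]` block starts outside the hunk.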
@@ -470,41 +478,46 @@ if [[ "${CREATE_OS_ARKIME_SESSION_INDEX:-true}" = "true" ]] ; then
# if the file to import is newer than the existing anomaly detector, then update it
if (( $DETECTOR_NEW_UPDATE_TIME > $DETECTOR_EXISTING_UPDATE_TIME )); then
- [[ "$DETECTOR_NAME" != "$DUMMY_DETECTOR_NAME" ]] && \
- echo "Importing detector \"${DETECTOR_NAME}\" ($DETECTOR_NEW_UPDATE_TIME > $DETECTOR_EXISTING_UPDATE_TIME) ..."
- curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" --location --silent --output /dev/null --show-error \
- -XPOST "$OPENSEARCH_URL_TO_USE/_plugins/_anomaly_detection/detectors" \
- -H "$XSRF_HEADER:true" -H 'Content-type:application/json' \
- -d "@$i"
+
+ # Import the anomaly detector
+ ( [[ $DETECTORS_STARTED == 0 ]] || [[ "$DETECTOR_NAME" != "$DUMMY_DETECTOR_NAME" ]] ) && \
+ echo "Importing detector \"${DETECTOR_NAME}\" ($DETECTOR_NEW_UPDATE_TIME > $DETECTOR_EXISTING_UPDATE_TIME) ..." && \
+ curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" --location --silent --output /dev/null --show-error \
+ -XPOST "$OPENSEARCH_URL_TO_USE/_plugins/_anomaly_detection/detectors" \
+ -H "$XSRF_HEADER:true" -H 'Content-type:application/json' \
+ -d "@$i"
fi
done
rm -rf "${ANOMALY_IMPORT_DIR}"
- # trigger a start/stop for the dummy detector to make sure the .opendistro-anomaly-detection-state index gets created
+ # Trigger a start/stop for the dummy detector to make sure the .opendistro-anomaly-detection-state index gets created
# see:
# - https://github.com/opensearch-project/anomaly-detection-dashboards-plugin/issues/109
# - https://github.com/opensearch-project/anomaly-detection-dashboards-plugin/issues/155
# - https://github.com/opensearch-project/anomaly-detection-dashboards-plugin/issues/156
# - https://discuss.opendistrocommunity.dev/t/errors-opening-anomaly-detection-plugin-for-dashboards-after-creation-via-api/7711
- set +e
- DUMMY_DETECTOR_ID=""
- until [[ -n "$DUMMY_DETECTOR_ID" ]]; do
- sleep 5
- DUMMY_DETECTOR_ID="$(curl "${CURL_CONFIG_PARAMS[@]}" --location --fail --silent -XPOST "$OPENSEARCH_URL_TO_USE/_plugins/_anomaly_detection/detectors/_search" -H "$XSRF_HEADER:true" -H 'Content-type:application/json' -d "{ \"query\": { \"match\": { \"name\": \"$DUMMY_DETECTOR_NAME\" } } }" | jq '.. | ._id? // empty' 2>/dev/null | head -n 1 | tr -d '"')"
- done
- set -e
- if [[ -n "$DUMMY_DETECTOR_ID" ]]; then
- curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" --location --silent --output /dev/null --show-error -XPOST \
- "$OPENSEARCH_URL_TO_USE/_plugins/_anomaly_detection/detectors/$DUMMY_DETECTOR_ID/_start" \
- -H "$XSRF_HEADER:true" -H 'Content-type:application/json'
- sleep 10
- curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" --location --silent --output /dev/null --show-error \
- -XPOST "$OPENSEARCH_URL_TO_USE/_plugins/_anomaly_detection/detectors/$DUMMY_DETECTOR_ID/_stop" \
- -H "$XSRF_HEADER:true" -H 'Content-type:application/json'
- sleep 10
- curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" --location --silent --output /dev/null --show-error \
- -XDELETE "$OPENSEARCH_URL_TO_USE/_plugins/_anomaly_detection/detectors/$DUMMY_DETECTOR_ID" \
- -H "$XSRF_HEADER:true" -H 'Content-type:application/json'
+ if [[ $DETECTORS_STARTED == 0 ]]; then
+ set +e
+ DUMMY_DETECTOR_ID=""
+ until [[ -n "$DUMMY_DETECTOR_ID" ]]; do
+ sleep 5
+ DUMMY_DETECTOR_ID="$(curl "${CURL_CONFIG_PARAMS[@]}" --location --fail --silent -XPOST "$OPENSEARCH_URL_TO_USE/_plugins/_anomaly_detection/detectors/_search" -H "$XSRF_HEADER:true" -H 'Content-type:application/json' -d "{ \"query\": { \"match\": { \"name\": \"$DUMMY_DETECTOR_NAME\" } } }" | jq '.. | ._id? // empty' 2>/dev/null | head -n 1 | tr -d '"')"
+ done
+ set -e
+ if [[ -n "$DUMMY_DETECTOR_ID" ]]; then
+ echo "Starting $DUMMY_DETECTOR_NAME to initialize anomaly detector engine..."
+ curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" --location --silent --output /dev/null --show-error -XPOST \
+ "$OPENSEARCH_URL_TO_USE/_plugins/_anomaly_detection/detectors/$DUMMY_DETECTOR_ID/_start" \
+ -H "$XSRF_HEADER:true" -H 'Content-type:application/json'
+ sleep 10
+ curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" --location --silent --output /dev/null --show-error \
+ -XPOST "$OPENSEARCH_URL_TO_USE/_plugins/_anomaly_detection/detectors/$DUMMY_DETECTOR_ID/_stop" \
+ -H "$XSRF_HEADER:true" -H 'Content-type:application/json'
+ sleep 10
+ curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" --location --silent --output /dev/null --show-error \
+ -XDELETE "$OPENSEARCH_URL_TO_USE/_plugins/_anomaly_detection/detectors/$DUMMY_DETECTOR_ID" \
+ -H "$XSRF_HEADER:true" -H 'Content-type:application/json'
+ fi
fi
echo "$DATASTORE_TYPE anomaly detectors creation complete!"
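Review bot: The `until` loop now wrapped in `if [[ $DETECTORS_STARTED == 0 ]]` still has no bound: it polls `_search` every five seconds until an `_id` appears, and because the import `curl` higher in the hunk runs without `--fail` and sends the response body to `/dev/null`, an import the server rejects leaves the script sleeping forever with `set +e` active. With the new gating this block runs exactly when the import was attempted in the same run, so a bounded retry would turn that into a visible failure: `DUMMY_DETECTOR_TRIES=0` before the loop and `until [[ -n "$DUMMY_DETECTOR_ID" ]] || (( ++DUMMY_DETECTOR_TRIES > 24 )); do` as its header (limit illustrative); the existing `if [[ -n "$DUMMY_DETECTOR_ID" ]]` already skips start/stop/delete when no ID was found. The loop is carried over from the removed block, so the issue is pre-existing rather than introduced here. The `# Import the anomaly detector` comment could also say that the dummy detector is imported only when `$DETECTORS_STARTED == 0` and is deleted again at the end of this block. The enclosing `for` loop and `if` block start outside the hunk.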
diff --git a/dashboards/templates/composable/component/zeek.json b/dashboards/templates/composable/component/zeek.json
index 1c8b30860..83b43e30e 100644
--- a/dashboards/templates/composable/component/zeek.json
+++ b/dashboards/templates/composable/component/zeek.json
@@ -611,6 +611,13 @@
"zeek.tunnel.action": { "type": "keyword" },
"zeek.tunnel.tunnel_type": { "type": "keyword" },
"zeek.uid": { "type": "keyword" },
+ "zeek.websocket.host": { "type": "keyword" },
+ "zeek.websocket.uri": { "type": "keyword", "ignore_above": 16384, "fields": { "text": { "type": "text" } } },
+ "zeek.websocket.user_agent": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
+ "zeek.websocket.subprotocol": { "type": "keyword" },
+ "zeek.websocket.client_protocols": { "type": "keyword" },
+ "zeek.websocket.server_extensions": { "type": "keyword" },
+ "zeek.websocket.client_extensions": { "type": "keyword" },
"zeek.weird.addl": { "type": "keyword", "doc_values": false, "ignore_above": 16384, "fields": { "text": { "type": "text", "norms": false } } },
"zeek.weird.notice": { "type": "keyword" },
"zeek.weird.source": { "type": "keyword" },
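Review bot: Four of the new keyword fields — `zeek.websocket.host`, `zeek.websocket.client_protocols`, `zeek.websocket.server_extensions` and `zeek.websocket.client_extensions` — have no `ignore_above`, while `zeek.websocket.uri`, `zeek.websocket.user_agent` and the neighbouring `zeek.weird.addl` all cap theirs. These values presumably come from the WebSocket upgrade handshake of captured traffic, so one oversized header from an untrusted client would exceed the keyword term-length limit and cause the whole log document to be rejected at index time. Adding a cap consistent with the other entries, e.g. `"zeek.websocket.host": { "type": "keyword", "ignore_above": 1024 },` (limit illustrative) for each of the four, keeps a single malformed record from dropping the log line.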
diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml
index 845c98cf2..bada0e073 100644
--- a/docker-compose-dev.yml
+++ b/docker-compose-dev.yml
@@ -5,7 +5,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/opensearch.Dockerfile
- image: ghcr.io/idaholab/malcolm/opensearch:24.10.0
+ image: ghcr.io/idaholab/malcolm/opensearch:24.10.1
# Technically the "hedgehog" profile doesn't have OpenSearch, but in that case
# OPENSEARCH_PRIMARY will be set to remote, which means the container will
# start but not actually run OpenSearch. It's included in both profiles to
@@ -83,7 +83,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/dashboards-helper.Dockerfile
- image: ghcr.io/idaholab/malcolm/dashboards-helper:24.10.0
+ image: ghcr.io/idaholab/malcolm/dashboards-helper:24.10.1
profiles: ["malcolm"]
userns_mode: keep-id
logging:
@@ -137,7 +137,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/dashboards.Dockerfile
- image: ghcr.io/idaholab/malcolm/dashboards:24.10.0
+ image: ghcr.io/idaholab/malcolm/dashboards:24.10.1
profiles: ["malcolm"]
userns_mode: keep-id
logging:
@@ -184,7 +184,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/logstash.Dockerfile
- image: ghcr.io/idaholab/malcolm/logstash-oss:24.10.0
+ image: ghcr.io/idaholab/malcolm/logstash-oss:24.10.1
profiles: ["malcolm"]
userns_mode: keep-id
logging:
@@ -299,7 +299,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/filebeat.Dockerfile
- image: ghcr.io/idaholab/malcolm/filebeat-oss:24.10.0
+ image: ghcr.io/idaholab/malcolm/filebeat-oss:24.10.1
profiles: ["malcolm", "hedgehog"]
userns_mode: keep-id
logging:
@@ -376,7 +376,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/arkime.Dockerfile
- image: ghcr.io/idaholab/malcolm/arkime:24.10.0
+ image: ghcr.io/idaholab/malcolm/arkime:24.10.1
profiles: ["malcolm", "hedgehog"]
userns_mode: keep-id
logging:
@@ -462,7 +462,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/arkime.Dockerfile
- image: ghcr.io/idaholab/malcolm/arkime:24.10.0
+ image: ghcr.io/idaholab/malcolm/arkime:24.10.1
profiles: ["malcolm", "hedgehog"]
userns_mode: keep-id
logging:
@@ -547,7 +547,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/zeek.Dockerfile
- image: ghcr.io/idaholab/malcolm/zeek:24.10.0
+ image: ghcr.io/idaholab/malcolm/zeek:24.10.1
profiles: ["malcolm", "hedgehog"]
userns_mode: keep-id
logging:
@@ -620,7 +620,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/zeek.Dockerfile
- image: ghcr.io/idaholab/malcolm/zeek:24.10.0
+ image: ghcr.io/idaholab/malcolm/zeek:24.10.1
profiles: ["malcolm", "hedgehog"]
userns_mode: keep-id
logging:
@@ -685,7 +685,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/suricata.Dockerfile
- image: ghcr.io/idaholab/malcolm/suricata:24.10.0
+ image: ghcr.io/idaholab/malcolm/suricata:24.10.1
profiles: ["malcolm", "hedgehog"]
userns_mode: keep-id
logging:
@@ -745,7 +745,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/suricata.Dockerfile
- image: ghcr.io/idaholab/malcolm/suricata:24.10.0
+ image: ghcr.io/idaholab/malcolm/suricata:24.10.1
profiles: ["malcolm", "hedgehog"]
userns_mode: keep-id
logging:
@@ -803,7 +803,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/file-monitor.Dockerfile
- image: ghcr.io/idaholab/malcolm/file-monitor:24.10.0
+ image: ghcr.io/idaholab/malcolm/file-monitor:24.10.1
profiles: ["malcolm", "hedgehog"]
userns_mode: keep-id
logging:
@@ -859,7 +859,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/pcap-capture.Dockerfile
- image: ghcr.io/idaholab/malcolm/pcap-capture:24.10.0
+ image: ghcr.io/idaholab/malcolm/pcap-capture:24.10.1
profiles: ["malcolm", "hedgehog"]
userns_mode: keep-id
logging:
@@ -906,7 +906,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/pcap-monitor.Dockerfile
- image: ghcr.io/idaholab/malcolm/pcap-monitor:24.10.0
+ image: ghcr.io/idaholab/malcolm/pcap-monitor:24.10.1
profiles: ["malcolm", "hedgehog"]
userns_mode: keep-id
logging:
@@ -961,7 +961,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/file-upload.Dockerfile
- image: ghcr.io/idaholab/malcolm/file-upload:24.10.0
+ image: ghcr.io/idaholab/malcolm/file-upload:24.10.1
profiles: ["malcolm"]
userns_mode: keep-id
logging:
@@ -1003,7 +1003,7 @@ services:
retries: 3
start_period: 60s
htadmin:
- image: ghcr.io/idaholab/malcolm/htadmin:24.10.0
+ image: ghcr.io/idaholab/malcolm/htadmin:24.10.1
profiles: ["malcolm"]
userns_mode: keep-id
logging:
@@ -1056,7 +1056,7 @@ services:
retries: 3
start_period: 60s
freq:
- image: ghcr.io/idaholab/malcolm/freq:24.10.0
+ image: ghcr.io/idaholab/malcolm/freq:24.10.1
profiles: ["malcolm"]
userns_mode: keep-id
logging:
@@ -1094,7 +1094,7 @@ services:
retries: 3
start_period: 60s
netbox:
- image: ghcr.io/idaholab/malcolm/netbox:24.10.0
+ image: ghcr.io/idaholab/malcolm/netbox:24.10.1
profiles: ["malcolm"]
userns_mode: keep-id
logging:
@@ -1161,7 +1161,7 @@ services:
retries: 3
start_period: 120s
netbox-postgres:
- image: ghcr.io/idaholab/malcolm/postgresql:24.10.0
+ image: ghcr.io/idaholab/malcolm/postgresql:24.10.1
profiles: ["malcolm"]
userns_mode: keep-id
logging:
@@ -1205,7 +1205,7 @@ services:
retries: 3
start_period: 45s
netbox-redis:
- image: ghcr.io/idaholab/malcolm/redis:24.10.0
+ image: ghcr.io/idaholab/malcolm/redis:24.10.1
profiles: ["malcolm"]
userns_mode: keep-id
logging:
@@ -1253,7 +1253,7 @@ services:
retries: 3
start_period: 45s
netbox-redis-cache:
- image: ghcr.io/idaholab/malcolm/redis:24.10.0
+ image: ghcr.io/idaholab/malcolm/redis:24.10.1
profiles: ["malcolm"]
userns_mode: keep-id
logging:
@@ -1296,7 +1296,7 @@ services:
retries: 3
start_period: 45s
api:
- image: ghcr.io/idaholab/malcolm/api:24.10.0
+ image: ghcr.io/idaholab/malcolm/api:24.10.1
profiles: ["malcolm"]
userns_mode: keep-id
logging:
@@ -1318,6 +1318,7 @@ services:
env_file:
- ./config/process.env
- ./config/ssl.env
+ - ./config/upload-common.env
- ./config/dashboards.env
- ./config/opensearch.env
environment:
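Review bot: It is not visible from this hunk which variables in `./config/upload-common.env` the `api` service needs, and with `env_file` every variable in that file is exported into the container; the same addition appears in the `docker-compose.yml` hunk further down. If the file carries anything beyond the upload settings the API consumes (for example values used only by the `upload` service), those become readable inside the `api` container, so it is worth confirming the file holds only what `api` reads. A one-line comment above the entry would document the dependency, e.g. `# upload-common.env: shared upload settings read by the API`.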
@@ -1345,7 +1346,7 @@ services:
build:
context: .
dockerfile: Dockerfiles/nginx.Dockerfile
- image: ghcr.io/idaholab/malcolm/nginx-proxy:24.10.0
+ image: ghcr.io/idaholab/malcolm/nginx-proxy:24.10.1
profiles: ["malcolm"]
userns_mode: keep-id
logging:
diff --git a/docker-compose.yml b/docker-compose.yml
index b2260d162..8bfaae622 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,7 +2,7 @@
services:
opensearch:
- image: ghcr.io/idaholab/malcolm/opensearch:24.10.0
+ image: ghcr.io/idaholab/malcolm/opensearch:24.10.1
# Technically the "hedgehog" profile doesn't have OpenSearch, but in that case
# OPENSEARCH_PRIMARY will be set to remote, which means the container will
# start but not actually run OpenSearch. It's included in both profiles to
@@ -77,7 +77,7 @@ services:
retries: 3
start_period: 180s
dashboards-helper:
- image: ghcr.io/idaholab/malcolm/dashboards-helper:24.10.0
+ image: ghcr.io/idaholab/malcolm/dashboards-helper:24.10.1
profiles: ["malcolm"]
userns_mode: keep-id
logging:
@@ -128,7 +128,7 @@ services:
retries: 3
start_period: 30s
dashboards:
- image: ghcr.io/idaholab/malcolm/dashboards:24.10.0
+ image: ghcr.io/idaholab/malcolm/dashboards:24.10.1
profiles: ["malcolm"]
userns_mode: keep-id
logging:
@@ -172,7 +172,7 @@ services:
retries: 3
start_period: 210s
logstash:
- image: ghcr.io/idaholab/malcolm/logstash-oss:24.10.0
+ image: ghcr.io/idaholab/malcolm/logstash-oss:24.10.1
profiles: ["malcolm"]
userns_mode: keep-id
logging:
@@ -260,7 +260,7 @@ services:
retries: 3
start_period: 600s
filebeat:
- image: ghcr.io/idaholab/malcolm/filebeat-oss:24.10.0
+ image: ghcr.io/idaholab/malcolm/filebeat-oss:24.10.1
profiles: ["malcolm", "hedgehog"]
userns_mode: keep-id
logging:
@@ -334,7 +334,7 @@ services:
retries: 3
start_period: 60s
arkime:
- image: ghcr.io/idaholab/malcolm/arkime:24.10.0
+ image: ghcr.io/idaholab/malcolm/arkime:24.10.1
profiles: ["malcolm", "hedgehog"]
userns_mode: keep-id
logging:
@@ -399,7 +399,7 @@ services:
retries: 3
start_period: 210s
arkime-live:
- image: ghcr.io/idaholab/malcolm/arkime:24.10.0
+ image: ghcr.io/idaholab/malcolm/arkime:24.10.1
profiles: ["malcolm", "hedgehog"]
userns_mode: keep-id
logging:
@@ -463,7 +463,7 @@ services:
source: ./pcap
target: /data/pcap
zeek:
- image: ghcr.io/idaholab/malcolm/zeek:24.10.0
+ image: ghcr.io/idaholab/malcolm/zeek:24.10.1
profiles: ["malcolm", "hedgehog"]
userns_mode: keep-id
logging:
@@ -527,7 +527,7 @@ services:
retries: 3
start_period: 60s
zeek-live:
- image: ghcr.io/idaholab/malcolm/zeek:24.10.0
+ image: ghcr.io/idaholab/malcolm/zeek:24.10.1
profiles: ["malcolm", "hedgehog"]
userns_mode: keep-id
logging:
@@ -583,7 +583,7 @@ services:
target: /opt/zeek/share/zeek/site/custom
read_only: true
suricata:
- image: ghcr.io/idaholab/malcolm/suricata:24.10.0
+ image: ghcr.io/idaholab/malcolm/suricata:24.10.1
profiles: ["malcolm", "hedgehog"]
userns_mode: keep-id
logging:
@@ -640,7 +640,7 @@ services:
retries: 3
start_period: 120s
suricata-live:
- image: ghcr.io/idaholab/malcolm/suricata:24.10.0
+ image: ghcr.io/idaholab/malcolm/suricata:24.10.1
profiles: ["malcolm", "hedgehog"]
userns_mode: keep-id
logging:
@@ -695,7 +695,7 @@ services:
target: /opt/suricata/include-configs
read_only: true
file-monitor:
- image: ghcr.io/idaholab/malcolm/file-monitor:24.10.0
+ image: ghcr.io/idaholab/malcolm/file-monitor:24.10.1
profiles: ["malcolm", "hedgehog"]
userns_mode: keep-id
logging:
@@ -748,7 +748,7 @@ services:
retries: 3
start_period: 60s
pcap-capture:
- image: ghcr.io/idaholab/malcolm/pcap-capture:24.10.0
+ image: ghcr.io/idaholab/malcolm/pcap-capture:24.10.1
profiles: ["malcolm", "hedgehog"]
userns_mode: keep-id
logging:
@@ -792,7 +792,7 @@ services:
source: ./pcap/upload
target: /pcap
pcap-monitor:
- image: ghcr.io/idaholab/malcolm/pcap-monitor:24.10.0
+ image: ghcr.io/idaholab/malcolm/pcap-monitor:24.10.1
profiles: ["malcolm", "hedgehog"]
userns_mode: keep-id
logging:
@@ -844,7 +844,7 @@ services:
retries: 3
start_period: 90s
upload:
- image: ghcr.io/idaholab/malcolm/file-upload:24.10.0
+ image: ghcr.io/idaholab/malcolm/file-upload:24.10.1
profiles: ["malcolm"]
userns_mode: keep-id
logging:
@@ -886,7 +886,7 @@ services:
retries: 3
start_period: 60s
htadmin:
- image: ghcr.io/idaholab/malcolm/htadmin:24.10.0
+ image: ghcr.io/idaholab/malcolm/htadmin:24.10.1
profiles: ["malcolm"]
userns_mode: keep-id
logging:
@@ -936,7 +936,7 @@ services:
retries: 3
start_period: 60s
freq:
- image: ghcr.io/idaholab/malcolm/freq:24.10.0
+ image: ghcr.io/idaholab/malcolm/freq:24.10.1
profiles: ["malcolm"]
userns_mode: keep-id
logging:
@@ -971,7 +971,7 @@ services:
retries: 3
start_period: 60s
netbox:
- image: ghcr.io/idaholab/malcolm/netbox:24.10.0
+ image: ghcr.io/idaholab/malcolm/netbox:24.10.1
profiles: ["malcolm"]
userns_mode: keep-id
logging:
@@ -1035,7 +1035,7 @@ services:
retries: 3
start_period: 120s
netbox-postgres:
- image: ghcr.io/idaholab/malcolm/postgresql:24.10.0
+ image: ghcr.io/idaholab/malcolm/postgresql:24.10.1
profiles: ["malcolm"]
userns_mode: keep-id
logging:
@@ -1076,7 +1076,7 @@ services:
retries: 3
start_period: 45s
netbox-redis:
- image: ghcr.io/idaholab/malcolm/redis:24.10.0
+ image: ghcr.io/idaholab/malcolm/redis:24.10.1
profiles: ["malcolm"]
userns_mode: keep-id
logging:
@@ -1121,7 +1121,7 @@ services:
retries: 3
start_period: 45s
netbox-redis-cache:
- image: ghcr.io/idaholab/malcolm/redis:24.10.0
+ image: ghcr.io/idaholab/malcolm/redis:24.10.1
profiles: ["malcolm"]
userns_mode: keep-id
logging:
@@ -1161,7 +1161,7 @@ services:
retries: 3
start_period: 45s
api:
- image: ghcr.io/idaholab/malcolm/api:24.10.0
+ image: ghcr.io/idaholab/malcolm/api:24.10.1
profiles: ["malcolm"]
userns_mode: keep-id
logging:
@@ -1180,6 +1180,7 @@ services:
env_file:
- ./config/process.env
- ./config/ssl.env
+ - ./config/upload-common.env
- ./config/dashboards.env
- ./config/opensearch.env
environment:
@@ -1204,7 +1205,7 @@ services:
retries: 3
start_period: 60s
nginx-proxy:
- image: ghcr.io/idaholab/malcolm/nginx-proxy:24.10.0
+ image: ghcr.io/idaholab/malcolm/nginx-proxy:24.10.1
profiles: ["malcolm"]
userns_mode: keep-id
logging:
diff --git a/docs/README.md b/docs/README.md
index f3880aa0f..a7004736c 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -148,4 +148,5 @@ Malcolm can also easily be deployed locally on an ordinary consumer workstation
- [OpenSearch Dashboards](contributing-dashboards.md#dashboards)
- [Carved file scanners](contributing-file-scanners.md#Scanners)
- [Style](contributing-style.md#Style)
- - [Using GitHub runners to build Malcolm images](contributing-github-runners.md#GitHubRunners)
\ No newline at end of file
+ - [Using GitHub runners to build Malcolm images](contributing-github-runners.md#GitHubRunners)
+ - [Preparing a Malcolm Release](contributing-release-prep.md)
\ No newline at end of file
diff --git a/docs/api-ready.md b/docs/api-ready.md
new file mode 100644
index 000000000..31d6f8a55
--- /dev/null
+++ b/docs/api-ready.md
@@ -0,0 +1,24 @@
+# Malcolm Services Readiness Status
+
+`GET` - /mapi/ready
+
+Returns `true` or `false` indicating the readiness status of various Malcolm services. Generally speaking, Malcolm is ready to begin processing traffic when the `opensearch`, `pcap_monitor`, `logstash_lumberjack`, and `logstash_pipelines` services are `true`.
+
+**Example output:**
+
+```json
+{
+ "arkime": true,
+ "dashboards": true,
+ "dashboards_maps": true,
+ "filebeat_tcp": false,
+ "freq": true,
+ "logstash_lumberjack": true,
+ "logstash_pipelines": true,
+ "netbox": true,
+ "opensearch": true,
+ "pcap_monitor": true,
+ "zeek_extracted_file_logger": true,
+ "zeek_extracted_file_monitor": true
+}
+```
diff --git a/docs/api-version.md b/docs/api-version.md
index 0c0fefe76..2ebe0e921 100644
--- a/docs/api-version.md
+++ b/docs/api-version.md
@@ -49,6 +49,6 @@ Returns version information about Malcolm and version/[health](https://opensearc
}
},
"sha": "dad18b1",
- "version": "24.10.0"
+ "version": "24.10.1"
}
```
diff --git a/docs/api.md b/docs/api.md
index 3de995e6d..16c72ee8c 100644
--- a/docs/api.md
+++ b/docs/api.md
@@ -6,6 +6,7 @@
* [Fields](api-fields.md)
* [Indices](api-indices.md)
* [Ping](api-ping.md)
+* [Ready](api-ready.md)
* [Version](api-version.md)
* [Examples](api-examples.md)
diff --git a/docs/contributing-github-runners.md b/docs/contributing-github-runners.md
index 256ea8ba9..80a25eea3 100644
--- a/docs/contributing-github-runners.md
+++ b/docs/contributing-github-runners.md
@@ -104,7 +104,7 @@ Each container build workflow actually runs two paths in parallel: one for build
## Convenience scripts for development
-As mentioned earlier, Malcolm images built using the instructions in this document are are named according to the pattern `ghcr.io/username/malcolm/image:branch`. However, note that the `image:` values found in [`docker-compose.yml`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/docker-compose.yml) (and in the [Kubernetes](kubernetes.md#Kubernetes) [manifests]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/kubernetes/)) look like `ghcr.io/idaholab/malcolm/opensearch:24.10.0`, using the OpenSearch container as an example. To run a local instance of Malcolm using these images instead of the official `ghcr.io/idaholab` ones, users will need to edit their `docker-compose.yml` file(s) and replace the `image:` tags according to this new pattern, or use the bash helper script [`./scripts/github_image_helper.sh`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/scripts/github_image_helper.sh) to pull the repository images and re-tag them with `ghcr.io/idaholab` and the current Malcolm version (e.g., `24.10.0`).
+As mentioned earlier, Malcolm images built using the instructions in this document are are named according to the pattern `ghcr.io/username/malcolm/image:branch`. However, note that the `image:` values found in [`docker-compose.yml`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/docker-compose.yml) (and in the [Kubernetes](kubernetes.md#Kubernetes) [manifests]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/kubernetes/)) look like `ghcr.io/idaholab/malcolm/opensearch:24.10.1`, using the OpenSearch container as an example. To run a local instance of Malcolm using these images instead of the official `ghcr.io/idaholab` ones, users will need to edit their `docker-compose.yml` file(s) and replace the `image:` tags according to this new pattern, or use the bash helper script [`./scripts/github_image_helper.sh`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/scripts/github_image_helper.sh) to pull the repository images and re-tag them with `ghcr.io/idaholab` and the current Malcolm version (e.g., `24.10.1`).
Before explaining that script, a discussion of the workflow files for the [Hedgehog Linux](live-analysis.md#Hedgehog) ([hedgehog-iso-build-docker-wrap-push-ghcr.yml
]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml)) and [Malcolm](malcolm-iso.md#ISO) ([malcolm-iso-build-docker-wrap-push-ghcr.yml
@@ -141,9 +141,9 @@ These menu options are described below:
3. GithubTriggerPackagesBuild
* This option will trigger a [repository dispatch](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#repository_dispatch) via the [GitHub API](https://docs.github.com/en/rest/actions/workflows?apiVersion=2022-11-28#create-a-workflow-dispatch-event) using `curl`. In order for this operation to work, an environment variable named `GITHUB_OAUTH_TOKEN` must be defined containing a [personal access token](https://docs.github.com/en/rest/authentication/authenticating-to-the-rest-api?apiVersion=2022-11-28#basic-authentication) created for your GitHub user account with the "Actions (write)" repository permission.
4. PullAndTagGithubWorkflowImages
- * This option will pull latest Malcolm container images (excluding the installer ISO wrapper container images) from ghcr.io for the user's Malcolm fork, and re-tag them with `ghcr.io/idaholab` and the current Malcolm version (e.g., `24.10.0`) so that they may be run without modifying the local `docker-compose.yml` file. This is probably the option users will select most often. Note that this is different from the action performed in steps 1 and 0 above: this pulls the images directly from the container registry, it does **not** extract them from the Malcolm installer ISO wrapper container image.
+ * This option will pull latest Malcolm container images (excluding the installer ISO wrapper container images) from ghcr.io for the user's Malcolm fork, and re-tag them with `ghcr.io/idaholab` and the current Malcolm version (e.g., `24.10.1`) so that they may be run without modifying the local `docker-compose.yml` file. This is probably the option users will select most often. Note that this is different from the action performed in steps 1 and 0 above: this pulls the images directly from the container registry, it does **not** extract them from the Malcolm installer ISO wrapper container image.
5. PullAndTagGithubWorkflowISOImages
- * This option will pull latest Malcolm installer ISO wrapper container images from ghcr.io for the user's Malcolm fork, and re-tag them with `ghcr.io/idaholab` and the current Malcolm version (e.g., `24.10.0`).
+ * This option will pull latest Malcolm installer ISO wrapper container images from ghcr.io for the user's Malcolm fork, and re-tag them with `ghcr.io/idaholab` and the current Malcolm version (e.g., `24.10.1`).
The script can also be run non-interactively by specifying the option number on the command line (e.g., `./scripts/github_image_helper.sh 4`).
@@ -182,7 +182,7 @@ $ ./scripts/github_image_helper.sh
5 PullAndTagGithubWorkflowISOImages
Operation:4
PullAndTagGithubWorkflowImages
-Pulling images from ghcr.io/romeogdetlevjr (main) and tagging as 24.10.0...
+Pulling images from ghcr.io/romeogdetlevjr (main) and tagging as 24.10.1...
main: Pulling from romeogdetlevjr/malcolm/api
Digest: sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Status: Image is up to date for ghcr.io/romeogdetlevjr/malcolm/api:main
@@ -196,46 +196,46 @@ ghcr.io/romeogdetlevjr/malcolm/zeek:main
xxxxxxxxxxxx: Pull complete
```
-Verify that the images were pulled. Note that users will see two tags for each image: one tagged with the username and branch (e.g., `ghcr.io/romeogdetlevjr/malcolm/api:main`) and another tagged with `ghcr.io/idaholab` and the Malcolm version (e.g., `ghcr.io/idaholab/malcolm/api:24.10.0`).
+Verify that the images were pulled. Note that users will see two tags for each image: one tagged with the username and branch (e.g., `ghcr.io/romeogdetlevjr/malcolm/api:main`) and another tagged with `ghcr.io/idaholab` and the Malcolm version (e.g., `ghcr.io/idaholab/malcolm/api:24.10.1`).
```bash
$ docker images | grep romeogdetlevjr/malcolm
-ghcr.io/idaholab/malcolm/zeek 24.10.0 xxxxxxxxxxxx 10 minutes ago 1.39GB
+ghcr.io/idaholab/malcolm/zeek 24.10.1 xxxxxxxxxxxx 10 minutes ago 1.39GB
ghcr.io/romeogdetlevjr/malcolm/zeek main xxxxxxxxxxxx 10 minutes ago 1.39GB
-ghcr.io/idaholab/malcolm/dashboards 24.10.0 xxxxxxxxxxxx 13 minutes ago 1.55GB
+ghcr.io/idaholab/malcolm/dashboards 24.10.1 xxxxxxxxxxxx 13 minutes ago 1.55GB
ghcr.io/romeogdetlevjr/malcolm/dashboards main xxxxxxxxxxxx 13 minutes ago 1.55GB
-ghcr.io/idaholab/malcolm/suricata 24.10.0 xxxxxxxxxxxx 14 minutes ago 339MB
+ghcr.io/idaholab/malcolm/suricata 24.10.1 xxxxxxxxxxxx 14 minutes ago 339MB
ghcr.io/romeogdetlevjr/malcolm/suricata main xxxxxxxxxxxx 14 minutes ago 339MB
-ghcr.io/idaholab/malcolm/file-monitor 24.10.0 xxxxxxxxxxxx 15 minutes ago 712MB
+ghcr.io/idaholab/malcolm/file-monitor 24.10.1 xxxxxxxxxxxx 15 minutes ago 712MB
ghcr.io/romeogdetlevjr/malcolm/file-monitor main xxxxxxxxxxxx 15 minutes ago 712MB
-ghcr.io/idaholab/malcolm/redis 24.10.0 xxxxxxxxxxxx 15 minutes ago 55.4MB
+ghcr.io/idaholab/malcolm/redis 24.10.1 xxxxxxxxxxxx 15 minutes ago 55.4MB
ghcr.io/romeogdetlevjr/malcolm/redis main xxxxxxxxxxxx 15 minutes ago 55.4MB
-ghcr.io/idaholab/malcolm/nginx-proxy 24.10.0 xxxxxxxxxxxx 16 minutes ago 160MB
+ghcr.io/idaholab/malcolm/nginx-proxy 24.10.1 xxxxxxxxxxxx 16 minutes ago 160MB
ghcr.io/romeogdetlevjr/malcolm/nginx-proxy main xxxxxxxxxxxx 16 minutes ago 160MB
-ghcr.io/idaholab/malcolm/pcap-capture 24.10.0 xxxxxxxxxxxx 16 minutes ago 137MB
+ghcr.io/idaholab/malcolm/pcap-capture 24.10.1 xxxxxxxxxxxx 16 minutes ago 137MB
ghcr.io/romeogdetlevjr/malcolm/pcap-capture main xxxxxxxxxxxx 16 minutes ago 137MB
-ghcr.io/idaholab/malcolm/htadmin 24.10.0 xxxxxxxxxxxx 16 minutes ago 246MB
+ghcr.io/idaholab/malcolm/htadmin 24.10.1 xxxxxxxxxxxx 16 minutes ago 246MB
ghcr.io/romeogdetlevjr/malcolm/htadmin main xxxxxxxxxxxx 16 minutes ago 246MB
ghcr.io/romeogdetlevjr/malcolm/file-upload main xxxxxxxxxxxx 16 minutes ago 250MB
-ghcr.io/idaholab/malcolm/file-upload 24.10.0 xxxxxxxxxxxx 16 minutes ago 250MB
-ghcr.io/idaholab/malcolm/logstash-oss 24.10.0 xxxxxxxxxxxx 16 minutes ago 1.49GB
+ghcr.io/idaholab/malcolm/file-upload 24.10.1 xxxxxxxxxxxx 16 minutes ago 250MB
+ghcr.io/idaholab/malcolm/logstash-oss 24.10.1 xxxxxxxxxxxx 16 minutes ago 1.49GB
ghcr.io/romeogdetlevjr/malcolm/logstash-oss main xxxxxxxxxxxx 16 minutes ago 1.49GB
-ghcr.io/idaholab/malcolm/netbox 24.10.0 xxxxxxxxxxxx 17 minutes ago 1.66GB
+ghcr.io/idaholab/malcolm/netbox 24.10.1 xxxxxxxxxxxx 17 minutes ago 1.66GB
ghcr.io/romeogdetlevjr/malcolm/netbox main xxxxxxxxxxxx 17 minutes ago 1.66GB
ghcr.io/romeogdetlevjr/malcolm/filebeat-oss main xxxxxxxxxxxx 18 minutes ago 405MB
-ghcr.io/idaholab/malcolm/filebeat-oss 24.10.0 xxxxxxxxxxxx 18 minutes ago 405MB
+ghcr.io/idaholab/malcolm/filebeat-oss 24.10.1 xxxxxxxxxxxx 18 minutes ago 405MB
ghcr.io/romeogdetlevjr/malcolm/postgresql main xxxxxxxxxxxx 18 minutes ago 303MB
-ghcr.io/idaholab/malcolm/postgresql 24.10.0 xxxxxxxxxxxx 18 minutes ago 303MB
-ghcr.io/idaholab/malcolm/arkime 24.10.0 xxxxxxxxxxxx 18 minutes ago 802MB
+ghcr.io/idaholab/malcolm/postgresql 24.10.1 xxxxxxxxxxxx 18 minutes ago 303MB
+ghcr.io/idaholab/malcolm/arkime 24.10.1 xxxxxxxxxxxx 18 minutes ago 802MB
ghcr.io/romeogdetlevjr/malcolm/arkime main xxxxxxxxxxxx 18 minutes ago 802MB
-ghcr.io/idaholab/malcolm/opensearch 24.10.0 xxxxxxxxxxxx 18 minutes ago 1.42GB
+ghcr.io/idaholab/malcolm/opensearch 24.10.1 xxxxxxxxxxxx 18 minutes ago 1.42GB
ghcr.io/romeogdetlevjr/malcolm/opensearch main xxxxxxxxxxxx 18 minutes ago 1.42GB
-ghcr.io/idaholab/malcolm/pcap-monitor 24.10.0 xxxxxxxxxxxx 18 minutes ago 176MB
+ghcr.io/idaholab/malcolm/pcap-monitor 24.10.1 xxxxxxxxxxxx 18 minutes ago 176MB
ghcr.io/romeogdetlevjr/malcolm/pcap-monitor main xxxxxxxxxxxx 18 minutes ago 176MB
-ghcr.io/idaholab/malcolm/dashboards-helper 24.10.0 xxxxxxxxxxxx 18 minutes ago 233MB
+ghcr.io/idaholab/malcolm/dashboards-helper 24.10.1 xxxxxxxxxxxx 18 minutes ago 233MB
ghcr.io/romeogdetlevjr/malcolm/dashboards-helpermain xxxxxxxxxxxx 18 minutes ago 233MB
-ghcr.io/idaholab/malcolm/freq 24.10.0 xxxxxxxxxxxx 18 minutes ago 153MB
+ghcr.io/idaholab/malcolm/freq 24.10.1 xxxxxxxxxxxx 18 minutes ago 153MB
ghcr.io/romeogdetlevjr/malcolm/freq main xxxxxxxxxxxx 18 minutes ago 153MB
-ghcr.io/idaholab/malcolm/api 24.10.0 xxxxxxxxxxxx 18 minutes ago 169MB
+ghcr.io/idaholab/malcolm/api 24.10.1 xxxxxxxxxxxx 18 minutes ago 169MB
ghcr.io/romeogdetlevjr/malcolm/api main xxxxxxxxxxxx 18 minutes ago 169MB
```
diff --git a/docs/contributing-guide.md b/docs/contributing-guide.md
index 3237717be..d30153639 100644
--- a/docs/contributing-guide.md
+++ b/docs/contributing-guide.md
@@ -26,4 +26,5 @@ It is recommended before reviewing this guide to read the documentation on [cust
+ [OpenSearch Dashboards plugins](contributing-dashboards.md#DashboardsPlugins)
* [Carved file scanners](contributing-file-scanners.md#Scanners)
* [Style](contributing-style.md#Style)
-* [Using GitHub runners to build Malcolm images](contributing-github-runners.md#GitHubRunners)
\ No newline at end of file
+* [Using GitHub runners to build Malcolm images](contributing-github-runners.md#GitHubRunners)
+* [Preparing a Malcolm Release](contributing-release-prep.md)
\ No newline at end of file
diff --git a/docs/contributing-logstash.md b/docs/contributing-logstash.md
index 2cfcb085d..3309ec358 100644
--- a/docs/contributing-logstash.md
+++ b/docs/contributing-logstash.md
@@ -34,12 +34,12 @@ Finally, in the [`./config/logstash.env` file](malcolm-config.md#MalcolmConfigEn
The following modifications must be made in order for Malcolm to parse new Zeek log files:
-1. Add a parsing section to [`logstash/pipelines/zeek/11_zeek_parse.conf`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/logstash/pipelines/zeek/11_zeek_parse.conf)
+1. Add a parsing filter file named so that it sorts after [`logstash/pipelines/zeek/1001_zeek_parse.conf`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/logstash/pipelines/zeek/1001_zeek_parse.conf) but before [`logstash/pipelines/zeek/1199_zeek_unknown.conf`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/logstash/pipelines/zeek/1199_zeek_unknown.conf)
* Follow patterns for existing log files as an example
* For common Zeek fields such as the `id` four-tuple, timestamp, etc., use the same convention used by existing Zeek logs in that file (e.g., `ts`, `uid`, `orig_h`, `orig_p`, `resp_h`, `resp_p`)
- * Take care, especially when copy-pasting filter code, the Zeek delimiter isn't modified from a tab character to a space character (see "*zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP*" warnings in that file)
-1. If necessary, perform log normalization in [`logstash/pipelines/zeek/13_zeek_normalize.conf`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/logstash/pipelines/zeek/13_zeek_normalize.conf) for values such as action (`event.action`), result (`event.result`), application protocol version (`network.protocol_version`), etc.
-1. If necessary, define conversions for floating point or integer values in [`logstash/pipelines/zeek/14_zeek_convert.conf`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/logstash/pipelines/zeek/14_zeek_convert.conf)
+ * The [`logstash/scripts/logstash-start.sh`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/logstash/scripts/logstash-start.sh) Logstash container startup script should automatically fix any issues with parsing the Zeek tab delimiter (e.g., converting spaces in the `dissect` and `split` filters to tabs)
+1. If necessary, perform log normalization in [`logstash/pipelines/zeek/1300_zeek_normalize.conf`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/logstash/pipelines/zeek/1300_zeek_normalize.conf) for values such as action (`event.action`), result (`event.result`), application protocol version (`network.protocol_version`), etc.
+1. If necessary, define conversions for floating point or integer values in [`logstash/pipelines/zeek/1400_zeek_convert.conf`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/logstash/pipelines/zeek/1400_zeek_convert.conf)
1. Identify the new fields and add them as described in [Adding new log fields](contributing-new-log-fields.md#NewFields)
The script [`scripts/zeek_script_to_malcolm_boilerplate.py`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/scripts/zeek_script_to_malcolm_boilerplate.py) may help by autogenerating these filters.
diff --git a/docs/contributing-pcap.md b/docs/contributing-pcap.md
index c0feeab77..9d473d332 100644
--- a/docs/contributing-pcap.md
+++ b/docs/contributing-pcap.md
@@ -1,6 +1,6 @@
# PCAP processors
-When a PCAP is uploaded (either through Malcolm's [upload web interface](upload.md#Upload) or just copied manually into the `./pcap/upload` directory), the `pcap-monitor` container has a script that picks up those PCAP files and publishes to a [ZeroMQ](https://zeromq.org/) topic that can be subscribed to by any other process that wants to analyze that PCAP. In Malcolm (at the time of the [v24.10.0 release]({{ site.github.repository_url }}/releases/tag/v24.10.0)), there are three such ZeroMQ topics: the `zeek`, `suricata` and `arkime` containers. These actually share the [same script]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/pcap_processor.py) to run the PCAP through Zeek, Suricata, and Arkime, respectively. For an example to follow, the `zeek` container is the less complicated of the two. To integrate a new PCAP processing tool into Malcolm (named `cooltool` for this example) the process would entail:
+When a PCAP is uploaded (either through Malcolm's [upload web interface](upload.md#Upload) or just copied manually into the `./pcap/upload` directory), the `pcap-monitor` container has a script that picks up those PCAP files and publishes to a [ZeroMQ](https://zeromq.org/) topic that can be subscribed to by any other process that wants to analyze that PCAP. In Malcolm (at the time of the [v24.10.1 release]({{ site.github.repository_url }}/releases/tag/v24.10.1)), there are three such ZeroMQ topics: the `zeek`, `suricata` and `arkime` containers. These actually share the [same script]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/pcap_processor.py) to run the PCAP through Zeek, Suricata, and Arkime, respectively. For an example to follow, the `zeek` container is the less complicated of the two. To integrate a new PCAP processing tool into Malcolm (named `cooltool` for this example) the process would entail:
1. Define the service as instructed in the [Adding a new service](contributing-new-image.md#NewImage) section
* Note how the existing `zeek` and `arkime` services use [bind mounts](contributing-local-modifications.md#Bind) to access the local `./pcap` directory
diff --git a/docs/contributing-release-prep.md b/docs/contributing-release-prep.md
new file mode 100644
index 000000000..0ab70fa30
--- /dev/null
+++ b/docs/contributing-release-prep.md
@@ -0,0 +1,192 @@
+# Preparing a Malcolm Release
+
+This document outlines the steps a Malcolm developer goes through to publish a release of Malcolm. This guide assumes the developer has been doing their work downstream in a fork of the main [Malcolm repository upstream]({{ site.github.repository_url }}), forked at `romeogdetlevjr/Malcolm` by the fictitious Malcolm developer Romeo G Detlev Jr. concocted for this example.
+
+## 1. Review the project milestone and the branch from which the release will be staged
+
+Malcolm tracks issues (whether they be bugs, new features, enhancements, etc.) for release milestones using a [GitHub project](https://github.com/orgs/idaholab/projects/1). Before building release candidate images, Romeo reviews the items for the upcoming release in the corresponding project milestone and ensures that all items assigned to it have their status set to **Done**, each item having been completed and tested locally by the developer to which the issue was assigned.
+
+Romeo also ensures that all work towards this release has been pulled into the branch on his fork from which the release will be cut. If [pull requests]({{ site.github.repository_url }}/pulls) have been submitted upstream which resolve the issues assigned to this release, those pull requests should be merged into the branch at `romeogdetlevjr/Malcolm`, whether they were submitted initially against that fork or pulled in manually by Romeo as part of this release process. Pull requests are not accepted directly into the `main` branch of the official [upstream fork]({{ site.github.repository_url }}). In other words, the branch of Malcolm in Romeo's development fork should contain **everything** that is going to comprise this release of Malcolm.
+
+There are several places in the Malcolm source code where the release version itself (e.g., `24.10.0`) needs to be present. Most of these places are in the documentation, consisting of markdown files, but others include [docker-compose.yml]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/docker-compose.yml), [docker-compose-dev.yml]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/docker-compose-dev.yml), and the [Kubernetes manifests]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/kubernetes). Most likely Romeo's first commit into his branch as he worked on this release was to bump those version strings ([like this](https://github.com/romeogdetlevjr/Malcolm/commit/cc7d0d8855b5cc4f04cd38ae22d1421c627444cc)), but he should verify now that he did so.
+
+## 2. Build Malcolm container images using GitHub runners
+
+Images and artifacts for release should not be built on Romeo's own development workstation. Instead, carefully reviews the documentation for [using GitHub runners to build Malcolm images](contributing-github-runners.md#GitHubRunners) (including setting up his [GitHub repository actions secrets and variables](contributing-github-runners.md#secrets-and-variables)) and starts builds of the GitHub container images [with a workflow or repository dispatch API trigger](contributing-github-runners.md#triggers). He monitors the [progress of the workflow actions]({{ site.github.repository_url }}/actions) and ensures that they complete successfully, including jobs for both `docker (linux/amd64)` and `docker (linux/arm64)` where applicable.
+
+## 3. Build Malcolm ISO images using GitHub runners
+
+The [workflow for building the Hedgehog Linux installer ISO]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/actions/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml) can be run independently of the Malcolm container images; however, the [workflow for building the Malcolm installer ISO]({{ site.github.repository_url }}/actions/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml) needs to be run **after** all of the container image "build-and-push" actions have completed successfully, as those images are pulled and archived inside of the ISO itself. Once Romeo is sure that all of the actions for building the container images from the previous step have completed successfully, he initiates a run of the [`malcolm-iso-build-docker-wrap-push-ghcr`]({{ site.github.repository_url }}/actions/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml) action.
+
+## 4. Pull the container images from ghcr.io
+
+Once all of the release candidate images have been built by their respective GitHub actions, Romeo can use the [convenience helper script](contributing-github-runners.md#convenience-scripts-for-development) (found at [`./scripts/github_image_helper.sh`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/scripts/github_image_helper.sh) in the Malcolm source code) which has the following purposes:
+
+1. To pull the freshly-built container images from ghcr.io named with his fork's tags (e.g., `ghcr.io/romeogdetlevjr/malcolm/zeek:main`)
+2. To tag these images with their "official" tags (e.g., `ghcr.io/idaholab/malcolm/zeek:24.10.1`)
+3. To extract the ISO 9660-formatted ISO files for the Malcolm and Hedgehog Linux installer ISOs
+
+Romeo carefully reviews the documentation on this [convenience helper script](contributing-github-runners.md#convenience-scripts-for-development), then runs it. When it has completed, he verifies with `docker images` that he pulled the new container images (checking the containers' ages with the `CREATED` column) and that he has the `.iso` files he expects to have.
+
+## 5. Extract, install, and test ISO images
+
+Now that he's got the `.iso` files for Malcolm and Hedgehog Linux, Romeo fires up some virtualization software ([VMware Workstation](https://www.vmware.com/products/desktop-hypervisor/workstation-and-fusion), [VirtualBox](https://www.virtualbox.org/), or, his personal favorite, [virt-manager](https://virt-manager.org/)) and installs the ISOs into their respective VMs. He makes sure his VMs are configured to meet the [recommended system requirements](system-requirements.md#SystemRequirements). He follows the [end-to-end Malcolm and Hedgehog Linux ISO Installation](malcolm-hedgehog-e2e-iso-install.md#InstallationExample) example in the documentation to install and configure Malcolm and Hedgehog Linux, resulting in a configuration where the VMs are successfully communicating with each other.
+
+Part of Romeo's testing includes uploading PCAP files to test the parsers for Malcolm's [supported protocols](protocols.md#Protocols), so he uses a [set of PCAP files](https://github.com/mmguero-dev/Malcolm-PCAP) curated by another Malcolm developer for this purpose.
+
+He also knows that verifying live traffic capture is an important part of testing both [Hedgehog Linux](live-analysis.md#Hedgehog) and [Malcolm](live-analysis.md#LocalPCAP). He has used a few open-source tools to generate "real" live Internet traffic in his VMs, including [PartyLoud](https://github.com/mmguero-dev/PartyLoud), [alphasoc/flightsim](https://github.com/alphasoc/flightsim), and [3CORESec/testmynids.org](https://github.com/3CORESec/testmynids.org). He downloads these utilities into both VMs and configures both Malcolm and Hedgehog Linux to capture the live traffic generated.
+
+Having [uploaded](upload.md#Upload) a variety of PCAP files and configured [live traffic analysis](live-analysis.md), Romeo validates the resulting traffic metadata generated by Zeek, Suricata, and Arkime looks correct in both [OpenSearch Dashboards](dashboards.md#Dashboards) and [Arkime](arkime.md#Arkime). He makes a special note to use [Arkime's sessions interface](arkime.md#ArkimeSessions) to retrieve a PCAP payload for an Arkime session captured on each VM.
+
+Romeo knows that soon™ the Malcolm project will include a [robust automated system testing framework](https://github.com/idaholab/Malcolm/issues/11), but until then he realizes it's on him to do his best to ensure the quality of this Malcolm release. He carefully reviews and tests each issue assigned to this milestone on the [GitHub project board](https://github.com/orgs/idaholab/projects/1).
+
+## 6. Build Hedgehog Linux Raspberry Pi image
+
+Earlier, Romeo reminded himself that images and artifacts for release should not be built on his own development workstation. While this is a worthy goal, at the time of this writing GitHub does not provide [standard hosted runners](https://docs.github.com/en/actions/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners) for arm64, so the [workflow for building the Hedgehog Linux Raspberry Pi image]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/actions/workflows/hedgehog-raspi-build-docker-wrap-push-ghcr.yml) would have to be emulated in QEMU. Romeo knows from personal experience that this build process would exceed GitHub's time limit and be killed, so he has to resort to [building the Raspberry Pi image](hedgehog-raspi-build.md#HedgehogRaspiBuild) locally. He has read that arm64 standard runners are [coming soon](https://github.com/orgs/community/discussions/19197#discussioncomment-10895290) and suspects that soon Malcolm will support building the Hedgehog Linux Raspberry Pi image natively using GitHub runners.
+
+## 7. Submit and merge a pull request
+
+Now that he's satisfied that everything looks ship-shape for the release, Romeo drafts and submits a pull request from his development fork to the [Malcolm repository upstream]({{ site.github.repository_url }}), where it should be carefully reviewed, preferably by Romeo and another Malcolm developer together.
+
+Once the PR has been carefully reviewed by the necessary parties to everyone's satisfaction, it can be merged info the `main` branch upstream.
+
+## 8. Push official images to ghcr.io
+
+Earlier Romeo used the [convenience helper script](contributing-github-runners.md#convenience-scripts-for-development) to pull and tag the container images that would become the official images for this release. He now pushes those images to ghcr.io, making them available to the public in the official upstream namespace with their final release tags. He uses some script-fu to do this, listing the container images, filtering for the newly-tagged `idaholab` images for this release, and using `xargs` to execute a `docker push` command for each:
+
+```bash
+$ docker images \
+ | grep -P "ghcr\.io/idaholab/malcolm/.+24\.10\.1" \
+ | awk '{print $1 ":" $2}' \
+ | xargs -r -l docker push
+
+Getting image source signatures
+Copying blob f944ed4242ed skipped: already exists
+…
+Copying config 2c88f94597 done |
+Writing manifest to image destination
+…
+Writing manifest to image destination
+Getting image source signatures
+Copying blob 43c4264eed91 skipped: already exists
+…
+Copying config caff12e3c5 done |
+Writing manifest to image destination
+```
+
+The push should actually go very quickly, because the container registry is smart enough to realize that the images already exist (with the `romeogdetlevjr` tags), so there will be a lot of "Copying blob … skipped: already exists" messages in the output.
+
+## 9. Pulling and pushing the arm64 images
+
+Romeo's primary development workstation is a Linux system running on the x86_64/amd64 architecture. He realizes that Malcolm has had [arm64 support](https://github.com/idaholab/Malcolm/issues/389) for some time. However, the convenience script he used to pull and tag the Malcolm images as described above is only doing so for the `amd64` container images.
+
+Romeo switches over to an arm64-based machine (in his case, his Apple M2 Max MacBook Pro) and repeats the steps from **Pull the container images from ghcr.io** and **Push official images to ghcr.io** above, only this time for the Malcolm images with the `-arm64` suffixed tags.
+
+## 10. Prepare release artifacts
+
+Romeo appreciates it when open source projects include detailed release notes, so he carefully goes writes some to accompany this release of Malcolm. Using the pattern followed in [previous Malcolm releases]({{ site.github.repository_url }}/releases), he uses Markdown to draft release notes including:
+
+* New features and enhancements
+* Version bumps for any components or libraries used by Malcolm
+* Bugs fixed
+* Changes to [environment variable files](malcolm-config.md#MalcolmConfigEnvVars)
+* Breaking changes (things that aren't backwards compatible, things requiring a re-run of the `configure` script, etc.)
+
+There are two general categories of files that need to be generated to be included with the Malcolm release as assets, broken down thusly:
+
+* Images
+ - Malcolm installer ISO
+ - Hedgehog Linux installer ISO
+ - Hedgehog Linux Raspberry Pi image
+* Scripts and tarball for a standalone Docker installation
+
+Romeo checks out and switches his GitHub repository's working copy so that it's tracking the [upstream branch]({{ site.github.repository_url }}) (e.g., `git checkout main` and `git branch --set-upstream-to idaholab/main`). Running `git log -1` should show that the latest commit to this branch is the merge of the pull request performed earlier.
+
+Romeo creates a local directory to contain the release artifacts and runs `./scripts/malcolm_appliance_packager.sh` to package up the scripts and tarball for a standalone Docker installation (the output of that script is somewhat verbose, so it's been summarized for display here):
+
+```bash
+$ mkdir releases
+
+$ cd releases
+
+$ ~/Malcolm/scripts/malcolm_appliance_packager.sh
+…
+mkdir: created directory …
+
+Package Kubernetes manifests in addition to docker-compose.yml [y/N]? y
+…
+Packaged Malcolm to "/home/romeogdetlevjr/Malcolm/releases/malcolm_20241008_215936_deadbeef.tar.gz"
+
+Do you need to package container images also [y/N]? n
+
+To install Malcolm:
+ 1. Run install.py
+ 2. Follow the prompts
+
+To start, stop, restart, etc. Malcolm:
+ Use the control scripts in the "scripts/" directory:
+ - start (start Malcolm)
+ - stop (stop Malcolm)
+ - restart (restart Malcolm)
+ - logs (monitor Malcolm logs)
+ - wipe (stop Malcolm and clear its database)
+ - auth_setup (change authentication-related settings)
+
+Malcolm services can be accessed at https:///
+
+$ ls -l
+total 462,848
+-rwxr-xr-x 1 romeogdetlevjr romeogdetlevjr 219,939 Oct 22 10:32 install.py
+-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 475 Oct 22 10:33 malcolm_20241008_215936_deadbeef.README.txt
+-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 115,865 Oct 22 10:32 malcolm_20241008_215936_deadbeef.tar.gz
+-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 41,372 Oct 22 10:32 malcolm_common.py
+-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 44,226 Oct 22 10:32 malcolm_kubernetes.py
+-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 24,865 Oct 22 10:32 malcolm_utils.py
+```
+
+The resultant `.py`, `.tar.gz,` and `.txt` files are ready to be included as assets in the Malcolm release on GitHub.
+
+As described in the documentation for [downloading Malcolm](download.md#JoinISOs), due to [limits on individual files](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases#storage-and-bandwidth-quotas) in GitHub releases, the binary image files have been split into 2GB chunks. The same scripts (for Bash ([release_cleaver.sh]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/scripts/release_cleaver.sh)) and PowerShell ([release_cleaver.ps1]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/scripts/release_cleaver.ps1))) used to join the files can be used to split them up:
+
+```bash
+$ ls -l
+total 8,502,263,808
+-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 1,209,240 Oct 22 09:50 hedgehog-24.10.1-build.log
+-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 2,664,972,288 Oct 22 09:50 hedgehog-24.10.1.iso
+-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 963,775 Oct 22 09:49 malcolm-24.10.1-build.log
+-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 5,835,110,400 Oct 22 09:49 malcolm-24.10.1.iso
+
+$ for ISO in *.iso; do ~/Malcolm/scripts/release_cleaver.sh "$ISO"; done
+Splitting...
+bf6e71385046b39d265af3dfc5b77677a0ac5eeac86bdc5be48791d0900715df hedgehog-24.10.1.iso
+Splitting...
+b4957741420ec06988d975cdb7f71eaa201918245f6fcb7ee2641d7d0ad97c52 malcolm-24.10.1.iso
+
+$ ls -l
+total 17,002,364,928
+-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 1,209,240 Oct 22 09:50 hedgehog-24.10.1-build.log
+-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 2,664,972,288 Oct 22 09:50 hedgehog-24.10.1.iso
+-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 2,000,000,000 Oct 22 10:40 hedgehog-24.10.1.iso.01
+-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 664,972,288 Oct 22 10:40 hedgehog-24.10.1.iso.02
+-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 87 Oct 22 10:40 hedgehog-24.10.1.iso.sha
+-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 963,775 Oct 22 09:49 malcolm-24.10.1-build.log
+-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 5,835,110,400 Oct 22 09:49 malcolm-24.10.1.iso
+-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 2,000,000,000 Oct 22 10:41 malcolm-24.10.1.iso.01
+-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 2,000,000,000 Oct 22 10:41 malcolm-24.10.1.iso.02
+-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 1,835,110,400 Oct 22 10:41 malcolm-24.10.1.iso.03
+-rw-r--r-- 1 romeogdetlevjr romeogdetlevjr 86 Oct 22 10:41 malcolm-24.10.1.iso.sha
+```
+
+The resultant files (with the `.iso.##` and `.iso.sha` extensions) are the files ready to be included as assets in the Malcolm release on GitHub.
+
+## 11. Publish the release
+
+Romeo goes to the [releases]({{ site.github.repository_url }}/releases) page of the upstream repository. He clicks **Draft a new release**. On the new release page, he enters the release tag under **Choose a tag** (e.g., `v24.10.1`) with `main` as the target. He puts **Malcolm v24.10.1** as the release title, and pastes the content of the markdown release notes he wrote into the **Write** input where it prompts him to **Describe this release**.
+
+Romeo attaches the asset files from the previous step where it says "↓ Attach binaries by dropping them here or selecting them." He ensures that **Set as the latest release** is checked.
+
+After reviewing the contents of this page, Romeo pushes the green **Publish release** button, making this the latest official Malcolm release.
+
+## 12. Close project milestone
+
+Finally, Romeo navigates back to the [GitHub project](https://github.com/orgs/idaholab/projects/1) and changes the status of each issue under the now-released milestone from **Done** to **Released**. He then navigates to the [milestones]({{ site.github.repository_url }}/milestones) page on GitHub and clicks **Close** for that milestone.
\ No newline at end of file
diff --git a/docs/hardening.md b/docs/hardening.md
index 83d13023e..6a492682e 100644
--- a/docs/hardening.md
+++ b/docs/hardening.md
@@ -21,12 +21,16 @@ The Malcolm aggregator base operating system claims exceptions from the recommen
**2.14 Add nodev option to /run/shm Partition**, **2.15 Add nosuid option to /run/shm Partition**, **2.16 Add noexec option to /run/shm Partition** - The Malcolm aggregator base operating system does not mount `/run/shm` as a separate partition, so these recommendations do not apply.
+**2.17 Set Sticky Bit on All World-Writable Directories** - The only directory found by [this script](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/2.17_sticky_bit_world_writable_folder.sh) is `/var/mail`, which is configured as prescribed by the Debian maintainers.
+
**2.19 Disable Mounting of freevxfs Filesystems**, **2.20 Disable Mounting of jffs2 Filesystems**, **2.21 Disable Mounting of hfs Filesystems**, **2.22 Disable Mounting of hfsplus Filesystems**, **2.23 Disable Mounting of squashfs Filesystems**, **2.24 Disable Mounting of udf Filesystems** - The Malcolm aggregator base operating system is not compiling a custom Linux kernel, so these filesystems are inherently supported as they are part Debian Linux's default kernel.
**3.3 Set Boot Loader Password** - As maximizing availability is a system requirement, Malcolm should restart automatically without user intervention to ensure uninterrupted service. A boot loader password is not enabled.
**4.8 Disable USB Devices** - The ability to ingest data (such as PCAP files) from a mounted USB mass storage device is a requirement of the system.
+**5.2 Install screen** - The Malcolm base operating system comes with `tmux`, a modern `screen` alternative.
+
**6.1 Ensure the X Window system is not installed**, **6.2 Ensure Avahi Server is not enabled**, **6.3 Ensure print server is not enabled** - An X Windows session is provided for displaying dashboards. The library packages `libavahi-common-data`, `libavahi-common3`, and `libcups2` are dependencies of some of the X components used by the Malcolm aggregator base operating system, but the `avahi` and `cups` services themselves are disabled.
**6.17 Ensure virus scan Server is enabled**, **6.18 Ensure virus scan Server update is enabled** - As this is a network traffic analysis appliance rather than an end-user device, regular user files will not be created. A virus scan program would impact device performance and would be unnecessary.
@@ -35,8 +39,16 @@ The Malcolm aggregator base operating system claims exceptions from the recommen
**8.1.1.2 Disable System on Audit Log Full**, **8.1.1.3 Keep All Auditing Information**, **8.1.1.5 Ensure set remote_server for audit service**, **8.1.1.6 Ensure enable_krb5 set to yes for remote audit service**, **8.1.1.7 Ensure set action for audit storage volume is fulled**, **8.1.1.8 Ensure set action for network failure on remote audit service**, **8.1.1.9 Set space left for auditd service**, a few other audit-related items under section **8.1**, **8.2.4 Configure rsyslog to Send Logs to a Remote Log Host** - As maximizing availability is a system requirement, audit processing failures will be logged on the device rather than halting the system. `auditd` is set up to syslog when its local storage capacity is reached.
+**8.2.1 Install the rsyslog package**, **8.2.2 Enable rsyslog**, **8.2.3 Create and Set Permissions on rsyslog Log Files by conf file**, **8.3.1 Install the syslog-ng package**, **8.3.2 Ensure the syslog-ng Service is activated**, - Modern Debian-based Linux systems now use journald instead of rsyslog or syslog-ng. On Malcolm, these logs are available using journalctl and can be configured to be forwarded into the Malcolm data store using Fluent Bit.
+
**8.4.2 Implement Periodic Execution of File Integrity** - This functionality is not configured by default, but it can be configured post-install by the end user.
+**8.5 Ensure permissions on all logfiles are configured** - It is the opinion of the Malcolm development team that the log files found in `/var/log` on the Malcolm base operating system are set with secure file permissions, despite what the [audit script](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/8.5_ensure_permissions_on_all_logfiles.sh) for this item suggests.
+
+**8.7.1 Ensure journald is configured to compress large log files** - Malcolm does not enable compression for journald logs to ensure that they remain readable by [Fluent Bit](https://docs.fluentbit.io/manual/pipeline/inputs/systemd) (see [this related issue](https://github.com/fluent/fluent-bit/issues/2998)) for forwarding into the Malcolm data store.
+
+**8.7.2 Ensure journald is configured to write logfiles to persistent disk** - Journald's `Storage` setting remains set to the default `auto` value in the Malcolm base operating system. However, these logs can be configured to be forwarded into the Malcolm data store, at which point they are persisted to disk.
+
Password-related recommendations under **9.2** and **10.1** - The library package `libpam-pwquality` is used in favor of `libpam-cracklib`, which is what the [compliance scripts](https://github.com/hardenedlinux/harbian-audit/tree/master/bin/hardening) are looking for. Also, as an appliance running Malcolm is intended to be used as an appliance rather than a general user-facing software platform, some exceptions to password enforcement policies are claimed.
**9.3.13 Limit Access via SSH** - The Malcolm aggregator base operating system does not create multiple regular user accounts: only `root` and an aggregator service account are used. SSH access for `root` is disabled. SSH login with a password is also disallowed: only key-based authentication is accepted. The service account accepts no keys by default. As such, the `AllowUsers`, `AllowGroups`, `DenyUsers`, and `DenyGroups` values in `sshd_config` do not apply.
@@ -47,6 +59,8 @@ Password-related recommendations under **9.2** and **10.1** - The library packag
**10.1.10 Set maxlogins for all accounts** and **10.5 Set Timeout on ttys** - The Malcolm aggregator base operating system does not create multiple regular user accounts: only the `root` and aggregator service accounts are used.
+**12.8 Find Un-owned Files and Directories** and **12.9 Find Un-grouped Files and Directories** - The files found by [these](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/12.8_find_unowned_files.sh) [scripts](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/12.9_find_ungrouped_files.sh) exist within the layers of Malcolm's Docker images. While they do not belong to any user/group the host system knows about, the ownership of these files is set correctly in each Docker container's entrypoint. These files are not accessible to any unprivileged user on the host.
+
**12.10 Find SUID System Executables**, **12.11 Find SGID System Executables** - The few files found by [these](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/12.10_find_suid_files.sh) [scripts](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/12.11_find_sgid_files.sh) are valid exceptions required by the Malcolm aggregator base operating system's core requirements.
**14.1 Defense for NAT Slipstreaming** - As Malcolm may operate as a network traffic capture appliance sniffing packets on a network interface configured in promiscuous mode, this recommendation does not apply.
@@ -57,6 +71,8 @@ Please review the notes for these additional guidelines. While not claiming an e
**5.4 Ensure ctrl-alt-del is disabled** - The Malcolm aggregator base operating system disables the `ctrl+alt+delete` key sequence by executing `systemctl disable ctrl-alt-del.target` during installation and the command `systemctl mask ctrl-alt-del.target` at boot time.
+**6.5 Ensure time sync server is installed**, **6.19 Configure Network Time Protocol (NTP)**, and **6.20 Configure Network Time Protocol (chrony)** - The Malcolm aggregator base operating system [can be configured](malcolm-hedgehog-e2e-iso-install.md#MalcolmTimeSync) to synchronize time using either Network Time Protocol (NTP) or HTP (HTTP Time Protocol). The audit scripts for checking and configuring NTP do not check for binaries provided by the `ntpsec` package Malcolm uses, which is why this is incorrectly flagged as noncompliant.
+
**7.4.4 Create /etc/hosts.deny**, **7.7.1 Ensure Firewall is active**, **7.7.4.1 Ensure default deny firewall policy**, **7.7.4.2 Ensure loopback traffic is configured**, **7.7.4.3 Ensure default deny firewall policy**, **7.7.4.4 Ensure outbound and established connections are configured** - The Malcolm aggregator base operating system **is** configured with an appropriately locked-down software firewall (managed by "[Uncomplicated Firewall](https://launchpad.net/ufw)" `ufw`). However, the methods outlined in the [CIS benchmark recommendations](https://www.cisecurity.org/cis-benchmarks/cis-benchmarks-faq/) do not account for this configuration.
**8.6 Verifies integrity all packages** - The [script](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/8.7_verify_integrity_packages.sh) that verifies package integrity only "fails" because of missing (status `??5??????` displayed by the utility) language ("locale") files, which are removed as part of the Malcolm aggregator base operating system's trimming-down process. All non-locale-related system files pass intergrity checks.
diff --git a/docs/hedgehog-hardening.md b/docs/hedgehog-hardening.md
index 75307fd17..c993f2042 100644
--- a/docs/hedgehog-hardening.md
+++ b/docs/hedgehog-hardening.md
@@ -18,12 +18,16 @@ Hedgehog Linux claims exceptions from the recommendations in this benchmark in t
**2.14 Add nodev option to /run/shm Partition**, **2.15 Add nosuid Option to /run/shm Partition**, **2.16 Add noexec Option to /run/shm Partition** - Hedgehog Linux does not mount `/run/shm` as a separate partition, so these recommendations do not apply.
+**2.17 Set Sticky Bit on All World-Writable Directories** - The only directory found by [this script](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/2.17_sticky_bit_world_writable_folder.sh) is `/var/mail`, which is configured as prescribed by the Debian maintainers.
+
**2.19 Disable Mounting of freevxfs Filesystems**, **2.20 Disable Mounting of jffs2 Filesystems**, **2.21 Disable Mounting of hfs Filesystems**, **2.22 Disable Mounting of hfsplus Filesystems**, **2.23 Disable Mounting of squashfs Filesystems**, **2.24 Disable Mounting of udf Filesystems** - Hedgehog Linux is not compiling a custom Linux kernel, so these filesystems are inherently supported as they are part Debian Linux's default kernel.
**3.3 Set Boot Loader Password** - As maximizing availability is a system requirement, Malcolm should restart automatically without user intervention to ensured uninterrupted service. A boot loader password is not enabled.
**4.8 Disable USB Devices** - The ability to ingest data (such as PCAP files) from a mounted USB mass storage device is a requirement of the system.
+**5.2 Install screen** - Hedgehog Linux comes with `tmux`, a modern `screen` alternative.
+
**6.1 Ensure the X Window system is not installed**, **6.2 Ensure Avahi Server is not enabled**, **6.3 Ensure print server is not enabled** - An X Windows session is provided for displaying dashboards. The library packages `libavahi-common-data`, `libavahi-common3`, and `libcups2` are dependencies of some of the X components used by Hedgehog Linux, but the `avahi` and `cups` services themselves are disabled.
**6.17 Ensure virus scan Server is enabled**, **6.18 Ensure virus scan Server update is enabled** - As this is a network traffic analysis appliance rather than an end-user device, regular user files will not be created. A virus scan program would impact device performance and would be unnecessary.
@@ -32,8 +36,16 @@ Hedgehog Linux claims exceptions from the recommendations in this benchmark in t
**8.1.1.2 Disable System on Audit Log Full**, **8.1.1.3 Keep All Auditing Information**, **8.1.1.5 Ensure set remote_server for audit service**, **8.1.1.6 Ensure enable_krb5 set to yes for remote audit service**, **8.1.1.7 Ensure set action for audit storage volume is fulled**, **8.1.1.8 Ensure set action for network failure on remote audit service**, **8.1.1.9 Set space left for auditd service**, a few other audit-related items under section **8.1**, **8.2.4 Configure rsyslog to Send Logs to a Remote Log Host** - As maximizing availability is a system requirement, audit processing failures will be logged on the device rather than halting the system. `auditd` is set up to syslog when its local storage capacity is reached.
+**8.2.1 Install the rsyslog package**, **8.2.2 Enable rsyslog**, **8.2.3 Create and Set Permissions on rsyslog Log Files by conf file**, **8.3.1 Install the syslog-ng package**, **8.3.2 Ensure the syslog-ng Service is activated**, - Modern Debian-based Linux systems now use journald instead of rsyslog or syslog-ng. On Malcolm, these logs are available using journalctl and can be configured to be forwarded into the Malcolm data store using Fluent Bit.
+
**8.4.2 Implement Periodic Execution of File Integrity** - This functionality is not configured by default, but it can be configured post-install by the end user.
+**8.5 Ensure permissions on all logfiles are configured** - It is the opinion of the Malcolm development team that the log files found in `/var/log` on the Malcolm base operating system are set with secure file permissions, despite what the [audit script](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/8.5_ensure_permissions_on_all_logfiles.sh) for this item suggests.
+
+**8.7.1 Ensure journald is configured to compress large log files** - Malcolm does not enable compression for journald logs to ensure that they remain readable by [Fluent Bit](https://docs.fluentbit.io/manual/pipeline/inputs/systemd) (see [this related issue](https://github.com/fluent/fluent-bit/issues/2998)) for forwarding into the Malcolm data store.
+
+**8.7.2 Ensure journald is configured to write logfiles to persistent disk** - Journald's `Storage` setting remains set to the default `auto` value in the Malcolm base operating system. However, these logs can be configured to be forwarded into the Malcolm data store, at which point they are persisted to disk.
+
Password-related recommendations under **9.2** and **10.1** - The library package `libpam-pwquality` is used in favor of `libpam-cracklib` which is what the [compliance scripts](https://github.com/hardenedlinux/harbian-audit/tree/master/bin/hardening) are looking for. Also, as an appliance running Malcolm is intended to be used as an appliance rather than a general user-facing software platform, some exceptions to password enforcement policies are claimed.
**9.3.13 Limit Access via SSH** - Hedgehog Linux does not create multiple regular user accounts: only `root` and a sensor service account are used. SSH access for `root` is disabled. SSH login with a password is also disallowed: only key-based authentication is accepted. The service account accepts no keys by default. As such, the `AllowUsers`, `AllowGroups`, `DenyUsers`, and `DenyGroups` values in `sshd_config` do not apply.
@@ -54,6 +66,8 @@ Please review the notes for these additional guidelines. While not claiming an e
**5.4 Ensure ctrl-alt-del is disabled** - Hedgehog Linux disables the `ctrl+alt+delete` key sequence by executing `systemctl disable ctrl-alt-del.target` during installation and the command `systemctl mask ctrl-alt-del.target` at boot time.
+**6.5 Ensure time sync server is installed**, **6.19 Configure Network Time Protocol (NTP)**, and **6.20 Configure Network Time Protocol (chrony)** - The Malcolm aggregator base operating system [can be configured](malcolm-hedgehog-e2e-iso-install.md#MalcolmTimeSync) to synchronize time using either Network Time Protocol (NTP) or HTP (HTTP Time Protocol). The audit scripts for checking and configuring NTP do not check for binaries provided by the `ntpsec` package Malcolm uses, which is why this is incorrectly flagged as noncompliant.
+
**7.4.4 Create /etc/hosts.deny**, **7.7.1 Ensure Firewall is active**, **7.7.4.1 Ensure default deny firewall policy**, **7.7.4.2 Ensure loopback traffic is configured**, **7.7.4.3 Ensure default deny firewall policy**, **7.7.4.4 Ensure outbound and established connections are configured** - Hedgehog Linux **is** configured with an appropriately locked-down software firewall (managed by "Uncomplicated Firewall" `ufw`). However, the methods outlined in the CIS benchmark recommendations do not account for this configuration.
**8.6 Verifies integrity all packages** - The [script](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/8.7_verify_integrity_packages.sh) which verifies package integrity only "fails" because of missing (status `??5??????` displayed by the utility) language ("locale") files, which are removed as part of Hedgehog Linux's trimming-down process. All non-locale-related system files pass intergrity checks.
\ No newline at end of file
diff --git a/docs/hedgehog-iso-build.md b/docs/hedgehog-iso-build.md
index 7713cecb2..1ca269878 100644
--- a/docs/hedgehog-iso-build.md
+++ b/docs/hedgehog-iso-build.md
@@ -31,7 +31,7 @@ Building the ISO may take 90 minutes or more depending on your system. As the bu
```
…
-Finished, created "/sensor-build/hedgehog-24.10.0.iso"
+Finished, created "/sensor-build/hedgehog-24.10.1.iso"
…
```
diff --git a/docs/images/logo/Malcolm_outline.svg b/docs/images/logo/Malcolm_outline.svg
index 01da04f33..dc33a0e2b 100644
--- a/docs/images/logo/Malcolm_outline.svg
+++ b/docs/images/logo/Malcolm_outline.svg
@@ -16,7 +16,7 @@
version="1.1"
id="svg131"
inkscape:version="0.92.4 (5da689c313, 2019-01-14)"
- inkscape:export-filename="/home/tlacuache/Malcolm_outline_banner.png"
+ inkscape:export-filename="Malcolm_outline_banner.png"
inkscape:export-xdpi="96"
inkscape:export-ydpi="96">
amazon-ebs: Prevalidating any provided VPC information
- ==> amazon-ebs: Prevalidating AMI Name: malcolm-v24.10.0-arm64-2024-05-30T13-57-31Z
+ ==> amazon-ebs: Prevalidating AMI Name: malcolm-v24.10.1-x86_64-2024-10-10T15-41-32Z
amazon-ebs: Found Image ID: ami-xxxxxxxxxxxxxxxxx
...
@@ -53,16 +53,16 @@ The files referenced in this section can be found in [scripts/third-party-enviro
==> amazon-ebs: Adding tags to AMI (ami-xxxxxxxxxxxxxxxxx)...
==> amazon-ebs: Tagging snapshot: snap-xxxxxxxxxxxxxxxxx
==> amazon-ebs: Creating AMI tags
- amazon-ebs: Adding tag: "Malcolm": "idaholab/Malcolm/v24.10.0"
- amazon-ebs: Adding tag: "source_ami_name": "amzn2-ami-kernel-5.10-hvm-2.0.20240521.0-arm64-gp2"
+ amazon-ebs: Adding tag: "Malcolm": "idaholab/Malcolm/v24.10.1"
+ amazon-ebs: Adding tag: "source_ami_name": "al2023-ami-ecs-hvm-2023.0.20241003-kernel-6.1-x86_64"
==> amazon-ebs: Creating snapshot tags
==> amazon-ebs: Terminating the source AWS instance...
==> amazon-ebs: Cleaning up any extra volumes...
==> amazon-ebs: No volumes to clean up, skipping
==> amazon-ebs: Deleting temporary keypair...
- Build 'amazon-ebs' finished after 23 minutes 58 seconds.
+ Build 'amazon-ebs' finished after 19 minutes 57 seconds.
- ==> Wait completed after 23 minutes 58 seconds
+ ==> Wait completed after 19 minutes 57 seconds
==> Builds finished. The artifacts of successful builds are:
--> amazon-ebs: AMIs were created:
@@ -76,10 +76,10 @@ The files referenced in this section can be found in [scripts/third-party-enviro
{
"Images": [
{
- "Architecture": "arm64",
+ "Architecture": "x86_64",
"CreationDate": "2024-05-30T14:02:21.000Z",
"ImageId": "ami-xxxxxxxxxxxxxxxxx",
- "ImageLocation": "xxxxxxxxxxxx/malcolm-v24.10.0-arm64-2024-05-30T13-57-31Z",
+ "ImageLocation": "xxxxxxxxxxxx/malcolm-v24.10.1-arm64-2024-05-30T13-57-31Z",
"ImageType": "machine",
"Public": false,
"OwnerId": "xxxxxxxxxxxx",
@@ -92,7 +92,7 @@ The files referenced in this section can be found in [scripts/third-party-enviro
"Ebs": {
"DeleteOnTermination": true,
"SnapshotId": "snap-xxxxxxxxxxxxxxxxx",
- "VolumeSize": 20,
+ "VolumeSize": 30,
"VolumeType": "gp2",
"Encrypted": false
}
@@ -100,18 +100,18 @@ The files referenced in this section can be found in [scripts/third-party-enviro
],
"EnaSupport": true,
"Hypervisor": "xen",
- "Name": "malcolm-v24.10.0-arm64-2024-05-30T13-57-31Z",
+ "Name": "malcolm-v24.10.1-arm64-2024-05-30T13-57-31Z",
"RootDeviceName": "/dev/xvda",
"RootDeviceType": "ebs",
"SriovNetSupport": "simple",
"Tags": [
{
"Key": "Malcolm",
- "Value": "idaholab/Malcolm/v24.10.0"
+ "Value": "idaholab/Malcolm/v24.10.1"
},
{
"Key": "source_ami_name",
- "Value": "amzn2-ami-kernel-5.10-hvm-2.0.20240521.0-arm64-gp2"
+ "Value": "al2023-ami-ecs-hvm-2023.0.20241003-kernel-6.1-x86_64"
}
],
"VirtualizationType": "hvm",
diff --git a/docs/ubuntu-install-example.md b/docs/ubuntu-install-example.md
index 9e77c9c8d..d49211129 100644
--- a/docs/ubuntu-install-example.md
+++ b/docs/ubuntu-install-example.md
@@ -261,25 +261,25 @@ Pulling zeek ... done
user@host:~/Malcolm$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
-ghcr.io/idaholab/malcolm/api 24.10.0 xxxxxxxxxxxx 3 days ago 158MB
-ghcr.io/idaholab/malcolm/arkime 24.10.0 xxxxxxxxxxxx 3 days ago 816MB
-ghcr.io/idaholab/malcolm/dashboards 24.10.0 xxxxxxxxxxxx 3 days ago 1.02GB
-ghcr.io/idaholab/malcolm/dashboards-helper 24.10.0 xxxxxxxxxxxx 3 days ago 184MB
-ghcr.io/idaholab/malcolm/file-monitor 24.10.0 xxxxxxxxxxxx 3 days ago 588MB
-ghcr.io/idaholab/malcolm/file-upload 24.10.0 xxxxxxxxxxxx 3 days ago 259MB
-ghcr.io/idaholab/malcolm/filebeat-oss 24.10.0 xxxxxxxxxxxx 3 days ago 624MB
-ghcr.io/idaholab/malcolm/freq 24.10.0 xxxxxxxxxxxx 3 days ago 132MB
-ghcr.io/idaholab/malcolm/htadmin 24.10.0 xxxxxxxxxxxx 3 days ago 242MB
-ghcr.io/idaholab/malcolm/logstash-oss 24.10.0 xxxxxxxxxxxx 3 days ago 1.35GB
-ghcr.io/idaholab/malcolm/netbox 24.10.0 xxxxxxxxxxxx 3 days ago 1.01GB
-ghcr.io/idaholab/malcolm/nginx-proxy 24.10.0 xxxxxxxxxxxx 3 days ago 121MB
-ghcr.io/idaholab/malcolm/opensearch 24.10.0 xxxxxxxxxxxx 3 days ago 1.17GB
-ghcr.io/idaholab/malcolm/pcap-capture 24.10.0 xxxxxxxxxxxx 3 days ago 121MB
-ghcr.io/idaholab/malcolm/pcap-monitor 24.10.0 xxxxxxxxxxxx 3 days ago 213MB
-ghcr.io/idaholab/malcolm/postgresql 24.10.0 xxxxxxxxxxxx 3 days ago 268MB
-ghcr.io/idaholab/malcolm/redis 24.10.0 xxxxxxxxxxxx 3 days ago 34.2MB
-ghcr.io/idaholab/malcolm/suricata 24.10.0 xxxxxxxxxxxx 3 days ago 278MB
-ghcr.io/idaholab/malcolm/zeek 24.10.0 xxxxxxxxxxxx 3 days ago 1GB
+ghcr.io/idaholab/malcolm/api 24.10.1 xxxxxxxxxxxx 3 days ago 158MB
+ghcr.io/idaholab/malcolm/arkime 24.10.1 xxxxxxxxxxxx 3 days ago 816MB
+ghcr.io/idaholab/malcolm/dashboards 24.10.1 xxxxxxxxxxxx 3 days ago 1.02GB
+ghcr.io/idaholab/malcolm/dashboards-helper 24.10.1 xxxxxxxxxxxx 3 days ago 184MB
+ghcr.io/idaholab/malcolm/file-monitor 24.10.1 xxxxxxxxxxxx 3 days ago 588MB
+ghcr.io/idaholab/malcolm/file-upload 24.10.1 xxxxxxxxxxxx 3 days ago 259MB
+ghcr.io/idaholab/malcolm/filebeat-oss 24.10.1 xxxxxxxxxxxx 3 days ago 624MB
+ghcr.io/idaholab/malcolm/freq 24.10.1 xxxxxxxxxxxx 3 days ago 132MB
+ghcr.io/idaholab/malcolm/htadmin 24.10.1 xxxxxxxxxxxx 3 days ago 242MB
+ghcr.io/idaholab/malcolm/logstash-oss 24.10.1 xxxxxxxxxxxx 3 days ago 1.35GB
+ghcr.io/idaholab/malcolm/netbox 24.10.1 xxxxxxxxxxxx 3 days ago 1.01GB
+ghcr.io/idaholab/malcolm/nginx-proxy 24.10.1 xxxxxxxxxxxx 3 days ago 121MB
+ghcr.io/idaholab/malcolm/opensearch 24.10.1 xxxxxxxxxxxx 3 days ago 1.17GB
+ghcr.io/idaholab/malcolm/pcap-capture 24.10.1 xxxxxxxxxxxx 3 days ago 121MB
+ghcr.io/idaholab/malcolm/pcap-monitor 24.10.1 xxxxxxxxxxxx 3 days ago 213MB
+ghcr.io/idaholab/malcolm/postgresql 24.10.1 xxxxxxxxxxxx 3 days ago 268MB
+ghcr.io/idaholab/malcolm/redis 24.10.1 xxxxxxxxxxxx 3 days ago 34.2MB
+ghcr.io/idaholab/malcolm/suricata 24.10.1 xxxxxxxxxxxx 3 days ago 278MB
+ghcr.io/idaholab/malcolm/zeek 24.10.1 xxxxxxxxxxxx 3 days ago 1GB
```
Finally, start Malcolm. When Malcolm starts it will stream informational and debug messages to the console until it has completed initializing.
diff --git a/hedgehog-iso/build.sh b/hedgehog-iso/build.sh
index 8390e6c63..5add931b1 100755
--- a/hedgehog-iso/build.sh
+++ b/hedgehog-iso/build.sh
@@ -5,7 +5,7 @@ IMAGE_PUBLISHER=cisagov
IMAGE_VERSION=1.0.0
IMAGE_DISTRIBUTION=bookworm
-BEATS_VER="8.15.2"
+BEATS_VER="8.15.3"
BEATS_OSS="-oss"
ARKIME_VER="5.4.0"
diff --git a/hedgehog-iso/config/hooks/normal/0910-sensor-build.hook.chroot b/hedgehog-iso/config/hooks/normal/0910-sensor-build.hook.chroot
index 50f9e89af..8c40a1f7c 100755
--- a/hedgehog-iso/config/hooks/normal/0910-sensor-build.hook.chroot
+++ b/hedgehog-iso/config/hooks/normal/0910-sensor-build.hook.chroot
@@ -201,6 +201,7 @@ curl "${GITHUB_API_CURL_ARGS[@]}" "${yq_tar_url}" | tar -xzf - ./yq_linux_${ARCH
mv ./yq_linux_${ARCH} /usr/bin/yq
chmod 755 /usr/bin/yq
+chown root:root /usr/bin/yq
###
# supercronic
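Review bot: The new `chown root:root /usr/bin/yq` fixes ownership of a binary that the `curl ... | tar -xzf` on the hunk's first line pulls from a GitHub release with no integrity check, so a substituted or tampered release asset ends up installed as a root-owned 0755 executable in `/usr/bin`. Saving the archive, verifying it against a SHA-256 pinned in this script (or against the release's published checksums file, if yq ships one — confirm) with `sha256sum -c` before the `mv`, and only then extracting, closes that gap; a pinned digest also makes the image build reproducible and auditable. The surrounding download logic starts before this hunk, so the exact `${yq_tar_url}` construction is out of view.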
@@ -220,6 +221,7 @@ curl "${GITHUB_API_CURL_ARGS[@]}" "${croc_tar_url}" | tar -xzf - croc
mv ./croc /usr/local/bin/croc
chmod 755 /usr/local/bin/croc
+chown root:root /usr/local/bin/croc
###
# update clamav signatures
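Review bot: The added `chown root:root /usr/local/bin/croc` leaves the same gap as the yq step: the binary comes straight out of `curl "${GITHUB_API_CURL_ARGS[@]}" "${croc_tar_url}" | tar -xzf - croc` with no digest or signature verification before it is made a root-owned 0755 executable. Since croc is a network file-transfer tool that will be exposed to peers, verifying the saved archive against a pinned SHA-256 (`sha256sum -c`) before the `mv` is worth the extra two lines. How `${croc_tar_url}` is chosen is outside this hunk.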
diff --git a/hedgehog-iso/config/hooks/normal/0991-security-performance.hook.chroot b/hedgehog-iso/config/hooks/normal/0991-security-performance.hook.chroot
index 4801ca047..e4fa64082 100755
--- a/hedgehog-iso/config/hooks/normal/0991-security-performance.hook.chroot
+++ b/hedgehog-iso/config/hooks/normal/0991-security-performance.hook.chroot
@@ -117,6 +117,7 @@ sed -i "s/#user_allow_other.*/user_allow_other/" /etc/fuse.conf
find /etc/audit -type d -exec chmod 750 "{}" \;
find /etc/audit -type f -exec chmod 640 "{}" \;
chmod 600 /etc/ssh/sshd_config
+chmod o-w /run/sendmail/mta/smsocket
# set DIR_MODE to 750 for new users
sed -i "s/^DIR_MODE=.*/DIR_MODE=0750/" /etc/adduser.conf
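Review bot: `chmod o-w /run/sendmail/mta/smsocket` runs inside the build chroot, but `/run` is a tmpfs recreated at every boot and that socket is created by sendmail when it starts, so the mode set here does not survive to the installed system (and if the socket does not exist in the chroot the `chmod` fails, which aborts the hook if it runs under `set -e` — not visible from here). A durable fix has to apply at runtime: set the socket mode in sendmail's own configuration for that socket, or add an `ExecStartPost=/bin/chmod o-w /run/sendmail/mta/smsocket` drop-in for the sendmail service unit. If the line is kept for the build-time audit run, guard it with `[ -S /run/sendmail/mta/smsocket ] && chmod o-w /run/sendmail/mta/smsocket` so the image build does not depend on a runtime artifact.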
@@ -178,7 +179,7 @@ cat << 'EOF' >> /etc/fluent-bit/parsers.conf
Format logfmt
EOF
-# remove identifying operating system information
+# remove identifying operating system information from /etc/issue*
truncate -s 0 /etc/motd
sed -i "s/Debian/Hedgehog/g" /etc/issue
sed -i "s/Debian/Hedgehog/g" /etc/issue.net
diff --git a/hedgehog-iso/config/includes.chroot/etc/audit/rules.d/audit.rules b/hedgehog-iso/config/includes.chroot/etc/audit/rules.d/audit.rules
index bdc53a2fd..5dcaaab91 100644
--- a/hedgehog-iso/config/includes.chroot/etc/audit/rules.d/audit.rules
+++ b/hedgehog-iso/config/includes.chroot/etc/audit/rules.d/audit.rules
@@ -34,10 +34,14 @@
-a always,exit -F path=/etc/fstab -F perm=wa -k config_file_change
-a always,exit -F path=/etc/hosts.deny -F perm=wa -k config_file_change
-a always,exit -F path=/etc/login.defs -F perm=wa -k config_file_change
+-a always,exit -F path=/etc/logrotate.conf -F perm=wa -k config_file_change
+-a always,exit -F dir=/etc/logrotate.d/ -F perm=wa -k config_file_change
-a always,exit -F path=/etc/profile -F perm=wa -k config_file_change
-a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/ufw/ -F perm=wa -k ufw_config_file_chg
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy
+-a always,exit -F path=/sbin/iptables-restore -F perm=x -k iptables_restore_exec
+-a always,exit -F path=/sbin/ip6tables-restore -F perm=x -k iptables_restore_exec
-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
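Review bot: The two new `iptables-restore` / `ip6tables-restore` rules are the only `perm=x` rules in this block without the `-F auid>=1000 -F auid!=4294967295` filter the neighbouring privileged-binary rules (and the `netfilter-persistent` rule further down) carry, so they will fire for every boot-time firewall load by system services as well as for interactive use. If that is intentional — catching any firewall reload regardless of who triggers it is reasonable — say so, e.g. `# not filtered by auid: firewall reloads by system services are of interest too` above them; otherwise add the same auid filters for consistency. Minor: these use `/sbin/...` while the rest of the file's additions use `/usr/sbin/...`; on merged-/usr Debian both resolve to the same object, so this is cosmetic, but picking one form helps grepping.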
@@ -78,6 +82,7 @@
-a always,exit -F path=/usr/bin/wget -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/write.ul -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/eject/dmcrypt-get-device -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/lib/policykit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
@@ -87,6 +92,7 @@
-a always,exit -F path=/usr/sbin/addgroup -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/adduser -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/exim4 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/faillock -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/usr/sbin/groupadd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/mount.cifs -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/netfilter-persistent -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_persistent_use
@@ -126,6 +132,9 @@
-w /sbin/insmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-w /sbin/rmmod -p x -k modules
+-w /usr/sbin/netfilter-persistent -p x -F auid>=1000 -F auid!=4294967295 -k nft_persistent_use
+-w /usr/sbin/nft -p x -F auid>=1000 -F auid!=4294967295 -k nft_cmd_use
+-w /usr/share/netfilter-persistent/plugins.d/ -p wa -k nft_config_file_change
-w /var/log/btmp -p wa -k session
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
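Review bot: The new `-w /usr/sbin/netfilter-persistent -p x -F auid>=1000 -F auid!=4294967295 -k nft_persistent_use` describes the same object, permission, auid filters and key as the existing `-a always,exit -F path=/usr/sbin/netfilter-persistent -F perm=x ...` rule earlier in this file. auditctl turns a `-w` watch into an exit-filter rule with `path` and `perm` fields, so if the two collapse to an identical kernel rule the second load is rejected with "Rule exists"; whether augenrules dedups the two spellings before loading I cannot confirm from here, so check `auditctl -l` on a built image. Keeping only the `-a ... -F path=` form the rest of the file uses avoids the question; the `nft` watch and the `plugins.d` directory watch are genuine additions and look fine.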
@@ -138,24 +147,35 @@
# syscalls
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
+-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S clock_settime -k time-change
+-a always,exit -F arch=b32 -S clock_settime -k time-change
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
+-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
+-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv
-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv
-a always,exit -F arch=b64 -S init_module -S delete_module -S create_module -S finit_module -k modules
+-a always,exit -F arch=b32 -S init_module -S delete_module -S create_module -S finit_module -k modules
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
+-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F dir=/etc/audit/rules.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/pam.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/profile.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/security/ -F perm=wa -k config_file_change
-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
+-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
# Make the configuration immutable -- reboot is required to change audit rules
-e 2
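Review bot: The b32 twins added here leave four b64 rules without a 32-bit counterpart: both `open_by_handle_at` rules (-EACCES and -EPERM) and the two `execve -C gid!=egid` / `uid!=euid` rules, so a 32-bit setuid/setgid execution or handle-based open is not captured under the `access` and `execpriv` keys while its 64-bit equivalent is. The lines below restore the symmetry. Separately, confirm every syscall name in the b32 lines resolves on each target's 32-bit table before shipping — `stime` in particular is not present on every 32-bit ABI as far as I recall, and auditctl rejects a rule containing an unknown name, which matters here because `-e 2` locks whatever subset did load.
```text
# … unchanged: existing b64/b32 time-change, perm_mod, access rules …
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S execve -C gid!=egid -F key=execpriv
-a always,exit -F arch=b32 -S execve -C uid!=euid -F key=execpriv
# … unchanged: modules, mounts, xattr, delete, config_file_change, system-locale, -e 2 …
```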
diff --git a/hedgehog-iso/config/includes.chroot/etc/ssh/sshd_config b/hedgehog-iso/config/includes.chroot/etc/ssh/sshd_config
index 84e31145f..d1ad39c03 100644
--- a/hedgehog-iso/config/includes.chroot/etc/ssh/sshd_config
+++ b/hedgehog-iso/config/includes.chroot/etc/ssh/sshd_config
@@ -111,7 +111,7 @@ ClientAliveCountMax 0
#ChrootDirectory none
#VersionAddendum none
-Banner=/etc/issue
+Banner=/etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
diff --git a/shared/bin/configure-capture.py b/hedgehog-iso/config/includes.chroot/usr/local/bin/configure-capture.py
similarity index 100%
rename from shared/bin/configure-capture.py
rename to hedgehog-iso/config/includes.chroot/usr/local/bin/configure-capture.py
diff --git a/shared/bin/sensor-init.sh b/hedgehog-iso/config/includes.chroot/usr/local/bin/sensor-init.sh
similarity index 100%
rename from shared/bin/sensor-init.sh
rename to hedgehog-iso/config/includes.chroot/usr/local/bin/sensor-init.sh
diff --git a/shared/bin/ufw_allow_requests.sh b/hedgehog-iso/config/includes.chroot/usr/local/bin/ufw_allow_requests.sh
similarity index 100%
rename from shared/bin/ufw_allow_requests.sh
rename to hedgehog-iso/config/includes.chroot/usr/local/bin/ufw_allow_requests.sh
diff --git a/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek b/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
index 9b66dccfc..e456d7d15 100644
--- a/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
+++ b/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
@@ -16,6 +16,7 @@ global synchrophasor_detailed = (getenv("ZEEK_SYNCHROPHASOR_DETAILED") == true_r
global synchrophasor_ports_str = getenv("ZEEK_SYNCHROPHASOR_PORTS");
global genisys_ports_str = getenv("ZEEK_GENISYS_PORTS");
global enip_ports_str = getenv("ZEEK_ENIP_PORTS");
+global zeek_ja4_ssh_packet_count = (getenv("ZEEK_JA4SSH_PACKET_COUNT") == "") ? 200 : to_count(getenv("ZEEK_JA4SSH_PACKET_COUNT"));
global zeek_local_nets_str = getenv("ZEEK_LOCAL_NETS");
global disable_spicy_ipsec = (getenv("ZEEK_DISABLE_SPICY_IPSEC") == true_regex) ? T : F;
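Review bot: The new `zeek_ja4_ssh_packet_count` line only guards against an empty `ZEEK_JA4SSH_PACKET_COUNT`; any other non-numeric value (a stray space, a word, a negative number) reaches `to_count`, which reports a runtime conversion error and, as far as I recall, evaluates to 0 instead of the intended default — check what the JA4SSH fingerprinter does with a packet count of 0 before relying on that. A full-match pattern test keeps the 200 fallback for anything that is not a plain unsigned integer: `global zeek_ja4_ssh_packet_count = (getenv("ZEEK_JA4SSH_PACKET_COUNT") == /[0-9]+/) ? to_count(getenv("ZEEK_JA4SSH_PACKET_COUNT")) : 200;`. A short comment naming the unit (packets per SSH connection sampled for the fingerprint) would also help, since the value is redef'd far from here.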
@@ -282,6 +283,7 @@ event zeek_init() &priority=-5 {
redef LDAP::default_capture_password = T;
@endif
+redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = zeek_ja4_ssh_packet_count;
redef HTTP::log_client_header_names = T;
redef HTTP::log_server_header_names = T;
redef LDAP::default_log_search_attributes = F;
diff --git a/hedgehog-iso/config/package-lists/system.list.chroot b/hedgehog-iso/config/package-lists/system.list.chroot
index 47d6d3f99..288441685 100644
--- a/hedgehog-iso/config/package-lists/system.list.chroot
+++ b/hedgehog-iso/config/package-lists/system.list.chroot
@@ -145,7 +145,6 @@ rar
rename
rtkit
samba-libs
-screen
sed
sharutils
shed
diff --git a/hedgehog-iso/interface/sensor_ctl/control_vars.conf b/hedgehog-iso/interface/sensor_ctl/control_vars.conf
index 4dd4eac96..d7c9ec680 100644
--- a/hedgehog-iso/interface/sensor_ctl/control_vars.conf
+++ b/hedgehog-iso/interface/sensor_ctl/control_vars.conf
@@ -145,6 +145,7 @@ export ZEEK_DISABLE_ICS_PROFINET=
export ZEEK_DISABLE_ICS_PROFINET_IO_CM=
export ZEEK_DISABLE_ICS_S7COMM=
export ZEEK_DISABLE_ICS_SYNCHROPHASOR=
+export ZEEK_JA4SSH_PACKET_COUNT=200
export ZEEK_SYNCHROPHASOR_PORTS=
export ZEEK_SYNCHROPHASOR_DETAILED=
export ZEEK_GENISYS_PORTS=
diff --git a/hedgehog-raspi/Makefile b/hedgehog-raspi/Makefile
index 2067f470c..ba24cb568 100644
--- a/hedgehog-raspi/Makefile
+++ b/hedgehog-raspi/Makefile
@@ -1,9 +1,9 @@
all: shasums
# List all the supported and built Pi platforms here. They get expanded
-# to names like 'raspi_2_buster.yaml' and 'raspi_3_bullseye.img.xz'.
-BUILD_FAMILIES := 1 2 3 4
-BUILD_RELEASES := bullseye bookworm trixie
+# to names like 'raspi_4_bookworm.yaml' and 'raspi_5_bookworm.img.xz'.
+BUILD_FAMILIES := 4 5
+BUILD_RELEASES := bookworm
platforms := $(foreach plat, $(BUILD_FAMILIES),$(foreach rel, $(BUILD_RELEASES), raspi_$(plat)_$(rel)))
@@ -57,7 +57,7 @@ _ck_root:
[ `whoami` = 'root' ] # Only root can summon vmdb2 ☹
_clean_yaml:
- rm -f $(addsuffix .yaml,$(platforms)) raspi_base_bullseye.yaml raspi_base_bookworm.yaml raspi_base_trixie.yaml
+ rm -f $(addsuffix .yaml,$(platforms)) raspi_base_bookworm.yaml
_clean_images:
rm -f $(addsuffix .img,$(platforms))
_clean_xzimages:
diff --git a/hedgehog-raspi/README.md b/hedgehog-raspi/README.md
index c53ddfee9..debcd5821 100644
--- a/hedgehog-raspi/README.md
+++ b/hedgehog-raspi/README.md
@@ -54,26 +54,32 @@ you'll need to execute `make` as root.
The argument to `make` is constructed as follows:
`raspi__.`
-Whereby is one of `1`, `2`, `3` or `4`, is either
-`bullseye`, `bookworm`, or `trixie`; and is `img` or `yaml`.
+Whereby is one of `4` or `5`; is `bookworm`; and is `img` or `yaml`.
Model `1` should be used for the Raspberry Pi 0, 0w and 1, models A and
B. Model `2` for the Raspberry Pi 2 models A and B. Model `3` for all
-models of the Raspberry Pi 3 and model `4` for all models of the
-Raspberry Pi 4.
-So if you want to build the default image for a Raspberry Pi 3B+ with
-Bullseye, you can just issue:
+models of the Raspberry Pi 3, model `4` for all models of the
+Raspberry Pi 4, and model `5` for all models of the
+Raspberry Pi 5.
+So if you want to build the default image for a Raspberry Pi 4 with
+Bookworm, you can just issue:
```shell
make raspi_4_bookworm.img
```
-**NOTE:** While this setup will build hedgehog for all raspberry pi variants, it is highly unlikely
-that any variant other than RPI 4 (8GB version) will have adequate resources to function effectively as a sensor.
-
At this point; it might be wise to go do something else. The build **WILL** take a while.
Initial testing on a 8-core 16GB build machine took approximately 5.5 hours to complete the image.
+**NOTE:** While this setup will build hedgehog for all raspberry pi variants, it is highly unlikely
+that any variant other than RPI 4 (8GB version) or higher will have adequate resources to function effectively as a sensor.
+
+**NOTE:** Raspberry Pi 5 is **not yet supported** due to missing upstream kernel support. See the following resources:
+
+* [Debian Wiki](https://raspi.debian.net/faq/#faq-rpi5)
+* [Debian Mailing list, March 2024](https://lists.debian.org/debian-arm/2024/03/msg00009.html)
+* [Debian Mailing list, November 2023](https://lists.debian.org/debian-arm/2023/11/msg00025.html)
+
## Installing the image onto the Raspberry Pi
If the build completes properly, it can be tested locally before writing to an SD card if desired.
@@ -94,25 +100,25 @@ important parts of your system. Double check it's the correct
device!), copy the image onto the SD card:
```shell
-bmaptool copy raspi_3_bullseye.img.xz /dev/mmcblk0
+bmaptool copy raspi_3_bookworm.img.xz /dev/mmcblk0
```
Alternatively, if you don't have `bmap-tools` installed, you can use
`dd` with the compressed image:
```shell
-xzcat raspi_3_bullseye.img.xz | dd of=/dev/mmcblk0 bs=64k oflag=dsync status=progress
+xzcat raspi_3_bookworm.img.xz | dd of=/dev/mmcblk0 bs=64k oflag=dsync status=progress
```
Or with the uncompressed image:
```shell
-dd if=raspi_3_bullseye.img of=/dev/mmcblk0 bs=64k oflag=dsync status=progress
+dd if=raspi_3_bookworm.img of=/dev/mmcblk0 bs=64k oflag=dsync status=progress
```
Then, plug the SD card into the Raspberry Pi, and power it up.
-The image uses the hostname `Hedgehog-rpi-0w`, `Hedgehog-rpi-2`, `Hedgehog-rpi-3`, or `Hedgehog-rpi-4` depending on the
+The image uses the hostname `Hedgehog-rpi-0w`, `Hedgehog-rpi-2`, `Hedgehog-rpi-3`, `Hedgehog-rpi-4`, `Hedgehog-rpi-5` depending on the
target build. The provided image will allow you to log in with the
`sensor` account with a default password of `Hedgehog_Linux` or
`root` account with a default password of `Hedgehog_Linux_Root`, but only logging in at the
diff --git a/hedgehog-raspi/generate-recipe.py b/hedgehog-raspi/generate-recipe.py
index c0d43bed2..79e1ebf95 100755
--- a/hedgehog-raspi/generate-recipe.py
+++ b/hedgehog-raspi/generate-recipe.py
@@ -18,7 +18,7 @@
sys.exit(1)
version = sys.argv[1]
-if version not in ["1", "2", "3", "4"]:
+if version not in ["4", "5"]:
print("E: unsupported version %s" % version, file=sys.stderr)
sys.exit(1)
@@ -32,15 +32,7 @@
### Setting variables based on suite and version starts here
# Arch, kernel, DTB:
-if version == '1':
- arch = 'armel'
- linux = 'linux-image-rpi'
- dtb = '/usr/lib/linux-image-*-rpi/bcm*rpi-*.dtb'
-elif version == '2':
- arch = 'armhf'
- linux = 'linux-image-armmp'
- dtb = '/usr/lib/linux-image-*-armmp/bcm*rpi*.dtb'
-elif version in ['3', '4']:
+if version in ['4', '5']:
arch = 'arm64'
linux = 'linux-image-arm64'
dtb = '/usr/lib/linux-image-*-arm64/broadcom/bcm*rpi*.dtb'
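Review bot: `if version in ['4', '5']:` now has no `else`, so `arch`, `linux` and `dtb` stay unbound if the allowed-version list at the top of the script and this list ever drift apart, and the failure would surface later as a NameError rather than as the existing `E: unsupported version` exit. Since the version was already validated, the guard is redundant; either assign the three values unconditionally, or keep the `if` and add `else: sys.exit('E: no arch mapping for version %s' % version)`.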
@@ -53,28 +45,20 @@
firmware_component_old = 'non-free'
# wireless firmware:
-if version != '2':
- wireless_firmware = 'firmware-brcm80211'
-else:
- wireless_firmware = ''
+wireless_firmware = 'firmware-brcm80211'
# bluetooth firmware:
-if version != '2':
- bluetooth_firmware = 'bluez-firmware'
-else:
- bluetooth_firmware = ''
+bluetooth_firmware = 'bluez-firmware'
# We're pulling suricata from backports
backports_enable = True
backports_suite = '%s-backports' % suite
# Serial console:
-if version in ['1', '2']:
- serial = 'ttyAMA0,115200'
-elif version in ['3', '4']:
+if version in ['4', '5']:
serial = 'ttyS1,115200'
-# CMA fixup:
+# CMA fixup (TODO: does this apply to Rpi5?):
extra_chroot_shell_cmds = []
if version == '4':
extra_chroot_shell_cmds = [
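Review bot: `if version in ['4', '5']: serial = 'ttyS1,115200'` is tautological after the version check at the top of the script yet still leaves `serial` unbound if the two lists diverge; this hunk already made `wireless_firmware` and `bluetooth_firmware` unconditional, so do the same here: `serial = 'ttyS1,115200'`. Separately, `ttyS1` is the Pi 4 mini-UART assignment, and I would not assume it holds for the Pi 5, whose debug console is routed differently; the `TODO: does this apply to Rpi5?` left on the CMA fixup applies equally to the serial line and deserves the same marker. The `extra_chroot_shell_cmds` list continues outside this hunk.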
@@ -111,7 +95,6 @@
% MALCOLM_DIR,
]
-# Extend list just in case version is 4
extra_chroot_shell_cmds.extend(
[
'chmod 755 /root/sensor_install.sh',
diff --git a/hedgehog-raspi/raspi_master.yaml b/hedgehog-raspi/raspi_master.yaml
index 38ed3e9f1..5facd2b46 100644
--- a/hedgehog-raspi/raspi_master.yaml
+++ b/hedgehog-raspi/raspi_master.yaml
@@ -1,5 +1,4 @@
---
-# See https://wiki.debian.org/RaspberryPi3 for known issues and more details.
# image.yml based on revision: __GITCOMMIT__
steps:
diff --git a/hedgehog-raspi/sensor_install.sh b/hedgehog-raspi/sensor_install.sh
index 0310104e6..43f8404c2 100644
--- a/hedgehog-raspi/sensor_install.sh
+++ b/hedgehog-raspi/sensor_install.sh
@@ -34,7 +34,7 @@ SENSOR_DIR='/opt/sensor'
ARKIME_VERSION="5.4.0"
-BEATS_VER="8.15.2"
+BEATS_VER="8.15.3"
BEATS_OSS="-oss"
# Option to build from sources if desired
@@ -251,6 +251,7 @@ clean_up() {
# Set Hedgehog banner
mv /root/hedgehog-ascii-text.txt /etc/issue
+ cp /etc/issue /etc/issue.net
# Remove ethernet interface files left by installation
# Sensor setup will create necessary files when user runs setup
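Review bot: `cp /etc/issue /etc/issue.net` only reaches a remote user if sshd is configured with `Banner /etc/issue.net`; nothing in this hunk sets that, so either an sshd_config drop-in exists elsewhere in the install or the copy is inert, and a comment should say which: `# shown by sshd before authentication (requires Banner /etc/issue.net in sshd_config)`. sshd sends the file verbatim to every unauthenticated client, so keep it to the ASCII art: any getty escapes (`\n`, `\l`) added to the source file later would appear literally, and anything identifying the sensor build would be disclosed pre-auth. The enclosing `clean_up` function starts outside this hunk.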
diff --git a/kubernetes/03-opensearch.yml b/kubernetes/03-opensearch.yml
index d216b4aa0..815a87763 100644
--- a/kubernetes/03-opensearch.yml
+++ b/kubernetes/03-opensearch.yml
@@ -30,7 +30,7 @@ spec:
spec:
containers:
- name: opensearch-container
- image: ghcr.io/idaholab/malcolm/opensearch:24.10.0
+ image: ghcr.io/idaholab/malcolm/opensearch:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
@@ -71,7 +71,7 @@ spec:
subPath: "opensearch"
initContainers:
- name: opensearch-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/04-dashboards.yml b/kubernetes/04-dashboards.yml
index 37f58106a..87afa4b6e 100644
--- a/kubernetes/04-dashboards.yml
+++ b/kubernetes/04-dashboards.yml
@@ -30,7 +30,7 @@ spec:
spec:
containers:
- name: dashboards-container
- image: ghcr.io/idaholab/malcolm/dashboards:24.10.0
+ image: ghcr.io/idaholab/malcolm/dashboards:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/05-upload.yml b/kubernetes/05-upload.yml
index e094081c0..67dc3fd0e 100644
--- a/kubernetes/05-upload.yml
+++ b/kubernetes/05-upload.yml
@@ -34,7 +34,7 @@ spec:
spec:
containers:
- name: upload-container
- image: ghcr.io/idaholab/malcolm/file-upload:24.10.0
+ image: ghcr.io/idaholab/malcolm/file-upload:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
@@ -73,7 +73,7 @@ spec:
subPath: "upload"
initContainers:
- name: upload-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/06-pcap-monitor.yml b/kubernetes/06-pcap-monitor.yml
index c947523c8..03509338a 100644
--- a/kubernetes/06-pcap-monitor.yml
+++ b/kubernetes/06-pcap-monitor.yml
@@ -30,7 +30,7 @@ spec:
spec:
containers:
- name: pcap-monitor-container
- image: ghcr.io/idaholab/malcolm/pcap-monitor:24.10.0
+ image: ghcr.io/idaholab/malcolm/pcap-monitor:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
@@ -70,7 +70,7 @@ spec:
name: pcap-monitor-zeek-volume
initContainers:
- name: pcap-monitor-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/07-arkime.yml b/kubernetes/07-arkime.yml
index bf363d3a4..6e4de9a78 100644
--- a/kubernetes/07-arkime.yml
+++ b/kubernetes/07-arkime.yml
@@ -30,7 +30,7 @@ spec:
spec:
containers:
- name: arkime-container
- image: ghcr.io/idaholab/malcolm/arkime:24.10.0
+ image: ghcr.io/idaholab/malcolm/arkime:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
@@ -81,7 +81,7 @@ spec:
name: arkime-pcap-volume
initContainers:
- name: arkime-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/08-api.yml b/kubernetes/08-api.yml
index 860ed225a..407c75e2d 100644
--- a/kubernetes/08-api.yml
+++ b/kubernetes/08-api.yml
@@ -30,7 +30,7 @@ spec:
spec:
containers:
- name: api-container
- image: ghcr.io/idaholab/malcolm/api:24.10.0
+ image: ghcr.io/idaholab/malcolm/api:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
@@ -53,6 +53,8 @@ spec:
name: process-env
- configMapRef:
name: ssl-env
+ - configMapRef:
+ name: upload-common-env
- configMapRef:
name: dashboards-env
- configMapRef:
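Review bot: The new `configMapRef: name: upload-common-env` has no `optional: true`, so the api pod will sit in CreateContainerConfigError if that ConfigMap is absent from the namespace; fine if it is always created alongside the upload deployment, but worth confirming since api did not depend on it before. It also imports every key of that map, and a key it shares with `ssl-env` or `process-env` would, as I understand envFrom precedence, take the later source's value; if only one or two upload settings are needed, a targeted `env:` entry with `valueFrom.configMapKeyRef` keeps api's environment minimal. The container spec continues outside this hunk.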
diff --git a/kubernetes/09-dashboards-helper.yml b/kubernetes/09-dashboards-helper.yml
index 98769d4b3..8b06a86fd 100644
--- a/kubernetes/09-dashboards-helper.yml
+++ b/kubernetes/09-dashboards-helper.yml
@@ -30,7 +30,7 @@ spec:
spec:
containers:
- name: dashboards-helper-container
- image: ghcr.io/idaholab/malcolm/dashboards-helper:24.10.0
+ image: ghcr.io/idaholab/malcolm/dashboards-helper:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/10-zeek.yml b/kubernetes/10-zeek.yml
index 7900c7a29..b48a0700a 100644
--- a/kubernetes/10-zeek.yml
+++ b/kubernetes/10-zeek.yml
@@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: zeek-offline-container
- image: ghcr.io/idaholab/malcolm/zeek:24.10.0
+ image: ghcr.io/idaholab/malcolm/zeek:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
@@ -62,7 +62,7 @@ spec:
subPath: "zeek/intel"
initContainers:
- name: zeek-offline-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/11-suricata.yml b/kubernetes/11-suricata.yml
index 4af3177ae..74df4bce9 100644
--- a/kubernetes/11-suricata.yml
+++ b/kubernetes/11-suricata.yml
@@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: suricata-offline-container
- image: ghcr.io/idaholab/malcolm/suricata:24.10.0
+ image: ghcr.io/idaholab/malcolm/suricata:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
@@ -55,7 +55,7 @@ spec:
name: suricata-offline-custom-configs-volume
initContainers:
- name: suricata-offline-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/12-file-monitor.yml b/kubernetes/12-file-monitor.yml
index dc2f4b4b5..c40d56c15 100644
--- a/kubernetes/12-file-monitor.yml
+++ b/kubernetes/12-file-monitor.yml
@@ -33,7 +33,7 @@ spec:
spec:
containers:
- name: file-monitor-container
- image: ghcr.io/idaholab/malcolm/file-monitor:24.10.0
+ image: ghcr.io/idaholab/malcolm/file-monitor:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
@@ -83,7 +83,7 @@ spec:
name: file-monitor-yara-rules-custom-volume
initContainers:
- name: file-monitor-live-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/13-filebeat.yml b/kubernetes/13-filebeat.yml
index a9c45be20..4bad9aed5 100644
--- a/kubernetes/13-filebeat.yml
+++ b/kubernetes/13-filebeat.yml
@@ -33,7 +33,7 @@ spec:
spec:
containers:
- name: filebeat-container
- image: ghcr.io/idaholab/malcolm/filebeat-oss:24.10.0
+ image: ghcr.io/idaholab/malcolm/filebeat-oss:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
@@ -83,7 +83,7 @@ spec:
subPath: "nginx"
initContainers:
- name: filebeat-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/14-logstash.yml b/kubernetes/14-logstash.yml
index e1c8823e8..88192e877 100644
--- a/kubernetes/14-logstash.yml
+++ b/kubernetes/14-logstash.yml
@@ -49,7 +49,7 @@ spec:
# topologyKey: "kubernetes.io/hostname"
containers:
- name: logstash-container
- image: ghcr.io/idaholab/malcolm/logstash-oss:24.10.0
+ image: ghcr.io/idaholab/malcolm/logstash-oss:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
@@ -115,7 +115,7 @@ spec:
subPath: "logstash"
initContainers:
- name: logstash-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/15-netbox-redis.yml b/kubernetes/15-netbox-redis.yml
index 4267666bd..9acc15d83 100644
--- a/kubernetes/15-netbox-redis.yml
+++ b/kubernetes/15-netbox-redis.yml
@@ -30,7 +30,7 @@ spec:
spec:
containers:
- name: netbox-redis-container
- image: ghcr.io/idaholab/malcolm/redis:24.10.0
+ image: ghcr.io/idaholab/malcolm/redis:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
@@ -83,7 +83,7 @@ spec:
subPath: netbox/redis
initContainers:
- name: netbox-redis-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/16-netbox-redis-cache.yml b/kubernetes/16-netbox-redis-cache.yml
index 8bf968227..ceff58143 100644
--- a/kubernetes/16-netbox-redis-cache.yml
+++ b/kubernetes/16-netbox-redis-cache.yml
@@ -30,7 +30,7 @@ spec:
spec:
containers:
- name: netbox-redis-cache-container
- image: ghcr.io/idaholab/malcolm/redis:24.10.0
+ image: ghcr.io/idaholab/malcolm/redis:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/17-netbox-postgres.yml b/kubernetes/17-netbox-postgres.yml
index c96d1bb4c..9beb6150c 100644
--- a/kubernetes/17-netbox-postgres.yml
+++ b/kubernetes/17-netbox-postgres.yml
@@ -30,7 +30,7 @@ spec:
spec:
containers:
- name: netbox-postgres-container
- image: ghcr.io/idaholab/malcolm/postgresql:24.10.0
+ image: ghcr.io/idaholab/malcolm/postgresql:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
@@ -74,7 +74,7 @@ spec:
subPath: netbox/postgres
initContainers:
- name: netbox-postgres-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/18-netbox.yml b/kubernetes/18-netbox.yml
index 5d3d59a15..b2d8add31 100644
--- a/kubernetes/18-netbox.yml
+++ b/kubernetes/18-netbox.yml
@@ -36,7 +36,7 @@ spec:
spec:
containers:
- name: netbox-container
- image: ghcr.io/idaholab/malcolm/netbox:24.10.0
+ image: ghcr.io/idaholab/malcolm/netbox:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
@@ -88,7 +88,7 @@ spec:
subPath: netbox/media
initContainers:
- name: netbox-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/19-htadmin.yml b/kubernetes/19-htadmin.yml
index 9438eae0c..7e61e21e2 100644
--- a/kubernetes/19-htadmin.yml
+++ b/kubernetes/19-htadmin.yml
@@ -30,7 +30,7 @@ spec:
spec:
containers:
- name: htadmin-container
- image: ghcr.io/idaholab/malcolm/htadmin:24.10.0
+ image: ghcr.io/idaholab/malcolm/htadmin:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
@@ -63,7 +63,7 @@ spec:
subPath: "htadmin"
initContainers:
- name: htadmin-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/20-pcap-capture.yml b/kubernetes/20-pcap-capture.yml
index 44a13f65d..f246b88a1 100644
--- a/kubernetes/20-pcap-capture.yml
+++ b/kubernetes/20-pcap-capture.yml
@@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: pcap-capture-container
- image: ghcr.io/idaholab/malcolm/pcap-capture:24.10.0
+ image: ghcr.io/idaholab/malcolm/pcap-capture:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
@@ -50,7 +50,7 @@ spec:
subPath: "upload"
initContainers:
- name: pcap-capture-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/21-zeek-live.yml b/kubernetes/21-zeek-live.yml
index 4c2d1fd69..3586e4044 100644
--- a/kubernetes/21-zeek-live.yml
+++ b/kubernetes/21-zeek-live.yml
@@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: zeek-live-container
- image: ghcr.io/idaholab/malcolm/zeek:24.10.0
+ image: ghcr.io/idaholab/malcolm/zeek:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
@@ -61,7 +61,7 @@ spec:
subPath: "zeek/intel"
initContainers:
- name: zeek-live-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/22-suricata-live.yml b/kubernetes/22-suricata-live.yml
index 80d085b12..f587c370b 100644
--- a/kubernetes/22-suricata-live.yml
+++ b/kubernetes/22-suricata-live.yml
@@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: suricata-live-container
- image: ghcr.io/idaholab/malcolm/suricata:24.10.0
+ image: ghcr.io/idaholab/malcolm/suricata:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
@@ -56,7 +56,7 @@ spec:
name: suricata-live-custom-configs-volume
initContainers:
- name: suricata-live-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/23-arkime-live.yml b/kubernetes/23-arkime-live.yml
index 39f5deb30..2b0a72754 100644
--- a/kubernetes/23-arkime-live.yml
+++ b/kubernetes/23-arkime-live.yml
@@ -16,7 +16,7 @@ spec:
spec:
containers:
- name: arkime-live-container
- image: ghcr.io/idaholab/malcolm/arkime:24.10.0
+ image: ghcr.io/idaholab/malcolm/arkime:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
@@ -64,7 +64,7 @@ spec:
name: arkime-live-pcap-volume
initContainers:
- name: arkime-live-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/24-freq.yml b/kubernetes/24-freq.yml
index 87bd1ff95..c88134128 100644
--- a/kubernetes/24-freq.yml
+++ b/kubernetes/24-freq.yml
@@ -30,7 +30,7 @@ spec:
spec:
containers:
- name: freq-container
- image: ghcr.io/idaholab/malcolm/freq:24.10.0
+ image: ghcr.io/idaholab/malcolm/freq:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/kubernetes/98-nginx-proxy.yml b/kubernetes/98-nginx-proxy.yml
index 9608d5163..b1d97fb4c 100644
--- a/kubernetes/98-nginx-proxy.yml
+++ b/kubernetes/98-nginx-proxy.yml
@@ -39,7 +39,7 @@ spec:
spec:
containers:
- name: nginx-proxy-container
- image: ghcr.io/idaholab/malcolm/nginx-proxy:24.10.0
+ image: ghcr.io/idaholab/malcolm/nginx-proxy:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
@@ -99,7 +99,7 @@ spec:
subPath: "nginx"
initContainers:
- name: nginx-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:24.10.0
+ image: ghcr.io/idaholab/malcolm/dirinit:24.10.1
imagePullPolicy: Always
stdin: false
tty: true
diff --git a/logstash/maps/malcolm_severity.yaml b/logstash/maps/malcolm_severity.yaml
index b6c43d01d..96bb74e0a 100644
--- a/logstash/maps/malcolm_severity.yaml
+++ b/logstash/maps/malcolm_severity.yaml
@@ -1,4 +1,4 @@
-# keys should match the event.severity_tags values set in 19_severity.conf
+# keys should match the event.severity_tags values set in 1900_severity.conf
"Cross-segment traffic": 20
"External traffic": 20
"Inbound traffic": 50
diff --git a/logstash/maps/zeek_log_ecs_categories.yaml b/logstash/maps/zeek_log_ecs_categories.yaml
index 0c3235d98..cd8883b6b 100644
--- a/logstash/maps/zeek_log_ecs_categories.yaml
+++ b/logstash/maps/zeek_log_ecs_categories.yaml
@@ -102,6 +102,7 @@
"tds_rpc": ["database", "network"]
"tds_sql_batch": ["database", "network"]
"tunnel": ["network"]
+"websocket": ["web", "network"]
"weird": ["intrusion_detection", "network"]
"wireguard": ["network"]
"x509": ["file", "network"]
\ No newline at end of file
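Review bot: The file still ends without a trailing newline (`\ No newline at end of file` applies to both sides), so the next key appended here will again produce a two-line diff against `"x509": ["file", "network"]` exactly as this one did. Adding a newline after the last entry is a one-character fix, and yamllint's `new-line-at-end-of-file` rule would otherwise keep flagging the file.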
diff --git a/logstash/pipelines/zeek/01_input_zeek.conf b/logstash/pipelines/zeek/0100_input_zeek.conf
similarity index 100%
rename from logstash/pipelines/zeek/01_input_zeek.conf
rename to logstash/pipelines/zeek/0100_input_zeek.conf
diff --git a/logstash/pipelines/zeek/10_zeek_prep.conf b/logstash/pipelines/zeek/1000_zeek_prep.conf
similarity index 100%
rename from logstash/pipelines/zeek/10_zeek_prep.conf
rename to logstash/pipelines/zeek/1000_zeek_prep.conf
diff --git a/logstash/pipelines/zeek/1001_zeek_parse.conf b/logstash/pipelines/zeek/1001_zeek_parse.conf
new file mode 100644
index 000000000..454ba8e53
--- /dev/null
+++ b/logstash/pipelines/zeek/1001_zeek_parse.conf
@@ -0,0 +1,82 @@
+########################
+# zeek -> arkime session creation and enrichment
+#
+# see https://docs.zeek.org/en/stable/script-reference/log-files.html for Zeek logfile documentation
+#
+# see source.zeeklogs.js for the Arkime code that turns these into UI fields
+#
+# to profile, debug:
+# - get filters sorted by execution time (where in > 0)
+# $ docker compose exec logstash curl -XGET http://localhost:9600/_node/stats/pipelines | jq -r '.. | .filters? // empty | .[] | objects | select (.events.in > 0) | [.id, .events.in, .events.out, .events.duration_in_millis] | join (";")' | sort -n -t ';' -k4
+# - get filters where in != out
+# $ docker compose exec logstash curl -XGET http://localhost:9600/_node/stats/pipelines | jq -r '.. | .filters? // empty | .[] | objects | select (.events.in != .events.out) | [.id, .events.in, .events.out, .events.duration_in_millis] | join (";")'
+#
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+ # handle JSON-formatted Zeek logs right out of the gate, we'll do the field renaming below
+ if ([message] =~ /^{.*}$/) { json {
+ id => "json_zeek_message_parse"
+ source => "[message]"
+ target => "[zeek_cols]"
+ add_tag => [ "_jsonparsesuccess" ]
+ } }
+
+
+ # in JSON, do some global renaming of common fields to make them match the names we'd
+ # be assigning to them if we were reading TSV
+ if ("_jsonparsesuccess" in [tags]) {
+
+ # some of the ICSNPP parsers do an interesting thing to handle source and destination fields
+ # (see https://github.com/cisagov/icsnpp-bacnet/?tab=readme-ov-file#source-and-destination-fields)
+ # so check for and handle those first
+ ruby {
+ id => "ruby_zeek_json_determine_source_destination_fields"
+ code => "
+ if ![event.get('[zeek_cols][source_h]').to_s,
+ event.get('[zeek_cols][source_p]').to_s,
+ event.get('[zeek_cols][destination_h]').to_s,
+ event.get('[zeek_cols][destination_p]').to_s].reject{ |e| e.nil? || e.empty? || (e == '0') }.empty? then
+ event.set('[@metadata][icsnpp_source_dest_fields]', 'true')
+ end
+ "
+ }
+ if ([@metadata][icsnpp_source_dest_fields]) {
+ mutate {
+ id => "mutate_rename_zeek_json_common_reversed_direction_fields"
+ rename => { "[zeek_cols][id.orig_h]" => "[zeek_cols][drop_orig_h]" }
+ rename => { "[zeek_cols][id.orig_p]" => "[zeek_cols][drop_orig_p]" }
+ rename => { "[zeek_cols][id.resp_h]" => "[zeek_cols][drop_resp_h]" }
+ rename => { "[zeek_cols][id.resp_p]" => "[zeek_cols][drop_resp_p]" }
+ rename => { "[zeek_cols][source_h]" => "[zeek_cols][orig_h]" }
+ rename => { "[zeek_cols][source_p]" => "[zeek_cols][orig_p]" }
+ rename => { "[zeek_cols][destination_h]" => "[zeek_cols][resp_h]" }
+ rename => { "[zeek_cols][destination_p]" => "[zeek_cols][resp_p]" }
+ }
+
+ } else {
+ mutate {
+ id => "mutate_rename_zeek_json_common_fields"
+ rename => { "[zeek_cols][id.orig_h]" => "[zeek_cols][orig_h]" }
+ rename => { "[zeek_cols][id.orig_p]" => "[zeek_cols][orig_p]" }
+ rename => { "[zeek_cols][id.resp_h]" => "[zeek_cols][resp_h]" }
+ rename => { "[zeek_cols][id.resp_p]" => "[zeek_cols][resp_p]" }
+ }
+ } # icsnpp_source_dest_fields or not
+ } # _jsonparsesuccess in tags
+
+ # for non-JSON:
+ # The Dissect is WAY faster than CSV, and quite a bit faster than mutate.split. However, it
+ # is not as flexible when it comes to missing or extra columns
+ # (See https://github.com/logstash-plugins/logstash-filter-dissect/issues/62)
+ #
+ # So, if the dissect filter fails, we're going to fall back to split-then-zip solution.
+ # This should be a good tradeoff between performance (in the case where the Zeek logs
+ # match what we think they should look like) and flexibility (when they don't).
+ #
+ # The one drawback is that if you make a change to the fields in dissect, make sure
+ # you make the corresponding change in the ruby init code.
+
+} # end Filter
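Review bot: The closing comment block beginning `# for non-JSON:` describes the dissect / split-then-zip fallback and its ruby `init` field lists, but none of that code is in this file any more; it lives in the per-log-source files that follow (1011_zeek_bacnet.conf and siblings). As written it reads as if something is missing between the comment and `} # end Filter`. Either move the paragraph into the first per-log-source file, or prefix it with `# The per-log-source parsers in 10xx_zeek_*.conf all follow this approach:` so the reader knows where the described code lives. The JSON path itself looks fine as far as this file shows.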
diff --git a/logstash/pipelines/zeek/1011_zeek_bacnet.conf b/logstash/pipelines/zeek/1011_zeek_bacnet.conf
new file mode 100644
index 000000000..841a0b415
--- /dev/null
+++ b/logstash/pipelines/zeek/1011_zeek_bacnet.conf
@@ -0,0 +1,146 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "bacnet") {
+ #############################################################################################################################
+ # bacnet.log
+ # https://github.com/cisagov/ICSNPP
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_bacnet"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][bvlc_function]} %{[zeek_cols][pdu_type]} %{[zeek_cols][pdu_service]} %{[zeek_cols][invoke_id]} %{[zeek_cols][result_code]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_bacnet"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_bacnet"
+ init => "@zeek_bacnet_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'bvlc_function', 'pdu_type', 'pdu_service', 'invoke_id', 'result_code' ]"
+ code => "event.set('[zeek_cols]', @zeek_bacnet_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_bacnet"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "bacnet"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "bacnet_device_control") {
+ #############################################################################################################################
+ # bacnet_device_control.log
+ # https://github.com/cisagov/ICSNPP
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_bacnet_device_control"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][invoke_id]} %{[zeek_cols][pdu_service]} %{[zeek_cols][time_duration]} %{[zeek_cols][device_state]} %{[zeek_cols][password]} %{[zeek_cols][result]} %{[zeek_cols][result_code]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_bacnet_device_control"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_bacnet_device_control"
+ init => "@zeek_bacnet_device_control_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'invoke_id', 'pdu_service', 'time_duration', 'device_state', 'password', 'result', 'result_code' ]"
+ code => "event.set('[zeek_cols]', @zeek_bacnet_device_control_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_bacnet_device_control"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "bacnet"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "bacnet_discovery") {
+ #############################################################################################################################
+ # bacnet_discovery.log
+ # https://github.com/cisagov/ICSNPP
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_bacnet_discovery"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][pdu_service]} %{[zeek_cols][device_id_type]} %{[zeek_cols][device_id_number]} %{[zeek_cols][object_type]} %{[zeek_cols][instance_number]} %{[zeek_cols][vendor]} %{[zeek_cols][range]} %{[zeek_cols][object_name]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_bacnet_discovery"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_bacnet_discovery"
+ init => "@zeek_bacnet_discovery_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'pdu_service', 'device_id_type', 'device_id_number', 'object_type', 'instance_number', 'vendor', 'range', 'object_name' ]"
+ code => "event.set('[zeek_cols]', @zeek_bacnet_discovery_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_bacnet_discovery"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "bacnet"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "bacnet_property") {
+ #############################################################################################################################
+ # bacnet_property.log
+ # https://github.com/cisagov/ICSNPP
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_bacnet_property"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][invoke_id]} %{[zeek_cols][pdu_service]} %{[zeek_cols][object_type]} %{[zeek_cols][instance_number]} %{[zeek_cols][property]} %{[zeek_cols][array_index]} %{[zeek_cols][value]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_bacnet_property"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_bacnet_property"
+ init => "@zeek_bacnet_property_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'invoke_id', 'pdu_service', 'object_type', 'instance_number', 'property', 'array_index', 'value' ]"
+ code => "event.set('[zeek_cols]', @zeek_bacnet_property_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_bacnet_property"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "bacnet"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ }
+
+} # end Filter
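Review bot: `bacnet_device_control` maps a `%{[zeek_cols][password]}` column (also in the ruby `init` list), presumably the cleartext password that BACnet device-control services carry on the wire, and this pipeline indexes it as-is. Storing a live ICS credential in a searchable field deserves a deliberate decision: at minimum a comment, `# NOTE: 'password' is the cleartext BACnet device-control password observed on the wire; consider redacting or hashing before indexing`, and ideally a `mutate { replace => ... }` or fingerprint filter so the raw value never reaches OpenSearch. If analysts need the value for incident work, a field-level access restriction in OpenSearch is the alternative.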
diff --git a/logstash/pipelines/zeek/1012_zeek_bestguess.conf b/logstash/pipelines/zeek/1012_zeek_bestguess.conf
new file mode 100644
index 000000000..9067f3f09
--- /dev/null
+++ b/logstash/pipelines/zeek/1012_zeek_bestguess.conf
@@ -0,0 +1,37 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "bestguess") {
+ #############################################################################################################################
+ # bestguess.log
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_bestguess"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][name]} %{[zeek_cols][category]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_bestguess"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_bestguess"
+ init => "@zeek_bestguess_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'name', 'category' ]"
+ code => "event.set('[zeek_cols]', @zeek_bestguess_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate { id => "mutate_add_tag_ics_best_guess_log"
+ add_tag => [ "ics_best_guess" ] }
+
+ }
+
+} # end Filter
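Review bot: The ruby fallback at L5272–L5276 silently misaligns fields when the whitespace split yields a different number of columns than `@zeek_bestguess_field_names`: Ruby's `Array#zip` pads a short row with nil and drops extra trailing columns, so a schema change in bestguess.log (or an embedded space in a value) would fill `resp_h`/`proto` from the wrong column, and the only trace is the generic `_dissectfailure` tag, which is also present when the fallback worked. The same fallback pattern appears in the bsap, conn, dce_rpc, dhcp, diagnostic and dnp3 files in this commit. Consider making the mismatch visible in the index, e.g. `code => "vals = event.get('[message]'); event.set('[zeek_cols]', @zeek_bestguess_field_names.zip(vals).to_h); event.tag('_zeek_column_count_mismatch') if vals.is_a?(Array) && vals.length != @zeek_bestguess_field_names.length"` (tag name illustrative). Separately, this is the only file in the commit whose header comment at L5258 has no link to the log's definition, and if leaving `_dissectfailure` on recovered events is intentional, a one-line comment saying so would save the next reader from "fixing" it.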
diff --git a/logstash/pipelines/zeek/1013_zeek_bsap.conf b/logstash/pipelines/zeek/1013_zeek_bsap.conf
new file mode 100644
index 000000000..8a9f8f0b6
--- /dev/null
+++ b/logstash/pipelines/zeek/1013_zeek_bsap.conf
@@ -0,0 +1,185 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+ if ([log_source] == "bsap_ip_header") {
+ #############################################################################################################################
+ # bsap_ip_header.log
+ # https://github.com/cisagov/ICSNPP
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_bsap_ip_header"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][num_msg]} %{[zeek_cols][type_name]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_bsap_ip_header"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_bsap_ip_header"
+ init => "@zeek_bsap_ip_header_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'num_msg', 'type_name' ]"
+ code => "event.set('[zeek_cols]', @zeek_bsap_ip_header_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_bsap_ip_header"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "bsap"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "bsap_ip_rdb") {
+ #############################################################################################################################
+ # bsap_ip_rdb.log
+ # https://github.com/cisagov/ICSNPP
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_bsap_ip_rdb"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][header_size]} %{[zeek_cols][mes_seq]} %{[zeek_cols][res_seq]} %{[zeek_cols][data_len]} %{[zeek_cols][sequence]} %{[zeek_cols][app_func_code]} %{[zeek_cols][node_status]} %{[zeek_cols][func_code]} %{[zeek_cols][variable_count]} %{[zeek_cols][variables]} %{[zeek_cols][variable_value]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_bsap_ip_rdb"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_bsap_ip_rdb"
+ init => "@zeek_bsap_ip_rdb_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'header_size', 'mes_seq', 'res_seq', 'data_len', 'sequence', 'app_func_code', 'node_status', 'func_code', 'variable_count', 'variables', 'variable_value' ]"
+ code => "event.set('[zeek_cols]', @zeek_bsap_ip_rdb_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_bsap_ip_rdb"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "bsap"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "bsap_serial_header") {
+ #############################################################################################################################
+ # bsap_serial_header.log
+ # https://github.com/cisagov/ICSNPP
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_bsap_serial_header"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ser]} %{[zeek_cols][dadd]} %{[zeek_cols][sadd]} %{[zeek_cols][ctl]} %{[zeek_cols][dfun]} %{[zeek_cols][seq]} %{[zeek_cols][sfun]} %{[zeek_cols][nsb]} %{[zeek_cols][type_name]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_bsap_serial_header"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_bsap_serial_header"
+ init => "@zeek_bsap_serial_header_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'ser', 'dadd', 'sadd', 'ctl', 'dfun', 'seq', 'sfun', 'nsb', 'type_name' ]"
+ code => "event.set('[zeek_cols]', @zeek_bsap_serial_header_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_bsap_serial_header"
+ add_field => {
+ "[zeek_cols][proto]" => "serial"
+ "[zeek_cols][service]" => "bsap"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "bsap_serial_rdb") {
+ #############################################################################################################################
+ # bsap_serial_rdb.log
+ # https://github.com/cisagov/ICSNPP
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_bsap_serial_rdb"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][func_code]} %{[zeek_cols][variable_count]} %{[zeek_cols][variables]} %{[zeek_cols][variable_value]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_bsap_serial_rdb"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_bsap_serial_rdb"
+ init => "@zeek_bsap_serial_rdb_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'func_code', 'variable_count', 'variables', 'variable_value' ]"
+ code => "event.set('[zeek_cols]', @zeek_bsap_serial_rdb_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_bsap_serial_rdb"
+ add_field => {
+ "[zeek_cols][proto]" => "serial"
+ "[zeek_cols][service]" => "bsap"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "bsap_serial_rdb_ext") {
+ #############################################################################################################################
+ # bsap_serial_rdb_ext.log
+ # https://github.com/cisagov/ICSNPP
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_bsap_serial_rdb_ext"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][dfun]} %{[zeek_cols][seq]} %{[zeek_cols][sfun]} %{[zeek_cols][nsb]} %{[zeek_cols][extfun]} %{[zeek_cols][data]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_bsap_serial_rdb_ext"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_bsap_serial_rdb_ext"
+ init => "@zeek_bsap_serial_rdb_ext_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'dfun', 'seq', 'sfun', 'nsb', 'extfun', 'data' ]"
+ code => "event.set('[zeek_cols]', @zeek_bsap_serial_rdb_ext_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_bsap_serial_rdb_ext"
+ add_field => {
+ "[zeek_cols][proto]" => "serial"
+ "[zeek_cols][service]" => "bsap"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ # for now, drop hex-encoded binary data for size
+ if ([zeek_cols][data]) {
+ mutate { id => "mutate_remove_field_zeek_bsap_serial_rdb_ext_data"
+ remove_field => [ "[zeek_cols][data]" ] }
+ }
+
+ }
+
+} # end Filter
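Review bot: Every mapping in this file (L5307, L5341, L5375, L5409, L5443) parses `drop_orig_h`, `drop_orig_p`, `drop_resp_h` and `drop_resp_p` columns that nothing in the file removes, and the `drop_` prefix only hints that a later stage discards them; a comment near the top of the file, e.g. `# drop_* columns are placeholders and are removed by <stage or file name>`, would stop a reader from searching this file for the missing mutate. The same columns appear in the dnp3_control mapping at L6095, whose hunk runs past the end of this view. The unconditional `remove_field` of `[zeek_cols][data]` at L5470 is labelled `for now` without saying what would change the decision; stating the size concern concretely (and, if it applies, the condition under which the payload would be kept) keeps that choice reviewable, since it discards the only protocol payload this log carries.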
diff --git a/logstash/pipelines/zeek/1014_zeek_conn.conf b/logstash/pipelines/zeek/1014_zeek_conn.conf
new file mode 100644
index 000000000..29f2cb613
--- /dev/null
+++ b/logstash/pipelines/zeek/1014_zeek_conn.conf
@@ -0,0 +1,85 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "conn") {
+ #############################################################################################################################
+ # conn.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/conn/main.zeek.html#type-Conn::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_conn_with_all_fields"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][service]} %{[zeek_cols][duration]} %{[zeek_cols][orig_bytes]} %{[zeek_cols][resp_bytes]} %{[zeek_cols][conn_state]} %{[zeek_cols][local_orig]} %{[zeek_cols][local_resp]} %{[zeek_cols][missed_bytes]} %{[zeek_cols][history]} %{[zeek_cols][orig_pkts]} %{[zeek_cols][orig_ip_bytes]} %{[zeek_cols][resp_pkts]} %{[zeek_cols][resp_ip_bytes]} %{[zeek_cols][tunnel_parents]} %{[zeek_cols][vlan]} %{[zeek_cols][inner_vlan]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][community_id]} %{[zeek_cols][ja4l]} %{[zeek_cols][ja4ls]} %{[zeek_cols][ja4t]} %{[zeek_cols][ja4ts]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_conn"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_conn"
+ init => "@zeek_conn_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'service', 'duration', 'orig_bytes', 'resp_bytes', 'conn_state', 'local_orig', 'local_resp', 'missed_bytes', 'history', 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes', 'tunnel_parents', 'vlan', 'inner_vlan', 'orig_l2_addr', 'resp_l2_addr', 'community_id', 'ja4l', 'ja4ls', 'ja4t', 'ja4ts' ]"
+ code => "event.set('[zeek_cols]', @zeek_conn_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ # normalize service string(s)
+
+ # For some reason, even in JSON, I have service strings like:
+ # ...,"proto":"udp","service":"profinet,profinet_dce_rpc,spicy_profinet_io_cm,profinet",...
+ # so whatever reason it's not already an array. Split it here.
+ mutate { id => "mutate_split_zeek_conn_commas"
+ split => { "[zeek_cols][service]" => "," } }
+
+ # some services are named like blah_udp/blah_tcp/blah_data, and we don't care about the suffix
+ mutate { id => "mutate_gsub_field_zeek_conn_service_protocol_suffix"
+ gsub => [ "[zeek_cols][service]", "[_-](tcp|udp|data)", "" ] }
+
+ # if it's coming from spicy, we don't care to have that in the service name
+ mutate { id => "mutate_gsub_field_zeek_conn_service_spicy_prefix"
+ gsub => [ "[zeek_cols][service]", "spicy_", "" ] }
+
+ mutate { id => "mutate_gsub_field_zeek_conn_service_spicy_cipher_suffix"
+ gsub => [ "[zeek_cols][service]", "(_hmac)?(_(sha|md)\d+)?$", "" ] }
+
+ if ([zeek_cols][orig_ip_bytes]) and ([zeek_cols][orig_ip_bytes] != '-') and ([zeek_cols][orig_ip_bytes] != '(empty)') and ([zeek_cols][orig_ip_bytes] != '') {
+ mutate { id => "mutate_add_field_zeek_srcBytes"
+ add_field => { "[source][bytes]" => "%{[zeek_cols][orig_ip_bytes]}" } }
+ }
+ if ([zeek_cols][resp_ip_bytes]) and ([zeek_cols][resp_ip_bytes] != '-') and ([zeek_cols][resp_ip_bytes] != '(empty)') and ([zeek_cols][resp_ip_bytes] != '') {
+ mutate { id => "mutate_add_field_zeek_dstBytes"
+ add_field => { "[destination][bytes]" => "%{[zeek_cols][resp_ip_bytes]}" } }
+ }
+ if ([zeek_cols][orig_pkts]) and ([zeek_cols][orig_pkts] != '-') and ([zeek_cols][orig_pkts] != '(empty)') and ([zeek_cols][orig_pkts] != '') {
+ mutate { id => "mutate_add_field_zeek_srcPackets"
+ add_field => { "[source][packets]" => "%{[zeek_cols][orig_pkts]}" } }
+ }
+ if ([zeek_cols][orig_bytes]) and ([zeek_cols][orig_bytes] != '-') and ([zeek_cols][orig_bytes] != '(empty)') and ([zeek_cols][orig_bytes] != '') {
+ mutate { id => "mutate_add_field_zeek_srcDataBytes"
+ add_field => { "[client][bytes]" => "%{[zeek_cols][orig_bytes]}" } }
+ }
+ if ([zeek_cols][resp_pkts]) and ([zeek_cols][resp_pkts] != '-') and ([zeek_cols][resp_pkts] != '(empty)') and ([zeek_cols][resp_pkts] != '') {
+ mutate { id => "mutate_add_field_zeek_dstPackets"
+ add_field => { "[destination][packets]" => "%{[zeek_cols][resp_pkts]}" } }
+ }
+ if ([zeek_cols][resp_bytes]) and ([zeek_cols][resp_bytes] != '-') and ([zeek_cols][resp_bytes] != '(empty)') and ([zeek_cols][resp_bytes] != '') {
+ mutate { id => "mutate_add_field_zeek_dstDataBytes"
+ add_field => { "[server][bytes]" => "%{[zeek_cols][resp_bytes]}" } }
+ }
+ if ([zeek_cols][tunnel_parents]) and ([zeek_cols][tunnel_parents] != '(empty)') and ([zeek_cols][tunnel_parents] != '-') and ([zeek_cols][tunnel_parents] != '') {
+ if ("_jsonparsesuccess" not in [tags]) { mutate { id => "mutate_split_zeek_tunnel_parents"
+ split => { "[zeek_cols][tunnel_parents]" => "," } } }
+ mutate { id => "mutate_add_field_zeek_conn_rootId"
+ add_field => { "[rootId]" => "%{[zeek_cols][tunnel_parents][0]}" } }
+ }
+
+ }
+
+} # end Filter
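Review bot: The service normalization at L5524–L5529 is unanchored, so `spicy_` and `[_-](tcp|udp|data)` are removed wherever they occur in the string, while the dpd block in 1017_zeek_diagnostic.conf (L6028–L6036) anchors both (`^spicy_` and `_(tcp|udp)(_hmac)?(_(sha|md)\d+)?$`), so the two logs can end up with different service names for the same analyzer. Unless mid-string matches are intended, aligning conn with dpd — `gsub => [ "[zeek_cols][service]", "^spicy_", "" ]` plus a single anchored suffix regex such as `"[_-](tcp|udp|data)(_hmac)?(_(sha|md)\d+)?$"` replacing the two gsubs at L5525 and L5532 — keeps `service` values comparable across logs, which matters when dashboards or detections key on that field. After the comma split at L5521 the field is an array and gsub is applied per element, so the anchored form still works for multi-valued services.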
diff --git a/logstash/pipelines/zeek/1015_zeek_dce_rpc.conf b/logstash/pipelines/zeek/1015_zeek_dce_rpc.conf
new file mode 100644
index 000000000..e2efbab9c
--- /dev/null
+++ b/logstash/pipelines/zeek/1015_zeek_dce_rpc.conf
@@ -0,0 +1,43 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "dce_rpc") {
+ #############################################################################################################################
+ # dce_rpc.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/dce-rpc/main.zeek.html#type-DCE_RPC::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_dce_rpc"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][rtt]} %{[zeek_cols][named_pipe]} %{[zeek_cols][endpoint]} %{[zeek_cols][operation]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_dce_rpc"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_dce_rpc"
+ init => "@zeek_dce_rpc_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'rtt', 'named_pipe', 'endpoint', 'operation' ]"
+ code => "event.set('[zeek_cols]', @zeek_dce_rpc_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_dce_rpc"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "dce_rpc"
+ }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1016_zeek_dhcp.conf b/logstash/pipelines/zeek/1016_zeek_dhcp.conf
new file mode 100644
index 000000000..f94df57df
--- /dev/null
+++ b/logstash/pipelines/zeek/1016_zeek_dhcp.conf
@@ -0,0 +1,77 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "dhcp") {
+ #############################################################################################################################
+ # dhcp.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/dhcp/main.zeek.html#type-DHCP::Info
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_dhcp_fields"
+ rename => { "[zeek_cols][uids]" => "[zeek_cols][uid]" }
+ rename => { "[zeek_cols][client_addr]" => "[zeek_cols][orig_h]" }
+ rename => { "[zeek_cols][server_addr]" => "[zeek_cols][orig_p]" }
+ rename => { "[zeek_cols][mac]" => "[zeek_cols][orig_l2_addr]" }
+ rename => { "[zeek_cols][requested_addr]" => "[zeek_cols][requested_ip]" }
+ rename => { "[zeek_cols][assigned_addr]" => "[zeek_cols][assigned_ip]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_dhcp_with_all_fields"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][resp_h]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][host_name]} %{[zeek_cols][client_fqdn]} %{[zeek_cols][domain]} %{[zeek_cols][requested_ip]} %{[zeek_cols][assigned_ip]} %{[zeek_cols][lease_time]} %{[zeek_cols][client_message]} %{[zeek_cols][server_message]} %{[zeek_cols][msg_types]} %{[zeek_cols][duration]} %{[zeek_cols][client_software]} %{[zeek_cols][server_software]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_dhcp"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_dhcp"
+ init => "@zeek_dhcp_field_names = [ 'ts', 'uid', 'orig_h', 'resp_h', 'orig_l2_addr', 'host_name', 'client_fqdn', 'domain', 'requested_ip', 'assigned_ip', 'lease_time', 'client_message', 'server_message', 'msg_types', 'duration', 'client_software', 'server_software' ]"
+ code => "event.set('[zeek_cols]', @zeek_dhcp_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_zeek_dhcp_msg_types"
+ split => { "[zeek_cols][msg_types]" => "," } }
+ if ([zeek_cols][uid]) and
+ ([zeek_cols][uid] != '(empty)') and
+ ([zeek_cols][uid] != '') {
+ mutate { id => "mutate_split_zeek_dhcp_uids"
+ split => { "[zeek_cols][uid]" => "," } }
+ }
+ }
+
+ if ([zeek_cols][uid] and [zeek_cols][uid][0]) {
+ mutate { id => "mutate_add_field_zeek_dhcp_uids"
+ add_field => { "[rootId]" => "%{[zeek_cols][uid][0]}" } }
+ }
+
+ if ((![zeek_cols][orig_p]) and (![zeek_cols][resp_p])) {
+ mutate {
+ id => "mutate_add_field_zeek_dhcp_ports"
+ add_field => {
+ "[zeek_cols][orig_p]" => 68
+ "[zeek_cols][resp_p]" => 67
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_dhcp"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "dhcp"
+ }
+ }
+
+ }
+
+} # end Filter
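Review bot: The rename at L5640 maps `[zeek_cols][server_addr]` to `[zeek_cols][orig_p]`, a port field, while the TSV path at L5650 places the server address in `[zeek_cols][resp_h]`; for JSON input the responder IP therefore lands in `orig_p` and `resp_h` is never set. Because `orig_p` is then populated, the guard at L5679 (`(![zeek_cols][orig_p]) and (![zeek_cols][resp_p])`) is false for JSON events, so the 68/67 defaults are not added and the event carries an IP address as its source port. The fix is the one-line change `rename => { "[zeek_cols][server_addr]" => "[zeek_cols][resp_h]" }`. A JSON-path sample in whatever pipeline tests exist would catch this class of field-alignment error, since the TSV and JSON branches are independently maintained.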
diff --git a/logstash/pipelines/zeek/1017_zeek_diagnostic.conf b/logstash/pipelines/zeek/1017_zeek_diagnostic.conf
new file mode 100644
index 000000000..b1c7025aa
--- /dev/null
+++ b/logstash/pipelines/zeek/1017_zeek_diagnostic.conf
@@ -0,0 +1,336 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+ if ([log_source] == "analyzer") {
+ #############################################################################################################################
+ # analyzer.log
+ # Zeek Logging analyzer confirmations and violations into analyzer.log
+ # https://docs.zeek.org/en/master/scripts/base/frameworks/analyzer/logging.zeek.html
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_diagnostic_analyzer"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][cause]} %{[zeek_cols][analyzer_kind]} %{[zeek_cols][analyzer_name]} %{[zeek_cols][uid]} %{[zeek_cols][fuid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][failure_reason]} %{[zeek_cols][failure_data]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_diagnostic_analyzer"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_diagnostic_analyzer"
+ init => "@zeek_diagnostic_analyzer_field_names = [ 'ts', 'cause', 'analyzer_kind', 'analyzer_name', 'uid', 'fuid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'failure_reason', 'failure_data' ]"
+ code => "event.set('[zeek_cols]', @zeek_diagnostic_analyzer_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ # we are *not* adding the _zeekdiagnostic even though it could arguably be classified as such, the reason being that
+ # the UID/FUID and IP/ports make it suitable to be searched with the network data
+
+ } else if ([log_source] == "broker") {
+ #############################################################################################################################
+ # broker.log
+ # https://docs.zeek.org/en/master/scripts/base/frameworks/broker/log.zeek.html
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_broker_fields"
+ rename => { "[zeek_cols][ty]" => "[zeek_cols][event_type]" }
+ rename => { "[zeek_cols][ev]" => "[zeek_cols][event_action]" }
+ rename => { "[zeek_cols][peer.address]" => "[zeek_cols][peer_ip]" }
+ rename => { "[zeek_cols][peer.bound_port]" => "[zeek_cols][peer_port]" }
+ rename => { "[zeek_cols][message]" => "[zeek_cols][peer_message]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_diagnostic_broker"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][event_type]} %{[zeek_cols][event_action]} %{[zeek_cols][peer_ip]} %{[zeek_cols][peer_port]} %{[zeek_cols][peer_message]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_diagnostic_broker"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_diagnostic_broker"
+ init => "@zeek_diagnostic_broker_field_names = [ 'ts', 'event_type', 'event_action', 'peer_ip', 'peer_port', 'peer_message' ]"
+ code => "event.set('[zeek_cols]', @zeek_diagnostic_broker_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate { id => "mutate_add_tag_zeek_diagnostic_broker"
+ add_tag => [ "_zeekdiagnostic" ] }
+
+ } else if ([log_source] == "capture_loss") {
+ #############################################################################################################################
+ # capture_loss.log
+ # Reports analysis of missing traffic. Zeek bases its conclusions on analysis of TCP sequence numbers.
+ # https://docs.zeek.org/en/master/logs/capture-loss-and-reporter.html
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_diagnostic_capture_loss"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][ts_delta]} %{[zeek_cols][peer]} %{[zeek_cols][gaps]} %{[zeek_cols][acks]} %{[zeek_cols][percent_lost]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_diagnostic_capture_loss"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_diagnostic_capture_loss"
+ init => "@zeek_diagnostic_capture_loss_field_names = [ 'ts', 'ts_delta', 'peer', 'gaps', 'acks', 'percent_lost' ]"
+ code => "event.set('[zeek_cols]', @zeek_diagnostic_capture_loss_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate { id => "mutate_add_tag_zeek_diagnostic_capture_loss"
+ add_tag => [ "_zeekdiagnostic" ] }
+
+ } else if ([log_source] == "cluster") {
+ #############################################################################################################################
+ # cluster.log
+ # Logging for establishing and controlling a cluster of Zeek instances
+ # https://docs.zeek.org/en/master/scripts/base/frameworks/cluster/main.zeek.html#type-Cluster::Info
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_cluster_fields"
+ rename => { "[zeek_cols][message]" => "[zeek_cols][node_message]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_diagnostic_cluster"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][node]} %{[zeek_cols][node_message]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_diagnostic_cluster"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_diagnostic_cluster"
+ init => "@zeek_diagnostic_cluster_field_names = [ 'ts', 'node', 'node_message' ]"
+ code => "event.set('[zeek_cols]', @zeek_diagnostic_cluster_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate { id => "mutate_add_tag_zeek_diagnostic_cluster"
+ add_tag => [ "_zeekdiagnostic" ] }
+
+ } else if ([log_source] == "config") {
+ #############################################################################################################################
+ # config.log
+ # Logging for Zeek configuration changes
+ # https://docs.zeek.org/en/master/scripts/base/frameworks/config/main.zeek.html#type-Config::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_diagnostic_config"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][value_name]} %{[zeek_cols][value_old]} %{[zeek_cols][value_new]} %{[zeek_cols][location]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_diagnostic_config"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_diagnostic_config"
+ init => "@zeek_diagnostic_config_field_names = [ 'ts', 'value_name', 'value_old', 'value_new', 'location' ]"
+ code => "event.set('[zeek_cols]', @zeek_diagnostic_config_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate { id => "mutate_add_tag_zeek_diagnostic_config"
+ add_tag => [ "_zeekdiagnostic" ] }
+
+ } else if ([log_source] == "packet_filter") {
+ #############################################################################################################################
+ # packet_filter.log
+ # https://docs.zeek.org/en/master/scripts/base/frameworks/packet-filter/main.zeek.html#type-PacketFilter::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_diagnostic_packet_filter"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][node]} %{[zeek_cols][filter]} %{[zeek_cols][init]} %{[zeek_cols][success]} %{[zeek_cols][failure_reason]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_diagnostic_packet_filter"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_diagnostic_packet_filter"
+ init => "@zeek_diagnostic_packet_filter_field_names = [ 'ts', 'node', 'filter', 'init', 'success', 'failure_reason' ]"
+ code => "event.set('[zeek_cols]', @zeek_diagnostic_packet_filter_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate { id => "mutate_add_tag_zeek_diagnostic_packet_filter"
+ add_tag => [ "_zeekdiagnostic" ] }
+
+ } else if ([log_source] == "print") {
+ #############################################################################################################################
+ # print.log
+ # https://docs.zeek.org/en/master/scripts/base/frameworks/logging/main.zeek.html#type-Log::PrintLogInfo
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_diagnostic_print"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][vals]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_diagnostic_print"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_diagnostic_print"
+ init => "@zeek_diagnostic_print_field_names = [ 'ts', 'vals' ]"
+ code => "event.set('[zeek_cols]', @zeek_diagnostic_print_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "split_zeek_diagnostic_print_vals"
+ split => { "[zeek_cols][vals]" => "," } }
+ }
+
+ mutate { id => "mutate_add_tag_zeek_diagnostic_print"
+ add_tag => [ "_zeekdiagnostic" ] }
+
+
+ } else if ([log_source] == "reporter") {
+ #############################################################################################################################
+ # reporter.log
+ # https://docs.zeek.org/en/master/scripts/base/frameworks/reporter/main.zeek.html#type-Reporter::Info
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_reporter_fields"
+ rename => { "[zeek_cols][message]" => "[zeek_cols][msg]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_diagnostic_reporter"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][level]} %{[zeek_cols][msg]} %{[zeek_cols][location]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_diagnostic_reporter"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_diagnostic_reporter"
+ init => "@zeek_diagnostic_reporter_field_names = [ 'ts', 'level', 'msg', 'location' ]"
+ code => "event.set('[zeek_cols]', @zeek_diagnostic_reporter_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate { id => "mutate_add_tag_zeek_diagnostic_reporter"
+ add_tag => [ "_zeekdiagnostic" ] }
+
+ } else if ([log_source] == "stats") {
+ #############################################################################################################################
+ # stats.log
+ # https://docs.zeek.org/en/master/scripts/policy/misc/stats.zeek.html#type-Stats::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_diagnostic_stats"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][peer]} %{[zeek_cols][mem]} %{[zeek_cols][pkts_proc]} %{[zeek_cols][bytes_recv]} %{[zeek_cols][pkts_dropped]} %{[zeek_cols][pkts_link]} %{[zeek_cols][pkt_lag]} %{[zeek_cols][pkts_filtered]} %{[zeek_cols][events_proc]} %{[zeek_cols][events_queued]} %{[zeek_cols][active_tcp_conns]} %{[zeek_cols][active_udp_conns]} %{[zeek_cols][active_icmp_conns]} %{[zeek_cols][tcp_conns]} %{[zeek_cols][udp_conns]} %{[zeek_cols][icmp_conns]} %{[zeek_cols][timers]} %{[zeek_cols][active_timers]} %{[zeek_cols][files]} %{[zeek_cols][active_files]} %{[zeek_cols][dns_requests]} %{[zeek_cols][active_dns_requests]} %{[zeek_cols][reassem_tcp_size]} %{[zeek_cols][reassem_file_size]} %{[zeek_cols][reassem_frag_size]} %{[zeek_cols][reassem_unknown_size]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_diagnostic_stats"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_diagnostic_stats"
+ init => "@zeek_diagnostic_stats_field_names = [ 'ts', 'peer', 'mem', 'pkts_proc', 'bytes_recv', 'pkts_dropped', 'pkts_link', 'pkt_lag', 'pkts_filtered', 'events_proc', 'events_queued', 'active_tcp_conns', 'active_udp_conns', 'active_icmp_conns', 'tcp_conns', 'udp_conns', 'icmp_conns', 'timers', 'active_timers', 'files', 'active_files', 'dns_requests', 'active_dns_requests', 'reassem_tcp_size', 'reassem_file_size', 'reassem_frag_size', 'reassem_unknown_size' ]"
+ code => "event.set('[zeek_cols]', @zeek_diagnostic_stats_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate { id => "mutate_add_tag_zeek_diagnostic_stats"
+ add_tag => [ "_zeekdiagnostic" ] }
+
+ } else if ([log_source] == "dpd") {
+ #############################################################################################################################
+ # dpd.log
+ # https://docs.zeek.org/en/stable/scripts/base/frameworks/dpd/main.zeek.html#type-DPD::Info
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_dpd_fields"
+ rename => { "[zeek_cols][analyzer]" => "[zeek_cols][service]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_dpd"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][service]} %{[zeek_cols][failure_reason]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_dpd"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_dpd"
+ init => "@zeek_dpd_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'service', 'failure_reason' ]"
+ code => "event.set('[zeek_cols]', @zeek_dpd_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate { id => "mutate_lowercase_zeek_dpd_service"
+ lowercase => [ "[zeek_cols][service]" ] }
+
+ # normalize service string(s)
+ if ([zeek_cols][service] =~ /^spicy_/) {
+ # if it's coming from spicy, we don't care to have that in the service name
+ mutate { id => "mutate_gsub_field_zeek_dpd_service_spicy_prefix"
+ gsub => [ "[zeek_cols][service]", "^spicy_", "" ] }
+
+ # some spicy services are named like blah_udp or blah_tcp,
+ # and we don't care about the _udp/_tcp suffix
+ mutate { id => "mutate_gsub_field_zeek_dpd_service_spicy_suffix"
+ gsub => [ "[zeek_cols][service]", "_(tcp|udp)(_hmac)?(_(sha|md)\d+)?$", "" ] }
+ }
+
+ }
+
+} # end Filter
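Review bot: The id at L5923, `split_zeek_diagnostic_print_vals`, breaks the `mutate_split_…` naming used for every other split in this commit (for example L5664, L5669, L5520); since plugin ids are what the node stats API and pipeline logs report, rename it to `mutate_split_zeek_diagnostic_print_vals`. The dpd block starting at L5993 is the only section in this file that neither adds `_zeekdiagnostic` nor explains why, whereas the analyzer block documents its exception at L5738–L5739; a matching comment, e.g. `# dpd.log carries UID and IP/ports, so it is searched with the network data rather than tagged _zeekdiagnostic`, would make the omission visibly deliberate. There is also a stray double blank line at L5929–L5930.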
diff --git a/logstash/pipelines/zeek/1018_zeek_dnp3.conf b/logstash/pipelines/zeek/1018_zeek_dnp3.conf
new file mode 100644
index 000000000..846343c79
--- /dev/null
+++ b/logstash/pipelines/zeek/1018_zeek_dnp3.conf
@@ -0,0 +1,103 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "dnp3") {
+ #############################################################################################################################
+ # dnp3.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/dnp3/main.zeek.html#type-DNP3::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_dnp3"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][fc_request]} %{[zeek_cols][fc_reply]} %{[zeek_cols][iin]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_dnp3"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_dnp3"
+ init => "@zeek_dnp3_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'fc_request', 'fc_reply', 'iin' ]"
+ code => "event.set('[zeek_cols]', @zeek_dnp3_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_dnp3"
+ add_field => { "[zeek_cols][service]" => "dnp3" }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "dnp3_control") {
+ #############################################################################################################################
+ # dnp3_control.log
+ # https://github.com/cisagov/ICSNPP
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_dnp3_control"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][block_type]} %{[zeek_cols][function_code]} %{[zeek_cols][index_number]} %{[zeek_cols][trip_control_code]} %{[zeek_cols][operation_type]} %{[zeek_cols][execute_count]} %{[zeek_cols][on_time]} %{[zeek_cols][off_time]} %{[zeek_cols][status_code]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_dnp3_control"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_dnp3_control"
+ init => "@zeek_dnp3_control_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'block_type', 'function_code', 'index_number', 'trip_control_code', 'operation_type', 'execute_count', 'on_time', 'off_time', 'status_code' ]"
+ code => "event.set('[zeek_cols]', @zeek_dnp3_control_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_dnp3_control"
+ add_field => { "[zeek_cols][service]" => "dnp3" }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "dnp3_objects") {
+ #############################################################################################################################
+ # dnp3_objects.log
+ # https://github.com/cisagov/ICSNPP
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_dnp3_objects"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][function_code]} %{[zeek_cols][object_type]} %{[zeek_cols][object_count]} %{[zeek_cols][range_low]} %{[zeek_cols][range_high]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_dnp3_objects"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_dnp3_objects"
+ init => "@zeek_dnp3_objects_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'function_code', 'object_type', 'object_count', 'range_low', 'range_high' ]"
+ code => "event.set('[zeek_cols]', @zeek_dnp3_objects_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_dnp3_objects"
+ add_field => { "[zeek_cols][service]" => "dnp3" }
+ add_tag => [ "ics" ]
+ }
+
+ }
+
+} # end Filter
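Review bot: The `_dissectfailure` recovery in `ruby_zip_zeek_dnp3` assigns columns by position with `zip` and never checks that the space-split token count matches the nine names in `@zeek_dnp3_field_names`, so a short line yields nil-valued columns and a long line silently drops its tail, while `_dissectfailure` stays on the event with no marker that the fallback shaped the record. A cheap guard is to compare lengths and tag the mismatch so downstream detections can exclude or inspect those events, e.g. `code => "vals = Array(event.get('[message]')); event.tag('_zeek_fieldcount_mismatch') if vals.length != @zeek_dnp3_field_names.length; event.set('[zeek_cols]', @zeek_dnp3_field_names.zip(vals).to_h)"` (the tag name is a placeholder to align with the project's tag convention). The same recovery pattern appears in `dnp3_control` and `dnp3_objects` in this file and in the hunks for 1019_zeek_dns.conf, 1020_zeek_ecat.conf, 1021_zeek_enip.conf, 1022_zeek_files.conf, 1023_zeek_ftp.conf and 1024_zeek_genisys.conf, and would take the same change.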
diff --git a/logstash/pipelines/zeek/1019_zeek_dns.conf b/logstash/pipelines/zeek/1019_zeek_dns.conf
new file mode 100644
index 000000000..7971b0e31
--- /dev/null
+++ b/logstash/pipelines/zeek/1019_zeek_dns.conf
@@ -0,0 +1,47 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "dns") {
+ #############################################################################################################################
+ # dns.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/dns/main.zeek.html#type-DNS::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_dns"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][trans_id]} %{[zeek_cols][rtt]} %{[zeek_cols][query]} %{[zeek_cols][qclass]} %{[zeek_cols][qclass_name]} %{[zeek_cols][qtype]} %{[zeek_cols][qtype_name]} %{[zeek_cols][rcode]} %{[zeek_cols][rcode_name]} %{[zeek_cols][AA]} %{[zeek_cols][TC]} %{[zeek_cols][RD]} %{[zeek_cols][RA]} %{[zeek_cols][Z]} %{[zeek_cols][answers]} %{[zeek_cols][TTLs]} %{[zeek_cols][rejected]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_dns"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_dns"
+ init => "@zeek_dns_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'trans_id', 'rtt', 'query', 'qclass', 'qclass_name', 'qtype', 'qtype_name', 'rcode', 'rcode_name', 'AA', 'TC', 'RD', 'RA', 'Z', 'answers', 'TTLs', 'rejected' ]"
+ code => "event.set('[zeek_cols]', @zeek_dns_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_zeek_dns_commas"
+ split => { "[zeek_cols][TTLs]" => ","
+ "[zeek_cols][answers]" => "," } }
+ }
+
+ # remove C_ prefix from qclass_name
+ mutate { id => "mutate_gsub_field_zeek_dns_qclass_name"
+ gsub => [ "[zeek_cols][qclass_name]", "^C_", "" ] }
+
+ mutate {
+ id => "mutate_add_fields_zeek_dns"
+ add_field => { "[zeek_cols][service]" => "dns" }
+ }
+
+ }
+
+} # end Filter
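Review bot: The dissect mapping in `dissect_zeek_dns` and the name list in `ruby_zip_zeek_dns` pin dns.log to one 24-column order, but nothing records which Zeek release that order was taken from, unlike the `v51` marker in the files pipeline's dissect id. Because parsing is positional, a column inserted by a future Zeek version shifts every field after it without any parse error, so a comment above the dissect such as `# column order follows Zeek <VERSION> dns.log; re-check on Zeek upgrades` (version to be filled in by the author) would make the assumption visible. The dissect mapping and the ruby `init` list must also be edited in lock-step; a one-line comment next to the `init` saying so would help the next maintainer.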
diff --git a/logstash/pipelines/zeek/1020_zeek_ecat.conf b/logstash/pipelines/zeek/1020_zeek_ecat.conf
new file mode 100644
index 000000000..b3272fc21
--- /dev/null
+++ b/logstash/pipelines/zeek/1020_zeek_ecat.conf
@@ -0,0 +1,346 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "ecat_registers") {
+ #############################################################################################################################
+ # ecat_registers.log
+ # https://github.com/cisagov/icsnpp-ethercat
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_ecat_registers_fields"
+ rename => { "[zeek_cols][srcmac]" => "[zeek_cols][orig_l2_addr]" }
+ rename => { "[zeek_cols][dstmac]" => "[zeek_cols][resp_l2_addr]" }
+ rename => { "[zeek_cols][Command]" => "[zeek_cols][command]" }
+ rename => { "[zeek_cols][Slave_Addr]" => "[zeek_cols][server_addr]" }
+ rename => { "[zeek_cols][Register_Type]" => "[zeek_cols][register_type]" }
+ rename => { "[zeek_cols][Register_Addr]" => "[zeek_cols][register_addr]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_ecat_registers"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][command]} %{[zeek_cols][server_addr]} %{[zeek_cols][register_type]} %{[zeek_cols][register_addr]} %{[zeek_cols][data]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_ecat_registers"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_ecat_registers"
+ init => "@zeek_ecat_registers_field_names = [ 'ts', 'orig_l2_addr', 'resp_l2_addr', 'command', 'server_addr', 'register_type', 'register_addr', 'data' ]"
+ code => "event.set('[zeek_cols]', @zeek_ecat_registers_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_ecat_registers"
+ add_field => {
+ "[zeek_cols][service]" => "ethercat"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "ecat_log_address") {
+ #############################################################################################################################
+ # ecat_log_address.log
+ # https://github.com/cisagov/icsnpp-ethercat
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_ecat_log_address_fields"
+ rename => { "[zeek_cols][srcmac]" => "[zeek_cols][orig_l2_addr]" }
+ rename => { "[zeek_cols][dstmac]" => "[zeek_cols][resp_l2_addr]" }
+ rename => { "[zeek_cols][Log_Addr]" => "[zeek_cols][log_addr]" }
+ rename => { "[zeek_cols][Length]" => "[zeek_cols][length]" }
+ rename => { "[zeek_cols][Command]" => "[zeek_cols][command]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_ecat_log_address"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][log_addr]} %{[zeek_cols][length]} %{[zeek_cols][command]} %{[zeek_cols][data]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_ecat_log_address"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_ecat_log_address"
+ init => "@zeek_ecat_log_address_field_names = [ 'ts', 'orig_l2_addr', 'resp_l2_addr', 'log_addr', 'length', 'command', 'data' ]"
+ code => "event.set('[zeek_cols]', @zeek_ecat_log_address_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_ecat_log_address"
+ add_field => {
+ "[zeek_cols][service]" => "ethercat"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "ecat_dev_info") {
+ #############################################################################################################################
+ # ecat_dev_info.log
+ # https://github.com/cisagov/icsnpp-ethercat
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_ecat_dev_info_fields"
+ rename => { "[zeek_cols][slave_id]" => "[zeek_cols][server_id]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_ecat_dev_info"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][server_id]} %{[zeek_cols][revision]} %{[zeek_cols][dev_type]} %{[zeek_cols][build]} %{[zeek_cols][fmmucnt]} %{[zeek_cols][smcount]} %{[zeek_cols][ports]} %{[zeek_cols][dpram]} %{[zeek_cols][features]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_ecat_dev_info"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_ecat_dev_info"
+ init => "@zeek_ecat_dev_info_field_names = [ 'ts', 'server_id', 'revision', 'dev_type', 'build', 'fmmucnt', 'smcount', 'ports', 'dpram', 'features' ]"
+ code => "event.set('[zeek_cols]', @zeek_ecat_dev_info_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_ecat_dev_info"
+ add_field => {
+ "[zeek_cols][service]" => "ethercat"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "ecat_aoe_info") {
+ #############################################################################################################################
+ # ecat_aoe_info.log
+ # https://github.com/cisagov/icsnpp-ethercat
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_ecat_aoe_info_fields"
+ rename => { "[zeek_cols][targetid]" => "[zeek_cols][resp_l2_addr]" }
+ rename => { "[zeek_cols][targetport]" => "[zeek_cols][resp_port]" }
+ rename => { "[zeek_cols][senderid]" => "[zeek_cols][orig_l2_addr]" }
+ rename => { "[zeek_cols][senderport]" => "[zeek_cols][orig_port]" }
+ rename => { "[zeek_cols][cmd]" => "[zeek_cols][command]" }
+ rename => { "[zeek_cols][stateflags]" => "[zeek_cols][state]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_ecat_aoe_info"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][resp_port]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][orig_port]} %{[zeek_cols][command]} %{[zeek_cols][state]} %{[zeek_cols][data]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_ecat_aoe_info"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_ecat_aoe_info"
+ init => "@zeek_ecat_aoe_info_field_names = [ 'ts', 'resp_l2_addr', 'resp_port', 'orig_l2_addr', 'orig_port', 'command', 'state', 'data' ]"
+ code => "event.set('[zeek_cols]', @zeek_ecat_aoe_info_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_ecat_aoe_info"
+ add_field => {
+ "[zeek_cols][service]" => "ethercat"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "ecat_coe_info") {
+ #############################################################################################################################
+ # ecat_coe_info.log
+ # https://github.com/cisagov/icsnpp-ethercat
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_ecat_coe_info_fields"
+ rename => { "[zeek_cols][Type]" => "[zeek_cols][type]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_ecat_coe_info"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][number]} %{[zeek_cols][type]} %{[zeek_cols][req_resp]} %{[zeek_cols][index]} %{[zeek_cols][subindex]} %{[zeek_cols][dataoffset]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_ecat_coe_info"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_ecat_coe_info"
+ init => "@zeek_ecat_coe_info_field_names = [ 'ts', 'number', 'type', 'req_resp', 'index', 'subindex', 'dataoffset' ]"
+ code => "event.set('[zeek_cols]', @zeek_ecat_coe_info_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_ecat_coe_info"
+ add_field => {
+ "[zeek_cols][service]" => "ethercat"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "ecat_foe_info") {
+ #############################################################################################################################
+ # ecat_foe_info.log
+ # https://github.com/cisagov/icsnpp-ethercat
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_ecat_foe_info_fields"
+ rename => { "[zeek_cols][opCode]" => "[zeek_cols][opcode]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_ecat_foe_info"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][opcode]} %{[zeek_cols][reserved]} %{[zeek_cols][packet_num]} %{[zeek_cols][error_code]} %{[zeek_cols][filename]} %{[zeek_cols][data]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_ecat_foe_info"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_ecat_foe_info"
+ init => "@zeek_ecat_foe_info_field_names = [ 'ts', 'opcode', 'reserved', 'packet_num', 'error_code', 'filename', 'data' ]"
+ code => "event.set('[zeek_cols]', @zeek_ecat_foe_info_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_ecat_foe_info"
+ add_field => {
+ "[zeek_cols][service]" => "ethercat"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "ecat_soe_info") {
+ #############################################################################################################################
+ # ecat_soe_info.log
+ # https://github.com/cisagov/icsnpp-ethercat
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_ecat_soe_info_fields"
+ rename => { "[zeek_cols][opCode]" => "[zeek_cols][opcode]" }
+ rename => { "[zeek_cols][element_flags]" => "[zeek_cols][element]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_ecat_soe_info"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][opcode]} %{[zeek_cols][incomplete]} %{[zeek_cols][error]} %{[zeek_cols][drive_num]} %{[zeek_cols][element]} %{[zeek_cols][index]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_ecat_soe_info"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_ecat_soe_info"
+ init => "@zeek_ecat_soe_info_field_names = [ 'ts', 'opcode', 'incomplete', 'error', 'drive_num', 'element', 'index' ]"
+ code => "event.set('[zeek_cols]', @zeek_ecat_soe_info_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_ecat_soe_info"
+ add_field => {
+ "[zeek_cols][service]" => "ethercat"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "ecat_arp_info") {
+ #############################################################################################################################
+ # ecat_arp_info.log
+ # https://github.com/cisagov/icsnpp-ethercat
+ #
+ # NOTE: I currently have this disabled via policy hook in local.zeek, as it is including ALL arps and
+ # not just those from ethercat traffic which can be misleading (i.e., indicating ecat traffic where there is none)
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_ecat_arp_info_fields"
+ rename => { "[zeek_cols][mac_src]" => "[zeek_cols][orig_l2_addr]" }
+ rename => { "[zeek_cols][mac_dst]" => "[zeek_cols][resp_l2_addr]" }
+ rename => { "[zeek_cols][SPA]" => "[zeek_cols][orig_proto_addr]" }
+ rename => { "[zeek_cols][SHA]" => "[zeek_cols][orig_hw_addr]" }
+ rename => { "[zeek_cols][TPA]" => "[zeek_cols][resp_proto_addr]" }
+ rename => { "[zeek_cols][THA]" => "[zeek_cols][resp_hw_addr]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_ecat_arp_info"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][arp_type]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][orig_proto_addr]} %{[zeek_cols][orig_hw_addr]} %{[zeek_cols][resp_proto_addr]} %{[zeek_cols][resp_hw_addr]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_ecat_arp_info"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_ecat_arp_info"
+ init => "@zeek_ecat_arp_info_field_names = [ 'ts', 'arp_type', 'orig_l2_addr', 'resp_l2_addr', 'orig_proto_addr', 'orig_hw_addr', 'resp_proto_addr', 'resp_hw_addr' ]"
+ code => "event.set('[zeek_cols]', @zeek_ecat_arp_info_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_ecat_arp_info"
+ add_field => {
+ "[zeek_cols][service]" => "ethercat"
+ }
+ }
+
+ # TODO: check orig_proto_addr/orig_hw_addr resp_proto_addr/resp_hw_addr and convert to ip, etc. if necessary?
+
+ }
+
+} # end Filter
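Review bot: `mutate_add_fields_zeek_ecat_arp_info` is the only section in this file without `add_tag => [ "ics" ]`, and the NOTE above it about the analyzer being disabled by a policy hook suggests the omission may be deliberate, but it is not explained. If it is intentional because the log covers all ARP rather than EtherCAT-specific traffic, a comment such as `# no "ics" tag: this log includes all ARP, not only EtherCAT` would stop a later reader from "fixing" it; otherwise add the tag for consistency with the other seven sections. Separately, `ecat_aoe_info` introduces `orig_port`/`resp_port` where every other pipeline uses `orig_p`/`resp_p`; if these are AoE/AMS ports rather than transport ports, a comment saying so would prevent them being mapped onto the transport-port fields downstream.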
diff --git a/logstash/pipelines/zeek/1021_zeek_enip.conf b/logstash/pipelines/zeek/1021_zeek_enip.conf
new file mode 100644
index 000000000..2a2f9e8f2
--- /dev/null
+++ b/logstash/pipelines/zeek/1021_zeek_enip.conf
@@ -0,0 +1,140 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "cip") {
+ #############################################################################################################################
+ # cip.log
+ # https://github.com/cisagov/ICSNPP
+ #
+ # todo: class_id, instance_id is a hex integer, should it be converted to an integer?
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_cip"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][cip_sequence_count]} %{[zeek_cols][direction]} %{[zeek_cols][cip_service_code]} %{[zeek_cols][cip_service]} %{[zeek_cols][cip_status_code]} %{[zeek_cols][cip_status]} %{[zeek_cols][cip_extended_status_code]} %{[zeek_cols][cip_extended_status]} %{[zeek_cols][class_id]} %{[zeek_cols][class_name]} %{[zeek_cols][instance_id]} %{[zeek_cols][attribute_id]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_cip"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_cip"
+ init => "@zeek_cip_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'cip_sequence_count', 'direction', 'cip_service_code', 'cip_service', 'cip_status_code', 'cip_status', 'cip_extended_status_code', 'cip_extended_status', 'class_id', 'class_name', 'instance_id', 'attribute_id' ]"
+ code => "event.set('[zeek_cols]', @zeek_cip_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_cip"
+ add_field => { "[zeek_cols][service]" => "cip" }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "cip_identity") {
+ #############################################################################################################################
+ # cip_identity.log
+ # https://github.com/cisagov/ICSNPP
+ #
+ # TODO: device_status and device_state are a hex int string, convert to int?
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_cip_identity"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][encapsulation_version]} %{[zeek_cols][socket_address]} %{[zeek_cols][socket_port]} %{[zeek_cols][vendor_id]} %{[zeek_cols][vendor_name]} %{[zeek_cols][device_type_id]} %{[zeek_cols][device_type_name]} %{[zeek_cols][product_code]} %{[zeek_cols][revision]} %{[zeek_cols][device_status]} %{[zeek_cols][serial_number]} %{[zeek_cols][product_name]} %{[zeek_cols][device_state]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_cip_identity"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_cip_identity"
+ init => "@zeek_cip_identity_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'encapsulation_version', 'socket_address', 'socket_port', 'vendor_id', 'vendor_name', 'device_type_id', 'device_type_name', 'product_code', 'revision', 'device_status', 'serial_number', 'product_name', 'device_state' ]"
+ code => "event.set('[zeek_cols]', @zeek_cip_identity_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_cip_identity"
+ add_field => { "[zeek_cols][service]" => "cip" }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "cip_io") {
+ #############################################################################################################################
+ # cip_io.log
+ # https://github.com/cisagov/ICSNPP
+ #
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_cip_io"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][connection_id]} %{[zeek_cols][sequence_number]} %{[zeek_cols][data_length]} %{[zeek_cols][io_data]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_cip_io"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_cip_io"
+ init => "@zeek_cip_io_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'connection_id', 'sequence_number', 'data_length', 'io_data' ]"
+ code => "event.set('[zeek_cols]', @zeek_cip_io_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_cip_io"
+ add_field => { "[zeek_cols][service]" => "cip" }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "enip") {
+ #############################################################################################################################
+ # enip.log
+ # https://github.com/cisagov/ICSNPP
+ #
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_enip"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][enip_command_code]} %{[zeek_cols][enip_command]} %{[zeek_cols][length]} %{[zeek_cols][session_handle]} %{[zeek_cols][enip_status]} %{[zeek_cols][sender_context]} %{[zeek_cols][options]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_enip"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_enip"
+ init => "@zeek_enip_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'enip_command_code', 'enip_command', 'length', 'session_handle', 'enip_status', 'sender_context', 'options' ]"
+ code => "event.set('[zeek_cols]', @zeek_enip_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_enip"
+ add_field => { "[zeek_cols][service]" => "enip" }
+ add_tag => [ "ics" ]
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1022_zeek_files.conf b/logstash/pipelines/zeek/1022_zeek_files.conf
new file mode 100644
index 000000000..105492ee9
--- /dev/null
+++ b/logstash/pipelines/zeek/1022_zeek_files.conf
@@ -0,0 +1,72 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+ if ([log_source] == "files") {
+ #############################################################################################################################
+ # files.log
+ # https://docs.zeek.org/en/stable/scripts/base/frameworks/files/main.zeek.html#type-Files::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_v51_files_with_all_fields"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][fuid]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][source]} %{[zeek_cols][depth]} %{[zeek_cols][analyzers]} %{[zeek_cols][mime_type]} %{[zeek_cols][filename]} %{[zeek_cols][duration]} %{[zeek_cols][local_orig]} %{[zeek_cols][is_orig]} %{[zeek_cols][seen_bytes]} %{[zeek_cols][total_bytes]} %{[zeek_cols][missing_bytes]} %{[zeek_cols][overflow_bytes]} %{[zeek_cols][timedout]} %{[zeek_cols][parent_fuid]} %{[zeek_cols][md5]} %{[zeek_cols][sha1]} %{[zeek_cols][sha256]} %{[zeek_cols][extracted]} %{[zeek_cols][extracted_cutoff]} %{[zeek_cols][extracted_size]} %{[zeek_cols][ftime]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_files"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_files"
+ init => "@zeek_files_field_names = [ 'ts', 'fuid', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'source', 'depth', 'analyzers', 'mime_type', 'filename', 'duration', 'local_orig', 'is_orig', 'seen_bytes', 'total_bytes', 'missing_bytes', 'overflow_bytes', 'timedout', 'parent_fuid', 'md5', 'sha1', 'sha256', 'extracted', 'extracted_cutoff', 'extracted_size', 'ftime' ]"
+ code => "event.set('[zeek_cols]', @zeek_files_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ if ([zeek_cols][conn_uids]) and ([zeek_cols][conn_uids] != '(empty)') and ([zeek_cols][conn_uids] != '') {
+ mutate { id => "mutate_split_zeek_files_conn_uids"
+ split => { "[zeek_cols][conn_uids]" => "," } }
+ }
+ if ([zeek_cols][tx_hosts]) and ([zeek_cols][tx_hosts] != '(empty)') and ([zeek_cols][tx_hosts] != '') {
+ mutate { id => "mutate_split_zeek_files_tx_hosts"
+ split => { "[zeek_cols][tx_hosts]" => "," } }
+ }
+ if ([zeek_cols][rx_hosts]) and ([zeek_cols][rx_hosts] != '(empty)') and ([zeek_cols][rx_hosts] != '') {
+ mutate { id => "mutate_split_zeek_files_rx_hosts"
+ split => { "[zeek_cols][rx_hosts]" => "," } }
+ }
+ mutate { id => "mutate_split_zeek_files_parent_fuid_and_analyzers"
+ split => { "[zeek_cols][parent_fuid]" => ","
+ "[zeek_cols][analyzers]" => "," } }
+ }
+
+ if ([zeek_cols][conn_uids] and [zeek_cols][conn_uids][0]) {
+ mutate {
+ id => "mutate_add_field_zeek_files_conn_uids_to_uid"
+ add_field => { "[rootId]" => "%{[zeek_cols][conn_uids][0]}"
+ "[zeek_cols][uid]" => "%{[zeek_cols][conn_uids][0]}" }
+ }
+ } else if (![zeek_cols][uid]) {
+ mutate {
+ id => "mutate_add_fields_zeek_files_fuid_to_uid"
+ add_field => { "[zeek_cols][uid]" => "%{[zeek_cols][fuid]}" }
+ }
+ }
+
+ if ([zeek_cols][tx_hosts] and [zeek_cols][tx_hosts][0]) {
+ mutate { id => "mutate_add_field_zeek_tx_hosts"
+ add_field => { "[source][ip]" => "%{[zeek_cols][tx_hosts][0]}" } }
+ }
+
+ if ([zeek_cols][rx_hosts] and [zeek_cols][rx_hosts][0]) {
+ mutate { id => "mutate_add_field_zeek_rx_hosts"
+ add_field => { "[destination][ip]" => "%{[zeek_cols][rx_hosts][0]}" } }
+ }
+
+ }
+
+} # end Filter
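Review bot: The three `conn_uids`/`tx_hosts`/`rx_hosts` split blocks sit inside the `"_jsonparsesuccess" not in [tags]` branch, but the only producers of `[zeek_cols]` in that branch, `dissect_zeek_v51_files_with_all_fields` and `ruby_zip_zeek_files`, emit the 5.1 column names (`uid`, `orig_h`, ...) and never create those three fields, so the splits cannot fire there. If pre-5.1 TSV input is still expected, the dissect needs a second mapping for that layout; if not, the three blocks can be dropped, since the JSON path is still covered by the later `[zeek_cols][conn_uids][0]`/`tx_hosts`/`rx_hosts` conditionals. Also, the `conn_uids` branch sets `[rootId]` but the 5.1 path, which already carries `uid`, does not; a comment is warranted if `rootId` is derived elsewhere for that case.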
diff --git a/logstash/pipelines/zeek/1023_zeek_ftp.conf b/logstash/pipelines/zeek/1023_zeek_ftp.conf
new file mode 100644
index 000000000..30473a39f
--- /dev/null
+++ b/logstash/pipelines/zeek/1023_zeek_ftp.conf
@@ -0,0 +1,42 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+ if ([log_source] == "ftp") {
+ #############################################################################################################################
+ # ftp.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/ftp/info.zeek.html#type-FTP::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_ftp"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user]} %{[zeek_cols][password]} %{[zeek_cols][command]} %{[zeek_cols][arg]} %{[zeek_cols][mime_type]} %{[zeek_cols][file_size]} %{[zeek_cols][reply_code]} %{[zeek_cols][reply_msg]} %{[zeek_cols][data_channel][passive]} %{[zeek_cols][data_channel][orig_h]} %{[zeek_cols][data_channel][resp_h]} %{[zeek_cols][data_channel][resp_p]} %{[zeek_cols][fuid]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_ftp"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_ftp"
+ init => "@zeek_ftp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'user', 'password', 'command', 'arg', 'mime_type', 'file_size', 'reply_code', 'reply_msg', 'data_channel.passive', 'data_channel.orig_h', 'data_channel.resp_h', 'data_channel.resp_p', 'fuid' ]"
+ code => "event.set('[zeek_cols]', @zeek_ftp_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_ftp"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "ftp"
+ }
+ }
+
+ }
+
+} # end Filter
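Review bot: The dissect in `dissect_zeek_ftp` writes the data-channel values to nested paths (`[zeek_cols][data_channel][passive]` etc.), but the fallback list in `ruby_zip_zeek_ftp` uses literal dotted keys (`'data_channel.passive'`), so the recovery path produces a flat key containing a dot rather than a `data_channel` sub-hash; in Logstash conditionals and later filters those are different fields. Restructure after the zip, e.g. `code => "h = @zeek_ftp_field_names.zip(event.get('[message]')).to_h; h['data_channel'] = { 'passive' => h.delete('data_channel.passive'), 'orig_h' => h.delete('data_channel.orig_h'), 'resp_h' => h.delete('data_channel.resp_h'), 'resp_p' => h.delete('data_channel.resp_p') }; event.set('[zeek_cols]', h)"`. Note also that `[zeek_cols][password]` is stored verbatim on both paths; Zeek redacts it unless `FTP::default_capture_password` is enabled, which is configured outside this file, so a comment at the mapping such as `# password is cleartext if FTP::default_capture_password is set in Zeek` would flag that this column can hold a credential.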
diff --git a/logstash/pipelines/zeek/1024_zeek_genisys.conf b/logstash/pipelines/zeek/1024_zeek_genisys.conf
new file mode 100644
index 000000000..fb50b5d93
--- /dev/null
+++ b/logstash/pipelines/zeek/1024_zeek_genisys.conf
@@ -0,0 +1,49 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "genisys") {
+ #############################################################################################################################
+ # genisys.log
+ # https://github.com/cisagov/icsnpp-genisys
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_genisys_fields"
+ rename => { "[zeek_cols][payload]" => "[zeek_cols][payload_raw]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_genisys"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][header]} %{[zeek_cols][server]} %{[zeek_cols][direction]} %{[zeek_cols][crc_transmitted]} %{[zeek_cols][crc_calculated]} %{[zeek_cols][payload_raw]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_genisys"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_genisys"
+ init => "@zeek_genisys_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'header', 'server', 'direction', 'crc_transmitted', 'crc_calculated', 'payload_raw' ]"
+ code => "event.set('[zeek_cols]', @zeek_genisys_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_genisys"
+ add_field => {
+ "[zeek_cols][service]" => "genisys"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ }
+
+} # end Filter
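Review bot: The rename at L6849 is undocumented: the JSON branch turns `[zeek_cols][payload]` into `[zeek_cols][payload_raw]` while the TSV branch at L6856/L6866 writes `payload_raw` directly, and nothing explains why the two paths start from different names. A one-line comment above the mutate, `# Zeek's JSON output names this column payload; rename so both parse paths yield payload_raw`, would make the intent clear and stop a later reader "fixing" the TSV names back to the Zeek schema. That the JSON column is called `payload` is inferred from the rename itself rather than shown here, so confirm it against the icsnpp-genisys log definition linked at L6844 before committing to the wording.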
diff --git a/logstash/pipelines/zeek/1025_zeek_ge_srtp.conf b/logstash/pipelines/zeek/1025_zeek_ge_srtp.conf
new file mode 100644
index 000000000..b7e73d456
--- /dev/null
+++ b/logstash/pipelines/zeek/1025_zeek_ge_srtp.conf
@@ -0,0 +1,46 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "ge_srtp") {
+ #############################################################################################################################
+ # ge_srtp_general.log
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_ge_srtp_log"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][srtp_type]} %{[zeek_cols][sequence_number_1]} %{[zeek_cols][text_length]} %{[zeek_cols][time_seconds]} %{[zeek_cols][time_minutes]} %{[zeek_cols][time_hours]} %{[zeek_cols][sequence_number_2]} %{[zeek_cols][message_type]} %{[zeek_cols][mailbox_source]} %{[zeek_cols][mailbox_destination]} %{[zeek_cols][packet_number]} %{[zeek_cols][total_packet_number]} %{[zeek_cols][service_request_code]} %{[zeek_cols][segment_selector]} %{[zeek_cols][memory_offset]} %{[zeek_cols][data_length]} %{[zeek_cols][status_code]} %{[zeek_cols][minor_status_code]} %{[zeek_cols][data_requested]} %{[zeek_cols][control_program_number]} %{[zeek_cols][current_privilege_level]} %{[zeek_cols][last_sweep_time]} %{[zeek_cols][oversweep_flag]} %{[zeek_cols][constant_sweep_mode]} %{[zeek_cols][plc_fault_entry_last_read]} %{[zeek_cols][io_fault_entry_last_read]} %{[zeek_cols][plc_fault_entry_present]} %{[zeek_cols][io_fault_entry_present]} %{[zeek_cols][programmer_attachment]} %{[zeek_cols][front_panel_enable_switch]} %{[zeek_cols][front_panel_run_switch]} %{[zeek_cols][oem_protected]} %{[zeek_cols][plc_state]}"
+ }
+ }
+
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_ge_srtp_log"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_ge_srtp_log"
+ init => "$zeek_ge_srtp_log_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'srtp_type', 'sequence_number_1', 'text_length', 'time_seconds', 'time_minutes', 'time_hours', 'sequence_number_2', 'message_type', 'mailbox_source', 'mailbox_destination', 'packet_number', 'total_packet_number', 'service_request_code', 'segment_selector', 'memory_offset', 'data_length', 'status_code', 'minor_status_code', 'data_requested', 'control_program_number', 'current_privilege_level', 'last_sweep_time', 'oversweep_flag', 'constant_sweep_mode', 'plc_fault_entry_last_read', 'io_fault_entry_last_read', 'plc_fault_entry_present', 'io_fault_entry_present', 'programmer_attachment', 'front_panel_enable_switch', 'front_panel_run_switch', 'oem_protected', 'plc_state' ]"
+ code => "event.set('[zeek_cols]', $zeek_ge_srtp_log_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate { id => "mutate_remove_field_ge_srtp_proto"
+ remove_field => [ "[zeek_cols][proto]" ] }
+ mutate {
+ id => "mutate_add_fields_zeek_ge_srtp_log"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "ge_srtp"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ }
+
+} # end Filter
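Review bot: The ruby fallback at L6915–L6916 keeps the column list in a Ruby global (`$zeek_ge_srtp_log_field_names`) while every sibling pipeline in this change uses an instance variable (`@zeek_ftp_field_names`, `@zeek_genisys_field_names`, `@zeek_gquic_field_names`); a `$` global is shared by every ruby filter in the Logstash JVM rather than scoped to this filter instance, so the two lines should read `init => "@zeek_ge_srtp_log_field_names = [ ... ]"` and `code => "event.set('[zeek_cols]', @zeek_ge_srtp_log_field_names.zip(event.get('[message]')).to_h)"`. The remove-then-add of `[zeek_cols][proto]` at L6921–L6926 also deserves a why-comment, e.g. `# ge_srtp_general.log carries its own proto column; discard it and pin the fixed value used for this service`, since it is not obvious that the logged value is being deliberately thrown away.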
diff --git a/logstash/pipelines/zeek/1026_zeek_gquic.conf b/logstash/pipelines/zeek/1026_zeek_gquic.conf
new file mode 100644
index 000000000..70a697dff
--- /dev/null
+++ b/logstash/pipelines/zeek/1026_zeek_gquic.conf
@@ -0,0 +1,43 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "gquic") {
+ #############################################################################################################################
+ # gquic.log
+ # https://github.com/salesforce/GQUIC_Protocol_Analyzer/blob/master/scripts/Salesforce/GQUIC/main.bro
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_gquic"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][server_name]} %{[zeek_cols][user_agent]} %{[zeek_cols][tag_count]} %{[zeek_cols][cyu]} %{[zeek_cols][cyutags]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_gquic"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_gquic"
+ init => "@zeek_gquic_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'server_name', 'user_agent', 'tag_count', 'cyu', 'cyutags' ]"
+ code => "event.set('[zeek_cols]', @zeek_gquic_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_gquic"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "quic"
+ }
+ }
+
+ }
+
+} # end Filter
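Review bot: In the `_dissectfailure` fallback at L6963–L6968 the message is split on a single space and zipped positionally, but `user_agent` sits in the middle of the gquic column list and a browser UA string usually contains spaces, so on that path every column after it shifts and `tag_count`, `cyu` and `cyutags` receive the wrong values. Whether this bites depends on what delimiter `[message]` carries when it reaches this filter, which is not visible here: if tabs survive the point is moot, and if an earlier stage already squeezes tabs to spaces the single-space dissect pattern at L6957 has the same problem. Worth checking with a gquic.log line whose user agent contains spaces; if the fallback is intended as best effort only, a comment such as `# fallback split assumes no embedded spaces; a spaced user_agent misaligns later columns` would set expectations.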
diff --git a/logstash/pipelines/zeek/1027_zeek_hart_ip.conf b/logstash/pipelines/zeek/1027_zeek_hart_ip.conf
new file mode 100644
index 000000000..fbe84e04f
--- /dev/null
+++ b/logstash/pipelines/zeek/1027_zeek_hart_ip.conf
@@ -0,0 +1,187 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "hart_ip_common_commands") {
+ #############################################################################################################################
+ # hart_ip_common_commands.log
+ # main.zeek (https://github.com/cisagov/icsnpp-hart-ip)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_hart_ip_common_commands"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][read_device_variables_request_slot0_device_variable_code]} %{[zeek_cols][read_device_variables_request_slot1_device_variable_code]} %{[zeek_cols][read_device_variables_request_slot2_device_variable_code]} %{[zeek_cols][read_device_variables_request_slot3_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot0_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot0_units_code]} %{[zeek_cols][read_device_variables_response_slot0_device_variable]} %{[zeek_cols][read_device_variables_response_slot1_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot1_units_code]} %{[zeek_cols][read_device_variables_response_slot1_device_variable]} %{[zeek_cols][read_device_variables_response_slot2_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot2_units_code]} %{[zeek_cols][read_device_variables_response_slot2_device_variable]} %{[zeek_cols][read_device_variables_response_slot3_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot3_units_code]} %{[zeek_cols][read_device_variables_response_slot3_device_variable]} %{[zeek_cols][write_primary_variable_damping_value_pv_damping_value]} %{[zeek_cols][write_primary_variable_range_values_pv_upper_and_lower_range_values_units_code]} %{[zeek_cols][write_primary_variable_range_values_pv_upper_range_value]} %{[zeek_cols][write_primary_variable_range_values_p_v_lower_range_value]} %{[zeek_cols][eeprom_control_eeprom_control_code]} %{[zeek_cols][enter_exit_fixed_current_mode_pv_fixed_current_level]} %{[zeek_cols][write_primary_variable_units_pv_unit_codes]} %{[zeek_cols][trim_loop_current_zero_measured_pv_loop_current_level]} %{[zeek_cols][trim_loop_current_gain_measured_pv_loop_current_level]} 
%{[zeek_cols][write_primary_variable_transfer_function_p_v_transfer_function_code]} %{[zeek_cols][write_primary_variable_transducer_serial_number_pv_transducer_serial_number]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_primary_variable]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_secondary_variable]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_tertiary_variable]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_quaternary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_primary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_secondary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_tertiary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_quaternary_variable]} %{[zeek_cols][set_device_variable_zero_device_variable_zeroed]} %{[zeek_cols][write_device_variable_units_device_variable_code]} %{[zeek_cols][write_device_variable_units_device_variable_units_code]} %{[zeek_cols][read_device_variable_information_request_device_variable_code]} %{[zeek_cols][read_device_variable_information_response_device_variable_code]} %{[zeek_cols][read_device_variable_information_response_device_variable_transducer_serial_number]} %{[zeek_cols][read_device_variable_information_response_device_variable_limits_minimum_span_units_code]} %{[zeek_cols][read_device_variable_information_response_device_variable_upper_transducer_limit]} %{[zeek_cols][read_device_variable_information_response_device_variable_lower_transducer_limit]} %{[zeek_cols][read_device_variable_information_response_device_variable_damping_value]} %{[zeek_cols][read_device_variable_information_response_device_variable_minimum_span]} 
%{[zeek_cols][read_device_variable_information_response_device_variable_classification]} %{[zeek_cols][read_device_variable_information_response_device_variable_family]} %{[zeek_cols][read_device_variable_information_response_acquisition_period]} %{[zeek_cols][read_device_variable_information_response_device_variable_properties_is_simulated]} %{[zeek_cols][read_device_variable_information_response_device_variable_properties_undefined_bits_1_6]} %{[zeek_cols][read_device_variable_information_response_device_variable_properties_is_input]} %{[zeek_cols][write_device_variable_damping_value_device_variable_code]} %{[zeek_cols][write_device_variable_damping_value_device_variable_damping_value]} %{[zeek_cols][write_device_variable_transducer_serial_no_device_variable_code]} %{[zeek_cols][write_device_variable_transducer_serial_no_device_variable_transducer_serial_number]} %{[zeek_cols][read_unit_tag_descriptor_date_response_unit_tag]} %{[zeek_cols][read_unit_tag_descriptor_date_response_unit_descriptor]} %{[zeek_cols][read_unit_tag_descriptor_date_response_unit_date]} %{[zeek_cols][write_unit_tag_descriptor_date_unit_tag]} %{[zeek_cols][write_unit_tag_descriptor_date_unit_descriptor]} %{[zeek_cols][write_unit_tag_descriptor_date_unit_date]} %{[zeek_cols][write_number_of_response_preambles_number_of_preambles]} %{[zeek_cols][read_analog_channel_and_percent_of_range_request_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_units_code]} %{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_level]} %{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_percent_of_range]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_channel_units_code]} 
%{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_level]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot0]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot1]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot2]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot3]} %{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot0]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot0]} %{[zeek_cols][read_analog_channels_response_analog_channel_level_slot0]} %{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot1]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot1]} %{[zeek_cols][read_analog_channels_response_analog_channel_level_slot1]} %{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot2]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot2]} %{[zeek_cols][read_analog_channels_response_analog_channel_level_slot2]} 
%{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot3]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot3]} %{[zeek_cols][read_analog_channels_response_analog_channel_level_slot3]} %{[zeek_cols][read_analog_channel_information_request_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_alarm_selection_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_transfer_function_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_upper_and_lower_range_values_units_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_upper_range_value]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_lower_range_value]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_damping_value]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_flags_is_simulated]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_flags_undefined_bits_1_6]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_flags_is_input]} %{[zeek_cols][write_analog_channel_additional_damping_value_analog_channel_number_code]} %{[zeek_cols][write_analog_channel_additional_damping_value_analog_channel_damping_value]} %{[zeek_cols][write_analog_channel_range_values_analog_channel_number_code]} %{[zeek_cols][write_analog_channel_range_values_analog_channel_upper_and_lower_range_values_units_code]} %{[zeek_cols][write_analog_channel_range_values_analog_channel_upper_range_value]} %{[zeek_cols][write_analog_channel_range_values_analog_channel_lower_range_value]} %{[zeek_cols][enter_exit_fixed_analog_channel_mode_analog_channel_number_code]} %{[zeek_cols][enter_exit_fixed_analog_channel_mode_analog_channel_units_code]} 
%{[zeek_cols][enter_exit_fixed_analog_channel_mode_fixed_analog_channel_level]} %{[zeek_cols][trim_analog_channel_zero_analog_channel_number_code]} %{[zeek_cols][trim_analog_channel_zero_analog_channel_units_code]} %{[zeek_cols][trim_analog_channel_zero_analog_channel_level]} %{[zeek_cols][trim_analog_channel_gain_analog_channel_number_code]} %{[zeek_cols][trim_analog_channel_gain_analog_channel_units_code]} %{[zeek_cols][trim_analog_channel_gain_analog_channel_level]} %{[zeek_cols][write_analog_channel_transfer_function_analog_channel_number_code]} %{[zeek_cols][write_analog_channel_transfer_function_analog_channel_units_code]} %{[zeek_cols][read_analog_channel_endpoint_values_request_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_upper_and_lower_endpoint_values_units_code]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_upper_endpoint_value]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_lower_endpoint_value]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_upper_limit_value]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_lower_limit_value]} %{[zeek_cols][lock_device_lock_code]} %{[zeek_cols][squawk_squawk_control]} %{[zeek_cols][find_device_response_254]} %{[zeek_cols][find_device_response_expanded_device_type]} %{[zeek_cols][find_device_response_minimum_preambles_master_slave]} %{[zeek_cols][find_device_response_hart_protocol_major_revision]} %{[zeek_cols][find_device_response_device_revision_level]} %{[zeek_cols][find_device_response_software_revision_level]} %{[zeek_cols][find_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][find_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} 
%{[zeek_cols][find_device_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][find_device_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][find_device_response_flags_undefined_5]} %{[zeek_cols][find_device_response_flags_safehart_capable_field_device]} %{[zeek_cols][find_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][find_device_response_flags_protocol_bridge_device]} %{[zeek_cols][find_device_response_flags_eeprom_control]} %{[zeek_cols][find_device_response_flags_mutli_sensor_field_device]} %{[zeek_cols][find_device_response_device_id]} %{[zeek_cols][find_device_response_number_preambles_slave_master]} %{[zeek_cols][find_device_response_last_device_variable_this]} %{[zeek_cols][find_device_response_configuration_change_counter]} %{[zeek_cols][find_device_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][find_device_response_extended_field_device_status_function_check]} %{[zeek_cols][find_device_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][find_device_response_extended_field_device_status_failure]} %{[zeek_cols][find_device_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][find_device_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][find_device_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][find_device_response_manufacturer_identification_code]} %{[zeek_cols][find_device_response_private_label_distributor_code]} %{[zeek_cols][find_device_response_device_profile]} %{[zeek_cols][read_io_system_capabilities_response_max_io_cards]} %{[zeek_cols][read_io_system_capabilities_response_max_channels_per_io_card]} %{[zeek_cols][read_io_system_capabilities_response_max_sub_devices_per_channel]} %{[zeek_cols][read_io_system_capabilities_response_number_of_devices_detected]} %{[zeek_cols][read_io_system_capabilities_response_max_delayed_responses_supported]} 
%{[zeek_cols][read_io_system_capabilities_response_master_mode]} %{[zeek_cols][read_io_system_capabilities_response_retry_count]} %{[zeek_cols][poll_sub_device_request_io_card]} %{[zeek_cols][poll_sub_device_request_channel]} %{[zeek_cols][poll_sub_device_request_sub_device_polling_address]} %{[zeek_cols][poll_sub_device_response_254]} %{[zeek_cols][poll_sub_device_response_expanded_device_type]} %{[zeek_cols][poll_sub_device_response_minimum_preambles_master_slave]} %{[zeek_cols][poll_sub_device_response_hart_protocol_major_revision]} %{[zeek_cols][poll_sub_device_response_device_revision_level]} %{[zeek_cols][poll_sub_device_response_software_revision_level]} %{[zeek_cols][poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][poll_sub_device_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][poll_sub_device_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][poll_sub_device_response_flags_undefined_5]} %{[zeek_cols][poll_sub_device_response_flags_safehart_capable_field_device]} %{[zeek_cols][poll_sub_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][poll_sub_device_response_flags_protocol_bridge_device]} %{[zeek_cols][poll_sub_device_response_flags_eeprom_control]} %{[zeek_cols][poll_sub_device_response_flags_mutli_sensor_field_device]} %{[zeek_cols][poll_sub_device_response_device_id]} %{[zeek_cols][poll_sub_device_response_number_preambles_slave_master]} %{[zeek_cols][poll_sub_device_response_last_device_variable_this]} %{[zeek_cols][poll_sub_device_response_configuration_change_counter]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_function_check]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_out_of_specification]} 
%{[zeek_cols][poll_sub_device_response_extended_field_device_status_failure]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][poll_sub_device_response_manufacturer_identification_code]} %{[zeek_cols][poll_sub_device_response_private_label_distributor_code]} %{[zeek_cols][poll_sub_device_response_device_profile]} %{[zeek_cols][read_lock_device_state_response_lock_status_undefined_bits]} %{[zeek_cols][read_lock_device_state_response_lock_status_lock_gateway]} %{[zeek_cols][read_lock_device_state_response_lock_status_configuration_locked]} %{[zeek_cols][read_lock_device_state_response_lock_status_lock_primary]} %{[zeek_cols][read_lock_device_state_response_lock_status_lock_permanent]} %{[zeek_cols][read_lock_device_state_response_lock_status_device_locked]} %{[zeek_cols][write_device_variable_device_variable_code]} %{[zeek_cols][write_device_variable_write_device_variable_command_code]} %{[zeek_cols][write_device_variable_units_code]} %{[zeek_cols][write_device_variable_device_variable_value]} %{[zeek_cols][write_device_variable_device_variable_status_process_data_status]} %{[zeek_cols][write_device_variable_device_variable_status_limit_status]} %{[zeek_cols][write_device_variable_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][write_device_variable_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_trim_points_device_variable_code]} %{[zeek_cols][read_device_variable_trim_points_response_trim_points_units_code]} %{[zeek_cols][read_device_variable_trim_points_response_lower_or_single_trim_point]} %{[zeek_cols][read_device_variable_trim_points_response_upper_trim_point]} %{[zeek_cols][read_device_variable_trim_guidelines_device_variable_guidelines]} 
%{[zeek_cols][write_device_variable_trim_point_device_variable_to_trim]} %{[zeek_cols][write_device_variable_trim_point_trim_point]} %{[zeek_cols][write_device_variable_trim_point_trim_points_units_code]} %{[zeek_cols][write_device_variable_trim_point_trim_point_value]} %{[zeek_cols][reset_device_variable_trim_device_variable_trim_to_reset]} %{[zeek_cols][read_sub_device_identity_summary_sub_device_index]} %{[zeek_cols][read_sub_device_identity_summary_response_io_card]} %{[zeek_cols][read_sub_device_identity_summary_response_channel]} %{[zeek_cols][read_sub_device_identity_summary_response_manufacturer_identification_code]} %{[zeek_cols][read_sub_device_identity_summary_response_expanded_device_type]} %{[zeek_cols][read_sub_device_identity_summary_response_device_id]} %{[zeek_cols][read_sub_device_identity_summary_response_universal_command_revision_level]} %{[zeek_cols][read_sub_device_identity_summary_response_long_tag]} %{[zeek_cols][read_sub_device_identity_summary_response_device_revision]} %{[zeek_cols][read_sub_device_identity_summary_response_device_profile]} %{[zeek_cols][read_sub_device_identity_summary_response_private_label_distributor_code]} %{[zeek_cols][read_io_channel_statistics_io_card]} %{[zeek_cols][read_io_channel_statistics_channel]} %{[zeek_cols][read_io_channel_statistics_response_stx_count]} %{[zeek_cols][read_io_channel_statistics_response_ack_count]} %{[zeek_cols][read_io_channel_statistics_response_ostx_count]} %{[zeek_cols][read_io_channel_statistics_response_oack_count]} %{[zeek_cols][read_io_channel_statistics_response_back_count]} %{[zeek_cols][read_sub_device_statistics_sub_device_index]} %{[zeek_cols][read_sub_device_statistics_response_stx_count]} %{[zeek_cols][read_sub_device_statistics_response_ack_count]} %{[zeek_cols][read_sub_device_statistics_response_back_count]} %{[zeek_cols][write_io_system_master_mode_master_mode]} %{[zeek_cols][write_io_system_retry_count_retry_count]} %{[zeek_cols][set_real_time_clock_time_set_code]} 
%{[zeek_cols][set_real_time_clock_date]} %{[zeek_cols][set_real_time_clock_time_of_day]} %{[zeek_cols][set_real_time_clock_null_bytes]}"
+ }
+ }
+
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_hart_ip_common_commands"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_hart_ip_common_commands"
+ init => "$zeek_hart_ip_common_commands_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'command_number_link_id', 'read_device_variables_request_slot0_device_variable_code', 'read_device_variables_request_slot1_device_variable_code', 'read_device_variables_request_slot2_device_variable_code', 'read_device_variables_request_slot3_device_variable_code', 'read_device_variables_response_slot0_device_variable_code', 'read_device_variables_response_slot0_units_code', 'read_device_variables_response_slot0_device_variable', 'read_device_variables_response_slot1_device_variable_code', 'read_device_variables_response_slot1_units_code', 'read_device_variables_response_slot1_device_variable', 'read_device_variables_response_slot2_device_variable_code', 'read_device_variables_response_slot2_units_code', 'read_device_variables_response_slot2_device_variable', 'read_device_variables_response_slot3_device_variable_code', 'read_device_variables_response_slot3_units_code', 'read_device_variables_response_slot3_device_variable', 'write_primary_variable_damping_value_pv_damping_value', 'write_primary_variable_range_values_pv_upper_and_lower_range_values_units_code', 'write_primary_variable_range_values_pv_upper_range_value', 'write_primary_variable_range_values_p_v_lower_range_value', 'eeprom_control_eeprom_control_code', 'enter_exit_fixed_current_mode_pv_fixed_current_level', 'write_primary_variable_units_pv_unit_codes', 'trim_loop_current_zero_measured_pv_loop_current_level', 'trim_loop_current_gain_measured_pv_loop_current_level', 'write_primary_variable_transfer_function_p_v_transfer_function_code', 'write_primary_variable_transducer_serial_number_pv_transducer_serial_number', 'read_dynamic_variable_assignments_response_device_variable_assigned_to_primary_variable', 'read_dynamic_variable_assignments_response_device_variable_assigned_to_secondary_variable', 'read_dynamic_variable_assignments_response_device_variable_assigned_to_tertiary_variable', 
'read_dynamic_variable_assignments_response_device_variable_assigned_to_quaternary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_primary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_secondary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_tertiary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_quaternary_variable', 'set_device_variable_zero_device_variable_zeroed', 'write_device_variable_units_device_variable_code', 'write_device_variable_units_device_variable_units_code', 'read_device_variable_information_request_device_variable_code', 'read_device_variable_information_response_device_variable_code', 'read_device_variable_information_response_device_variable_transducer_serial_number', 'read_device_variable_information_response_device_variable_limits_minimum_span_units_code', 'read_device_variable_information_response_device_variable_upper_transducer_limit', 'read_device_variable_information_response_device_variable_lower_transducer_limit', 'read_device_variable_information_response_device_variable_damping_value', 'read_device_variable_information_response_device_variable_minimum_span', 'read_device_variable_information_response_device_variable_classification', 'read_device_variable_information_response_device_variable_family', 'read_device_variable_information_response_acquisition_period', 'read_device_variable_information_response_device_variable_properties_is_simulated', 'read_device_variable_information_response_device_variable_properties_undefined_bits_1_6', 'read_device_variable_information_response_device_variable_properties_is_input', 'write_device_variable_damping_value_device_variable_code', 'write_device_variable_damping_value_device_variable_damping_value', 'write_device_variable_transducer_serial_no_device_variable_code', 'write_device_variable_transducer_serial_no_device_variable_transducer_serial_number', 
'read_unit_tag_descriptor_date_response_unit_tag', 'read_unit_tag_descriptor_date_response_unit_descriptor', 'read_unit_tag_descriptor_date_response_unit_date', 'write_unit_tag_descriptor_date_unit_tag', 'write_unit_tag_descriptor_date_unit_descriptor', 'write_unit_tag_descriptor_date_unit_date', 'write_number_of_response_preambles_number_of_preambles', 'read_analog_channel_and_percent_of_range_request_analog_channel_number_code', 'read_analog_channel_and_percent_of_range_response_analog_channel_number_code', 'read_analog_channel_and_percent_of_range_response_analog_channel_units_code', 'read_analog_channel_and_percent_of_range_response_analog_channel_level', 'read_analog_channel_and_percent_of_range_response_analog_channel_percent_of_range', 'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_channel_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_level', 'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable', 'read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable', 'read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable', 'read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable', 'read_analog_channels_request_analog_channel_number_code_slot0', 'read_analog_channels_request_analog_channel_number_code_slot1', 'read_analog_channels_request_analog_channel_number_code_slot2', 'read_analog_channels_request_analog_channel_number_code_slot3', 
'read_analog_channels_response_analog_channel_number_code_slot0', 'read_analog_channels_response_analog_channel_units_code_slot0', 'read_analog_channels_response_analog_channel_level_slot0', 'read_analog_channels_response_analog_channel_number_code_slot1', 'read_analog_channels_response_analog_channel_units_code_slot1', 'read_analog_channels_response_analog_channel_level_slot1', 'read_analog_channels_response_analog_channel_number_code_slot2', 'read_analog_channels_response_analog_channel_units_code_slot2', 'read_analog_channels_response_analog_channel_level_slot2', 'read_analog_channels_response_analog_channel_number_code_slot3', 'read_analog_channels_response_analog_channel_units_code_slot3', 'read_analog_channels_response_analog_channel_level_slot3', 'read_analog_channel_information_request_analog_channel_number_code', 'read_analog_channel_information_response_analog_channel_number_code', 'read_analog_channel_information_response_analog_channel_alarm_selection_code', 'read_analog_channel_information_response_analog_channel_transfer_function_code', 'read_analog_channel_information_response_analog_channel_upper_and_lower_range_values_units_code', 'read_analog_channel_information_response_analog_channel_upper_range_value', 'read_analog_channel_information_response_analog_channel_lower_range_value', 'read_analog_channel_information_response_analog_channel_damping_value', 'read_analog_channel_information_response_analog_channel_flags_is_simulated', 'read_analog_channel_information_response_analog_channel_flags_undefined_bits_1_6', 'read_analog_channel_information_response_analog_channel_flags_is_input', 'write_analog_channel_additional_damping_value_analog_channel_number_code', 'write_analog_channel_additional_damping_value_analog_channel_damping_value', 'write_analog_channel_range_values_analog_channel_number_code', 'write_analog_channel_range_values_analog_channel_upper_and_lower_range_values_units_code', 
'write_analog_channel_range_values_analog_channel_upper_range_value', 'write_analog_channel_range_values_analog_channel_lower_range_value', 'enter_exit_fixed_analog_channel_mode_analog_channel_number_code', 'enter_exit_fixed_analog_channel_mode_analog_channel_units_code', 'enter_exit_fixed_analog_channel_mode_fixed_analog_channel_level', 'trim_analog_channel_zero_analog_channel_number_code', 'trim_analog_channel_zero_analog_channel_units_code', 'trim_analog_channel_zero_analog_channel_level', 'trim_analog_channel_gain_analog_channel_number_code', 'trim_analog_channel_gain_analog_channel_units_code', 'trim_analog_channel_gain_analog_channel_level', 'write_analog_channel_transfer_function_analog_channel_number_code', 'write_analog_channel_transfer_function_analog_channel_units_code', 'read_analog_channel_endpoint_values_request_analog_channel_number_code', 'read_analog_channel_endpoint_values_response_analog_channel_number_code', 'read_analog_channel_endpoint_values_response_analog_channel_upper_and_lower_endpoint_values_units_code', 'read_analog_channel_endpoint_values_response_analog_channel_upper_endpoint_value', 'read_analog_channel_endpoint_values_response_analog_channel_lower_endpoint_value', 'read_analog_channel_endpoint_values_response_analog_channel_upper_limit_value', 'read_analog_channel_endpoint_values_response_analog_channel_lower_limit_value', 'lock_device_lock_code', 'squawk_squawk_control', 'find_device_response_254', 'find_device_response_expanded_device_type', 'find_device_response_minimum_preambles_master_slave', 'find_device_response_hart_protocol_major_revision', 'find_device_response_device_revision_level', 'find_device_response_software_revision_level', 'find_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'find_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'find_device_response_flags_c8_psk_in_multi_drop_only', 
'find_device_response_flags_c8_psk_capable_field_device', 'find_device_response_flags_undefined_5', 'find_device_response_flags_safehart_capable_field_device', 'find_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'find_device_response_flags_protocol_bridge_device', 'find_device_response_flags_eeprom_control', 'find_device_response_flags_mutli_sensor_field_device', 'find_device_response_device_id', 'find_device_response_number_preambles_slave_master', 'find_device_response_last_device_variable_this', 'find_device_response_configuration_change_counter', 'find_device_response_extended_field_device_status_undefined_bits', 'find_device_response_extended_field_device_status_function_check', 'find_device_response_extended_field_device_status_out_of_specification', 'find_device_response_extended_field_device_status_failure', 'find_device_response_extended_field_device_status_critical_power_failure', 'find_device_response_extended_field_device_status_device_variable_alert', 'find_device_response_extended_field_device_status_maintenance_required', 'find_device_response_manufacturer_identification_code', 'find_device_response_private_label_distributor_code', 'find_device_response_device_profile', 'read_io_system_capabilities_response_max_io_cards', 'read_io_system_capabilities_response_max_channels_per_io_card', 'read_io_system_capabilities_response_max_sub_devices_per_channel', 'read_io_system_capabilities_response_number_of_devices_detected', 'read_io_system_capabilities_response_max_delayed_responses_supported', 'read_io_system_capabilities_response_master_mode', 'read_io_system_capabilities_response_retry_count', 'poll_sub_device_request_io_card', 'poll_sub_device_request_channel', 'poll_sub_device_request_sub_device_polling_address', 'poll_sub_device_response_254', 'poll_sub_device_response_expanded_device_type', 'poll_sub_device_response_minimum_preambles_master_slave', 'poll_sub_device_response_hart_protocol_major_revision', 
'poll_sub_device_response_device_revision_level', 'poll_sub_device_response_software_revision_level', 'poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'poll_sub_device_response_flags_c8_psk_in_multi_drop_only', 'poll_sub_device_response_flags_c8_psk_capable_field_device', 'poll_sub_device_response_flags_undefined_5', 'poll_sub_device_response_flags_safehart_capable_field_device', 'poll_sub_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'poll_sub_device_response_flags_protocol_bridge_device', 'poll_sub_device_response_flags_eeprom_control', 'poll_sub_device_response_flags_mutli_sensor_field_device', 'poll_sub_device_response_device_id', 'poll_sub_device_response_number_preambles_slave_master', 'poll_sub_device_response_last_device_variable_this', 'poll_sub_device_response_configuration_change_counter', 'poll_sub_device_response_extended_field_device_status_undefined_bits', 'poll_sub_device_response_extended_field_device_status_function_check', 'poll_sub_device_response_extended_field_device_status_out_of_specification', 'poll_sub_device_response_extended_field_device_status_failure', 'poll_sub_device_response_extended_field_device_status_critical_power_failure', 'poll_sub_device_response_extended_field_device_status_device_variable_alert', 'poll_sub_device_response_extended_field_device_status_maintenance_required', 'poll_sub_device_response_manufacturer_identification_code', 'poll_sub_device_response_private_label_distributor_code', 'poll_sub_device_response_device_profile', 'read_lock_device_state_response_lock_status_undefined_bits', 'read_lock_device_state_response_lock_status_lock_gateway', 'read_lock_device_state_response_lock_status_configuration_locked', 'read_lock_device_state_response_lock_status_lock_primary', 'read_lock_device_state_response_lock_status_lock_permanent', 
'read_lock_device_state_response_lock_status_device_locked', 'write_device_variable_device_variable_code', 'write_device_variable_write_device_variable_command_code', 'write_device_variable_units_code', 'write_device_variable_device_variable_value', 'write_device_variable_device_variable_status_process_data_status', 'write_device_variable_device_variable_status_limit_status', 'write_device_variable_device_variable_status_more_device_variable_status_available', 'write_device_variable_device_variable_status_device_family_specific_status', 'read_device_variable_trim_points_device_variable_code', 'read_device_variable_trim_points_response_trim_points_units_code', 'read_device_variable_trim_points_response_lower_or_single_trim_point', 'read_device_variable_trim_points_response_upper_trim_point', 'read_device_variable_trim_guidelines_device_variable_guidelines', 'write_device_variable_trim_point_device_variable_to_trim', 'write_device_variable_trim_point_trim_point', 'write_device_variable_trim_point_trim_points_units_code', 'write_device_variable_trim_point_trim_point_value', 'reset_device_variable_trim_device_variable_trim_to_reset', 'read_sub_device_identity_summary_sub_device_index', 'read_sub_device_identity_summary_response_io_card', 'read_sub_device_identity_summary_response_channel', 'read_sub_device_identity_summary_response_manufacturer_identification_code', 'read_sub_device_identity_summary_response_expanded_device_type', 'read_sub_device_identity_summary_response_device_id', 'read_sub_device_identity_summary_response_universal_command_revision_level', 'read_sub_device_identity_summary_response_long_tag', 'read_sub_device_identity_summary_response_device_revision', 'read_sub_device_identity_summary_response_device_profile', 'read_sub_device_identity_summary_response_private_label_distributor_code', 'read_io_channel_statistics_io_card', 'read_io_channel_statistics_channel', 'read_io_channel_statistics_response_stx_count', 
'read_io_channel_statistics_response_ack_count', 'read_io_channel_statistics_response_ostx_count', 'read_io_channel_statistics_response_oack_count', 'read_io_channel_statistics_response_back_count', 'read_sub_device_statistics_sub_device_index', 'read_sub_device_statistics_response_stx_count', 'read_sub_device_statistics_response_ack_count', 'read_sub_device_statistics_response_back_count', 'write_io_system_master_mode_master_mode', 'write_io_system_retry_count_retry_count', 'set_real_time_clock_time_set_code', 'set_real_time_clock_date', 'set_real_time_clock_time_of_day', 'set_real_time_clock_null_bytes' ]"
+ code => "event.set('[zeek_cols]', $zeek_hart_ip_common_commands_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_hart_ip_common_commands"
+ add_field => {
+ "[zeek_cols][service]" => "hart_ip"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ # These fields are basically just placeholders we don't want to store the raw data for.
+ mutate { id => "mutate_remove_field_zeek_hart_ip_common_commands_useless"
+ remove_field => [ "[zeek][hart_ip][token_passing_pdu_contents_data_data]",
+ "[zeek][hart_ip][message_packet_bytes]",
+ "[zeek][hart_ip][token_passing_pdu_contents_data_data]" ] }
+
+
+ } else if ([log_source] == "hart_ip_direct_pdu_command") {
+ #############################################################################################################################
+ # hart_ip_direct_pdu_command.log
+ # main.zeek (https://github.com/cisagov/icsnpp-hart-ip)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_hart_ip_direct_pdu_command"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][direct_pdu_command_link_id]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][direct_pdu_command_data_data]} %{[zeek_cols][direct_pdu_command_command_number]} %{[zeek_cols][direct_pdu_command_byte_count]} %{[zeek_cols][direct_pdu_contents_response_response_code]}"
+ }
+ }
+
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_hart_ip_direct_pdu_command"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_hart_ip_direct_pdu_command"
+ init => "$zeek_hart_ip_direct_pdu_command_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'direct_pdu_command_link_id', 'command_number_link_id', 'direct_pdu_command_data_data', 'direct_pdu_command_command_number', 'direct_pdu_command_byte_count', 'direct_pdu_contents_response_response_code' ]"
+ code => "event.set('[zeek_cols]', $zeek_hart_ip_direct_pdu_command_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_hart_ip_direct_pdu_command"
+ add_field => {
+ "[zeek_cols][service]" => "hart_ip"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "hart_ip") {
+ #############################################################################################################################
+ # hart_ip.log
+ # main.zeek (https://github.com/cisagov/icsnpp-hart-ip)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_hart_ip"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][direct_pdu_command_link_id]} %{[zeek_cols][session_log_record_link_id]} %{[zeek_cols][message_packet_bytes]} %{[zeek_cols][header_version]} %{[zeek_cols][header_message_type_reserved]} %{[zeek_cols][header_message_type_message_type]} %{[zeek_cols][header_message_id]} %{[zeek_cols][header_status_code]} %{[zeek_cols][header_sequence_number]} %{[zeek_cols][header_length]} %{[zeek_cols][session_initiate_master_type]} %{[zeek_cols][session_initiate_inactivity_close_timer]} %{[zeek_cols][token_passing_pdu_delimiter_address_type]} %{[zeek_cols][token_passing_pdu_delimiter_expansion_bytes]} %{[zeek_cols][token_passing_pdu_delimiter_physical_layer_type]} %{[zeek_cols][token_passing_pdu_delimiter_frame_type]} %{[zeek_cols][token_passing_pdu_address_v4]} %{[zeek_cols][token_passing_pdu_address_v6]} %{[zeek_cols][token_passing_pdu_command_number]} %{[zeek_cols][token_passing_pdu_byte_count]} %{[zeek_cols][token_passing_pdu_check_byte]} %{[zeek_cols][token_passing_pdu_contents_data_data]} %{[zeek_cols][token_passing_pdu_contents_response_response_code]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_device_malfunction]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_configuration_changed]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_cold_start]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_more_status_available]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_loop_current_fixed]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_loop_current_saturated]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_non_primary_variable_out_of_limits]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_primary_variable_out_of_limits]} 
%{[zeek_cols][direct_pdu_device_status_device_malfunction]} %{[zeek_cols][direct_pdu_device_status_configuration_changed]} %{[zeek_cols][direct_pdu_device_status_cold_start]} %{[zeek_cols][direct_pdu_device_status_more_status_available]} %{[zeek_cols][direct_pdu_device_status_loop_current_fixed]} %{[zeek_cols][direct_pdu_device_status_loop_current_saturated]} %{[zeek_cols][direct_pdu_device_status_non_primary_variable_out_of_limits]} %{[zeek_cols][direct_pdu_device_status_primary_variable_out_of_limits]} %{[zeek_cols][direct_pdu_extended_status_undefined_bits]} %{[zeek_cols][direct_pdu_extended_status_function_check]} %{[zeek_cols][direct_pdu_extended_status_out_of_specification]} %{[zeek_cols][direct_pdu_extended_status_failure]} %{[zeek_cols][direct_pdu_extended_status_critical_power_failure]} %{[zeek_cols][direct_pdu_extended_status_device_variable_alert]} %{[zeek_cols][direct_pdu_extended_status_maintenance_required]} %{[zeek_cols][read_audit_log_start_record]} %{[zeek_cols][read_audit_log_number_of_records]} %{[zeek_cols][read_audit_log_power_up_time]} %{[zeek_cols][read_audit_log_last_security_change]} %{[zeek_cols][read_audit_log_server_status_undefined_bits]} %{[zeek_cols][read_audit_log_server_status_insecure_syslog_connection]} %{[zeek_cols][read_audit_log_server_status_syslog_server_located_but_connection_failed]} %{[zeek_cols][read_audit_log_server_status_unable_to_locate_syslog_server]} %{[zeek_cols][read_audit_log_session_record_size]}"
+ }
+ }
+
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_hart_ip"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_hart_ip"
+ init => "$zeek_hart_ip_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'command_number_link_id', 'direct_pdu_command_link_id', 'session_log_record_link_id', 'message_packet_bytes', 'header_version', 'header_message_type_reserved', 'header_message_type_message_type', 'header_message_id', 'header_status_code', 'header_sequence_number', 'header_length', 'session_initiate_master_type', 'session_initiate_inactivity_close_timer', 'token_passing_pdu_delimiter_address_type', 'token_passing_pdu_delimiter_expansion_bytes', 'token_passing_pdu_delimiter_physical_layer_type', 'token_passing_pdu_delimiter_frame_type', 'token_passing_pdu_address_v4', 'token_passing_pdu_address_v6', 'token_passing_pdu_command_number', 'token_passing_pdu_byte_count', 'token_passing_pdu_check_byte', 'token_passing_pdu_contents_data_data', 'token_passing_pdu_contents_response_response_code', 'token_passing_pdu_contents_response_device_status_device_malfunction', 'token_passing_pdu_contents_response_device_status_configuration_changed', 'token_passing_pdu_contents_response_device_status_cold_start', 'token_passing_pdu_contents_response_device_status_more_status_available', 'token_passing_pdu_contents_response_device_status_loop_current_fixed', 'token_passing_pdu_contents_response_device_status_loop_current_saturated', 'token_passing_pdu_contents_response_device_status_non_primary_variable_out_of_limits', 'token_passing_pdu_contents_response_device_status_primary_variable_out_of_limits', 'direct_pdu_device_status_device_malfunction', 'direct_pdu_device_status_configuration_changed', 'direct_pdu_device_status_cold_start', 'direct_pdu_device_status_more_status_available', 'direct_pdu_device_status_loop_current_fixed', 'direct_pdu_device_status_loop_current_saturated', 'direct_pdu_device_status_non_primary_variable_out_of_limits', 'direct_pdu_device_status_primary_variable_out_of_limits', 'direct_pdu_extended_status_undefined_bits', 
'direct_pdu_extended_status_function_check', 'direct_pdu_extended_status_out_of_specification', 'direct_pdu_extended_status_failure', 'direct_pdu_extended_status_critical_power_failure', 'direct_pdu_extended_status_device_variable_alert', 'direct_pdu_extended_status_maintenance_required', 'read_audit_log_start_record', 'read_audit_log_number_of_records', 'read_audit_log_power_up_time', 'read_audit_log_last_security_change', 'read_audit_log_server_status_undefined_bits', 'read_audit_log_server_status_insecure_syslog_connection', 'read_audit_log_server_status_syslog_server_located_but_connection_failed', 'read_audit_log_server_status_unable_to_locate_syslog_server', 'read_audit_log_session_record_size' ]"
+ code => "event.set('[zeek_cols]', $zeek_hart_ip_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_hart_ip"
+ add_field => {
+ "[zeek_cols][service]" => "hart_ip"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "hart_ip_session_record") {
+ #############################################################################################################################
+ # hart_ip_session_record.log
+ # main.zeek (https://github.com/cisagov/icsnpp-hart-ip)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_hart_ip_session_record"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][session_log_record_link_id]} %{[zeek_cols][session_log_record_client_i_pv4_address]} %{[zeek_cols][session_log_record_client_i_pv6_address]} %{[zeek_cols][session_log_record_client_port]} %{[zeek_cols][session_log_record_server_port]} %{[zeek_cols][session_log_record_connect_time]} %{[zeek_cols][session_log_record_disconnect_time]} %{[zeek_cols][session_log_record_session_status_summary_undefined_bits]} %{[zeek_cols][session_log_record_session_status_summary_insecure_session]} %{[zeek_cols][session_log_record_session_status_summary_session_timeout]} %{[zeek_cols][session_log_record_session_status_summary_aborted_session]} %{[zeek_cols][session_log_record_session_status_summary_bad_session_initialization]} %{[zeek_cols][session_log_record_session_status_summary_writes_occured]} %{[zeek_cols][session_log_record_start_configuration_change_count]} %{[zeek_cols][session_log_record_end_configuration_change_count]} %{[zeek_cols][session_log_record_num_publish_pdu]} %{[zeek_cols][session_log_record_num_request_pdu]} %{[zeek_cols][session_log_record_num_response_pdu]}"
+ }
+ }
+
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_hart_ip_session_record"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_hart_ip_session_record"
+ init => "$zeek_hart_ip_session_record_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'session_log_record_link_id', 'session_log_record_client_i_pv4_address', 'session_log_record_client_i_pv6_address', 'session_log_record_client_port', 'session_log_record_server_port', 'session_log_record_connect_time', 'session_log_record_disconnect_time', 'session_log_record_session_status_summary_undefined_bits', 'session_log_record_session_status_summary_insecure_session', 'session_log_record_session_status_summary_session_timeout', 'session_log_record_session_status_summary_aborted_session', 'session_log_record_session_status_summary_bad_session_initialization', 'session_log_record_session_status_summary_writes_occured', 'session_log_record_start_configuration_change_count', 'session_log_record_end_configuration_change_count', 'session_log_record_num_publish_pdu', 'session_log_record_num_request_pdu', 'session_log_record_num_response_pdu' ]"
+ code => "event.set('[zeek_cols]', $zeek_hart_ip_session_record_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_hart_ip_session_record"
+ add_field => {
+ "[zeek_cols][service]" => "hart_ip"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "hart_ip_universal_commands") {
+ #############################################################################################################################
+ # hart_ip_universal_commands.log
+ # main.zeek (https://github.com/cisagov/icsnpp-hart-ip)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_hart_ip_universal_commands"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][read_unique_identifier_response_254]} %{[zeek_cols][read_unique_identifier_response_expanded_device_type]} %{[zeek_cols][read_unique_identifier_response_minimum_preambles_master_slave]} %{[zeek_cols][read_unique_identifier_response_hart_protocol_major_revision]} %{[zeek_cols][read_unique_identifier_response_device_revision_level]} %{[zeek_cols][read_unique_identifier_response_software_revision_level]} %{[zeek_cols][read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][read_unique_identifier_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][read_unique_identifier_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][read_unique_identifier_response_flags_undefined_5]} %{[zeek_cols][read_unique_identifier_response_flags_safehart_capable_field_device]} %{[zeek_cols][read_unique_identifier_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][read_unique_identifier_response_flags_protocol_bridge_device]} %{[zeek_cols][read_unique_identifier_response_flags_eeprom_control]} %{[zeek_cols][read_unique_identifier_response_flags_mutli_sensor_field_device]} %{[zeek_cols][read_unique_identifier_response_device_id]} %{[zeek_cols][read_unique_identifier_response_number_preambles_slave_master]} %{[zeek_cols][read_unique_identifier_response_last_device_variable_this]} %{[zeek_cols][read_unique_identifier_response_configuration_change_counter]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_function_check]} 
%{[zeek_cols][read_unique_identifier_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_failure]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_unique_identifier_response_manufacturer_identification_code]} %{[zeek_cols][read_unique_identifier_response_private_label_distributor_code]} %{[zeek_cols][read_unique_identifier_response_device_profile]} %{[zeek_cols][read_primary_variable_response_primary_variable_units]} %{[zeek_cols][read_primary_variable_response_primary_variable]} %{[zeek_cols][read_loop_current_response_primary_variable_loop_current]} %{[zeek_cols][read_loop_current_response_primary_variable_percent_range]} %{[zeek_cols][read_dynamic_variable_response_primary_variable_loop_current]} %{[zeek_cols][read_dynamic_variable_response_primary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_primary_variable]} %{[zeek_cols][read_dynamic_variable_response_secondary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_secondary_variable]} %{[zeek_cols][read_dynamic_variable_response_tertiary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_tertiary_variable]} %{[zeek_cols][read_dynamic_variable_response_quaternary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_quaternary_variable]} %{[zeek_cols][write_polling_address_polling_address_device]} %{[zeek_cols][write_polling_address_loop_current_mode]} %{[zeek_cols][read_loop_configuration_response_polling_address_device]} %{[zeek_cols][read_loop_configuration_response_loop_current_mode]} %{[zeek_cols][read_dynamic_variable_classifications_response_primary_variable_classification]} 
%{[zeek_cols][read_dynamic_variable_classifications_response_secondary_variable_classification]} %{[zeek_cols][read_dynamic_variable_classifications_response_tertiary_variable_classification]} %{[zeek_cols][read_dynamic_variable_classifications_response_quaternary_variable_classification]} %{[zeek_cols][read_device_variable_request_slot0_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot1_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot2_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot3_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot4_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot5_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot6_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot7_device_variable_code]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_function_check]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_failure]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot0_units_code]} %{[zeek_cols][read_device_variable_response_slot0_device_variable]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_status_limit_status]} 
%{[zeek_cols][read_device_variable_response_slot0_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot1_units_code]} %{[zeek_cols][read_device_variable_response_slot1_device_variable]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot2_units_code]} %{[zeek_cols][read_device_variable_response_slot2_device_variable]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot3_units_code]} %{[zeek_cols][read_device_variable_response_slot3_device_variable]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_status_process_data_status]} 
%{[zeek_cols][read_device_variable_response_slot3_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot4_units_code]} %{[zeek_cols][read_device_variable_response_slot4_device_variable]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot5_units_code]} %{[zeek_cols][read_device_variable_response_slot5_device_variable]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot6_units_code]} %{[zeek_cols][read_device_variable_response_slot6_device_variable]} 
%{[zeek_cols][read_device_variable_response_slot6_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot7_units_code]} %{[zeek_cols][read_device_variable_response_slot7_device_variable]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot0_time]} %{[zeek_cols][read_unique_identifier_tag_request_tag]} %{[zeek_cols][read_unique_identifier_tag_response_254]} %{[zeek_cols][read_unique_identifier_tag_response_expanded_device_type]} %{[zeek_cols][read_unique_identifier_tag_response_minimum_preambles_master_slave]} %{[zeek_cols][read_unique_identifier_tag_response_hart_protocol_major_revision]} %{[zeek_cols][read_unique_identifier_tag_response_device_revision_level]} %{[zeek_cols][read_unique_identifier_tag_response_software_revision_level]} %{[zeek_cols][read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][read_unique_identifier_tag_response_flags_c8_psk_in_multi_drop_only]} 
%{[zeek_cols][read_unique_identifier_tag_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][read_unique_identifier_tag_response_flags_undefined_5]} %{[zeek_cols][read_unique_identifier_tag_response_flags_safehart_capable_field_device]} %{[zeek_cols][read_unique_identifier_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][read_unique_identifier_tag_response_flags_protocol_bridge_device]} %{[zeek_cols][read_unique_identifier_tag_response_flags_eeprom_control]} %{[zeek_cols][read_unique_identifier_tag_response_flags_mutli_sensor_field_device]} %{[zeek_cols][read_unique_identifier_tag_response_device_id]} %{[zeek_cols][read_unique_identifier_tag_response_number_preambles_slave_master]} %{[zeek_cols][read_unique_identifier_tag_response_last_device_variable_this]} %{[zeek_cols][read_unique_identifier_tag_response_configuration_change_counter]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_function_check]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_failure]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_unique_identifier_tag_response_manufacturer_identification_code]} %{[zeek_cols][read_unique_identifier_tag_response_private_label_distributor_code]} %{[zeek_cols][read_unique_identifier_tag_response_device_profile]} %{[zeek_cols][read_message_response_message]} %{[zeek_cols][read_tag_response_tag]} %{[zeek_cols][read_tag_response_descriptor]} %{[zeek_cols][read_tag_response_date_code]} 
%{[zeek_cols][read_primary_variable_transducer_information_response_p_v_transducer_serial_number]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_transducer_limits_units]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_upper_transducer_limit]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_lower_transducer_limit]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_minimum_span]} %{[zeek_cols][read_device_information_response_p_v_alarm_selection_code]} %{[zeek_cols][read_device_information_response_p_v_transfer_function_code]} %{[zeek_cols][read_device_information_response_p_v_upper_lower_range]} %{[zeek_cols][read_device_information_response_p_v_upper_range_value]} %{[zeek_cols][read_device_information_response_p_v_lower_range_value]} %{[zeek_cols][read_device_information_response_p_v_damping_value]} %{[zeek_cols][read_device_information_response_write_protect_code]} %{[zeek_cols][read_device_information_response_250]} %{[zeek_cols][read_device_information_response_p_v_analog_channel_flags_undefined_bits]} %{[zeek_cols][read_device_information_response_p_v_analog_channel_flags_analog_channel]} %{[zeek_cols][read_final_assembly_number_response_final_assembly_number]} %{[zeek_cols][write_message_message_string]} %{[zeek_cols][write_tag_descriptor_date_tag]} %{[zeek_cols][write_tag_descriptor_date_record_keeping_descriptor]} %{[zeek_cols][write_tag_descriptor_date_date_code]} %{[zeek_cols][write_final_assembly_number_final_assembly_number]} %{[zeek_cols][read_long_tag_response_long_tag]} %{[zeek_cols][read_unique_identifier_long_tag_request_long_tag]} %{[zeek_cols][read_unique_identifier_long_tag_response_254]} %{[zeek_cols][read_unique_identifier_long_tag_response_expanded_device_type]} %{[zeek_cols][read_unique_identifier_long_tag_response_minimum_preambles_master_slave]} %{[zeek_cols][read_unique_identifier_long_tag_response_hart_protocol_major_revision]} 
%{[zeek_cols][read_unique_identifier_long_tag_response_device_revision_level]} %{[zeek_cols][read_unique_identifier_long_tag_response_software_revision_level]} %{[zeek_cols][read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_undefined_5]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_safehart_capable_field_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_protocol_bridge_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_eeprom_control]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_mutli_sensor_field_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_device_id]} %{[zeek_cols][read_unique_identifier_long_tag_response_number_preambles_slave_master]} %{[zeek_cols][read_unique_identifier_long_tag_response_last_device_variable_this]} %{[zeek_cols][read_unique_identifier_long_tag_response_configuration_change_counter]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_function_check]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_failure]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_critical_power_failure]} 
%{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_unique_identifier_long_tag_response_manufacturer_identification_code]} %{[zeek_cols][read_unique_identifier_long_tag_response_private_label_distributor_code]} %{[zeek_cols][read_unique_identifier_long_tag_response_device_profile]} %{[zeek_cols][write_long_tag_long_tag]} %{[zeek_cols][reset_configuration_changed_flag_configuration_change_counter]} %{[zeek_cols][read_additional_device_status_contents_device_specific_status_0]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_function_check]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_failure]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_additional_device_status_contents_device_operating_mode]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_device_configuration_lock]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_electronic_defect]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_environmental_conditions_out_of_range]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_power_supply_conditions_out_of_range]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_watchdog_reset_executed]} 
%{[zeek_cols][read_additional_device_status_contents_standardized_status0_volatile_memory_defect]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_non_volatile_memory_defect]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_device_variable_simulation_active]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_reserved]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_battery_or_power_supply_needs_maintenance]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_event_notification_overflow]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_discrete_variable_simulation_active]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_status_simulation_active]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_quinary_analog]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_quaternary_analog]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_tertiary_analog]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_secondary_analog]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_stale_data_notice]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_sub_device_with_duplicate_id]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_sub_device_mismatch]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_duplicate_master_detected]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_sub_device_list_changed]} 
%{[zeek_cols][read_additional_device_status_contents_standardized_status3_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_radio_failure]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_block_transfer_pending]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_bandwith_allocation_pending]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_resereved]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_capacity_denied]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_analog_channel]} %{[zeek_cols][read_additional_device_status_contents_device_specific_status_1]}"
+ }
+ }
+
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_hart_ip_universal_commands"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_hart_ip_universal_commands"
+ init => "$zeek_hart_ip_universal_commands_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'command_number_link_id', 'read_unique_identifier_response_254', 'read_unique_identifier_response_expanded_device_type', 'read_unique_identifier_response_minimum_preambles_master_slave', 'read_unique_identifier_response_hart_protocol_major_revision', 'read_unique_identifier_response_device_revision_level', 'read_unique_identifier_response_software_revision_level', 'read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'read_unique_identifier_response_flags_c8_psk_in_multi_drop_only', 'read_unique_identifier_response_flags_c8_psk_capable_field_device', 'read_unique_identifier_response_flags_undefined_5', 'read_unique_identifier_response_flags_safehart_capable_field_device', 'read_unique_identifier_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'read_unique_identifier_response_flags_protocol_bridge_device', 'read_unique_identifier_response_flags_eeprom_control', 'read_unique_identifier_response_flags_mutli_sensor_field_device', 'read_unique_identifier_response_device_id', 'read_unique_identifier_response_number_preambles_slave_master', 'read_unique_identifier_response_last_device_variable_this', 'read_unique_identifier_response_configuration_change_counter', 'read_unique_identifier_response_extended_field_device_status_undefined_bits', 'read_unique_identifier_response_extended_field_device_status_function_check', 'read_unique_identifier_response_extended_field_device_status_out_of_specification', 'read_unique_identifier_response_extended_field_device_status_failure', 'read_unique_identifier_response_extended_field_device_status_critical_power_failure', 'read_unique_identifier_response_extended_field_device_status_device_variable_alert', 
'read_unique_identifier_response_extended_field_device_status_maintenance_required', 'read_unique_identifier_response_manufacturer_identification_code', 'read_unique_identifier_response_private_label_distributor_code', 'read_unique_identifier_response_device_profile', 'read_primary_variable_response_primary_variable_units', 'read_primary_variable_response_primary_variable', 'read_loop_current_response_primary_variable_loop_current', 'read_loop_current_response_primary_variable_percent_range', 'read_dynamic_variable_response_primary_variable_loop_current', 'read_dynamic_variable_response_primary_variable_units', 'read_dynamic_variable_response_primary_variable', 'read_dynamic_variable_response_secondary_variable_units', 'read_dynamic_variable_response_secondary_variable', 'read_dynamic_variable_response_tertiary_variable_units', 'read_dynamic_variable_response_tertiary_variable', 'read_dynamic_variable_response_quaternary_variable_units', 'read_dynamic_variable_response_quaternary_variable', 'write_polling_address_polling_address_device', 'write_polling_address_loop_current_mode', 'read_loop_configuration_response_polling_address_device', 'read_loop_configuration_response_loop_current_mode', 'read_dynamic_variable_classifications_response_primary_variable_classification', 'read_dynamic_variable_classifications_response_secondary_variable_classification', 'read_dynamic_variable_classifications_response_tertiary_variable_classification', 'read_dynamic_variable_classifications_response_quaternary_variable_classification', 'read_device_variable_request_slot0_device_variable_code', 'read_device_variable_request_slot1_device_variable_code', 'read_device_variable_request_slot2_device_variable_code', 'read_device_variable_request_slot3_device_variable_code', 'read_device_variable_request_slot4_device_variable_code', 'read_device_variable_request_slot5_device_variable_code', 'read_device_variable_request_slot6_device_variable_code', 
'read_device_variable_request_slot7_device_variable_code', 'read_device_variable_response_extended_field_device_status_undefined_bits', 'read_device_variable_response_extended_field_device_status_function_check', 'read_device_variable_response_extended_field_device_status_out_of_specification', 'read_device_variable_response_extended_field_device_status_failure', 'read_device_variable_response_extended_field_device_status_critical_power_failure', 'read_device_variable_response_extended_field_device_status_device_variable_alert', 'read_device_variable_response_extended_field_device_status_maintenance_required', 'read_device_variable_response_slot0_device_variable_code', 'read_device_variable_response_slot0_device_variable_class', 'read_device_variable_response_slot0_units_code', 'read_device_variable_response_slot0_device_variable', 'read_device_variable_response_slot0_device_variable_status_process_data_status', 'read_device_variable_response_slot0_device_variable_status_limit_status', 'read_device_variable_response_slot0_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot0_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot1_device_variable_code', 'read_device_variable_response_slot1_device_variable_class', 'read_device_variable_response_slot1_units_code', 'read_device_variable_response_slot1_device_variable', 'read_device_variable_response_slot1_device_variable_status_process_data_status', 'read_device_variable_response_slot1_device_variable_status_limit_status', 'read_device_variable_response_slot1_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot1_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot2_device_variable_code', 'read_device_variable_response_slot2_device_variable_class', 'read_device_variable_response_slot2_units_code', 'read_device_variable_response_slot2_device_variable', 
'read_device_variable_response_slot2_device_variable_status_process_data_status', 'read_device_variable_response_slot2_device_variable_status_limit_status', 'read_device_variable_response_slot2_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot2_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot3_device_variable_code', 'read_device_variable_response_slot3_device_variable_class', 'read_device_variable_response_slot3_units_code', 'read_device_variable_response_slot3_device_variable', 'read_device_variable_response_slot3_device_variable_status_process_data_status', 'read_device_variable_response_slot3_device_variable_status_limit_status', 'read_device_variable_response_slot3_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot3_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot4_device_variable_code', 'read_device_variable_response_slot4_device_variable_class', 'read_device_variable_response_slot4_units_code', 'read_device_variable_response_slot4_device_variable', 'read_device_variable_response_slot4_device_variable_status_process_data_status', 'read_device_variable_response_slot4_device_variable_status_limit_status', 'read_device_variable_response_slot4_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot4_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot5_device_variable_code', 'read_device_variable_response_slot5_device_variable_class', 'read_device_variable_response_slot5_units_code', 'read_device_variable_response_slot5_device_variable', 'read_device_variable_response_slot5_device_variable_status_process_data_status', 'read_device_variable_response_slot5_device_variable_status_limit_status', 'read_device_variable_response_slot5_device_variable_status_more_device_variable_status_available', 
'read_device_variable_response_slot5_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot6_device_variable_code', 'read_device_variable_response_slot6_device_variable_class', 'read_device_variable_response_slot6_units_code', 'read_device_variable_response_slot6_device_variable', 'read_device_variable_response_slot6_device_variable_status_process_data_status', 'read_device_variable_response_slot6_device_variable_status_limit_status', 'read_device_variable_response_slot6_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot6_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot7_device_variable_code', 'read_device_variable_response_slot7_device_variable_class', 'read_device_variable_response_slot7_units_code', 'read_device_variable_response_slot7_device_variable', 'read_device_variable_response_slot7_device_variable_status_process_data_status', 'read_device_variable_response_slot7_device_variable_status_limit_status', 'read_device_variable_response_slot7_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot7_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot0_time', 'read_unique_identifier_tag_request_tag', 'read_unique_identifier_tag_response_254', 'read_unique_identifier_tag_response_expanded_device_type', 'read_unique_identifier_tag_response_minimum_preambles_master_slave', 'read_unique_identifier_tag_response_hart_protocol_major_revision', 'read_unique_identifier_tag_response_device_revision_level', 'read_unique_identifier_tag_response_software_revision_level', 'read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'read_unique_identifier_tag_response_flags_c8_psk_in_multi_drop_only', 
'read_unique_identifier_tag_response_flags_c8_psk_capable_field_device', 'read_unique_identifier_tag_response_flags_undefined_5', 'read_unique_identifier_tag_response_flags_safehart_capable_field_device', 'read_unique_identifier_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'read_unique_identifier_tag_response_flags_protocol_bridge_device', 'read_unique_identifier_tag_response_flags_eeprom_control', 'read_unique_identifier_tag_response_flags_mutli_sensor_field_device', 'read_unique_identifier_tag_response_device_id', 'read_unique_identifier_tag_response_number_preambles_slave_master', 'read_unique_identifier_tag_response_last_device_variable_this', 'read_unique_identifier_tag_response_configuration_change_counter', 'read_unique_identifier_tag_response_extended_field_device_status_undefined_bits', 'read_unique_identifier_tag_response_extended_field_device_status_function_check', 'read_unique_identifier_tag_response_extended_field_device_status_out_of_specification', 'read_unique_identifier_tag_response_extended_field_device_status_failure', 'read_unique_identifier_tag_response_extended_field_device_status_critical_power_failure', 'read_unique_identifier_tag_response_extended_field_device_status_device_variable_alert', 'read_unique_identifier_tag_response_extended_field_device_status_maintenance_required', 'read_unique_identifier_tag_response_manufacturer_identification_code', 'read_unique_identifier_tag_response_private_label_distributor_code', 'read_unique_identifier_tag_response_device_profile', 'read_message_response_message', 'read_tag_response_tag', 'read_tag_response_descriptor', 'read_tag_response_date_code', 'read_primary_variable_transducer_information_response_p_v_transducer_serial_number', 'read_primary_variable_transducer_information_response_p_v_transducer_limits_units', 'read_primary_variable_transducer_information_response_p_v_upper_transducer_limit', 'read_primary_variable_transducer_information_response_p_v_lower_transducer_limit', 
'read_primary_variable_transducer_information_response_p_v_minimum_span', 'read_device_information_response_p_v_alarm_selection_code', 'read_device_information_response_p_v_transfer_function_code', 'read_device_information_response_p_v_upper_lower_range', 'read_device_information_response_p_v_upper_range_value', 'read_device_information_response_p_v_lower_range_value', 'read_device_information_response_p_v_damping_value', 'read_device_information_response_write_protect_code', 'read_device_information_response_250', 'read_device_information_response_p_v_analog_channel_flags_undefined_bits', 'read_device_information_response_p_v_analog_channel_flags_analog_channel', 'read_final_assembly_number_response_final_assembly_number', 'write_message_message_string', 'write_tag_descriptor_date_tag', 'write_tag_descriptor_date_record_keeping_descriptor', 'write_tag_descriptor_date_date_code', 'write_final_assembly_number_final_assembly_number', 'read_long_tag_response_long_tag', 'read_unique_identifier_long_tag_request_long_tag', 'read_unique_identifier_long_tag_response_254', 'read_unique_identifier_long_tag_response_expanded_device_type', 'read_unique_identifier_long_tag_response_minimum_preambles_master_slave', 'read_unique_identifier_long_tag_response_hart_protocol_major_revision', 'read_unique_identifier_long_tag_response_device_revision_level', 'read_unique_identifier_long_tag_response_software_revision_level', 'read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'read_unique_identifier_long_tag_response_flags_c8_psk_in_multi_drop_only', 'read_unique_identifier_long_tag_response_flags_c8_psk_capable_field_device', 'read_unique_identifier_long_tag_response_flags_undefined_5', 'read_unique_identifier_long_tag_response_flags_safehart_capable_field_device', 
'read_unique_identifier_long_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'read_unique_identifier_long_tag_response_flags_protocol_bridge_device', 'read_unique_identifier_long_tag_response_flags_eeprom_control', 'read_unique_identifier_long_tag_response_flags_mutli_sensor_field_device', 'read_unique_identifier_long_tag_response_device_id', 'read_unique_identifier_long_tag_response_number_preambles_slave_master', 'read_unique_identifier_long_tag_response_last_device_variable_this', 'read_unique_identifier_long_tag_response_configuration_change_counter', 'read_unique_identifier_long_tag_response_extended_field_device_status_undefined_bits', 'read_unique_identifier_long_tag_response_extended_field_device_status_function_check', 'read_unique_identifier_long_tag_response_extended_field_device_status_out_of_specification', 'read_unique_identifier_long_tag_response_extended_field_device_status_failure', 'read_unique_identifier_long_tag_response_extended_field_device_status_critical_power_failure', 'read_unique_identifier_long_tag_response_extended_field_device_status_device_variable_alert', 'read_unique_identifier_long_tag_response_extended_field_device_status_maintenance_required', 'read_unique_identifier_long_tag_response_manufacturer_identification_code', 'read_unique_identifier_long_tag_response_private_label_distributor_code', 'read_unique_identifier_long_tag_response_device_profile', 'write_long_tag_long_tag', 'reset_configuration_changed_flag_configuration_change_counter', 'read_additional_device_status_contents_device_specific_status_0', 'read_additional_device_status_contents_extended_field_device_status_undefined_bits', 'read_additional_device_status_contents_extended_field_device_status_function_check', 'read_additional_device_status_contents_extended_field_device_status_out_of_specification', 'read_additional_device_status_contents_extended_field_device_status_failure', 
'read_additional_device_status_contents_extended_field_device_status_critical_power_failure', 'read_additional_device_status_contents_extended_field_device_status_device_variable_alert', 'read_additional_device_status_contents_extended_field_device_status_maintenance_required', 'read_additional_device_status_contents_device_operating_mode', 'read_additional_device_status_contents_standardized_status0_device_configuration_lock', 'read_additional_device_status_contents_standardized_status0_electronic_defect', 'read_additional_device_status_contents_standardized_status0_environmental_conditions_out_of_range', 'read_additional_device_status_contents_standardized_status0_power_supply_conditions_out_of_range', 'read_additional_device_status_contents_standardized_status0_watchdog_reset_executed', 'read_additional_device_status_contents_standardized_status0_volatile_memory_defect', 'read_additional_device_status_contents_standardized_status0_non_volatile_memory_defect', 'read_additional_device_status_contents_standardized_status0_device_variable_simulation_active', 'read_additional_device_status_contents_standardized_status1_undefined_bits', 'read_additional_device_status_contents_standardized_status1_reserved', 'read_additional_device_status_contents_standardized_status1_battery_or_power_supply_needs_maintenance', 'read_additional_device_status_contents_standardized_status1_event_notification_overflow', 'read_additional_device_status_contents_standardized_status1_discrete_variable_simulation_active', 'read_additional_device_status_contents_standardized_status1_status_simulation_active', 'read_additional_device_status_contents_analog_channel_saturated_undefined_bits', 'read_additional_device_status_contents_analog_channel_saturated_quinary_analog', 'read_additional_device_status_contents_analog_channel_saturated_quaternary_analog', 'read_additional_device_status_contents_analog_channel_saturated_tertiary_analog', 
'read_additional_device_status_contents_analog_channel_saturated_secondary_analog', 'read_additional_device_status_contents_standardized_status2_undefined_bits', 'read_additional_device_status_contents_standardized_status2_stale_data_notice', 'read_additional_device_status_contents_standardized_status2_sub_device_with_duplicate_id', 'read_additional_device_status_contents_standardized_status2_sub_device_mismatch', 'read_additional_device_status_contents_standardized_status2_duplicate_master_detected', 'read_additional_device_status_contents_standardized_status2_sub_device_list_changed', 'read_additional_device_status_contents_standardized_status3_undefined_bits', 'read_additional_device_status_contents_standardized_status3_radio_failure', 'read_additional_device_status_contents_standardized_status3_block_transfer_pending', 'read_additional_device_status_contents_standardized_status3_bandwith_allocation_pending', 'read_additional_device_status_contents_standardized_status3_resereved', 'read_additional_device_status_contents_standardized_status3_capacity_denied', 'read_additional_device_status_contents_analog_channel_undefined_bits', 'read_additional_device_status_contents_analog_channel_analog_channel', 'read_additional_device_status_contents_device_specific_status_1' ]"
+ code => "event.set('[zeek_cols]', $zeek_hart_ip_universal_commands_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_hart_ip_universal_commands"
+ add_field => {
+ "[zeek_cols][service]" => "hart_ip"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1028_zeek_http.conf b/logstash/pipelines/zeek/1028_zeek_http.conf
new file mode 100644
index 000000000..0baf87789
--- /dev/null
+++ b/logstash/pipelines/zeek/1028_zeek_http.conf
@@ -0,0 +1,59 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+ if ([log_source] == "http") {
+ #############################################################################################################################
+ # http.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/http/main.zeek.html#type-HTTP::Info
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_http_fields"
+ rename => { "[zeek_cols][username]" => "[zeek_cols][user]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_http_with_all_fields"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][method]} %{[zeek_cols][host]} %{[zeek_cols][uri]} %{[zeek_cols][referrer]} %{[zeek_cols][version]} %{[zeek_cols][user_agent]} %{[zeek_cols][origin]} %{[zeek_cols][request_body_len]} %{[zeek_cols][response_body_len]} %{[zeek_cols][status_code]} %{[zeek_cols][status_msg]} %{[zeek_cols][info_code]} %{[zeek_cols][info_msg]} %{[zeek_cols][tags]} %{[zeek_cols][user]} %{[zeek_cols][password]} %{[zeek_cols][proxied]} %{[zeek_cols][orig_fuids]} %{[zeek_cols][orig_filenames]} %{[zeek_cols][orig_mime_types]} %{[zeek_cols][resp_fuids]} %{[zeek_cols][resp_filenames]} %{[zeek_cols][resp_mime_types]} %{[zeek_cols][client_header_names]} %{[zeek_cols][server_header_names]} %{[zeek_cols][ja4h]} %{[zeek_cols][post_username]} %{[zeek_cols][post_password_plain]} %{[zeek_cols][post_password_md5]} %{[zeek_cols][post_password_sha1]} %{[zeek_cols][post_password_sha256]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_http"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_http"
+ init => "@zeek_http_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'method', 'host', 'uri', 'referrer', 'version', 'user_agent', 'origin', 'request_body_len', 'response_body_len', 'status_code', 'status_msg', 'info_code', 'info_msg', 'tags', 'user', 'password', 'proxied', 'orig_fuids', 'orig_filenames', 'orig_mime_types', 'resp_fuids', 'resp_filenames', 'resp_mime_types', 'client_header_names', 'server_header_names', 'ja4h', 'post_username', 'post_password_plain', 'post_password_md5', 'post_password_sha1', 'post_password_sha256' ]"
+ code => "event.set('[zeek_cols]', @zeek_http_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_zeek_http_commas"
+ split => { "[zeek_cols][client_header_names]" => ","
+ "[zeek_cols][orig_filenames]" => ","
+ "[zeek_cols][orig_fuids]" => ","
+ "[zeek_cols][orig_mime_types]" => ","
+ "[zeek_cols][proxied]" => ","
+ "[zeek_cols][resp_filenames]" => ","
+ "[zeek_cols][resp_fuids]" => ","
+ "[zeek_cols][resp_mime_types]" => ","
+ "[zeek_cols][server_header_names]" => ","
+ "[zeek_cols][tags]" => "," } }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_http"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "http"
+ }
+ }
+
+ }
+
+} # end Filter
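Review bot: The `_dissectfailure` fallback at `ruby_zip_zeek_http` builds `[zeek_cols]` with `zip`, which pads with nil when the split message has fewer tokens than the 38 names and silently drops extra tokens when it has more, so a column-count mismatch (a different Zeek/plugin column layout) yields misaligned fields with no signal in the event. Consider tagging the mismatch, e.g. `code => "msg = event.get('[message]'); event.tag('_zeek_http_field_count_mismatch') if msg.length != @zeek_http_field_names.length; event.set('[zeek_cols]', @zeek_http_field_names.zip(msg).to_h)"`. The same pattern appears in the intel hunk below and in the ipsec hunk that follows it, and the hart_ip hunk above uses a `$global` for its name list while these files use an `@instance` variable; settling on one form would help. The dissect mapping also indexes `password` and `post_password_plain` as cleartext fields; a one-line comment above `dissect_zeek_http_with_all_fields` stating that these columns carry credential material and are retained deliberately would help whoever later tunes retention or field-level access.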
diff --git a/logstash/pipelines/zeek/1029_zeek_intel.conf b/logstash/pipelines/zeek/1029_zeek_intel.conf
new file mode 100644
index 000000000..d284f10a4
--- /dev/null
+++ b/logstash/pipelines/zeek/1029_zeek_intel.conf
@@ -0,0 +1,56 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "intel") {
+ #############################################################################################################################
+ # intel.log
+ # https://docs.zeek.org/en/stable/scripts/base/frameworks/intel/main.zeek.html#type-Intel::Info
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_intel_fields"
+ rename => { "[zeek_cols][cif.firstseen]" => "[zeek_cols][cif_firstseen]" }
+ rename => { "[zeek_cols][cif.lastseen]" => "[zeek_cols][cif_lastseen]" }
+ rename => { "[zeek_cols][cif.tags]" => "[zeek_cols][cif_tags]" }
+ rename => { "[zeek_cols][seen.indicator]" => "[zeek_cols][seen_indicator]" }
+ rename => { "[zeek_cols][seen.indicator_type]" => "[zeek_cols][seen_indicator_type]" }
+ rename => { "[zeek_cols][seen.node]" => "[zeek_cols][seen_node]" }
+ rename => { "[zeek_cols][seen.where]" => "[zeek_cols][seen_where]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_intel"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][seen_indicator]} %{[zeek_cols][seen_indicator_type]} %{[zeek_cols][seen_where]} %{[zeek_cols][seen_node]} %{[zeek_cols][matched]} %{[zeek_cols][sources]} %{[zeek_cols][fuid]} %{[zeek_cols][file_mime_type]} %{[zeek_cols][file_desc]} %{[zeek_cols][cif_tags]} %{[zeek_cols][cif_confidence]} %{[zeek_cols][cif_source]} %{[zeek_cols][cif_description]} %{[zeek_cols][cif_firstseen]} %{[zeek_cols][cif_lastseen]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_intel"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_intel"
+ init => "@zeek_intel_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'seen_indicator', 'seen_indicator_type', 'seen_where', 'seen_node', 'matched', 'sources', 'fuid', 'file_mime_type', 'file_desc', 'cif_tags', 'cif_confidence', 'cif_source', 'cif_description', 'cif_firstseen', 'cif_lastseen' ]"
+ code => "event.set('[zeek_cols]', @zeek_intel_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_zeek_intel_commas"
+ split => { "[zeek_cols][sources]" => ","
+ "[zeek_cols][matched]" => "," } }
+ }
+
+ # For some reason, even in JSON, I have cif_tags strings like:
+ # Network activity,osint:source-type=\"block-or-filter-list\"
+ # so whatever reason it's not already an array. Split it here.
+ mutate { id => "mutate_split_zeek_intel_cif_tags"
+ split => { "[zeek_cols][cif_tags]" => "," } }
+
+ }
+
+} # end Filter
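Review bot: The JSON-branch mutate `mutate_rename_zeek_json_intel_fields` repeats the `rename` option seven times; this appears to rely on the config compiler merging repeated hash-valued attributes of one plugin, and it reads differently from the single-hash `split => { ... }` form used in `mutate_split_zeek_intel_commas` in the same file. Collapsing them into one `rename => { "[zeek_cols][cif.firstseen]" => "[zeek_cols][cif_firstseen]", ... }` hash makes the intent explicit and matches the rest of the pipeline. The `mutate_split_zeek_intel_cif_tags` step runs for both the JSON and dissect paths, so if `cif_tags` holds a single placeholder value such as `-` it becomes a one-element array; presumably a later stage normalises empty markers, but confirm.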
diff --git a/logstash/pipelines/zeek/1030_zeek_ipsec.conf b/logstash/pipelines/zeek/1030_zeek_ipsec.conf
new file mode 100644
index 000000000..34d5a3a4c
--- /dev/null
+++ b/logstash/pipelines/zeek/1030_zeek_ipsec.conf
@@ -0,0 +1,50 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "ipsec") {
+ #############################################################################################################################
+ # ipsec.log
+ # https://github.com/corelight/zeek-spicy-ipsec/blob/master/analyzer/main.zeek
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_ipsec"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][initiator_spi]} %{[zeek_cols][responder_spi]} %{[zeek_cols][maj_ver]} %{[zeek_cols][min_ver]} %{[zeek_cols][exchange_type]} %{[zeek_cols][flag_e]} %{[zeek_cols][flag_c]} %{[zeek_cols][flag_a]} %{[zeek_cols][flag_i]} %{[zeek_cols][flag_v]} %{[zeek_cols][flag_r]} %{[zeek_cols][message_id]} %{[zeek_cols][vendor_ids]} %{[zeek_cols][notify_messages]} %{[zeek_cols][transforms]} %{[zeek_cols][ke_dh_groups]} %{[zeek_cols][proposals]} %{[zeek_cols][protocol_id]} %{[zeek_cols][certificates]} %{[zeek_cols][transform_attributes]} %{[zeek_cols][length]} %{[zeek_cols][hash]} %{[zeek_cols][doi]} %{[zeek_cols][situation]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_ipsec"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_ipsec"
+ init => "@zeek_ipsec_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'is_orig', 'initiator_spi', 'responder_spi', 'maj_ver', 'min_ver', 'exchange_type', 'flag_e', 'flag_c', 'flag_a', 'flag_i', 'flag_v', 'flag_r', 'message_id', 'vendor_ids', 'notify_messages', 'transforms', 'ke_dh_groups', 'proposals', 'protocol_id', 'certificates', 'transform_attributes', 'length', 'hash', 'doi', 'situation' ]"
+ code => "event.set('[zeek_cols]', @zeek_ipsec_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_zeek_ipsec_commas"
+ split => { "[zeek_cols][vendor_ids]" => ","
+ "[zeek_cols][notify_messages]" => ","
+ "[zeek_cols][transforms]" => ","
+ "[zeek_cols][ke_dh_groups]" => ","
+ "[zeek_cols][proposals]" => ","
+ "[zeek_cols][certificates]" => ","
+ "[zeek_cols][transform_attributes]" => "," } }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_ipsec"
+ add_field => {
+ "[zeek_cols][service]" => "ipsec"
+ }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1031_zeek_irc.conf b/logstash/pipelines/zeek/1031_zeek_irc.conf
new file mode 100644
index 000000000..b674565e9
--- /dev/null
+++ b/logstash/pipelines/zeek/1031_zeek_irc.conf
@@ -0,0 +1,43 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "irc") {
+ #############################################################################################################################
+ # irc.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/irc/main.zeek.html#type-IRC::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_irc"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][nick]} %{[zeek_cols][user]} %{[zeek_cols][command]} %{[zeek_cols][value]} %{[zeek_cols][addl]} %{[zeek_cols][dcc_file_name]} %{[zeek_cols][dcc_file_size]} %{[zeek_cols][dcc_mime_type]} %{[zeek_cols][fuid]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_irc"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_irc"
+ init => "@zeek_irc_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'nick', 'user', 'command', 'value', 'addl', 'dcc_file_name', 'dcc_file_size', 'dcc_mime_type', 'fuid' ]"
+ code => "event.set('[zeek_cols]', @zeek_irc_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_irc"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "irc"
+ }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1032_zeek_kerberos.conf b/logstash/pipelines/zeek/1032_zeek_kerberos.conf
new file mode 100644
index 000000000..d79335c5e
--- /dev/null
+++ b/logstash/pipelines/zeek/1032_zeek_kerberos.conf
@@ -0,0 +1,50 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "kerberos") {
+ #############################################################################################################################
+ # kerberos.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/krb/main.zeek.html#type-KRB::Info
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_kerberos_fields"
+ rename => { "[zeek_cols][client]" => "[zeek_cols][cname]" }
+ rename => { "[zeek_cols][service]" => "[zeek_cols][sname]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_kerberos"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][request_type]} %{[zeek_cols][cname]} %{[zeek_cols][sname]} %{[zeek_cols][success]} %{[zeek_cols][error_msg]} %{[zeek_cols][from]} %{[zeek_cols][till]} %{[zeek_cols][cipher]} %{[zeek_cols][forwardable]} %{[zeek_cols][renewable]} %{[zeek_cols][client_cert_subject]} %{[zeek_cols][client_cert_fuid]} %{[zeek_cols][server_cert_subject]} %{[zeek_cols][server_cert_fuid]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_kerberos"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_kerberos"
+ init => "@zeek_kerberos_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'request_type', 'cname', 'sname', 'success', 'error_msg', 'from', 'till', 'cipher', 'forwardable', 'renewable', 'client_cert_subject', 'client_cert_fuid', 'server_cert_subject', 'server_cert_fuid' ]"
+ code => "event.set('[zeek_cols]', @zeek_kerberos_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_zeek_kerberos_commas"
+ split => { "[zeek_cols][client_cert_fuid]" => ","
+ "[zeek_cols][server_cert_fuid]" => "," } }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_krb5"
+ add_field => { "[zeek_cols][service]" => "krb" }
+ }
+
+ }
+
+} # end Filter
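Review bot: The JSON branch renames `[zeek_cols][service]` to `[zeek_cols][sname]` without saying why, and the reason only becomes visible at the bottom of the block where `mutate_add_fields_zeek_krb5` sets `[zeek_cols][service]` to "krb"; a reader who removes the rename as "unneeded" would get the two values colliding in one field. Add a comment above that rename: `# Zeek's KRB 'service' column is the requested service principal; move it to sname so the add_field of [zeek_cols][service] = "krb" below does not collide with it`. As a point of style, `mutate_add_fields_zeek_krb5` is the only plugin id in this file not built from the `zeek_kerberos` stem used by `dissect_zeek_kerberos`, `mutate_split_zeek_kerberos` and `ruby_zip_zeek_kerberos`; `id => "mutate_add_fields_zeek_kerberos"` keeps ids greppable by log source.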
diff --git a/logstash/pipelines/zeek/1033_zeek_known.conf b/logstash/pipelines/zeek/1033_zeek_known.conf
new file mode 100644
index 000000000..0b701453a
--- /dev/null
+++ b/logstash/pipelines/zeek/1033_zeek_known.conf
@@ -0,0 +1,202 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "known_certs") {
+ #############################################################################################################################
+ # known_certs.log
+ # https://docs.zeek.org/en/stable/scripts/policy/protocols/ssl/known-certs.zeek.html#type-Known::CertsInfo
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_known_certs_fields"
+ rename => { "[zeek_cols][host]" => "[zeek_cols][orig_h]" }
+ rename => { "[zeek_cols][port_num]" => "[zeek_cols][orig_p]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_known_certs"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][subject]} %{[zeek_cols][issuer_subject]} %{[zeek_cols][serial]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_known_certs"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_known_certs"
+ init => "@zeek_known_certs_field_names = [ 'ts', 'orig_h', 'orig_p', 'subject', 'resp_h', 'issuer_subject', 'serial' ]"
+ code => "event.set('[zeek_cols]', @zeek_known_certs_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_known_certs"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "tls"
+ }
+ }
+
+ } else if ([log_source] == "known_hosts") {
+ #############################################################################################################################
+ # known_hosts.log
+ # https://docs.zeek.org/en/stable/scripts/policy/protocols/conn/known-hosts.zeek.html#type-Known::HostsInfo
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_known_hosts_fields"
+ rename => { "[zeek_cols][host]" => "[zeek_cols][orig_h]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_known_hosts"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_known_hosts"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_known_hosts"
+ init => "@zeek_known_hosts_field_names = [ 'ts', 'orig_h' ]"
+ code => "event.set('[zeek_cols]', @zeek_known_hosts_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ } else if ([log_source] == "known_modbus") {
+ #############################################################################################################################
+ # known_modbus.log
+ # https://docs.zeek.org/en/stable/scripts/policy/protocols/modbus/known-masters-slaves.zeek.html#type-Known::ModbusInfo
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_known_modbus_fields"
+ rename => { "[zeek_cols][host]" => "[zeek_cols][orig_h]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_known_modbus"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][device_type]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_known_modbus"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_known_modbus"
+ init => "@zeek_known_modbus_field_names = [ 'ts', 'orig_h', 'device_type' ]"
+ code => "event.set('[zeek_cols]', @zeek_known_modbus_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate { id => "mutate_gsub_zeek_known_modbus_device_type"
+ gsub => [ "[zeek_cols][device_type]", "Known::", "" ] }
+
+ mutate { id => "mutate_gsub_zeek_known_modbus_master"
+ gsub => [ "[zeek_cols][device_type]", "MASTER", "CLIENT" ] }
+
+ mutate { id => "mutate_gsub_zeek_known_modbus_slave"
+ gsub => [ "[zeek_cols][device_type]", "SLAVE", "SERVER" ] }
+
+ mutate { id => "mutate_add_tag_ics_known_modbus_log"
+ add_tag => [ "ics" ] }
+
+ } else if ([log_source] == "known_routers") {
+ #############################################################################################################################
+ # known_routers.log
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_known_routers"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][ttl]} %{[zeek_cols][hlim]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_known_routers"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_known_routers"
+ init => "@zeek_known_routers_field_names = [ 'ts', 'orig_h', 'orig_l2_addr', 'ttl', 'hlim' ]"
+ code => "event.set('[zeek_cols]', @zeek_known_routers_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ } else if ([log_source] == "known_services") {
+ #############################################################################################################################
+ # known_services.log
+ # https://docs.zeek.org/en/stable/scripts/policy/protocols/conn/known-services.zeek.html#type-Known::ServicesInfo
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_known_services_fields"
+ rename => { "[zeek_cols][host]" => "[zeek_cols][resp_h]" }
+ rename => { "[zeek_cols][port_num]" => "[zeek_cols][resp_p]" }
+ rename => { "[zeek_cols][port_proto]" => "[zeek_cols][proto]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_known_services"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][service]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_known_services"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_known_services"
+ init => "@zeek_known_services_field_names = [ 'ts', 'resp_h', 'resp_p', 'proto', 'service' ]"
+ code => "event.set('[zeek_cols]', @zeek_known_services_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate { id => "mutate_lowercase_zeek_known_services_service"
+ lowercase => [ "[zeek_cols][service]" ] }
+
+ # normalize service string(s)
+
+ # some services are named like blah_udp/blah_tcp/blah_data, and we don't care about the suffix
+ mutate { id => "mutate_gsub_field_zeek_known_services_protocol_suffix"
+ gsub => [ "[zeek_cols][service]", "[_-](tcp|udp|data)", "" ] }
+
+ if ([zeek_cols][service] =~ /^spicy_/) {
+ # if it's coming from spicy, we don't care to have that in the service name
+ mutate { id => "mutate_gsub_field_zeek_known_service_spicy_prefix"
+ gsub => [ "[zeek_cols][service]", "^spicy_", "" ] }
+
+ # some spicy services are named like blah_udp or blah_tcp,
+ # and we don't care about the _udp/_tcp suffix
+ mutate { id => "mutate_gsub_field_zeek_known_service_spicy_suffix"
+ gsub => [ "[zeek_cols][service]", "(_hmac)?(_(sha|md)\d+)?$", "" ] }
+
+ }
+
+ }
+
+} # end Filter
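Review bot: The dissect-failure fallback for known_certs disagrees with its own dissect mapping: `ruby_zip_zeek_known_certs` declares seven names including `'resp_h'`, while `dissect_zeek_known_certs` maps six columns (`ts`, `orig_h`, `orig_p`, `subject`, `issuer_subject`, `serial`), so whenever the fallback runs, `issuer_subject` is stored as `resp_h` and `serial` as `issuer_subject`. Change the init to `init => "@zeek_known_certs_field_names = [ 'ts', 'orig_h', 'orig_p', 'subject', 'issuer_subject', 'serial' ]"`. The other four known_* fallbacks in this file match their mappings. Separately, in the known_services branch the comment above `mutate_gsub_field_zeek_known_service_spicy_suffix` says it strips `_udp`/`_tcp`, which `mutate_gsub_field_zeek_known_services_protocol_suffix` already did a few lines earlier; the regex it annotates is `(_hmac)?(_(sha|md)\d+)?$`, so reword it to `# strip trailing _hmac / _shaN / _mdN qualifiers from spicy service names`.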
diff --git a/logstash/pipelines/zeek/1034_zeek_ldap.conf b/logstash/pipelines/zeek/1034_zeek_ldap.conf
new file mode 100644
index 000000000..3ae2f8f17
--- /dev/null
+++ b/logstash/pipelines/zeek/1034_zeek_ldap.conf
@@ -0,0 +1,100 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "ldap") {
+ #############################################################################################################################
+ # ldap.log
+ # main.zeek (https://docs.zeek.org/en/master/scripts/base/protocols/ldap/main.zeek.html)
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_ldap_fields"
+ rename => { "[zeek_cols][arguments]" => "[zeek_cols][argument]" }
+ rename => { "[zeek_cols][opcode]" => "[zeek_cols][operation]" }
+ rename => { "[zeek_cols][opcodes]" => "[zeek_cols][operation]" }
+ rename => { "[zeek_cols][result]" => "[zeek_cols][result_code]" }
+ rename => { "[zeek_cols][results]" => "[zeek_cols][result_code]" }
+ rename => { "[zeek_cols][diagnostic_message]" => "[zeek_cols][result_message]" }
+ rename => { "[zeek_cols][diagnostic_messages]" => "[zeek_cols][result_message]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_ldap"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][message_id]} %{[zeek_cols][version]} %{[zeek_cols][operation]} %{[zeek_cols][result_code]} %{[zeek_cols][result_message]} %{[zeek_cols][object]} %{[zeek_cols][argument]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_ldap"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_ldap"
+ init => "@zeek_ldap_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'message_id', 'version', 'operation', 'result_code', 'result_message', 'object', 'argument' ]"
+ code => "event.set('[zeek_cols]', @zeek_ldap_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_ldap"
+ add_field => {
+ "[zeek_cols][service]" => "ldap"
+ }
+
+ }
+
+ } else if ([log_source] == "ldap_search") {
+ #############################################################################################################################
+ # ldap_search.log
+ # main.zeek (https://docs.zeek.org/en/master/scripts/base/protocols/ldap/main.zeek.html)
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_ldap_search_fields"
+ rename => { "[zeek_cols][base_objects]" => "[zeek_cols][base_object]" }
+ rename => { "[zeek_cols][deref_aliases]" => "[zeek_cols][deref]" }
+ rename => { "[zeek_cols][derefs]" => "[zeek_cols][deref]" }
+ rename => { "[zeek_cols][diagnostic_message]" => "[zeek_cols][result_message]" }
+ rename => { "[zeek_cols][result]" => "[zeek_cols][result_code]" }
+ rename => { "[zeek_cols][results]" => "[zeek_cols][result_code]" }
+ rename => { "[zeek_cols][scopes]" => "[zeek_cols][scope]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_ldap_search"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][message_id]} %{[zeek_cols][scope]} %{[zeek_cols][deref]} %{[zeek_cols][base_object]} %{[zeek_cols][result_count]} %{[zeek_cols][result_code]} %{[zeek_cols][result_message]} %{[zeek_cols][filter]} %{[zeek_cols][attributes]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_ldap_search"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_ldap_search"
+ init => "@zeek_ldap_search_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'message_id', 'scope', 'deref', 'base_object', 'result_count', 'result_code', 'result_message', 'filter', 'attributes' ]"
+ code => "event.set('[zeek_cols]', @zeek_ldap_search_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_ldap_search"
+ add_field => {
+ "[zeek_cols][service]" => "ldap"
+ }
+
+ }
+
+ }
+
+} # end Filter
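Review bot: `mutate_rename_zeek_json_ldap_fields` maps two source names onto each target (`opcode` and `opcodes` to `operation`, `result` and `results` to `result_code`, `diagnostic_message` and `diagnostic_messages` to `result_message`), and `mutate_rename_zeek_json_ldap_search_fields` does the same, with nothing explaining why; presumably one set comes from the current Zeek LDAP analyzer and the plural set from an older LDAP package's log format, but that is not stated anywhere in the file. Add a comment above the first rename block: `# accept both field-name sets: the singular names of Zeek's built-in LDAP analyzer and the plural names written by the older LDAP analyzer package (confirm against the Zeek version in use)`. It is also worth stating that the renames are alternatives, since if both spellings were ever present in one event the later rename would replace the earlier value.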
diff --git a/logstash/pipelines/zeek/1035_zeek_login.conf b/logstash/pipelines/zeek/1035_zeek_login.conf
new file mode 100644
index 000000000..2460ffa56
--- /dev/null
+++ b/logstash/pipelines/zeek/1035_zeek_login.conf
@@ -0,0 +1,35 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "login") {
+ #############################################################################################################################
+ # login.log
+ # custom login.log module (rudimentary, telnet/rlogin/rsh analyzers are old and not the greatest)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_login"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][service]} %{[zeek_cols][success]} %{[zeek_cols][confused]} %{[zeek_cols][user]} %{[zeek_cols][client_user]} %{[zeek_cols][password]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_login"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_login"
+ init => "@zeek_login_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'service', 'success', 'confused', 'user', 'client_user', 'password' ]"
+ code => "event.set('[zeek_cols]', @zeek_login_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ }
+
+} # end Filter
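Review bot: Both `dissect_zeek_login` and `ruby_zip_zeek_login` copy the `password` column into `[zeek_cols][password]` verbatim, and nothing in this file marks it as sensitive or removes it; the header comment only notes that the telnet/rlogin/rsh analyzers are old. Whether a later pipeline stage redacts, hashes or access-controls this field is not visible here. Add a comment above the dissect: `# [zeek_cols][password] holds a credential observed in cleartext on the wire; confirm downstream redaction / field-level access control before it is indexed`, and if that handling exists elsewhere, name the stage in the comment.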
diff --git a/logstash/pipelines/zeek/1036_zeek_modbus.conf b/logstash/pipelines/zeek/1036_zeek_modbus.conf
new file mode 100644
index 000000000..4ff4723cb
--- /dev/null
+++ b/logstash/pipelines/zeek/1036_zeek_modbus.conf
@@ -0,0 +1,210 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "modbus") {
+ #############################################################################################################################
+ # modbus.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/modbus/main.zeek.html#type-Modbus::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_modbus"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][exception]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_modbus"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_modbus"
+ init => "@zeek_modbus_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'exception' ]"
+ code => "event.set('[zeek_cols]', @zeek_modbus_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_modbus"
+ add_field => { "[zeek_cols][service]" => "modbus" }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "modbus_detailed") {
+ #############################################################################################################################
+ # modbus_detailed.log
+ # main.zeek (https://github.com/cisagov/icsnpp-modbus)
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_modbus_detailed_fields"
+ rename => { "[zeek_cols][tid]" => "[zeek_cols][trans_id]" }
+ rename => { "[zeek_cols][unit]" => "[zeek_cols][unit_id]" }
+ rename => { "[zeek_cols][request_response]" => "[zeek_cols][network_direction]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_modbus_detailed"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][address]} %{[zeek_cols][quantity]} %{[zeek_cols][values]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_modbus_detailed"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_modbus_detailed"
+ init => "@zeek_modbus_detailed_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'address', 'quantity', 'values' ]"
+ code => "event.set('[zeek_cols]', @zeek_modbus_detailed_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_zeek_modbus_detailed_values"
+ split => { "[zeek_cols][values]" => "," } }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_modbus_detailed"
+ add_field => {
+ "[zeek_cols][service]" => "modbus"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "modbus_mask_write_register") {
+ #############################################################################################################################
+ # modbus_mask_write_register.log
+ # main.zeek (https://github.com/cisagov/icsnpp-modbus)
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_modbus_mask_write_register_fields"
+ rename => { "[zeek_cols][tid]" => "[zeek_cols][trans_id]" }
+ rename => { "[zeek_cols][unit]" => "[zeek_cols][unit_id]" }
+ rename => { "[zeek_cols][request_response]" => "[zeek_cols][network_direction]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_modbus_mask_write_register"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][address]} %{[zeek_cols][and_mask]} %{[zeek_cols][or_mask]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_modbus_mask_write_register"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_modbus_mask_write_register"
+ init => "@zeek_modbus_mask_write_register_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'address', 'and_mask', 'or_mask' ]"
+ code => "event.set('[zeek_cols]', @zeek_modbus_mask_write_register_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_modbus_mask_write_register"
+ add_field => {
+ "[zeek_cols][service]" => "modbus"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "modbus_read_device_identification") {
+ #############################################################################################################################
+ # modbus_read_device_identification.log
+ # main.zeek (https://github.com/cisagov/icsnpp-modbus)
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_modbus_read_device_identification_fields"
+ rename => { "[zeek_cols][tid]" => "[zeek_cols][trans_id]" }
+ rename => { "[zeek_cols][unit]" => "[zeek_cols][unit_id]" }
+ rename => { "[zeek_cols][request_response]" => "[zeek_cols][network_direction]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_modbus_read_device_identification"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][mei_type]} %{[zeek_cols][conformity_level_code]} %{[zeek_cols][conformity_level]} %{[zeek_cols][device_id_code]} %{[zeek_cols][object_id_code]} %{[zeek_cols][object_id]} %{[zeek_cols][object_value]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_modbus_read_device_identification"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_modbus_read_device_identification"
+ init => "@zeek_modbus_read_device_identification_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'mei_type', 'conformity_level_code', 'conformity_level', 'device_id_code', 'object_id_code', 'object_id', 'object_value' ]"
+ code => "event.set('[zeek_cols]', @zeek_modbus_read_device_identification_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_modbus_read_device_identification"
+ add_field => {
+ "[zeek_cols][service]" => "modbus"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "modbus_read_write_multiple_registers") {
+ #############################################################################################################################
+ # modbus_read_write_multiple_registers.log
+ # main.zeek (https://github.com/cisagov/icsnpp-modbus)
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_modbus_read_write_multiple_registers_fields"
+ rename => { "[zeek_cols][tid]" => "[zeek_cols][trans_id]" }
+ rename => { "[zeek_cols][unit]" => "[zeek_cols][unit_id]" }
+ rename => { "[zeek_cols][request_response]" => "[zeek_cols][network_direction]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_modbus_read_write_multiple_registers"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][write_start_address]} %{[zeek_cols][write_registers]} %{[zeek_cols][read_start_address]} %{[zeek_cols][read_quantity]} %{[zeek_cols][read_registers]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_modbus_read_write_multiple_registers"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_modbus_read_write_multiple_registers"
+ init => "@zeek_modbus_read_write_multiple_registers_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'write_start_address', 'write_registers', 'read_start_address', 'read_quantity', 'read_registers' ]"
+ code => "event.set('[zeek_cols]', @zeek_modbus_read_write_multiple_registers_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_zeek_modbus_read_write_multiple_registers_read_commas"
+ split => { "[zeek_cols][read_registers]" => ","
+ "[zeek_cols][write_registers]" => "," } }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_modbus_read_write_multiple_registers"
+ add_field => {
+ "[zeek_cols][service]" => "modbus"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ }
+
+} # end Filter
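Review bot: The four icsnpp-modbus dissect mappings (`dissect_zeek_modbus_detailed`, `dissect_zeek_modbus_mask_write_register`, `dissect_zeek_modbus_read_device_identification`, `dissect_zeek_modbus_read_write_multiple_registers`) and their Ruby fallbacks populate `drop_orig_h`, `drop_orig_p`, `drop_resp_h` and `drop_resp_p`, but nothing in this file removes them, so a reader cannot tell whether they survive into the index. If a later pipeline stage drops them, say so once above the first mapping: `# drop_* columns are the connection 4-tuple duplicated by the icsnpp-modbus logs; they are removed by <later stage> and the orig_h/orig_p/resp_h/resp_p columns that follow are the ones kept`. As a point of style, `mutate_split_zeek_modbus_read_write_multiple_registers_read_commas` splits both `read_registers` and `write_registers`, so `id => "mutate_split_zeek_modbus_read_write_multiple_registers_commas"` would describe it accurately and match `mutate_split_zeek_modbus_detailed_values`.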
diff --git a/logstash/pipelines/zeek/1037_zeek_mqtt.conf b/logstash/pipelines/zeek/1037_zeek_mqtt.conf
new file mode 100644
index 000000000..8c3730f44
--- /dev/null
+++ b/logstash/pipelines/zeek/1037_zeek_mqtt.conf
@@ -0,0 +1,115 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "mqtt_connect") {
+ #############################################################################################################################
+ # mqtt_connect.log
+ # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::ConnectInfo
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_mqtt_connect"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto_name]} %{[zeek_cols][proto_version]} %{[zeek_cols][client_id]} %{[zeek_cols][connect_status]} %{[zeek_cols][will_topic]} %{[zeek_cols][will_payload]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_mqtt_connect"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_mqtt_connect"
+ init => "@zeek_mqtt_connect_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto_name', 'proto_version', 'client_id', 'connect_status', 'will_topic', 'will_payload' ]"
+ code => "event.set('[zeek_cols]', @zeek_mqtt_connect_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_mqtt_connect"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "mqtt"
+ }
+ }
+
+ } else if ([log_source] == "mqtt_publish") {
+ #############################################################################################################################
+ # mqtt_publish.log
+ # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::PublishInfo
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_mqtt_publish"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][from_client]} %{[zeek_cols][retain]} %{[zeek_cols][qos]} %{[zeek_cols][status]} %{[zeek_cols][topic]} %{[zeek_cols][payload]} %{[zeek_cols][payload_len]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_mqtt_publish"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_mqtt_publish"
+ init => "@zeek_mqtt_publish_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'from_client', 'retain', 'qos', 'status', 'topic', 'payload', 'payload_len' ]"
+ code => "event.set('[zeek_cols]', @zeek_mqtt_publish_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_mqtt_publish"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "mqtt"
+ }
+ }
+
+ } else if ([log_source] == "mqtt_subscribe") {
+ #############################################################################################################################
+ # mqtt_subscribe.log
+ # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::SubscribeInfo
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_mqtt_subscribe"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][action]} %{[zeek_cols][topics]} %{[zeek_cols][qos_levels]} %{[zeek_cols][granted_qos_level]} %{[zeek_cols][ack]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_mqtt_subscribe"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_mqtt_subscribe"
+ init => "@zeek_mqtt_subscribe_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'action', 'topics', 'qos_levels', 'granted_qos_level', 'ack' ]"
+ code => "event.set('[zeek_cols]', @zeek_mqtt_subscribe_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_zeek_mqtt_subscribe_commas"
+ split => { "[zeek_cols][topics]" => ","
+ "[zeek_cols][qos_levels]" => "," } }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_mqtt_subscribe"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "mqtt"
+ }
+ }
+
+ mutate { id => "mutate_gsub_zeek_mqtt_subscribe_action"
+ gsub => [ "[zeek_cols][action]", "MQTT::", "" ] }
+
+ }
+
+} # end Filter
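Review bot: `[zeek_cols][proto]` is hard-coded to `udp` in all three `add_field` blocks of this file (the mqtt_connect, mqtt_publish and mqtt_subscribe branches), but Zeek's MQTT analyzer is attached to TCP (port 1883), so every MQTT record will carry the wrong transport and will presumably disagree with the conn.log entry for the same uid. Change each occurrence to `"[zeek_cols][proto]" => "tcp"`, matching what the ntp file in this change does correctly for a genuinely UDP protocol. If a later stage is expected to overwrite this from connection data, a comment above the first `add_field` saying so would help, but as written the literal is what lands in the event.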
diff --git a/logstash/pipelines/zeek/1038_zeek_mysql.conf b/logstash/pipelines/zeek/1038_zeek_mysql.conf
new file mode 100644
index 000000000..892ac1bb2
--- /dev/null
+++ b/logstash/pipelines/zeek/1038_zeek_mysql.conf
@@ -0,0 +1,40 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "mysql") {
+ #############################################################################################################################
+ # mysql.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/mysql/main.zeek.html#type-MySQL::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_mysql"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][cmd]} %{[zeek_cols][arg]} %{[zeek_cols][success]} %{[zeek_cols][rows]} %{[zeek_cols][response]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_mysql"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_mysql"
+ init => "@zeek_mysql_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'cmd', 'arg', 'success', 'rows', 'response' ]"
+ code => "event.set('[zeek_cols]', @zeek_mysql_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_mysql"
+ add_field => { "[zeek_cols][service]" => "mysql" }
+ }
+
+ }
+
+} # end Filter
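Review bot: Both the `dissect` mapping and the split/zip fallback treat a single space as the column delimiter, but the `arg` column of mysql.log holds the client's query text, which routinely contains spaces. Unless an earlier stage escapes embedded whitespace before this filter runs, dissect will still succeed (the trailing `%{[zeek_cols][response]}` absorbs the remainder) and `success`, `rows` and `response` will be filled with fragments of the query, while the `zip` fallback silently drops the surplus tokens. A comment above the `dissect` stating the delimiter assumption, or a guard such as `if ([zeek_cols][success] not in ["T", "F", "-"]) { mutate { add_tag => [ "_zeek_mysql_misaligned" ] } }` placed after the parsing block, would make this failure mode visible instead of producing plausible-looking but wrong fields.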
diff --git a/logstash/pipelines/zeek/1039_zeek_notice.conf b/logstash/pipelines/zeek/1039_zeek_notice.conf
new file mode 100644
index 000000000..ac044fef8
--- /dev/null
+++ b/logstash/pipelines/zeek/1039_zeek_notice.conf
@@ -0,0 +1,53 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "notice") {
+ #############################################################################################################################
+ # notice.log
+ # https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/main.zeek.html#type-Notice::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_notice_with_all_fields"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][fuid]} %{[zeek_cols][file_mime_type]} %{[zeek_cols][file_desc]} %{[zeek_cols][proto]} %{[zeek_cols][note]} %{[zeek_cols][msg]} %{[zeek_cols][sub]} %{[zeek_cols][src]} %{[zeek_cols][dst]} %{[zeek_cols][p]} %{[zeek_cols][n]} %{[zeek_cols][peer_descr]} %{[zeek_cols][actions]} %{[zeek_cols][email_dest]} %{[zeek_cols][suppress_for]} %{[zeek_cols][remote_location_country_code]} %{[zeek_cols][remote_location_region]} %{[zeek_cols][remote_location_city]} %{[zeek_cols][remote_location_latitude]} %{[zeek_cols][remote_location_longitude]} %{[zeek_cols][community_id]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_notice"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_notice"
+ init => "@zeek_notice_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'fuid', 'file_mime_type', 'file_desc', 'proto', 'note', 'msg', 'sub', 'src', 'dst', 'p', 'n', 'peer_descr', 'actions', 'email_dest', 'suppress_for', 'remote_location_country_code', 'remote_location_region', 'remote_location_city', 'remote_location_latitude', 'remote_location_longitude', 'community_id' ]"
+ code => "event.set('[zeek_cols]', @zeek_notice_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_zeek_notice_actions"
+ split => { "[zeek_cols][actions]" => "," } }
+ }
+
+ if ([zeek_cols][src]) and ((![zeek_cols][orig_h]) or ([zeek_cols][orig_h] == '(empty)') or
+ ([zeek_cols][orig_h] == '-') or ([zeek_cols][orig_h] == '')) {
+ mutate { id => "mutate_replace_zeek_notice_orig_h"
+ replace => { "[zeek_cols][orig_h]" => "%{[zeek_cols][src]}" } }
+ }
+ if ([zeek_cols][dst]) and ((![zeek_cols][resp_h]) or ([zeek_cols][resp_h] == '(empty)') or
+ ([zeek_cols][resp_h] == '-') or ([zeek_cols][resp_h] == '')) {
+ mutate { id => "mutate_replace_zeek_notice_resp_h"
+ replace => { "[zeek_cols][resp_h]" => "%{[zeek_cols][dst]}" } }
+ }
+ if [zeek_cols][p] and ((![zeek_cols][resp_p]) or ([zeek_cols][resp_p] == '(empty)') or
+ ([zeek_cols][resp_p] == '-') or ([zeek_cols][resp_p] == '')) {
+ mutate { id => "mutate_replace_zeek_resp_p"
+ replace => { "[zeek_cols][resp_p]" => "%{[zeek_cols][p]}" } }
+ }
+
+ }
+
+} # end Filter
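Review bot: The plugin id `mutate_replace_zeek_resp_p` in the third conditional drops the `_notice` component its two siblings carry (`mutate_replace_zeek_notice_orig_h`, `mutate_replace_zeek_notice_resp_h`); Logstash plugin ids must be unique across the loaded pipeline, so a generic name like this is more likely to collide with another conf file and it also breaks the per-log naming scheme used to attribute metrics. Rename it to `id => "mutate_replace_zeek_notice_resp_p"`. The same conditional is written `if [zeek_cols][p] and (...)` where the siblings wrap the first operand in parentheses; `if ([zeek_cols][p]) and (...)` keeps the three blocks uniform.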
diff --git a/logstash/pipelines/zeek/1040_zeek_ntlm.conf b/logstash/pipelines/zeek/1040_zeek_ntlm.conf
new file mode 100644
index 000000000..b0cafaee7
--- /dev/null
+++ b/logstash/pipelines/zeek/1040_zeek_ntlm.conf
@@ -0,0 +1,51 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "ntlm") {
+ #############################################################################################################################
+ # ntlm.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/ntlm/main.zeek.html#type-NTLM::Info
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_ntlm_fields"
+ rename => { "[zeek_cols][hostname]" => "[zeek_cols][host]" }
+ rename => { "[zeek_cols][domainname]" => "[zeek_cols][domain]" }
+ rename => { "[zeek_cols][server_nb_computer_name]" => "[zeek_cols][server_nb_computer]" }
+ rename => { "[zeek_cols][server_dns_computer_name]" => "[zeek_cols][server_dns_computer]" }
+ rename => { "[zeek_cols][server_tree_name]" => "[zeek_cols][server_tree]" }
+ rename => { "[zeek_cols][username]" => "[zeek_cols][user]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_ntlm_with_all_fields"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user]} %{[zeek_cols][host]} %{[zeek_cols][domain]} %{[zeek_cols][server_nb_computer]} %{[zeek_cols][server_dns_computer]} %{[zeek_cols][server_tree]} %{[zeek_cols][success]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_ntlm"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_ntlm"
+ init => "@zeek_ntlm_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'user', 'host', 'domain', 'server_nb_computer', 'server_dns_computer', 'server_tree', 'success' ]"
+ code => "event.set('[zeek_cols]', @zeek_ntlm_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_ntlm"
+ add_field => { "[zeek_cols][service]" => "ntlm" }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1041_zeek_ntp.conf b/logstash/pipelines/zeek/1041_zeek_ntp.conf
new file mode 100644
index 000000000..fc4196b57
--- /dev/null
+++ b/logstash/pipelines/zeek/1041_zeek_ntp.conf
@@ -0,0 +1,42 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+ if ([log_source] == "ntp") {
+ #############################################################################################################################
+ # ntp.log
+ # https://docs.zeek.org/en/latest/scripts/base/protocols/ntp/main.zeek.html#type-NTP::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_ntp"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][mode]} %{[zeek_cols][stratum]} %{[zeek_cols][poll]} %{[zeek_cols][precision]} %{[zeek_cols][root_delay]} %{[zeek_cols][root_disp]} %{[zeek_cols][ref_id]} %{[zeek_cols][ref_time]} %{[zeek_cols][org_time]} %{[zeek_cols][rec_time]} %{[zeek_cols][xmt_time]} %{[zeek_cols][num_exts]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_ntp"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_ntp"
+ init => "@zeek_ntp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'mode', 'stratum', 'poll', 'precision', 'root_delay', 'root_disp', 'ref_id', 'ref_time', 'org_time', 'rec_time', 'xmt_time', 'num_exts' ]"
+ code => "event.set('[zeek_cols]', @zeek_ntp_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_ntp"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "ntp"
+ }
+ }
+
+ }
+
+} # end Filter
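Review bot: The reference comment links `https://docs.zeek.org/en/latest/...` while every sibling file in this change (mqtt, mysql, notice, ntlm, ocsp) links `en/stable`; `latest` tracks the development branch, so the column order it documents can drift from what a released Zeek writes, which is precisely what this space-delimited `dissect` mapping depends on. Use `# https://docs.zeek.org/en/stable/scripts/base/protocols/ntp/main.zeek.html#type-NTP::Info` for consistency with the other files.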
diff --git a/logstash/pipelines/zeek/1042_zeek_ocsp.conf b/logstash/pipelines/zeek/1042_zeek_ocsp.conf
new file mode 100644
index 000000000..b6919838e
--- /dev/null
+++ b/logstash/pipelines/zeek/1042_zeek_ocsp.conf
@@ -0,0 +1,39 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "ocsp") {
+ #############################################################################################################################
+ # ocsp.log
+ # https://docs.zeek.org/en/stable/scripts/policy/files/x509/log-ocsp.zeek.html#type-OCSP::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_ocsp"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][fuid]} %{[zeek_cols][hashAlgorithm]} %{[zeek_cols][issuerNameHash]} %{[zeek_cols][issuerKeyHash]} %{[zeek_cols][serialNumber]} %{[zeek_cols][certStatus]} %{[zeek_cols][revoketime]} %{[zeek_cols][revokereason]} %{[zeek_cols][thisUpdate]} %{[zeek_cols][nextUpdate]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_ocsp"
+ split => { "[message]" => " " }
+ }
+
+ ruby {
+ id => "ruby_zip_zeek_ocsp"
+ init => "@zeek_ocsp_field_names = [ 'ts', 'fuid', 'hashAlgorithm', 'issuerNameHash', 'issuerKeyHash', 'serialNumber', 'certStatus', 'revoketime', 'revokereason', 'thisUpdate', 'nextUpdate' ]"
+ code => "event.set('[zeek_cols]', @zeek_ocsp_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate { id => "mutate_add_fields_zeek_service_ocsp"
+ add_field => { "[zeek_cols][service]" => "X.509" } }
+
+ }
+
+} # end Filter
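Review bot: The TSV path names the second column `[zeek_cols][fuid]`, but Zeek's ocsp.log calls that column `id`, so records arriving with `_jsonparsesuccess` (which skip this `dissect` entirely) will presumably carry `[zeek_cols][id]` instead; unlike ntlm.conf in this change, there is no JSON-branch `rename` to reconcile the two names. Unless a later stage normalizes it, add `if ("_jsonparsesuccess" in [tags]) { mutate { id => "mutate_rename_zeek_json_ocsp_fields" rename => { "[zeek_cols][id]" => "[zeek_cols][fuid]" } } }` ahead of the existing conditional. Separately, the add_field plugin id `mutate_add_fields_zeek_service_ocsp` departs from the `mutate_add_fields_zeek_<log>` pattern the sibling files use; `mutate_add_fields_zeek_ocsp` would match.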
diff --git a/logstash/pipelines/zeek/1043_zeek_opcua_binary.conf b/logstash/pipelines/zeek/1043_zeek_opcua_binary.conf
new file mode 100644
index 000000000..b9431e3d2
--- /dev/null
+++ b/logstash/pipelines/zeek/1043_zeek_opcua_binary.conf
@@ -0,0 +1,1598 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+ if ([log_source] =~ /^opcua_binary/) {
+ if ([log_source] == "opcua_binary") {
+ #############################################################################################################################
+ # opcua_binary.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][msg_type]} %{[zeek_cols][is_final]} %{[zeek_cols][msg_size]} %{[zeek_cols][error]} %{[zeek_cols][reason]} %{[zeek_cols][version]} %{[zeek_cols][rcv_buf_size]} %{[zeek_cols][snd_buf_size]} %{[zeek_cols][max_msg_size]} %{[zeek_cols][max_chunk_cnt]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][sec_channel_id]} %{[zeek_cols][sec_policy_uri_len]} %{[zeek_cols][sec_policy_uri]} %{[zeek_cols][snd_cert_len]} %{[zeek_cols][snd_cert]} %{[zeek_cols][rcv_cert_len]} %{[zeek_cols][rcv_cert]} %{[zeek_cols][seq_number]} %{[zeek_cols][request_id]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][namespace_idx]} %{[zeek_cols][identifier]} %{[zeek_cols][identifier_str]} %{[zeek_cols][req_hdr_node_id_type]} %{[zeek_cols][req_hdr_node_id_namespace_idx]} %{[zeek_cols][req_hdr_node_id_numeric]} %{[zeek_cols][req_hdr_node_id_string]} %{[zeek_cols][req_hdr_node_id_guid]} %{[zeek_cols][req_hdr_node_id_opaque]} %{[zeek_cols][req_hdr_timestamp]} %{[zeek_cols][req_hdr_request_handle]} %{[zeek_cols][req_hdr_return_diag]} %{[zeek_cols][req_hdr_audit_entry_id]} %{[zeek_cols][req_hdr_timeout_hint]} %{[zeek_cols][req_hdr_add_hdr_type_id]} %{[zeek_cols][req_hdr_add_hdr_enc_mask]} %{[zeek_cols][res_hdr_timestamp]} %{[zeek_cols][res_hdr_request_handle]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][res_hdr_service_diag_encoding]} %{[zeek_cols][res_hdr_add_hdr_type_id]} %{[zeek_cols][res_hdr_add_hdr_enc_mask]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary"
+ init => "@zeek_opcua_binary_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'msg_type', 'is_final', 'msg_size', 'error', 'reason', 'version', 'rcv_buf_size', 'snd_buf_size', 'max_msg_size', 'max_chunk_cnt', 'endpoint_url', 'sec_channel_id', 'sec_policy_uri_len', 'sec_policy_uri', 'snd_cert_len', 'snd_cert', 'rcv_cert_len', 'rcv_cert', 'seq_number', 'request_id', 'encoding_mask', 'namespace_idx', 'identifier', 'identifier_str', 'req_hdr_node_id_type', 'req_hdr_node_id_namespace_idx', 'req_hdr_node_id_numeric', 'req_hdr_node_id_string', 'req_hdr_node_id_guid', 'req_hdr_node_id_opaque', 'req_hdr_timestamp', 'req_hdr_request_handle', 'req_hdr_return_diag', 'req_hdr_audit_entry_id', 'req_hdr_timeout_hint', 'req_hdr_add_hdr_type_id', 'req_hdr_add_hdr_enc_mask', 'res_hdr_timestamp', 'res_hdr_request_handle', 'status_code_link_id', 'res_hdr_service_diag_encoding', 'res_hdr_add_hdr_type_id', 'res_hdr_add_hdr_enc_mask' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_activate_session") {
+ #############################################################################################################################
+ # opcua_binary_activate_session.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_activate_session"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][client_algorithm]} %{[zeek_cols][client_signature]} %{[zeek_cols][client_software_cert_link_id]} %{[zeek_cols][opcua_locale_link_id]} %{[zeek_cols][ext_obj_type_id_encoding_mask]} %{[zeek_cols][ext_obj_type_id_namespace_idx]} %{[zeek_cols][ext_obj_type_id_numeric]} %{[zeek_cols][ext_obj_type_id_string]} %{[zeek_cols][ext_obj_type_id_guid]} %{[zeek_cols][ext_obj_type_id_opaque]} %{[zeek_cols][ext_obj_type_id_str]} %{[zeek_cols][ext_obj_encoding]} %{[zeek_cols][ext_obj_policy_id]} %{[zeek_cols][ext_obj_user_name]} %{[zeek_cols][ext_obj_password]} %{[zeek_cols][ext_obj_encryption_algorithom]} %{[zeek_cols][ext_obj_certificate_data]} %{[zeek_cols][ext_obj_token_data]} %{[zeek_cols][user_token_algorithm]} %{[zeek_cols][user_token_signature]} %{[zeek_cols][server_nonce]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][activate_session_diag_info_link_id]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_activate_session"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_activate_session"
+ init => "@zeek_opcua_binary_activate_session_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'client_algorithm', 'client_signature', 'client_software_cert_link_id', 'opcua_locale_link_id', 'ext_obj_type_id_encoding_mask', 'ext_obj_type_id_namespace_idx', 'ext_obj_type_id_numeric', 'ext_obj_type_id_string', 'ext_obj_type_id_guid', 'ext_obj_type_id_opaque', 'ext_obj_type_id_str', 'ext_obj_encoding', 'ext_obj_policy_id', 'ext_obj_user_name', 'ext_obj_password', 'ext_obj_encryption_algorithom', 'ext_obj_certificate_data', 'ext_obj_token_data', 'user_token_algorithm', 'user_token_signature', 'server_nonce', 'status_code_link_id', 'activate_session_diag_info_link_id' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_activate_session_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_activate_session"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_activate_session_client_software_cert") {
+ #############################################################################################################################
+ # opcua_binary_activate_session_client_software_cert.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_activate_session_client_software_cert"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][client_software_cert_link_id]} %{[zeek_cols][cert_data]} %{[zeek_cols][cert_signature]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_activate_session_client_software_cert"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_activate_session_client_software_cert"
+ init => "@zeek_opcua_binary_activate_session_client_software_cert_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'client_software_cert_link_id', 'cert_data', 'cert_signature' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_activate_session_client_software_cert_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_activate_session_client_software_cert"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_activate_session_locale_id") {
+ #############################################################################################################################
+ # opcua_binary_activate_session_locale_id.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_activate_session_locale_id"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_locale_link_id]} %{[zeek_cols][local_id]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_activate_session_locale_id"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_activate_session_locale_id"
+ init => "@zeek_opcua_binary_activate_session_locale_id_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_locale_link_id', 'local_id' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_activate_session_locale_id_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_activate_session_locale_id"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_aggregate_filter") {
+ #############################################################################################################################
+ # opcua_binary_aggregate_filter.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_aggregate_filter"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][monitored_parameters_link_id]} %{[zeek_cols][start_time]} %{[zeek_cols][start_time_str]} %{[zeek_cols][aggregate_type_encoding_mask]} %{[zeek_cols][aggregate_type_namespace_idx]} %{[zeek_cols][aggregate_type_numeric]} %{[zeek_cols][aggregate_type_string]} %{[zeek_cols][aggregate_type_guid]} %{[zeek_cols][aggregate_type_opaque]} %{[zeek_cols][processing_interval]} %{[zeek_cols][use_server_capabilities_default]} %{[zeek_cols][treat_uncertain_as_bad]} %{[zeek_cols][percent_data_good]} %{[zeek_cols][percent_data_bad]} %{[zeek_cols][use_slopped_extrapolation]} %{[zeek_cols][revised_start_time]} %{[zeek_cols][revised_start_time_str]} %{[zeek_cols][revised_processing_interval]} %{[zeek_cols][revised_use_server_capabilities_default]} %{[zeek_cols][revised_treat_uncertain_as_bad]} %{[zeek_cols][revised_percent_data_good]} %{[zeek_cols][revised_percent_data_bad]} %{[zeek_cols][revised_use_slopped_extrapolation]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_aggregate_filter"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_aggregate_filter"
+ init => "@zeek_opcua_binary_aggregate_filter_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'monitored_parameters_link_id', 'start_time', 'start_time_str', 'aggregate_type_encoding_mask', 'aggregate_type_namespace_idx', 'aggregate_type_numeric', 'aggregate_type_string', 'aggregate_type_guid', 'aggregate_type_opaque', 'processing_interval', 'use_server_capabilities_default', 'treat_uncertain_as_bad', 'percent_data_good', 'percent_data_bad', 'use_slopped_extrapolation', 'revised_start_time', 'revised_start_time_str', 'revised_processing_interval', 'revised_use_server_capabilities_default', 'revised_treat_uncertain_as_bad', 'revised_percent_data_good', 'revised_percent_data_bad', 'revised_use_slopped_extrapolation' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_aggregate_filter_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_aggregate_filter"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_event_filter_attribute_operand") {
+ #############################################################################################################################
+ # opcua_binary_event_filter_attribute_operand.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_event_filter_attribute_operand"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][node_id_encoding_mask]} %{[zeek_cols][node_id_namespace_idx]} %{[zeek_cols][node_id_numeric]} %{[zeek_cols][node_id_string]} %{[zeek_cols][node_id_guid]} %{[zeek_cols][node_id_opaque]} %{[zeek_cols][alias]} %{[zeek_cols][browse_path_element_link_id]} %{[zeek_cols][attribute]} %{[zeek_cols][index_range]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_event_filter_attribute_operand"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_event_filter_attribute_operand"
+ init => "@zeek_opcua_binary_event_filter_attribute_operand_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_filter_operand_link_id', 'node_id_encoding_mask', 'node_id_namespace_idx', 'node_id_numeric', 'node_id_string', 'node_id_guid', 'node_id_opaque', 'alias', 'browse_path_element_link_id', 'attribute', 'index_range' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_attribute_operand_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_event_filter_attribute_operand"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_event_filter_attribute_operand_browse_paths") {
+ #############################################################################################################################
+ # opcua_binary_event_filter_attribute_operand_browse_paths.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_event_filter_attribute_operand_browse_paths"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_path_element_link_id]} %{[zeek_cols][type_id_encoding_mask]} %{[zeek_cols][type_id_namespace_idx]} %{[zeek_cols][type_id_numeric]} %{[zeek_cols][type_id_string]} %{[zeek_cols][type_id_guid]} %{[zeek_cols][type_id_opaque]} %{[zeek_cols][is_inverse]} %{[zeek_cols][include_subtypes]} %{[zeek_cols][target_name_namespace_idx]} %{[zeek_cols][target_name]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_event_filter_attribute_operand_browse_paths"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_event_filter_attribute_operand_browse_paths"
+ init => "@zeek_opcua_binary_event_filter_attribute_operand_browse_paths_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_path_element_link_id', 'type_id_encoding_mask', 'type_id_namespace_idx', 'type_id_numeric', 'type_id_string', 'type_id_guid', 'type_id_opaque', 'is_inverse', 'include_subtypes', 'target_name_namespace_idx', 'target_name' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_attribute_operand_browse_paths_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_event_filter_attribute_operand_browse_paths"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_browse") {
+ #############################################################################################################################
+ # opcua_binary_browse.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_browse"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][browse_service_type]} %{[zeek_cols][browse_view_id_encoding_mask]} %{[zeek_cols][browse_view_id_namespace_idx]} %{[zeek_cols][browse_view_id_numeric]} %{[zeek_cols][browse_view_id_string]} %{[zeek_cols][browse_view_id_guid]} %{[zeek_cols][browse_view_id_opaque]} %{[zeek_cols][browse_view_description_timestamp]} %{[zeek_cols][browse_view_description_view_version]} %{[zeek_cols][req_max_ref_nodes]} %{[zeek_cols][browse_description_link_id]} %{[zeek_cols][browse_next_release_continuation_point]} %{[zeek_cols][browse_next_link_id]} %{[zeek_cols][browse_response_link_id]} %{[zeek_cols][browse_diag_info_link_id]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_browse"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_browse"
+ init => "@zeek_opcua_binary_browse_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'browse_service_type', 'browse_view_id_encoding_mask', 'browse_view_id_namespace_idx', 'browse_view_id_numeric', 'browse_view_id_string', 'browse_view_id_guid', 'browse_view_id_opaque', 'browse_view_description_timestamp', 'browse_view_description_view_version', 'req_max_ref_nodes', 'browse_description_link_id', 'browse_next_release_continuation_point', 'browse_next_link_id', 'browse_response_link_id', 'browse_diag_info_link_id' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_browse"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_browse_description") {
+ #############################################################################################################################
+ # opcua_binary_browse_description.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_browse_description"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_description_link_id]} %{[zeek_cols][browse_description_encoding_mask]} %{[zeek_cols][browse_description_namespace_idx]} %{[zeek_cols][browse_description_numeric]} %{[zeek_cols][browse_description_string]} %{[zeek_cols][browse_description_guid]} %{[zeek_cols][browse_description_opaque]} %{[zeek_cols][browse_direction]} %{[zeek_cols][browse_description_ref_encoding_mask]} %{[zeek_cols][browse_description_ref_namespace_idx]} %{[zeek_cols][browse_description_ref_numeric]} %{[zeek_cols][browse_description_ref_string]} %{[zeek_cols][browse_description_ref_guid]} %{[zeek_cols][browse_description_ref_opaque]} %{[zeek_cols][browse_description_include_subtypes]} %{[zeek_cols][browse_node_class_mask]} %{[zeek_cols][browse_result_mask]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_browse_description"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_browse_description"
+ init => "@zeek_opcua_binary_browse_description_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_description_link_id', 'browse_description_encoding_mask', 'browse_description_namespace_idx', 'browse_description_numeric', 'browse_description_string', 'browse_description_guid', 'browse_description_opaque', 'browse_direction', 'browse_description_ref_encoding_mask', 'browse_description_ref_namespace_idx', 'browse_description_ref_numeric', 'browse_description_ref_string', 'browse_description_ref_guid', 'browse_description_ref_opaque', 'browse_description_include_subtypes', 'browse_node_class_mask', 'browse_result_mask' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_description_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_browse_description"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_browse_response_references") {
+ #############################################################################################################################
+ # opcua_binary_browse_response_references.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_browse_response_references"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_reference_link_id]} %{[zeek_cols][browse_response_ref_encoding_mask]} %{[zeek_cols][browse_response_ref_namespace_idx]} %{[zeek_cols][browse_response_ref_numeric]} %{[zeek_cols][browse_response_ref_string]} %{[zeek_cols][browse_response_ref_guid]} %{[zeek_cols][browse_response_ref_opaque]} %{[zeek_cols][browse_response_is_forward]} %{[zeek_cols][browse_response_ref_type_encoding_mask]} %{[zeek_cols][browse_response_ref_type_namespace_idx]} %{[zeek_cols][browse_response_ref_type_numeric]} %{[zeek_cols][browse_response_ref_type_string]} %{[zeek_cols][browse_response_ref_type_guid]} %{[zeek_cols][browse_response_ref_type_opaque]} %{[zeek_cols][browse_response_ref_type_namespace_uri]} %{[zeek_cols][browse_response_ref_type_server_idx]} %{[zeek_cols][browse_response_ref_name_idx]} %{[zeek_cols][browse_response_ref_name]} %{[zeek_cols][browse_response_display_name_mask]} %{[zeek_cols][browse_response_display_name_locale]} %{[zeek_cols][browse_response_display_name_text]} %{[zeek_cols][browse_response_node_class]} %{[zeek_cols][browse_response_type_def_encoding_mask]} %{[zeek_cols][browse_response_type_def_namespace_idx]} %{[zeek_cols][browse_response_type_def_numeric]} %{[zeek_cols][browse_response_type_def_string]} %{[zeek_cols][browse_response_type_def_guid]} %{[zeek_cols][browse_response_type_def_opaque]} %{[zeek_cols][browse_response_type_def_namespace_uri]} %{[zeek_cols][browse_response_type_def_server_idx]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_browse_response_references"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_browse_response_references"
+ init => "@zeek_opcua_binary_browse_response_references_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_reference_link_id', 'browse_response_ref_encoding_mask', 'browse_response_ref_namespace_idx', 'browse_response_ref_numeric', 'browse_response_ref_string', 'browse_response_ref_guid', 'browse_response_ref_opaque', 'browse_response_is_forward', 'browse_response_ref_type_encoding_mask', 'browse_response_ref_type_namespace_idx', 'browse_response_ref_type_numeric', 'browse_response_ref_type_string', 'browse_response_ref_type_guid', 'browse_response_ref_type_opaque', 'browse_response_ref_type_namespace_uri', 'browse_response_ref_type_server_idx', 'browse_response_ref_name_idx', 'browse_response_ref_name', 'browse_response_display_name_mask', 'browse_response_display_name_locale', 'browse_response_display_name_text', 'browse_response_node_class', 'browse_response_type_def_encoding_mask', 'browse_response_type_def_namespace_idx', 'browse_response_type_def_numeric', 'browse_response_type_def_string', 'browse_response_type_def_guid', 'browse_response_type_def_opaque', 'browse_response_type_def_namespace_uri', 'browse_response_type_def_server_idx' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_response_references_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_browse_response_references"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_browse_request_continuation_point") {
+ #############################################################################################################################
+ # opcua_binary_browse_request_continuation_point.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_browse_request_continuation_point"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_next_link_id]} %{[zeek_cols][continuation_point]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_browse_request_continuation_point"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_browse_request_continuation_point"
+ init => "@zeek_opcua_binary_browse_request_continuation_point_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_next_link_id', 'continuation_point' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_request_continuation_point_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_browse_request_continuation_point"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_browse_result") {
+ #############################################################################################################################
+ # opcua_binary_browse_result.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_browse_result"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_response_link_id]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][browse_result_continuation_point]} %{[zeek_cols][browse_reference_link_id]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_browse_result"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_browse_result"
+ init => "@zeek_opcua_binary_browse_result_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_response_link_id', 'status_code_link_id', 'browse_result_continuation_point', 'browse_reference_link_id' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_result_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_browse_result"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_close_session") {
+ #############################################################################################################################
+ # opcua_binary_close_session.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_close_session"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][del_subscriptions]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_close_session"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_close_session"
+ init => "@zeek_opcua_binary_close_session_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'del_subscriptions' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_close_session_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_close_session"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_event_filter_where_clause") {
+ #############################################################################################################################
+ # opcua_binary_event_filter_where_clause.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_event_filter_where_clause"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][where_clause_link_id]} %{[zeek_cols][content_filter_element_link_id]} %{[zeek_cols][content_filter_status_code_link_id]} %{[zeek_cols][content_filter_diag_info_link_id]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_event_filter_where_clause"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_event_filter_where_clause"
+ init => "@zeek_opcua_binary_event_filter_where_clause_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'where_clause_link_id', 'content_filter_element_link_id', 'content_filter_status_code_link_id', 'content_filter_diag_info_link_id' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_where_clause_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_event_filter_where_clause"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_event_filter_where_clause_elements") {
+ #############################################################################################################################
+ # opcua_binary_event_filter_where_clause_elements.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_event_filter_where_clause_elements"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_element_link_id]} %{[zeek_cols][filter_operator]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_encoding_mask]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_namespace_idx]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_numeric]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_string]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_guid]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_opaque]} %{[zeek_cols][content_filter_filter_operand_type_id_string]} %{[zeek_cols][content_filter_filter_operand_type_id_encoding]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][content_filter_operand_status_code_link_id]} %{[zeek_cols][content_filter_operand_diag_info_link_id]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_event_filter_where_clause_elements"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_event_filter_where_clause_elements"
+ init => "@zeek_opcua_binary_event_filter_where_clause_elements_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_element_link_id', 'filter_operator', 'content_filter_filter_operand_type_id_node_id_encoding_mask', 'content_filter_filter_operand_type_id_node_id_namespace_idx', 'content_filter_filter_operand_type_id_node_id_numeric', 'content_filter_filter_operand_type_id_node_id_string', 'content_filter_filter_operand_type_id_node_id_guid', 'content_filter_filter_operand_type_id_node_id_opaque', 'content_filter_filter_operand_type_id_string', 'content_filter_filter_operand_type_id_encoding', 'content_filter_filter_operand_link_id', 'content_filter_operand_status_code_link_id', 'content_filter_operand_diag_info_link_id' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_where_clause_elements_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_event_filter_where_clause_elements"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_create_monitored_items") {
+ #############################################################################################################################
+ # opcua_binary_create_monitored_items.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_create_monitored_items"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][subscription_id]} %{[zeek_cols][timestamps_to_return]} %{[zeek_cols][timestamps_to_return_str]} %{[zeek_cols][create_item_link_id]} %{[zeek_cols][create_monitored_items_diag_info_link_id]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_create_monitored_items"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_create_monitored_items"
+ init => "@zeek_opcua_binary_create_monitored_items_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'subscription_id', 'timestamps_to_return', 'timestamps_to_return_str', 'create_item_link_id', 'create_monitored_items_diag_info_link_id' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_monitored_items_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_create_monitored_items"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_create_monitored_items_create_item") {
+ #############################################################################################################################
+ # opcua_binary_create_monitored_items_create_item.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_create_monitored_items_create_item"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][create_item_link_id]} %{[zeek_cols][item_to_monitor_node_id_encoding_mask]} %{[zeek_cols][item_to_monitor_node_id_namespace_idx]} %{[zeek_cols][item_to_monitor_node_id_numeric]} %{[zeek_cols][item_to_monitor_node_id_string]} %{[zeek_cols][item_to_monitor_node_id_guid]} %{[zeek_cols][item_to_monitor_node_id_opaque]} %{[zeek_cols][item_to_monitor_attribute_id]} %{[zeek_cols][item_to_monitor_index_range]} %{[zeek_cols][item_to_monitor_namespace_idx]} %{[zeek_cols][item_to_monitor_name]} %{[zeek_cols][monitoring_mode]} %{[zeek_cols][monitoring_parameters_client_handle]} %{[zeek_cols][monitoring_parameters_sampling_interval]} %{[zeek_cols][monitoring_parameters_queue_size]} %{[zeek_cols][monitoring_parameters_discard_oldest]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_encoding_mask]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_namespace_idx]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_numeric]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_string]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_guid]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_opaque]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_string]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_encoding]} %{[zeek_cols][filter_info_details_link_id]} %{[zeek_cols][monitoring_parameters_status_code_link_id]} %{[zeek_cols][monitored_item_index_id]} %{[zeek_cols][monitoring_parameters_revised_sampling_interval]} %{[zeek_cols][monitoring_parameters_revised_queue_size]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_create_monitored_items_create_item"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_create_monitored_items_create_item"
+ init => "@zeek_opcua_binary_create_monitored_items_create_item_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'create_item_link_id', 'item_to_monitor_node_id_encoding_mask', 'item_to_monitor_node_id_namespace_idx', 'item_to_monitor_node_id_numeric', 'item_to_monitor_node_id_string', 'item_to_monitor_node_id_guid', 'item_to_monitor_node_id_opaque', 'item_to_monitor_attribute_id', 'item_to_monitor_index_range', 'item_to_monitor_namespace_idx', 'item_to_monitor_name', 'monitoring_mode', 'monitoring_parameters_client_handle', 'monitoring_parameters_sampling_interval', 'monitoring_parameters_queue_size', 'monitoring_parameters_discard_oldest', 'monitoring_parameters_filter_info_type_id_node_id_encoding_mask', 'monitoring_parameters_filter_info_type_id_node_id_namespace_idx', 'monitoring_parameters_filter_info_type_id_node_id_numeric', 'monitoring_parameters_filter_info_type_id_node_id_string', 'monitoring_parameters_filter_info_type_id_node_id_guid', 'monitoring_parameters_filter_info_type_id_node_id_opaque', 'monitoring_parameters_filter_info_type_id_string', 'monitoring_parameters_filter_info_type_id_encoding', 'filter_info_details_link_id', 'monitoring_parameters_status_code_link_id', 'monitored_item_index_id', 'monitoring_parameters_revised_sampling_interval', 'monitoring_parameters_revised_queue_size' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_monitored_items_create_item_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_create_monitored_items_create_item"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_create_session") {
+ #############################################################################################################################
+ # opcua_binary_create_session.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_create_session"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][application_uri]} %{[zeek_cols][product_uri]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][locale]} %{[zeek_cols][text]} %{[zeek_cols][application_type]} %{[zeek_cols][gateway_server_uri]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][server_uri]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][session_name]} %{[zeek_cols][client_nonce]} %{[zeek_cols][client_cert_size]} %{[zeek_cols][client_cert]} %{[zeek_cols][req_session_timeout]} %{[zeek_cols][max_res_msg_size]} %{[zeek_cols][session_id_encoding_mask]} %{[zeek_cols][session_id_namespace_idx]} %{[zeek_cols][session_id_numeric]} %{[zeek_cols][session_id_string]} %{[zeek_cols][session_id_guid]} %{[zeek_cols][session_id_opaque]} %{[zeek_cols][auth_token_encoding_mask]} %{[zeek_cols][auth_token_namespace_idx]} %{[zeek_cols][auth_token_numeric]} %{[zeek_cols][auth_token_string]} %{[zeek_cols][auth_token_guid]} %{[zeek_cols][auth_token_opaque]} %{[zeek_cols][revised_session_timeout]} %{[zeek_cols][server_nonce]} %{[zeek_cols][server_cert_size]} %{[zeek_cols][server_cert]} %{[zeek_cols][endpoint_link_id]} %{[zeek_cols][algorithm]} %{[zeek_cols][signature]} %{[zeek_cols][max_req_msg_size]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_create_session"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_create_session"
+ init => "@zeek_opcua_binary_create_session_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'application_uri', 'product_uri', 'encoding_mask', 'locale', 'text', 'application_type', 'gateway_server_uri', 'discovery_profile_uri', 'discovery_profile_link_id', 'server_uri', 'endpoint_url', 'session_name', 'client_nonce', 'client_cert_size', 'client_cert', 'req_session_timeout', 'max_res_msg_size', 'session_id_encoding_mask', 'session_id_namespace_idx', 'session_id_numeric', 'session_id_string', 'session_id_guid', 'session_id_opaque', 'auth_token_encoding_mask', 'auth_token_namespace_idx', 'auth_token_numeric', 'auth_token_string', 'auth_token_guid', 'auth_token_opaque', 'revised_session_timeout', 'server_nonce', 'server_cert_size', 'server_cert', 'endpoint_link_id', 'algorithm', 'signature', 'max_req_msg_size' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_session_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_create_session"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_create_session_discovery") {
+ #############################################################################################################################
+ # opcua_binary_create_session_discovery.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_create_session_discovery"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_url]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_create_session_discovery"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_create_session_discovery"
+ init => "@zeek_opcua_binary_create_session_discovery_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'discovery_profile_link_id', 'discovery_profile_uri', 'discovery_profile_url' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_session_discovery_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_create_session_discovery"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_create_session_endpoints") {
+ #############################################################################################################################
+ # opcua_binary_create_session_endpoints.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_create_session_endpoints"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][endpoint_link_id]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][application_uri]} %{[zeek_cols][product_uri]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][locale]} %{[zeek_cols][text]} %{[zeek_cols][application_type]} %{[zeek_cols][gateway_server_uri]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][cert_size]} %{[zeek_cols][server_cert]} %{[zeek_cols][message_security_mode]} %{[zeek_cols][security_policy_uri]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][transport_profile_uri]} %{[zeek_cols][security_level]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_create_session_endpoints"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_create_session_endpoints"
+ init => "@zeek_opcua_binary_create_session_endpoints_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'endpoint_link_id', 'endpoint_url', 'application_uri', 'product_uri', 'encoding_mask', 'locale', 'text', 'application_type', 'gateway_server_uri', 'discovery_profile_uri', 'discovery_profile_link_id', 'cert_size', 'server_cert', 'message_security_mode', 'security_policy_uri', 'user_token_link_id', 'transport_profile_uri', 'security_level' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_session_endpoints_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_create_session_endpoints"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_create_session_user_token") {
+ #############################################################################################################################
+ # opcua_binary_create_session_user_token.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_create_session_user_token"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][user_token_policy_id]} %{[zeek_cols][user_token_type]} %{[zeek_cols][user_token_issued_type]} %{[zeek_cols][user_token_endpoint_url]} %{[zeek_cols][user_token_sec_policy_uri]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_create_session_user_token"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_create_session_user_token"
+ init => "@zeek_opcua_binary_create_session_user_token_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'user_token_link_id', 'user_token_policy_id', 'user_token_type', 'user_token_issued_type', 'user_token_endpoint_url', 'user_token_sec_policy_uri' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_session_user_token_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_create_session_user_token"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_create_subscription") {
+ #############################################################################################################################
+ # opcua_binary_create_subscription.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_create_subscription"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][requested_publishing_interval]} %{[zeek_cols][requested_lifetime_count]} %{[zeek_cols][requested_max_keep_alive_count]} %{[zeek_cols][max_notifications_per_publish]} %{[zeek_cols][publishing_enabled]} %{[zeek_cols][priority]} %{[zeek_cols][subscription_id]} %{[zeek_cols][revised_publishing_interval]} %{[zeek_cols][revised_lifetime_count]} %{[zeek_cols][revised_max_keep_alive_count]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_create_subscription"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_create_subscription"
+ init => "@zeek_opcua_binary_create_subscription_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'requested_publishing_interval', 'requested_lifetime_count', 'requested_max_keep_alive_count', 'max_notifications_per_publish', 'publishing_enabled', 'priority', 'subscription_id', 'revised_publishing_interval', 'revised_lifetime_count', 'revised_max_keep_alive_count' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_subscription_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_create_subscription"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_data_change_filter") {
+ #############################################################################################################################
+ # opcua_binary_data_change_filter.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_data_change_filter"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][monitored_parameters_link_id]} %{[zeek_cols][trigger]} %{[zeek_cols][deadband_type]} %{[zeek_cols][deadband_value]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_data_change_filter"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_data_change_filter"
+ init => "@zeek_opcua_binary_data_change_filter_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'monitored_parameters_link_id', 'trigger', 'deadband_type', 'deadband_value' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_data_change_filter_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_data_change_filter"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_diag_info_detail") {
+ #############################################################################################################################
+ # opcua_binary_diag_info_detail.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_diag_info_detail"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][diag_info_link_id]} %{[zeek_cols][root_object_id]} %{[zeek_cols][source]} %{[zeek_cols][source_str]} %{[zeek_cols][inner_diag_level]} %{[zeek_cols][has_symbolic_id]} %{[zeek_cols][symbolic_id]} %{[zeek_cols][symbolic_id_str]} %{[zeek_cols][has_namespace_uri]} %{[zeek_cols][namespace_uri]} %{[zeek_cols][namespace_uri_str]} %{[zeek_cols][has_locale]} %{[zeek_cols][locale]} %{[zeek_cols][locale_str]} %{[zeek_cols][has_locale_txt]} %{[zeek_cols][locale_txt]} %{[zeek_cols][locale_txt_str]} %{[zeek_cols][has_addl_info]} %{[zeek_cols][addl_info]} %{[zeek_cols][has_inner_stat_code]} %{[zeek_cols][inner_stat_code]} %{[zeek_cols][has_inner_diag_info]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_diag_info_detail"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_diag_info_detail"
+ init => "@zeek_opcua_binary_diag_info_detail_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'diag_info_link_id', 'root_object_id', 'source', 'source_str', 'inner_diag_level', 'has_symbolic_id', 'symbolic_id', 'symbolic_id_str', 'has_namespace_uri', 'namespace_uri', 'namespace_uri_str', 'has_locale', 'locale', 'locale_str', 'has_locale_txt', 'locale_txt', 'locale_txt_str', 'has_addl_info', 'addl_info', 'has_inner_stat_code', 'inner_stat_code', 'has_inner_diag_info' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_diag_info_detail_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_diag_info_detail"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_event_filter_element_operand") {
+ #############################################################################################################################
+ # opcua_binary_event_filter_element_operand.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_event_filter_element_operand"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][element_index]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_event_filter_element_operand"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_event_filter_element_operand"
+ init => "@zeek_opcua_binary_event_filter_element_operand_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_filter_operand_link_id', 'element_index' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_element_operand_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_event_filter_element_operand"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_event_filter") {
+ #############################################################################################################################
+ # opcua_binary_event_filter.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_event_filter"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][monitored_parameters_link_id]} %{[zeek_cols][select_clause_link_id]} %{[zeek_cols][where_clause_content_filter_link_id]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_event_filter"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_event_filter"
+ init => "@zeek_opcua_binary_event_filter_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'monitored_parameters_link_id', 'select_clause_link_id', 'where_clause_content_filter_link_id' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_event_filter"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_get_endpoints") {
+ #############################################################################################################################
+ # opcua_binary_get_endpoints.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_get_endpoints"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][locale_link_id]} %{[zeek_cols][profile_uri_link_id]} %{[zeek_cols][endpoint_description_link_id]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_get_endpoints"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_get_endpoints"
+ init => "@zeek_opcua_binary_get_endpoints_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'endpoint_url', 'locale_link_id', 'profile_uri_link_id', 'endpoint_description_link_id' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_get_endpoints"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_get_endpoints_description") {
+ #############################################################################################################################
+ # opcua_binary_get_endpoints_description.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_get_endpoints_description"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][endpoint_description_link_id]} %{[zeek_cols][endpoint_uri]} %{[zeek_cols][application_uri]} %{[zeek_cols][product_uri]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][locale]} %{[zeek_cols][text]} %{[zeek_cols][application_type]} %{[zeek_cols][gateway_server_uri]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][cert_size]} %{[zeek_cols][server_cert]} %{[zeek_cols][message_security_mode]} %{[zeek_cols][security_policy_uri]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][transport_profile_uri]} %{[zeek_cols][security_level]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_get_endpoints_description"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_get_endpoints_description"
+ init => "@zeek_opcua_binary_get_endpoints_description_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'endpoint_description_link_id', 'endpoint_uri', 'application_uri', 'product_uri', 'encoding_mask', 'locale', 'text', 'application_type', 'gateway_server_uri', 'discovery_profile_uri', 'discovery_profile_link_id', 'cert_size', 'server_cert', 'message_security_mode', 'security_policy_uri', 'user_token_link_id', 'transport_profile_uri', 'security_level' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_description_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_description"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_get_endpoints_discovery") {
+ #############################################################################################################################
+ # opcua_binary_get_endpoints_discovery.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_get_endpoints_discovery"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][discovery_profile_url]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_get_endpoints_discovery"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_get_endpoints_discovery"
+ init => "@zeek_opcua_binary_get_endpoints_discovery_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'discovery_profile_link_id', 'discovery_profile_url' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_discovery_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_discovery"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_get_endpoints_locale_id") {
+ #############################################################################################################################
+ # opcua_binary_get_endpoints_locale_id.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_get_endpoints_locale_id"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][locale_link_id]} %{[zeek_cols][locale_id]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_get_endpoints_locale_id"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_get_endpoints_locale_id"
+ init => "@zeek_opcua_binary_get_endpoints_locale_id_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'locale_link_id', 'locale_id' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_locale_id_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_locale_id"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_get_endpoints_profile_uri") {
+ #############################################################################################################################
+ # opcua_binary_get_endpoints_profile_uri.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_get_endpoints_profile_uri"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][profile_uri_link_id]} %{[zeek_cols][profile_uri]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_get_endpoints_profile_uri"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_get_endpoints_profile_uri"
+ init => "@zeek_opcua_binary_get_endpoints_profile_uri_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'profile_uri_link_id', 'profile_uri' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_profile_uri_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_profile_uri"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_get_endpoints_user_token") {
+ #############################################################################################################################
+ # opcua_binary_get_endpoints_user_token.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_get_endpoints_user_token"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][user_token_policy_id]} %{[zeek_cols][user_token_type]} %{[zeek_cols][user_token_issued_type]} %{[zeek_cols][user_token_endpoint_url]} %{[zeek_cols][user_token_sec_policy_uri]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_get_endpoints_user_token"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_get_endpoints_user_token"
+ init => "@zeek_opcua_binary_get_endpoints_user_token_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'user_token_link_id', 'user_token_policy_id', 'user_token_type', 'user_token_issued_type', 'user_token_endpoint_url', 'user_token_sec_policy_uri' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_user_token_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_user_token"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_event_filter_literal_operand") {
+ #############################################################################################################################
+ # opcua_binary_event_filter_literal_operand.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_event_filter_literal_operand"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][literal_operand_variant_link]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_event_filter_literal_operand"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_event_filter_literal_operand"
+ init => "@zeek_opcua_binary_event_filter_literal_operand_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_filter_operand_link_id', 'literal_operand_variant_link' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_literal_operand_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_event_filter_literal_operand"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_opensecure_channel") {
+ #############################################################################################################################
+ # opcua_binary_opensecure_channel.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_opensecure_channel"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][client_proto_ver]} %{[zeek_cols][sec_token_request_type]} %{[zeek_cols][message_security_mode]} %{[zeek_cols][client_nonce]} %{[zeek_cols][req_lifetime]} %{[zeek_cols][server_proto_ver]} %{[zeek_cols][sec_token_sec_channel_id]} %{[zeek_cols][sec_token_id]} %{[zeek_cols][sec_token_created_at]} %{[zeek_cols][sec_token_revised_time]} %{[zeek_cols][server_nonce]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_opensecure_channel"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_opensecure_channel"
+ init => "@zeek_opcua_binary_opensecure_channel_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'client_proto_ver', 'sec_token_request_type', 'message_security_mode', 'client_nonce', 'req_lifetime', 'server_proto_ver', 'sec_token_sec_channel_id', 'sec_token_id', 'sec_token_created_at', 'sec_token_revised_time', 'server_nonce' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_opensecure_channel_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_opensecure_channel"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_read") {
+ #############################################################################################################################
+ # opcua_binary_read.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_read"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][max_age]} %{[zeek_cols][timestamps_to_return]} %{[zeek_cols][timestamps_to_return_str]} %{[zeek_cols][nodes_to_read_link_id]} %{[zeek_cols][read_results_link_id]} %{[zeek_cols][diag_info_link_id]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_read"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_read"
+ init => "@zeek_opcua_binary_read_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'max_age', 'timestamps_to_return', 'timestamps_to_return_str', 'nodes_to_read_link_id', 'read_results_link_id', 'diag_info_link_id' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_read_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_read"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_read_nodes_to_read") {
+ #############################################################################################################################
+ # opcua_binary_read_nodes_to_read.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_read_nodes_to_read"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][nodes_to_read_link_id]} %{[zeek_cols][node_id_encoding_mask]} %{[zeek_cols][node_id_namespace_idx]} %{[zeek_cols][node_id_numeric]} %{[zeek_cols][node_id_string]} %{[zeek_cols][node_id_guid]} %{[zeek_cols][node_id_opaque]} %{[zeek_cols][attribute_id]} %{[zeek_cols][attribute_id_str]} %{[zeek_cols][index_range]} %{[zeek_cols][data_encoding_name_idx]} %{[zeek_cols][data_encoding_name]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_read_nodes_to_read"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_read_nodes_to_read"
+ init => "@zeek_opcua_binary_read_nodes_to_read_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'nodes_to_read_link_id', 'node_id_encoding_mask', 'node_id_namespace_idx', 'node_id_numeric', 'node_id_string', 'node_id_guid', 'node_id_opaque', 'attribute_id', 'attribute_id_str', 'index_range', 'data_encoding_name_idx', 'data_encoding_name' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_read_nodes_to_read_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_read_nodes_to_read"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_read_results") {
+ #############################################################################################################################
+ # opcua_binary_read_results.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_read_results"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][results_link_id]} %{[zeek_cols][level]} %{[zeek_cols][data_value_encoding_mask]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][source_timestamp]} %{[zeek_cols][source_pico_sec]} %{[zeek_cols][server_timestamp]} %{[zeek_cols][server_pico_sec]} %{[zeek_cols][read_results_variant_metadata_link_id]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_read_results"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_read_results"
+ init => "@zeek_opcua_binary_read_results_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'results_link_id', 'level', 'data_value_encoding_mask', 'status_code_link_id', 'source_timestamp', 'source_pico_sec', 'server_timestamp', 'server_pico_sec', 'read_results_variant_metadata_link_id' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_read_results_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_read_results"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_event_filter_select_clause") {
+ #############################################################################################################################
+ # opcua_binary_event_filter_select_clause.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_event_filter_select_clause"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][select_clause_link_id]} %{[zeek_cols][type_id_encoding_mask]} %{[zeek_cols][type_id_namespace_idx]} %{[zeek_cols][type_id_numeric]} %{[zeek_cols][type_id_string]} %{[zeek_cols][type_id_guid]} %{[zeek_cols][type_id_opaque]} %{[zeek_cols][simple_attribute_operand_browse_path_link_id]} %{[zeek_cols][attribute_id]} %{[zeek_cols][index_range]} %{[zeek_cols][select_clause_status_code_link_id]} %{[zeek_cols][select_clause_diagnostic_info_link_id]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_event_filter_select_clause"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_event_filter_select_clause"
+ init => "@zeek_opcua_binary_event_filter_select_clause_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'select_clause_link_id', 'type_id_encoding_mask', 'type_id_namespace_idx', 'type_id_numeric', 'type_id_string', 'type_id_guid', 'type_id_opaque', 'simple_attribute_operand_browse_path_link_id', 'attribute_id', 'index_range', 'select_clause_status_code_link_id', 'select_clause_diagnostic_info_link_id' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_select_clause_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_event_filter_select_clause"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_event_filter_simple_attribute_operand") {
+ #############################################################################################################################
+ # opcua_binary_event_filter_simple_attribute_operand.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_event_filter_simple_attribute_operand"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][type_id_encoding_mask]} %{[zeek_cols][type_id_namespace_idx]} %{[zeek_cols][type_id_numeric]} %{[zeek_cols][type_id_string]} %{[zeek_cols][type_id_guid]} %{[zeek_cols][type_id_opaque]} %{[zeek_cols][simple_attribute_operand_browse_path_link_id]} %{[zeek_cols][attribute_id]} %{[zeek_cols][index_range]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_event_filter_simple_attribute_operand"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_event_filter_simple_attribute_operand"
+ init => "@zeek_opcua_binary_event_filter_simple_attribute_operand_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_filter_operand_link_id', 'type_id_encoding_mask', 'type_id_namespace_idx', 'type_id_numeric', 'type_id_string', 'type_id_guid', 'type_id_opaque', 'simple_attribute_operand_browse_path_link_id', 'attribute_id', 'index_range' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_simple_attribute_operand_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_event_filter_simple_attribute_operand"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_event_filter_simple_attribute_operand_browse_paths") {
+ #############################################################################################################################
+ # opcua_binary_event_filter_simple_attribute_operand_browse_paths.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][simple_attribute_operand_browse_path_link_id]} %{[zeek_cols][browse_path_src]} %{[zeek_cols][namespace_index]} %{[zeek_cols][name]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths"
+ init => "@zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'simple_attribute_operand_browse_path_link_id', 'browse_path_src', 'namespace_index', 'name' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_status_code_detail") {
+ #############################################################################################################################
+ # opcua_binary_status_code_detail.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_status_code_detail"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][source]} %{[zeek_cols][source_str]} %{[zeek_cols][source_level]} %{[zeek_cols][status_code]} %{[zeek_cols][severity]} %{[zeek_cols][severity_str]} %{[zeek_cols][sub_code]} %{[zeek_cols][sub_code_str]} %{[zeek_cols][structure_changed]} %{[zeek_cols][semantics_changed]} %{[zeek_cols][info_type]} %{[zeek_cols][info_type_str]} %{[zeek_cols][limit_bits]} %{[zeek_cols][limit_bits_str]} %{[zeek_cols][overflow]} %{[zeek_cols][historian_bits]} %{[zeek_cols][historian_bits_str]} %{[zeek_cols][historianpartial]} %{[zeek_cols][historianextradata]} %{[zeek_cols][historianmultivalue]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_status_code_detail"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_status_code_detail"
+ init => "@zeek_opcua_binary_status_code_detail_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'status_code_link_id', 'source', 'source_str', 'source_level', 'status_code', 'severity', 'severity_str', 'sub_code', 'sub_code_str', 'structure_changed', 'semantics_changed', 'info_type', 'info_type_str', 'limit_bits', 'limit_bits_str', 'overflow', 'historian_bits', 'historian_bits_str', 'historianpartial', 'historianextradata', 'historianmultivalue' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_status_code_detail_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_status_code_detail"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_variant_array_dims") {
+ #############################################################################################################################
+ # opcua_binary_variant_array_dims.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_variant_array_dims"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][array_dim_link_id]} %{[zeek_cols][dimension]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_variant_array_dims"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_variant_array_dims"
+ init => "@zeek_opcua_binary_variant_array_dims_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'array_dim_link_id', 'dimension' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_array_dims_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_variant_array_dims"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_variant_data") {
+ #############################################################################################################################
+ # opcua_binary_variant_data.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_variant_data"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][variant_data_link_id]} %{[zeek_cols][variant_data_value_signed_numeric]} %{[zeek_cols][variant_data_value_unsigned_numeric]} %{[zeek_cols][variant_data_value_string]} %{[zeek_cols][variant_data_node_id_encoding_mask]} %{[zeek_cols][variant_data_node_id_namespace_idx]} %{[zeek_cols][variant_data_node_id_numeric]} %{[zeek_cols][variant_data_node_id_string]} %{[zeek_cols][variant_data_node_id_guid]} %{[zeek_cols][variant_data_node_id_opaque]} %{[zeek_cols][variant_data_node_id_namespace_uri]} %{[zeek_cols][variant_data_node_id_server_idx]} %{[zeek_cols][variant_data_value_time]} %{[zeek_cols][variant_data_encoding_name_idx]} %{[zeek_cols][variant_data_encoding_name]} %{[zeek_cols][variant_data_mask]} %{[zeek_cols][variant_data_locale]} %{[zeek_cols][variant_data_text]} %{[zeek_cols][variant_data_value_decimal]} %{[zeek_cols][variant_data_status_code_link_id]} %{[zeek_cols][variant_data_diag_info_link_id]} %{[zeek_cols][variant_data_ext_obj_link_id]} %{[zeek_cols][variant_metadata_data_link_id]} %{[zeek_cols][variant_data_value_link_id]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_variant_data"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_variant_data"
+ init => "@zeek_opcua_binary_variant_data_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'variant_data_link_id', 'variant_data_value_signed_numeric', 'variant_data_value_unsigned_numeric', 'variant_data_value_string', 'variant_data_node_id_encoding_mask', 'variant_data_node_id_namespace_idx', 'variant_data_node_id_numeric', 'variant_data_node_id_string', 'variant_data_node_id_guid', 'variant_data_node_id_opaque', 'variant_data_node_id_namespace_uri', 'variant_data_node_id_server_idx', 'variant_data_value_time', 'variant_data_encoding_name_idx', 'variant_data_encoding_name', 'variant_data_mask', 'variant_data_locale', 'variant_data_text', 'variant_data_value_decimal', 'variant_data_status_code_link_id', 'variant_data_diag_info_link_id', 'variant_data_ext_obj_link_id', 'variant_metadata_data_link_id', 'variant_data_value_link_id' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_data_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_variant_data"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_variant_data_value") {
+ #############################################################################################################################
+ # opcua_binary_variant_data_value.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_variant_data_value"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][variant_data_value_source_link]} %{[zeek_cols][data_value_encoding_mask]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][source_timestamp]} %{[zeek_cols][source_pico_sec]} %{[zeek_cols][server_timestamp]} %{[zeek_cols][server_pico_sec]} %{[zeek_cols][variant_metadata_link_id]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_variant_data_value"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_variant_data_value"
+ init => "@zeek_opcua_binary_variant_data_value_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'variant_data_value_source_link', 'data_value_encoding_mask', 'status_code_link_id', 'source_timestamp', 'source_pico_sec', 'server_timestamp', 'server_pico_sec', 'variant_metadata_link_id' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_data_value_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_variant_data_value"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_variant_extension_object") {
+ #############################################################################################################################
+ # opcua_binary_variant_extension_object.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_variant_extension_object"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ext_obj_link_id]} %{[zeek_cols][ext_obj_node_id_encoding_mask]} %{[zeek_cols][ext_obj_node_id_namespace_idx]} %{[zeek_cols][ext_obj_node_id_numeric]} %{[zeek_cols][ext_obj_node_id_string]} %{[zeek_cols][ext_obj_node_id_guid]} %{[zeek_cols][ext_obj_node_id_opaque]} %{[zeek_cols][ext_obj_type_id_str]} %{[zeek_cols][ext_obj_encoding]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_variant_extension_object"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_variant_extension_object"
+ init => "@zeek_opcua_binary_variant_extension_object_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'ext_obj_link_id', 'ext_obj_node_id_encoding_mask', 'ext_obj_node_id_namespace_idx', 'ext_obj_node_id_numeric', 'ext_obj_node_id_string', 'ext_obj_node_id_guid', 'ext_obj_node_id_opaque', 'ext_obj_type_id_str', 'ext_obj_encoding' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_extension_object_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_variant_extension_object"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_variant_metadata") {
+ #############################################################################################################################
+ # opcua_binary_variant_metadata.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_variant_metadata"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][variant_source_data_link_id]} %{[zeek_cols][variant_data_source]} %{[zeek_cols][variant_data_source_str]} %{[zeek_cols][dara_variant_encoding_mask]} %{[zeek_cols][data_variant_data_type]} %{[zeek_cols][data_variant_data_type_str]} %{[zeek_cols][built_in_data_type]} %{[zeek_cols][built_in_data_type_str]} %{[zeek_cols][variant_data_link_id]} %{[zeek_cols][variant_data_array_dim]} %{[zeek_cols][variant_data_array_multi_dim_link_id]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_variant_metadata"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_variant_metadata"
+ init => "@zeek_opcua_binary_variant_metadata_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'variant_source_data_link_id', 'variant_data_source', 'variant_data_source_str', 'dara_variant_encoding_mask', 'data_variant_data_type', 'data_variant_data_type_str', 'built_in_data_type', 'built_in_data_type_str', 'variant_data_link_id', 'variant_data_array_dim', 'variant_data_array_multi_dim_link_id' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_metadata_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_variant_metadata"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else {
+ # some other unknown zeek opcua- log file. should start with ts at least!
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ csv {
+ id => "csv_zeek_unknown_opcua"
+ columns => ["ts"]
+ separator => " "
+ # there's no way to *disable* the csv quote char, so set it to something we'll never see
+ quote_char => ""
+
+ target => "[zeek_cols]"
+ }
+ }
+
+ mutate { id => "mutate_add_tag_zeek_unknown_opcua"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "_unknown_log_type" ]
+ }
+
+ } # if / else if for opcua log types
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1044_zeek_ospf.conf b/logstash/pipelines/zeek/1044_zeek_ospf.conf
new file mode 100644
index 000000000..462bb4979
--- /dev/null
+++ b/logstash/pipelines/zeek/1044_zeek_ospf.conf
@@ -0,0 +1,59 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "ospf") {
+ #############################################################################################################################
+ # ospf.log
+ # https://github.com/corelight/zeek-spicy-ospf
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_ospf_fields"
+ rename => { "[zeek_cols][ip_dst]" => "[zeek_cols][orig_h]" }
+ rename => { "[zeek_cols][ip_src]" => "[zeek_cols][resp_h]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_ospf"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][resp_h]} %{[zeek_cols][ospf_type]} %{[zeek_cols][version]} %{[zeek_cols][router_id]} %{[zeek_cols][area_id]} %{[zeek_cols][interface_id]} %{[zeek_cols][netmask]} %{[zeek_cols][desig_router]} %{[zeek_cols][backup_router]} %{[zeek_cols][neighbors]} %{[zeek_cols][lsa_type]} %{[zeek_cols][link_state_id]} %{[zeek_cols][advert_router]} %{[zeek_cols][routers]} %{[zeek_cols][link_id]} %{[zeek_cols][link_data]} %{[zeek_cols][link_type]} %{[zeek_cols][neighbor_router_id]} %{[zeek_cols][metrics]} %{[zeek_cols][fwd_addrs]} %{[zeek_cols][route_tags]} %{[zeek_cols][neighbor_interface_id]} %{[zeek_cols][prefix]} %{[zeek_cols][metric]} %{[zeek_cols][dest_router_id]} %{[zeek_cols][link_prefixes]} %{[zeek_cols][intra_prefixes]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_ospf"
+ split => { "[message]" => " " }
+ }
+
+ ruby {
+ id => "ruby_zip_zeek_ospf"
+ init => "@zeek_ospf_field_names = [ 'ts', 'orig_h', 'resp_h', 'ospf_type', 'version', 'router_id', 'area_id', 'interface_id', 'netmask', 'desig_router', 'backup_router', 'neighbors', 'lsa_type', 'link_state_id', 'advert_router', 'routers', 'link_id', 'link_data', 'link_type', 'neighbor_router_id', 'metrics', 'fwd_addrs', 'route_tags', 'neighbor_interface_id', 'prefix', 'metric', 'dest_router_id', 'link_prefixes', 'intra_prefixes' ]"
+ code => "event.set('[zeek_cols]', @zeek_ospf_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_zeek_ospf_commas"
+ split => { "[zeek_cols][neighbors]" => ","
+ "[zeek_cols][routers]" => ","
+ "[zeek_cols][metrics]" => ","
+ "[zeek_cols][fwd_addrs]" => ","
+ "[zeek_cols][route_tags]" => ","
+ "[zeek_cols][link_prefixes]" => ","
+ "[zeek_cols][intra_prefixes]" => "," } }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_ospf"
+ add_field => {
+ "[zeek_cols][proto]" => "ospf"
+ "[zeek_cols][service]" => "ospf"
+ }
+ }
+
+ }
+
+} # end Filter
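Review bot: In `mutate_rename_zeek_json_ospf_fields` the JSON branch renames `ip_dst` to `orig_h` and `ip_src` to `resp_h`, the reverse of the usual source-becomes-originator mapping; if the TSV column order is `ts ip_src ip_dst …` as the `orig_h resp_h` positions in `dissect_zeek_ospf` suggest, the two branches of this block will label direction oppositely depending on whether Zeek emitted JSON or TSV. If the inversion is deliberate a comment should say so; otherwise swap the pair to `rename => { "[zeek_cols][ip_src]" => "[zeek_cols][orig_h]" }` and `rename => { "[zeek_cols][ip_dst]" => "[zeek_cols][resp_h]" }`. Worth confirming against the corelight script's column order before changing, since these fields feed originator/responder enrichment for routing-protocol traffic.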
diff --git a/logstash/pipelines/zeek/1045_zeek_pe.conf b/logstash/pipelines/zeek/1045_zeek_pe.conf
new file mode 100644
index 000000000..992c6829d
--- /dev/null
+++ b/logstash/pipelines/zeek/1045_zeek_pe.conf
@@ -0,0 +1,43 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "pe") {
+ #############################################################################################################################
+ # pe.log
+ # https://docs.zeek.org/en/stable/scripts/base/files/pe/main.zeek.html#type-PE::Info
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_pe_fields"
+ rename => { "[zeek_cols][id]" => "[zeek_cols][fuid]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_pe"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][fuid]} %{[zeek_cols][machine]} %{[zeek_cols][compile_ts]} %{[zeek_cols][os]} %{[zeek_cols][subsystem]} %{[zeek_cols][is_exe]} %{[zeek_cols][is_64bit]} %{[zeek_cols][uses_aslr]} %{[zeek_cols][uses_dep]} %{[zeek_cols][uses_code_integrity]} %{[zeek_cols][uses_seh]} %{[zeek_cols][has_import_table]} %{[zeek_cols][has_export_table]} %{[zeek_cols][has_cert_table]} %{[zeek_cols][has_debug_data]} %{[zeek_cols][section_names]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_pe"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_pe"
+ init => "@zeek_pe_field_names = [ 'ts', 'fuid', 'machine', 'compile_ts', 'os', 'subsystem', 'is_exe', 'is_64bit', 'uses_aslr', 'uses_dep', 'uses_code_integrity', 'uses_seh', 'has_import_table', 'has_export_table', 'has_cert_table', 'has_debug_data', 'section_names' ]"
+ code => "event.set('[zeek_cols]', @zeek_pe_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_zeek_pe_section_names"
+ split => { "[zeek_cols][section_names]" => "," } }
+ }
+
+ }
+
+} # end Filter
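Review bot: `mutate_split_zeek_pe_section_names` is collapsed onto two lines with `id =>` on the opening brace, unlike every other mutate in this file, which places `id =>` and `split =>` on their own lines; expanding it to the same multi-line form keeps the file consistent and grep/diff friendly. A smaller point: when `dissect_zeek_pe` fails and `ruby_zip_zeek_pe` repopulates `[zeek_cols]`, the event still carries the `_dissectfailure` tag, so unless a later stage strips it (not visible here) successfully parsed events remain tagged as failures — either a `remove_tag => [ "_dissectfailure" ]` on the fallback path or a comment stating it is cleared downstream would make the intent explicit.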
diff --git a/logstash/pipelines/zeek/1046_zeek_profinet.conf b/logstash/pipelines/zeek/1046_zeek_profinet.conf
new file mode 100644
index 000000000..f823d9a6e
--- /dev/null
+++ b/logstash/pipelines/zeek/1046_zeek_profinet.conf
@@ -0,0 +1,112 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "profinet") {
+ #############################################################################################################################
+ # profinet.log
+ # https://github.com/amzn/zeek-plugin-profinet/blob/master/scripts/main.zeek
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_profinet"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][operation_type]} %{[zeek_cols][block_version]} %{[zeek_cols][slot_number]} %{[zeek_cols][subslot_number]} %{[zeek_cols][index]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_profinet"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_profinet"
+ init => "@zeek_profinet_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'operation_type', 'block_version', 'slot_number', 'subslot_number', 'index' ]"
+ code => "event.set('[zeek_cols]', @zeek_profinet_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_profinet"
+ add_field => { "[zeek_cols][service]" => "profinet" }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "profinet_dce_rpc") {
+ #############################################################################################################################
+ # profinet_dce_rpc.log
+ # https://github.com/amzn/zeek-plugin-profinet/blob/master/scripts/main.zeek
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_profinet_dce_rpc"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][packet_type]} %{[zeek_cols][object_uuid]} %{[zeek_cols][interface_uuid]} %{[zeek_cols][activity_uuid]} %{[zeek_cols][server_boot_time]} %{[zeek_cols][operation]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_profinet_dce_rpc"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_profinet_dce_rpc"
+ init => "@zeek_profinet_dce_rpc_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'packet_type', 'object_uuid', 'interface_uuid', 'activity_uuid', 'server_boot_time', 'operation' ]"
+ code => "event.set('[zeek_cols]', @zeek_profinet_dce_rpc_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_profinet_dce_rpc"
+ add_field => { "[zeek_cols][service]" => "profinet_dce_rpc" }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "profinet_io_cm") {
+ #############################################################################################################################
+ # profinet_io_cm.log
+ # https://github.com/cisagov/icsnpp-profinet-io-cm
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_profinet_io_cm_fields"
+ rename => { "[zeek_cols][array_of_sel_ack]" => "[zeek_cols][sel_ack]" }
+ rename => { "[zeek_cols][operation_num]" => "[zeek_cols][operation]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_profinet_io_cm"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][rpc_version]} %{[zeek_cols][packet_type]} %{[zeek_cols][reserved_for_impl_1]} %{[zeek_cols][last_fragment]} %{[zeek_cols][fragment]} %{[zeek_cols][no_fragment_requested]} %{[zeek_cols][maybe]} %{[zeek_cols][idempotent]} %{[zeek_cols][broadcast]} %{[zeek_cols][reserved_for_impl_2]} %{[zeek_cols][cancel_was_pending_at_call_end]} %{[zeek_cols][integer_encoding]} %{[zeek_cols][character_encoding]} %{[zeek_cols][floating_point_encoding]} %{[zeek_cols][serial_high]} %{[zeek_cols][object_uuid]} %{[zeek_cols][interface_uuid]} %{[zeek_cols][activity_uuid]} %{[zeek_cols][server_boot_time]} %{[zeek_cols][interface_vers_major]} %{[zeek_cols][interface_vers_minor]} %{[zeek_cols][sequence_num]} %{[zeek_cols][operation]} %{[zeek_cols][interface_hint]} %{[zeek_cols][activity_hint]} %{[zeek_cols][len_of_body]} %{[zeek_cols][fragment_num]} %{[zeek_cols][auth_protocol]} %{[zeek_cols][serial_low]} %{[zeek_cols][vers_fack]} %{[zeek_cols][window_size]} %{[zeek_cols][max_tsdu]} %{[zeek_cols][max_frag_size]} %{[zeek_cols][serial_number]} %{[zeek_cols][sel_ack_len]} %{[zeek_cols][sel_ack]}"
+ }
+ }
+
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_profinet_io_cm"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_profinet_io_cm"
+ init => "$zeek_profinet_io_cm_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'rpc_version', 'packet_type', 'reserved_for_impl_1', 'last_fragment', 'fragment', 'no_fragment_requested', 'maybe', 'idempotent', 'broadcast', 'reserved_for_impl_2', 'cancel_was_pending_at_call_end', 'integer_encoding', 'character_encoding', 'floating_point_encoding', 'serial_high', 'object_uuid', 'interface_uuid', 'activity_uuid', 'server_boot_time', 'interface_vers_major', 'interface_vers_minor', 'sequence_num', 'operation', 'interface_hint', 'activity_hint', 'len_of_body', 'fragment_num', 'auth_protocol', 'serial_low', 'vers_fack', 'window_size', 'max_tsdu', 'max_frag_size', 'serial_number', 'sel_ack_len', 'sel_ack' ]"
+ code => "event.set('[zeek_cols]', $zeek_profinet_io_cm_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_zeek_profinet_io_cm_commas"
+ split => { "[zeek_cols][sel_ack]" => "," } }
+ }
+
+ mutate {
+ id => "mutate_add_ics_tag_zeek_profinet_io_cm"
+ add_tag => [ "ics" ]
+ }
+
+ }
+
+} # end Filter
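Review bot: `ruby_zip_zeek_profinet_io_cm` keeps its field list in a Ruby global (`$zeek_profinet_io_cm_field_names`) whereas every other ruby filter in this file uses an instance variable; a global is shared across all ruby filter instances in the pipeline rather than scoped to this plugin, so it should be `@zeek_profinet_io_cm_field_names` in both `init` and `code` for isolation and consistency. Separately, unlike the `profinet` and `profinet_dce_rpc` branches, `profinet_io_cm` sets no `[zeek_cols][service]` — if that is because the log's own `proto` column is expected to drive classification downstream, a one-line comment saying so would help; otherwise add `"[zeek_cols][service]" => "profinet_io_cm"` next to the `ics` tag in `mutate_add_ics_tag_zeek_profinet_io_cm`.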
diff --git a/logstash/pipelines/zeek/1047_zeek_radius.conf b/logstash/pipelines/zeek/1047_zeek_radius.conf
new file mode 100644
index 000000000..8164bdcd2
--- /dev/null
+++ b/logstash/pipelines/zeek/1047_zeek_radius.conf
@@ -0,0 +1,46 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "radius") {
+ #############################################################################################################################
+ # radius.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/radius/main.zeek.html#type-RADIUS::Info
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_radius_fields"
+ rename => { "[zeek_cols][username]" => "[zeek_cols][user]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_radius"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user]} %{[zeek_cols][mac]} %{[zeek_cols][framed_addr]} %{[zeek_cols][tunnel_client]} %{[zeek_cols][connect_info]} %{[zeek_cols][reply_msg]} %{[zeek_cols][result]} %{[zeek_cols][ttl]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_radius"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_radius"
+ init => "@zeek_radius_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'user', 'mac', 'framed_addr', 'tunnel_client', 'connect_info', 'reply_msg', 'result', 'ttl' ]"
+ code => "event.set('[zeek_cols]', @zeek_radius_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_radius"
+ add_field => { "[zeek_cols][service]" => "radius" }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1048_zeek_rdp.conf b/logstash/pipelines/zeek/1048_zeek_rdp.conf
new file mode 100644
index 000000000..c773b9962
--- /dev/null
+++ b/logstash/pipelines/zeek/1048_zeek_rdp.conf
@@ -0,0 +1,46 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "rdp") {
+ #############################################################################################################################
+ # rdp.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/rdp/main.zeek.html#type-RDP::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_rdp_with_all_fields"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][cookie]} %{[zeek_cols][result]} %{[zeek_cols][security_protocol]} %{[zeek_cols][client_channels]} %{[zeek_cols][keyboard_layout]} %{[zeek_cols][client_build]} %{[zeek_cols][client_name]} %{[zeek_cols][client_dig_product_id]} %{[zeek_cols][desktop_width]} %{[zeek_cols][desktop_height]} %{[zeek_cols][requested_color_depth]} %{[zeek_cols][cert_type]} %{[zeek_cols][cert_count]} %{[zeek_cols][cert_permanent]} %{[zeek_cols][encryption_level]} %{[zeek_cols][encryption_method]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_rdp"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_rdp"
+ init => "@zeek_rdp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'cookie', 'result', 'security_protocol', 'client_channels', 'keyboard_layout', 'client_build', 'client_name', 'client_dig_product_id', 'desktop_width', 'desktop_height', 'requested_color_depth', 'cert_type', 'cert_count', 'cert_permanent', 'encryption_level', 'encryption_method' ]"
+ code => "event.set('[zeek_cols]', @zeek_rdp_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_zeek_rdp_client_channels"
+ split => { "[zeek_cols][client_channels]" => "," } }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_rdp"
+ add_field => { "[zeek_cols][service]" => "rdp" }
+ }
+
+ # remove RDP prefix from client_build (version)
+ mutate { id => "mutate_gsub_field_zeek_rdp_client_build"
+ gsub => [ "[zeek_cols][client_build]", "^RDP ", "" ] }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1049_zeek_rfb.conf b/logstash/pipelines/zeek/1049_zeek_rfb.conf
new file mode 100644
index 000000000..e65d628fc
--- /dev/null
+++ b/logstash/pipelines/zeek/1049_zeek_rfb.conf
@@ -0,0 +1,39 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+ if ([log_source] == "rfb") {
+ #############################################################################################################################
+ # rfb.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/rfb/main.zeek.html#type-RFB::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_rfb"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][client_major_version]} %{[zeek_cols][client_minor_version]} %{[zeek_cols][server_major_version]} %{[zeek_cols][server_minor_version]} %{[zeek_cols][authentication_method]} %{[zeek_cols][auth]} %{[zeek_cols][share_flag]} %{[zeek_cols][desktop_name]} %{[zeek_cols][width]} %{[zeek_cols][height]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_rfb"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_rfb"
+ init => "@zeek_rfb_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'client_major_version', 'client_minor_version', 'server_major_version', 'server_minor_version', 'authentication_method', 'auth', 'share_flag', 'desktop_name', 'width', 'height' ]"
+ code => "event.set('[zeek_cols]', @zeek_rfb_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_rfb"
+ add_field => { "[zeek_cols][service]" => "rfb" }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1050_zeek_s7comm.conf b/logstash/pipelines/zeek/1050_zeek_s7comm.conf
new file mode 100644
index 000000000..4b808b194
--- /dev/null
+++ b/logstash/pipelines/zeek/1050_zeek_s7comm.conf
@@ -0,0 +1,186 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "cotp") {
+ #############################################################################################################################
+ # cotp.log
+ # https://github.com/cisagov/icsnpp-s7comm
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_cotp"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][pdu_code]} %{[zeek_cols][pdu_name]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_cotp"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_cotp"
+ init => "@zeek_cotp_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'pdu_code', 'pdu_name' ]"
+ code => "event.set('[zeek_cols]', @zeek_cotp_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_cotp"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "cotp"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "s7comm") {
+ #############################################################################################################################
+ # s7comm.log
+ # https://github.com/cisagov/icsnpp-s7comm
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_s7comm"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][rosctr_code]} %{[zeek_cols][rosctr_name]} %{[zeek_cols][pdu_reference]} %{[zeek_cols][function_code]} %{[zeek_cols][function_name]} %{[zeek_cols][subfunction_code]} %{[zeek_cols][subfunction_name]} %{[zeek_cols][error_class]} %{[zeek_cols][error_code]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_s7comm"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_s7comm"
+ init => "@zeek_s7comm_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'rosctr_code', 'rosctr_name', 'pdu_reference', 'function_code', 'function_name', 'subfunction_code', 'subfunction_name', 'error_class', 'error_code' ]"
+ code => "event.set('[zeek_cols]', @zeek_s7comm_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_s7comm"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "s7comm"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "s7comm_plus") {
+ #############################################################################################################################
+ # s7comm_plus.log
+ # https://github.com/cisagov/icsnpp-s7comm
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_s7comm_plus"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][opcode]} %{[zeek_cols][opcode_name]} %{[zeek_cols][function_code]} %{[zeek_cols][function_name]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_s7comm_plus"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_s7comm_plus"
+ init => "@zeek_s7comm_plus_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'opcode', 'opcode_name', 'function_code', 'function_name' ]"
+ code => "event.set('[zeek_cols]', @zeek_s7comm_plus_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_s7comm_plus"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "s7comm_plus"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "s7comm_read_szl") {
+ #############################################################################################################################
+ # s7comm_read_szl.log
+ # https://github.com/cisagov/icsnpp-s7comm
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_s7comm_read_szl"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][pdu_reference]} %{[zeek_cols][method]} %{[zeek_cols][szl_id]} %{[zeek_cols][szl_id_name]} %{[zeek_cols][szl_index]} %{[zeek_cols][return_code]} %{[zeek_cols][return_code_name]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_s7comm_read_szl"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_s7comm_read_szl"
+ init => "@zeek_s7comm_read_szl_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'pdu_reference', 'method', 'szl_id', 'szl_id_name', 'szl_index', 'return_code', 'return_code_name' ]"
+ code => "event.set('[zeek_cols]', @zeek_s7comm_read_szl_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_s7comm_read_szl"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "s7comm"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "s7comm_upload_download") {
+ #############################################################################################################################
+ # s7comm_upload_download.log
+ # https://github.com/cisagov/icsnpp-s7comm
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_s7comm_upload_download_fields"
+ rename => { "[zeek_cols][rosctr]" => "[zeek_cols][rosctr_name]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_s7comm_upload_download"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][rosctr_name]} %{[zeek_cols][pdu_reference]} %{[zeek_cols][function_name]} %{[zeek_cols][function_status]} %{[zeek_cols][session_id]} %{[zeek_cols][blocklength]} %{[zeek_cols][filename]} %{[zeek_cols][block_type]} %{[zeek_cols][block_number]} %{[zeek_cols][destination_filesystem]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_s7comm_upload_download"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_s7comm_upload_download"
+ init => "@zeek_s7comm_upload_download_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'rosctr_name', 'pdu_reference', 'function_name', 'function_status', 'session_id', 'blocklength', 'filename', 'block_type', 'block_number', 'destination_filesystem' ]"
+ code => "event.set('[zeek_cols]', @zeek_s7comm_upload_download_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_s7comm_upload_download"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "s7comm"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ }
+
+} # end Filter
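Review bot: The service value is not explained where it diverges between sibling logs: `mutate_add_fields_zeek_s7comm_read_szl` and `mutate_add_fields_zeek_s7comm_upload_download` both set `[zeek_cols][service]` to `"s7comm"`, while `mutate_add_fields_zeek_s7comm_plus` gets its own `"s7comm_plus"` and cotp gets `"cotp"`. If read_szl and upload_download are meant to be sub-logs of the same S7comm protocol, a one-line comment above each of those two add_field blocks would keep a later reader from "correcting" it, e.g. `# s7comm_read_szl is a sub-log of s7comm, so it shares the s7comm service value`. If the sharing is not intentional, the two values should be made distinct to match the one-service-per-log pattern the rest of the file follows.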
diff --git a/logstash/pipelines/zeek/1051_zeek_signatures.conf b/logstash/pipelines/zeek/1051_zeek_signatures.conf
new file mode 100644
index 000000000..4f6a20441
--- /dev/null
+++ b/logstash/pipelines/zeek/1051_zeek_signatures.conf
@@ -0,0 +1,40 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "signatures") {
+ #############################################################################################################################
+ # signatures.log
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_signatures"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][note]} %{[zeek_cols][signature_id]} %{[zeek_cols][event_message]} %{[zeek_cols][sub_message]} %{[zeek_cols][signature_count]} %{[zeek_cols][host_count]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_signatures"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_signatures"
+ init => "@zeek_signatures_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'note', 'signature_id', 'event_message', 'sub_message', 'signature_count', 'host_count' ]"
+ code => "event.set('[zeek_cols]', @zeek_signatures_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ if ("_carved" in [tags]) {
+ # Malcolm does some "special" stuff in zeek_carve_logger.py for file carving, sort of hijacking signatures.log for it:
+ # - _carved signature logs' sub_message contains fuid(s) comma-separated
+ mutate { id => "mutate_split_zeek_signatures_sub_message"
+ split => { "[zeek_cols][sub_message]" => "," } }
+ }
+ }
+
+ }
+
+} # end Filter
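Review bot: The `_carved` handling (`mutate_split_zeek_signatures_sub_message`) is nested inside the `"_jsonparsesuccess" not in [tags]` block, so a carved signatures record that arrived as JSON would keep `sub_message` as one comma-joined string instead of the list the comment describes. If zeek_carve_logger.py only ever writes text lines this is fine and worth saying, e.g. `# carved signature records are never JSON, so the split only needs to live on the text path`; otherwise the `if ("_carved" in [tags])` block should move out of that guard so it runs on both paths. Only the placement is in question; the split itself matches what the comment says about sub_message.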
diff --git a/logstash/pipelines/zeek/1052_zeek_sip.conf b/logstash/pipelines/zeek/1052_zeek_sip.conf
new file mode 100644
index 000000000..fc49f7c33
--- /dev/null
+++ b/logstash/pipelines/zeek/1052_zeek_sip.conf
@@ -0,0 +1,43 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "sip") {
+ #############################################################################################################################
+ # sip.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/sip/main.zeek.html#type-SIP::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_sip"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][method]} %{[zeek_cols][uri]} %{[zeek_cols][date]} %{[zeek_cols][request_from]} %{[zeek_cols][request_to]} %{[zeek_cols][response_from]} %{[zeek_cols][response_to]} %{[zeek_cols][reply_to]} %{[zeek_cols][call_id]} %{[zeek_cols][seq]} %{[zeek_cols][subject]} %{[zeek_cols][request_path]} %{[zeek_cols][response_path]} %{[zeek_cols][user_agent]} %{[zeek_cols][status_code]} %{[zeek_cols][status_msg]} %{[zeek_cols][warning]} %{[zeek_cols][request_body_len]} %{[zeek_cols][response_body_len]} %{[zeek_cols][content_type]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_sip"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_sip"
+ init => "@zeek_sip_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'method', 'uri', 'date', 'request_from', 'request_to', 'response_from', 'response_to', 'reply_to', 'call_id', 'seq', 'subject', 'request_path', 'response_path', 'user_agent', 'status_code', 'status_msg', 'warning', 'request_body_len', 'response_body_len', 'content_type' ]"
+ code => "event.set('[zeek_cols]', @zeek_sip_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_zeek_sip_commas"
+ split => { "[zeek_cols][request_path]" => ","
+ "[zeek_cols][response_path]" => "," } }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_sip"
+ add_field => { "[zeek_cols][service]" => "sip" }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1053_zeek_smb.conf b/logstash/pipelines/zeek/1053_zeek_smb.conf
new file mode 100644
index 000000000..9e42d4429
--- /dev/null
+++ b/logstash/pipelines/zeek/1053_zeek_smb.conf
@@ -0,0 +1,131 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "smb_cmd") {
+ #############################################################################################################################
+ # smb_cmd.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::CmdInfo
+ #
+ # note that smb_cmd.referenced_file is exactly the same structure as the log line for smb_files. later on it will be
+ # merged up as its own top-level entity so I don't have to duplicate the parsing effort below
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_smb_cmd_referenced_file_fields"
+ rename => { "[zeek_cols][referenced_file.id.orig_h]" => "[zeek_cols][referenced_file][orig_h]" }
+ rename => { "[zeek_cols][referenced_file.id.orig_p]" => "[zeek_cols][referenced_file][orig_p]" }
+ rename => { "[zeek_cols][referenced_file.id.resp_h]" => "[zeek_cols][referenced_file][resp_h]" }
+ rename => { "[zeek_cols][referenced_file.id.resp_p]" => "[zeek_cols][referenced_file][resp_p]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_smb_cmd"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][command]} %{[zeek_cols][sub_command]} %{[zeek_cols][argument]} %{[zeek_cols][status]} %{[zeek_cols][rtt]} %{[zeek_cols][version]} %{[zeek_cols][user]} %{[zeek_cols][tree]} %{[zeek_cols][tree_service]} %{[zeek_cols][referenced_file][ts]} %{[zeek_cols][referenced_file][uid]} %{[zeek_cols][referenced_file][orig_h]} %{[zeek_cols][referenced_file][orig_p]} %{[zeek_cols][referenced_file][resp_h]} %{[zeek_cols][referenced_file][resp_p]} %{[zeek_cols][referenced_file][fuid]} %{[zeek_cols][referenced_file][action]} %{[zeek_cols][referenced_file][path]} %{[zeek_cols][referenced_file][name]} %{[zeek_cols][referenced_file][size]} %{[zeek_cols][referenced_file][prev_name]} %{[zeek_cols][referenced_file][times_modified]} %{[zeek_cols][referenced_file][times_accessed]} %{[zeek_cols][referenced_file][times_created]} %{[zeek_cols][referenced_file][times_changed]} %{[zeek_cols][referenced_file][data_offset_req]} %{[zeek_cols][referenced_file][data_len_req]} %{[zeek_cols][referenced_file][data_len_rsp]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_smb_cmd"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_smb_cmd"
+ init => "@zeek_smb_cmd_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'command', 'sub_command', 'argument', 'status', 'rtt', 'version', 'user', 'tree', 'tree_service', 'referenced_file.ts', 'referenced_file.uid', 'referenced_file.orig_h', 'referenced_file.orig_p', 'referenced_file.resp_h', 'referenced_file.resp_p', 'referenced_file.fuid', 'referenced_file.action', 'referenced_file.path', 'referenced_file.name', 'referenced_file.size', 'referenced_file.prev_name', 'referenced_file.times_modified', 'referenced_file.times_accessed', 'referenced_file.times_created', 'referenced_file.times_changed', 'referenced_file.data_offset_req', 'referenced_file.data_len_req', 'referenced_file.data_len_rsp' ]"
+ code => "event.set('[zeek_cols]', @zeek_smb_cmd_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_smb_cmd"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "smb"
+ }
+ }
+
+ # remove SMB prefix from version
+ mutate { id => "mutate_gsub_field_zeek_smb_cmd_version"
+ gsub => [ "[zeek_cols][version]", "^SMB", "" ] }
+
+ mutate { id => "mutate_gsub_zeek_smb_cmd_command"
+ gsub => [ "[zeek_cols][command]", "^SMB::", "" ] }
+
+ } else if ([log_source] == "smb_files") {
+ #############################################################################################################################
+ # smb_files.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::FileInfo
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_smb_files_with_all_fields"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][fuid]} %{[zeek_cols][action]} %{[zeek_cols][path]} %{[zeek_cols][name]} %{[zeek_cols][size]} %{[zeek_cols][prev_name]} %{[zeek_cols][times_modified]} %{[zeek_cols][times_accessed]} %{[zeek_cols][times_created]} %{[zeek_cols][times_changed]} %{[zeek_cols][data_offset_req]} %{[zeek_cols][data_len_req]} %{[zeek_cols][data_len_rsp]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_smb_files"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_smb_files"
+ init => "@zeek_smb_files_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'fuid', 'action', 'path', 'name', 'size', 'prev_name', 'times_modified', 'times_accessed', 'times_created', 'times_changed', 'data_offset_req', 'data_len_req', 'data_len_rsp' ]"
+ code => "event.set('[zeek_cols]', @zeek_smb_files_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_smb_files"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "smb"
+ }
+ }
+
+ mutate { id => "mutate_gsub_zeek_smb_files_action"
+ gsub => [ "[zeek_cols][action]", "^SMB::", "" ] }
+
+ } else if ([log_source] == "smb_mapping") {
+ #############################################################################################################################
+ # smb_mapping.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::TreeInfo
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_smb_mapping"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][path]} %{[zeek_cols][resource_type]} %{[zeek_cols][native_file_system]} %{[zeek_cols][share_type]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_smb_mapping"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_smb_mapping"
+ init => "@zeek_smb_mapping_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'path', 'resource_type', 'native_file_system', 'share_type' ]"
+ code => "event.set('[zeek_cols]', @zeek_smb_mapping_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_smb_mapping"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "smb"
+ }
+ }
+
+ }
+
+} # end Filter
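Review bot: `mutate_rename_zeek_json_smb_cmd_referenced_file_fields` spells the `rename` setting four times in one plugin block; Logstash folds repeated hash-valued settings into a single hash, but that is a legacy convenience, and putting the four pairs inside one `rename => { ... }` reads as one operation and lets the config parser report a duplicated source key. The same pattern is in `mutate_rename_zeek_json_software_fields` in the software file. Separately, the split/zip fallback emits flat keys (`referenced_file.orig_h`) while the dissect mapping and these renames produce nested `[referenced_file][orig_h]`; the header comment says referenced_file is merged up later, and it would help to state there that both shapes are expected by that later stage, presumably via a de-dot step.
```logstash
mutate {
  id => "mutate_rename_zeek_json_smb_cmd_referenced_file_fields"
  rename => {
    "[zeek_cols][referenced_file.id.orig_h]" => "[zeek_cols][referenced_file][orig_h]"
    "[zeek_cols][referenced_file.id.orig_p]" => "[zeek_cols][referenced_file][orig_p]"
    "[zeek_cols][referenced_file.id.resp_h]" => "[zeek_cols][referenced_file][resp_h]"
    "[zeek_cols][referenced_file.id.resp_p]" => "[zeek_cols][referenced_file][resp_p]"
  }
}
# … unchanged: dissect / split-zip fallback, add_fields, gsub blocks …
```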
diff --git a/logstash/pipelines/zeek/1054_zeek_smtp.conf b/logstash/pipelines/zeek/1054_zeek_smtp.conf
new file mode 100644
index 000000000..f4587c5d5
--- /dev/null
+++ b/logstash/pipelines/zeek/1054_zeek_smtp.conf
@@ -0,0 +1,48 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "smtp") {
+ #############################################################################################################################
+ # smtp.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/smtp/main.zeek.html#type-SMTP::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_smtp"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][helo]} %{[zeek_cols][mailfrom]} %{[zeek_cols][rcptto]} %{[zeek_cols][date]} %{[zeek_cols][from]} %{[zeek_cols][to]} %{[zeek_cols][cc]} %{[zeek_cols][reply_to]} %{[zeek_cols][msg_id]} %{[zeek_cols][in_reply_to]} %{[zeek_cols][subject]} %{[zeek_cols][x_originating_ip]} %{[zeek_cols][first_received]} %{[zeek_cols][second_received]} %{[zeek_cols][last_reply]} %{[zeek_cols][path]} %{[zeek_cols][user_agent]} %{[zeek_cols][tls]} %{[zeek_cols][fuid]} %{[zeek_cols][is_webmail]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_smtp"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_smtp"
+ init => "@zeek_smtp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'helo', 'mailfrom', 'rcptto', 'date', 'from', 'to', 'cc', 'reply_to', 'msg_id', 'in_reply_to', 'subject', 'x_originating_ip', 'first_received', 'second_received', 'last_reply', 'path', 'user_agent', 'tls', 'fuid', 'is_webmail' ]"
+ code => "event.set('[zeek_cols]', @zeek_smtp_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_zeek_smtp_commas"
+ split => { "[zeek_cols][rcptto]" => ","
+ "[zeek_cols][to]" => ","
+ "[zeek_cols][cc]" => ","
+ "[zeek_cols][path]" => "," } }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_smtp"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "smtp"
+ }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1055_zeek_snmp.conf b/logstash/pipelines/zeek/1055_zeek_snmp.conf
new file mode 100644
index 000000000..2991ed095
--- /dev/null
+++ b/logstash/pipelines/zeek/1055_zeek_snmp.conf
@@ -0,0 +1,43 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "snmp") {
+ #############################################################################################################################
+ # snmp.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/snmp/main.zeek.html#type-SNMP::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_snmp"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][duration]} %{[zeek_cols][version]} %{[zeek_cols][community]} %{[zeek_cols][get_requests]} %{[zeek_cols][get_bulk_requests]} %{[zeek_cols][get_responses]} %{[zeek_cols][set_requests]} %{[zeek_cols][display_string]} %{[zeek_cols][up_since]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_snmp"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_snmp"
+ init => "@zeek_snmp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'duration', 'version', 'community', 'get_requests', 'get_bulk_requests', 'get_responses', 'set_requests', 'display_string', 'up_since' ]"
+ code => "event.set('[zeek_cols]', @zeek_snmp_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_snmp"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "snmp"
+ }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1056_zeek_socks.conf b/logstash/pipelines/zeek/1056_zeek_socks.conf
new file mode 100644
index 000000000..aeec39cb0
--- /dev/null
+++ b/logstash/pipelines/zeek/1056_zeek_socks.conf
@@ -0,0 +1,40 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "socks") {
+ #############################################################################################################################
+ # socks.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/socks/main.zeek.html#type-SOCKS::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_socks"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][user]} %{[zeek_cols][password]} %{[zeek_cols][server_status]} %{[zeek_cols][request_host]} %{[zeek_cols][request_name]} %{[zeek_cols][request_port]} %{[zeek_cols][bound_host]} %{[zeek_cols][bound_name]} %{[zeek_cols][bound_port]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_socks"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_socks"
+ init => "@zeek_socks_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'user', 'password', 'server_status', 'request_host', 'request_name', 'request_port', 'bound_host', 'bound_name', 'bound_port' ]"
+ code => "event.set('[zeek_cols]', @zeek_socks_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_socks"
+ add_field => { "[zeek_cols][service]" => "socks" }
+ }
+
+ }
+
+} # end Filter
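Review bot: `[zeek_cols][password]` is carried through unchanged on both the dissect path and the split/zip fallback, so the SOCKS credential Zeek observed lands in the index as a plain, searchable field; the snmp file does the same with `[zeek_cols][community]`. Nothing in either file marks these fields as sensitive, so a reader of the pipeline gets no hint whether index-level access control or a later masking stage is the control being relied on. A comment next to the dissect mapping would record that decision, e.g. `# password is a credential captured from the wire; it is kept as-is and protected by index access control (mask in a later shared stage if that changes)`. If masking is wanted, it belongs in a shared later stage rather than in each per-log file.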
diff --git a/logstash/pipelines/zeek/1057_zeek_software.conf b/logstash/pipelines/zeek/1057_zeek_software.conf
new file mode 100644
index 000000000..e6cfe36d5
--- /dev/null
+++ b/logstash/pipelines/zeek/1057_zeek_software.conf
@@ -0,0 +1,47 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "software") {
+ #############################################################################################################################
+ # software.log
+ # https://docs.zeek.org/en/stable/scripts/base/frameworks/software/main.zeek.html#type-Software::Info
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_software_fields"
+ rename => { "[zeek_cols][host]" => "[zeek_cols][orig_h]" }
+ rename => { "[zeek_cols][host_p]" => "[zeek_cols][orig_p]" }
+ rename => { "[zeek_cols][version.major]" => "[zeek_cols][version_major]" }
+ rename => { "[zeek_cols][version.minor]" => "[zeek_cols][version_minor]" }
+ rename => { "[zeek_cols][version.minor2]" => "[zeek_cols][version_minor2]" }
+ rename => { "[zeek_cols][version.minor3]" => "[zeek_cols][version_minor3]" }
+ rename => { "[zeek_cols][version.addl]" => "[zeek_cols][version_addl]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_software"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][software_type]} %{[zeek_cols][name]} %{[zeek_cols][version_major]} %{[zeek_cols][version_minor]} %{[zeek_cols][version_minor2]} %{[zeek_cols][version_minor3]} %{[zeek_cols][version_addl]} %{[zeek_cols][unparsed_version]} %{[zeek_cols][url]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_software"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_software"
+ init => "@zeek_software_field_names = [ 'ts', 'orig_h', 'orig_p', 'software_type', 'name', 'version_major', 'version_minor', 'version_minor2', 'version_minor3', 'version_addl', 'unparsed_version', 'url' ]"
+ code => "event.set('[zeek_cols]', @zeek_software_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ }
+
+} # end Filter
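Review bot: The `_dissectfailure` fallback in `ruby_zip_zeek_software` trusts a plain `split => " "` of `[message]`, but software.log columns such as `name` and `unparsed_version` routinely contain spaces (user-agent strings, banners), so a failed dissect is exactly the case where the token count will not match the 12 field names and `zip` will silently assign shifted tokens to the wrong columns and drop the tail. How `[message]` is delimited by the upstream stage is not visible here, so this may be mitigated elsewhere. A cheap guard is to only populate `[zeek_cols]` when the counts agree, e.g. `code => "toks = event.get('[message]'); event.set('[zeek_cols]', @zeek_software_field_names.zip(toks).to_h) if toks.is_a?(Array) && toks.length == @zeek_software_field_names.length"`, and leave the event tagged so the mismatch is visible rather than mis-attributed.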
diff --git a/logstash/pipelines/zeek/1058_zeek_ssh.conf b/logstash/pipelines/zeek/1058_zeek_ssh.conf
new file mode 100644
index 000000000..bf1177a34
--- /dev/null
+++ b/logstash/pipelines/zeek/1058_zeek_ssh.conf
@@ -0,0 +1,87 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "ja4ssh") {
+ #############################################################################################################################
+ # ja4ssh.log
+ # https://github.com/FoxIO-LLC/ja4
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_ja4ssh"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ja4ssh]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_ja4ssh"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_ja4ssh"
+ init => "@zeek_ja4ssh_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'ja4ssh' ]"
+ code => "event.set('[zeek_cols]', @zeek_ja4ssh_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_ja4ssh"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "ssh"
+ }
+ }
+
+ } else if ([log_source] == "ssh") {
+ #############################################################################################################################
+ # ssh.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/ssh/main.zeek.html#type-SSH::Info
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_ssh_fields"
+ rename => { "[zeek_cols][hasshServer_Algorithms]" => "[zeek_cols][hasshServerAlgorithms]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_ssh_with_all_fields_with_hassh"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][auth_success]} %{[zeek_cols][auth_attempts]} %{[zeek_cols][direction]} %{[zeek_cols][client]} %{[zeek_cols][server]} %{[zeek_cols][cipher_alg]} %{[zeek_cols][mac_alg]} %{[zeek_cols][compression_alg]} %{[zeek_cols][kex_alg]} %{[zeek_cols][host_key_alg]} %{[zeek_cols][host_key]} %{[zeek_cols][remote_location_country_code]} %{[zeek_cols][remote_location_region]} %{[zeek_cols][remote_location_city]} %{[zeek_cols][remote_location_latitude]} %{[zeek_cols][remote_location_longitude]} %{[zeek_cols][hasshVersion]} %{[zeek_cols][hassh]} %{[zeek_cols][hasshServer]} %{[zeek_cols][cshka]} %{[zeek_cols][hasshAlgorithms]} %{[zeek_cols][sshka]} %{[zeek_cols][hasshServerAlgorithms]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_ssh"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_ssh"
+ init => "@zeek_ssh_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'auth_success', 'auth_attempts', 'direction', 'client', 'server', 'cipher_alg', 'mac_alg', 'compression_alg', 'kex_alg', 'host_key_alg', 'host_key', 'remote_location_country_code', 'remote_location_region', 'remote_location_city', 'remote_location_latitude', 'remote_location_longitude', 'hasshVersion', 'hassh', 'hasshServer', 'cshka', 'hasshAlgorithms', 'sshka', 'hasshServerAlgorithms' ]"
+ code => "event.set('[zeek_cols]', @zeek_ssh_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_zeek_ssh_commas"
+ split => { "[zeek_cols][hasshAlgorithms]" => ","
+ "[zeek_cols][hasshServerAlgorithms]" => ","
+ "[zeek_cols][cshka]" => ","
+ "[zeek_cols][sshka]" => "," } }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_ssh"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "ssh"
+ }
+ }
+
+ }
+
+} # end Filter
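Review bot: `mutate_split_zeek_ssh_commas` sits inside the `else` (non-JSON) branch, so only TSV-parsed events get `hasshAlgorithms`, `hasshServerAlgorithms`, `cshka` and `sshka` split into arrays; JSON events only get the `hasshServer_Algorithms` rename and keep whatever string the hassh package emitted. If that package logs these as comma-joined strings (as its field names suggest, though not visible here), the same log ends up with two field shapes depending on the input format, which breaks per-algorithm queries on the JSON side. Moving the five-line `mutate_split_zeek_ssh_commas` block out of the `else` to just before `mutate_add_fields_zeek_ssh` fixes this for both paths, since `split` on an absent field is a no-op.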
diff --git a/logstash/pipelines/zeek/1059_zeek_ssl.conf b/logstash/pipelines/zeek/1059_zeek_ssl.conf
new file mode 100644
index 000000000..675bb103b
--- /dev/null
+++ b/logstash/pipelines/zeek/1059_zeek_ssl.conf
@@ -0,0 +1,54 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "ssl") {
+ #############################################################################################################################
+ # ssl.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/ssl/main.zeek.html#type-SSL::Info
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_ssl_fields"
+ rename => { "[zeek_cols][version]" => "[zeek_cols][ssl_version]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_ssl_v1_with_ja4"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ssl_version]} %{[zeek_cols][cipher]} %{[zeek_cols][curve]} %{[zeek_cols][server_name]} %{[zeek_cols][resumed]} %{[zeek_cols][last_alert]} %{[zeek_cols][next_protocol]} %{[zeek_cols][established]} %{[zeek_cols][ssl_history]} %{[zeek_cols][cert_chain_fps]} %{[zeek_cols][client_cert_chain_fps]} %{[zeek_cols][sni_matches_cert]} %{[zeek_cols][validation_status]} %{[zeek_cols][ja4]} %{[zeek_cols][ja4s]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_ssl"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_ssl"
+ init => "@zeek_ssl_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'ssl_version', 'cipher', 'curve', 'server_name', 'resumed', 'last_alert', 'next_protocol', 'established', 'ssl_history', 'cert_chain_fps', 'client_cert_chain_fps', 'sni_matches_cert', 'validation_status', 'ja4', 'ja4s' ]"
+ code => "event.set('[zeek_cols]', @zeek_ssl_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_zeek_ssl_commas"
+ split => { "[zeek_cols][cert_chain_fuids]" => ","
+ "[zeek_cols][client_cert_chain_fuids]" => ","
+ "[zeek_cols][cert_chain_fps]" => ","
+ "[zeek_cols][client_cert_chain_fps]" => "," } }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_ssl"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "tls"
+ }
+ }
+
+ }
+
+} # end Filter
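Review bot: `mutate_split_zeek_ssl_commas` splits `[zeek_cols][cert_chain_fuids]` and `[zeek_cols][client_cert_chain_fuids]`, but nothing in this file produces those names: the dissect mapping `dissect_zeek_ssl_v1_with_ja4` and the `@zeek_ssl_field_names` list only carry `cert_chain_fps` / `client_cert_chain_fps`, and the JSON branch renames only `version`. The two `*_fuids` entries look like a leftover from the older column names and are dead config; either drop them or keep them behind a comment such as `# *_fuids: compatibility with pre-*_fps ssl.log layouts, no-op otherwise` so the next reader does not assume a field exists. As with the ssh block, the split also runs only in the non-JSON branch, so JSON events keep comma-joined strings if that is how Zeek emits them.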
diff --git a/logstash/pipelines/zeek/1060_zeek_stun.conf b/logstash/pipelines/zeek/1060_zeek_stun.conf
new file mode 100644
index 000000000..fdb291513
--- /dev/null
+++ b/logstash/pipelines/zeek/1060_zeek_stun.conf
@@ -0,0 +1,96 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "stun") {
+ #############################################################################################################################
+ # stun.log
+ # https://github.com/corelight/zeek-spicy-stun/blob/master/analyzer/main.zeek
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_stun_fields"
+ rename => { "[zeek_cols][attr_types]" => "[zeek_cols][attr_type]" }
+ rename => { "[zeek_cols][attr_vals]" => "[zeek_cols][attr_val]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_stun"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][is_orig]} %{[zeek_cols][trans_id]} %{[zeek_cols][method]} %{[zeek_cols][class]} %{[zeek_cols][attr_type]} %{[zeek_cols][attr_val]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_stun"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_stun"
+ init => "@zeek_stun_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'is_orig', 'trans_id', 'method', 'class', 'attr_type', 'attr_val' ]"
+ code => "event.set('[zeek_cols]', @zeek_stun_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_field_zeek_stun_commas"
+ split => { "[zeek_cols][attr_type]" => ","
+ "[zeek_cols][attr_val]" => "," } }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_stun"
+ add_field => {
+ "[zeek_cols][service]" => "stun"
+ }
+ }
+
+ } else if ([log_source] == "stun_nat") {
+ #############################################################################################################################
+ # stun.log
+ # https://github.com/corelight/zeek-spicy-stun/blob/master/analyzer/main.zeek
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_stun_nat_fields"
+ rename => { "[zeek_cols][wan_addrs]" => "[zeek_cols][wan_addr]" }
+ rename => { "[zeek_cols][wan_ports]" => "[zeek_cols][wan_port]" }
+ rename => { "[zeek_cols][lan_addrs]" => "[zeek_cols][lan_addr]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_stun_nat"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][is_orig]} %{[zeek_cols][wan_addr]} %{[zeek_cols][wan_port]} %{[zeek_cols][lan_addr]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_stun_nat"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_stun_nat"
+ init => "@zeek_stun_nat_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'is_orig', 'wan_addr', 'wan_port', 'lan_addr' ]"
+ code => "event.set('[zeek_cols]', @zeek_stun_nat_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_field_zeek_stun_nat_commas"
+ split => { "[zeek_cols][wan_addrs]" => ","
+ "[zeek_cols][wan_ports]" => ","
+ "[zeek_cols][lan_addrs]" => "," } }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_stun_nat"
+ add_field => {
+ "[zeek_cols][service]" => "stun"
+ }
+ }
+
+ }
+
+} # end Filter
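Review bot: In the `stun_nat` TSV branch the comma split targets `[zeek_cols][wan_addrs]`, `[zeek_cols][wan_ports]` and `[zeek_cols][lan_addrs]`, but `dissect_zeek_stun_nat` and `@zeek_stun_nat_field_names` populate `wan_addr`, `wan_port` and `lan_addr` (the post-rename names), so `mutate_split_field_zeek_stun_nat_commas` never fires and TSV events keep comma-joined strings while the `stun` block above correctly splits the renamed `attr_type` / `attr_val`. The three keys should be the singular names: `split => { "[zeek_cols][wan_addr]" => ","`, `"[zeek_cols][wan_port]" => ","`, `"[zeek_cols][lan_addr]" => "," } }`.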
diff --git a/logstash/pipelines/zeek/1061_zeek_synchrophasor.conf b/logstash/pipelines/zeek/1061_zeek_synchrophasor.conf
new file mode 100644
index 000000000..ad4795ec7
--- /dev/null
+++ b/logstash/pipelines/zeek/1061_zeek_synchrophasor.conf
@@ -0,0 +1,242 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "synchrophasor") {
+ #############################################################################################################################
+ # synchrophasor.log
+ # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_synchrophasor"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][version]} %{[zeek_cols][data_stream_id]} %{[zeek_cols][history]} %{[zeek_cols][frame_size_min]} %{[zeek_cols][frame_size_max]} %{[zeek_cols][frame_size_tot]} %{[zeek_cols][data_frame_count]} %{[zeek_cols][data_rate]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_synchrophasor"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_synchrophasor"
+ init => "@zeek_synchrophasor_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'version', 'data_stream_id', 'history', 'frame_size_min', 'frame_size_max', 'frame_size_tot', 'data_frame_count', 'data_rate' ]"
+ code => "event.set('[zeek_cols]', @zeek_synchrophasor_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_synchrophasor"
+ add_field => {
+ "[zeek_cols][service]" => "synchrophasor"
+ }
+ add_tag => [ "ics" ]
+ }
+
+
+ } else if ([log_source] == "synchrophasor_cmd") {
+ #############################################################################################################################
+ # synchrophasor_cmd.log
+ # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_synchrophasor_cmd"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][command]} %{[zeek_cols][extframe]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_synchrophasor_cmd"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_synchrophasor_cmd"
+ init => "@zeek_synchrophasor_cmd_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'command', 'extframe' ]"
+ code => "event.set('[zeek_cols]', @zeek_synchrophasor_cmd_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_synchrophasor_cmd"
+ add_field => {
+ "[zeek_cols][service]" => "synchrophasor"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "synchrophasor_cfg") {
+ #############################################################################################################################
+ # synchrophasor_cfg.log
+ # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_synchrophasor_cfg"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][cont_idx]} %{[zeek_cols][pmu_count_expected]} %{[zeek_cols][pmu_count_actual]} %{[zeek_cols][data_rate]} %{[zeek_cols][cfg_frame_id]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_synchrophasor_cfg"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_synchrophasor_cfg"
+ init => "@zeek_synchrophasor_cfg_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'cont_idx', 'pmu_count_expected', 'pmu_count_actual', 'data_rate', 'cfg_frame_id' ]"
+ code => "event.set('[zeek_cols]', @zeek_synchrophasor_cfg_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_synchrophasor_cfg"
+ add_field => {
+ "[zeek_cols][service]" => "synchrophasor"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "synchrophasor_cfg_detail") {
+ #############################################################################################################################
+ # synchrophasor_cfg_detail.log
+ # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_synchrophasor_cfg_detail"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][cfg_frame_id]} %{[zeek_cols][pmu_idx]} %{[zeek_cols][svc_class]} %{[zeek_cols][station_name]} %{[zeek_cols][data_source_id]} %{[zeek_cols][global_pmuid]} %{[zeek_cols][phasor_shape]} %{[zeek_cols][phasor_format]} %{[zeek_cols][analog_format]} %{[zeek_cols][freq_format]} %{[zeek_cols][phnmr]} %{[zeek_cols][annmr]} %{[zeek_cols][dgnmr]} %{[zeek_cols][phnam]} %{[zeek_cols][annam]} %{[zeek_cols][dgnam]} %{[zeek_cols][phasor_conv_phunit]} %{[zeek_cols][phasor_conv_phvalue]} %{[zeek_cols][phasor_conv_upsampled_interpolation]} %{[zeek_cols][phasor_conv_upsampled_extrapolation]} %{[zeek_cols][phasor_conv_downsampled_reselection]} %{[zeek_cols][phasor_conv_downsampled_fir_filter]} %{[zeek_cols][phasor_conv_downsampled_no_fir_filter]} %{[zeek_cols][phasor_conv_filtered_without_changing_sampling]} %{[zeek_cols][phasor_conv_calibration_mag_adj]} %{[zeek_cols][phasor_conv_calibration_phas_adj]} %{[zeek_cols][phasor_conv_rotation_phase_adj]} %{[zeek_cols][phasor_conv_pseudo_phasor_val]} %{[zeek_cols][phasor_conv_mod_appl]} %{[zeek_cols][phasor_conv_phasor_component]} %{[zeek_cols][phasor_conv_phasor_type]} %{[zeek_cols][phasor_conv_user_def]} %{[zeek_cols][phasor_conv_scale_factor]} %{[zeek_cols][phasor_conv_angle_adj]} %{[zeek_cols][analog_conv_analog_flags]} %{[zeek_cols][analog_conv_user_defined_scaling]} %{[zeek_cols][analog_conv_mag_scale]} %{[zeek_cols][analog_conv_offset]} %{[zeek_cols][digital_conv_normal_status_mask]} %{[zeek_cols][digital_conv_valid_inputs_mask]} %{[zeek_cols][pmu_lat]} %{[zeek_cols][pmu_lon]} %{[zeek_cols][pmu_elev]} %{[zeek_cols][window]} %{[zeek_cols][group_delay]} %{[zeek_cols][fnom]} %{[zeek_cols][cfgcnt]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_synchrophasor_cfg_detail"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_synchrophasor_cfg_detail"
+ init => "@zeek_synchrophasor_cfg_detail_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'header_time_stamp', 'cfg_frame_id', 'pmu_idx', 'svc_class', 'station_name', 'data_source_id', 'global_pmuid', 'phasor_shape', 'phasor_format', 'analog_format', 'freq_format', 'phnmr', 'annmr', 'dgnmr', 'phnam', 'annam', 'dgnam', 'phasor_conv_phunit', 'phasor_conv_phvalue', 'phasor_conv_upsampled_interpolation', 'phasor_conv_upsampled_extrapolation', 'phasor_conv_downsampled_reselection', 'phasor_conv_downsampled_fir_filter', 'phasor_conv_downsampled_no_fir_filter', 'phasor_conv_filtered_without_changing_sampling', 'phasor_conv_calibration_mag_adj', 'phasor_conv_calibration_phas_adj', 'phasor_conv_rotation_phase_adj', 'phasor_conv_pseudo_phasor_val', 'phasor_conv_mod_appl', 'phasor_conv_phasor_component', 'phasor_conv_phasor_type', 'phasor_conv_user_def', 'phasor_conv_scale_factor', 'phasor_conv_angle_adj', 'analog_conv_analog_flags', 'analog_conv_user_defined_scaling', 'analog_conv_mag_scale', 'analog_conv_offset', 'digital_conv_normal_status_mask', 'digital_conv_valid_inputs_mask', 'pmu_lat', 'pmu_lon', 'pmu_elev', 'window', 'group_delay', 'fnom', 'cfgcnt' ]"
+ code => "event.set('[zeek_cols]', @zeek_synchrophasor_cfg_detail_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_synchrophasor_cfg_detail"
+ add_field => {
+ "[zeek_cols][service]" => "synchrophasor"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "synchrophasor_data") {
+ #############################################################################################################################
+ # synchrophasor_data.log
+ # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_synchrophasor_data"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][pmu_count_expected]} %{[zeek_cols][pmu_count_actual]} %{[zeek_cols][data_frame_id]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_synchrophasor_data"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_synchrophasor_data"
+ init => "@zeek_synchrophasor_data_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'pmu_count_expected', 'pmu_count_actual', 'data_frame_id' ]"
+ code => "event.set('[zeek_cols]', @zeek_synchrophasor_data_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_synchrophasor_data"
+ add_field => {
+ "[zeek_cols][service]" => "synchrophasor"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "synchrophasor_data_detail") {
+ #############################################################################################################################
+ # synchrophasor_data_detail.log
+ # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_synchrophasor_data_detail"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][data_frame_id]} %{[zeek_cols][pmu_idx]} %{[zeek_cols][trigger_reason]} %{[zeek_cols][unlocked_time]} %{[zeek_cols][pmu_time_quality]} %{[zeek_cols][data_modified]} %{[zeek_cols][config_change]} %{[zeek_cols][pmu_trigger_pickup]} %{[zeek_cols][data_sorting_type]} %{[zeek_cols][pmu_sync_error]} %{[zeek_cols][data_error_indicator]} %{[zeek_cols][est_rectangular_real]} %{[zeek_cols][est_rectangular_imaginary]} %{[zeek_cols][est_polar_magnitude]} %{[zeek_cols][est_polar_angle]} %{[zeek_cols][freq_dev_mhz]} %{[zeek_cols][rocof]} %{[zeek_cols][analog_data]} %{[zeek_cols][digital]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_synchrophasor_data_detail"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_synchrophasor_data_detail"
+ init => "@zeek_synchrophasor_data_detail_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'header_time_stamp', 'data_frame_id', 'pmu_idx', 'trigger_reason', 'unlocked_time', 'pmu_time_quality', 'data_modified', 'config_change', 'pmu_trigger_pickup', 'data_sorting_type', 'pmu_sync_error', 'data_error_indicator', 'est_rectangular_real', 'est_rectangular_imaginary', 'est_polar_magnitude', 'est_polar_angle', 'freq_dev_mhz', 'rocof', 'analog_data', 'digital' ]"
+ code => "event.set('[zeek_cols]', @zeek_synchrophasor_data_detail_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_synchrophasor_data_detail"
+ add_field => {
+ "[zeek_cols][service]" => "synchrophasor"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "synchrophasor_hdr") {
+ #############################################################################################################################
+ # synchrophasor_hdr.log
+ # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_synchrophasor_hdr"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][data]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_synchrophasor_hdr"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_synchrophasor_hdr"
+ init => "@zeek_synchrophasor_hdr_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'data' ]"
+ code => "event.set('[zeek_cols]', @zeek_synchrophasor_hdr_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_synchrophasor_hdr"
+ add_field => {
+ "[zeek_cols][service]" => "synchrophasor"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ }
+
+} # end Filter
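Review bot: Unlike the stun/ssl/ssh blocks, none of the synchrophasor TSV branches comma-split multi-valued columns, yet `synchrophasor_cfg_detail` and `synchrophasor_data_detail` carry columns whose names read as per-PMU lists (`phnam`, `annam`, `dgnam`, the `phasor_conv_*` group, `est_*`, `analog_data`, `digital`). If icsnpp-synchrophasor logs those as vectors (not verifiable from this hunk), JSON events will arrive as arrays while TSV events stay `"a,b,c"` strings, giving one field two shapes. A `mutate { id => "mutate_split_zeek_synchrophasor_cfg_detail_commas" split => { ... } }` after the zip fallback, listing only the columns confirmed as vectors in the package's record definition, would line these up. Also note the `synchrophasor_hdr` `data` column is free text at the end of the row; the dissect path keeps it whole, but the zip fallback only keeps its first whitespace-separated token.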
diff --git a/logstash/pipelines/zeek/1062_zeek_syslog.conf b/logstash/pipelines/zeek/1062_zeek_syslog.conf
new file mode 100644
index 000000000..efb0ed69b
--- /dev/null
+++ b/logstash/pipelines/zeek/1062_zeek_syslog.conf
@@ -0,0 +1,40 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "syslog") {
+ #############################################################################################################################
+ # syslog.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/syslog/main.zeek.html#type-Syslog::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_syslog"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][facility]} %{[zeek_cols][severity]} %{[zeek_cols][message]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_syslog"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_syslog"
+ init => "@zeek_syslog_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'facility', 'severity', 'message' ]"
+ code => "event.set('[zeek_cols]', @zeek_syslog_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_syslog"
+ add_field => { "[zeek_cols][service]" => "syslog" }
+ }
+
+ }
+
+} # end Filter
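Review bot: In the fallback path `mutate_split_zeek_syslog` splits the whole line on spaces and `ruby_zip_zeek_syslog` then zips against ten names; `Array#zip` truncates to the receiver's length, so `[zeek_cols][message]` receives only the first token of the syslog payload and the rest of the (attacker-controlled, often multi-word) message is dropped without any tag. The dissect path does not have this problem because the trailing `%{[zeek_cols][message]}` is greedy. Rejoining the tail before zipping preserves it: `code => "toks = event.get('[message]'); n = @zeek_syslog_field_names.length; toks = toks[0...(n-1)] + [toks[(n-1)..-1].join(' ')] if toks.is_a?(Array) && toks.length > n; event.set('[zeek_cols]', @zeek_syslog_field_names.zip(toks).to_h)"`.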
diff --git a/logstash/pipelines/zeek/1063_zeek_tds.conf b/logstash/pipelines/zeek/1063_zeek_tds.conf
new file mode 100644
index 000000000..23a724d0c
--- /dev/null
+++ b/logstash/pipelines/zeek/1063_zeek_tds.conf
@@ -0,0 +1,115 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "tds") {
+ #############################################################################################################################
+ # tds.log
+ # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_tds"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][command]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_tds"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_tds"
+ init => "@zeek_tds_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'command' ]"
+ code => "event.set('[zeek_cols]', @zeek_tds_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_tds"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "tds"
+ }
+ }
+
+ } else if ([log_source] == "tds_rpc") {
+ #############################################################################################################################
+ # tds_rpc.log
+ # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_tds_rpc_fields"
+ rename => { "[zeek_cols][parameters]" => "[zeek_cols][parameter]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_tds_rpc"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][procedure_name]} %{[zeek_cols][parameter]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_tds_rpc"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_tds_rpc"
+ init => "@zeek_tds_rpc_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'procedure_name', 'parameter' ]"
+ code => "event.set('[zeek_cols]', @zeek_tds_rpc_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_tds_rpc"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "tds"
+ }
+ }
+
+ } else if ([log_source] == "tds_sql_batch") {
+ #############################################################################################################################
+ # tds_sql_batch.log
+ # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_tds_sql_batch"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][header_type]} %{[zeek_cols][query]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_tds_sql_batch"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_tds_sql_batch"
+ init => "@zeek_tds_sql_batch_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'header_type', 'query' ]"
+ code => "event.set('[zeek_cols]', @zeek_tds_sql_batch_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_tds_sql_batch"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "tds"
+ }
+ }
+
+ }
+
+} # end Filter
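Review bot: The zip fallbacks for `tds_rpc` and `tds_sql_batch` lose everything after the first token of `parameter` and `query`, since `@zeek_tds_rpc_field_names.zip(...)` and `@zeek_tds_sql_batch_field_names.zip(...)` truncate to eight names while a SQL batch split on spaces yields many more; the dissect mappings keep these trailing columns whole, so the two paths produce different `query` values for the same row. Rejoining the remainder before zipping, as in `toks = toks[0...(n-1)] + [toks[(n-1)..-1].join(' ')] if toks.length > n` with `n = @zeek_tds_sql_batch_field_names.length`, keeps the statement intact. Worth a comment either way: the raw SQL text is retained verbatim, and batches such as `CREATE LOGIN ... WITH PASSWORD` put credentials into the index, so the retention choice should be stated near `dissect_zeek_tds_sql_batch`.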
diff --git a/logstash/pipelines/zeek/1064_zeek_tftp.conf b/logstash/pipelines/zeek/1064_zeek_tftp.conf
new file mode 100644
index 000000000..67cd6acef
--- /dev/null
+++ b/logstash/pipelines/zeek/1064_zeek_tftp.conf
@@ -0,0 +1,43 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "tftp") {
+ #############################################################################################################################
+ # tftp.log
+ # https://github.com/zeek/spicy-tftp
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_tftp"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][wrq]} %{[zeek_cols][fname]} %{[zeek_cols][mode]} %{[zeek_cols][uid_data]} %{[zeek_cols][size]} %{[zeek_cols][block_sent]} %{[zeek_cols][block_acked]} %{[zeek_cols][error_code]} %{[zeek_cols][error_msg]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_tftp"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_tftp"
+ init => "@zeek_tftp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'wrq', 'fname', 'mode', 'uid_data', 'size', 'block_sent', 'block_acked', 'error_code', 'error_msg' ]"
+ code => "event.set('[zeek_cols]', @zeek_tftp_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_tftp"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "tftp"
+ }
+ }
+
+ }
+
+} # end Filter
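Review bot: The `mapping =>` line and the `split => { "[message]" => " " }` line only work if the separator character is a literal tab, yet the warning that the deleted 11_zeek_parse.conf carried next to every such line (`# zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP`) did not make it into this new file. Whether the character here is a tab or a space cannot be told from the rendered diff; if an editor ever normalises it to spaces, every TSV line will hit `_dissectfailure` and the zip fallback will silently produce a one-element `[zeek_cols]`. Restore that comment above both the `mapping =>` and the `split =>` lines so the hazard is visible at review time.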
diff --git a/logstash/pipelines/zeek/1065_zeek_tunnel.conf b/logstash/pipelines/zeek/1065_zeek_tunnel.conf
new file mode 100644
index 000000000..6dfa8829f
--- /dev/null
+++ b/logstash/pipelines/zeek/1065_zeek_tunnel.conf
@@ -0,0 +1,48 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+ if ([log_source] == "tunnel") {
+ #############################################################################################################################
+ # tunnel.log
+ # https://docs.zeek.org/en/stable/scripts/base/frameworks/tunnels/main.zeek.html#type-Tunnel::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_tunnel"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][tunnel_type]} %{[zeek_cols][action]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_tunnel"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_tunnel"
+ init => "@zeek_tunnel_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'tunnel_type', 'action' ]"
+ code => "event.set('[zeek_cols]', @zeek_tunnel_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate { id => "mutate_gsub_zeek_tunnel_action"
+ gsub => [ "[zeek_cols][action]", "Tunnel::", "" ] }
+
+ mutate { id => "mutate_gsub_zeek_tunnel_type"
+ gsub => [ "[zeek_cols][tunnel_type]", "Tunnel::", "" ] }
+
+ mutate {
+ id => "mutate_add_fields_zeek_tunnel"
+ add_field => { "[zeek_cols][service]" => "%{[zeek_cols][tunnel_type]}" }
+ }
+
+ mutate { id => "mutate_lowercase_zeek_tunnel_service"
+ lowercase => [ "[zeek_cols][service]" ] }
+
+ }
+
+} # end Filter
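Review bot: `add_field => { "[zeek_cols][service]" => "%{[zeek_cols][tunnel_type]}" }` runs unconditionally, and when `[zeek_cols][tunnel_type]` is absent (a JSON record lacking it, or a short line that failed dissect) Logstash leaves the reference unresolved, so `service` becomes the literal string `%{[zeek_cols][tunnel_type]}`, which the following `lowercase` then indexes as-is. Guard it: `if ([zeek_cols][tunnel_type] and [zeek_cols][tunnel_type] != "-") { mutate { ... add_field => { "[zeek_cols][service]" => "%{[zeek_cols][tunnel_type]}" } } }` and move the lowercase inside the same conditional so `service` is only ever derived from a real tunnel type.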
diff --git a/logstash/pipelines/zeek/1066_zeek_weird.conf b/logstash/pipelines/zeek/1066_zeek_weird.conf
new file mode 100644
index 000000000..4c1da69e3
--- /dev/null
+++ b/logstash/pipelines/zeek/1066_zeek_weird.conf
@@ -0,0 +1,35 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "weird") {
+ #############################################################################################################################
+ # weird.log
+ # https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/weird.zeek.html#type-Weird::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_weird"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][name]} %{[zeek_cols][addl]} %{[zeek_cols][notice]} %{[zeek_cols][peer]} %{[zeek_cols][source]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_weird"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_weird"
+ init => "@zeek_weird_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'name', 'addl', 'notice', 'peer', 'source' ]"
+ code => "event.set('[zeek_cols]', @zeek_weird_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1067_zeek_wireguard.conf b/logstash/pipelines/zeek/1067_zeek_wireguard.conf
new file mode 100644
index 000000000..4a69f88d7
--- /dev/null
+++ b/logstash/pipelines/zeek/1067_zeek_wireguard.conf
@@ -0,0 +1,45 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "wireguard") {
+ #############################################################################################################################
+ # wireguard.log
+ # https://github.com/corelight/zeek-spicy-wireguard/blob/master/analyzer/main.zeek
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_wireguard"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][established]} %{[zeek_cols][initiations]} %{[zeek_cols][responses]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_wireguard"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_wireguard"
+ init => "@zeek_wireguard_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'established', 'initiations', 'responses' ]"
+ code => "event.set('[zeek_cols]', @zeek_wireguard_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate { id => "mutate_gsub_zeek_wireguard_packet_type"
+ gsub => [ "[zeek_cols][packet_type]", "Wireguard::WG_", "" ] }
+
+ mutate {
+ id => "mutate_add_field_zeek_service_wireguard"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "wireguard"
+ }
+ }
+ }
+
+} # end Filter
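Review bot: `gsub => [ "[zeek_cols][packet_type]", "Wireguard::WG_", "" ]` targets a field this file never produces: the dissect mapping and `@zeek_wireguard_field_names` define only `established`, `initiations` and `responses`, so on TSV input the mutate is a no-op. Unless the JSON form of wireguard.log still carries a `packet_type` column (not visible in this hunk), this looks like a leftover from an older log layout; either drop the mutate or annotate it with `# packet_type is only present in older analyzer versions; harmless no-op otherwise` so the next reader does not go looking for the field.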
diff --git a/logstash/pipelines/zeek/1068_zeek_x509.conf b/logstash/pipelines/zeek/1068_zeek_x509.conf
new file mode 100644
index 000000000..9705ebd83
--- /dev/null
+++ b/logstash/pipelines/zeek/1068_zeek_x509.conf
@@ -0,0 +1,63 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+ if ([log_source] == "x509") {
+ #############################################################################################################################
+ # x509.log
+ # https://docs.zeek.org/en/stable/scripts/base/files/x509/main.zeek.html#type-X509::Info
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_x509_fields"
+ rename => { "[zeek_cols][certificate.version]" => "[zeek_cols][certificate_version]" }
+ rename => { "[zeek_cols][certificate.serial]" => "[zeek_cols][certificate_serial]" }
+ rename => { "[zeek_cols][certificate.subject]" => "[zeek_cols][certificate_subject]" }
+ rename => { "[zeek_cols][certificate.issuer]" => "[zeek_cols][certificate_issuer]" }
+ rename => { "[zeek_cols][certificate.not_valid_before]" => "[zeek_cols][certificate_not_valid_before]" }
+ rename => { "[zeek_cols][certificate.not_valid_after]" => "[zeek_cols][certificate_not_valid_after]" }
+ rename => { "[zeek_cols][certificate.key_alg]" => "[zeek_cols][certificate_key_alg]" }
+ rename => { "[zeek_cols][certificate.sig_alg]" => "[zeek_cols][certificate_sig_alg]" }
+ rename => { "[zeek_cols][certificate.key_type]" => "[zeek_cols][certificate_key_type]" }
+ rename => { "[zeek_cols][certificate.key_length]" => "[zeek_cols][certificate_key_length]" }
+ rename => { "[zeek_cols][certificate.exponent]" => "[zeek_cols][certificate_exponent]" }
+ rename => { "[zeek_cols][certificate.curve]" => "[zeek_cols][certificate_curve]" }
+ rename => { "[zeek_cols][san.dns]" => "[zeek_cols][san_dns]" }
+ rename => { "[zeek_cols][san.uri]" => "[zeek_cols][san_uri]" }
+ rename => { "[zeek_cols][san.email]" => "[zeek_cols][san_email]" }
+ rename => { "[zeek_cols][san.ip]" => "[zeek_cols][san_ip]" }
+ rename => { "[zeek_cols][basic_constraints.ca]" => "[zeek_cols][basic_constraints_ca]" }
+ rename => { "[zeek_cols][basic_constraints.path_len]" => "[zeek_cols][basic_constraints_path_len]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_x509_v1"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][fingerprint]} %{[zeek_cols][certificate_version]} %{[zeek_cols][certificate_serial]} %{[zeek_cols][certificate_subject]} %{[zeek_cols][certificate_issuer]} %{[zeek_cols][certificate_not_valid_before]} %{[zeek_cols][certificate_not_valid_after]} %{[zeek_cols][certificate_key_alg]} %{[zeek_cols][certificate_sig_alg]} %{[zeek_cols][certificate_key_type]} %{[zeek_cols][certificate_key_length]} %{[zeek_cols][certificate_exponent]} %{[zeek_cols][certificate_curve]} %{[zeek_cols][san_dns]} %{[zeek_cols][san_uri]} %{[zeek_cols][san_email]} %{[zeek_cols][san_ip]} %{[zeek_cols][basic_constraints_ca]} %{[zeek_cols][basic_constraints_path_len]} %{[zeek_cols][host_cert]} %{[zeek_cols][client_cert]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_x509"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_x509"
+ init => "@zeek_x509_field_names = [ 'ts', 'fuid', 'certificate_version', 'certificate_serial', 'certificate_subject', 'certificate_issuer', 'certificate_not_valid_before', 'certificate_not_valid_after', 'certificate_key_alg', 'certificate_sig_alg', 'certificate_key_type', 'certificate_key_length', 'certificate_exponent', 'certificate_curve', 'san_dns', 'san_uri', 'san_email', 'san_ip', 'basic_constraints_ca', 'basic_constraints_path_len', 'host_cert', 'client_cert' ]"
+ code => "event.set('[zeek_cols]', @zeek_x509_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_zeek_x509_san_ip"
+ split => { "[zeek_cols][san_ip]" => ","
+ "[zeek_cols][fingerprint]" => "," } }
+ }
+
+ mutate { id => "mutate_add_fields_zeek_x509"
+ add_field => { "[zeek_cols][service]" => "X.509" } }
+
+ }
+
+} # end Filter
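Review bot: The two TSV paths disagree on the second column: the dissect mapping writes `[zeek_cols][fingerprint]`, but `@zeek_x509_field_names` names it `'fuid'`, so a line that fails dissect ends up with `[zeek_cols][fuid]` and the later `split => { ... "[zeek_cols][fingerprint]" => "," }` has nothing to act on. The file this commit deletes warned about exactly this ("if you make a change to the fields in dissect, make sure you make the corresponding change in the ruby init code"). Change `'fuid'` to `'fingerprint'` in the init list so both paths yield the same field name; if older Zeek releases that log an `id` column are still meant to be supported, that needs its own handling rather than a divergent fallback.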
diff --git a/logstash/pipelines/zeek/1069_zeek_websocket.conf b/logstash/pipelines/zeek/1069_zeek_websocket.conf
new file mode 100644
index 000000000..5d0bbc0b6
--- /dev/null
+++ b/logstash/pipelines/zeek/1069_zeek_websocket.conf
@@ -0,0 +1,64 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "websocket") {
+ #############################################################################################################################
+ # websocket.log
+ # https://docs.zeek.org/en/master/scripts/base/protocols/websocket/main.zeek.html#type-WebSocket::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_websocket"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][host]} %{[zeek_cols][uri]} %{[zeek_cols][user_agent]} %{[zeek_cols][subprotocol]} %{[zeek_cols][client_protocols]} %{[zeek_cols][server_extensions]} %{[zeek_cols][client_extensions]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_websocket"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_websocket"
+ init => "@zeek_websocket_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'host', 'uri', 'user_agent', 'subprotocol', 'client_protocols', 'server_extensions', 'client_extensions' ]"
+ code => "event.set('[zeek_cols]', @zeek_websocket_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ # split some vector fields (on , and ;) a few fields and trim spaces
+ ruby {
+ id => "ruby_websocket_split_and_clean"
+ code => "
+ if (client_protocols = event.get('[zeek_cols][client_protocols]')) then
+ client_protocols = client_protocols.split(/[,;]/)
+ client_protocols.collect{ |e| e ? e.strip : e }
+ event.set('[zeek_cols][client_protocols]', client_protocols)
+ end
+ if (server_extensions = event.get('[zeek_cols][server_extensions]')) then
+ server_extensions = server_extensions.split(/[,;]/)
+ server_extensions.collect{ |e| e ? e.strip : e }
+ event.set('[zeek_cols][server_extensions]', server_extensions)
+ end
+ if (client_extensions = event.get('[zeek_cols][client_extensions]')) then
+ client_extensions = client_extensions.split(/[,;]/)
+ client_extensions.collect{ |e| e ? e.strip : e }
+ event.set('[zeek_cols][client_extensions]', client_extensions)
+ end
+ "
+ }
+
+ mutate {
+ id => "mutate_add_field_zeek_service_websocket"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "websocket"
+ }
+ }
+ }
+
+} # end Filter
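Review bot: In `ruby_websocket_split_and_clean`, `client_protocols.collect{ |e| e ? e.strip : e }` (and the parallel lines for `server_extensions` and `client_extensions`) discards its result: `collect` returns a new array and the untouched original is what `event.set` writes back, so the "trim spaces" the comment promises never happens. Use `collect!` on all three lines, or fold it into the split as `client_protocols = client_protocols.split(/[,;]/).collect{ |e| e.strip }` (elements from `String#split` are never nil, so the `e ?` guard is unnecessary). Separately, this ruby block also runs for JSON input; if websocket.log's JSON form delivers these vector fields as arrays, `.split` on an Array raises NoMethodError and the event is tagged `_rubyexception`, so guarding each branch with `.is_a?(String)` would be prudent — not verifiable from this hunk.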
diff --git a/logstash/pipelines/zeek/1199_zeek_unknown.conf b/logstash/pipelines/zeek/1199_zeek_unknown.conf
new file mode 100644
index 000000000..ea72245c1
--- /dev/null
+++ b/logstash/pipelines/zeek/1199_zeek_unknown.conf
@@ -0,0 +1,27 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+ if (![zeek_cols]) {
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ # some other unknown zeek log file. should start with ts at least!
+ csv {
+ id => "csv_zeek_unknown"
+ columns => ["ts"]
+ separator => " "
+ # there's no way to *disable* the csv quote char, so set it to something we'll never see
+ quote_char => ""
+
+ target => "[zeek_cols]"
+ }
+ }
+
+ mutate { id => "mutate_add_tag_zeek_unknown"
+ add_tag => [ "_unknown_log_type" ] }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/11_zeek_parse.conf b/logstash/pipelines/zeek/11_zeek_parse.conf
deleted file mode 100644
index 83daff13b..000000000
--- a/logstash/pipelines/zeek/11_zeek_parse.conf
+++ /dev/null
@@ -1,6411 +0,0 @@
-########################
-# zeek -> arkime session creation and enrichment
-#
-# see https://docs.zeek.org/en/stable/script-reference/log-files.html for Zeek logfile documentation
-#
-# see source.zeeklogs.js for the Arkime code that turns these into UI fields
-#
-# to profile, debug:
-# - get filters sorted by execution time (where in > 0)
-# $ docker compose exec logstash curl -XGET http://localhost:9600/_node/stats/pipelines | jq -r '.. | .filters? // empty | .[] | objects | select (.events.in > 0) | [.id, .events.in, .events.out, .events.duration_in_millis] | join (";")' | sort -n -t ';' -k4
-# - get filters where in != out
-# $ docker compose exec logstash curl -XGET http://localhost:9600/_node/stats/pipelines | jq -r '.. | .filters? // empty | .[] | objects | select (.events.in != .events.out) | [.id, .events.in, .events.out, .events.duration_in_millis] | join (";")'
-#
-# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
-#######################
-
-filter {
-
- # handle JSON-formatted Zeek logs right out of the gate, we'll do the field renaming below
- if ([message] =~ /^{.*}$/) { json {
- id => "json_zeek_message_parse"
- source => "[message]"
- target => "[zeek_cols]"
- add_tag => [ "_jsonparsesuccess" ]
- } }
-
-
- # in JSON, do some global renaming of common fields to make them match the names we'd
- # be assigning to them if we were reading TSV
- if ("_jsonparsesuccess" in [tags]) {
-
- # some of the ICSNPP parsers do an interesting thing to handle source and destination fields
- # (see https://github.com/cisagov/icsnpp-bacnet/?tab=readme-ov-file#source-and-destination-fields)
- # so check for and handle those first
- ruby {
- id => "ruby_zeek_json_determine_source_destination_fields"
- code => "
- if ![event.get('[zeek_cols][source_h]').to_s,
- event.get('[zeek_cols][source_p]').to_s,
- event.get('[zeek_cols][destination_h]').to_s,
- event.get('[zeek_cols][destination_p]').to_s].reject{ |e| e.nil? || e.empty? || (e == '0') }.empty? then
- event.set('[@metadata][icsnpp_source_dest_fields]', 'true')
- end
- "
- }
- if ([@metadata][icsnpp_source_dest_fields]) {
- mutate {
- id => "mutate_rename_zeek_json_common_reversed_direction_fields"
- rename => { "[zeek_cols][id.orig_h]" => "[zeek_cols][drop_orig_h]" }
- rename => { "[zeek_cols][id.orig_p]" => "[zeek_cols][drop_orig_p]" }
- rename => { "[zeek_cols][id.resp_h]" => "[zeek_cols][drop_resp_h]" }
- rename => { "[zeek_cols][id.resp_p]" => "[zeek_cols][drop_resp_p]" }
- rename => { "[zeek_cols][source_h]" => "[zeek_cols][orig_h]" }
- rename => { "[zeek_cols][source_p]" => "[zeek_cols][orig_p]" }
- rename => { "[zeek_cols][destination_h]" => "[zeek_cols][resp_h]" }
- rename => { "[zeek_cols][destination_p]" => "[zeek_cols][resp_p]" }
- }
-
- } else {
- mutate {
- id => "mutate_rename_zeek_json_common_fields"
- rename => { "[zeek_cols][id.orig_h]" => "[zeek_cols][orig_h]" }
- rename => { "[zeek_cols][id.orig_p]" => "[zeek_cols][orig_p]" }
- rename => { "[zeek_cols][id.resp_h]" => "[zeek_cols][resp_h]" }
- rename => { "[zeek_cols][id.resp_p]" => "[zeek_cols][resp_p]" }
- }
- } # icsnpp_source_dest_fields or not
- } # _jsonparsesuccess in tags
-
- # The Dissect is WAY faster than CSV, and quite a bit faster than mutate.split. However, it
- # is not as flexible when it comes to missing or extra columns
- # (See https://github.com/logstash-plugins/logstash-filter-dissect/issues/62)
- #
- # So, if the dissect filter fails, we're going to fall back to split-then-zip solution.
- # This should be a good tradeoff between performance (in the case where the Zeek logs
- # match what we think they should look like) and flexibility (when they don't).
- #
- # The one drawback is that if you make a change to the fields in dissect, make sure
- # you make the corresponding change in the ruby init code.
-
- if ([log_source] == "conn") {
- #############################################################################################################################
- # conn.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/conn/main.zeek.html#type-Conn::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_conn_with_all_fields"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][service]} %{[zeek_cols][duration]} %{[zeek_cols][orig_bytes]} %{[zeek_cols][resp_bytes]} %{[zeek_cols][conn_state]} %{[zeek_cols][local_orig]} %{[zeek_cols][local_resp]} %{[zeek_cols][missed_bytes]} %{[zeek_cols][history]} %{[zeek_cols][orig_pkts]} %{[zeek_cols][orig_ip_bytes]} %{[zeek_cols][resp_pkts]} %{[zeek_cols][resp_ip_bytes]} %{[zeek_cols][tunnel_parents]} %{[zeek_cols][vlan]} %{[zeek_cols][inner_vlan]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][community_id]} %{[zeek_cols][ja4l]} %{[zeek_cols][ja4ls]} %{[zeek_cols][ja4t]} %{[zeek_cols][ja4ts]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_conn"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_conn"
- init => "@zeek_conn_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'service', 'duration', 'orig_bytes', 'resp_bytes', 'conn_state', 'local_orig', 'local_resp', 'missed_bytes', 'history', 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes', 'tunnel_parents', 'vlan', 'inner_vlan', 'orig_l2_addr', 'resp_l2_addr', 'community_id', 'ja4l', 'ja4ls', 'ja4t', 'ja4ts' ]"
- code => "event.set('[zeek_cols]', @zeek_conn_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- # normalize service string(s)
-
- # For some reason, even in JSON, I have service strings like:
- # ...,"proto":"udp","service":"profinet,profinet_dce_rpc,spicy_profinet_io_cm,profinet",...
- # so whatever reason it's not already an array. Split it here.
- mutate { id => "mutate_split_zeek_conn_commas"
- split => { "[zeek_cols][service]" => "," } }
-
- # some services are named like blah_udp/blah_tcp/blah_data, and we don't care about the suffix
- mutate { id => "mutate_gsub_field_zeek_conn_service_protocol_suffix"
- gsub => [ "[zeek_cols][service]", "[_-](tcp|udp|data)", "" ] }
-
- # if it's coming from spicy, we don't care to have that in the service name
- mutate { id => "mutate_gsub_field_zeek_conn_service_spicy_prefix"
- gsub => [ "[zeek_cols][service]", "spicy_", "" ] }
-
- mutate { id => "mutate_gsub_field_zeek_conn_service_spicy_cipher_suffix"
- gsub => [ "[zeek_cols][service]", "(_hmac)?(_(sha|md)\d+)?$", "" ] }
-
- if ([zeek_cols][orig_ip_bytes]) and ([zeek_cols][orig_ip_bytes] != '-') and ([zeek_cols][orig_ip_bytes] != '(empty)') and ([zeek_cols][orig_ip_bytes] != '') {
- mutate { id => "mutate_add_field_zeek_srcBytes"
- add_field => { "[source][bytes]" => "%{[zeek_cols][orig_ip_bytes]}" } }
- }
- if ([zeek_cols][resp_ip_bytes]) and ([zeek_cols][resp_ip_bytes] != '-') and ([zeek_cols][resp_ip_bytes] != '(empty)') and ([zeek_cols][resp_ip_bytes] != '') {
- mutate { id => "mutate_add_field_zeek_dstBytes"
- add_field => { "[destination][bytes]" => "%{[zeek_cols][resp_ip_bytes]}" } }
- }
- if ([zeek_cols][orig_pkts]) and ([zeek_cols][orig_pkts] != '-') and ([zeek_cols][orig_pkts] != '(empty)') and ([zeek_cols][orig_pkts] != '') {
- mutate { id => "mutate_add_field_zeek_srcPackets"
- add_field => { "[source][packets]" => "%{[zeek_cols][orig_pkts]}" } }
- }
- if ([zeek_cols][orig_bytes]) and ([zeek_cols][orig_bytes] != '-') and ([zeek_cols][orig_bytes] != '(empty)') and ([zeek_cols][orig_bytes] != '') {
- mutate { id => "mutate_add_field_zeek_srcDataBytes"
- add_field => { "[client][bytes]" => "%{[zeek_cols][orig_bytes]}" } }
- }
- if ([zeek_cols][resp_pkts]) and ([zeek_cols][resp_pkts] != '-') and ([zeek_cols][resp_pkts] != '(empty)') and ([zeek_cols][resp_pkts] != '') {
- mutate { id => "mutate_add_field_zeek_dstPackets"
- add_field => { "[destination][packets]" => "%{[zeek_cols][resp_pkts]}" } }
- }
- if ([zeek_cols][resp_bytes]) and ([zeek_cols][resp_bytes] != '-') and ([zeek_cols][resp_bytes] != '(empty)') and ([zeek_cols][resp_bytes] != '') {
- mutate { id => "mutate_add_field_zeek_dstDataBytes"
- add_field => { "[server][bytes]" => "%{[zeek_cols][resp_bytes]}" } }
- }
- if ([zeek_cols][tunnel_parents]) and ([zeek_cols][tunnel_parents] != '(empty)') and ([zeek_cols][tunnel_parents] != '-') and ([zeek_cols][tunnel_parents] != '') {
- if ("_jsonparsesuccess" not in [tags]) { mutate { id => "mutate_split_zeek_tunnel_parents"
- split => { "[zeek_cols][tunnel_parents]" => "," } } }
- mutate { id => "mutate_add_field_zeek_conn_rootId"
- add_field => { "[rootId]" => "%{[zeek_cols][tunnel_parents][0]}" } }
- }
-
- } else if ([log_source] == "bacnet") {
- #############################################################################################################################
- # bacnet.log
- # https://github.com/cisagov/ICSNPP
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_bacnet"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][bvlc_function]} %{[zeek_cols][pdu_type]} %{[zeek_cols][pdu_service]} %{[zeek_cols][invoke_id]} %{[zeek_cols][result_code]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_bacnet"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_bacnet"
- init => "@zeek_bacnet_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'bvlc_function', 'pdu_type', 'pdu_service', 'invoke_id', 'result_code' ]"
- code => "event.set('[zeek_cols]', @zeek_bacnet_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_bacnet"
- add_field => {
- "[zeek_cols][proto]" => "udp"
- "[zeek_cols][service]" => "bacnet"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "bestguess") {
- #############################################################################################################################
- # bestguess.log
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_bestguess"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][name]} %{[zeek_cols][category]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_bestguess"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_bestguess"
- init => "@zeek_bestguess_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'name', 'category' ]"
- code => "event.set('[zeek_cols]', @zeek_bestguess_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate { id => "mutate_add_tag_ics_best_guess_log"
- add_tag => [ "ics_best_guess" ] }
-
- } else if ([log_source] == "bsap_ip_header") {
- #############################################################################################################################
- # bsap_ip_header.log
- # https://github.com/cisagov/ICSNPP
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_bsap_ip_header"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][num_msg]} %{[zeek_cols][type_name]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_bsap_ip_header"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_bsap_ip_header"
- init => "@zeek_bsap_ip_header_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'num_msg', 'type_name' ]"
- code => "event.set('[zeek_cols]', @zeek_bsap_ip_header_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_bsap_ip_header"
- add_field => {
- "[zeek_cols][proto]" => "udp"
- "[zeek_cols][service]" => "bsap"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "bsap_ip_rdb") {
- #############################################################################################################################
- # bsap_ip_rdb.log
- # https://github.com/cisagov/ICSNPP
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_bsap_ip_rdb"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][header_size]} %{[zeek_cols][mes_seq]} %{[zeek_cols][res_seq]} %{[zeek_cols][data_len]} %{[zeek_cols][sequence]} %{[zeek_cols][app_func_code]} %{[zeek_cols][node_status]} %{[zeek_cols][func_code]} %{[zeek_cols][variable_count]} %{[zeek_cols][variables]} %{[zeek_cols][variable_value]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_bsap_ip_rdb"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_bsap_ip_rdb"
- init => "@zeek_bsap_ip_rdb_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'header_size', 'mes_seq', 'res_seq', 'data_len', 'sequence', 'app_func_code', 'node_status', 'func_code', 'variable_count', 'variables', 'variable_value' ]"
- code => "event.set('[zeek_cols]', @zeek_bsap_ip_rdb_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_bsap_ip_rdb"
- add_field => {
- "[zeek_cols][proto]" => "udp"
- "[zeek_cols][service]" => "bsap"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "bsap_serial_header") {
- #############################################################################################################################
- # bsap_serial_header.log
- # https://github.com/cisagov/ICSNPP
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_bsap_serial_header"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ser]} %{[zeek_cols][dadd]} %{[zeek_cols][sadd]} %{[zeek_cols][ctl]} %{[zeek_cols][dfun]} %{[zeek_cols][seq]} %{[zeek_cols][sfun]} %{[zeek_cols][nsb]} %{[zeek_cols][type_name]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_bsap_serial_header"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_bsap_serial_header"
- init => "@zeek_bsap_serial_header_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'ser', 'dadd', 'sadd', 'ctl', 'dfun', 'seq', 'sfun', 'nsb', 'type_name' ]"
- code => "event.set('[zeek_cols]', @zeek_bsap_serial_header_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_bsap_serial_header"
- add_field => {
- "[zeek_cols][proto]" => "serial"
- "[zeek_cols][service]" => "bsap"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "bsap_serial_rdb") {
- #############################################################################################################################
- # bsap_serial_rdb.log
- # https://github.com/cisagov/ICSNPP
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_bsap_serial_rdb"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][func_code]} %{[zeek_cols][variable_count]} %{[zeek_cols][variables]} %{[zeek_cols][variable_value]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_bsap_serial_rdb"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_bsap_serial_rdb"
- init => "@zeek_bsap_serial_rdb_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'func_code', 'variable_count', 'variables', 'variable_value' ]"
- code => "event.set('[zeek_cols]', @zeek_bsap_serial_rdb_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_bsap_serial_rdb"
- add_field => {
- "[zeek_cols][proto]" => "serial"
- "[zeek_cols][service]" => "bsap"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "bsap_serial_rdb_ext") {
- #############################################################################################################################
- # bsap_serial_rdb_ext.log
- # https://github.com/cisagov/ICSNPP
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_bsap_serial_rdb_ext"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][dfun]} %{[zeek_cols][seq]} %{[zeek_cols][sfun]} %{[zeek_cols][nsb]} %{[zeek_cols][extfun]} %{[zeek_cols][data]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_bsap_serial_rdb_ext"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_bsap_serial_rdb_ext"
- init => "@zeek_bsap_serial_rdb_ext_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'dfun', 'seq', 'sfun', 'nsb', 'extfun', 'data' ]"
- code => "event.set('[zeek_cols]', @zeek_bsap_serial_rdb_ext_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_bsap_serial_rdb_ext"
- add_field => {
- "[zeek_cols][proto]" => "serial"
- "[zeek_cols][service]" => "bsap"
- }
- add_tag => [ "ics" ]
- }
-
- # for now, drop hex-encoded binary data for size
- if ([zeek_cols][data]) {
- mutate { id => "mutate_remove_field_zeek_bsap_serial_rdb_ext_data"
- remove_field => [ "[zeek_cols][data]" ] }
- }
-
- } else if ([log_source] == "bacnet_device_control") {
- #############################################################################################################################
- # bacnet_device_control.log
- # https://github.com/cisagov/ICSNPP
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_bacnet_device_control"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][invoke_id]} %{[zeek_cols][pdu_service]} %{[zeek_cols][time_duration]} %{[zeek_cols][device_state]} %{[zeek_cols][password]} %{[zeek_cols][result]} %{[zeek_cols][result_code]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_bacnet_device_control"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_bacnet_device_control"
- init => "@zeek_bacnet_device_control_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'invoke_id', 'pdu_service', 'time_duration', 'device_state', 'password', 'result', 'result_code' ]"
- code => "event.set('[zeek_cols]', @zeek_bacnet_device_control_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_bacnet_device_control"
- add_field => {
- "[zeek_cols][proto]" => "udp"
- "[zeek_cols][service]" => "bacnet"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "bacnet_discovery") {
- #############################################################################################################################
- # bacnet_discovery.log
- # https://github.com/cisagov/ICSNPP
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_bacnet_discovery"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][pdu_service]} %{[zeek_cols][device_id_type]} %{[zeek_cols][device_id_number]} %{[zeek_cols][object_type]} %{[zeek_cols][instance_number]} %{[zeek_cols][vendor]} %{[zeek_cols][range]} %{[zeek_cols][object_name]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_bacnet_discovery"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_bacnet_discovery"
- init => "@zeek_bacnet_discovery_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'pdu_service', 'device_id_type', 'device_id_number', 'object_type', 'instance_number', 'vendor', 'range', 'object_name' ]"
- code => "event.set('[zeek_cols]', @zeek_bacnet_discovery_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_bacnet_discovery"
- add_field => {
- "[zeek_cols][proto]" => "udp"
- "[zeek_cols][service]" => "bacnet"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "bacnet_property") {
- #############################################################################################################################
- # bacnet_property.log
- # https://github.com/cisagov/ICSNPP
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_bacnet_property"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][invoke_id]} %{[zeek_cols][pdu_service]} %{[zeek_cols][object_type]} %{[zeek_cols][instance_number]} %{[zeek_cols][property]} %{[zeek_cols][array_index]} %{[zeek_cols][value]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_bacnet_property"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_bacnet_property"
- init => "@zeek_bacnet_property_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'invoke_id', 'pdu_service', 'object_type', 'instance_number', 'property', 'array_index', 'value' ]"
- code => "event.set('[zeek_cols]', @zeek_bacnet_property_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_bacnet_property"
- add_field => {
- "[zeek_cols][proto]" => "udp"
- "[zeek_cols][service]" => "bacnet"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "cip") {
- #############################################################################################################################
- # cip.log
- # https://github.com/cisagov/ICSNPP
- #
- # todo: class_id, instance_id is a hex integer, should it be converted to an integer?
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_cip"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][cip_sequence_count]} %{[zeek_cols][direction]} %{[zeek_cols][cip_service_code]} %{[zeek_cols][cip_service]} %{[zeek_cols][cip_status_code]} %{[zeek_cols][cip_status]} %{[zeek_cols][cip_extended_status_code]} %{[zeek_cols][cip_extended_status]} %{[zeek_cols][class_id]} %{[zeek_cols][class_name]} %{[zeek_cols][instance_id]} %{[zeek_cols][attribute_id]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_cip"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_cip"
- init => "@zeek_cip_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'cip_sequence_count', 'direction', 'cip_service_code', 'cip_service', 'cip_status_code', 'cip_status', 'cip_extended_status_code', 'cip_extended_status', 'class_id', 'class_name', 'instance_id', 'attribute_id' ]"
- code => "event.set('[zeek_cols]', @zeek_cip_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_cip"
- add_field => { "[zeek_cols][service]" => "cip" }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "cip_identity") {
- #############################################################################################################################
- # cip_identity.log
- # https://github.com/cisagov/ICSNPP
- #
- # TODO: device_status and device_state are a hex int string, convert to int?
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_cip_identity"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][encapsulation_version]} %{[zeek_cols][socket_address]} %{[zeek_cols][socket_port]} %{[zeek_cols][vendor_id]} %{[zeek_cols][vendor_name]} %{[zeek_cols][device_type_id]} %{[zeek_cols][device_type_name]} %{[zeek_cols][product_code]} %{[zeek_cols][revision]} %{[zeek_cols][device_status]} %{[zeek_cols][serial_number]} %{[zeek_cols][product_name]} %{[zeek_cols][device_state]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_cip_identity"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_cip_identity"
- init => "@zeek_cip_identity_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'encapsulation_version', 'socket_address', 'socket_port', 'vendor_id', 'vendor_name', 'device_type_id', 'device_type_name', 'product_code', 'revision', 'device_status', 'serial_number', 'product_name', 'device_state' ]"
- code => "event.set('[zeek_cols]', @zeek_cip_identity_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_cip_identity"
- add_field => { "[zeek_cols][service]" => "cip" }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "cip_io") {
- #############################################################################################################################
- # cip_io.log
- # https://github.com/cisagov/ICSNPP
- #
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_cip_io"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][connection_id]} %{[zeek_cols][sequence_number]} %{[zeek_cols][data_length]} %{[zeek_cols][io_data]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_cip_io"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_cip_io"
- init => "@zeek_cip_io_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'connection_id', 'sequence_number', 'data_length', 'io_data' ]"
- code => "event.set('[zeek_cols]', @zeek_cip_io_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_cip_io"
- add_field => { "[zeek_cols][service]" => "cip" }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "dce_rpc") {
- #############################################################################################################################
- # dce_rpc.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/dce-rpc/main.zeek.html#type-DCE_RPC::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_dce_rpc"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][rtt]} %{[zeek_cols][named_pipe]} %{[zeek_cols][endpoint]} %{[zeek_cols][operation]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_dce_rpc"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_dce_rpc"
- init => "@zeek_dce_rpc_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'rtt', 'named_pipe', 'endpoint', 'operation' ]"
- code => "event.set('[zeek_cols]', @zeek_dce_rpc_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_dce_rpc"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "dce_rpc"
- }
- }
-
- } else if ([log_source] == "dhcp") {
- #############################################################################################################################
- # dhcp.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/dhcp/main.zeek.html#type-DHCP::Info
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_dhcp_fields"
- rename => { "[zeek_cols][uids]" => "[zeek_cols][uid]" }
- rename => { "[zeek_cols][client_addr]" => "[zeek_cols][orig_h]" }
- rename => { "[zeek_cols][server_addr]" => "[zeek_cols][orig_p]" }
- rename => { "[zeek_cols][mac]" => "[zeek_cols][orig_l2_addr]" }
- rename => { "[zeek_cols][requested_addr]" => "[zeek_cols][requested_ip]" }
- rename => { "[zeek_cols][assigned_addr]" => "[zeek_cols][assigned_ip]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_dhcp_with_all_fields"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][resp_h]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][host_name]} %{[zeek_cols][client_fqdn]} %{[zeek_cols][domain]} %{[zeek_cols][requested_ip]} %{[zeek_cols][assigned_ip]} %{[zeek_cols][lease_time]} %{[zeek_cols][client_message]} %{[zeek_cols][server_message]} %{[zeek_cols][msg_types]} %{[zeek_cols][duration]} %{[zeek_cols][client_software]} %{[zeek_cols][server_software]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_dhcp"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_dhcp"
- init => "@zeek_dhcp_field_names = [ 'ts', 'uid', 'orig_h', 'resp_h', 'orig_l2_addr', 'host_name', 'client_fqdn', 'domain', 'requested_ip', 'assigned_ip', 'lease_time', 'client_message', 'server_message', 'msg_types', 'duration', 'client_software', 'server_software' ]"
- code => "event.set('[zeek_cols]', @zeek_dhcp_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_dhcp_msg_types"
- split => { "[zeek_cols][msg_types]" => "," } }
- if ([zeek_cols][uid]) and
- ([zeek_cols][uid] != '(empty)') and
- ([zeek_cols][uid] != '') {
- mutate { id => "mutate_split_zeek_dhcp_uids"
- split => { "[zeek_cols][uid]" => "," } }
- }
- }
-
- if ([zeek_cols][uid] and [zeek_cols][uid][0]) {
- mutate { id => "mutate_add_field_zeek_dhcp_uids"
- add_field => { "[rootId]" => "%{[zeek_cols][uid][0]}" } }
- }
-
- if ((![zeek_cols][orig_p]) and (![zeek_cols][resp_p])) {
- mutate {
- id => "mutate_add_field_zeek_dhcp_ports"
- add_field => {
- "[zeek_cols][orig_p]" => 68
- "[zeek_cols][resp_p]" => 67
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_dhcp"
- add_field => {
- "[zeek_cols][proto]" => "udp"
- "[zeek_cols][service]" => "dhcp"
- }
- }
-
- } else if ([log_source] == "dnp3") {
- #############################################################################################################################
- # dnp3.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/dnp3/main.zeek.html#type-DNP3::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_dnp3"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][fc_request]} %{[zeek_cols][fc_reply]} %{[zeek_cols][iin]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_dnp3"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_dnp3"
- init => "@zeek_dnp3_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'fc_request', 'fc_reply', 'iin' ]"
- code => "event.set('[zeek_cols]', @zeek_dnp3_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_dnp3"
- add_field => { "[zeek_cols][service]" => "dnp3" }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "dnp3_control") {
- #############################################################################################################################
- # dnp3_control.log
- # https://github.com/cisagov/ICSNPP
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_dnp3_control"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][block_type]} %{[zeek_cols][function_code]} %{[zeek_cols][index_number]} %{[zeek_cols][trip_control_code]} %{[zeek_cols][operation_type]} %{[zeek_cols][execute_count]} %{[zeek_cols][on_time]} %{[zeek_cols][off_time]} %{[zeek_cols][status_code]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_dnp3_control"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_dnp3_control"
- init => "@zeek_dnp3_control_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'block_type', 'function_code', 'index_number', 'trip_control_code', 'operation_type', 'execute_count', 'on_time', 'off_time', 'status_code' ]"
- code => "event.set('[zeek_cols]', @zeek_dnp3_control_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_dnp3_control"
- add_field => { "[zeek_cols][service]" => "dnp3" }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "dnp3_objects") {
- #############################################################################################################################
- # dnp3_objects.log
- # https://github.com/cisagov/ICSNPP
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_dnp3_objects"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][function_code]} %{[zeek_cols][object_type]} %{[zeek_cols][object_count]} %{[zeek_cols][range_low]} %{[zeek_cols][range_high]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_dnp3_objects"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_dnp3_objects"
- init => "@zeek_dnp3_objects_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'function_code', 'object_type', 'object_count', 'range_low', 'range_high' ]"
- code => "event.set('[zeek_cols]', @zeek_dnp3_objects_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_dnp3_objects"
- add_field => { "[zeek_cols][service]" => "dnp3" }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "dns") {
- #############################################################################################################################
- # dns.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/dns/main.zeek.html#type-DNS::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_dns"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][trans_id]} %{[zeek_cols][rtt]} %{[zeek_cols][query]} %{[zeek_cols][qclass]} %{[zeek_cols][qclass_name]} %{[zeek_cols][qtype]} %{[zeek_cols][qtype_name]} %{[zeek_cols][rcode]} %{[zeek_cols][rcode_name]} %{[zeek_cols][AA]} %{[zeek_cols][TC]} %{[zeek_cols][RD]} %{[zeek_cols][RA]} %{[zeek_cols][Z]} %{[zeek_cols][answers]} %{[zeek_cols][TTLs]} %{[zeek_cols][rejected]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_dns"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_dns"
- init => "@zeek_dns_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'trans_id', 'rtt', 'query', 'qclass', 'qclass_name', 'qtype', 'qtype_name', 'rcode', 'rcode_name', 'AA', 'TC', 'RD', 'RA', 'Z', 'answers', 'TTLs', 'rejected' ]"
- code => "event.set('[zeek_cols]', @zeek_dns_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_dns_commas"
- split => { "[zeek_cols][TTLs]" => ","
- "[zeek_cols][answers]" => "," } }
- }
-
- # remove C_ prefix from qclass_name
- mutate { id => "mutate_gsub_field_zeek_dns_qclass_name"
- gsub => [ "[zeek_cols][qclass_name]", "^C_", "" ] }
-
- mutate {
- id => "mutate_add_fields_zeek_dns"
- add_field => { "[zeek_cols][service]" => "dns" }
- }
-
- } else if ([log_source] == "dpd") {
- #############################################################################################################################
- # dpd.log
- # https://docs.zeek.org/en/stable/scripts/base/frameworks/dpd/main.zeek.html#type-DPD::Info
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_dpd_fields"
- rename => { "[zeek_cols][analyzer]" => "[zeek_cols][service]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_dpd"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][service]} %{[zeek_cols][failure_reason]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_dpd"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_dpd"
- init => "@zeek_dpd_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'service', 'failure_reason' ]"
- code => "event.set('[zeek_cols]', @zeek_dpd_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate { id => "mutate_lowercase_zeek_dpd_service"
- lowercase => [ "[zeek_cols][service]" ] }
-
- # normalize service string(s)
- if ([zeek_cols][service] =~ /^spicy_/) {
- # if it's coming from spicy, we don't care to have that in the service name
- mutate { id => "mutate_gsub_field_zeek_dpd_service_spicy_prefix"
- gsub => [ "[zeek_cols][service]", "^spicy_", "" ] }
-
- # some spicy services are named like blah_udp or blah_tcp,
- # and we don't care about the _udp/_tcp suffix
- mutate { id => "mutate_gsub_field_zeek_dpd_service_spicy_suffix"
- gsub => [ "[zeek_cols][service]", "_(tcp|udp)(_hmac)?(_(sha|md)\d+)?$", "" ] }
- }
-
- } else if ([log_source] == "enip") {
- #############################################################################################################################
- # enip.log
- # https://github.com/cisagov/ICSNPP
- #
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_enip"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][enip_command_code]} %{[zeek_cols][enip_command]} %{[zeek_cols][length]} %{[zeek_cols][session_handle]} %{[zeek_cols][enip_status]} %{[zeek_cols][sender_context]} %{[zeek_cols][options]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_enip"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_enip"
- init => "@zeek_enip_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'enip_command_code', 'enip_command', 'length', 'session_handle', 'enip_status', 'sender_context', 'options' ]"
- code => "event.set('[zeek_cols]', @zeek_enip_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_enip"
- add_field => { "[zeek_cols][service]" => "enip" }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "ecat_registers") {
- #############################################################################################################################
- # ecat_registers.log
- # https://github.com/cisagov/icsnpp-ethercat
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_ecat_registers_fields"
- rename => { "[zeek_cols][srcmac]" => "[zeek_cols][orig_l2_addr]" }
- rename => { "[zeek_cols][dstmac]" => "[zeek_cols][resp_l2_addr]" }
- rename => { "[zeek_cols][Command]" => "[zeek_cols][command]" }
- rename => { "[zeek_cols][Slave_Addr]" => "[zeek_cols][server_addr]" }
- rename => { "[zeek_cols][Register_Type]" => "[zeek_cols][register_type]" }
- rename => { "[zeek_cols][Register_Addr]" => "[zeek_cols][register_addr]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_ecat_registers"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][command]} %{[zeek_cols][server_addr]} %{[zeek_cols][register_type]} %{[zeek_cols][register_addr]} %{[zeek_cols][data]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ecat_registers"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ecat_registers"
- init => "@zeek_ecat_registers_field_names = [ 'ts', 'orig_l2_addr', 'resp_l2_addr', 'command', 'server_addr', 'register_type', 'register_addr', 'data' ]"
- code => "event.set('[zeek_cols]', @zeek_ecat_registers_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ecat_registers"
- add_field => {
- "[zeek_cols][service]" => "ethercat"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "ecat_log_address") {
- #############################################################################################################################
- # ecat_log_address.log
- # https://github.com/cisagov/icsnpp-ethercat
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_ecat_log_address_fields"
- rename => { "[zeek_cols][srcmac]" => "[zeek_cols][orig_l2_addr]" }
- rename => { "[zeek_cols][dstmac]" => "[zeek_cols][resp_l2_addr]" }
- rename => { "[zeek_cols][Log_Addr]" => "[zeek_cols][log_addr]" }
- rename => { "[zeek_cols][Length]" => "[zeek_cols][length]" }
- rename => { "[zeek_cols][Command]" => "[zeek_cols][command]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_ecat_log_address"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][log_addr]} %{[zeek_cols][length]} %{[zeek_cols][command]} %{[zeek_cols][data]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ecat_log_address"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ecat_log_address"
- init => "@zeek_ecat_log_address_field_names = [ 'ts', 'orig_l2_addr', 'resp_l2_addr', 'log_addr', 'length', 'command', 'data' ]"
- code => "event.set('[zeek_cols]', @zeek_ecat_log_address_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ecat_log_address"
- add_field => {
- "[zeek_cols][service]" => "ethercat"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "ecat_dev_info") {
- #############################################################################################################################
- # ecat_dev_info.log
- # https://github.com/cisagov/icsnpp-ethercat
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_ecat_dev_info_fields"
- rename => { "[zeek_cols][slave_id]" => "[zeek_cols][server_id]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_ecat_dev_info"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][server_id]} %{[zeek_cols][revision]} %{[zeek_cols][dev_type]} %{[zeek_cols][build]} %{[zeek_cols][fmmucnt]} %{[zeek_cols][smcount]} %{[zeek_cols][ports]} %{[zeek_cols][dpram]} %{[zeek_cols][features]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ecat_dev_info"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ecat_dev_info"
- init => "@zeek_ecat_dev_info_field_names = [ 'ts', 'server_id', 'revision', 'dev_type', 'build', 'fmmucnt', 'smcount', 'ports', 'dpram', 'features' ]"
- code => "event.set('[zeek_cols]', @zeek_ecat_dev_info_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ecat_dev_info"
- add_field => {
- "[zeek_cols][service]" => "ethercat"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "ecat_aoe_info") {
- #############################################################################################################################
- # ecat_aoe_info.log
- # https://github.com/cisagov/icsnpp-ethercat
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_ecat_aoe_info_fields"
- rename => { "[zeek_cols][targetid]" => "[zeek_cols][resp_l2_addr]" }
- rename => { "[zeek_cols][targetport]" => "[zeek_cols][resp_port]" }
- rename => { "[zeek_cols][senderid]" => "[zeek_cols][orig_l2_addr]" }
- rename => { "[zeek_cols][senderport]" => "[zeek_cols][orig_port]" }
- rename => { "[zeek_cols][cmd]" => "[zeek_cols][command]" }
- rename => { "[zeek_cols][stateflags]" => "[zeek_cols][state]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_ecat_aoe_info"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][resp_port]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][orig_port]} %{[zeek_cols][command]} %{[zeek_cols][state]} %{[zeek_cols][data]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ecat_aoe_info"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ecat_aoe_info"
- init => "@zeek_ecat_aoe_info_field_names = [ 'ts', 'resp_l2_addr', 'resp_port', 'orig_l2_addr', 'orig_port', 'command', 'state', 'data' ]"
- code => "event.set('[zeek_cols]', @zeek_ecat_aoe_info_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ecat_aoe_info"
- add_field => {
- "[zeek_cols][service]" => "ethercat"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "ecat_coe_info") {
- #############################################################################################################################
- # ecat_coe_info.log
- # https://github.com/cisagov/icsnpp-ethercat
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_ecat_coe_info_fields"
- rename => { "[zeek_cols][Type]" => "[zeek_cols][type]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_ecat_coe_info"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][number]} %{[zeek_cols][type]} %{[zeek_cols][req_resp]} %{[zeek_cols][index]} %{[zeek_cols][subindex]} %{[zeek_cols][dataoffset]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ecat_coe_info"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ecat_coe_info"
- init => "@zeek_ecat_coe_info_field_names = [ 'ts', 'number', 'type', 'req_resp', 'index', 'subindex', 'dataoffset' ]"
- code => "event.set('[zeek_cols]', @zeek_ecat_coe_info_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ecat_coe_info"
- add_field => {
- "[zeek_cols][service]" => "ethercat"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "ecat_foe_info") {
- #############################################################################################################################
- # ecat_foe_info.log
- # https://github.com/cisagov/icsnpp-ethercat
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_ecat_foe_info_fields"
- rename => { "[zeek_cols][opCode]" => "[zeek_cols][opcode]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_ecat_foe_info"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][opcode]} %{[zeek_cols][reserved]} %{[zeek_cols][packet_num]} %{[zeek_cols][error_code]} %{[zeek_cols][filename]} %{[zeek_cols][data]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ecat_foe_info"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ecat_foe_info"
- init => "@zeek_ecat_foe_info_field_names = [ 'ts', 'opcode', 'reserved', 'packet_num', 'error_code', 'filename', 'data' ]"
- code => "event.set('[zeek_cols]', @zeek_ecat_foe_info_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ecat_foe_info"
- add_field => {
- "[zeek_cols][service]" => "ethercat"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "ecat_soe_info") {
- #############################################################################################################################
- # ecat_soe_info.log
- # https://github.com/cisagov/icsnpp-ethercat
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_ecat_soe_info_fields"
- rename => { "[zeek_cols][opCode]" => "[zeek_cols][opcode]" }
- rename => { "[zeek_cols][element_flags]" => "[zeek_cols][element]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_ecat_soe_info"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][opcode]} %{[zeek_cols][incomplete]} %{[zeek_cols][error]} %{[zeek_cols][drive_num]} %{[zeek_cols][element]} %{[zeek_cols][index]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ecat_soe_info"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ecat_soe_info"
- init => "@zeek_ecat_soe_info_field_names = [ 'ts', 'opcode', 'incomplete', 'error', 'drive_num', 'element', 'index' ]"
- code => "event.set('[zeek_cols]', @zeek_ecat_soe_info_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ecat_soe_info"
- add_field => {
- "[zeek_cols][service]" => "ethercat"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "ecat_arp_info") {
- #############################################################################################################################
- # ecat_arp_info.log
- # https://github.com/cisagov/icsnpp-ethercat
- #
- # NOTE: I currently have this disabled via policy hook in local.zeek, as it is including ALL arps and
- # not just those from ethercat traffic which can be misleading (i.e., indicating ecat traffic where there is none)
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_ecat_arp_info_fields"
- rename => { "[zeek_cols][mac_src]" => "[zeek_cols][orig_l2_addr]" }
- rename => { "[zeek_cols][mac_dst]" => "[zeek_cols][resp_l2_addr]" }
- rename => { "[zeek_cols][SPA]" => "[zeek_cols][orig_proto_addr]" }
- rename => { "[zeek_cols][SHA]" => "[zeek_cols][orig_hw_addr]" }
- rename => { "[zeek_cols][TPA]" => "[zeek_cols][resp_proto_addr]" }
- rename => { "[zeek_cols][THA]" => "[zeek_cols][resp_hw_addr]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_ecat_arp_info"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][arp_type]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][orig_proto_addr]} %{[zeek_cols][orig_hw_addr]} %{[zeek_cols][resp_proto_addr]} %{[zeek_cols][resp_hw_addr]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ecat_arp_info"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ecat_arp_info"
- init => "@zeek_ecat_arp_info_field_names = [ 'ts', 'arp_type', 'orig_l2_addr', 'resp_l2_addr', 'orig_proto_addr', 'orig_hw_addr', 'resp_proto_addr', 'resp_hw_addr' ]"
- code => "event.set('[zeek_cols]', @zeek_ecat_arp_info_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ecat_arp_info"
- add_field => {
- "[zeek_cols][service]" => "ethercat"
- }
- }
-
- # TODO: check orig_proto_addr/orig_hw_addr resp_proto_addr/resp_hw_addr and convert to ip, etc. if necessary?
-
- } else if ([log_source] == "files") {
- #############################################################################################################################
- # files.log
- # https://docs.zeek.org/en/stable/scripts/base/frameworks/files/main.zeek.html#type-Files::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_v51_files_with_all_fields"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][fuid]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][source]} %{[zeek_cols][depth]} %{[zeek_cols][analyzers]} %{[zeek_cols][mime_type]} %{[zeek_cols][filename]} %{[zeek_cols][duration]} %{[zeek_cols][local_orig]} %{[zeek_cols][is_orig]} %{[zeek_cols][seen_bytes]} %{[zeek_cols][total_bytes]} %{[zeek_cols][missing_bytes]} %{[zeek_cols][overflow_bytes]} %{[zeek_cols][timedout]} %{[zeek_cols][parent_fuid]} %{[zeek_cols][md5]} %{[zeek_cols][sha1]} %{[zeek_cols][sha256]} %{[zeek_cols][extracted]} %{[zeek_cols][extracted_cutoff]} %{[zeek_cols][extracted_size]} %{[zeek_cols][ftime]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_files"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_files"
- init => "@zeek_files_field_names = [ 'ts', 'fuid', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'source', 'depth', 'analyzers', 'mime_type', 'filename', 'duration', 'local_orig', 'is_orig', 'seen_bytes', 'total_bytes', 'missing_bytes', 'overflow_bytes', 'timedout', 'parent_fuid', 'md5', 'sha1', 'sha256', 'extracted', 'extracted_cutoff', 'extracted_size', 'ftime' ]"
- code => "event.set('[zeek_cols]', @zeek_files_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- if ([zeek_cols][conn_uids]) and ([zeek_cols][conn_uids] != '(empty)') and ([zeek_cols][conn_uids] != '') {
- mutate { id => "mutate_split_zeek_files_conn_uids"
- split => { "[zeek_cols][conn_uids]" => "," } }
- }
- if ([zeek_cols][tx_hosts]) and ([zeek_cols][tx_hosts] != '(empty)') and ([zeek_cols][tx_hosts] != '') {
- mutate { id => "mutate_split_zeek_files_tx_hosts"
- split => { "[zeek_cols][tx_hosts]" => "," } }
- }
- if ([zeek_cols][rx_hosts]) and ([zeek_cols][rx_hosts] != '(empty)') and ([zeek_cols][rx_hosts] != '') {
- mutate { id => "mutate_split_zeek_files_rx_hosts"
- split => { "[zeek_cols][rx_hosts]" => "," } }
- }
- mutate { id => "mutate_split_zeek_files_parent_fuid_and_analyzers"
- split => { "[zeek_cols][parent_fuid]" => ","
- "[zeek_cols][analyzers]" => "," } }
- }
-
- if ([zeek_cols][conn_uids] and [zeek_cols][conn_uids][0]) {
- mutate {
- id => "mutate_add_field_zeek_files_conn_uids_to_uid"
- add_field => { "[rootId]" => "%{[zeek_cols][conn_uids][0]}"
- "[zeek_cols][uid]" => "%{[zeek_cols][conn_uids][0]}" }
- }
- } else if (![zeek_cols][uid]) {
- mutate {
- id => "mutate_add_fields_zeek_files_fuid_to_uid"
- add_field => { "[zeek_cols][uid]" => "%{[zeek_cols][fuid]}" }
- }
- }
-
- if ([zeek_cols][tx_hosts] and [zeek_cols][tx_hosts][0]) {
- mutate { id => "mutate_add_field_zeek_tx_hosts"
- add_field => { "[source][ip]" => "%{[zeek_cols][tx_hosts][0]}" } }
- }
-
- if ([zeek_cols][rx_hosts] and [zeek_cols][rx_hosts][0]) {
- mutate { id => "mutate_add_field_zeek_rx_hosts"
- add_field => { "[destination][ip]" => "%{[zeek_cols][rx_hosts][0]}" } }
- }
-
-
- } else if ([log_source] == "ftp") {
- #############################################################################################################################
- # ftp.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/ftp/info.zeek.html#type-FTP::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_ftp"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user]} %{[zeek_cols][password]} %{[zeek_cols][command]} %{[zeek_cols][arg]} %{[zeek_cols][mime_type]} %{[zeek_cols][file_size]} %{[zeek_cols][reply_code]} %{[zeek_cols][reply_msg]} %{[zeek_cols][data_channel][passive]} %{[zeek_cols][data_channel][orig_h]} %{[zeek_cols][data_channel][resp_h]} %{[zeek_cols][data_channel][resp_p]} %{[zeek_cols][fuid]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ftp"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ftp"
- init => "@zeek_ftp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'user', 'password', 'command', 'arg', 'mime_type', 'file_size', 'reply_code', 'reply_msg', 'data_channel.passive', 'data_channel.orig_h', 'data_channel.resp_h', 'data_channel.resp_p', 'fuid' ]"
- code => "event.set('[zeek_cols]', @zeek_ftp_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ftp"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "ftp"
- }
- }
-
- } else if ([log_source] == "ge_srtp") {
- #############################################################################################################################
- # ge_srtp_general.log
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_ge_srtp_log"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][srtp_type]} %{[zeek_cols][sequence_number_1]} %{[zeek_cols][text_length]} %{[zeek_cols][time_seconds]} %{[zeek_cols][time_minutes]} %{[zeek_cols][time_hours]} %{[zeek_cols][sequence_number_2]} %{[zeek_cols][message_type]} %{[zeek_cols][mailbox_source]} %{[zeek_cols][mailbox_destination]} %{[zeek_cols][packet_number]} %{[zeek_cols][total_packet_number]} %{[zeek_cols][service_request_code]} %{[zeek_cols][segment_selector]} %{[zeek_cols][memory_offset]} %{[zeek_cols][data_length]} %{[zeek_cols][status_code]} %{[zeek_cols][minor_status_code]} %{[zeek_cols][data_requested]} %{[zeek_cols][control_program_number]} %{[zeek_cols][current_privilege_level]} %{[zeek_cols][last_sweep_time]} %{[zeek_cols][oversweep_flag]} %{[zeek_cols][constant_sweep_mode]} %{[zeek_cols][plc_fault_entry_last_read]} %{[zeek_cols][io_fault_entry_last_read]} %{[zeek_cols][plc_fault_entry_present]} %{[zeek_cols][io_fault_entry_present]} %{[zeek_cols][programmer_attachment]} %{[zeek_cols][front_panel_enable_switch]} %{[zeek_cols][front_panel_run_switch]} %{[zeek_cols][oem_protected]} %{[zeek_cols][plc_state]}"
- }
- }
-
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ge_srtp_log"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ge_srtp_log"
- init => "$zeek_ge_srtp_log_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'srtp_type', 'sequence_number_1', 'text_length', 'time_seconds', 'time_minutes', 'time_hours', 'sequence_number_2', 'message_type', 'mailbox_source', 'mailbox_destination', 'packet_number', 'total_packet_number', 'service_request_code', 'segment_selector', 'memory_offset', 'data_length', 'status_code', 'minor_status_code', 'data_requested', 'control_program_number', 'current_privilege_level', 'last_sweep_time', 'oversweep_flag', 'constant_sweep_mode', 'plc_fault_entry_last_read', 'io_fault_entry_last_read', 'plc_fault_entry_present', 'io_fault_entry_present', 'programmer_attachment', 'front_panel_enable_switch', 'front_panel_run_switch', 'oem_protected', 'plc_state' ]"
- code => "event.set('[zeek_cols]', $zeek_ge_srtp_log_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate { id => "mutate_remove_field_ge_srtp_proto"
- remove_field => [ "[zeek_cols][proto]" ] }
- mutate {
- id => "mutate_add_fields_zeek_ge_srtp_log"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "ge_srtp"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "genisys") {
- #############################################################################################################################
- # genisys.log
- # https://github.com/cisagov/icsnpp-genisys
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_genisys_fields"
- rename => { "[zeek_cols][payload]" => "[zeek_cols][payload_raw]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_genisys"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][header]} %{[zeek_cols][server]} %{[zeek_cols][direction]} %{[zeek_cols][crc_transmitted]} %{[zeek_cols][crc_calculated]} %{[zeek_cols][payload_raw]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_genisys"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_genisys"
- init => "@zeek_genisys_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'header', 'server', 'direction', 'crc_transmitted', 'crc_calculated', 'payload_raw' ]"
- code => "event.set('[zeek_cols]', @zeek_genisys_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_genisys"
- add_field => {
- "[zeek_cols][service]" => "genisys"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "gquic") {
- #############################################################################################################################
- # gquic.log
- # https://github.com/salesforce/GQUIC_Protocol_Analyzer/blob/master/scripts/Salesforce/GQUIC/main.bro
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_gquic"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][server_name]} %{[zeek_cols][user_agent]} %{[zeek_cols][tag_count]} %{[zeek_cols][cyu]} %{[zeek_cols][cyutags]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_gquic"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_gquic"
- init => "@zeek_gquic_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'server_name', 'user_agent', 'tag_count', 'cyu', 'cyutags' ]"
- code => "event.set('[zeek_cols]', @zeek_gquic_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_gquic"
- add_field => {
- "[zeek_cols][proto]" => "udp"
- "[zeek_cols][service]" => "quic"
- }
- }
-
- } else if ([log_source] == "hart_ip_common_commands") {
- #############################################################################################################################
- # hart_ip_common_commands.log
- # main.zeek (https://github.com/cisagov/icsnpp-hart-ip)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_hart_ip_common_commands"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][read_device_variables_request_slot0_device_variable_code]} %{[zeek_cols][read_device_variables_request_slot1_device_variable_code]} %{[zeek_cols][read_device_variables_request_slot2_device_variable_code]} %{[zeek_cols][read_device_variables_request_slot3_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot0_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot0_units_code]} %{[zeek_cols][read_device_variables_response_slot0_device_variable]} %{[zeek_cols][read_device_variables_response_slot1_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot1_units_code]} %{[zeek_cols][read_device_variables_response_slot1_device_variable]} %{[zeek_cols][read_device_variables_response_slot2_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot2_units_code]} %{[zeek_cols][read_device_variables_response_slot2_device_variable]} %{[zeek_cols][read_device_variables_response_slot3_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot3_units_code]} %{[zeek_cols][read_device_variables_response_slot3_device_variable]} %{[zeek_cols][write_primary_variable_damping_value_pv_damping_value]} %{[zeek_cols][write_primary_variable_range_values_pv_upper_and_lower_range_values_units_code]} %{[zeek_cols][write_primary_variable_range_values_pv_upper_range_value]} %{[zeek_cols][write_primary_variable_range_values_p_v_lower_range_value]} %{[zeek_cols][eeprom_control_eeprom_control_code]} %{[zeek_cols][enter_exit_fixed_current_mode_pv_fixed_current_level]} %{[zeek_cols][write_primary_variable_units_pv_unit_codes]} %{[zeek_cols][trim_loop_current_zero_measured_pv_loop_current_level]} %{[zeek_cols][trim_loop_current_gain_measured_pv_loop_current_level]} 
%{[zeek_cols][write_primary_variable_transfer_function_p_v_transfer_function_code]} %{[zeek_cols][write_primary_variable_transducer_serial_number_pv_transducer_serial_number]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_primary_variable]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_secondary_variable]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_tertiary_variable]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_quaternary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_primary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_secondary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_tertiary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_quaternary_variable]} %{[zeek_cols][set_device_variable_zero_device_variable_zeroed]} %{[zeek_cols][write_device_variable_units_device_variable_code]} %{[zeek_cols][write_device_variable_units_device_variable_units_code]} %{[zeek_cols][read_device_variable_information_request_device_variable_code]} %{[zeek_cols][read_device_variable_information_response_device_variable_code]} %{[zeek_cols][read_device_variable_information_response_device_variable_transducer_serial_number]} %{[zeek_cols][read_device_variable_information_response_device_variable_limits_minimum_span_units_code]} %{[zeek_cols][read_device_variable_information_response_device_variable_upper_transducer_limit]} %{[zeek_cols][read_device_variable_information_response_device_variable_lower_transducer_limit]} %{[zeek_cols][read_device_variable_information_response_device_variable_damping_value]} %{[zeek_cols][read_device_variable_information_response_device_variable_minimum_span]} 
%{[zeek_cols][read_device_variable_information_response_device_variable_classification]} %{[zeek_cols][read_device_variable_information_response_device_variable_family]} %{[zeek_cols][read_device_variable_information_response_acquisition_period]} %{[zeek_cols][read_device_variable_information_response_device_variable_properties_is_simulated]} %{[zeek_cols][read_device_variable_information_response_device_variable_properties_undefined_bits_1_6]} %{[zeek_cols][read_device_variable_information_response_device_variable_properties_is_input]} %{[zeek_cols][write_device_variable_damping_value_device_variable_code]} %{[zeek_cols][write_device_variable_damping_value_device_variable_damping_value]} %{[zeek_cols][write_device_variable_transducer_serial_no_device_variable_code]} %{[zeek_cols][write_device_variable_transducer_serial_no_device_variable_transducer_serial_number]} %{[zeek_cols][read_unit_tag_descriptor_date_response_unit_tag]} %{[zeek_cols][read_unit_tag_descriptor_date_response_unit_descriptor]} %{[zeek_cols][read_unit_tag_descriptor_date_response_unit_date]} %{[zeek_cols][write_unit_tag_descriptor_date_unit_tag]} %{[zeek_cols][write_unit_tag_descriptor_date_unit_descriptor]} %{[zeek_cols][write_unit_tag_descriptor_date_unit_date]} %{[zeek_cols][write_number_of_response_preambles_number_of_preambles]} %{[zeek_cols][read_analog_channel_and_percent_of_range_request_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_units_code]} %{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_level]} %{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_percent_of_range]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_channel_units_code]} 
%{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_level]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot0]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot1]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot2]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot3]} %{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot0]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot0]} %{[zeek_cols][read_analog_channels_response_analog_channel_level_slot0]} %{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot1]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot1]} %{[zeek_cols][read_analog_channels_response_analog_channel_level_slot1]} %{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot2]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot2]} %{[zeek_cols][read_analog_channels_response_analog_channel_level_slot2]} 
%{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot3]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot3]} %{[zeek_cols][read_analog_channels_response_analog_channel_level_slot3]} %{[zeek_cols][read_analog_channel_information_request_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_alarm_selection_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_transfer_function_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_upper_and_lower_range_values_units_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_upper_range_value]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_lower_range_value]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_damping_value]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_flags_is_simulated]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_flags_undefined_bits_1_6]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_flags_is_input]} %{[zeek_cols][write_analog_channel_additional_damping_value_analog_channel_number_code]} %{[zeek_cols][write_analog_channel_additional_damping_value_analog_channel_damping_value]} %{[zeek_cols][write_analog_channel_range_values_analog_channel_number_code]} %{[zeek_cols][write_analog_channel_range_values_analog_channel_upper_and_lower_range_values_units_code]} %{[zeek_cols][write_analog_channel_range_values_analog_channel_upper_range_value]} %{[zeek_cols][write_analog_channel_range_values_analog_channel_lower_range_value]} %{[zeek_cols][enter_exit_fixed_analog_channel_mode_analog_channel_number_code]} %{[zeek_cols][enter_exit_fixed_analog_channel_mode_analog_channel_units_code]} 
%{[zeek_cols][enter_exit_fixed_analog_channel_mode_fixed_analog_channel_level]} %{[zeek_cols][trim_analog_channel_zero_analog_channel_number_code]} %{[zeek_cols][trim_analog_channel_zero_analog_channel_units_code]} %{[zeek_cols][trim_analog_channel_zero_analog_channel_level]} %{[zeek_cols][trim_analog_channel_gain_analog_channel_number_code]} %{[zeek_cols][trim_analog_channel_gain_analog_channel_units_code]} %{[zeek_cols][trim_analog_channel_gain_analog_channel_level]} %{[zeek_cols][write_analog_channel_transfer_function_analog_channel_number_code]} %{[zeek_cols][write_analog_channel_transfer_function_analog_channel_units_code]} %{[zeek_cols][read_analog_channel_endpoint_values_request_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_upper_and_lower_endpoint_values_units_code]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_upper_endpoint_value]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_lower_endpoint_value]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_upper_limit_value]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_lower_limit_value]} %{[zeek_cols][lock_device_lock_code]} %{[zeek_cols][squawk_squawk_control]} %{[zeek_cols][find_device_response_254]} %{[zeek_cols][find_device_response_expanded_device_type]} %{[zeek_cols][find_device_response_minimum_preambles_master_slave]} %{[zeek_cols][find_device_response_hart_protocol_major_revision]} %{[zeek_cols][find_device_response_device_revision_level]} %{[zeek_cols][find_device_response_software_revision_level]} %{[zeek_cols][find_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][find_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} 
%{[zeek_cols][find_device_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][find_device_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][find_device_response_flags_undefined_5]} %{[zeek_cols][find_device_response_flags_safehart_capable_field_device]} %{[zeek_cols][find_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][find_device_response_flags_protocol_bridge_device]} %{[zeek_cols][find_device_response_flags_eeprom_control]} %{[zeek_cols][find_device_response_flags_mutli_sensor_field_device]} %{[zeek_cols][find_device_response_device_id]} %{[zeek_cols][find_device_response_number_preambles_slave_master]} %{[zeek_cols][find_device_response_last_device_variable_this]} %{[zeek_cols][find_device_response_configuration_change_counter]} %{[zeek_cols][find_device_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][find_device_response_extended_field_device_status_function_check]} %{[zeek_cols][find_device_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][find_device_response_extended_field_device_status_failure]} %{[zeek_cols][find_device_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][find_device_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][find_device_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][find_device_response_manufacturer_identification_code]} %{[zeek_cols][find_device_response_private_label_distributor_code]} %{[zeek_cols][find_device_response_device_profile]} %{[zeek_cols][read_io_system_capabilities_response_max_io_cards]} %{[zeek_cols][read_io_system_capabilities_response_max_channels_per_io_card]} %{[zeek_cols][read_io_system_capabilities_response_max_sub_devices_per_channel]} %{[zeek_cols][read_io_system_capabilities_response_number_of_devices_detected]} %{[zeek_cols][read_io_system_capabilities_response_max_delayed_responses_supported]} 
%{[zeek_cols][read_io_system_capabilities_response_master_mode]} %{[zeek_cols][read_io_system_capabilities_response_retry_count]} %{[zeek_cols][poll_sub_device_request_io_card]} %{[zeek_cols][poll_sub_device_request_channel]} %{[zeek_cols][poll_sub_device_request_sub_device_polling_address]} %{[zeek_cols][poll_sub_device_response_254]} %{[zeek_cols][poll_sub_device_response_expanded_device_type]} %{[zeek_cols][poll_sub_device_response_minimum_preambles_master_slave]} %{[zeek_cols][poll_sub_device_response_hart_protocol_major_revision]} %{[zeek_cols][poll_sub_device_response_device_revision_level]} %{[zeek_cols][poll_sub_device_response_software_revision_level]} %{[zeek_cols][poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][poll_sub_device_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][poll_sub_device_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][poll_sub_device_response_flags_undefined_5]} %{[zeek_cols][poll_sub_device_response_flags_safehart_capable_field_device]} %{[zeek_cols][poll_sub_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][poll_sub_device_response_flags_protocol_bridge_device]} %{[zeek_cols][poll_sub_device_response_flags_eeprom_control]} %{[zeek_cols][poll_sub_device_response_flags_mutli_sensor_field_device]} %{[zeek_cols][poll_sub_device_response_device_id]} %{[zeek_cols][poll_sub_device_response_number_preambles_slave_master]} %{[zeek_cols][poll_sub_device_response_last_device_variable_this]} %{[zeek_cols][poll_sub_device_response_configuration_change_counter]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_function_check]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_out_of_specification]} 
%{[zeek_cols][poll_sub_device_response_extended_field_device_status_failure]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][poll_sub_device_response_manufacturer_identification_code]} %{[zeek_cols][poll_sub_device_response_private_label_distributor_code]} %{[zeek_cols][poll_sub_device_response_device_profile]} %{[zeek_cols][read_lock_device_state_response_lock_status_undefined_bits]} %{[zeek_cols][read_lock_device_state_response_lock_status_lock_gateway]} %{[zeek_cols][read_lock_device_state_response_lock_status_configuration_locked]} %{[zeek_cols][read_lock_device_state_response_lock_status_lock_primary]} %{[zeek_cols][read_lock_device_state_response_lock_status_lock_permanent]} %{[zeek_cols][read_lock_device_state_response_lock_status_device_locked]} %{[zeek_cols][write_device_variable_device_variable_code]} %{[zeek_cols][write_device_variable_write_device_variable_command_code]} %{[zeek_cols][write_device_variable_units_code]} %{[zeek_cols][write_device_variable_device_variable_value]} %{[zeek_cols][write_device_variable_device_variable_status_process_data_status]} %{[zeek_cols][write_device_variable_device_variable_status_limit_status]} %{[zeek_cols][write_device_variable_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][write_device_variable_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_trim_points_device_variable_code]} %{[zeek_cols][read_device_variable_trim_points_response_trim_points_units_code]} %{[zeek_cols][read_device_variable_trim_points_response_lower_or_single_trim_point]} %{[zeek_cols][read_device_variable_trim_points_response_upper_trim_point]} %{[zeek_cols][read_device_variable_trim_guidelines_device_variable_guidelines]} 
%{[zeek_cols][write_device_variable_trim_point_device_variable_to_trim]} %{[zeek_cols][write_device_variable_trim_point_trim_point]} %{[zeek_cols][write_device_variable_trim_point_trim_points_units_code]} %{[zeek_cols][write_device_variable_trim_point_trim_point_value]} %{[zeek_cols][reset_device_variable_trim_device_variable_trim_to_reset]} %{[zeek_cols][read_sub_device_identity_summary_sub_device_index]} %{[zeek_cols][read_sub_device_identity_summary_response_io_card]} %{[zeek_cols][read_sub_device_identity_summary_response_channel]} %{[zeek_cols][read_sub_device_identity_summary_response_manufacturer_identification_code]} %{[zeek_cols][read_sub_device_identity_summary_response_expanded_device_type]} %{[zeek_cols][read_sub_device_identity_summary_response_device_id]} %{[zeek_cols][read_sub_device_identity_summary_response_universal_command_revision_level]} %{[zeek_cols][read_sub_device_identity_summary_response_long_tag]} %{[zeek_cols][read_sub_device_identity_summary_response_device_revision]} %{[zeek_cols][read_sub_device_identity_summary_response_device_profile]} %{[zeek_cols][read_sub_device_identity_summary_response_private_label_distributor_code]} %{[zeek_cols][read_io_channel_statistics_io_card]} %{[zeek_cols][read_io_channel_statistics_channel]} %{[zeek_cols][read_io_channel_statistics_response_stx_count]} %{[zeek_cols][read_io_channel_statistics_response_ack_count]} %{[zeek_cols][read_io_channel_statistics_response_ostx_count]} %{[zeek_cols][read_io_channel_statistics_response_oack_count]} %{[zeek_cols][read_io_channel_statistics_response_back_count]} %{[zeek_cols][read_sub_device_statistics_sub_device_index]} %{[zeek_cols][read_sub_device_statistics_response_stx_count]} %{[zeek_cols][read_sub_device_statistics_response_ack_count]} %{[zeek_cols][read_sub_device_statistics_response_back_count]} %{[zeek_cols][write_io_system_master_mode_master_mode]} %{[zeek_cols][write_io_system_retry_count_retry_count]} %{[zeek_cols][set_real_time_clock_time_set_code]} 
%{[zeek_cols][set_real_time_clock_date]} %{[zeek_cols][set_real_time_clock_time_of_day]} %{[zeek_cols][set_real_time_clock_null_bytes]}"
- }
- }
-
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_hart_ip_common_commands"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_hart_ip_common_commands"
- init => "$zeek_hart_ip_common_commands_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'command_number_link_id', 'read_device_variables_request_slot0_device_variable_code', 'read_device_variables_request_slot1_device_variable_code', 'read_device_variables_request_slot2_device_variable_code', 'read_device_variables_request_slot3_device_variable_code', 'read_device_variables_response_slot0_device_variable_code', 'read_device_variables_response_slot0_units_code', 'read_device_variables_response_slot0_device_variable', 'read_device_variables_response_slot1_device_variable_code', 'read_device_variables_response_slot1_units_code', 'read_device_variables_response_slot1_device_variable', 'read_device_variables_response_slot2_device_variable_code', 'read_device_variables_response_slot2_units_code', 'read_device_variables_response_slot2_device_variable', 'read_device_variables_response_slot3_device_variable_code', 'read_device_variables_response_slot3_units_code', 'read_device_variables_response_slot3_device_variable', 'write_primary_variable_damping_value_pv_damping_value', 'write_primary_variable_range_values_pv_upper_and_lower_range_values_units_code', 'write_primary_variable_range_values_pv_upper_range_value', 'write_primary_variable_range_values_p_v_lower_range_value', 'eeprom_control_eeprom_control_code', 'enter_exit_fixed_current_mode_pv_fixed_current_level', 'write_primary_variable_units_pv_unit_codes', 'trim_loop_current_zero_measured_pv_loop_current_level', 'trim_loop_current_gain_measured_pv_loop_current_level', 'write_primary_variable_transfer_function_p_v_transfer_function_code', 'write_primary_variable_transducer_serial_number_pv_transducer_serial_number', 'read_dynamic_variable_assignments_response_device_variable_assigned_to_primary_variable', 'read_dynamic_variable_assignments_response_device_variable_assigned_to_secondary_variable', 'read_dynamic_variable_assignments_response_device_variable_assigned_to_tertiary_variable', 
'read_dynamic_variable_assignments_response_device_variable_assigned_to_quaternary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_primary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_secondary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_tertiary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_quaternary_variable', 'set_device_variable_zero_device_variable_zeroed', 'write_device_variable_units_device_variable_code', 'write_device_variable_units_device_variable_units_code', 'read_device_variable_information_request_device_variable_code', 'read_device_variable_information_response_device_variable_code', 'read_device_variable_information_response_device_variable_transducer_serial_number', 'read_device_variable_information_response_device_variable_limits_minimum_span_units_code', 'read_device_variable_information_response_device_variable_upper_transducer_limit', 'read_device_variable_information_response_device_variable_lower_transducer_limit', 'read_device_variable_information_response_device_variable_damping_value', 'read_device_variable_information_response_device_variable_minimum_span', 'read_device_variable_information_response_device_variable_classification', 'read_device_variable_information_response_device_variable_family', 'read_device_variable_information_response_acquisition_period', 'read_device_variable_information_response_device_variable_properties_is_simulated', 'read_device_variable_information_response_device_variable_properties_undefined_bits_1_6', 'read_device_variable_information_response_device_variable_properties_is_input', 'write_device_variable_damping_value_device_variable_code', 'write_device_variable_damping_value_device_variable_damping_value', 'write_device_variable_transducer_serial_no_device_variable_code', 'write_device_variable_transducer_serial_no_device_variable_transducer_serial_number', 
'read_unit_tag_descriptor_date_response_unit_tag', 'read_unit_tag_descriptor_date_response_unit_descriptor', 'read_unit_tag_descriptor_date_response_unit_date', 'write_unit_tag_descriptor_date_unit_tag', 'write_unit_tag_descriptor_date_unit_descriptor', 'write_unit_tag_descriptor_date_unit_date', 'write_number_of_response_preambles_number_of_preambles', 'read_analog_channel_and_percent_of_range_request_analog_channel_number_code', 'read_analog_channel_and_percent_of_range_response_analog_channel_number_code', 'read_analog_channel_and_percent_of_range_response_analog_channel_units_code', 'read_analog_channel_and_percent_of_range_response_analog_channel_level', 'read_analog_channel_and_percent_of_range_response_analog_channel_percent_of_range', 'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_channel_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_level', 'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable', 'read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable', 'read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable', 'read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable', 'read_analog_channels_request_analog_channel_number_code_slot0', 'read_analog_channels_request_analog_channel_number_code_slot1', 'read_analog_channels_request_analog_channel_number_code_slot2', 'read_analog_channels_request_analog_channel_number_code_slot3', 
'read_analog_channels_response_analog_channel_number_code_slot0', 'read_analog_channels_response_analog_channel_units_code_slot0', 'read_analog_channels_response_analog_channel_level_slot0', 'read_analog_channels_response_analog_channel_number_code_slot1', 'read_analog_channels_response_analog_channel_units_code_slot1', 'read_analog_channels_response_analog_channel_level_slot1', 'read_analog_channels_response_analog_channel_number_code_slot2', 'read_analog_channels_response_analog_channel_units_code_slot2', 'read_analog_channels_response_analog_channel_level_slot2', 'read_analog_channels_response_analog_channel_number_code_slot3', 'read_analog_channels_response_analog_channel_units_code_slot3', 'read_analog_channels_response_analog_channel_level_slot3', 'read_analog_channel_information_request_analog_channel_number_code', 'read_analog_channel_information_response_analog_channel_number_code', 'read_analog_channel_information_response_analog_channel_alarm_selection_code', 'read_analog_channel_information_response_analog_channel_transfer_function_code', 'read_analog_channel_information_response_analog_channel_upper_and_lower_range_values_units_code', 'read_analog_channel_information_response_analog_channel_upper_range_value', 'read_analog_channel_information_response_analog_channel_lower_range_value', 'read_analog_channel_information_response_analog_channel_damping_value', 'read_analog_channel_information_response_analog_channel_flags_is_simulated', 'read_analog_channel_information_response_analog_channel_flags_undefined_bits_1_6', 'read_analog_channel_information_response_analog_channel_flags_is_input', 'write_analog_channel_additional_damping_value_analog_channel_number_code', 'write_analog_channel_additional_damping_value_analog_channel_damping_value', 'write_analog_channel_range_values_analog_channel_number_code', 'write_analog_channel_range_values_analog_channel_upper_and_lower_range_values_units_code', 
'write_analog_channel_range_values_analog_channel_upper_range_value', 'write_analog_channel_range_values_analog_channel_lower_range_value', 'enter_exit_fixed_analog_channel_mode_analog_channel_number_code', 'enter_exit_fixed_analog_channel_mode_analog_channel_units_code', 'enter_exit_fixed_analog_channel_mode_fixed_analog_channel_level', 'trim_analog_channel_zero_analog_channel_number_code', 'trim_analog_channel_zero_analog_channel_units_code', 'trim_analog_channel_zero_analog_channel_level', 'trim_analog_channel_gain_analog_channel_number_code', 'trim_analog_channel_gain_analog_channel_units_code', 'trim_analog_channel_gain_analog_channel_level', 'write_analog_channel_transfer_function_analog_channel_number_code', 'write_analog_channel_transfer_function_analog_channel_units_code', 'read_analog_channel_endpoint_values_request_analog_channel_number_code', 'read_analog_channel_endpoint_values_response_analog_channel_number_code', 'read_analog_channel_endpoint_values_response_analog_channel_upper_and_lower_endpoint_values_units_code', 'read_analog_channel_endpoint_values_response_analog_channel_upper_endpoint_value', 'read_analog_channel_endpoint_values_response_analog_channel_lower_endpoint_value', 'read_analog_channel_endpoint_values_response_analog_channel_upper_limit_value', 'read_analog_channel_endpoint_values_response_analog_channel_lower_limit_value', 'lock_device_lock_code', 'squawk_squawk_control', 'find_device_response_254', 'find_device_response_expanded_device_type', 'find_device_response_minimum_preambles_master_slave', 'find_device_response_hart_protocol_major_revision', 'find_device_response_device_revision_level', 'find_device_response_software_revision_level', 'find_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'find_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'find_device_response_flags_c8_psk_in_multi_drop_only', 
'find_device_response_flags_c8_psk_capable_field_device', 'find_device_response_flags_undefined_5', 'find_device_response_flags_safehart_capable_field_device', 'find_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'find_device_response_flags_protocol_bridge_device', 'find_device_response_flags_eeprom_control', 'find_device_response_flags_mutli_sensor_field_device', 'find_device_response_device_id', 'find_device_response_number_preambles_slave_master', 'find_device_response_last_device_variable_this', 'find_device_response_configuration_change_counter', 'find_device_response_extended_field_device_status_undefined_bits', 'find_device_response_extended_field_device_status_function_check', 'find_device_response_extended_field_device_status_out_of_specification', 'find_device_response_extended_field_device_status_failure', 'find_device_response_extended_field_device_status_critical_power_failure', 'find_device_response_extended_field_device_status_device_variable_alert', 'find_device_response_extended_field_device_status_maintenance_required', 'find_device_response_manufacturer_identification_code', 'find_device_response_private_label_distributor_code', 'find_device_response_device_profile', 'read_io_system_capabilities_response_max_io_cards', 'read_io_system_capabilities_response_max_channels_per_io_card', 'read_io_system_capabilities_response_max_sub_devices_per_channel', 'read_io_system_capabilities_response_number_of_devices_detected', 'read_io_system_capabilities_response_max_delayed_responses_supported', 'read_io_system_capabilities_response_master_mode', 'read_io_system_capabilities_response_retry_count', 'poll_sub_device_request_io_card', 'poll_sub_device_request_channel', 'poll_sub_device_request_sub_device_polling_address', 'poll_sub_device_response_254', 'poll_sub_device_response_expanded_device_type', 'poll_sub_device_response_minimum_preambles_master_slave', 'poll_sub_device_response_hart_protocol_major_revision', 
'poll_sub_device_response_device_revision_level', 'poll_sub_device_response_software_revision_level', 'poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'poll_sub_device_response_flags_c8_psk_in_multi_drop_only', 'poll_sub_device_response_flags_c8_psk_capable_field_device', 'poll_sub_device_response_flags_undefined_5', 'poll_sub_device_response_flags_safehart_capable_field_device', 'poll_sub_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'poll_sub_device_response_flags_protocol_bridge_device', 'poll_sub_device_response_flags_eeprom_control', 'poll_sub_device_response_flags_mutli_sensor_field_device', 'poll_sub_device_response_device_id', 'poll_sub_device_response_number_preambles_slave_master', 'poll_sub_device_response_last_device_variable_this', 'poll_sub_device_response_configuration_change_counter', 'poll_sub_device_response_extended_field_device_status_undefined_bits', 'poll_sub_device_response_extended_field_device_status_function_check', 'poll_sub_device_response_extended_field_device_status_out_of_specification', 'poll_sub_device_response_extended_field_device_status_failure', 'poll_sub_device_response_extended_field_device_status_critical_power_failure', 'poll_sub_device_response_extended_field_device_status_device_variable_alert', 'poll_sub_device_response_extended_field_device_status_maintenance_required', 'poll_sub_device_response_manufacturer_identification_code', 'poll_sub_device_response_private_label_distributor_code', 'poll_sub_device_response_device_profile', 'read_lock_device_state_response_lock_status_undefined_bits', 'read_lock_device_state_response_lock_status_lock_gateway', 'read_lock_device_state_response_lock_status_configuration_locked', 'read_lock_device_state_response_lock_status_lock_primary', 'read_lock_device_state_response_lock_status_lock_permanent', 
'read_lock_device_state_response_lock_status_device_locked', 'write_device_variable_device_variable_code', 'write_device_variable_write_device_variable_command_code', 'write_device_variable_units_code', 'write_device_variable_device_variable_value', 'write_device_variable_device_variable_status_process_data_status', 'write_device_variable_device_variable_status_limit_status', 'write_device_variable_device_variable_status_more_device_variable_status_available', 'write_device_variable_device_variable_status_device_family_specific_status', 'read_device_variable_trim_points_device_variable_code', 'read_device_variable_trim_points_response_trim_points_units_code', 'read_device_variable_trim_points_response_lower_or_single_trim_point', 'read_device_variable_trim_points_response_upper_trim_point', 'read_device_variable_trim_guidelines_device_variable_guidelines', 'write_device_variable_trim_point_device_variable_to_trim', 'write_device_variable_trim_point_trim_point', 'write_device_variable_trim_point_trim_points_units_code', 'write_device_variable_trim_point_trim_point_value', 'reset_device_variable_trim_device_variable_trim_to_reset', 'read_sub_device_identity_summary_sub_device_index', 'read_sub_device_identity_summary_response_io_card', 'read_sub_device_identity_summary_response_channel', 'read_sub_device_identity_summary_response_manufacturer_identification_code', 'read_sub_device_identity_summary_response_expanded_device_type', 'read_sub_device_identity_summary_response_device_id', 'read_sub_device_identity_summary_response_universal_command_revision_level', 'read_sub_device_identity_summary_response_long_tag', 'read_sub_device_identity_summary_response_device_revision', 'read_sub_device_identity_summary_response_device_profile', 'read_sub_device_identity_summary_response_private_label_distributor_code', 'read_io_channel_statistics_io_card', 'read_io_channel_statistics_channel', 'read_io_channel_statistics_response_stx_count', 
'read_io_channel_statistics_response_ack_count', 'read_io_channel_statistics_response_ostx_count', 'read_io_channel_statistics_response_oack_count', 'read_io_channel_statistics_response_back_count', 'read_sub_device_statistics_sub_device_index', 'read_sub_device_statistics_response_stx_count', 'read_sub_device_statistics_response_ack_count', 'read_sub_device_statistics_response_back_count', 'write_io_system_master_mode_master_mode', 'write_io_system_retry_count_retry_count', 'set_real_time_clock_time_set_code', 'set_real_time_clock_date', 'set_real_time_clock_time_of_day', 'set_real_time_clock_null_bytes' ]"
- code => "event.set('[zeek_cols]', $zeek_hart_ip_common_commands_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_hart_ip_common_commands"
- add_field => {
- "[zeek_cols][service]" => "hart_ip"
- }
- add_tag => [ "ics" ]
- }
-
- # The "proto" field in these logs is useless.
- # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed
- # The other fields are basically just placeholders we don't want to store the raw data for.
- mutate { id => "mutate_remove_field_zeek_hart_ip_common_commands_proto"
- remove_field => [ "[zeek_cols][proto]",
- "[zeek][hart_ip][token_passing_pdu_contents_data_data]",
- "[zeek][hart_ip][message_packet_bytes]",
- "[zeek][hart_ip][token_passing_pdu_contents_data_data]" ] }
-
-
- } else if ([log_source] == "hart_ip_direct_pdu_command") {
- #############################################################################################################################
- # hart_ip_direct_pdu_command.log
- # main.zeek (https://github.com/cisagov/icsnpp-hart-ip)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_hart_ip_direct_pdu_command"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][direct_pdu_command_link_id]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][direct_pdu_command_data_data]} %{[zeek_cols][direct_pdu_command_command_number]} %{[zeek_cols][direct_pdu_command_byte_count]} %{[zeek_cols][direct_pdu_contents_response_response_code]}"
- }
- }
-
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_hart_ip_direct_pdu_command"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_hart_ip_direct_pdu_command"
- init => "$zeek_hart_ip_direct_pdu_command_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'direct_pdu_command_link_id', 'command_number_link_id', 'direct_pdu_command_data_data', 'direct_pdu_command_command_number', 'direct_pdu_command_byte_count', 'direct_pdu_contents_response_response_code' ]"
- code => "event.set('[zeek_cols]', $zeek_hart_ip_direct_pdu_command_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_hart_ip_direct_pdu_command"
- add_field => {
- "[zeek_cols][service]" => "hart_ip"
- }
- add_tag => [ "ics" ]
- }
-
- # The "proto" field in these logs is useless.
- # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed
- if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_direct_pdu_command_proto"
- remove_field => [ "[zeek_cols][proto]" ] } }
-
- } else if ([log_source] == "hart_ip") {
- #############################################################################################################################
- # hart_ip.log
- # main.zeek (https://github.com/cisagov/icsnpp-hart-ip)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_hart_ip"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][direct_pdu_command_link_id]} %{[zeek_cols][session_log_record_link_id]} %{[zeek_cols][message_packet_bytes]} %{[zeek_cols][header_version]} %{[zeek_cols][header_message_type_reserved]} %{[zeek_cols][header_message_type_message_type]} %{[zeek_cols][header_message_id]} %{[zeek_cols][header_status_code]} %{[zeek_cols][header_sequence_number]} %{[zeek_cols][header_length]} %{[zeek_cols][session_initiate_master_type]} %{[zeek_cols][session_initiate_inactivity_close_timer]} %{[zeek_cols][token_passing_pdu_delimiter_address_type]} %{[zeek_cols][token_passing_pdu_delimiter_expansion_bytes]} %{[zeek_cols][token_passing_pdu_delimiter_physical_layer_type]} %{[zeek_cols][token_passing_pdu_delimiter_frame_type]} %{[zeek_cols][token_passing_pdu_address_v4]} %{[zeek_cols][token_passing_pdu_address_v6]} %{[zeek_cols][token_passing_pdu_command_number]} %{[zeek_cols][token_passing_pdu_byte_count]} %{[zeek_cols][token_passing_pdu_check_byte]} %{[zeek_cols][token_passing_pdu_contents_data_data]} %{[zeek_cols][token_passing_pdu_contents_response_response_code]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_device_malfunction]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_configuration_changed]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_cold_start]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_more_status_available]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_loop_current_fixed]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_loop_current_saturated]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_non_primary_variable_out_of_limits]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_primary_variable_out_of_limits]} 
%{[zeek_cols][direct_pdu_device_status_device_malfunction]} %{[zeek_cols][direct_pdu_device_status_configuration_changed]} %{[zeek_cols][direct_pdu_device_status_cold_start]} %{[zeek_cols][direct_pdu_device_status_more_status_available]} %{[zeek_cols][direct_pdu_device_status_loop_current_fixed]} %{[zeek_cols][direct_pdu_device_status_loop_current_saturated]} %{[zeek_cols][direct_pdu_device_status_non_primary_variable_out_of_limits]} %{[zeek_cols][direct_pdu_device_status_primary_variable_out_of_limits]} %{[zeek_cols][direct_pdu_extended_status_undefined_bits]} %{[zeek_cols][direct_pdu_extended_status_function_check]} %{[zeek_cols][direct_pdu_extended_status_out_of_specification]} %{[zeek_cols][direct_pdu_extended_status_failure]} %{[zeek_cols][direct_pdu_extended_status_critical_power_failure]} %{[zeek_cols][direct_pdu_extended_status_device_variable_alert]} %{[zeek_cols][direct_pdu_extended_status_maintenance_required]} %{[zeek_cols][read_audit_log_start_record]} %{[zeek_cols][read_audit_log_number_of_records]} %{[zeek_cols][read_audit_log_power_up_time]} %{[zeek_cols][read_audit_log_last_security_change]} %{[zeek_cols][read_audit_log_server_status_undefined_bits]} %{[zeek_cols][read_audit_log_server_status_insecure_syslog_connection]} %{[zeek_cols][read_audit_log_server_status_syslog_server_located_but_connection_failed]} %{[zeek_cols][read_audit_log_server_status_unable_to_locate_syslog_server]} %{[zeek_cols][read_audit_log_session_record_size]}"
- }
- }
-
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_hart_ip"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_hart_ip"
- init => "$zeek_hart_ip_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'command_number_link_id', 'direct_pdu_command_link_id', 'session_log_record_link_id', 'message_packet_bytes', 'header_version', 'header_message_type_reserved', 'header_message_type_message_type', 'header_message_id', 'header_status_code', 'header_sequence_number', 'header_length', 'session_initiate_master_type', 'session_initiate_inactivity_close_timer', 'token_passing_pdu_delimiter_address_type', 'token_passing_pdu_delimiter_expansion_bytes', 'token_passing_pdu_delimiter_physical_layer_type', 'token_passing_pdu_delimiter_frame_type', 'token_passing_pdu_address_v4', 'token_passing_pdu_address_v6', 'token_passing_pdu_command_number', 'token_passing_pdu_byte_count', 'token_passing_pdu_check_byte', 'token_passing_pdu_contents_data_data', 'token_passing_pdu_contents_response_response_code', 'token_passing_pdu_contents_response_device_status_device_malfunction', 'token_passing_pdu_contents_response_device_status_configuration_changed', 'token_passing_pdu_contents_response_device_status_cold_start', 'token_passing_pdu_contents_response_device_status_more_status_available', 'token_passing_pdu_contents_response_device_status_loop_current_fixed', 'token_passing_pdu_contents_response_device_status_loop_current_saturated', 'token_passing_pdu_contents_response_device_status_non_primary_variable_out_of_limits', 'token_passing_pdu_contents_response_device_status_primary_variable_out_of_limits', 'direct_pdu_device_status_device_malfunction', 'direct_pdu_device_status_configuration_changed', 'direct_pdu_device_status_cold_start', 'direct_pdu_device_status_more_status_available', 'direct_pdu_device_status_loop_current_fixed', 'direct_pdu_device_status_loop_current_saturated', 'direct_pdu_device_status_non_primary_variable_out_of_limits', 'direct_pdu_device_status_primary_variable_out_of_limits', 'direct_pdu_extended_status_undefined_bits', 
'direct_pdu_extended_status_function_check', 'direct_pdu_extended_status_out_of_specification', 'direct_pdu_extended_status_failure', 'direct_pdu_extended_status_critical_power_failure', 'direct_pdu_extended_status_device_variable_alert', 'direct_pdu_extended_status_maintenance_required', 'read_audit_log_start_record', 'read_audit_log_number_of_records', 'read_audit_log_power_up_time', 'read_audit_log_last_security_change', 'read_audit_log_server_status_undefined_bits', 'read_audit_log_server_status_insecure_syslog_connection', 'read_audit_log_server_status_syslog_server_located_but_connection_failed', 'read_audit_log_server_status_unable_to_locate_syslog_server', 'read_audit_log_session_record_size' ]"
- code => "event.set('[zeek_cols]', $zeek_hart_ip_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_hart_ip"
- add_field => {
- "[zeek_cols][service]" => "hart_ip"
- }
- add_tag => [ "ics" ]
- }
-
- # The "proto" field in these logs is useless.
- # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed
- if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_proto"
- remove_field => [ "[zeek_cols][proto]" ] } }
-
- } else if ([log_source] == "hart_ip_session_record") {
- #############################################################################################################################
- # hart_ip_session_record.log
- # main.zeek (https://github.com/cisagov/icsnpp-hart-ip)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_hart_ip_session_record"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][session_log_record_link_id]} %{[zeek_cols][session_log_record_client_i_pv4_address]} %{[zeek_cols][session_log_record_client_i_pv6_address]} %{[zeek_cols][session_log_record_client_port]} %{[zeek_cols][session_log_record_server_port]} %{[zeek_cols][session_log_record_connect_time]} %{[zeek_cols][session_log_record_disconnect_time]} %{[zeek_cols][session_log_record_session_status_summary_undefined_bits]} %{[zeek_cols][session_log_record_session_status_summary_insecure_session]} %{[zeek_cols][session_log_record_session_status_summary_session_timeout]} %{[zeek_cols][session_log_record_session_status_summary_aborted_session]} %{[zeek_cols][session_log_record_session_status_summary_bad_session_initialization]} %{[zeek_cols][session_log_record_session_status_summary_writes_occured]} %{[zeek_cols][session_log_record_start_configuration_change_count]} %{[zeek_cols][session_log_record_end_configuration_change_count]} %{[zeek_cols][session_log_record_num_publish_pdu]} %{[zeek_cols][session_log_record_num_request_pdu]} %{[zeek_cols][session_log_record_num_response_pdu]}"
- }
- }
-
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_hart_ip_session_record"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_hart_ip_session_record"
- init => "$zeek_hart_ip_session_record_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'session_log_record_link_id', 'session_log_record_client_i_pv4_address', 'session_log_record_client_i_pv6_address', 'session_log_record_client_port', 'session_log_record_server_port', 'session_log_record_connect_time', 'session_log_record_disconnect_time', 'session_log_record_session_status_summary_undefined_bits', 'session_log_record_session_status_summary_insecure_session', 'session_log_record_session_status_summary_session_timeout', 'session_log_record_session_status_summary_aborted_session', 'session_log_record_session_status_summary_bad_session_initialization', 'session_log_record_session_status_summary_writes_occured', 'session_log_record_start_configuration_change_count', 'session_log_record_end_configuration_change_count', 'session_log_record_num_publish_pdu', 'session_log_record_num_request_pdu', 'session_log_record_num_response_pdu' ]"
- code => "event.set('[zeek_cols]', $zeek_hart_ip_session_record_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_hart_ip_session_record"
- add_field => {
- "[zeek_cols][service]" => "hart_ip"
- }
- add_tag => [ "ics" ]
- }
-
- # The "proto" field in these logs is useless.
- # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed
- if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_session_proto"
- remove_field => [ "[zeek_cols][proto]" ] } }
-
- } else if ([log_source] == "hart_ip_universal_commands") {
- #############################################################################################################################
- # hart_ip_universal_commands.log
- # main.zeek (https://github.com/cisagov/icsnpp-hart-ip)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_hart_ip_universal_commands"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][read_unique_identifier_response_254]} %{[zeek_cols][read_unique_identifier_response_expanded_device_type]} %{[zeek_cols][read_unique_identifier_response_minimum_preambles_master_slave]} %{[zeek_cols][read_unique_identifier_response_hart_protocol_major_revision]} %{[zeek_cols][read_unique_identifier_response_device_revision_level]} %{[zeek_cols][read_unique_identifier_response_software_revision_level]} %{[zeek_cols][read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][read_unique_identifier_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][read_unique_identifier_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][read_unique_identifier_response_flags_undefined_5]} %{[zeek_cols][read_unique_identifier_response_flags_safehart_capable_field_device]} %{[zeek_cols][read_unique_identifier_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][read_unique_identifier_response_flags_protocol_bridge_device]} %{[zeek_cols][read_unique_identifier_response_flags_eeprom_control]} %{[zeek_cols][read_unique_identifier_response_flags_mutli_sensor_field_device]} %{[zeek_cols][read_unique_identifier_response_device_id]} %{[zeek_cols][read_unique_identifier_response_number_preambles_slave_master]} %{[zeek_cols][read_unique_identifier_response_last_device_variable_this]} %{[zeek_cols][read_unique_identifier_response_configuration_change_counter]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_function_check]} 
%{[zeek_cols][read_unique_identifier_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_failure]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_unique_identifier_response_manufacturer_identification_code]} %{[zeek_cols][read_unique_identifier_response_private_label_distributor_code]} %{[zeek_cols][read_unique_identifier_response_device_profile]} %{[zeek_cols][read_primary_variable_response_primary_variable_units]} %{[zeek_cols][read_primary_variable_response_primary_variable]} %{[zeek_cols][read_loop_current_response_primary_variable_loop_current]} %{[zeek_cols][read_loop_current_response_primary_variable_percent_range]} %{[zeek_cols][read_dynamic_variable_response_primary_variable_loop_current]} %{[zeek_cols][read_dynamic_variable_response_primary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_primary_variable]} %{[zeek_cols][read_dynamic_variable_response_secondary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_secondary_variable]} %{[zeek_cols][read_dynamic_variable_response_tertiary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_tertiary_variable]} %{[zeek_cols][read_dynamic_variable_response_quaternary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_quaternary_variable]} %{[zeek_cols][write_polling_address_polling_address_device]} %{[zeek_cols][write_polling_address_loop_current_mode]} %{[zeek_cols][read_loop_configuration_response_polling_address_device]} %{[zeek_cols][read_loop_configuration_response_loop_current_mode]} %{[zeek_cols][read_dynamic_variable_classifications_response_primary_variable_classification]} 
%{[zeek_cols][read_dynamic_variable_classifications_response_secondary_variable_classification]} %{[zeek_cols][read_dynamic_variable_classifications_response_tertiary_variable_classification]} %{[zeek_cols][read_dynamic_variable_classifications_response_quaternary_variable_classification]} %{[zeek_cols][read_device_variable_request_slot0_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot1_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot2_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot3_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot4_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot5_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot6_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot7_device_variable_code]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_function_check]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_failure]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot0_units_code]} %{[zeek_cols][read_device_variable_response_slot0_device_variable]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_status_limit_status]} 
%{[zeek_cols][read_device_variable_response_slot0_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot1_units_code]} %{[zeek_cols][read_device_variable_response_slot1_device_variable]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot2_units_code]} %{[zeek_cols][read_device_variable_response_slot2_device_variable]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot3_units_code]} %{[zeek_cols][read_device_variable_response_slot3_device_variable]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_status_process_data_status]} 
%{[zeek_cols][read_device_variable_response_slot3_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot4_units_code]} %{[zeek_cols][read_device_variable_response_slot4_device_variable]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot5_units_code]} %{[zeek_cols][read_device_variable_response_slot5_device_variable]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot6_units_code]} %{[zeek_cols][read_device_variable_response_slot6_device_variable]} 
%{[zeek_cols][read_device_variable_response_slot6_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot7_units_code]} %{[zeek_cols][read_device_variable_response_slot7_device_variable]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot0_time]} %{[zeek_cols][read_unique_identifier_tag_request_tag]} %{[zeek_cols][read_unique_identifier_tag_response_254]} %{[zeek_cols][read_unique_identifier_tag_response_expanded_device_type]} %{[zeek_cols][read_unique_identifier_tag_response_minimum_preambles_master_slave]} %{[zeek_cols][read_unique_identifier_tag_response_hart_protocol_major_revision]} %{[zeek_cols][read_unique_identifier_tag_response_device_revision_level]} %{[zeek_cols][read_unique_identifier_tag_response_software_revision_level]} %{[zeek_cols][read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][read_unique_identifier_tag_response_flags_c8_psk_in_multi_drop_only]} 
%{[zeek_cols][read_unique_identifier_tag_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][read_unique_identifier_tag_response_flags_undefined_5]} %{[zeek_cols][read_unique_identifier_tag_response_flags_safehart_capable_field_device]} %{[zeek_cols][read_unique_identifier_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][read_unique_identifier_tag_response_flags_protocol_bridge_device]} %{[zeek_cols][read_unique_identifier_tag_response_flags_eeprom_control]} %{[zeek_cols][read_unique_identifier_tag_response_flags_mutli_sensor_field_device]} %{[zeek_cols][read_unique_identifier_tag_response_device_id]} %{[zeek_cols][read_unique_identifier_tag_response_number_preambles_slave_master]} %{[zeek_cols][read_unique_identifier_tag_response_last_device_variable_this]} %{[zeek_cols][read_unique_identifier_tag_response_configuration_change_counter]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_function_check]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_failure]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_unique_identifier_tag_response_manufacturer_identification_code]} %{[zeek_cols][read_unique_identifier_tag_response_private_label_distributor_code]} %{[zeek_cols][read_unique_identifier_tag_response_device_profile]} %{[zeek_cols][read_message_response_message]} %{[zeek_cols][read_tag_response_tag]} %{[zeek_cols][read_tag_response_descriptor]} %{[zeek_cols][read_tag_response_date_code]} 
%{[zeek_cols][read_primary_variable_transducer_information_response_p_v_transducer_serial_number]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_transducer_limits_units]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_upper_transducer_limit]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_lower_transducer_limit]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_minimum_span]} %{[zeek_cols][read_device_information_response_p_v_alarm_selection_code]} %{[zeek_cols][read_device_information_response_p_v_transfer_function_code]} %{[zeek_cols][read_device_information_response_p_v_upper_lower_range]} %{[zeek_cols][read_device_information_response_p_v_upper_range_value]} %{[zeek_cols][read_device_information_response_p_v_lower_range_value]} %{[zeek_cols][read_device_information_response_p_v_damping_value]} %{[zeek_cols][read_device_information_response_write_protect_code]} %{[zeek_cols][read_device_information_response_250]} %{[zeek_cols][read_device_information_response_p_v_analog_channel_flags_undefined_bits]} %{[zeek_cols][read_device_information_response_p_v_analog_channel_flags_analog_channel]} %{[zeek_cols][read_final_assembly_number_response_final_assembly_number]} %{[zeek_cols][write_message_message_string]} %{[zeek_cols][write_tag_descriptor_date_tag]} %{[zeek_cols][write_tag_descriptor_date_record_keeping_descriptor]} %{[zeek_cols][write_tag_descriptor_date_date_code]} %{[zeek_cols][write_final_assembly_number_final_assembly_number]} %{[zeek_cols][read_long_tag_response_long_tag]} %{[zeek_cols][read_unique_identifier_long_tag_request_long_tag]} %{[zeek_cols][read_unique_identifier_long_tag_response_254]} %{[zeek_cols][read_unique_identifier_long_tag_response_expanded_device_type]} %{[zeek_cols][read_unique_identifier_long_tag_response_minimum_preambles_master_slave]} %{[zeek_cols][read_unique_identifier_long_tag_response_hart_protocol_major_revision]} 
%{[zeek_cols][read_unique_identifier_long_tag_response_device_revision_level]} %{[zeek_cols][read_unique_identifier_long_tag_response_software_revision_level]} %{[zeek_cols][read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_undefined_5]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_safehart_capable_field_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_protocol_bridge_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_eeprom_control]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_mutli_sensor_field_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_device_id]} %{[zeek_cols][read_unique_identifier_long_tag_response_number_preambles_slave_master]} %{[zeek_cols][read_unique_identifier_long_tag_response_last_device_variable_this]} %{[zeek_cols][read_unique_identifier_long_tag_response_configuration_change_counter]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_function_check]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_failure]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_critical_power_failure]} 
%{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_unique_identifier_long_tag_response_manufacturer_identification_code]} %{[zeek_cols][read_unique_identifier_long_tag_response_private_label_distributor_code]} %{[zeek_cols][read_unique_identifier_long_tag_response_device_profile]} %{[zeek_cols][write_long_tag_long_tag]} %{[zeek_cols][reset_configuration_changed_flag_configuration_change_counter]} %{[zeek_cols][read_additional_device_status_contents_device_specific_status_0]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_function_check]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_failure]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_additional_device_status_contents_device_operating_mode]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_device_configuration_lock]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_electronic_defect]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_environmental_conditions_out_of_range]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_power_supply_conditions_out_of_range]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_watchdog_reset_executed]} 
%{[zeek_cols][read_additional_device_status_contents_standardized_status0_volatile_memory_defect]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_non_volatile_memory_defect]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_device_variable_simulation_active]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_reserved]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_battery_or_power_supply_needs_maintenance]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_event_notification_overflow]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_discrete_variable_simulation_active]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_status_simulation_active]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_quinary_analog]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_quaternary_analog]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_tertiary_analog]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_secondary_analog]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_stale_data_notice]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_sub_device_with_duplicate_id]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_sub_device_mismatch]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_duplicate_master_detected]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_sub_device_list_changed]} 
%{[zeek_cols][read_additional_device_status_contents_standardized_status3_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_radio_failure]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_block_transfer_pending]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_bandwith_allocation_pending]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_resereved]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_capacity_denied]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_analog_channel]} %{[zeek_cols][read_additional_device_status_contents_device_specific_status_1]}"
- }
- }
-
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_hart_ip_universal_commands"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_hart_ip_universal_commands"
- init => "$zeek_hart_ip_universal_commands_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'command_number_link_id', 'read_unique_identifier_response_254', 'read_unique_identifier_response_expanded_device_type', 'read_unique_identifier_response_minimum_preambles_master_slave', 'read_unique_identifier_response_hart_protocol_major_revision', 'read_unique_identifier_response_device_revision_level', 'read_unique_identifier_response_software_revision_level', 'read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'read_unique_identifier_response_flags_c8_psk_in_multi_drop_only', 'read_unique_identifier_response_flags_c8_psk_capable_field_device', 'read_unique_identifier_response_flags_undefined_5', 'read_unique_identifier_response_flags_safehart_capable_field_device', 'read_unique_identifier_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'read_unique_identifier_response_flags_protocol_bridge_device', 'read_unique_identifier_response_flags_eeprom_control', 'read_unique_identifier_response_flags_mutli_sensor_field_device', 'read_unique_identifier_response_device_id', 'read_unique_identifier_response_number_preambles_slave_master', 'read_unique_identifier_response_last_device_variable_this', 'read_unique_identifier_response_configuration_change_counter', 'read_unique_identifier_response_extended_field_device_status_undefined_bits', 'read_unique_identifier_response_extended_field_device_status_function_check', 'read_unique_identifier_response_extended_field_device_status_out_of_specification', 'read_unique_identifier_response_extended_field_device_status_failure', 'read_unique_identifier_response_extended_field_device_status_critical_power_failure', 'read_unique_identifier_response_extended_field_device_status_device_variable_alert', 
'read_unique_identifier_response_extended_field_device_status_maintenance_required', 'read_unique_identifier_response_manufacturer_identification_code', 'read_unique_identifier_response_private_label_distributor_code', 'read_unique_identifier_response_device_profile', 'read_primary_variable_response_primary_variable_units', 'read_primary_variable_response_primary_variable', 'read_loop_current_response_primary_variable_loop_current', 'read_loop_current_response_primary_variable_percent_range', 'read_dynamic_variable_response_primary_variable_loop_current', 'read_dynamic_variable_response_primary_variable_units', 'read_dynamic_variable_response_primary_variable', 'read_dynamic_variable_response_secondary_variable_units', 'read_dynamic_variable_response_secondary_variable', 'read_dynamic_variable_response_tertiary_variable_units', 'read_dynamic_variable_response_tertiary_variable', 'read_dynamic_variable_response_quaternary_variable_units', 'read_dynamic_variable_response_quaternary_variable', 'write_polling_address_polling_address_device', 'write_polling_address_loop_current_mode', 'read_loop_configuration_response_polling_address_device', 'read_loop_configuration_response_loop_current_mode', 'read_dynamic_variable_classifications_response_primary_variable_classification', 'read_dynamic_variable_classifications_response_secondary_variable_classification', 'read_dynamic_variable_classifications_response_tertiary_variable_classification', 'read_dynamic_variable_classifications_response_quaternary_variable_classification', 'read_device_variable_request_slot0_device_variable_code', 'read_device_variable_request_slot1_device_variable_code', 'read_device_variable_request_slot2_device_variable_code', 'read_device_variable_request_slot3_device_variable_code', 'read_device_variable_request_slot4_device_variable_code', 'read_device_variable_request_slot5_device_variable_code', 'read_device_variable_request_slot6_device_variable_code', 
'read_device_variable_request_slot7_device_variable_code', 'read_device_variable_response_extended_field_device_status_undefined_bits', 'read_device_variable_response_extended_field_device_status_function_check', 'read_device_variable_response_extended_field_device_status_out_of_specification', 'read_device_variable_response_extended_field_device_status_failure', 'read_device_variable_response_extended_field_device_status_critical_power_failure', 'read_device_variable_response_extended_field_device_status_device_variable_alert', 'read_device_variable_response_extended_field_device_status_maintenance_required', 'read_device_variable_response_slot0_device_variable_code', 'read_device_variable_response_slot0_device_variable_class', 'read_device_variable_response_slot0_units_code', 'read_device_variable_response_slot0_device_variable', 'read_device_variable_response_slot0_device_variable_status_process_data_status', 'read_device_variable_response_slot0_device_variable_status_limit_status', 'read_device_variable_response_slot0_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot0_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot1_device_variable_code', 'read_device_variable_response_slot1_device_variable_class', 'read_device_variable_response_slot1_units_code', 'read_device_variable_response_slot1_device_variable', 'read_device_variable_response_slot1_device_variable_status_process_data_status', 'read_device_variable_response_slot1_device_variable_status_limit_status', 'read_device_variable_response_slot1_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot1_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot2_device_variable_code', 'read_device_variable_response_slot2_device_variable_class', 'read_device_variable_response_slot2_units_code', 'read_device_variable_response_slot2_device_variable', 
'read_device_variable_response_slot2_device_variable_status_process_data_status', 'read_device_variable_response_slot2_device_variable_status_limit_status', 'read_device_variable_response_slot2_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot2_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot3_device_variable_code', 'read_device_variable_response_slot3_device_variable_class', 'read_device_variable_response_slot3_units_code', 'read_device_variable_response_slot3_device_variable', 'read_device_variable_response_slot3_device_variable_status_process_data_status', 'read_device_variable_response_slot3_device_variable_status_limit_status', 'read_device_variable_response_slot3_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot3_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot4_device_variable_code', 'read_device_variable_response_slot4_device_variable_class', 'read_device_variable_response_slot4_units_code', 'read_device_variable_response_slot4_device_variable', 'read_device_variable_response_slot4_device_variable_status_process_data_status', 'read_device_variable_response_slot4_device_variable_status_limit_status', 'read_device_variable_response_slot4_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot4_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot5_device_variable_code', 'read_device_variable_response_slot5_device_variable_class', 'read_device_variable_response_slot5_units_code', 'read_device_variable_response_slot5_device_variable', 'read_device_variable_response_slot5_device_variable_status_process_data_status', 'read_device_variable_response_slot5_device_variable_status_limit_status', 'read_device_variable_response_slot5_device_variable_status_more_device_variable_status_available', 
'read_device_variable_response_slot5_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot6_device_variable_code', 'read_device_variable_response_slot6_device_variable_class', 'read_device_variable_response_slot6_units_code', 'read_device_variable_response_slot6_device_variable', 'read_device_variable_response_slot6_device_variable_status_process_data_status', 'read_device_variable_response_slot6_device_variable_status_limit_status', 'read_device_variable_response_slot6_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot6_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot7_device_variable_code', 'read_device_variable_response_slot7_device_variable_class', 'read_device_variable_response_slot7_units_code', 'read_device_variable_response_slot7_device_variable', 'read_device_variable_response_slot7_device_variable_status_process_data_status', 'read_device_variable_response_slot7_device_variable_status_limit_status', 'read_device_variable_response_slot7_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot7_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot0_time', 'read_unique_identifier_tag_request_tag', 'read_unique_identifier_tag_response_254', 'read_unique_identifier_tag_response_expanded_device_type', 'read_unique_identifier_tag_response_minimum_preambles_master_slave', 'read_unique_identifier_tag_response_hart_protocol_major_revision', 'read_unique_identifier_tag_response_device_revision_level', 'read_unique_identifier_tag_response_software_revision_level', 'read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'read_unique_identifier_tag_response_flags_c8_psk_in_multi_drop_only', 
'read_unique_identifier_tag_response_flags_c8_psk_capable_field_device', 'read_unique_identifier_tag_response_flags_undefined_5', 'read_unique_identifier_tag_response_flags_safehart_capable_field_device', 'read_unique_identifier_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'read_unique_identifier_tag_response_flags_protocol_bridge_device', 'read_unique_identifier_tag_response_flags_eeprom_control', 'read_unique_identifier_tag_response_flags_mutli_sensor_field_device', 'read_unique_identifier_tag_response_device_id', 'read_unique_identifier_tag_response_number_preambles_slave_master', 'read_unique_identifier_tag_response_last_device_variable_this', 'read_unique_identifier_tag_response_configuration_change_counter', 'read_unique_identifier_tag_response_extended_field_device_status_undefined_bits', 'read_unique_identifier_tag_response_extended_field_device_status_function_check', 'read_unique_identifier_tag_response_extended_field_device_status_out_of_specification', 'read_unique_identifier_tag_response_extended_field_device_status_failure', 'read_unique_identifier_tag_response_extended_field_device_status_critical_power_failure', 'read_unique_identifier_tag_response_extended_field_device_status_device_variable_alert', 'read_unique_identifier_tag_response_extended_field_device_status_maintenance_required', 'read_unique_identifier_tag_response_manufacturer_identification_code', 'read_unique_identifier_tag_response_private_label_distributor_code', 'read_unique_identifier_tag_response_device_profile', 'read_message_response_message', 'read_tag_response_tag', 'read_tag_response_descriptor', 'read_tag_response_date_code', 'read_primary_variable_transducer_information_response_p_v_transducer_serial_number', 'read_primary_variable_transducer_information_response_p_v_transducer_limits_units', 'read_primary_variable_transducer_information_response_p_v_upper_transducer_limit', 'read_primary_variable_transducer_information_response_p_v_lower_transducer_limit', 
'read_primary_variable_transducer_information_response_p_v_minimum_span', 'read_device_information_response_p_v_alarm_selection_code', 'read_device_information_response_p_v_transfer_function_code', 'read_device_information_response_p_v_upper_lower_range', 'read_device_information_response_p_v_upper_range_value', 'read_device_information_response_p_v_lower_range_value', 'read_device_information_response_p_v_damping_value', 'read_device_information_response_write_protect_code', 'read_device_information_response_250', 'read_device_information_response_p_v_analog_channel_flags_undefined_bits', 'read_device_information_response_p_v_analog_channel_flags_analog_channel', 'read_final_assembly_number_response_final_assembly_number', 'write_message_message_string', 'write_tag_descriptor_date_tag', 'write_tag_descriptor_date_record_keeping_descriptor', 'write_tag_descriptor_date_date_code', 'write_final_assembly_number_final_assembly_number', 'read_long_tag_response_long_tag', 'read_unique_identifier_long_tag_request_long_tag', 'read_unique_identifier_long_tag_response_254', 'read_unique_identifier_long_tag_response_expanded_device_type', 'read_unique_identifier_long_tag_response_minimum_preambles_master_slave', 'read_unique_identifier_long_tag_response_hart_protocol_major_revision', 'read_unique_identifier_long_tag_response_device_revision_level', 'read_unique_identifier_long_tag_response_software_revision_level', 'read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'read_unique_identifier_long_tag_response_flags_c8_psk_in_multi_drop_only', 'read_unique_identifier_long_tag_response_flags_c8_psk_capable_field_device', 'read_unique_identifier_long_tag_response_flags_undefined_5', 'read_unique_identifier_long_tag_response_flags_safehart_capable_field_device', 
'read_unique_identifier_long_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'read_unique_identifier_long_tag_response_flags_protocol_bridge_device', 'read_unique_identifier_long_tag_response_flags_eeprom_control', 'read_unique_identifier_long_tag_response_flags_mutli_sensor_field_device', 'read_unique_identifier_long_tag_response_device_id', 'read_unique_identifier_long_tag_response_number_preambles_slave_master', 'read_unique_identifier_long_tag_response_last_device_variable_this', 'read_unique_identifier_long_tag_response_configuration_change_counter', 'read_unique_identifier_long_tag_response_extended_field_device_status_undefined_bits', 'read_unique_identifier_long_tag_response_extended_field_device_status_function_check', 'read_unique_identifier_long_tag_response_extended_field_device_status_out_of_specification', 'read_unique_identifier_long_tag_response_extended_field_device_status_failure', 'read_unique_identifier_long_tag_response_extended_field_device_status_critical_power_failure', 'read_unique_identifier_long_tag_response_extended_field_device_status_device_variable_alert', 'read_unique_identifier_long_tag_response_extended_field_device_status_maintenance_required', 'read_unique_identifier_long_tag_response_manufacturer_identification_code', 'read_unique_identifier_long_tag_response_private_label_distributor_code', 'read_unique_identifier_long_tag_response_device_profile', 'write_long_tag_long_tag', 'reset_configuration_changed_flag_configuration_change_counter', 'read_additional_device_status_contents_device_specific_status_0', 'read_additional_device_status_contents_extended_field_device_status_undefined_bits', 'read_additional_device_status_contents_extended_field_device_status_function_check', 'read_additional_device_status_contents_extended_field_device_status_out_of_specification', 'read_additional_device_status_contents_extended_field_device_status_failure', 
'read_additional_device_status_contents_extended_field_device_status_critical_power_failure', 'read_additional_device_status_contents_extended_field_device_status_device_variable_alert', 'read_additional_device_status_contents_extended_field_device_status_maintenance_required', 'read_additional_device_status_contents_device_operating_mode', 'read_additional_device_status_contents_standardized_status0_device_configuration_lock', 'read_additional_device_status_contents_standardized_status0_electronic_defect', 'read_additional_device_status_contents_standardized_status0_environmental_conditions_out_of_range', 'read_additional_device_status_contents_standardized_status0_power_supply_conditions_out_of_range', 'read_additional_device_status_contents_standardized_status0_watchdog_reset_executed', 'read_additional_device_status_contents_standardized_status0_volatile_memory_defect', 'read_additional_device_status_contents_standardized_status0_non_volatile_memory_defect', 'read_additional_device_status_contents_standardized_status0_device_variable_simulation_active', 'read_additional_device_status_contents_standardized_status1_undefined_bits', 'read_additional_device_status_contents_standardized_status1_reserved', 'read_additional_device_status_contents_standardized_status1_battery_or_power_supply_needs_maintenance', 'read_additional_device_status_contents_standardized_status1_event_notification_overflow', 'read_additional_device_status_contents_standardized_status1_discrete_variable_simulation_active', 'read_additional_device_status_contents_standardized_status1_status_simulation_active', 'read_additional_device_status_contents_analog_channel_saturated_undefined_bits', 'read_additional_device_status_contents_analog_channel_saturated_quinary_analog', 'read_additional_device_status_contents_analog_channel_saturated_quaternary_analog', 'read_additional_device_status_contents_analog_channel_saturated_tertiary_analog', 
'read_additional_device_status_contents_analog_channel_saturated_secondary_analog', 'read_additional_device_status_contents_standardized_status2_undefined_bits', 'read_additional_device_status_contents_standardized_status2_stale_data_notice', 'read_additional_device_status_contents_standardized_status2_sub_device_with_duplicate_id', 'read_additional_device_status_contents_standardized_status2_sub_device_mismatch', 'read_additional_device_status_contents_standardized_status2_duplicate_master_detected', 'read_additional_device_status_contents_standardized_status2_sub_device_list_changed', 'read_additional_device_status_contents_standardized_status3_undefined_bits', 'read_additional_device_status_contents_standardized_status3_radio_failure', 'read_additional_device_status_contents_standardized_status3_block_transfer_pending', 'read_additional_device_status_contents_standardized_status3_bandwith_allocation_pending', 'read_additional_device_status_contents_standardized_status3_resereved', 'read_additional_device_status_contents_standardized_status3_capacity_denied', 'read_additional_device_status_contents_analog_channel_undefined_bits', 'read_additional_device_status_contents_analog_channel_analog_channel', 'read_additional_device_status_contents_device_specific_status_1' ]"
- code => "event.set('[zeek_cols]', $zeek_hart_ip_universal_commands_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_hart_ip_universal_commands"
- add_field => {
- "[zeek_cols][service]" => "hart_ip"
- }
- add_tag => [ "ics" ]
- }
-
- # The "proto" field in these logs is useless.
- # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed
- if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_universal_commands_proto"
- remove_field => [ "[zeek_cols][proto]" ] } }
-
- } else if ([log_source] == "http") {
- #############################################################################################################################
- # http.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/http/main.zeek.html#type-HTTP::Info
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_http_fields"
- rename => { "[zeek_cols][username]" => "[zeek_cols][user]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_http_with_all_fields"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][method]} %{[zeek_cols][host]} %{[zeek_cols][uri]} %{[zeek_cols][referrer]} %{[zeek_cols][version]} %{[zeek_cols][user_agent]} %{[zeek_cols][origin]} %{[zeek_cols][request_body_len]} %{[zeek_cols][response_body_len]} %{[zeek_cols][status_code]} %{[zeek_cols][status_msg]} %{[zeek_cols][info_code]} %{[zeek_cols][info_msg]} %{[zeek_cols][tags]} %{[zeek_cols][user]} %{[zeek_cols][password]} %{[zeek_cols][proxied]} %{[zeek_cols][orig_fuids]} %{[zeek_cols][orig_filenames]} %{[zeek_cols][orig_mime_types]} %{[zeek_cols][resp_fuids]} %{[zeek_cols][resp_filenames]} %{[zeek_cols][resp_mime_types]} %{[zeek_cols][client_header_names]} %{[zeek_cols][server_header_names]} %{[zeek_cols][ja4h]} %{[zeek_cols][post_username]} %{[zeek_cols][post_password_plain]} %{[zeek_cols][post_password_md5]} %{[zeek_cols][post_password_sha1]} %{[zeek_cols][post_password_sha256]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_http"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_http"
- init => "@zeek_http_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'method', 'host', 'uri', 'referrer', 'version', 'user_agent', 'origin', 'request_body_len', 'response_body_len', 'status_code', 'status_msg', 'info_code', 'info_msg', 'tags', 'user', 'password', 'proxied', 'orig_fuids', 'orig_filenames', 'orig_mime_types', 'resp_fuids', 'resp_filenames', 'resp_mime_types', 'client_header_names', 'server_header_names', 'ja4h', 'post_username', 'post_password_plain', 'post_password_md5', 'post_password_sha1', 'post_password_sha256' ]"
- code => "event.set('[zeek_cols]', @zeek_http_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_http_commas"
- split => { "[zeek_cols][client_header_names]" => ","
- "[zeek_cols][orig_filenames]" => ","
- "[zeek_cols][orig_fuids]" => ","
- "[zeek_cols][orig_mime_types]" => ","
- "[zeek_cols][proxied]" => ","
- "[zeek_cols][resp_filenames]" => ","
- "[zeek_cols][resp_fuids]" => ","
- "[zeek_cols][resp_mime_types]" => ","
- "[zeek_cols][server_header_names]" => ","
- "[zeek_cols][tags]" => "," } }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_http"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "http"
- }
- }
-
- } else if ([log_source] == "intel") {
- #############################################################################################################################
- # intel.log
- # https://docs.zeek.org/en/stable/scripts/base/frameworks/intel/main.zeek.html#type-Intel::Info
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_intel_fields"
- rename => { "[zeek_cols][cif.firstseen]" => "[zeek_cols][cif_firstseen]" }
- rename => { "[zeek_cols][cif.lastseen]" => "[zeek_cols][cif_lastseen]" }
- rename => { "[zeek_cols][cif.tags]" => "[zeek_cols][cif_tags]" }
- rename => { "[zeek_cols][seen.indicator]" => "[zeek_cols][seen_indicator]" }
- rename => { "[zeek_cols][seen.indicator_type]" => "[zeek_cols][seen_indicator_type]" }
- rename => { "[zeek_cols][seen.node]" => "[zeek_cols][seen_node]" }
- rename => { "[zeek_cols][seen.where]" => "[zeek_cols][seen_where]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_intel"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][seen_indicator]} %{[zeek_cols][seen_indicator_type]} %{[zeek_cols][seen_where]} %{[zeek_cols][seen_node]} %{[zeek_cols][matched]} %{[zeek_cols][sources]} %{[zeek_cols][fuid]} %{[zeek_cols][file_mime_type]} %{[zeek_cols][file_desc]} %{[zeek_cols][cif_tags]} %{[zeek_cols][cif_confidence]} %{[zeek_cols][cif_source]} %{[zeek_cols][cif_description]} %{[zeek_cols][cif_firstseen]} %{[zeek_cols][cif_lastseen]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_intel"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_intel"
- init => "@zeek_intel_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'seen_indicator', 'seen_indicator_type', 'seen_where', 'seen_node', 'matched', 'sources', 'fuid', 'file_mime_type', 'file_desc', 'cif_tags', 'cif_confidence', 'cif_source', 'cif_description', 'cif_firstseen', 'cif_lastseen' ]"
- code => "event.set('[zeek_cols]', @zeek_intel_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_intel_commas"
- split => { "[zeek_cols][sources]" => ","
- "[zeek_cols][matched]" => "," } }
- }
-
- # For some reason, even in JSON, I have cif_tags strings like:
- # Network activity,osint:source-type=\"block-or-filter-list\"
- # so whatever reason it's not already an array. Split it here.
- mutate { id => "mutate_split_zeek_intel_cif_tags"
- split => { "[zeek_cols][cif_tags]" => "," } }
-
- } else if ([log_source] == "ipsec") {
- #############################################################################################################################
- # ipsec.log
- # https://github.com/corelight/zeek-spicy-ipsec/blob/master/analyzer/main.zeek
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_ipsec"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][initiator_spi]} %{[zeek_cols][responder_spi]} %{[zeek_cols][maj_ver]} %{[zeek_cols][min_ver]} %{[zeek_cols][exchange_type]} %{[zeek_cols][flag_e]} %{[zeek_cols][flag_c]} %{[zeek_cols][flag_a]} %{[zeek_cols][flag_i]} %{[zeek_cols][flag_v]} %{[zeek_cols][flag_r]} %{[zeek_cols][message_id]} %{[zeek_cols][vendor_ids]} %{[zeek_cols][notify_messages]} %{[zeek_cols][transforms]} %{[zeek_cols][ke_dh_groups]} %{[zeek_cols][proposals]} %{[zeek_cols][protocol_id]} %{[zeek_cols][certificates]} %{[zeek_cols][transform_attributes]} %{[zeek_cols][length]} %{[zeek_cols][hash]} %{[zeek_cols][doi]} %{[zeek_cols][situation]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ipsec"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ipsec"
- init => "@zeek_ipsec_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'is_orig', 'initiator_spi', 'responder_spi', 'maj_ver', 'min_ver', 'exchange_type', 'flag_e', 'flag_c', 'flag_a', 'flag_i', 'flag_v', 'flag_r', 'message_id', 'vendor_ids', 'notify_messages', 'transforms', 'ke_dh_groups', 'proposals', 'protocol_id', 'certificates', 'transform_attributes', 'length', 'hash', 'doi', 'situation' ]"
- code => "event.set('[zeek_cols]', @zeek_ipsec_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_ipsec_commas"
- split => { "[zeek_cols][vendor_ids]" => ","
- "[zeek_cols][notify_messages]" => ","
- "[zeek_cols][transforms]" => ","
- "[zeek_cols][ke_dh_groups]" => ","
- "[zeek_cols][proposals]" => ","
- "[zeek_cols][certificates]" => ","
- "[zeek_cols][transform_attributes]" => "," } }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ipsec"
- add_field => {
- "[zeek_cols][service]" => "ipsec"
- }
- }
-
- } else if ([log_source] == "irc") {
- #############################################################################################################################
- # irc.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/irc/main.zeek.html#type-IRC::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_irc"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][nick]} %{[zeek_cols][user]} %{[zeek_cols][command]} %{[zeek_cols][value]} %{[zeek_cols][addl]} %{[zeek_cols][dcc_file_name]} %{[zeek_cols][dcc_file_size]} %{[zeek_cols][dcc_mime_type]} %{[zeek_cols][fuid]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_irc"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_irc"
- init => "@zeek_irc_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'nick', 'user', 'command', 'value', 'addl', 'dcc_file_name', 'dcc_file_size', 'dcc_mime_type', 'fuid' ]"
- code => "event.set('[zeek_cols]', @zeek_irc_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_irc"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "irc"
- }
- }
-
- } else if ([log_source] == "cotp") {
- #############################################################################################################################
- # cotp.log
- # https://github.com/cisagov/icsnpp-s7comm
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_cotp"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][pdu_code]} %{[zeek_cols][pdu_name]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_cotp"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_cotp"
- init => "@zeek_cotp_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'pdu_code', 'pdu_name' ]"
- code => "event.set('[zeek_cols]', @zeek_cotp_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_cotp"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "cotp"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "ja4ssh") {
- #############################################################################################################################
- # ja4ssh.log
- # https://github.com/FoxIO-LLC/ja4
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_ja4ssh"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ja4ssh]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ja4ssh"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ja4ssh"
- init => "@zeek_ja4ssh_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'ja4ssh' ]"
- code => "event.set('[zeek_cols]', @zeek_ja4ssh_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ja4ssh"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "ssh"
- }
- }
-
- } else if ([log_source] == "kerberos") {
- #############################################################################################################################
- # kerberos.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/krb/main.zeek.html#type-KRB::Info
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_kerberos_fields"
- rename => { "[zeek_cols][client]" => "[zeek_cols][cname]" }
- rename => { "[zeek_cols][service]" => "[zeek_cols][sname]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_kerberos"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][request_type]} %{[zeek_cols][cname]} %{[zeek_cols][sname]} %{[zeek_cols][success]} %{[zeek_cols][error_msg]} %{[zeek_cols][from]} %{[zeek_cols][till]} %{[zeek_cols][cipher]} %{[zeek_cols][forwardable]} %{[zeek_cols][renewable]} %{[zeek_cols][client_cert_subject]} %{[zeek_cols][client_cert_fuid]} %{[zeek_cols][server_cert_subject]} %{[zeek_cols][server_cert_fuid]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_kerberos"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_kerberos"
- init => "@zeek_kerberos_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'request_type', 'cname', 'sname', 'success', 'error_msg', 'from', 'till', 'cipher', 'forwardable', 'renewable', 'client_cert_subject', 'client_cert_fuid', 'server_cert_subject', 'server_cert_fuid' ]"
- code => "event.set('[zeek_cols]', @zeek_kerberos_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_kerberos_commas"
- split => { "[zeek_cols][client_cert_fuid]" => ","
- "[zeek_cols][server_cert_fuid]" => "," } }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_krb5"
- add_field => { "[zeek_cols][service]" => "krb" }
- }
-
- } else if ([log_source] == "known_certs") {
- #############################################################################################################################
- # known_certs.log
- # https://docs.zeek.org/en/stable/scripts/policy/protocols/ssl/known-certs.zeek.html#type-Known::CertsInfo
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_known_certs_fields"
- rename => { "[zeek_cols][host]" => "[zeek_cols][orig_h]" }
- rename => { "[zeek_cols][port_num]" => "[zeek_cols][orig_p]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_known_certs"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][subject]} %{[zeek_cols][issuer_subject]} %{[zeek_cols][serial]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_known_certs"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_known_certs"
- init => "@zeek_known_certs_field_names = [ 'ts', 'orig_h', 'orig_p', 'subject', 'resp_h', 'issuer_subject', 'serial' ]"
- code => "event.set('[zeek_cols]', @zeek_known_certs_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_known_certs"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "tls"
- }
- }
-
- } else if ([log_source] == "known_hosts") {
- #############################################################################################################################
- # known_hosts.log
- # https://docs.zeek.org/en/stable/scripts/policy/protocols/conn/known-hosts.zeek.html#type-Known::HostsInfo
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_known_hosts_fields"
- rename => { "[zeek_cols][host]" => "[zeek_cols][orig_h]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_known_hosts"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_known_hosts"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_known_hosts"
- init => "@zeek_known_hosts_field_names = [ 'ts', 'orig_h' ]"
- code => "event.set('[zeek_cols]', @zeek_known_hosts_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- } else if ([log_source] == "known_modbus") {
- #############################################################################################################################
- # known_modbus.log
- # https://docs.zeek.org/en/stable/scripts/policy/protocols/modbus/known-masters-slaves.zeek.html#type-Known::ModbusInfo
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_known_modbus_fields"
- rename => { "[zeek_cols][host]" => "[zeek_cols][orig_h]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_known_modbus"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][device_type]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_known_modbus"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_known_modbus"
- init => "@zeek_known_modbus_field_names = [ 'ts', 'orig_h', 'device_type' ]"
- code => "event.set('[zeek_cols]', @zeek_known_modbus_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate { id => "mutate_gsub_zeek_known_modbus_device_type"
- gsub => [ "[zeek_cols][device_type]", "Known::", "" ] }
-
- mutate { id => "mutate_gsub_zeek_known_modbus_master"
- gsub => [ "[zeek_cols][device_type]", "MASTER", "CLIENT" ] }
-
- mutate { id => "mutate_gsub_zeek_known_modbus_slave"
- gsub => [ "[zeek_cols][device_type]", "SLAVE", "SERVER" ] }
-
- mutate { id => "mutate_add_tag_ics_known_modbus_log"
- add_tag => [ "ics" ] }
-
- } else if ([log_source] == "known_routers") {
- #############################################################################################################################
- # known_routers.log
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_known_routers"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][ttl]} %{[zeek_cols][hlim]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_known_routers"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_known_routers"
- init => "@zeek_known_routers_field_names = [ 'ts', 'orig_h', 'orig_l2_addr', 'ttl', 'hlim' ]"
- code => "event.set('[zeek_cols]', @zeek_known_routers_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- } else if ([log_source] == "known_services") {
- #############################################################################################################################
- # known_services.log
- # https://docs.zeek.org/en/stable/scripts/policy/protocols/conn/known-services.zeek.html#type-Known::ServicesInfo
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_known_services_fields"
- rename => { "[zeek_cols][host]" => "[zeek_cols][resp_h]" }
- rename => { "[zeek_cols][port_num]" => "[zeek_cols][resp_p]" }
- rename => { "[zeek_cols][port_proto]" => "[zeek_cols][proto]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_known_services"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][service]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_known_services"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_known_services"
- init => "@zeek_known_services_field_names = [ 'ts', 'resp_h', 'resp_p', 'proto', 'service' ]"
- code => "event.set('[zeek_cols]', @zeek_known_services_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate { id => "mutate_lowercase_zeek_known_services_service"
- lowercase => [ "[zeek_cols][service]" ] }
-
- # normalize service string(s)
-
- # some services are named like blah_udp/blah_tcp/blah_data, and we don't care about the suffix
- mutate { id => "mutate_gsub_field_zeek_known_services_protocol_suffix"
- gsub => [ "[zeek_cols][service]", "[_-](tcp|udp|data)", "" ] }
-
- if ([zeek_cols][service] =~ /^spicy_/) {
- # if it's coming from spicy, we don't care to have that in the service name
- mutate { id => "mutate_gsub_field_zeek_known_service_spicy_prefix"
- gsub => [ "[zeek_cols][service]", "^spicy_", "" ] }
-
- # some spicy services are named like blah_udp or blah_tcp,
- # and we don't care about the _udp/_tcp suffix
- mutate { id => "mutate_gsub_field_zeek_known_service_spicy_suffix"
- gsub => [ "[zeek_cols][service]", "(_hmac)?(_(sha|md)\d+)?$", "" ] }
-
- }
-
- } else if ([log_source] == "ldap") {
- #############################################################################################################################
- # ldap.log
- # main.zeek (https://docs.zeek.org/en/master/scripts/base/protocols/ldap/main.zeek.html)
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_ldap_fields"
- rename => { "[zeek_cols][arguments]" => "[zeek_cols][argument]" }
- rename => { "[zeek_cols][opcode]" => "[zeek_cols][operation]" }
- rename => { "[zeek_cols][opcodes]" => "[zeek_cols][operation]" }
- rename => { "[zeek_cols][result]" => "[zeek_cols][result_code]" }
- rename => { "[zeek_cols][results]" => "[zeek_cols][result_code]" }
- rename => { "[zeek_cols][diagnostic_message]" => "[zeek_cols][result_message]" }
- rename => { "[zeek_cols][diagnostic_messages]" => "[zeek_cols][result_message]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_ldap"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][message_id]} %{[zeek_cols][version]} %{[zeek_cols][operation]} %{[zeek_cols][result_code]} %{[zeek_cols][result_message]} %{[zeek_cols][object]} %{[zeek_cols][argument]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ldap"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ldap"
- init => "@zeek_ldap_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'message_id', 'version', 'operation', 'result_code', 'result_message', 'object', 'argument' ]"
- code => "event.set('[zeek_cols]', @zeek_ldap_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ldap"
- add_field => {
- "[zeek_cols][service]" => "ldap"
- }
-
- }
-
- } else if ([log_source] == "ldap_search") {
- #############################################################################################################################
- # ldap_search.log
- # main.zeek (https://docs.zeek.org/en/master/scripts/base/protocols/ldap/main.zeek.html)
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_ldap_search_fields"
- rename => { "[zeek_cols][base_objects]" => "[zeek_cols][base_object]" }
- rename => { "[zeek_cols][deref_aliases]" => "[zeek_cols][deref]" }
- rename => { "[zeek_cols][derefs]" => "[zeek_cols][deref]" }
- rename => { "[zeek_cols][diagnostic_message]" => "[zeek_cols][result_message]" }
- rename => { "[zeek_cols][result]" => "[zeek_cols][result_code]" }
- rename => { "[zeek_cols][results]" => "[zeek_cols][result_code]" }
- rename => { "[zeek_cols][scopes]" => "[zeek_cols][scope]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_ldap_search"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][message_id]} %{[zeek_cols][scope]} %{[zeek_cols][deref]} %{[zeek_cols][base_object]} %{[zeek_cols][result_count]} %{[zeek_cols][result_code]} %{[zeek_cols][result_message]} %{[zeek_cols][filter]} %{[zeek_cols][attributes]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ldap_search"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ldap_search"
- init => "@zeek_ldap_search_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'message_id', 'scope', 'deref', 'base_object', 'result_count', 'result_code', 'result_message', 'filter', 'attributes' ]"
- code => "event.set('[zeek_cols]', @zeek_ldap_search_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ldap_search"
- add_field => {
- "[zeek_cols][service]" => "ldap"
- }
-
- }
-
- } else if ([log_source] == "login") {
- #############################################################################################################################
- # login.log
- # custom login.log module (rudimentary, telnet/rlogin/rsh analyzers are old and not the greatest)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_login"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][service]} %{[zeek_cols][success]} %{[zeek_cols][confused]} %{[zeek_cols][user]} %{[zeek_cols][client_user]} %{[zeek_cols][password]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_login"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_login"
- init => "@zeek_login_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'service', 'success', 'confused', 'user', 'client_user', 'password' ]"
- code => "event.set('[zeek_cols]', @zeek_login_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- } else if ([log_source] == "modbus") {
- #############################################################################################################################
- # modbus.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/modbus/main.zeek.html#type-Modbus::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_modbus"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][exception]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_modbus"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_modbus"
- init => "@zeek_modbus_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'exception' ]"
- code => "event.set('[zeek_cols]', @zeek_modbus_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_modbus"
- add_field => { "[zeek_cols][service]" => "modbus" }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "modbus_detailed") {
- #############################################################################################################################
- # modbus_detailed.log
- # main.zeek (https://github.com/cisagov/icsnpp-modbus)
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_modbus_detailed_fields"
- rename => { "[zeek_cols][tid]" => "[zeek_cols][trans_id]" }
- rename => { "[zeek_cols][unit]" => "[zeek_cols][unit_id]" }
- rename => { "[zeek_cols][request_response]" => "[zeek_cols][network_direction]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_modbus_detailed"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][address]} %{[zeek_cols][quantity]} %{[zeek_cols][values]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_modbus_detailed"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_modbus_detailed"
- init => "@zeek_modbus_detailed_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'address', 'quantity', 'values' ]"
- code => "event.set('[zeek_cols]', @zeek_modbus_detailed_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_modbus_detailed_values"
- split => { "[zeek_cols][values]" => "," } }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_modbus_detailed"
- add_field => {
- "[zeek_cols][service]" => "modbus"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "modbus_mask_write_register") {
- #############################################################################################################################
- # modbus_mask_write_register.log
- # main.zeek (https://github.com/cisagov/icsnpp-modbus)
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_modbus_mask_write_register_fields"
- rename => { "[zeek_cols][tid]" => "[zeek_cols][trans_id]" }
- rename => { "[zeek_cols][unit]" => "[zeek_cols][unit_id]" }
- rename => { "[zeek_cols][request_response]" => "[zeek_cols][network_direction]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_modbus_mask_write_register"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][address]} %{[zeek_cols][and_mask]} %{[zeek_cols][or_mask]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_modbus_mask_write_register"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_modbus_mask_write_register"
- init => "@zeek_modbus_mask_write_register_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'address', 'and_mask', 'or_mask' ]"
- code => "event.set('[zeek_cols]', @zeek_modbus_mask_write_register_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_modbus_mask_write_register"
- add_field => {
- "[zeek_cols][service]" => "modbus"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "modbus_read_device_identification") {
- #############################################################################################################################
- # modbus_read_device_identification.log
- # main.zeek (https://github.com/cisagov/icsnpp-modbus)
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_modbus_read_device_identification_fields"
- rename => { "[zeek_cols][tid]" => "[zeek_cols][trans_id]" }
- rename => { "[zeek_cols][unit]" => "[zeek_cols][unit_id]" }
- rename => { "[zeek_cols][request_response]" => "[zeek_cols][network_direction]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_modbus_read_device_identification"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][mei_type]} %{[zeek_cols][conformity_level_code]} %{[zeek_cols][conformity_level]} %{[zeek_cols][device_id_code]} %{[zeek_cols][object_id_code]} %{[zeek_cols][object_id]} %{[zeek_cols][object_value]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_modbus_read_device_identification"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_modbus_read_device_identification"
- init => "@zeek_modbus_read_device_identification_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'mei_type', 'conformity_level_code', 'conformity_level', 'device_id_code', 'object_id_code', 'object_id', 'object_value' ]"
- code => "event.set('[zeek_cols]', @zeek_modbus_read_device_identification_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_modbus_read_device_identification"
- add_field => {
- "[zeek_cols][service]" => "modbus"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "modbus_read_write_multiple_registers") {
- #############################################################################################################################
- # modbus_read_write_multiple_registers.log
- # main.zeek (https://github.com/cisagov/icsnpp-modbus)
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_modbus_read_write_multiple_registers_fields"
- rename => { "[zeek_cols][tid]" => "[zeek_cols][trans_id]" }
- rename => { "[zeek_cols][unit]" => "[zeek_cols][unit_id]" }
- rename => { "[zeek_cols][request_response]" => "[zeek_cols][network_direction]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_modbus_read_write_multiple_registers"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][write_start_address]} %{[zeek_cols][write_registers]} %{[zeek_cols][read_start_address]} %{[zeek_cols][read_quantity]} %{[zeek_cols][read_registers]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_modbus_read_write_multiple_registers"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_modbus_read_write_multiple_registers"
- init => "@zeek_modbus_read_write_multiple_registers_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'write_start_address', 'write_registers', 'read_start_address', 'read_quantity', 'read_registers' ]"
- code => "event.set('[zeek_cols]', @zeek_modbus_read_write_multiple_registers_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_modbus_read_write_multiple_registers_read_commas"
- split => { "[zeek_cols][read_registers]" => ","
- "[zeek_cols][write_registers]" => "," } }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_modbus_read_write_multiple_registers"
- add_field => {
- "[zeek_cols][service]" => "modbus"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "mqtt_connect") {
- #############################################################################################################################
- # mqtt_connect.log
- # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::ConnectInfo
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_mqtt_connect"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto_name]} %{[zeek_cols][proto_version]} %{[zeek_cols][client_id]} %{[zeek_cols][connect_status]} %{[zeek_cols][will_topic]} %{[zeek_cols][will_payload]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_mqtt_connect"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_mqtt_connect"
- init => "@zeek_mqtt_connect_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto_name', 'proto_version', 'client_id', 'connect_status', 'will_topic', 'will_payload' ]"
- code => "event.set('[zeek_cols]', @zeek_mqtt_connect_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_mqtt_connect"
- add_field => {
- "[zeek_cols][proto]" => "udp"
- "[zeek_cols][service]" => "mqtt"
- }
- }
-
- } else if ([log_source] == "mqtt_publish") {
- #############################################################################################################################
- # mqtt_publish.log
- # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::PublishInfo
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_mqtt_publish"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][from_client]} %{[zeek_cols][retain]} %{[zeek_cols][qos]} %{[zeek_cols][status]} %{[zeek_cols][topic]} %{[zeek_cols][payload]} %{[zeek_cols][payload_len]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_mqtt_publish"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_mqtt_publish"
- init => "@zeek_mqtt_publish_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'from_client', 'retain', 'qos', 'status', 'topic', 'payload', 'payload_len' ]"
- code => "event.set('[zeek_cols]', @zeek_mqtt_publish_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_mqtt_publish"
- add_field => {
- "[zeek_cols][proto]" => "udp"
- "[zeek_cols][service]" => "mqtt"
- }
- }
-
- } else if ([log_source] == "mqtt_subscribe") {
- #############################################################################################################################
- # mqtt_subscribe.log
- # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::SubscribeInfo
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_mqtt_subscribe"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][action]} %{[zeek_cols][topics]} %{[zeek_cols][qos_levels]} %{[zeek_cols][granted_qos_level]} %{[zeek_cols][ack]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_mqtt_subscribe"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_mqtt_subscribe"
- init => "@zeek_mqtt_subscribe_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'action', 'topics', 'qos_levels', 'granted_qos_level', 'ack' ]"
- code => "event.set('[zeek_cols]', @zeek_mqtt_subscribe_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_mqtt_subscribe_commas"
- split => { "[zeek_cols][topics]" => ","
- "[zeek_cols][qos_levels]" => "," } }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_mqtt_subscribe"
- add_field => {
- "[zeek_cols][proto]" => "udp"
- "[zeek_cols][service]" => "mqtt"
- }
- }
-
- mutate { id => "mutate_gsub_zeek_mqtt_subscribe_action"
- gsub => [ "[zeek_cols][action]", "MQTT::", "" ] }
-
- } else if ([log_source] == "mysql") {
- #############################################################################################################################
- # mysql.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/mysql/main.zeek.html#type-MySQL::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_mysql"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][cmd]} %{[zeek_cols][arg]} %{[zeek_cols][success]} %{[zeek_cols][rows]} %{[zeek_cols][response]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_mysql"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_mysql"
- init => "@zeek_mysql_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'cmd', 'arg', 'success', 'rows', 'response' ]"
- code => "event.set('[zeek_cols]', @zeek_mysql_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_mysql"
- add_field => { "[zeek_cols][service]" => "mysql" }
- }
-
- } else if ([log_source] == "notice") {
- #############################################################################################################################
- # notice.log
- # https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/main.zeek.html#type-Notice::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_notice_with_all_fields"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][fuid]} %{[zeek_cols][file_mime_type]} %{[zeek_cols][file_desc]} %{[zeek_cols][proto]} %{[zeek_cols][note]} %{[zeek_cols][msg]} %{[zeek_cols][sub]} %{[zeek_cols][src]} %{[zeek_cols][dst]} %{[zeek_cols][p]} %{[zeek_cols][n]} %{[zeek_cols][peer_descr]} %{[zeek_cols][actions]} %{[zeek_cols][email_dest]} %{[zeek_cols][suppress_for]} %{[zeek_cols][remote_location_country_code]} %{[zeek_cols][remote_location_region]} %{[zeek_cols][remote_location_city]} %{[zeek_cols][remote_location_latitude]} %{[zeek_cols][remote_location_longitude]} %{[zeek_cols][community_id]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_notice"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_notice"
- init => "@zeek_notice_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'fuid', 'file_mime_type', 'file_desc', 'proto', 'note', 'msg', 'sub', 'src', 'dst', 'p', 'n', 'peer_descr', 'actions', 'email_dest', 'suppress_for', 'remote_location_country_code', 'remote_location_region', 'remote_location_city', 'remote_location_latitude', 'remote_location_longitude', 'community_id' ]"
- code => "event.set('[zeek_cols]', @zeek_notice_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_notice_actions"
- split => { "[zeek_cols][actions]" => "," } }
- }
-
- if ([zeek_cols][src]) and ((![zeek_cols][orig_h]) or ([zeek_cols][orig_h] == '(empty)') or
- ([zeek_cols][orig_h] == '-') or ([zeek_cols][orig_h] == '')) {
- mutate { id => "mutate_replace_zeek_notice_orig_h"
- replace => { "[zeek_cols][orig_h]" => "%{[zeek_cols][src]}" } }
- }
- if ([zeek_cols][dst]) and ((![zeek_cols][resp_h]) or ([zeek_cols][resp_h] == '(empty)') or
- ([zeek_cols][resp_h] == '-') or ([zeek_cols][resp_h] == '')) {
- mutate { id => "mutate_replace_zeek_notice_resp_h"
- replace => { "[zeek_cols][resp_h]" => "%{[zeek_cols][dst]}" } }
- }
- if [zeek_cols][p] and ((![zeek_cols][resp_p]) or ([zeek_cols][resp_p] == '(empty)') or
- ([zeek_cols][resp_p] == '-') or ([zeek_cols][resp_p] == '')) {
- mutate { id => "mutate_replace_zeek_resp_p"
- replace => { "[zeek_cols][resp_p]" => "%{[zeek_cols][p]}" } }
- }
-
- } else if ([log_source] == "ntlm") {
- #############################################################################################################################
- # ntlm.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/ntlm/main.zeek.html#type-NTLM::Info
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_ntlm_fields"
- rename => { "[zeek_cols][hostname]" => "[zeek_cols][host]" }
- rename => { "[zeek_cols][domainname]" => "[zeek_cols][domain]" }
- rename => { "[zeek_cols][server_nb_computer_name]" => "[zeek_cols][server_nb_computer]" }
- rename => { "[zeek_cols][server_dns_computer_name]" => "[zeek_cols][server_dns_computer]" }
- rename => { "[zeek_cols][server_tree_name]" => "[zeek_cols][server_tree]" }
- rename => { "[zeek_cols][username]" => "[zeek_cols][user]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_ntlm_with_all_fields"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user]} %{[zeek_cols][host]} %{[zeek_cols][domain]} %{[zeek_cols][server_nb_computer]} %{[zeek_cols][server_dns_computer]} %{[zeek_cols][server_tree]} %{[zeek_cols][success]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ntlm"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ntlm"
- init => "@zeek_ntlm_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'user', 'host', 'domain', 'server_nb_computer', 'server_dns_computer', 'server_tree', 'success' ]"
- code => "event.set('[zeek_cols]', @zeek_ntlm_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ntlm"
- add_field => { "[zeek_cols][service]" => "ntlm" }
- }
-
- } else if ([log_source] == "ntp") {
- #############################################################################################################################
- # ntp.log
- # https://docs.zeek.org/en/latest/scripts/base/protocols/ntp/main.zeek.html#type-NTP::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_ntp"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][mode]} %{[zeek_cols][stratum]} %{[zeek_cols][poll]} %{[zeek_cols][precision]} %{[zeek_cols][root_delay]} %{[zeek_cols][root_disp]} %{[zeek_cols][ref_id]} %{[zeek_cols][ref_time]} %{[zeek_cols][org_time]} %{[zeek_cols][rec_time]} %{[zeek_cols][xmt_time]} %{[zeek_cols][num_exts]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ntp"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ntp"
- init => "@zeek_ntp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'mode', 'stratum', 'poll', 'precision', 'root_delay', 'root_disp', 'ref_id', 'ref_time', 'org_time', 'rec_time', 'xmt_time', 'num_exts' ]"
- code => "event.set('[zeek_cols]', @zeek_ntp_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ntp"
- add_field => {
- "[zeek_cols][proto]" => "udp"
- "[zeek_cols][service]" => "ntp"
- }
- }
-
- } else if ([log_source] == "ocsp") {
- #############################################################################################################################
- # ocsp.log
- # https://docs.zeek.org/en/stable/scripts/policy/files/x509/log-ocsp.zeek.html#type-OCSP::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_ocsp"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][fuid]} %{[zeek_cols][hashAlgorithm]} %{[zeek_cols][issuerNameHash]} %{[zeek_cols][issuerKeyHash]} %{[zeek_cols][serialNumber]} %{[zeek_cols][certStatus]} %{[zeek_cols][revoketime]} %{[zeek_cols][revokereason]} %{[zeek_cols][thisUpdate]} %{[zeek_cols][nextUpdate]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ocsp"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
-
- ruby {
- id => "ruby_zip_zeek_ocsp"
- init => "@zeek_ocsp_field_names = [ 'ts', 'fuid', 'hashAlgorithm', 'issuerNameHash', 'issuerKeyHash', 'serialNumber', 'certStatus', 'revoketime', 'revokereason', 'thisUpdate', 'nextUpdate' ]"
- code => "event.set('[zeek_cols]', @zeek_ocsp_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate { id => "mutate_add_fields_zeek_service_ocsp"
- add_field => { "[zeek_cols][service]" => "X.509" } }
-
- } else if ([log_source] == "ospf") {
- #############################################################################################################################
- # ospf.log
- # https://github.com/corelight/zeek-spicy-ospf
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_ospf_fields"
- rename => { "[zeek_cols][ip_dst]" => "[zeek_cols][orig_h]" }
- rename => { "[zeek_cols][ip_src]" => "[zeek_cols][resp_h]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_ospf"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][resp_h]} %{[zeek_cols][ospf_type]} %{[zeek_cols][version]} %{[zeek_cols][router_id]} %{[zeek_cols][area_id]} %{[zeek_cols][interface_id]} %{[zeek_cols][netmask]} %{[zeek_cols][desig_router]} %{[zeek_cols][backup_router]} %{[zeek_cols][neighbors]} %{[zeek_cols][lsa_type]} %{[zeek_cols][link_state_id]} %{[zeek_cols][advert_router]} %{[zeek_cols][routers]} %{[zeek_cols][link_id]} %{[zeek_cols][link_data]} %{[zeek_cols][link_type]} %{[zeek_cols][neighbor_router_id]} %{[zeek_cols][metrics]} %{[zeek_cols][fwd_addrs]} %{[zeek_cols][route_tags]} %{[zeek_cols][neighbor_interface_id]} %{[zeek_cols][prefix]} %{[zeek_cols][metric]} %{[zeek_cols][dest_router_id]} %{[zeek_cols][link_prefixes]} %{[zeek_cols][intra_prefixes]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ospf"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
-
- ruby {
- id => "ruby_zip_zeek_ospf"
- init => "@zeek_ospf_field_names = [ 'ts', 'orig_h', 'resp_h', 'ospf_type', 'version', 'router_id', 'area_id', 'interface_id', 'netmask', 'desig_router', 'backup_router', 'neighbors', 'lsa_type', 'link_state_id', 'advert_router', 'routers', 'link_id', 'link_data', 'link_type', 'neighbor_router_id', 'metrics', 'fwd_addrs', 'route_tags', 'neighbor_interface_id', 'prefix', 'metric', 'dest_router_id', 'link_prefixes', 'intra_prefixes' ]"
- code => "event.set('[zeek_cols]', @zeek_ospf_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_ospf_commas"
- split => { "[zeek_cols][neighbors]" => ","
- "[zeek_cols][routers]" => ","
- "[zeek_cols][metrics]" => ","
- "[zeek_cols][fwd_addrs]" => ","
- "[zeek_cols][route_tags]" => ","
- "[zeek_cols][link_prefixes]" => ","
- "[zeek_cols][intra_prefixes]" => "," } }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ospf"
- add_field => {
- "[zeek_cols][proto]" => "ospf"
- "[zeek_cols][service]" => "ospf"
- }
- }
-
- } else if ([log_source] == "pe") {
- #############################################################################################################################
- # pe.log
- # https://docs.zeek.org/en/stable/scripts/base/files/pe/main.zeek.html#type-PE::Info
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_pe_fields"
- rename => { "[zeek_cols][id]" => "[zeek_cols][fuid]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_pe"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][fuid]} %{[zeek_cols][machine]} %{[zeek_cols][compile_ts]} %{[zeek_cols][os]} %{[zeek_cols][subsystem]} %{[zeek_cols][is_exe]} %{[zeek_cols][is_64bit]} %{[zeek_cols][uses_aslr]} %{[zeek_cols][uses_dep]} %{[zeek_cols][uses_code_integrity]} %{[zeek_cols][uses_seh]} %{[zeek_cols][has_import_table]} %{[zeek_cols][has_export_table]} %{[zeek_cols][has_cert_table]} %{[zeek_cols][has_debug_data]} %{[zeek_cols][section_names]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_pe"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_pe"
- init => "@zeek_pe_field_names = [ 'ts', 'fuid', 'machine', 'compile_ts', 'os', 'subsystem', 'is_exe', 'is_64bit', 'uses_aslr', 'uses_dep', 'uses_code_integrity', 'uses_seh', 'has_import_table', 'has_export_table', 'has_cert_table', 'has_debug_data', 'section_names' ]"
- code => "event.set('[zeek_cols]', @zeek_pe_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_pe_section_names"
- split => { "[zeek_cols][section_names]" => "," } }
- }
-
- } else if ([log_source] == "profinet") {
- #############################################################################################################################
- # profinet.log
- # https://github.com/amzn/zeek-plugin-profinet/blob/master/scripts/main.zeek
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_profinet"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][operation_type]} %{[zeek_cols][block_version]} %{[zeek_cols][slot_number]} %{[zeek_cols][subslot_number]} %{[zeek_cols][index]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_profinet"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_profinet"
- init => "@zeek_profinet_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'operation_type', 'block_version', 'slot_number', 'subslot_number', 'index' ]"
- code => "event.set('[zeek_cols]', @zeek_profinet_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_profinet"
- add_field => { "[zeek_cols][service]" => "profinet" }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "profinet_dce_rpc") {
- #############################################################################################################################
- # profinet_dce_rpc.log
- # https://github.com/amzn/zeek-plugin-profinet/blob/master/scripts/main.zeek
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_profinet_dce_rpc"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][packet_type]} %{[zeek_cols][object_uuid]} %{[zeek_cols][interface_uuid]} %{[zeek_cols][activity_uuid]} %{[zeek_cols][server_boot_time]} %{[zeek_cols][operation]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_profinet_dce_rpc"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_profinet_dce_rpc"
- init => "@zeek_profinet_dce_rpc_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'packet_type', 'object_uuid', 'interface_uuid', 'activity_uuid', 'server_boot_time', 'operation' ]"
- code => "event.set('[zeek_cols]', @zeek_profinet_dce_rpc_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_profinet_dce_rpc"
- add_field => { "[zeek_cols][service]" => "profinet_dce_rpc" }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "profinet_io_cm") {
- #############################################################################################################################
- # profinet_io_cm.log
- # https://github.com/cisagov/icsnpp-profinet-io-cm
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_profinet_io_cm_fields"
- rename => { "[zeek_cols][array_of_sel_ack]" => "[zeek_cols][sel_ack]" }
- rename => { "[zeek_cols][operation_num]" => "[zeek_cols][operation]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_profinet_io_cm"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][rpc_version]} %{[zeek_cols][packet_type]} %{[zeek_cols][reserved_for_impl_1]} %{[zeek_cols][last_fragment]} %{[zeek_cols][fragment]} %{[zeek_cols][no_fragment_requested]} %{[zeek_cols][maybe]} %{[zeek_cols][idempotent]} %{[zeek_cols][broadcast]} %{[zeek_cols][reserved_for_impl_2]} %{[zeek_cols][cancel_was_pending_at_call_end]} %{[zeek_cols][integer_encoding]} %{[zeek_cols][character_encoding]} %{[zeek_cols][floating_point_encoding]} %{[zeek_cols][serial_high]} %{[zeek_cols][object_uuid]} %{[zeek_cols][interface_uuid]} %{[zeek_cols][activity_uuid]} %{[zeek_cols][server_boot_time]} %{[zeek_cols][interface_vers_major]} %{[zeek_cols][interface_vers_minor]} %{[zeek_cols][sequence_num]} %{[zeek_cols][operation]} %{[zeek_cols][interface_hint]} %{[zeek_cols][activity_hint]} %{[zeek_cols][len_of_body]} %{[zeek_cols][fragment_num]} %{[zeek_cols][auth_protocol]} %{[zeek_cols][serial_low]} %{[zeek_cols][vers_fack]} %{[zeek_cols][window_size]} %{[zeek_cols][max_tsdu]} %{[zeek_cols][max_frag_size]} %{[zeek_cols][serial_number]} %{[zeek_cols][sel_ack_len]} %{[zeek_cols][sel_ack]}"
- }
- }
-
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_profinet_io_cm"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_profinet_io_cm"
- init => "$zeek_profinet_io_cm_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'rpc_version', 'packet_type', 'reserved_for_impl_1', 'last_fragment', 'fragment', 'no_fragment_requested', 'maybe', 'idempotent', 'broadcast', 'reserved_for_impl_2', 'cancel_was_pending_at_call_end', 'integer_encoding', 'character_encoding', 'floating_point_encoding', 'serial_high', 'object_uuid', 'interface_uuid', 'activity_uuid', 'server_boot_time', 'interface_vers_major', 'interface_vers_minor', 'sequence_num', 'operation', 'interface_hint', 'activity_hint', 'len_of_body', 'fragment_num', 'auth_protocol', 'serial_low', 'vers_fack', 'window_size', 'max_tsdu', 'max_frag_size', 'serial_number', 'sel_ack_len', 'sel_ack' ]"
- code => "event.set('[zeek_cols]', $zeek_profinet_io_cm_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_profinet_io_cm_commas"
- split => { "[zeek_cols][sel_ack]" => "," } }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_profinet_io_cm"
- add_field => {
- "[zeek_cols][proto]" => "udp"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "radius") {
- #############################################################################################################################
- # radius.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/radius/main.zeek.html#type-RADIUS::Info
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_radius_fields"
- rename => { "[zeek_cols][username]" => "[zeek_cols][user]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_radius"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user]} %{[zeek_cols][mac]} %{[zeek_cols][framed_addr]} %{[zeek_cols][tunnel_client]} %{[zeek_cols][connect_info]} %{[zeek_cols][reply_msg]} %{[zeek_cols][result]} %{[zeek_cols][ttl]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_radius"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_radius"
- init => "@zeek_radius_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'user', 'mac', 'framed_addr', 'tunnel_client', 'connect_info', 'reply_msg', 'result', 'ttl' ]"
- code => "event.set('[zeek_cols]', @zeek_radius_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_radius"
- add_field => { "[zeek_cols][service]" => "radius" }
- }
-
- } else if ([log_source] == "rdp") {
- #############################################################################################################################
- # rdp.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/rdp/main.zeek.html#type-RDP::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_rdp_with_all_fields"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][cookie]} %{[zeek_cols][result]} %{[zeek_cols][security_protocol]} %{[zeek_cols][client_channels]} %{[zeek_cols][keyboard_layout]} %{[zeek_cols][client_build]} %{[zeek_cols][client_name]} %{[zeek_cols][client_dig_product_id]} %{[zeek_cols][desktop_width]} %{[zeek_cols][desktop_height]} %{[zeek_cols][requested_color_depth]} %{[zeek_cols][cert_type]} %{[zeek_cols][cert_count]} %{[zeek_cols][cert_permanent]} %{[zeek_cols][encryption_level]} %{[zeek_cols][encryption_method]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_rdp"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_rdp"
- init => "@zeek_rdp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'cookie', 'result', 'security_protocol', 'client_channels', 'keyboard_layout', 'client_build', 'client_name', 'client_dig_product_id', 'desktop_width', 'desktop_height', 'requested_color_depth', 'cert_type', 'cert_count', 'cert_permanent', 'encryption_level', 'encryption_method' ]"
- code => "event.set('[zeek_cols]', @zeek_rdp_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_rdp_client_channels"
- split => { "[zeek_cols][client_channels]" => "," } }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_rdp"
- add_field => { "[zeek_cols][service]" => "rdp" }
- }
-
- # remove RDP prefix from client_build (version)
- mutate { id => "mutate_gsub_field_zeek_rdp_client_build"
- gsub => [ "[zeek_cols][client_build]", "^RDP ", "" ] }
-
- } else if ([log_source] == "rfb") {
- #############################################################################################################################
- # rfb.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/rfb/main.zeek.html#type-RFB::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_rfb"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][client_major_version]} %{[zeek_cols][client_minor_version]} %{[zeek_cols][server_major_version]} %{[zeek_cols][server_minor_version]} %{[zeek_cols][authentication_method]} %{[zeek_cols][auth]} %{[zeek_cols][share_flag]} %{[zeek_cols][desktop_name]} %{[zeek_cols][width]} %{[zeek_cols][height]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_rfb"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_rfb"
- init => "@zeek_rfb_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'client_major_version', 'client_minor_version', 'server_major_version', 'server_minor_version', 'authentication_method', 'auth', 'share_flag', 'desktop_name', 'width', 'height' ]"
- code => "event.set('[zeek_cols]', @zeek_rfb_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_rfb"
- add_field => { "[zeek_cols][service]" => "rfb" }
- }
-
- } else if ([log_source] == "s7comm") {
- #############################################################################################################################
- # s7comm.log
- # https://github.com/cisagov/icsnpp-s7comm
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_s7comm"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][rosctr_code]} %{[zeek_cols][rosctr_name]} %{[zeek_cols][pdu_reference]} %{[zeek_cols][function_code]} %{[zeek_cols][function_name]} %{[zeek_cols][subfunction_code]} %{[zeek_cols][subfunction_name]} %{[zeek_cols][error_class]} %{[zeek_cols][error_code]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_s7comm"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_s7comm"
- init => "@zeek_s7comm_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'rosctr_code', 'rosctr_name', 'pdu_reference', 'function_code', 'function_name', 'subfunction_code', 'subfunction_name', 'error_class', 'error_code' ]"
- code => "event.set('[zeek_cols]', @zeek_s7comm_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_s7comm"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "s7comm"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "s7comm_plus") {
- #############################################################################################################################
- # s7comm_plus.log
- # https://github.com/cisagov/icsnpp-s7comm
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_s7comm_plus"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][opcode]} %{[zeek_cols][opcode_name]} %{[zeek_cols][function_code]} %{[zeek_cols][function_name]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_s7comm_plus"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_s7comm_plus"
- init => "@zeek_s7comm_plus_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'opcode', 'opcode_name', 'function_code', 'function_name' ]"
- code => "event.set('[zeek_cols]', @zeek_s7comm_plus_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_s7comm_plus"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "s7comm_plus"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "s7comm_read_szl") {
- #############################################################################################################################
- # s7comm_read_szl.log
- # https://github.com/cisagov/icsnpp-s7comm
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_s7comm_read_szl"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][pdu_reference]} %{[zeek_cols][method]} %{[zeek_cols][szl_id]} %{[zeek_cols][szl_id_name]} %{[zeek_cols][szl_index]} %{[zeek_cols][return_code]} %{[zeek_cols][return_code_name]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_s7comm_read_szl"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_s7comm_read_szl"
- init => "@zeek_s7comm_read_szl_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'pdu_reference', 'method', 'szl_id', 'szl_id_name', 'szl_index', 'return_code', 'return_code_name' ]"
- code => "event.set('[zeek_cols]', @zeek_s7comm_read_szl_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_s7comm_read_szl"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "s7comm"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "s7comm_upload_download") {
- #############################################################################################################################
- # s7comm_upload_download.log
- # https://github.com/cisagov/icsnpp-s7comm
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_s7comm_upload_download_fields"
- rename => { "[zeek_cols][rosctr]" => "[zeek_cols][rosctr_name]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_s7comm_upload_download"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][rosctr_name]} %{[zeek_cols][pdu_reference]} %{[zeek_cols][function_name]} %{[zeek_cols][function_status]} %{[zeek_cols][session_id]} %{[zeek_cols][blocklength]} %{[zeek_cols][filename]} %{[zeek_cols][block_type]} %{[zeek_cols][block_number]} %{[zeek_cols][destination_filesystem]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_s7comm_upload_download"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_s7comm_upload_download"
- init => "@zeek_s7comm_upload_download_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'rosctr_name', 'pdu_reference', 'function_name', 'function_status', 'session_id', 'blocklength', 'filename', 'block_type', 'block_number', 'destination_filesystem' ]"
- code => "event.set('[zeek_cols]', @zeek_s7comm_upload_download_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_s7comm_upload_download"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "s7comm"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "signatures") {
- #############################################################################################################################
- # signatures.log
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_signatures"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][note]} %{[zeek_cols][signature_id]} %{[zeek_cols][event_message]} %{[zeek_cols][sub_message]} %{[zeek_cols][signature_count]} %{[zeek_cols][host_count]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_signatures"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_signatures"
- init => "@zeek_signatures_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'note', 'signature_id', 'event_message', 'sub_message', 'signature_count', 'host_count' ]"
- code => "event.set('[zeek_cols]', @zeek_signatures_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- if ("_carved" in [tags]) {
- # Malcolm does some "special" stuff in zeek_carve_logger.py for file carving, sort of hijacking signatures.log for it:
- # - _carved signature logs' sub_message contains fuid(s) comma-separated
- mutate { id => "mutate_split_zeek_signatures_sub_message"
- split => { "[zeek_cols][sub_message]" => "," } }
- }
- }
-
- } else if ([log_source] == "sip") {
- #############################################################################################################################
- # sip.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/sip/main.zeek.html#type-SIP::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_sip"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][method]} %{[zeek_cols][uri]} %{[zeek_cols][date]} %{[zeek_cols][request_from]} %{[zeek_cols][request_to]} %{[zeek_cols][response_from]} %{[zeek_cols][response_to]} %{[zeek_cols][reply_to]} %{[zeek_cols][call_id]} %{[zeek_cols][seq]} %{[zeek_cols][subject]} %{[zeek_cols][request_path]} %{[zeek_cols][response_path]} %{[zeek_cols][user_agent]} %{[zeek_cols][status_code]} %{[zeek_cols][status_msg]} %{[zeek_cols][warning]} %{[zeek_cols][request_body_len]} %{[zeek_cols][response_body_len]} %{[zeek_cols][content_type]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_sip"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_sip"
- init => "@zeek_sip_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'method', 'uri', 'date', 'request_from', 'request_to', 'response_from', 'response_to', 'reply_to', 'call_id', 'seq', 'subject', 'request_path', 'response_path', 'user_agent', 'status_code', 'status_msg', 'warning', 'request_body_len', 'response_body_len', 'content_type' ]"
- code => "event.set('[zeek_cols]', @zeek_sip_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_sip_commas"
- split => { "[zeek_cols][request_path]" => ","
- "[zeek_cols][response_path]" => "," } }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_sip"
- add_field => { "[zeek_cols][service]" => "sip" }
- }
-
- } else if ([log_source] == "smb_cmd") {
- #############################################################################################################################
- # smb_cmd.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::CmdInfo
- #
- # note that smb_cmd.referenced_file is exactly the same structure as the log line for smb_files. later on it will be
- # merged up as its own top-level entity so I don't have to duplicate the parsing effort below
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_smb_cmd_referenced_file_fields"
- rename => { "[zeek_cols][referenced_file.id.orig_h]" => "[zeek_cols][referenced_file][orig_h]" }
- rename => { "[zeek_cols][referenced_file.id.orig_p]" => "[zeek_cols][referenced_file][orig_p]" }
- rename => { "[zeek_cols][referenced_file.id.resp_h]" => "[zeek_cols][referenced_file][resp_h]" }
- rename => { "[zeek_cols][referenced_file.id.resp_p]" => "[zeek_cols][referenced_file][resp_p]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_smb_cmd"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][command]} %{[zeek_cols][sub_command]} %{[zeek_cols][argument]} %{[zeek_cols][status]} %{[zeek_cols][rtt]} %{[zeek_cols][version]} %{[zeek_cols][user]} %{[zeek_cols][tree]} %{[zeek_cols][tree_service]} %{[zeek_cols][referenced_file][ts]} %{[zeek_cols][referenced_file][uid]} %{[zeek_cols][referenced_file][orig_h]} %{[zeek_cols][referenced_file][orig_p]} %{[zeek_cols][referenced_file][resp_h]} %{[zeek_cols][referenced_file][resp_p]} %{[zeek_cols][referenced_file][fuid]} %{[zeek_cols][referenced_file][action]} %{[zeek_cols][referenced_file][path]} %{[zeek_cols][referenced_file][name]} %{[zeek_cols][referenced_file][size]} %{[zeek_cols][referenced_file][prev_name]} %{[zeek_cols][referenced_file][times_modified]} %{[zeek_cols][referenced_file][times_accessed]} %{[zeek_cols][referenced_file][times_created]} %{[zeek_cols][referenced_file][times_changed]} %{[zeek_cols][referenced_file][data_offset_req]} %{[zeek_cols][referenced_file][data_len_req]} %{[zeek_cols][referenced_file][data_len_rsp]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_smb_cmd"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_smb_cmd"
- init => "@zeek_smb_cmd_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'command', 'sub_command', 'argument', 'status', 'rtt', 'version', 'user', 'tree', 'tree_service', 'referenced_file.ts', 'referenced_file.uid', 'referenced_file.orig_h', 'referenced_file.orig_p', 'referenced_file.resp_h', 'referenced_file.resp_p', 'referenced_file.fuid', 'referenced_file.action', 'referenced_file.path', 'referenced_file.name', 'referenced_file.size', 'referenced_file.prev_name', 'referenced_file.times_modified', 'referenced_file.times_accessed', 'referenced_file.times_created', 'referenced_file.times_changed', 'referenced_file.data_offset_req', 'referenced_file.data_len_req', 'referenced_file.data_len_rsp' ]"
- code => "event.set('[zeek_cols]', @zeek_smb_cmd_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_smb_cmd"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "smb"
- }
- }
-
- # remove SMB prefix from version
- mutate { id => "mutate_gsub_field_zeek_smb_cmd_version"
- gsub => [ "[zeek_cols][version]", "^SMB", "" ] }
-
- mutate { id => "mutate_gsub_zeek_smb_cmd_command"
- gsub => [ "[zeek_cols][command]", "^SMB::", "" ] }
-
- } else if ([log_source] == "smb_files") {
- #############################################################################################################################
- # smb_files.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::FileInfo
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_smb_files_with_all_fields"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][fuid]} %{[zeek_cols][action]} %{[zeek_cols][path]} %{[zeek_cols][name]} %{[zeek_cols][size]} %{[zeek_cols][prev_name]} %{[zeek_cols][times_modified]} %{[zeek_cols][times_accessed]} %{[zeek_cols][times_created]} %{[zeek_cols][times_changed]} %{[zeek_cols][data_offset_req]} %{[zeek_cols][data_len_req]} %{[zeek_cols][data_len_rsp]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_smb_files"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_smb_files"
- init => "@zeek_smb_files_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'fuid', 'action', 'path', 'name', 'size', 'prev_name', 'times_modified', 'times_accessed', 'times_created', 'times_changed', 'data_offset_req', 'data_len_req', 'data_len_rsp' ]"
- code => "event.set('[zeek_cols]', @zeek_smb_files_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_smb_files"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "smb"
- }
- }
-
- mutate { id => "mutate_gsub_zeek_smb_files_action"
- gsub => [ "[zeek_cols][action]", "^SMB::", "" ] }
-
- } else if ([log_source] == "smb_mapping") {
- #############################################################################################################################
- # smb_mapping.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::TreeInfo
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_smb_mapping"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][path]} %{[zeek_cols][resource_type]} %{[zeek_cols][native_file_system]} %{[zeek_cols][share_type]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_smb_mapping"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_smb_mapping"
- init => "@zeek_smb_mapping_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'path', 'resource_type', 'native_file_system', 'share_type' ]"
- code => "event.set('[zeek_cols]', @zeek_smb_mapping_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_smb_mapping"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "smb"
- }
- }
-
- } else if ([log_source] == "smtp") {
- #############################################################################################################################
- # smtp.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/smtp/main.zeek.html#type-SMTP::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_smtp"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][helo]} %{[zeek_cols][mailfrom]} %{[zeek_cols][rcptto]} %{[zeek_cols][date]} %{[zeek_cols][from]} %{[zeek_cols][to]} %{[zeek_cols][cc]} %{[zeek_cols][reply_to]} %{[zeek_cols][msg_id]} %{[zeek_cols][in_reply_to]} %{[zeek_cols][subject]} %{[zeek_cols][x_originating_ip]} %{[zeek_cols][first_received]} %{[zeek_cols][second_received]} %{[zeek_cols][last_reply]} %{[zeek_cols][path]} %{[zeek_cols][user_agent]} %{[zeek_cols][tls]} %{[zeek_cols][fuid]} %{[zeek_cols][is_webmail]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_smtp"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_smtp"
- init => "@zeek_smtp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'helo', 'mailfrom', 'rcptto', 'date', 'from', 'to', 'cc', 'reply_to', 'msg_id', 'in_reply_to', 'subject', 'x_originating_ip', 'first_received', 'second_received', 'last_reply', 'path', 'user_agent', 'tls', 'fuid', 'is_webmail' ]"
- code => "event.set('[zeek_cols]', @zeek_smtp_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_smtp_commas"
- split => { "[zeek_cols][rcptto]" => ","
- "[zeek_cols][to]" => ","
- "[zeek_cols][cc]" => ","
- "[zeek_cols][path]" => "," } }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_smtp"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "smtp"
- }
- }
-
- } else if ([log_source] == "snmp") {
- #############################################################################################################################
- # snmp.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/snmp/main.zeek.html#type-SNMP::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_snmp"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][duration]} %{[zeek_cols][version]} %{[zeek_cols][community]} %{[zeek_cols][get_requests]} %{[zeek_cols][get_bulk_requests]} %{[zeek_cols][get_responses]} %{[zeek_cols][set_requests]} %{[zeek_cols][display_string]} %{[zeek_cols][up_since]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_snmp"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_snmp"
- init => "@zeek_snmp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'duration', 'version', 'community', 'get_requests', 'get_bulk_requests', 'get_responses', 'set_requests', 'display_string', 'up_since' ]"
- code => "event.set('[zeek_cols]', @zeek_snmp_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_snmp"
- add_field => {
- "[zeek_cols][proto]" => "udp"
- "[zeek_cols][service]" => "snmp"
- }
- }
-
- } else if ([log_source] == "socks") {
- #############################################################################################################################
- # socks.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/socks/main.zeek.html#type-SOCKS::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_socks"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][user]} %{[zeek_cols][password]} %{[zeek_cols][server_status]} %{[zeek_cols][request_host]} %{[zeek_cols][request_name]} %{[zeek_cols][request_port]} %{[zeek_cols][bound_host]} %{[zeek_cols][bound_name]} %{[zeek_cols][bound_port]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_socks"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_socks"
- init => "@zeek_socks_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'user', 'password', 'server_status', 'request_host', 'request_name', 'request_port', 'bound_host', 'bound_name', 'bound_port' ]"
- code => "event.set('[zeek_cols]', @zeek_socks_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_socks"
- add_field => { "[zeek_cols][service]" => "socks" }
- }
-
- } else if ([log_source] == "software") {
- #############################################################################################################################
- # software.log
- # https://docs.zeek.org/en/stable/scripts/base/frameworks/software/main.zeek.html#type-Software::Info
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_software_fields"
- rename => { "[zeek_cols][host]" => "[zeek_cols][orig_h]" }
- rename => { "[zeek_cols][host_p]" => "[zeek_cols][orig_p]" }
- rename => { "[zeek_cols][version.major]" => "[zeek_cols][version_major]" }
- rename => { "[zeek_cols][version.minor]" => "[zeek_cols][version_minor]" }
- rename => { "[zeek_cols][version.minor2]" => "[zeek_cols][version_minor2]" }
- rename => { "[zeek_cols][version.minor3]" => "[zeek_cols][version_minor3]" }
- rename => { "[zeek_cols][version.addl]" => "[zeek_cols][version_addl]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_software"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][software_type]} %{[zeek_cols][name]} %{[zeek_cols][version_major]} %{[zeek_cols][version_minor]} %{[zeek_cols][version_minor2]} %{[zeek_cols][version_minor3]} %{[zeek_cols][version_addl]} %{[zeek_cols][unparsed_version]} %{[zeek_cols][url]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_software"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_software"
- init => "@zeek_software_field_names = [ 'ts', 'orig_h', 'orig_p', 'software_type', 'name', 'version_major', 'version_minor', 'version_minor2', 'version_minor3', 'version_addl', 'unparsed_version', 'url' ]"
- code => "event.set('[zeek_cols]', @zeek_software_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- } else if ([log_source] == "wireguard") {
- #############################################################################################################################
- # wireguard.log
- # https://github.com/corelight/zeek-spicy-wireguard/blob/master/analyzer/main.zeek
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_wireguard"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][established]} %{[zeek_cols][initiations]} %{[zeek_cols][responses]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_wireguard"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_wireguard"
- init => "@zeek_wireguard_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'established', 'initiations', 'responses' ]"
- code => "event.set('[zeek_cols]', @zeek_wireguard_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate { id => "mutate_gsub_zeek_wireguard_packet_type"
- gsub => [ "[zeek_cols][packet_type]", "Wireguard::WG_", "" ] }
-
- mutate {
- id => "mutate_add_field_zeek_service_wireguard"
- add_field => {
- "[zeek_cols][proto]" => "udp"
- "[zeek_cols][service]" => "wireguard"
- }
- }
-
- } else if ([log_source] == "ssh") {
- #############################################################################################################################
- # ssh.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/ssh/main.zeek.html#type-SSH::Info
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_ssh_fields"
- rename => { "[zeek_cols][hasshServer_Algorithms]" => "[zeek_cols][hasshServerAlgorithms]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_ssh_with_all_fields_with_hassh"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][auth_success]} %{[zeek_cols][auth_attempts]} %{[zeek_cols][direction]} %{[zeek_cols][client]} %{[zeek_cols][server]} %{[zeek_cols][cipher_alg]} %{[zeek_cols][mac_alg]} %{[zeek_cols][compression_alg]} %{[zeek_cols][kex_alg]} %{[zeek_cols][host_key_alg]} %{[zeek_cols][host_key]} %{[zeek_cols][remote_location_country_code]} %{[zeek_cols][remote_location_region]} %{[zeek_cols][remote_location_city]} %{[zeek_cols][remote_location_latitude]} %{[zeek_cols][remote_location_longitude]} %{[zeek_cols][hasshVersion]} %{[zeek_cols][hassh]} %{[zeek_cols][hasshServer]} %{[zeek_cols][cshka]} %{[zeek_cols][hasshAlgorithms]} %{[zeek_cols][sshka]} %{[zeek_cols][hasshServerAlgorithms]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ssh"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ssh"
- init => "@zeek_ssh_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'auth_success', 'auth_attempts', 'direction', 'client', 'server', 'cipher_alg', 'mac_alg', 'compression_alg', 'kex_alg', 'host_key_alg', 'host_key', 'remote_location_country_code', 'remote_location_region', 'remote_location_city', 'remote_location_latitude', 'remote_location_longitude', 'hasshVersion', 'hassh', 'hasshServer', 'cshka', 'hasshAlgorithms', 'sshka', 'hasshServerAlgorithms' ]"
- code => "event.set('[zeek_cols]', @zeek_ssh_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_ssh_commas"
- split => { "[zeek_cols][hasshAlgorithms]" => ","
- "[zeek_cols][hasshServerAlgorithms]" => ","
- "[zeek_cols][cshka]" => ","
- "[zeek_cols][sshka]" => "," } }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ssh"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "ssh"
- }
- }
-
- } else if ([log_source] == "ssl") {
- #############################################################################################################################
- # ssl.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/ssl/main.zeek.html#type-SSL::Info
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_ssl_fields"
- rename => { "[zeek_cols][version]" => "[zeek_cols][ssl_version]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_ssl_v1_with_ja4"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ssl_version]} %{[zeek_cols][cipher]} %{[zeek_cols][curve]} %{[zeek_cols][server_name]} %{[zeek_cols][resumed]} %{[zeek_cols][last_alert]} %{[zeek_cols][next_protocol]} %{[zeek_cols][established]} %{[zeek_cols][ssl_history]} %{[zeek_cols][cert_chain_fps]} %{[zeek_cols][client_cert_chain_fps]} %{[zeek_cols][sni_matches_cert]} %{[zeek_cols][validation_status]} %{[zeek_cols][ja4]} %{[zeek_cols][ja4s]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ssl"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ssl"
- init => "@zeek_ssl_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'ssl_version', 'cipher', 'curve', 'server_name', 'resumed', 'last_alert', 'next_protocol', 'established', 'ssl_history', 'cert_chain_fps', 'client_cert_chain_fps', 'sni_matches_cert', 'validation_status', 'ja4', 'ja4s' ]"
- code => "event.set('[zeek_cols]', @zeek_ssl_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_ssl_commas"
- split => { "[zeek_cols][cert_chain_fuids]" => ","
- "[zeek_cols][client_cert_chain_fuids]" => ","
- "[zeek_cols][cert_chain_fps]" => ","
- "[zeek_cols][client_cert_chain_fps]" => "," } }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ssl"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "tls"
- }
- }
-
- } else if ([log_source] == "stun") {
- #############################################################################################################################
- # stun.log
- # https://github.com/corelight/zeek-spicy-stun/blob/master/analyzer/main.zeek
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_stun_fields"
- rename => { "[zeek_cols][attr_types]" => "[zeek_cols][attr_type]" }
- rename => { "[zeek_cols][attr_vals]" => "[zeek_cols][attr_val]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_stun"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][is_orig]} %{[zeek_cols][trans_id]} %{[zeek_cols][method]} %{[zeek_cols][class]} %{[zeek_cols][attr_type]} %{[zeek_cols][attr_val]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_stun"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_stun"
- init => "@zeek_stun_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'is_orig', 'trans_id', 'method', 'class', 'attr_type', 'attr_val' ]"
- code => "event.set('[zeek_cols]', @zeek_stun_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_field_zeek_stun_commas"
- split => { "[zeek_cols][attr_type]" => ","
- "[zeek_cols][attr_val]" => "," } }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_stun"
- add_field => {
- "[zeek_cols][service]" => "stun"
- }
- }
-
- } else if ([log_source] == "stun_nat") {
- #############################################################################################################################
- # stun.log
- # https://github.com/corelight/zeek-spicy-stun/blob/master/analyzer/main.zeek
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_stun_nat_fields"
- rename => { "[zeek_cols][wan_addrs]" => "[zeek_cols][wan_addr]" }
- rename => { "[zeek_cols][wan_ports]" => "[zeek_cols][wan_port]" }
- rename => { "[zeek_cols][lan_addrs]" => "[zeek_cols][lan_addr]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_stun_nat"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][is_orig]} %{[zeek_cols][wan_addr]} %{[zeek_cols][wan_port]} %{[zeek_cols][lan_addr]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_stun_nat"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_stun_nat"
- init => "@zeek_stun_nat_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'is_orig', 'wan_addr', 'wan_port', 'lan_addr' ]"
- code => "event.set('[zeek_cols]', @zeek_stun_nat_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_field_zeek_stun_nat_commas"
- split => { "[zeek_cols][wan_addrs]" => ","
- "[zeek_cols][wan_ports]" => ","
- "[zeek_cols][lan_addrs]" => "," } }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_stun_nat"
- add_field => {
- "[zeek_cols][service]" => "stun"
- }
- }
-
- } else if ([log_source] == "synchrophasor") {
- #############################################################################################################################
- # synchrophasor.log
- # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_synchrophasor"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][version]} %{[zeek_cols][data_stream_id]} %{[zeek_cols][history]} %{[zeek_cols][frame_size_min]} %{[zeek_cols][frame_size_max]} %{[zeek_cols][frame_size_tot]} %{[zeek_cols][data_frame_count]} %{[zeek_cols][data_rate]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_synchrophasor"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_synchrophasor"
- init => "@zeek_synchrophasor_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'version', 'data_stream_id', 'history', 'frame_size_min', 'frame_size_max', 'frame_size_tot', 'data_frame_count', 'data_rate' ]"
- code => "event.set('[zeek_cols]', @zeek_synchrophasor_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_synchrophasor"
- add_field => {
- "[zeek_cols][service]" => "synchrophasor"
- }
- add_tag => [ "ics" ]
- }
-
-
- } else if ([log_source] == "synchrophasor_cmd") {
- #############################################################################################################################
- # synchrophasor_cmd.log
- # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_synchrophasor_cmd"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][command]} %{[zeek_cols][extframe]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_synchrophasor_cmd"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_synchrophasor_cmd"
- init => "@zeek_synchrophasor_cmd_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'command', 'extframe' ]"
- code => "event.set('[zeek_cols]', @zeek_synchrophasor_cmd_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_synchrophasor_cmd"
- add_field => {
- "[zeek_cols][service]" => "synchrophasor"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "synchrophasor_cfg") {
- #############################################################################################################################
- # synchrophasor_cfg.log
- # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_synchrophasor_cfg"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][cont_idx]} %{[zeek_cols][pmu_count_expected]} %{[zeek_cols][pmu_count_actual]} %{[zeek_cols][data_rate]} %{[zeek_cols][cfg_frame_id]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_synchrophasor_cfg"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_synchrophasor_cfg"
- init => "@zeek_synchrophasor_cfg_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'cont_idx', 'pmu_count_expected', 'pmu_count_actual', 'data_rate', 'cfg_frame_id' ]"
- code => "event.set('[zeek_cols]', @zeek_synchrophasor_cfg_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_synchrophasor_cfg"
- add_field => {
- "[zeek_cols][service]" => "synchrophasor"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "synchrophasor_cfg_detail") {
- #############################################################################################################################
- # synchrophasor_cfg_detail.log
- # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_synchrophasor_cfg_detail"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][cfg_frame_id]} %{[zeek_cols][pmu_idx]} %{[zeek_cols][svc_class]} %{[zeek_cols][station_name]} %{[zeek_cols][data_source_id]} %{[zeek_cols][global_pmuid]} %{[zeek_cols][phasor_shape]} %{[zeek_cols][phasor_format]} %{[zeek_cols][analog_format]} %{[zeek_cols][freq_format]} %{[zeek_cols][phnmr]} %{[zeek_cols][annmr]} %{[zeek_cols][dgnmr]} %{[zeek_cols][phnam]} %{[zeek_cols][annam]} %{[zeek_cols][dgnam]} %{[zeek_cols][phasor_conv_phunit]} %{[zeek_cols][phasor_conv_phvalue]} %{[zeek_cols][phasor_conv_upsampled_interpolation]} %{[zeek_cols][phasor_conv_upsampled_extrapolation]} %{[zeek_cols][phasor_conv_downsampled_reselection]} %{[zeek_cols][phasor_conv_downsampled_fir_filter]} %{[zeek_cols][phasor_conv_downsampled_no_fir_filter]} %{[zeek_cols][phasor_conv_filtered_without_changing_sampling]} %{[zeek_cols][phasor_conv_calibration_mag_adj]} %{[zeek_cols][phasor_conv_calibration_phas_adj]} %{[zeek_cols][phasor_conv_rotation_phase_adj]} %{[zeek_cols][phasor_conv_pseudo_phasor_val]} %{[zeek_cols][phasor_conv_mod_appl]} %{[zeek_cols][phasor_conv_phasor_component]} %{[zeek_cols][phasor_conv_phasor_type]} %{[zeek_cols][phasor_conv_user_def]} %{[zeek_cols][phasor_conv_scale_factor]} %{[zeek_cols][phasor_conv_angle_adj]} %{[zeek_cols][analog_conv_analog_flags]} %{[zeek_cols][analog_conv_user_defined_scaling]} %{[zeek_cols][analog_conv_mag_scale]} %{[zeek_cols][analog_conv_offset]} %{[zeek_cols][digital_conv_normal_status_mask]} %{[zeek_cols][digital_conv_valid_inputs_mask]} %{[zeek_cols][pmu_lat]} %{[zeek_cols][pmu_lon]} %{[zeek_cols][pmu_elev]} %{[zeek_cols][window]} %{[zeek_cols][group_delay]} %{[zeek_cols][fnom]} %{[zeek_cols][cfgcnt]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_synchrophasor_cfg_detail"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_synchrophasor_cfg_detail"
- init => "@zeek_synchrophasor_cfg_detail_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'header_time_stamp', 'cfg_frame_id', 'pmu_idx', 'svc_class', 'station_name', 'data_source_id', 'global_pmuid', 'phasor_shape', 'phasor_format', 'analog_format', 'freq_format', 'phnmr', 'annmr', 'dgnmr', 'phnam', 'annam', 'dgnam', 'phasor_conv_phunit', 'phasor_conv_phvalue', 'phasor_conv_upsampled_interpolation', 'phasor_conv_upsampled_extrapolation', 'phasor_conv_downsampled_reselection', 'phasor_conv_downsampled_fir_filter', 'phasor_conv_downsampled_no_fir_filter', 'phasor_conv_filtered_without_changing_sampling', 'phasor_conv_calibration_mag_adj', 'phasor_conv_calibration_phas_adj', 'phasor_conv_rotation_phase_adj', 'phasor_conv_pseudo_phasor_val', 'phasor_conv_mod_appl', 'phasor_conv_phasor_component', 'phasor_conv_phasor_type', 'phasor_conv_user_def', 'phasor_conv_scale_factor', 'phasor_conv_angle_adj', 'analog_conv_analog_flags', 'analog_conv_user_defined_scaling', 'analog_conv_mag_scale', 'analog_conv_offset', 'digital_conv_normal_status_mask', 'digital_conv_valid_inputs_mask', 'pmu_lat', 'pmu_lon', 'pmu_elev', 'window', 'group_delay', 'fnom', 'cfgcnt' ]"
- code => "event.set('[zeek_cols]', @zeek_synchrophasor_cfg_detail_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_synchrophasor_cfg_detail"
- add_field => {
- "[zeek_cols][service]" => "synchrophasor"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "synchrophasor_data") {
- #############################################################################################################################
- # synchrophasor_data.log
- # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_synchrophasor_data"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][pmu_count_expected]} %{[zeek_cols][pmu_count_actual]} %{[zeek_cols][data_frame_id]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_synchrophasor_data"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_synchrophasor_data"
- init => "@zeek_synchrophasor_data_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'pmu_count_expected', 'pmu_count_actual', 'data_frame_id' ]"
- code => "event.set('[zeek_cols]', @zeek_synchrophasor_data_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_synchrophasor_data"
- add_field => {
- "[zeek_cols][service]" => "synchrophasor"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "synchrophasor_data_detail") {
- #############################################################################################################################
- # synchrophasor_data_detail.log
- # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_synchrophasor_data_detail"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][data_frame_id]} %{[zeek_cols][pmu_idx]} %{[zeek_cols][trigger_reason]} %{[zeek_cols][unlocked_time]} %{[zeek_cols][pmu_time_quality]} %{[zeek_cols][data_modified]} %{[zeek_cols][config_change]} %{[zeek_cols][pmu_trigger_pickup]} %{[zeek_cols][data_sorting_type]} %{[zeek_cols][pmu_sync_error]} %{[zeek_cols][data_error_indicator]} %{[zeek_cols][est_rectangular_real]} %{[zeek_cols][est_rectangular_imaginary]} %{[zeek_cols][est_polar_magnitude]} %{[zeek_cols][est_polar_angle]} %{[zeek_cols][freq_dev_mhz]} %{[zeek_cols][rocof]} %{[zeek_cols][analog_data]} %{[zeek_cols][digital]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_synchrophasor_data_detail"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_synchrophasor_data_detail"
- init => "@zeek_synchrophasor_data_detail_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'header_time_stamp', 'data_frame_id', 'pmu_idx', 'trigger_reason', 'unlocked_time', 'pmu_time_quality', 'data_modified', 'config_change', 'pmu_trigger_pickup', 'data_sorting_type', 'pmu_sync_error', 'data_error_indicator', 'est_rectangular_real', 'est_rectangular_imaginary', 'est_polar_magnitude', 'est_polar_angle', 'freq_dev_mhz', 'rocof', 'analog_data', 'digital' ]"
- code => "event.set('[zeek_cols]', @zeek_synchrophasor_data_detail_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_synchrophasor_data_detail"
- add_field => {
- "[zeek_cols][service]" => "synchrophasor"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "synchrophasor_hdr") {
- #############################################################################################################################
- # synchrophasor_hdr.log
- # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_synchrophasor_hdr"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][data]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_synchrophasor_hdr"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_synchrophasor_hdr"
- init => "@zeek_synchrophasor_hdr_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'data' ]"
- code => "event.set('[zeek_cols]', @zeek_synchrophasor_hdr_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_synchrophasor_hdr"
- add_field => {
- "[zeek_cols][service]" => "synchrophasor"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "syslog") {
- #############################################################################################################################
- # syslog.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/syslog/main.zeek.html#type-Syslog::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_syslog"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][facility]} %{[zeek_cols][severity]} %{[zeek_cols][message]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_syslog"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_syslog"
- init => "@zeek_syslog_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'facility', 'severity', 'message' ]"
- code => "event.set('[zeek_cols]', @zeek_syslog_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_syslog"
- add_field => { "[zeek_cols][service]" => "syslog" }
- }
-
- } else if ([log_source] == "tds") {
- #############################################################################################################################
- # tds.log
- # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_tds"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][command]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_tds"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_tds"
- init => "@zeek_tds_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'command' ]"
- code => "event.set('[zeek_cols]', @zeek_tds_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_tds"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "tds"
- }
- }
-
- } else if ([log_source] == "tds_rpc") {
- #############################################################################################################################
- # tds_rpc.log
- # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_tds_rpc_fields"
- rename => { "[zeek_cols][parameters]" => "[zeek_cols][parameter]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_tds_rpc"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][procedure_name]} %{[zeek_cols][parameter]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_tds_rpc"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_tds_rpc"
- init => "@zeek_tds_rpc_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'procedure_name', 'parameter' ]"
- code => "event.set('[zeek_cols]', @zeek_tds_rpc_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_tds_rpc"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "tds"
- }
- }
-
- } else if ([log_source] == "tds_sql_batch") {
- #############################################################################################################################
- # tds_sql_batch.log
- # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_tds_sql_batch"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][header_type]} %{[zeek_cols][query]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_tds_sql_batch"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_tds_sql_batch"
- init => "@zeek_tds_sql_batch_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'header_type', 'query' ]"
- code => "event.set('[zeek_cols]', @zeek_tds_sql_batch_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_tds_sql_batch"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "tds"
- }
- }
-
- } else if ([log_source] == "tftp") {
- #############################################################################################################################
- # tftp.log
- # https://github.com/zeek/spicy-tftp
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_tftp"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][wrq]} %{[zeek_cols][fname]} %{[zeek_cols][mode]} %{[zeek_cols][uid_data]} %{[zeek_cols][size]} %{[zeek_cols][block_sent]} %{[zeek_cols][block_acked]} %{[zeek_cols][error_code]} %{[zeek_cols][error_msg]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_tftp"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_tftp"
- init => "@zeek_tftp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'wrq', 'fname', 'mode', 'uid_data', 'size', 'block_sent', 'block_acked', 'error_code', 'error_msg' ]"
- code => "event.set('[zeek_cols]', @zeek_tftp_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_tftp"
- add_field => {
- "[zeek_cols][proto]" => "udp"
- "[zeek_cols][service]" => "tftp"
- }
- }
-
- } else if ([log_source] == "tunnel") {
- #############################################################################################################################
- # tunnel.log
- # https://docs.zeek.org/en/stable/scripts/base/frameworks/tunnels/main.zeek.html#type-Tunnel::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_tunnel"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][tunnel_type]} %{[zeek_cols][action]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_tunnel"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_tunnel"
- init => "@zeek_tunnel_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'tunnel_type', 'action' ]"
- code => "event.set('[zeek_cols]', @zeek_tunnel_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate { id => "mutate_gsub_zeek_tunnel_action"
- gsub => [ "[zeek_cols][action]", "Tunnel::", "" ] }
-
- mutate { id => "mutate_gsub_zeek_tunnel_type"
- gsub => [ "[zeek_cols][tunnel_type]", "Tunnel::", "" ] }
-
- mutate {
- id => "mutate_add_fields_zeek_tunnel"
- add_field => { "[zeek_cols][service]" => "%{[zeek_cols][tunnel_type]}" }
- }
-
- mutate { id => "mutate_lowercase_zeek_tunnel_service"
- lowercase => [ "[zeek_cols][service]" ] }
-
- } else if ([log_source] == "weird") {
- #############################################################################################################################
- # weird.log
- # https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/weird.zeek.html#type-Weird::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_weird"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][name]} %{[zeek_cols][addl]} %{[zeek_cols][notice]} %{[zeek_cols][peer]} %{[zeek_cols][source]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_weird"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_weird"
- init => "@zeek_weird_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'name', 'addl', 'notice', 'peer', 'source' ]"
- code => "event.set('[zeek_cols]', @zeek_weird_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- } else if ([log_source] == "x509") {
- #############################################################################################################################
- # x509.log
- # https://docs.zeek.org/en/stable/scripts/base/files/x509/main.zeek.html#type-X509::Info
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_x509_fields"
- rename => { "[zeek_cols][certificate.version]" => "[zeek_cols][certificate_version]" }
- rename => { "[zeek_cols][certificate.serial]" => "[zeek_cols][certificate_serial]" }
- rename => { "[zeek_cols][certificate.subject]" => "[zeek_cols][certificate_subject]" }
- rename => { "[zeek_cols][certificate.issuer]" => "[zeek_cols][certificate_issuer]" }
- rename => { "[zeek_cols][certificate.not_valid_before]" => "[zeek_cols][certificate_not_valid_before]" }
- rename => { "[zeek_cols][certificate.not_valid_after]" => "[zeek_cols][certificate_not_valid_after]" }
- rename => { "[zeek_cols][certificate.key_alg]" => "[zeek_cols][certificate_key_alg]" }
- rename => { "[zeek_cols][certificate.sig_alg]" => "[zeek_cols][certificate_sig_alg]" }
- rename => { "[zeek_cols][certificate.key_type]" => "[zeek_cols][certificate_key_type]" }
- rename => { "[zeek_cols][certificate.key_length]" => "[zeek_cols][certificate_key_length]" }
- rename => { "[zeek_cols][certificate.exponent]" => "[zeek_cols][certificate_exponent]" }
- rename => { "[zeek_cols][certificate.curve]" => "[zeek_cols][certificate_curve]" }
- rename => { "[zeek_cols][san.dns]" => "[zeek_cols][san_dns]" }
- rename => { "[zeek_cols][san.uri]" => "[zeek_cols][san_uri]" }
- rename => { "[zeek_cols][san.email]" => "[zeek_cols][san_email]" }
- rename => { "[zeek_cols][san.ip]" => "[zeek_cols][san_ip]" }
- rename => { "[zeek_cols][basic_constraints.ca]" => "[zeek_cols][basic_constraints_ca]" }
- rename => { "[zeek_cols][basic_constraints.path_len]" => "[zeek_cols][basic_constraints_path_len]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_x509_v1"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][fingerprint]} %{[zeek_cols][certificate_version]} %{[zeek_cols][certificate_serial]} %{[zeek_cols][certificate_subject]} %{[zeek_cols][certificate_issuer]} %{[zeek_cols][certificate_not_valid_before]} %{[zeek_cols][certificate_not_valid_after]} %{[zeek_cols][certificate_key_alg]} %{[zeek_cols][certificate_sig_alg]} %{[zeek_cols][certificate_key_type]} %{[zeek_cols][certificate_key_length]} %{[zeek_cols][certificate_exponent]} %{[zeek_cols][certificate_curve]} %{[zeek_cols][san_dns]} %{[zeek_cols][san_uri]} %{[zeek_cols][san_email]} %{[zeek_cols][san_ip]} %{[zeek_cols][basic_constraints_ca]} %{[zeek_cols][basic_constraints_path_len]} %{[zeek_cols][host_cert]} %{[zeek_cols][client_cert]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_x509"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_x509"
- init => "@zeek_x509_field_names = [ 'ts', 'fuid', 'certificate_version', 'certificate_serial', 'certificate_subject', 'certificate_issuer', 'certificate_not_valid_before', 'certificate_not_valid_after', 'certificate_key_alg', 'certificate_sig_alg', 'certificate_key_type', 'certificate_key_length', 'certificate_exponent', 'certificate_curve', 'san_dns', 'san_uri', 'san_email', 'san_ip', 'basic_constraints_ca', 'basic_constraints_path_len', 'host_cert', 'client_cert' ]"
- code => "event.set('[zeek_cols]', @zeek_x509_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_x509_san_ip"
- split => { "[zeek_cols][san_ip]" => ","
- "[zeek_cols][fingerprint]" => "," } }
- }
-
- mutate { id => "mutate_add_fields_zeek_x509"
- add_field => { "[zeek_cols][service]" => "X.509" } }
-
- } else if ([log_source] =~ /^opcua_binary/) {
-
- if ([log_source] == "opcua_binary") {
- #############################################################################################################################
- # opcua_binary.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][msg_type]} %{[zeek_cols][is_final]} %{[zeek_cols][msg_size]} %{[zeek_cols][error]} %{[zeek_cols][reason]} %{[zeek_cols][version]} %{[zeek_cols][rcv_buf_size]} %{[zeek_cols][snd_buf_size]} %{[zeek_cols][max_msg_size]} %{[zeek_cols][max_chunk_cnt]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][sec_channel_id]} %{[zeek_cols][sec_policy_uri_len]} %{[zeek_cols][sec_policy_uri]} %{[zeek_cols][snd_cert_len]} %{[zeek_cols][snd_cert]} %{[zeek_cols][rcv_cert_len]} %{[zeek_cols][rcv_cert]} %{[zeek_cols][seq_number]} %{[zeek_cols][request_id]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][namespace_idx]} %{[zeek_cols][identifier]} %{[zeek_cols][identifier_str]} %{[zeek_cols][req_hdr_node_id_type]} %{[zeek_cols][req_hdr_node_id_namespace_idx]} %{[zeek_cols][req_hdr_node_id_numeric]} %{[zeek_cols][req_hdr_node_id_string]} %{[zeek_cols][req_hdr_node_id_guid]} %{[zeek_cols][req_hdr_node_id_opaque]} %{[zeek_cols][req_hdr_timestamp]} %{[zeek_cols][req_hdr_request_handle]} %{[zeek_cols][req_hdr_return_diag]} %{[zeek_cols][req_hdr_audit_entry_id]} %{[zeek_cols][req_hdr_timeout_hint]} %{[zeek_cols][req_hdr_add_hdr_type_id]} %{[zeek_cols][req_hdr_add_hdr_enc_mask]} %{[zeek_cols][res_hdr_timestamp]} %{[zeek_cols][res_hdr_request_handle]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][res_hdr_service_diag_encoding]} %{[zeek_cols][res_hdr_add_hdr_type_id]} %{[zeek_cols][res_hdr_add_hdr_enc_mask]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary"
- init => "@zeek_opcua_binary_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'msg_type', 'is_final', 'msg_size', 'error', 'reason', 'version', 'rcv_buf_size', 'snd_buf_size', 'max_msg_size', 'max_chunk_cnt', 'endpoint_url', 'sec_channel_id', 'sec_policy_uri_len', 'sec_policy_uri', 'snd_cert_len', 'snd_cert', 'rcv_cert_len', 'rcv_cert', 'seq_number', 'request_id', 'encoding_mask', 'namespace_idx', 'identifier', 'identifier_str', 'req_hdr_node_id_type', 'req_hdr_node_id_namespace_idx', 'req_hdr_node_id_numeric', 'req_hdr_node_id_string', 'req_hdr_node_id_guid', 'req_hdr_node_id_opaque', 'req_hdr_timestamp', 'req_hdr_request_handle', 'req_hdr_return_diag', 'req_hdr_audit_entry_id', 'req_hdr_timeout_hint', 'req_hdr_add_hdr_type_id', 'req_hdr_add_hdr_enc_mask', 'res_hdr_timestamp', 'res_hdr_request_handle', 'status_code_link_id', 'res_hdr_service_diag_encoding', 'res_hdr_add_hdr_type_id', 'res_hdr_add_hdr_enc_mask' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_activate_session") {
- #############################################################################################################################
- # opcua_binary_activate_session.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_activate_session"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][client_algorithm]} %{[zeek_cols][client_signature]} %{[zeek_cols][client_software_cert_link_id]} %{[zeek_cols][opcua_locale_link_id]} %{[zeek_cols][ext_obj_type_id_encoding_mask]} %{[zeek_cols][ext_obj_type_id_namespace_idx]} %{[zeek_cols][ext_obj_type_id_numeric]} %{[zeek_cols][ext_obj_type_id_string]} %{[zeek_cols][ext_obj_type_id_guid]} %{[zeek_cols][ext_obj_type_id_opaque]} %{[zeek_cols][ext_obj_type_id_str]} %{[zeek_cols][ext_obj_encoding]} %{[zeek_cols][ext_obj_policy_id]} %{[zeek_cols][ext_obj_user_name]} %{[zeek_cols][ext_obj_password]} %{[zeek_cols][ext_obj_encryption_algorithom]} %{[zeek_cols][ext_obj_certificate_data]} %{[zeek_cols][ext_obj_token_data]} %{[zeek_cols][user_token_algorithm]} %{[zeek_cols][user_token_signature]} %{[zeek_cols][server_nonce]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][activate_session_diag_info_link_id]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_activate_session"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_activate_session"
- init => "@zeek_opcua_binary_activate_session_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'client_algorithm', 'client_signature', 'client_software_cert_link_id', 'opcua_locale_link_id', 'ext_obj_type_id_encoding_mask', 'ext_obj_type_id_namespace_idx', 'ext_obj_type_id_numeric', 'ext_obj_type_id_string', 'ext_obj_type_id_guid', 'ext_obj_type_id_opaque', 'ext_obj_type_id_str', 'ext_obj_encoding', 'ext_obj_policy_id', 'ext_obj_user_name', 'ext_obj_password', 'ext_obj_encryption_algorithom', 'ext_obj_certificate_data', 'ext_obj_token_data', 'user_token_algorithm', 'user_token_signature', 'server_nonce', 'status_code_link_id', 'activate_session_diag_info_link_id' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_activate_session_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_activate_session"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_activate_session_client_software_cert") {
- #############################################################################################################################
- # opcua_binary_activate_session_client_software_cert.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_activate_session_client_software_cert"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][client_software_cert_link_id]} %{[zeek_cols][cert_data]} %{[zeek_cols][cert_signature]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_activate_session_client_software_cert"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_activate_session_client_software_cert"
- init => "@zeek_opcua_binary_activate_session_client_software_cert_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'client_software_cert_link_id', 'cert_data', 'cert_signature' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_activate_session_client_software_cert_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_activate_session_client_software_cert"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_activate_session_locale_id") {
- #############################################################################################################################
- # opcua_binary_activate_session_locale_id.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_activate_session_locale_id"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_locale_link_id]} %{[zeek_cols][local_id]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_activate_session_locale_id"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_activate_session_locale_id"
- init => "@zeek_opcua_binary_activate_session_locale_id_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_locale_link_id', 'local_id' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_activate_session_locale_id_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_activate_session_locale_id"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_aggregate_filter") {
- #############################################################################################################################
- # opcua_binary_aggregate_filter.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_aggregate_filter"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][monitored_parameters_link_id]} %{[zeek_cols][start_time]} %{[zeek_cols][start_time_str]} %{[zeek_cols][aggregate_type_encoding_mask]} %{[zeek_cols][aggregate_type_namespace_idx]} %{[zeek_cols][aggregate_type_numeric]} %{[zeek_cols][aggregate_type_string]} %{[zeek_cols][aggregate_type_guid]} %{[zeek_cols][aggregate_type_opaque]} %{[zeek_cols][processing_interval]} %{[zeek_cols][use_server_capabilities_default]} %{[zeek_cols][treat_uncertain_as_bad]} %{[zeek_cols][percent_data_good]} %{[zeek_cols][percent_data_bad]} %{[zeek_cols][use_slopped_extrapolation]} %{[zeek_cols][revised_start_time]} %{[zeek_cols][revised_start_time_str]} %{[zeek_cols][revised_processing_interval]} %{[zeek_cols][revised_use_server_capabilities_default]} %{[zeek_cols][revised_treat_uncertain_as_bad]} %{[zeek_cols][revised_percent_data_good]} %{[zeek_cols][revised_percent_data_bad]} %{[zeek_cols][revised_use_slopped_extrapolation]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_aggregate_filter"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_aggregate_filter"
- init => "@zeek_opcua_binary_aggregate_filter_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'monitored_parameters_link_id', 'start_time', 'start_time_str', 'aggregate_type_encoding_mask', 'aggregate_type_namespace_idx', 'aggregate_type_numeric', 'aggregate_type_string', 'aggregate_type_guid', 'aggregate_type_opaque', 'processing_interval', 'use_server_capabilities_default', 'treat_uncertain_as_bad', 'percent_data_good', 'percent_data_bad', 'use_slopped_extrapolation', 'revised_start_time', 'revised_start_time_str', 'revised_processing_interval', 'revised_use_server_capabilities_default', 'revised_treat_uncertain_as_bad', 'revised_percent_data_good', 'revised_percent_data_bad', 'revised_use_slopped_extrapolation' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_aggregate_filter_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_aggregate_filter"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_event_filter_attribute_operand") {
- #############################################################################################################################
- # opcua_binary_event_filter_attribute_operand.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_event_filter_attribute_operand"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][node_id_encoding_mask]} %{[zeek_cols][node_id_namespace_idx]} %{[zeek_cols][node_id_numeric]} %{[zeek_cols][node_id_string]} %{[zeek_cols][node_id_guid]} %{[zeek_cols][node_id_opaque]} %{[zeek_cols][alias]} %{[zeek_cols][browse_path_element_link_id]} %{[zeek_cols][attribute]} %{[zeek_cols][index_range]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_event_filter_attribute_operand"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_event_filter_attribute_operand"
- init => "@zeek_opcua_binary_event_filter_attribute_operand_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_filter_operand_link_id', 'node_id_encoding_mask', 'node_id_namespace_idx', 'node_id_numeric', 'node_id_string', 'node_id_guid', 'node_id_opaque', 'alias', 'browse_path_element_link_id', 'attribute', 'index_range' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_attribute_operand_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_event_filter_attribute_operand"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_event_filter_attribute_operand_browse_paths") {
- #############################################################################################################################
- # opcua_binary_event_filter_attribute_operand_browse_paths.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_event_filter_attribute_operand_browse_paths"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_path_element_link_id]} %{[zeek_cols][type_id_encoding_mask]} %{[zeek_cols][type_id_namespace_idx]} %{[zeek_cols][type_id_numeric]} %{[zeek_cols][type_id_string]} %{[zeek_cols][type_id_guid]} %{[zeek_cols][type_id_opaque]} %{[zeek_cols][is_inverse]} %{[zeek_cols][include_subtypes]} %{[zeek_cols][target_name_namespace_idx]} %{[zeek_cols][target_name]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_event_filter_attribute_operand_browse_paths"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_event_filter_attribute_operand_browse_paths"
- init => "@zeek_opcua_binary_event_filter_attribute_operand_browse_paths_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_path_element_link_id', 'type_id_encoding_mask', 'type_id_namespace_idx', 'type_id_numeric', 'type_id_string', 'type_id_guid', 'type_id_opaque', 'is_inverse', 'include_subtypes', 'target_name_namespace_idx', 'target_name' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_attribute_operand_browse_paths_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_event_filter_attribute_operand_browse_paths"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_browse") {
- #############################################################################################################################
- # opcua_binary_browse.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_browse"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][browse_service_type]} %{[zeek_cols][browse_view_id_encoding_mask]} %{[zeek_cols][browse_view_id_namespace_idx]} %{[zeek_cols][browse_view_id_numeric]} %{[zeek_cols][browse_view_id_string]} %{[zeek_cols][browse_view_id_guid]} %{[zeek_cols][browse_view_id_opaque]} %{[zeek_cols][browse_view_description_timestamp]} %{[zeek_cols][browse_view_description_view_version]} %{[zeek_cols][req_max_ref_nodes]} %{[zeek_cols][browse_description_link_id]} %{[zeek_cols][browse_next_release_continuation_point]} %{[zeek_cols][browse_next_link_id]} %{[zeek_cols][browse_response_link_id]} %{[zeek_cols][browse_diag_info_link_id]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_browse"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_browse"
- init => "@zeek_opcua_binary_browse_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'browse_service_type', 'browse_view_id_encoding_mask', 'browse_view_id_namespace_idx', 'browse_view_id_numeric', 'browse_view_id_string', 'browse_view_id_guid', 'browse_view_id_opaque', 'browse_view_description_timestamp', 'browse_view_description_view_version', 'req_max_ref_nodes', 'browse_description_link_id', 'browse_next_release_continuation_point', 'browse_next_link_id', 'browse_response_link_id', 'browse_diag_info_link_id' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_browse"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_browse_description") {
- #############################################################################################################################
- # opcua_binary_browse_description.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_browse_description"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_description_link_id]} %{[zeek_cols][browse_description_encoding_mask]} %{[zeek_cols][browse_description_namespace_idx]} %{[zeek_cols][browse_description_numeric]} %{[zeek_cols][browse_description_string]} %{[zeek_cols][browse_description_guid]} %{[zeek_cols][browse_description_opaque]} %{[zeek_cols][browse_direction]} %{[zeek_cols][browse_description_ref_encoding_mask]} %{[zeek_cols][browse_description_ref_namespace_idx]} %{[zeek_cols][browse_description_ref_numeric]} %{[zeek_cols][browse_description_ref_string]} %{[zeek_cols][browse_description_ref_guid]} %{[zeek_cols][browse_description_ref_opaque]} %{[zeek_cols][browse_description_include_subtypes]} %{[zeek_cols][browse_node_class_mask]} %{[zeek_cols][browse_result_mask]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_browse_description"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_browse_description"
- init => "@zeek_opcua_binary_browse_description_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_description_link_id', 'browse_description_encoding_mask', 'browse_description_namespace_idx', 'browse_description_numeric', 'browse_description_string', 'browse_description_guid', 'browse_description_opaque', 'browse_direction', 'browse_description_ref_encoding_mask', 'browse_description_ref_namespace_idx', 'browse_description_ref_numeric', 'browse_description_ref_string', 'browse_description_ref_guid', 'browse_description_ref_opaque', 'browse_description_include_subtypes', 'browse_node_class_mask', 'browse_result_mask' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_description_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_browse_description"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_browse_response_references") {
- #############################################################################################################################
- # opcua_binary_browse_response_references.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_browse_response_references"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_reference_link_id]} %{[zeek_cols][browse_response_ref_encoding_mask]} %{[zeek_cols][browse_response_ref_namespace_idx]} %{[zeek_cols][browse_response_ref_numeric]} %{[zeek_cols][browse_response_ref_string]} %{[zeek_cols][browse_response_ref_guid]} %{[zeek_cols][browse_response_ref_opaque]} %{[zeek_cols][browse_response_is_forward]} %{[zeek_cols][browse_response_ref_type_encoding_mask]} %{[zeek_cols][browse_response_ref_type_namespace_idx]} %{[zeek_cols][browse_response_ref_type_numeric]} %{[zeek_cols][browse_response_ref_type_string]} %{[zeek_cols][browse_response_ref_type_guid]} %{[zeek_cols][browse_response_ref_type_opaque]} %{[zeek_cols][browse_response_ref_type_namespace_uri]} %{[zeek_cols][browse_response_ref_type_server_idx]} %{[zeek_cols][browse_response_ref_name_idx]} %{[zeek_cols][browse_response_ref_name]} %{[zeek_cols][browse_response_display_name_mask]} %{[zeek_cols][browse_response_display_name_locale]} %{[zeek_cols][browse_response_display_name_text]} %{[zeek_cols][browse_response_node_class]} %{[zeek_cols][browse_response_type_def_encoding_mask]} %{[zeek_cols][browse_response_type_def_namespace_idx]} %{[zeek_cols][browse_response_type_def_numeric]} %{[zeek_cols][browse_response_type_def_string]} %{[zeek_cols][browse_response_type_def_guid]} %{[zeek_cols][browse_response_type_def_opaque]} %{[zeek_cols][browse_response_type_def_namespace_uri]} %{[zeek_cols][browse_response_type_def_server_idx]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_browse_response_references"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_browse_response_references"
- init => "@zeek_opcua_binary_browse_response_references_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_reference_link_id', 'browse_response_ref_encoding_mask', 'browse_response_ref_namespace_idx', 'browse_response_ref_numeric', 'browse_response_ref_string', 'browse_response_ref_guid', 'browse_response_ref_opaque', 'browse_response_is_forward', 'browse_response_ref_type_encoding_mask', 'browse_response_ref_type_namespace_idx', 'browse_response_ref_type_numeric', 'browse_response_ref_type_string', 'browse_response_ref_type_guid', 'browse_response_ref_type_opaque', 'browse_response_ref_type_namespace_uri', 'browse_response_ref_type_server_idx', 'browse_response_ref_name_idx', 'browse_response_ref_name', 'browse_response_display_name_mask', 'browse_response_display_name_locale', 'browse_response_display_name_text', 'browse_response_node_class', 'browse_response_type_def_encoding_mask', 'browse_response_type_def_namespace_idx', 'browse_response_type_def_numeric', 'browse_response_type_def_string', 'browse_response_type_def_guid', 'browse_response_type_def_opaque', 'browse_response_type_def_namespace_uri', 'browse_response_type_def_server_idx' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_response_references_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_browse_response_references"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_browse_request_continuation_point") {
- #############################################################################################################################
- # opcua_binary_browse_request_continuation_point.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_browse_request_continuation_point"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_next_link_id]} %{[zeek_cols][continuation_point]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_browse_request_continuation_point"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_browse_request_continuation_point"
- init => "@zeek_opcua_binary_browse_request_continuation_point_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_next_link_id', 'continuation_point' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_request_continuation_point_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_browse_request_continuation_point"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_browse_result") {
- #############################################################################################################################
- # opcua_binary_browse_result.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_browse_result"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_response_link_id]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][browse_result_continuation_point]} %{[zeek_cols][browse_reference_link_id]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_browse_result"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_browse_result"
- init => "@zeek_opcua_binary_browse_result_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_response_link_id', 'status_code_link_id', 'browse_result_continuation_point', 'browse_reference_link_id' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_result_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_browse_result"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_close_session") {
- #############################################################################################################################
- # opcua_binary_close_session.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_close_session"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][del_subscriptions]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_close_session"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_close_session"
- init => "@zeek_opcua_binary_close_session_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'del_subscriptions' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_close_session_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_close_session"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_event_filter_where_clause") {
- #############################################################################################################################
- # opcua_binary_event_filter_where_clause.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_event_filter_where_clause"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][where_clause_link_id]} %{[zeek_cols][content_filter_element_link_id]} %{[zeek_cols][content_filter_status_code_link_id]} %{[zeek_cols][content_filter_diag_info_link_id]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_event_filter_where_clause"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_event_filter_where_clause"
- init => "@zeek_opcua_binary_event_filter_where_clause_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'where_clause_link_id', 'content_filter_element_link_id', 'content_filter_status_code_link_id', 'content_filter_diag_info_link_id' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_where_clause_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_event_filter_where_clause"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_event_filter_where_clause_elements") {
- #############################################################################################################################
- # opcua_binary_event_filter_where_clause_elements.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_event_filter_where_clause_elements"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_element_link_id]} %{[zeek_cols][filter_operator]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_encoding_mask]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_namespace_idx]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_numeric]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_string]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_guid]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_opaque]} %{[zeek_cols][content_filter_filter_operand_type_id_string]} %{[zeek_cols][content_filter_filter_operand_type_id_encoding]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][content_filter_operand_status_code_link_id]} %{[zeek_cols][content_filter_operand_diag_info_link_id]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_event_filter_where_clause_elements"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_event_filter_where_clause_elements"
- init => "@zeek_opcua_binary_event_filter_where_clause_elements_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_element_link_id', 'filter_operator', 'content_filter_filter_operand_type_id_node_id_encoding_mask', 'content_filter_filter_operand_type_id_node_id_namespace_idx', 'content_filter_filter_operand_type_id_node_id_numeric', 'content_filter_filter_operand_type_id_node_id_string', 'content_filter_filter_operand_type_id_node_id_guid', 'content_filter_filter_operand_type_id_node_id_opaque', 'content_filter_filter_operand_type_id_string', 'content_filter_filter_operand_type_id_encoding', 'content_filter_filter_operand_link_id', 'content_filter_operand_status_code_link_id', 'content_filter_operand_diag_info_link_id' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_where_clause_elements_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_event_filter_where_clause_elements"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_create_monitored_items") {
- #############################################################################################################################
- # opcua_binary_create_monitored_items.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_create_monitored_items"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][subscription_id]} %{[zeek_cols][timestamps_to_return]} %{[zeek_cols][timestamps_to_return_str]} %{[zeek_cols][create_item_link_id]} %{[zeek_cols][create_monitored_items_diag_info_link_id]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_create_monitored_items"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_create_monitored_items"
- init => "@zeek_opcua_binary_create_monitored_items_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'subscription_id', 'timestamps_to_return', 'timestamps_to_return_str', 'create_item_link_id', 'create_monitored_items_diag_info_link_id' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_monitored_items_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_create_monitored_items"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_create_monitored_items_create_item") {
- #############################################################################################################################
- # opcua_binary_create_monitored_items_create_item.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_create_monitored_items_create_item"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][create_item_link_id]} %{[zeek_cols][item_to_monitor_node_id_encoding_mask]} %{[zeek_cols][item_to_monitor_node_id_namespace_idx]} %{[zeek_cols][item_to_monitor_node_id_numeric]} %{[zeek_cols][item_to_monitor_node_id_string]} %{[zeek_cols][item_to_monitor_node_id_guid]} %{[zeek_cols][item_to_monitor_node_id_opaque]} %{[zeek_cols][item_to_monitor_attribute_id]} %{[zeek_cols][item_to_monitor_index_range]} %{[zeek_cols][item_to_monitor_namespace_idx]} %{[zeek_cols][item_to_monitor_name]} %{[zeek_cols][monitoring_mode]} %{[zeek_cols][monitoring_parameters_client_handle]} %{[zeek_cols][monitoring_parameters_sampling_interval]} %{[zeek_cols][monitoring_parameters_queue_size]} %{[zeek_cols][monitoring_parameters_discard_oldest]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_encoding_mask]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_namespace_idx]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_numeric]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_string]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_guid]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_opaque]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_string]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_encoding]} %{[zeek_cols][filter_info_details_link_id]} %{[zeek_cols][monitoring_parameters_status_code_link_id]} %{[zeek_cols][monitored_item_index_id]} %{[zeek_cols][monitoring_parameters_revised_sampling_interval]} %{[zeek_cols][monitoring_parameters_revised_queue_size]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_create_monitored_items_create_item"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_create_monitored_items_create_item"
- init => "@zeek_opcua_binary_create_monitored_items_create_item_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'create_item_link_id', 'item_to_monitor_node_id_encoding_mask', 'item_to_monitor_node_id_namespace_idx', 'item_to_monitor_node_id_numeric', 'item_to_monitor_node_id_string', 'item_to_monitor_node_id_guid', 'item_to_monitor_node_id_opaque', 'item_to_monitor_attribute_id', 'item_to_monitor_index_range', 'item_to_monitor_namespace_idx', 'item_to_monitor_name', 'monitoring_mode', 'monitoring_parameters_client_handle', 'monitoring_parameters_sampling_interval', 'monitoring_parameters_queue_size', 'monitoring_parameters_discard_oldest', 'monitoring_parameters_filter_info_type_id_node_id_encoding_mask', 'monitoring_parameters_filter_info_type_id_node_id_namespace_idx', 'monitoring_parameters_filter_info_type_id_node_id_numeric', 'monitoring_parameters_filter_info_type_id_node_id_string', 'monitoring_parameters_filter_info_type_id_node_id_guid', 'monitoring_parameters_filter_info_type_id_node_id_opaque', 'monitoring_parameters_filter_info_type_id_string', 'monitoring_parameters_filter_info_type_id_encoding', 'filter_info_details_link_id', 'monitoring_parameters_status_code_link_id', 'monitored_item_index_id', 'monitoring_parameters_revised_sampling_interval', 'monitoring_parameters_revised_queue_size' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_monitored_items_create_item_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_create_monitored_items_create_item"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_create_session") {
- #############################################################################################################################
- # opcua_binary_create_session.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_create_session"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][application_uri]} %{[zeek_cols][product_uri]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][locale]} %{[zeek_cols][text]} %{[zeek_cols][application_type]} %{[zeek_cols][gateway_server_uri]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][server_uri]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][session_name]} %{[zeek_cols][client_nonce]} %{[zeek_cols][client_cert_size]} %{[zeek_cols][client_cert]} %{[zeek_cols][req_session_timeout]} %{[zeek_cols][max_res_msg_size]} %{[zeek_cols][session_id_encoding_mask]} %{[zeek_cols][session_id_namespace_idx]} %{[zeek_cols][session_id_numeric]} %{[zeek_cols][session_id_string]} %{[zeek_cols][session_id_guid]} %{[zeek_cols][session_id_opaque]} %{[zeek_cols][auth_token_encoding_mask]} %{[zeek_cols][auth_token_namespace_idx]} %{[zeek_cols][auth_token_numeric]} %{[zeek_cols][auth_token_string]} %{[zeek_cols][auth_token_guid]} %{[zeek_cols][auth_token_opaque]} %{[zeek_cols][revised_session_timeout]} %{[zeek_cols][server_nonce]} %{[zeek_cols][server_cert_size]} %{[zeek_cols][server_cert]} %{[zeek_cols][endpoint_link_id]} %{[zeek_cols][algorithm]} %{[zeek_cols][signature]} %{[zeek_cols][max_req_msg_size]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_create_session"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_create_session"
- init => "@zeek_opcua_binary_create_session_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'application_uri', 'product_uri', 'encoding_mask', 'locale', 'text', 'application_type', 'gateway_server_uri', 'discovery_profile_uri', 'discovery_profile_link_id', 'server_uri', 'endpoint_url', 'session_name', 'client_nonce', 'client_cert_size', 'client_cert', 'req_session_timeout', 'max_res_msg_size', 'session_id_encoding_mask', 'session_id_namespace_idx', 'session_id_numeric', 'session_id_string', 'session_id_guid', 'session_id_opaque', 'auth_token_encoding_mask', 'auth_token_namespace_idx', 'auth_token_numeric', 'auth_token_string', 'auth_token_guid', 'auth_token_opaque', 'revised_session_timeout', 'server_nonce', 'server_cert_size', 'server_cert', 'endpoint_link_id', 'algorithm', 'signature', 'max_req_msg_size' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_session_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_create_session"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_create_session_discovery") {
- #############################################################################################################################
- # opcua_binary_create_session_discovery.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_create_session_discovery"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_url]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_create_session_discovery"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_create_session_discovery"
- init => "@zeek_opcua_binary_create_session_discovery_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'discovery_profile_link_id', 'discovery_profile_uri', 'discovery_profile_url' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_session_discovery_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_create_session_discovery"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_create_session_endpoints") {
- #############################################################################################################################
- # opcua_binary_create_session_endpoints.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_create_session_endpoints"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][endpoint_link_id]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][application_uri]} %{[zeek_cols][product_uri]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][locale]} %{[zeek_cols][text]} %{[zeek_cols][application_type]} %{[zeek_cols][gateway_server_uri]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][cert_size]} %{[zeek_cols][server_cert]} %{[zeek_cols][message_security_mode]} %{[zeek_cols][security_policy_uri]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][transport_profile_uri]} %{[zeek_cols][security_level]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_create_session_endpoints"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_create_session_endpoints"
- init => "@zeek_opcua_binary_create_session_endpoints_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'endpoint_link_id', 'endpoint_url', 'application_uri', 'product_uri', 'encoding_mask', 'locale', 'text', 'application_type', 'gateway_server_uri', 'discovery_profile_uri', 'discovery_profile_link_id', 'cert_size', 'server_cert', 'message_security_mode', 'security_policy_uri', 'user_token_link_id', 'transport_profile_uri', 'security_level' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_session_endpoints_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_create_session_endpoints"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_create_session_user_token") {
- #############################################################################################################################
- # opcua_binary_create_session_user_token.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_create_session_user_token"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][user_token_policy_id]} %{[zeek_cols][user_token_type]} %{[zeek_cols][user_token_issued_type]} %{[zeek_cols][user_token_endpoint_url]} %{[zeek_cols][user_token_sec_policy_uri]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_create_session_user_token"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_create_session_user_token"
- init => "@zeek_opcua_binary_create_session_user_token_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'user_token_link_id', 'user_token_policy_id', 'user_token_type', 'user_token_issued_type', 'user_token_endpoint_url', 'user_token_sec_policy_uri' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_session_user_token_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_create_session_user_token"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_create_subscription") {
- #############################################################################################################################
- # opcua_binary_create_subscription.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_create_subscription"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][requested_publishing_interval]} %{[zeek_cols][requested_lifetime_count]} %{[zeek_cols][requested_max_keep_alive_count]} %{[zeek_cols][max_notifications_per_publish]} %{[zeek_cols][publishing_enabled]} %{[zeek_cols][priority]} %{[zeek_cols][subscription_id]} %{[zeek_cols][revised_publishing_interval]} %{[zeek_cols][revised_lifetime_count]} %{[zeek_cols][revised_max_keep_alive_count]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_create_subscription"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_create_subscription"
- init => "@zeek_opcua_binary_create_subscription_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'requested_publishing_interval', 'requested_lifetime_count', 'requested_max_keep_alive_count', 'max_notifications_per_publish', 'publishing_enabled', 'priority', 'subscription_id', 'revised_publishing_interval', 'revised_lifetime_count', 'revised_max_keep_alive_count' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_subscription_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_create_subscription"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_data_change_filter") {
- #############################################################################################################################
- # opcua_binary_data_change_filter.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_data_change_filter"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][monitored_parameters_link_id]} %{[zeek_cols][trigger]} %{[zeek_cols][deadband_type]} %{[zeek_cols][deadband_value]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_data_change_filter"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_data_change_filter"
- init => "@zeek_opcua_binary_data_change_filter_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'monitored_parameters_link_id', 'trigger', 'deadband_type', 'deadband_value' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_data_change_filter_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_data_change_filter"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_diag_info_detail") {
- #############################################################################################################################
- # opcua_binary_diag_info_detail.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_diag_info_detail"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][diag_info_link_id]} %{[zeek_cols][root_object_id]} %{[zeek_cols][source]} %{[zeek_cols][source_str]} %{[zeek_cols][inner_diag_level]} %{[zeek_cols][has_symbolic_id]} %{[zeek_cols][symbolic_id]} %{[zeek_cols][symbolic_id_str]} %{[zeek_cols][has_namespace_uri]} %{[zeek_cols][namespace_uri]} %{[zeek_cols][namespace_uri_str]} %{[zeek_cols][has_locale]} %{[zeek_cols][locale]} %{[zeek_cols][locale_str]} %{[zeek_cols][has_locale_txt]} %{[zeek_cols][locale_txt]} %{[zeek_cols][locale_txt_str]} %{[zeek_cols][has_addl_info]} %{[zeek_cols][addl_info]} %{[zeek_cols][has_inner_stat_code]} %{[zeek_cols][inner_stat_code]} %{[zeek_cols][has_inner_diag_info]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_diag_info_detail"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_diag_info_detail"
- init => "@zeek_opcua_binary_diag_info_detail_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'diag_info_link_id', 'root_object_id', 'source', 'source_str', 'inner_diag_level', 'has_symbolic_id', 'symbolic_id', 'symbolic_id_str', 'has_namespace_uri', 'namespace_uri', 'namespace_uri_str', 'has_locale', 'locale', 'locale_str', 'has_locale_txt', 'locale_txt', 'locale_txt_str', 'has_addl_info', 'addl_info', 'has_inner_stat_code', 'inner_stat_code', 'has_inner_diag_info' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_diag_info_detail_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_diag_info_detail"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_event_filter_element_operand") {
- #############################################################################################################################
- # opcua_binary_event_filter_element_operand.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_event_filter_element_operand"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][element_index]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_event_filter_element_operand"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_event_filter_element_operand"
- init => "@zeek_opcua_binary_event_filter_element_operand_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_filter_operand_link_id', 'element_index' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_element_operand_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_event_filter_element_operand"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_event_filter") {
- #############################################################################################################################
- # opcua_binary_event_filter.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_event_filter"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][monitored_parameters_link_id]} %{[zeek_cols][select_clause_link_id]} %{[zeek_cols][where_clause_content_filter_link_id]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_event_filter"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_event_filter"
- init => "@zeek_opcua_binary_event_filter_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'monitored_parameters_link_id', 'select_clause_link_id', 'where_clause_content_filter_link_id' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_event_filter"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_get_endpoints") {
- #############################################################################################################################
- # opcua_binary_get_endpoints.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_get_endpoints"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][locale_link_id]} %{[zeek_cols][profile_uri_link_id]} %{[zeek_cols][endpoint_description_link_id]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_get_endpoints"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_get_endpoints"
- init => "@zeek_opcua_binary_get_endpoints_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'endpoint_url', 'locale_link_id', 'profile_uri_link_id', 'endpoint_description_link_id' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_get_endpoints"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_get_endpoints_description") {
- #############################################################################################################################
- # opcua_binary_get_endpoints_description.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_get_endpoints_description"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][endpoint_description_link_id]} %{[zeek_cols][endpoint_uri]} %{[zeek_cols][application_uri]} %{[zeek_cols][product_uri]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][locale]} %{[zeek_cols][text]} %{[zeek_cols][application_type]} %{[zeek_cols][gateway_server_uri]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][cert_size]} %{[zeek_cols][server_cert]} %{[zeek_cols][message_security_mode]} %{[zeek_cols][security_policy_uri]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][transport_profile_uri]} %{[zeek_cols][security_level]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_get_endpoints_description"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_get_endpoints_description"
- init => "@zeek_opcua_binary_get_endpoints_description_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'endpoint_description_link_id', 'endpoint_uri', 'application_uri', 'product_uri', 'encoding_mask', 'locale', 'text', 'application_type', 'gateway_server_uri', 'discovery_profile_uri', 'discovery_profile_link_id', 'cert_size', 'server_cert', 'message_security_mode', 'security_policy_uri', 'user_token_link_id', 'transport_profile_uri', 'security_level' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_description_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_description"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_get_endpoints_discovery") {
- #############################################################################################################################
- # opcua_binary_get_endpoints_discovery.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_get_endpoints_discovery"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][discovery_profile_url]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_get_endpoints_discovery"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_get_endpoints_discovery"
- init => "@zeek_opcua_binary_get_endpoints_discovery_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'discovery_profile_link_id', 'discovery_profile_url' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_discovery_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_discovery"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_get_endpoints_locale_id") {
- #############################################################################################################################
- # opcua_binary_get_endpoints_locale_id.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_get_endpoints_locale_id"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][locale_link_id]} %{[zeek_cols][locale_id]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_get_endpoints_locale_id"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_get_endpoints_locale_id"
- init => "@zeek_opcua_binary_get_endpoints_locale_id_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'locale_link_id', 'locale_id' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_locale_id_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_locale_id"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_get_endpoints_profile_uri") {
- #############################################################################################################################
- # opcua_binary_get_endpoints_profile_uri.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_get_endpoints_profile_uri"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][profile_uri_link_id]} %{[zeek_cols][profile_uri]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_get_endpoints_profile_uri"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_get_endpoints_profile_uri"
- init => "@zeek_opcua_binary_get_endpoints_profile_uri_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'profile_uri_link_id', 'profile_uri' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_profile_uri_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_profile_uri"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_get_endpoints_user_token") {
- #############################################################################################################################
- # opcua_binary_get_endpoints_user_token.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_get_endpoints_user_token"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][user_token_policy_id]} %{[zeek_cols][user_token_type]} %{[zeek_cols][user_token_issued_type]} %{[zeek_cols][user_token_endpoint_url]} %{[zeek_cols][user_token_sec_policy_uri]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_get_endpoints_user_token"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_get_endpoints_user_token"
- init => "@zeek_opcua_binary_get_endpoints_user_token_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'user_token_link_id', 'user_token_policy_id', 'user_token_type', 'user_token_issued_type', 'user_token_endpoint_url', 'user_token_sec_policy_uri' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_user_token_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_user_token"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_event_filter_literal_operand") {
- #############################################################################################################################
- # opcua_binary_event_filter_literal_operand.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_event_filter_literal_operand"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][literal_operand_variant_link]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_event_filter_literal_operand"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_event_filter_literal_operand"
- init => "@zeek_opcua_binary_event_filter_literal_operand_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_filter_operand_link_id', 'literal_operand_variant_link' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_literal_operand_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_event_filter_literal_operand"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_opensecure_channel") {
- #############################################################################################################################
- # opcua_binary_opensecure_channel.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_opensecure_channel"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][client_proto_ver]} %{[zeek_cols][sec_token_request_type]} %{[zeek_cols][message_security_mode]} %{[zeek_cols][client_nonce]} %{[zeek_cols][req_lifetime]} %{[zeek_cols][server_proto_ver]} %{[zeek_cols][sec_token_sec_channel_id]} %{[zeek_cols][sec_token_id]} %{[zeek_cols][sec_token_created_at]} %{[zeek_cols][sec_token_revised_time]} %{[zeek_cols][server_nonce]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_opensecure_channel"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_opensecure_channel"
- init => "@zeek_opcua_binary_opensecure_channel_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'client_proto_ver', 'sec_token_request_type', 'message_security_mode', 'client_nonce', 'req_lifetime', 'server_proto_ver', 'sec_token_sec_channel_id', 'sec_token_id', 'sec_token_created_at', 'sec_token_revised_time', 'server_nonce' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_opensecure_channel_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_opensecure_channel"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_read") {
- #############################################################################################################################
- # opcua_binary_read.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_read"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][max_age]} %{[zeek_cols][timestamps_to_return]} %{[zeek_cols][timestamps_to_return_str]} %{[zeek_cols][nodes_to_read_link_id]} %{[zeek_cols][read_results_link_id]} %{[zeek_cols][diag_info_link_id]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_read"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_read"
- init => "@zeek_opcua_binary_read_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'max_age', 'timestamps_to_return', 'timestamps_to_return_str', 'nodes_to_read_link_id', 'read_results_link_id', 'diag_info_link_id' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_read_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_read"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_read_nodes_to_read") {
- #############################################################################################################################
- # opcua_binary_read_nodes_to_read.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_read_nodes_to_read"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][nodes_to_read_link_id]} %{[zeek_cols][node_id_encoding_mask]} %{[zeek_cols][node_id_namespace_idx]} %{[zeek_cols][node_id_numeric]} %{[zeek_cols][node_id_string]} %{[zeek_cols][node_id_guid]} %{[zeek_cols][node_id_opaque]} %{[zeek_cols][attribute_id]} %{[zeek_cols][attribute_id_str]} %{[zeek_cols][index_range]} %{[zeek_cols][data_encoding_name_idx]} %{[zeek_cols][data_encoding_name]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_read_nodes_to_read"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_read_nodes_to_read"
- init => "@zeek_opcua_binary_read_nodes_to_read_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'nodes_to_read_link_id', 'node_id_encoding_mask', 'node_id_namespace_idx', 'node_id_numeric', 'node_id_string', 'node_id_guid', 'node_id_opaque', 'attribute_id', 'attribute_id_str', 'index_range', 'data_encoding_name_idx', 'data_encoding_name' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_read_nodes_to_read_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_read_nodes_to_read"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_read_results") {
- #############################################################################################################################
- # opcua_binary_read_results.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_read_results"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][results_link_id]} %{[zeek_cols][level]} %{[zeek_cols][data_value_encoding_mask]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][source_timestamp]} %{[zeek_cols][source_pico_sec]} %{[zeek_cols][server_timestamp]} %{[zeek_cols][server_pico_sec]} %{[zeek_cols][read_results_variant_metadata_link_id]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_read_results"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_read_results"
- init => "@zeek_opcua_binary_read_results_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'results_link_id', 'level', 'data_value_encoding_mask', 'status_code_link_id', 'source_timestamp', 'source_pico_sec', 'server_timestamp', 'server_pico_sec', 'read_results_variant_metadata_link_id' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_read_results_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_read_results"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_event_filter_select_clause") {
- #############################################################################################################################
- # opcua_binary_event_filter_select_clause.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_event_filter_select_clause"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][select_clause_link_id]} %{[zeek_cols][type_id_encoding_mask]} %{[zeek_cols][type_id_namespace_idx]} %{[zeek_cols][type_id_numeric]} %{[zeek_cols][type_id_string]} %{[zeek_cols][type_id_guid]} %{[zeek_cols][type_id_opaque]} %{[zeek_cols][simple_attribute_operand_browse_path_link_id]} %{[zeek_cols][attribute_id]} %{[zeek_cols][index_range]} %{[zeek_cols][select_clause_status_code_link_id]} %{[zeek_cols][select_clause_diagnostic_info_link_id]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_event_filter_select_clause"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_event_filter_select_clause"
- init => "@zeek_opcua_binary_event_filter_select_clause_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'select_clause_link_id', 'type_id_encoding_mask', 'type_id_namespace_idx', 'type_id_numeric', 'type_id_string', 'type_id_guid', 'type_id_opaque', 'simple_attribute_operand_browse_path_link_id', 'attribute_id', 'index_range', 'select_clause_status_code_link_id', 'select_clause_diagnostic_info_link_id' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_select_clause_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_event_filter_select_clause"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_event_filter_simple_attribute_operand") {
- #############################################################################################################################
- # opcua_binary_event_filter_simple_attribute_operand.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_event_filter_simple_attribute_operand"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][type_id_encoding_mask]} %{[zeek_cols][type_id_namespace_idx]} %{[zeek_cols][type_id_numeric]} %{[zeek_cols][type_id_string]} %{[zeek_cols][type_id_guid]} %{[zeek_cols][type_id_opaque]} %{[zeek_cols][simple_attribute_operand_browse_path_link_id]} %{[zeek_cols][attribute_id]} %{[zeek_cols][index_range]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_event_filter_simple_attribute_operand"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_event_filter_simple_attribute_operand"
- init => "@zeek_opcua_binary_event_filter_simple_attribute_operand_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_filter_operand_link_id', 'type_id_encoding_mask', 'type_id_namespace_idx', 'type_id_numeric', 'type_id_string', 'type_id_guid', 'type_id_opaque', 'simple_attribute_operand_browse_path_link_id', 'attribute_id', 'index_range' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_simple_attribute_operand_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_event_filter_simple_attribute_operand"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_event_filter_simple_attribute_operand_browse_paths") {
- #############################################################################################################################
- # opcua_binary_event_filter_simple_attribute_operand_browse_paths.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][simple_attribute_operand_browse_path_link_id]} %{[zeek_cols][browse_path_src]} %{[zeek_cols][namespace_index]} %{[zeek_cols][name]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths"
- init => "@zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'simple_attribute_operand_browse_path_link_id', 'browse_path_src', 'namespace_index', 'name' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_status_code_detail") {
- #############################################################################################################################
- # opcua_binary_status_code_detail.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_status_code_detail"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][source]} %{[zeek_cols][source_str]} %{[zeek_cols][source_level]} %{[zeek_cols][status_code]} %{[zeek_cols][severity]} %{[zeek_cols][severity_str]} %{[zeek_cols][sub_code]} %{[zeek_cols][sub_code_str]} %{[zeek_cols][structure_changed]} %{[zeek_cols][semantics_changed]} %{[zeek_cols][info_type]} %{[zeek_cols][info_type_str]} %{[zeek_cols][limit_bits]} %{[zeek_cols][limit_bits_str]} %{[zeek_cols][overflow]} %{[zeek_cols][historian_bits]} %{[zeek_cols][historian_bits_str]} %{[zeek_cols][historianpartial]} %{[zeek_cols][historianextradata]} %{[zeek_cols][historianmultivalue]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_status_code_detail"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_status_code_detail"
- init => "@zeek_opcua_binary_status_code_detail_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'status_code_link_id', 'source', 'source_str', 'source_level', 'status_code', 'severity', 'severity_str', 'sub_code', 'sub_code_str', 'structure_changed', 'semantics_changed', 'info_type', 'info_type_str', 'limit_bits', 'limit_bits_str', 'overflow', 'historian_bits', 'historian_bits_str', 'historianpartial', 'historianextradata', 'historianmultivalue' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_status_code_detail_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_status_code_detail"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_variant_array_dims") {
- #############################################################################################################################
- # opcua_binary_variant_array_dims.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_variant_array_dims"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][array_dim_link_id]} %{[zeek_cols][dimension]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_variant_array_dims"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_variant_array_dims"
- init => "@zeek_opcua_binary_variant_array_dims_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'array_dim_link_id', 'dimension' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_array_dims_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_variant_array_dims"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_variant_data") {
- #############################################################################################################################
- # opcua_binary_variant_data.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_variant_data"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][variant_data_link_id]} %{[zeek_cols][variant_data_value_signed_numeric]} %{[zeek_cols][variant_data_value_unsigned_numeric]} %{[zeek_cols][variant_data_value_string]} %{[zeek_cols][variant_data_node_id_encoding_mask]} %{[zeek_cols][variant_data_node_id_namespace_idx]} %{[zeek_cols][variant_data_node_id_numeric]} %{[zeek_cols][variant_data_node_id_string]} %{[zeek_cols][variant_data_node_id_guid]} %{[zeek_cols][variant_data_node_id_opaque]} %{[zeek_cols][variant_data_node_id_namespace_uri]} %{[zeek_cols][variant_data_node_id_server_idx]} %{[zeek_cols][variant_data_value_time]} %{[zeek_cols][variant_data_encoding_name_idx]} %{[zeek_cols][variant_data_encoding_name]} %{[zeek_cols][variant_data_mask]} %{[zeek_cols][variant_data_locale]} %{[zeek_cols][variant_data_text]} %{[zeek_cols][variant_data_value_decimal]} %{[zeek_cols][variant_data_status_code_link_id]} %{[zeek_cols][variant_data_diag_info_link_id]} %{[zeek_cols][variant_data_ext_obj_link_id]} %{[zeek_cols][variant_metadata_data_link_id]} %{[zeek_cols][variant_data_value_link_id]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_variant_data"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_variant_data"
- init => "@zeek_opcua_binary_variant_data_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'variant_data_link_id', 'variant_data_value_signed_numeric', 'variant_data_value_unsigned_numeric', 'variant_data_value_string', 'variant_data_node_id_encoding_mask', 'variant_data_node_id_namespace_idx', 'variant_data_node_id_numeric', 'variant_data_node_id_string', 'variant_data_node_id_guid', 'variant_data_node_id_opaque', 'variant_data_node_id_namespace_uri', 'variant_data_node_id_server_idx', 'variant_data_value_time', 'variant_data_encoding_name_idx', 'variant_data_encoding_name', 'variant_data_mask', 'variant_data_locale', 'variant_data_text', 'variant_data_value_decimal', 'variant_data_status_code_link_id', 'variant_data_diag_info_link_id', 'variant_data_ext_obj_link_id', 'variant_metadata_data_link_id', 'variant_data_value_link_id' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_data_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_variant_data"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_variant_data_value") {
- #############################################################################################################################
- # opcua_binary_variant_data_value.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_variant_data_value"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][variant_data_value_source_link]} %{[zeek_cols][data_value_encoding_mask]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][source_timestamp]} %{[zeek_cols][source_pico_sec]} %{[zeek_cols][server_timestamp]} %{[zeek_cols][server_pico_sec]} %{[zeek_cols][variant_metadata_link_id]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_variant_data_value"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_variant_data_value"
- init => "@zeek_opcua_binary_variant_data_value_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'variant_data_value_source_link', 'data_value_encoding_mask', 'status_code_link_id', 'source_timestamp', 'source_pico_sec', 'server_timestamp', 'server_pico_sec', 'variant_metadata_link_id' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_data_value_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_variant_data_value"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_variant_extension_object") {
- #############################################################################################################################
- # opcua_binary_variant_extension_object.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_variant_extension_object"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ext_obj_link_id]} %{[zeek_cols][ext_obj_node_id_encoding_mask]} %{[zeek_cols][ext_obj_node_id_namespace_idx]} %{[zeek_cols][ext_obj_node_id_numeric]} %{[zeek_cols][ext_obj_node_id_string]} %{[zeek_cols][ext_obj_node_id_guid]} %{[zeek_cols][ext_obj_node_id_opaque]} %{[zeek_cols][ext_obj_type_id_str]} %{[zeek_cols][ext_obj_encoding]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_variant_extension_object"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_variant_extension_object"
- init => "@zeek_opcua_binary_variant_extension_object_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'ext_obj_link_id', 'ext_obj_node_id_encoding_mask', 'ext_obj_node_id_namespace_idx', 'ext_obj_node_id_numeric', 'ext_obj_node_id_string', 'ext_obj_node_id_guid', 'ext_obj_node_id_opaque', 'ext_obj_type_id_str', 'ext_obj_encoding' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_extension_object_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_variant_extension_object"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_variant_metadata") {
- #############################################################################################################################
- # opcua_binary_variant_metadata.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_variant_metadata"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][variant_source_data_link_id]} %{[zeek_cols][variant_data_source]} %{[zeek_cols][variant_data_source_str]} %{[zeek_cols][dara_variant_encoding_mask]} %{[zeek_cols][data_variant_data_type]} %{[zeek_cols][data_variant_data_type_str]} %{[zeek_cols][built_in_data_type]} %{[zeek_cols][built_in_data_type_str]} %{[zeek_cols][variant_data_link_id]} %{[zeek_cols][variant_data_array_dim]} %{[zeek_cols][variant_data_array_multi_dim_link_id]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_variant_metadata"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_variant_metadata"
- init => "@zeek_opcua_binary_variant_metadata_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'variant_source_data_link_id', 'variant_data_source', 'variant_data_source_str', 'dara_variant_encoding_mask', 'data_variant_data_type', 'data_variant_data_type_str', 'built_in_data_type', 'built_in_data_type_str', 'variant_data_link_id', 'variant_data_array_dim', 'variant_data_array_multi_dim_link_id' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_metadata_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_variant_metadata"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else {
- # some other unknown zeek opcua- log file. should start with ts at least!
-
- if ("_jsonparsesuccess" not in [tags]) {
- csv {
- id => "csv_zeek_unknown_opcua"
- columns => ["ts"]
-
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- separator => " "
- # there's no way to *disable* the csv quote char, so set it to something we'll never see
- quote_char => ""
-
- target => "[zeek_cols]"
- }
- }
-
- mutate { id => "mutate_add_tag_zeek_unknown_opcua"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "_unknown_log_type" ]
- }
-
- } # if / else if for opcua log types
-
- } else if ([log_source] == "analyzer") {
- #############################################################################################################################
- # analyzer.log
- # Zeek Logging analyzer confirmations and violations into analyzer.log
- # https://docs.zeek.org/en/master/scripts/base/frameworks/analyzer/logging.zeek.html
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_diagnostic_analyzer"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][cause]} %{[zeek_cols][analyzer_kind]} %{[zeek_cols][analyzer_name]} %{[zeek_cols][uid]} %{[zeek_cols][fuid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][failure_reason]} %{[zeek_cols][failure_data]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_diagnostic_analyzer"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_diagnostic_analyzer"
- init => "@zeek_diagnostic_analyzer_field_names = [ 'ts', 'cause', 'analyzer_kind', 'analyzer_name', 'uid', 'fuid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'failure_reason', 'failure_data' ]"
- code => "event.set('[zeek_cols]', @zeek_diagnostic_analyzer_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- # we are *not* adding the _zeekdiagnostic even though it could arguably be classified as such, the reason being that
- # the UID/FUID and IP/ports make it suitable to be searched with the network data
-
- } else if ([log_source] == "broker") {
- #############################################################################################################################
- # broker.log
- # https://docs.zeek.org/en/master/scripts/base/frameworks/broker/log.zeek.html
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_broker_fields"
- rename => { "[zeek_cols][ty]" => "[zeek_cols][event_type]" }
- rename => { "[zeek_cols][ev]" => "[zeek_cols][event_action]" }
- rename => { "[zeek_cols][peer.address]" => "[zeek_cols][peer_ip]" }
- rename => { "[zeek_cols][peer.bound_port]" => "[zeek_cols][peer_port]" }
- rename => { "[zeek_cols][message]" => "[zeek_cols][peer_message]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_diagnostic_broker"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][event_type]} %{[zeek_cols][event_action]} %{[zeek_cols][peer_ip]} %{[zeek_cols][peer_port]} %{[zeek_cols][peer_message]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_diagnostic_broker"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_diagnostic_broker"
- init => "@zeek_diagnostic_broker_field_names = [ 'ts', 'event_type', 'event_action', 'peer_ip', 'peer_port', 'peer_message' ]"
- code => "event.set('[zeek_cols]', @zeek_diagnostic_broker_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate { id => "mutate_add_tag_zeek_diagnostic_broker"
- add_tag => [ "_zeekdiagnostic" ] }
-
- } else if ([log_source] == "capture_loss") {
- #############################################################################################################################
- # capture_loss.log
- # Reports analysis of missing traffic. Zeek bases its conclusions on analysis of TCP sequence numbers.
- # https://docs.zeek.org/en/master/logs/capture-loss-and-reporter.html
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_diagnostic_capture_loss"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][ts_delta]} %{[zeek_cols][peer]} %{[zeek_cols][gaps]} %{[zeek_cols][acks]} %{[zeek_cols][percent_lost]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_diagnostic_capture_loss"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_diagnostic_capture_loss"
- init => "@zeek_diagnostic_capture_loss_field_names = [ 'ts', 'ts_delta', 'peer', 'gaps', 'acks', 'percent_lost' ]"
- code => "event.set('[zeek_cols]', @zeek_diagnostic_capture_loss_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate { id => "mutate_add_tag_zeek_diagnostic_capture_loss"
- add_tag => [ "_zeekdiagnostic" ] }
-
- } else if ([log_source] == "cluster") {
- #############################################################################################################################
- # cluster.log
- # Logging for establishing and controlling a cluster of Zeek instances
- # https://docs.zeek.org/en/master/scripts/base/frameworks/cluster/main.zeek.html#type-Cluster::Info
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_cluster_fields"
- rename => { "[zeek_cols][message]" => "[zeek_cols][node_message]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_diagnostic_cluster"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][node]} %{[zeek_cols][node_message]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_diagnostic_cluster"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_diagnostic_cluster"
- init => "@zeek_diagnostic_cluster_field_names = [ 'ts', 'node', 'node_message' ]"
- code => "event.set('[zeek_cols]', @zeek_diagnostic_cluster_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate { id => "mutate_add_tag_zeek_diagnostic_cluster"
- add_tag => [ "_zeekdiagnostic" ] }
-
- } else if ([log_source] == "config") {
- #############################################################################################################################
- # config.log
- # Logging for Zeek configuration changes
- # https://docs.zeek.org/en/master/scripts/base/frameworks/config/main.zeek.html#type-Config::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_diagnostic_config"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][value_name]} %{[zeek_cols][value_old]} %{[zeek_cols][value_new]} %{[zeek_cols][location]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_diagnostic_config"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_diagnostic_config"
- init => "@zeek_diagnostic_config_field_names = [ 'ts', 'value_name', 'value_old', 'value_new', 'location' ]"
- code => "event.set('[zeek_cols]', @zeek_diagnostic_config_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate { id => "mutate_add_tag_zeek_diagnostic_config"
- add_tag => [ "_zeekdiagnostic" ] }
-
- } else if ([log_source] == "packet_filter") {
- #############################################################################################################################
- # packet_filter.log
- # https://docs.zeek.org/en/master/scripts/base/frameworks/packet-filter/main.zeek.html#type-PacketFilter::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_diagnostic_packet_filter"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][node]} %{[zeek_cols][filter]} %{[zeek_cols][init]} %{[zeek_cols][success]} %{[zeek_cols][failure_reason]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_diagnostic_packet_filter"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_diagnostic_packet_filter"
- init => "@zeek_diagnostic_packet_filter_field_names = [ 'ts', 'node', 'filter', 'init', 'success', 'failure_reason' ]"
- code => "event.set('[zeek_cols]', @zeek_diagnostic_packet_filter_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate { id => "mutate_add_tag_zeek_diagnostic_packet_filter"
- add_tag => [ "_zeekdiagnostic" ] }
-
- } else if ([log_source] == "print") {
- #############################################################################################################################
- # print.log
- # https://docs.zeek.org/en/master/scripts/base/frameworks/logging/main.zeek.html#type-Log::PrintLogInfo
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_diagnostic_print"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][vals]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_diagnostic_print"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_diagnostic_print"
- init => "@zeek_diagnostic_print_field_names = [ 'ts', 'vals' ]"
- code => "event.set('[zeek_cols]', @zeek_diagnostic_print_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "split_zeek_diagnostic_print_vals"
- split => { "[zeek_cols][vals]" => "," } }
- }
-
- mutate { id => "mutate_add_tag_zeek_diagnostic_print"
- add_tag => [ "_zeekdiagnostic" ] }
-
-
- } else if ([log_source] == "reporter") {
- #############################################################################################################################
- # reporter.log
- # https://docs.zeek.org/en/master/scripts/base/frameworks/reporter/main.zeek.html#type-Reporter::Info
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_reporter_fields"
- rename => { "[zeek_cols][message]" => "[zeek_cols][msg]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_diagnostic_reporter"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][level]} %{[zeek_cols][msg]} %{[zeek_cols][location]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_diagnostic_reporter"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_diagnostic_reporter"
- init => "@zeek_diagnostic_reporter_field_names = [ 'ts', 'level', 'msg', 'location' ]"
- code => "event.set('[zeek_cols]', @zeek_diagnostic_reporter_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate { id => "mutate_add_tag_zeek_diagnostic_reporter"
- add_tag => [ "_zeekdiagnostic" ] }
-
- } else if ([log_source] == "stats") {
- #############################################################################################################################
- # stats.log
- # https://docs.zeek.org/en/master/scripts/policy/misc/stats.zeek.html#type-Stats::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_diagnostic_stats"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][peer]} %{[zeek_cols][mem]} %{[zeek_cols][pkts_proc]} %{[zeek_cols][bytes_recv]} %{[zeek_cols][pkts_dropped]} %{[zeek_cols][pkts_link]} %{[zeek_cols][pkt_lag]} %{[zeek_cols][pkts_filtered]} %{[zeek_cols][events_proc]} %{[zeek_cols][events_queued]} %{[zeek_cols][active_tcp_conns]} %{[zeek_cols][active_udp_conns]} %{[zeek_cols][active_icmp_conns]} %{[zeek_cols][tcp_conns]} %{[zeek_cols][udp_conns]} %{[zeek_cols][icmp_conns]} %{[zeek_cols][timers]} %{[zeek_cols][active_timers]} %{[zeek_cols][files]} %{[zeek_cols][active_files]} %{[zeek_cols][dns_requests]} %{[zeek_cols][active_dns_requests]} %{[zeek_cols][reassem_tcp_size]} %{[zeek_cols][reassem_file_size]} %{[zeek_cols][reassem_frag_size]} %{[zeek_cols][reassem_unknown_size]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_diagnostic_stats"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_diagnostic_stats"
- init => "@zeek_diagnostic_stats_field_names = [ 'ts', 'peer', 'mem', 'pkts_proc', 'bytes_recv', 'pkts_dropped', 'pkts_link', 'pkt_lag', 'pkts_filtered', 'events_proc', 'events_queued', 'active_tcp_conns', 'active_udp_conns', 'active_icmp_conns', 'tcp_conns', 'udp_conns', 'icmp_conns', 'timers', 'active_timers', 'files', 'active_files', 'dns_requests', 'active_dns_requests', 'reassem_tcp_size', 'reassem_file_size', 'reassem_frag_size', 'reassem_unknown_size' ]"
- code => "event.set('[zeek_cols]', @zeek_diagnostic_stats_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate { id => "mutate_add_tag_zeek_diagnostic_stats"
- add_tag => [ "_zeekdiagnostic" ] }
-
- } else {
-
- if ("_jsonparsesuccess" not in [tags]) {
- # some other unknown zeek log file. should start with ts at least!
- csv {
- id => "csv_zeek_unknown"
- columns => ["ts"]
-
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- separator => " "
- # there's no way to *disable* the csv quote char, so set it to something we'll never see
- quote_char => ""
-
- target => "[zeek_cols]"
- }
- }
-
- mutate { id => "mutate_add_tag_zeek_unknown"
- add_tag => [ "_unknown_log_type" ] }
-
- } # if / else if for source type (conn.log, dns.log, etc.)
-
-} # end Filter
diff --git a/logstash/pipelines/zeek/12_zeek_mutate.conf b/logstash/pipelines/zeek/1200_zeek_mutate.conf
similarity index 99%
rename from logstash/pipelines/zeek/12_zeek_mutate.conf
rename to logstash/pipelines/zeek/1200_zeek_mutate.conf
index 182adb633..434e62eae 100644
--- a/logstash/pipelines/zeek/12_zeek_mutate.conf
+++ b/logstash/pipelines/zeek/1200_zeek_mutate.conf
@@ -1937,7 +1937,7 @@ filter {
}
}
- # collect referenced file UIDs(s)/FUID(s) at parent level (here rather than in 13_zeek_normalize.conf because
+ # collect referenced file UIDs(s)/FUID(s) at parent level (here rather than in 1300_zeek_normalize.conf because
# this would have already been done as a root-level fuid array in the main "rename" above if we
# had not had to move it up a level just now)
if ([zeek][smb_files][uid]) {
diff --git a/logstash/pipelines/zeek/13_zeek_normalize.conf b/logstash/pipelines/zeek/1300_zeek_normalize.conf
similarity index 99%
rename from logstash/pipelines/zeek/13_zeek_normalize.conf
rename to logstash/pipelines/zeek/1300_zeek_normalize.conf
index 9774603f8..c7b1c8bc2 100644
--- a/logstash/pipelines/zeek/13_zeek_normalize.conf
+++ b/logstash/pipelines/zeek/1300_zeek_normalize.conf
@@ -1262,7 +1262,7 @@ filter {
# FUIDs #############################################################################################################
# collect all other FUIDs under parent [zeek][fuid] array (some were already done at the root level in
- # the "rename" in 12_zeek_mutate.conf)
+ # the "rename" in 1200_zeek_mutate.conf)
if ([zeek][files][parent_fuid]) { mutate { id => "mutate_merge_normalize_zeek_files_parent_fuid"
merge => { "[zeek][fuid]" => "[zeek][files][parent_fuid]" } } }
@@ -1430,6 +1430,8 @@ filter {
merge => { "[user_agent][original]" => "[zeek][sip][user_agent]" } } }
if ([zeek][smtp][user_agent]) { mutate { id => "mutate_merge_ecs_useragent_smtp"
merge => { "[user_agent][original]" => "[zeek][smtp][user_agent]" } } }
+ if ([zeek][websocket][user_agent]) { mutate { id => "mutate_merge_ecs_useragent_websocket"
+ merge => { "[user_agent][original]" => "[zeek][websocket][user_agent]" } } }
# Hashes ############################################################################################################
# ECS - various -> related.hash (accumulate all hash/fingerprint fields into related.hash)
@@ -1470,6 +1472,9 @@ filter {
if ([zeek][smtp][helo]) { mutate { id => "mutate_merge_field_zeek_smtp_helo_related_hosts"
merge => { "[related][hosts]" => "[zeek][smtp][helo]" } } }
+ if ([zeek][websocket][host]) { mutate { id => "mutate_merge_field_zeek_websocket_related_hosts"
+ merge => { "[related][hosts]" => "[zeek][websocket][host]" } } }
+
# URLs/URIs #########################################################################################################
# ECS - various -> url.original
@@ -1499,6 +1504,9 @@ filter {
if ([zeek][sip][uri]) { mutate { id => "mutate_merge_field_zeek_sip_uri_url_original"
merge => { "[url][original]" => "[zeek][sip][uri]" } } }
+ if ([zeek][websocket][uri]) { mutate { id => "mutate_merge_field_zeek_websocket_uri_url_original"
+ merge => { "[url][original]" => "[zeek][websocket][uri]" } } }
+
if ([zeek][x509][san_uri]) { mutate { id => "mutate_merge_field_zeek_x509_san_uri_url_original"
merge => { "[url][original]" => "[zeek][x509][san_uri]" } } }
diff --git a/logstash/pipelines/zeek/14_zeek_convert.conf b/logstash/pipelines/zeek/1400_zeek_convert.conf
similarity index 100%
rename from logstash/pipelines/zeek/14_zeek_convert.conf
rename to logstash/pipelines/zeek/1400_zeek_convert.conf
diff --git a/logstash/pipelines/zeek/19_severity.conf b/logstash/pipelines/zeek/1900_severity.conf
similarity index 100%
rename from logstash/pipelines/zeek/19_severity.conf
rename to logstash/pipelines/zeek/1900_severity.conf
diff --git a/logstash/pipelines/zeek/99_zeek_forward.conf b/logstash/pipelines/zeek/9900_zeek_forward.conf
similarity index 100%
rename from logstash/pipelines/zeek/99_zeek_forward.conf
rename to logstash/pipelines/zeek/9900_zeek_forward.conf
diff --git a/logstash/scripts/logstash-start.sh b/logstash/scripts/logstash-start.sh
index 35df19c66..a44e98176 100755
--- a/logstash/scripts/logstash-start.sh
+++ b/logstash/scripts/logstash-start.sh
@@ -10,7 +10,7 @@ HOST_PIPELINES_DIR="/usr/share/logstash/malcolm-pipelines.available"
# runtime pipelines parent directory
export PIPELINES_DIR="/usr/share/logstash/malcolm-pipelines"
-# runtime pipeliens configuration file
+# runtime pipelines configuration file
export PIPELINES_CFG="/usr/share/logstash/config/pipelines.yml"
# for each pipeline in /usr/share/logstash/malcolm-pipelines, append the contents of this file to the dynamically-generated
@@ -123,6 +123,11 @@ find "$PIPELINES_DIR" -type f -name "*.conf" -exec sed -i "s/_MALCOLM_LOGSTASH_O
find "$PIPELINES_DIR" -type f -name "*.conf" -exec sed -i "s/_MALCOLM_LOGSTASH_PRIMARY_DATASTORE_TYPE_/${OPENSEARCH_PRIMARY_TYPE}/g" "{}" \; 2>/dev/null
find "$PIPELINES_DIR" -type f -name "*.conf" -exec sed -i "s/_MALCOLM_LOGSTASH_SECONDARY_DATASTORE_TYPE_/${OPENSEARCH_SECONDARY_TYPE}/g" "{}" \; 2>/dev/null
+# make sure that the delimiter for zeek TSV parsing is set correctly in that pipeline (i.e., spaces to tabs)
+if [[ -d "$PIPELINES_DIR"/zeek ]]; then
+ sed -i -E 's/(split\s*=>\s*\{\s*"\[message\]"\s*=>\s*"\s*)\s+("\s*\})/\1\t\2/g' "$PIPELINES_DIR"/zeek/*.conf
+ sed -i -E 's/\s\s*(%\{\[zeek_cols\]\[)/\t\1/g' "$PIPELINES_DIR"/zeek/*.conf
+fi
# import trusted CA certificates if necessary
/usr/local/bin/jdk-cacerts-auto-import.sh || true
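Review bot: The second sed on the new side is not anchored to dissect mappings: it turns any whitespace run that precedes `%{[zeek_cols][` anywhere in the zeek pipeline `.conf` files into a tab, so a sprintf-style string that interpolates a `[zeek_cols]` field after a space (if any such string exists in those files, which is not visible here) would have its literal value silently altered at every container start. Anchoring on the closing brace of the previous dissect field limits the rewrite to the tab-separated mappings the comment describes: `sed -i -E 's/\}\s+(%\{\[zeek_cols\]\[)/}\t\1/g' "$PIPELINES_DIR"/zeek/*.conf`. Both substitutions are idempotent on re-run because `\s` also matches the tab they insert, which is worth stating in the comment since the script edits the runtime copy on every start. The `-d` check does not guard against an empty directory, in which case the unexpanded `*.conf` glob makes sed fail; the rest of this script is outside the hunk, so whether that failure is fatal cannot be seen here.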
diff --git a/shared/bin/manuf-oui-parse.py b/logstash/scripts/manuf-oui-parse.py
similarity index 100%
rename from shared/bin/manuf-oui-parse.py
rename to logstash/scripts/manuf-oui-parse.py
diff --git a/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot b/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot
index 55f54c4a6..3ed2d1a30 100755
--- a/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot
+++ b/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot
@@ -167,7 +167,7 @@ systemctl disable htpdate || true
sed -i "s/#[[:space:]]*HTP_IFUP=.*/HTP_IFUP=no/" /etc/default/htpdate
sed -i "s/#[[:space:]]*HTP_DAEMON=.*/HTP_DAEMON=no/" /etc/default/htpdate
-# remove identifying operating system information from /etc/issue
+# remove identifying operating system information from /etc/issue*
truncate -s 0 /etc/motd
sed -i "s/Debian/Hedgehog/g" /etc/issue
sed -i "s/Debian/Hedgehog/g" /etc/issue.net
diff --git a/malcolm-iso/config/includes.chroot/etc/audit/rules.d/audit.rules b/malcolm-iso/config/includes.chroot/etc/audit/rules.d/audit.rules
index bdc53a2fd..5dcaaab91 100644
--- a/malcolm-iso/config/includes.chroot/etc/audit/rules.d/audit.rules
+++ b/malcolm-iso/config/includes.chroot/etc/audit/rules.d/audit.rules
@@ -34,10 +34,14 @@
-a always,exit -F path=/etc/fstab -F perm=wa -k config_file_change
-a always,exit -F path=/etc/hosts.deny -F perm=wa -k config_file_change
-a always,exit -F path=/etc/login.defs -F perm=wa -k config_file_change
+-a always,exit -F path=/etc/logrotate.conf -F perm=wa -k config_file_change
+-a always,exit -F dir=/etc/logrotate.d/ -F perm=wa -k config_file_change
-a always,exit -F path=/etc/profile -F perm=wa -k config_file_change
-a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/ufw/ -F perm=wa -k ufw_config_file_chg
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy
+-a always,exit -F path=/sbin/iptables-restore -F perm=x -k iptables_restore_exec
+-a always,exit -F path=/sbin/ip6tables-restore -F perm=x -k iptables_restore_exec
-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
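Review bot: The two added `iptables_restore_exec` rules carry no `-F auid>=1000 -F auid!=4294967295` filter, unlike every other `-F perm=x` rule in this hunk, so they also record boot-time and service-driven rule loads where auid is unset; if that is the intent (capturing every firewall reload regardless of actor), a comment such as `# no auid filter: record firewall rule loads from boot/services as well as interactive users` above them would keep the next editor from "fixing" it. They also watch `/sbin/iptables-restore` and `/sbin/ip6tables-restore` while the other netfilter rules in this file use `/usr/sbin/` paths (`/usr/sbin/netfilter-persistent`, `/usr/sbin/nft`); on a merged-/usr image both spellings reach the same inode, but on a layout where `/sbin` is a separate directory the watch would land elsewhere, so using the `/usr/sbin/` form consistently is safer. Whether the image is merged-/usr cannot be determined from this diff.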
@@ -78,6 +82,7 @@
-a always,exit -F path=/usr/bin/wget -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/write.ul -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/eject/dmcrypt-get-device -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/lib/policykit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
@@ -87,6 +92,7 @@
-a always,exit -F path=/usr/sbin/addgroup -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/adduser -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/exim4 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/faillock -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/usr/sbin/groupadd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/mount.cifs -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/netfilter-persistent -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_persistent_use
@@ -126,6 +132,9 @@
-w /sbin/insmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-w /sbin/rmmod -p x -k modules
+-w /usr/sbin/netfilter-persistent -p x -F auid>=1000 -F auid!=4294967295 -k nft_persistent_use
+-w /usr/sbin/nft -p x -F auid>=1000 -F auid!=4294967295 -k nft_cmd_use
+-w /usr/share/netfilter-persistent/plugins.d/ -p wa -k nft_config_file_change
-w /var/log/btmp -p wa -k session
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
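Review bot: The new `-w /usr/sbin/netfilter-persistent -p x -F auid>=1000 -F auid!=4294967295 -k nft_persistent_use` rule overlaps the existing exit rule for the same path and key that is visible as context in the previous hunk (`-a always,exit -F path=/usr/sbin/netfilter-persistent -F perm=x -k nft_persistent_use`); the older rule has no auid filter, so it already matches every execution the new one can match and the addition changes nothing observable. Either drop the new `-w` line, or, if the goal was to stop auditing service-driven runs, remove the older unfiltered rule instead so the two do not disagree. The `/usr/sbin/nft` and `plugins.d/` watches have no such counterpart and look fine.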
@@ -138,24 +147,35 @@
# syscalls
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
+-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S clock_settime -k time-change
+-a always,exit -F arch=b32 -S clock_settime -k time-change
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
+-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
+-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv
-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv
-a always,exit -F arch=b64 -S init_module -S delete_module -S create_module -S finit_module -k modules
+-a always,exit -F arch=b32 -S init_module -S delete_module -S create_module -S finit_module -k modules
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
+-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F dir=/etc/audit/rules.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/pam.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/profile.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/security/ -F perm=wa -k config_file_change
-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
+-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
# Make the configuration immutable -- reboot is required to change audit rules
-e 2
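Review bot: The b32 mirroring is incomplete: the two `open_by_handle_at` rules (EACCES and EPERM, `access` key) and the two `execve -C gid!=egid` / `-C uid!=euid` rules (`execpriv` key) keep only their `arch=b64` form, so a 32-bit binary that takes those paths is not recorded even though every neighbouring b64 rule in this hunk now has a b32 twin. Since the configuration is made immutable by `-e 2` at the end of the file, these gaps cannot be patched at runtime without a reboot, which makes them worth closing in the same change. The four missing rules, placed directly after their b64 counterparts, would be:

```text
# … unchanged: b64 open_by_handle_at / execve rules and their neighbours …
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S execve -C gid!=egid -F key=execpriv
-a always,exit -F arch=b32 -S execve -C uid!=euid -F key=execpriv
```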
diff --git a/malcolm-iso/config/includes.chroot/etc/ssh/sshd_config b/malcolm-iso/config/includes.chroot/etc/ssh/sshd_config
index 84e31145f..d1ad39c03 100644
--- a/malcolm-iso/config/includes.chroot/etc/ssh/sshd_config
+++ b/malcolm-iso/config/includes.chroot/etc/ssh/sshd_config
@@ -111,7 +111,7 @@ ClientAliveCountMax 0
#ChrootDirectory none
#VersionAddendum none
-Banner=/etc/issue
+Banner=/etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
diff --git a/shared/bin/agg-init.sh b/malcolm-iso/config/includes.chroot/usr/local/bin/agg-init.sh
similarity index 100%
rename from shared/bin/agg-init.sh
rename to malcolm-iso/config/includes.chroot/usr/local/bin/agg-init.sh
diff --git a/shared/bin/docker-load-wait.sh b/malcolm-iso/config/includes.chroot/usr/local/bin/docker-load-wait.sh
similarity index 100%
rename from shared/bin/docker-load-wait.sh
rename to malcolm-iso/config/includes.chroot/usr/local/bin/docker-load-wait.sh
diff --git a/shared/bin/malcolm-first-run-configure.sh b/malcolm-iso/config/includes.chroot/usr/local/bin/malcolm-first-run-configure.sh
similarity index 100%
rename from shared/bin/malcolm-first-run-configure.sh
rename to malcolm-iso/config/includes.chroot/usr/local/bin/malcolm-first-run-configure.sh
diff --git a/shared/bin/set-malcolm-gtk-bookmark.sh b/malcolm-iso/config/includes.chroot/usr/local/bin/set-malcolm-gtk-bookmark.sh
similarity index 100%
rename from shared/bin/set-malcolm-gtk-bookmark.sh
rename to malcolm-iso/config/includes.chroot/usr/local/bin/set-malcolm-gtk-bookmark.sh
diff --git a/malcolm-iso/config/package-lists/system.list.chroot b/malcolm-iso/config/package-lists/system.list.chroot
index 6c5dc7e4f..68f74ef94 100644
--- a/malcolm-iso/config/package-lists/system.list.chroot
+++ b/malcolm-iso/config/package-lists/system.list.chroot
@@ -129,7 +129,6 @@ rar
rename
rtkit
samba-libs
-screen
sed
sharutils
shed
diff --git a/scripts/build.sh b/scripts/build.sh
index 050128dbc..6a9473d79 100755
--- a/scripts/build.sh
+++ b/scripts/build.sh
@@ -127,37 +127,39 @@ else
$DOCKER_COMPOSE_COMMAND --progress=plain build --build-arg TARGETPLATFORM="$TARGET_PLATFORM" --build-arg GITHUB_TOKEN="$GITHUB_API_TOKEN" --build-arg MAXMIND_GEOIP_DB_LICENSE_KEY="$MAXMIND_API_KEY" --build-arg MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL="${MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL:-}" --build-arg ZEEK_DEB_ALTERNATE_DOWNLOAD_URL="${ZEEK_DEB_ALTERNATE_DOWNLOAD_URL:-}" --build-arg BUILD_DATE="$BUILD_DATE" --build-arg MALCOLM_VERSION="$MALCOLM_VERSION" --build-arg VCS_REVISION="$VCS_REVISION" "$@"
fi
-# we're going to do some validation that some things got pulled/built correctly
-FILES_IN_IMAGES=(
- "/usr/share/filebeat-logs/filebeat-logs.yml;filebeat-oss"
- "/var/www/upload/filepond/dist/filepond.js;file-upload"
- "/opt/freq_server/freq_server.py;freq"
- "/usr/local/bin/capa;file-monitor"
- "/var/www/htadmin/htadmin.php;htadmin"
- "/etc/ip_protocol_name_to_number.yaml;logstash"
- "/etc/vendor_macs.yaml;logstash"
- "/opt/arkime/etc/GeoLite2-ASN.mmdb;arkime"
- "/opt/arkime/etc/GeoLite2-Country.mmdb;arkime"
- "/opt/arkime/etc/ipv4-address-space.csv;arkime"
- "/opt/arkime/etc/oui.txt;arkime"
- "/opt/arkime/bin/capture;arkime"
- "/opt/netbox-devicetype-library-import/repo/schema/components.json;netbox"
- "/opt/zeek/bin/zeek;zeek"
- "/opt/zeek/bin/spicyz;zeek"
- "/usr/share/nginx/html/index.html;nginx-proxy"
-)
-for i in ${FILES_IN_IMAGES[@]}; do
- FILE="$(echo "$i" | cut -d';' -f1)"
- IMAGE="$(echo "$i" | cut -d';' -f2)"
- (( "$(filesize_in_image $IMAGE "$FILE")" > 0 )) || { echo "Failed to create \"$FILE\" in \"$IMAGE\""; exit 1; }
-done
-
-DIRS_IN_IMAGES=(
- "/var/lib/clamav;file-monitor;200000000"
-)
-for i in ${DIRS_IN_IMAGES[@]}; do
- DIR="$(echo "$i" | cut -d';' -f1)"
- IMAGE="$(echo "$i" | cut -d';' -f2)"
- MINSIZE="$(echo "$i" | cut -d';' -f3)"
- (( "$(dirsize_in_image $IMAGE "$DIR")" > $MINSIZE )) || { echo "Failed to create \"$DIR\" in \"$IMAGE\""; exit 1; }
-done
+if (( $# == 0 )); then
+ # if we built *all* the images, we're going to do some validation that some things got pulled/built correctly
+ FILES_IN_IMAGES=(
+ "/usr/share/filebeat-logs/filebeat-logs.yml;filebeat-oss"
+ "/var/www/upload/filepond/dist/filepond.js;file-upload"
+ "/opt/freq_server/freq_server.py;freq"
+ "/usr/local/bin/capa;file-monitor"
+ "/var/www/htadmin/htadmin.php;htadmin"
+ "/etc/ip_protocol_name_to_number.yaml;logstash"
+ "/etc/vendor_macs.yaml;logstash"
+ "/opt/arkime/etc/GeoLite2-ASN.mmdb;arkime"
+ "/opt/arkime/etc/GeoLite2-Country.mmdb;arkime"
+ "/opt/arkime/etc/ipv4-address-space.csv;arkime"
+ "/opt/arkime/etc/oui.txt;arkime"
+ "/opt/arkime/bin/capture;arkime"
+ "/opt/netbox-devicetype-library-import/repo/schema/components.json;netbox"
+ "/opt/zeek/bin/zeek;zeek"
+ "/opt/zeek/bin/spicyz;zeek"
+ "/usr/share/nginx/html/index.html;nginx-proxy"
+ )
+ for i in ${FILES_IN_IMAGES[@]}; do
+ FILE="$(echo "$i" | cut -d';' -f1)"
+ IMAGE="$(echo "$i" | cut -d';' -f2)"
+ (( "$(filesize_in_image $IMAGE "$FILE")" > 0 )) || { echo "Failed to create \"$FILE\" in \"$IMAGE\""; exit 1; }
+ done
+
+ DIRS_IN_IMAGES=(
+ "/var/lib/clamav;file-monitor;200000000"
+ )
+ for i in ${DIRS_IN_IMAGES[@]}; do
+ DIR="$(echo "$i" | cut -d';' -f1)"
+ IMAGE="$(echo "$i" | cut -d';' -f2)"
+ MINSIZE="$(echo "$i" | cut -d';' -f3)"
+ (( "$(dirsize_in_image $IMAGE "$DIR")" > $MINSIZE )) || { echo "Failed to create \"$DIR\" in \"$IMAGE\""; exit 1; }
+ done
+fi
\ No newline at end of file
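Review bot: The new guard `if (( $# == 0 )); then` skips the image validation whenever any argument is present, but the line above forwards `"$@"` straight to `docker compose build`, so a flag such as `--no-cache` that doesn't narrow the set of images would also suppress the checks, which contradicts the comment "if we built *all* the images". Either test for non-option arguments only, or make the comment say that validation runs only for an argument-free invocation. Separately, `for i in ${FILES_IN_IMAGES[@]}; do` and the `DIRS_IN_IMAGES` loop are unquoted, so an entry with whitespace would split; `for i in "${FILES_IN_IMAGES[@]}"; do` is the safe form. The new file also ends without a trailing newline.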
diff --git a/scripts/demo/Vagrantfile b/scripts/demo/Vagrantfile
index d90236f7d..9dd26c933 100644
--- a/scripts/demo/Vagrantfile
+++ b/scripts/demo/Vagrantfile
@@ -1,29 +1,25 @@
# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
-class VagrantPlugins::ProviderVirtualBox::Action::Network
- def dhcp_server_matches_config?(dhcp_server, config)
- true
- end
-end
-
Vagrant.configure("2") do |config|
- config.vm.box = "bento/amazonlinux-2"
+ config.vm.box = "bento/amazonlinux-2023"
config.vm.synced_folder '.', '/vagrant', disabled: false
config.vm.network "private_network", type: "dhcp"
config.vm.network "forwarded_port", protocol: "tcp", guest: 443, host: 8443, host_ip: "0.0.0.0"
- if Vagrant.has_plugin?("vagrant-vbguest")
- config.vbguest.auto_update = false
- end
+ # uncomment the section for the provider you're using
- config.vm.provider "virtualbox" do |vb|
- vb.cpus = 8
- vb.memory = 24576
- config.vm.disk :disk, size: "150G"
- end
+ # if Vagrant.has_plugin?("vagrant-vbguest")
+ # config.vbguest.auto_update = false
+ # end
+
+ # config.vm.provider "virtualbox" do |vb|
+ # vb.cpus = 8
+ # vb.memory = 24576
+ # config.vm.disk :disk, size: "150GB", name: "vbextra"
+ # end
config.vm.provider "libvirt" do |libvirt|
libvirt.cpus = 8
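Review bot: The new comment `# uncomment the section for the provider you're using` sits above the `vagrant-vbguest` plugin block rather than a provider block, and the `libvirt` provider that follows is left active while VirtualBox and VMware are commented out, so the instruction doesn't describe the file's actual state. Something like `# libvirt is enabled below; to use VirtualBox or VMware instead, comment out the libvirt block and uncomment the matching section` would match what the file does. The `Vagrant.configure` block continues past this hunk.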
@@ -40,21 +36,20 @@ Vagrant.configure("2") do |config|
libvirt.channel :type => 'spicevmc', :target_name => 'com.redhat.spice.0', :target_type => 'virtio'
libvirt.channel :type => 'unix', :target_name => 'org.qemu.guest_agent.0', :target_type => 'virtio'
libvirt.random :model => 'random'
- libvirt.storage :file, :size => '150G'
+ libvirt.storage :file, :size => '150GB'
end
+ # config.vm.provider "vmware_desktop" do |vd|
+ # vd.cpus = 8
+ # vd.memory = 24576
+ # config.vm.disk :disk, size: "150GB", name: "vdextra"
+ # end
- config.vm.provider "vmware_desktop" do |vd|
- vd.cpus = 8
- vd.memory = 24576
- config.vm.disk :disk, size: "150G"
- end
-
- config.vm.provider "vmware_fusion" do |vf|
- vf.cpus = 8
- vf.memory = 24576
- config.vm.disk :disk, size: "150G"
- end
+ # config.vm.provider "vmware_fusion" do |vf|
+ # vf.cpus = 8
+ # vf.memory = 24576
+ # config.vm.disk :disk, size: "150GB", name: "vfextra"
+ # end
config.vm.provision "shell", privileged: true, inline: <<-STEP0
yum install -y btrfs-progs
@@ -78,20 +73,15 @@ Vagrant.configure("2") do |config|
rmdir /home.old
fi
cd /tmp
- ( uname -r | grep -q "^4" ) && amazon-linux-extras install -y kernel-5.10
STEP0
config.vm.provision :reload
- config.vm.provision "shell", privileged: true, inline: <<-STEP1
- package-cleanup -y --oldkernels --count=1
- STEP1
-
config.vm.provision "shell", privileged: false, inline: <<-STEP2
mkdir -p ~/.local/bin ~/.config
- curl -sSL -o ~/.local/bin/amazon_linux_2_malcolm_demo_setup.sh https://raw.githubusercontent.com/cisagov/Malcolm/main/scripts/demo/amazon_linux_2_malcolm_demo_setup.sh
- chmod 755 ~/.local/bin/amazon_linux_2_malcolm_demo_setup.sh
+ curl -sSL -o ~/.local/bin/amazon_linux_2023_malcolm_demo_setup.sh https://raw.githubusercontent.com/cisagov/Malcolm/main/scripts/demo/amazon_linux_2023_malcolm_demo_setup.sh
+ chmod 755 ~/.local/bin/amazon_linux_2023_malcolm_demo_setup.sh
- MALCOLM_SETUP_NONINTERACTIVE=1 ~/.local/bin/amazon_linux_2_malcolm_demo_setup.sh
+ MALCOLM_SETUP_NONINTERACTIVE=1 ~/.local/bin/amazon_linux_2023_malcolm_demo_setup.sh
STEP2
config.vm.provision :reload
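Review bot: The STEP2 provisioner fetches `amazon_linux_2023_malcolm_demo_setup.sh` from the `main` branch and executes it, so what the demo VM runs changes whenever that branch moves, and `curl -sSL` without `-f` will write an HTTP error body into the target file and then `chmod 755` it. Pinning the URL to a release tag or commit (`https://raw.githubusercontent.com/cisagov/Malcolm/<ref>/scripts/demo/amazon_linux_2023_malcolm_demo_setup.sh`, with `<ref>` chosen by the maintainers) and using `curl -fsSL` would make the provision step reproducible and fail loudly on a bad fetch. The STEP2 heredoc starts inside this hunk and is closed at `STEP2`; the enclosing `Vagrant.configure` block starts above it.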
diff --git a/scripts/demo/amazon_linux_2_malcolm_demo_setup.sh b/scripts/demo/amazon_linux_2023_malcolm_demo_setup.sh
similarity index 72%
rename from scripts/demo/amazon_linux_2_malcolm_demo_setup.sh
rename to scripts/demo/amazon_linux_2023_malcolm_demo_setup.sh
index 33845d9e4..6e98312fd 100755
--- a/scripts/demo/amazon_linux_2_malcolm_demo_setup.sh
+++ b/scripts/demo/amazon_linux_2023_malcolm_demo_setup.sh
@@ -3,12 +3,12 @@
# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
###################################################################################
-# for setting up a Malcolm demo instance on an Amazon Linux 2 instance from scratch
+# for setting up a Malcolm demo instance on an Amazon Linux 2023 instance from scratch
#
-# so far I have had the best luck on c4.4xlarge (16 CPU, 30 GB RAM) and
-# t3a.2xlarge (8 CPU, 32 GB RAM)
+# I've used:
+# - for x86-64 instances `c4.4xlarge`, `t2.2xlarge`, and `t3a.2xlarge`
+# - for arm64 instances `m6gd.2xlarge`, `m6g.2xlarge`, `m7g.2xlarge`, and `t4g.2xlarge`
#
-
###################################################################################
# initialize
@@ -17,8 +17,8 @@ if [[ -z "$BASH_VERSION" ]]; then
exit 1
fi
-if ! type amazon-linux-extras >/dev/null 2>&1; then
- echo "This command only targets Amazon Linux 2" >&2
+if [[ "$(awk -F= '$1=="PLATFORM_ID" { print $2 ;}' /etc/os-release | tr -d '"')" != "platform:al2023" ]]; then
+ echo "This command only targets Amazon Linux 2023" >&2
exit 1
fi
@@ -39,6 +39,14 @@ else
SUDO_CMD="sudo"
fi
+$SUDO_CMD mkdir -p /etc/sudoers.d/
+echo 'Defaults umask = 0022' | ($SUDO_CMD su -c 'EDITOR="tee" visudo -f /etc/sudoers.d/99-default-umask')
+echo 'Defaults umask_override' | ($SUDO_CMD su -c 'EDITOR="tee -a" visudo -f /etc/sudoers.d/99-default-umask')
+$SUDO_CMD chmod 440 /etc/sudoers.d/99-default-umask
+umask 0022
+
+LINUX_CPU=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
+
# default user paths
LOCAL_DATA_PATH=${XDG_DATA_HOME:-$HOME/.local/share}
LOCAL_BIN_PATH=$HOME/.local/bin
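Review bot: `Defaults umask_override` makes sudo apply the sudoers umask (`0022`) instead of the union with the invoking user's umask, so a user who set a stricter umask (for example `0077`) will get world-readable files from every sudo'd command after this drop-in is installed; that is an unusual system-wide choice and nothing here says why it is needed, so a comment such as `# force a permissive umask under sudo so files created for the containers stay world-readable (TODO confirm reason)` would record the intent. The drop-in is written before `chmod 440` is applied and visudo's exit status is never checked; `$SUDO_CMD visudo -c -f /etc/sudoers.d/99-default-umask || exit 1` after the chmod would catch a malformed file before it affects later sudo calls. The `if`/`else` that sets `SUDO_CMD` begins above this hunk.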
@@ -51,10 +59,16 @@ MALCOLM_SETUP_NONINTERACTIVE=${MALCOLM_SETUP_NONINTERACTIVE:-0}
# variables for env development environments and tools
ENV_LIST=(
age
+ bat
+ direnv
+ eza
fd
+ fzf
jq
- yq
+ peco
ripgrep
+ viddy
+ yq
)
###################################################################################
@@ -99,7 +113,7 @@ function InstallEssentialPackages {
else
echo "Installing curl, git, and jq..." >&2
$SUDO_CMD yum update -y >/dev/null 2>&1 && \
- $SUDO_CMD yum install -y curl git jq
+ $SUDO_CMD yum install -y curl-minimal git jq
fi
}
@@ -198,8 +212,10 @@ function InstallEnvPackages {
if python3 -m pip -V >/dev/null 2>&1; then
python3 -m pip install --user -U \
dateparser \
+ kubernetes \
mmguero \
- requests
+ python-dotenv \
+ pythondialog
fi
fi
@@ -207,7 +223,7 @@ function InstallEnvPackages {
}
################################################################################
-# InstallDocker - install Docker and enable it as a service, and install docker-compose
+# InstallDocker - install Docker and enable it as a service, and install docker compose
function InstallDocker {
# install docker-ce, if needed
@@ -218,7 +234,7 @@ function InstallDocker {
InstallEssentialPackages
$SUDO_CMD yum update -y >/dev/null 2>&1 && \
- $SUDO_CMD amazon-linux-extras install -y docker
+ $SUDO_CMD yum install -y docker
$SUDO_CMD systemctl enable docker
$SUDO_CMD systemctl start docker
@@ -253,42 +269,26 @@ function InstallDocker {
}
################################################################################
-# InstallCommonPackages - install yum and amazon-linux-extras packages, and build
-# the non-GUI version of wireshark from source (for editcap/capinfos/tshark)
+# InstallCommonPackages - install packages from yum
function InstallCommonPackages {
CONFIRMATION=$(_GetConfirmation "Install common packages [Y/n]?" Y)
if [[ $CONFIRMATION =~ ^[Yy] ]]; then
$SUDO_CMD yum update -y >/dev/null 2>&1
- $SUDO_CMD yum groupinstall -y 'Development Tools'
-
- PACKAGE_LIST=(
- python3.8
- )
- # install the packages from amazon-linux-extras
- for i in ${PACKAGE_LIST[@]}; do
- $SUDO_CMD amazon-linux-extras install -y "$i"
- done
- $SUDO_CMD ln -s -r -f /usr/bin/python3.8 /usr/bin/python3
- $SUDO_CMD ln -s -r -f /usr/bin/pip3.8 /usr/bin/pip3
PACKAGE_LIST=(
- c-ares-devel
- flex
- gcc
- gcc-c++
- glib2-devel
+ cronie
+ dialog
httpd-tools
- libgcrypt-devel
- libpcap-devel
- lua-devel
- make
- ninja-build
openssl
- openssl-devel
+ python3-pip
+ python3-requests+security
+ python3-ruamel-yaml
+ python3-setuptools
+ python3-wheel
tmux
- zlib-devel
+ wireshark-cli
xz
)
# install the packages from yum
@@ -296,68 +296,28 @@ function InstallCommonPackages {
$SUDO_CMD yum install -y "$i"
done
- # wireshark (for capinfos/editcap) in repo is FLIPPIN' old, why?
- # guess we'll have to build from source
- if ! type tshark >/dev/null 2>&1; then
- export SOURCE_DIR="$(mktemp -d)"
- pushd "$SOURCE_DIR" >/dev/null 2>&1
-
- # cmake
- if ! type cmake >/dev/null 2>&1; then
- CMAKE_VERSION=3.26.4
- curl -sSL -O -J "https://github.com/Kitware/CMake/releases/download/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}.tar.gz"
- tar xvf cmake-"${CMAKE_VERSION}".tar.gz
- pushd cmake-"${CMAKE_VERSION}" >/dev/null 2>&1
- ./bootstrap --prefix=/usr
- make
- $SUDO_CMD make install
- popd >/dev/null 2>&1
- fi
-
- # wireshark
- WIRESHARK_VERSION=3.6.14
- curl -sSL -O -J "https://2.na.dl.wireshark.org/src/wireshark-${WIRESHARK_VERSION}.tar.xz"
- tar xvf wireshark-"${WIRESHARK_VERSION}".tar.xz
- pushd wireshark-"${WIRESHARK_VERSION}" >/dev/null 2>&1
- mkdir -p build
- pushd "build" >/dev/null 2>&1
- cmake -DCMAKE_INSTALL_PREFIX=/usr -DBUILD_wireshark=OFF -G Ninja ..
- ninja-build
- $SUDO_CMD ninja-build install
- popd >/dev/null 2>&1
- popd >/dev/null 2>&1
-
- popd >/dev/null 2>&1
- rm -rf "$SOURCE_DIR"
- fi
-
fi # install common packages confirmation
}
################################################################################
# _InstallCroc - schollz/croc: easily and securely send things from one computer to another
function _InstallCroc {
- mkdir -p "$LOCAL_BIN_PATH" "$LOCAL_DATA_PATH"/bash-completion/completions
-
- CROC_RELEASE="$(_GitLatestRelease schollz/croc | sed 's/^v//')"
- TMP_CLONE_DIR="$(mktemp -d)"
- curl -L "https://github.com/schollz/croc/releases/download/v${CROC_RELEASE}/croc_${CROC_RELEASE}_Linux-64bit.tar.gz" | tar xvzf - -C "${TMP_CLONE_DIR}"
- cp -f "${TMP_CLONE_DIR}"/croc "$LOCAL_BIN_PATH"/croc
- cp -f "${TMP_CLONE_DIR}"/bash_autocomplete "$LOCAL_DATA_PATH"/bash-completion/completions/croc.bash
- chmod 755 "$LOCAL_BIN_PATH"/croc
- rm -rf "$TMP_CLONE_DIR"
-}
-
-################################################################################
-# _InstallBat - sharkdp/bat: a cat(1) clone with wings
-function _InstallBat {
mkdir -p "$LOCAL_BIN_PATH"
- BAT_RELEASE="$(_GitLatestRelease sharkdp/bat)"
+ CROC_RELEASE="$(_GitLatestRelease schollz/croc)"
TMP_CLONE_DIR="$(mktemp -d)"
- curl -L "https://github.com/sharkdp/bat/releases/download/${BAT_RELEASE}/bat-${BAT_RELEASE}-x86_64-unknown-linux-musl.tar.gz" | tar xvzf - -C "${TMP_CLONE_DIR}" --strip-components 1
- cp -f "${TMP_CLONE_DIR}"/bat "$LOCAL_BIN_PATH"/bat
- chmod 755 "$LOCAL_BIN_PATH"/bat
+ if [[ "$LINUX_CPU" == "arm64" ]]; then
+ CROC_URL="https://github.com/schollz/croc/releases/download/${CROC_RELEASE}/croc_${CROC_RELEASE}_Linux-ARM64.tar.gz"
+ elif [[ "$LINUX_CPU" == "amd64" ]]; then
+ CROC_URL="https://github.com/schollz/croc/releases/download/${CROC_RELEASE}/croc_${CROC_RELEASE}_Linux-64bit.tar.gz"
+ else
+ CROC_URL=
+ fi
+ if [[ -n "$CROC_URL" ]]; then
+ curl -sSL "$CROC_URL" | tar xvzf - -C "${TMP_CLONE_DIR}"
+ cp -f "${TMP_CLONE_DIR}"/croc "$LOCAL_BIN_PATH"/croc
+ chmod 755 "$LOCAL_BIN_PATH"/croc
+ fi
rm -rf "$TMP_CLONE_DIR"
}
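Review bot: `curl -sSL "$CROC_URL" | tar xvzf - -C "${TMP_CLONE_DIR}"` has no `-f`, so an HTTP error body is piped into tar and the failure surfaces only as a tar or `cp` error, and the downloaded binary is installed into `$LOCAL_BIN_PATH` without being checked against anything; `curl -fsSL` plus verifying the archive against the release's published checksums (if croc publishes a checksums asset, which I haven't confirmed here) would close both gaps. The old code stripped the leading `v` from the tag and re-added it only in the URL path, while the new code uses `${CROC_RELEASE}` unchanged in both the path and the asset filename `croc_${CROC_RELEASE}_Linux-64bit.tar.gz`, so it is worth confirming against a current release that the asset name really carries the `v`. When `$LINUX_CPU` is neither `arm64` nor `amd64` the function silently installs nothing; `else echo "Unsupported architecture: $LINUX_CPU" >&2` in place of the bare `CROC_URL=` branch would make that visible. The same three points apply to `_InstallBoringProxy` in the next hunk.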
@@ -367,27 +327,19 @@ function _InstallBoringProxy {
mkdir -p "$LOCAL_BIN_PATH"
BORING_RELEASE="$(_GitLatestRelease boringproxy/boringproxy)"
- curl -L -o "${LOCAL_BIN_PATH}"/boringproxy.new "https://github.com/boringproxy/boringproxy/releases/download/${BORING_RELEASE}/boringproxy-linux-x86_64"
- chmod 755 "${LOCAL_BIN_PATH}"/boringproxy.new
- [[ -f "$LOCAL_BIN_PATH"/boringproxy ]] && rm -f "$LOCAL_BIN_PATH"/boringproxy
- mv "$LOCAL_BIN_PATH"/boringproxy.new "$LOCAL_BIN_PATH"/boringproxy
-}
-
-################################################################################
-# _InstallNgrok - inconshreveable/ngrok: secure introspectable tunnels to localhost
-function _InstallNgrok {
- mkdir -p "$LOCAL_BIN_PATH"
-
- TMP_CLONE_DIR="$(mktemp -d)"
- curl -L -o "${TMP_CLONE_DIR}"/ngrok.zip -L "https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip"
- pushd "$TMP_CLONE_DIR" >/dev/null 2>&1
- unzip ./ngrok.zip
- mv ./ngrok "$LOCAL_BIN_PATH"/ngrok.new
- chmod 755 "$LOCAL_BIN_PATH"/ngrok.new
- [[ -f "$LOCAL_BIN_PATH"/ngrok ]] && rm -f "$LOCAL_BIN_PATH"/ngrok
- mv "$LOCAL_BIN_PATH"/ngrok.new "$LOCAL_BIN_PATH"/ngrok
- popd >/dev/null 2>&1
- rm -rf "$TMP_CLONE_DIR"
+ if [[ "$LINUX_CPU" == "arm64" ]]; then
+ BORING_URL="https://github.com/boringproxy/boringproxy/releases/download/${BORING_RELEASE}/boringproxy-linux-arm64"
+ elif [[ "$LINUX_CPU" == "amd64" ]]; then
+ BORING_URL="https://github.com/boringproxy/boringproxy/releases/download/${BORING_RELEASE}/boringproxy-linux-x86_64"
+ else
+ BORING_URL=
+ fi
+ if [[ -n "$BORING_URL" ]]; then
+ curl -sSL -o "${LOCAL_BIN_PATH}"/boringproxy.new "$BORING_URL"
+ chmod 755 "${LOCAL_BIN_PATH}"/boringproxy.new
+ [[ -f "$LOCAL_BIN_PATH"/boringproxy ]] && rm -f "$LOCAL_BIN_PATH"/boringproxy
+ mv "$LOCAL_BIN_PATH"/boringproxy.new "$LOCAL_BIN_PATH"/boringproxy
+ fi
}
################################################################################
@@ -396,8 +348,6 @@ function InstallUserLocalBinaries {
CONFIRMATION=$(_GetConfirmation "Install user-local binaries/packages [Y/n]?" Y)
if [[ $CONFIRMATION =~ ^[Yy] ]]; then
[[ ! -f "${LOCAL_BIN_PATH}"/croc ]] && _InstallCroc
- [[ ! -f "${LOCAL_BIN_PATH}"/bat ]] && _InstallBat
- [[ ! -f "${LOCAL_BIN_PATH}"/ngrok ]] && _InstallNgrok
[[ ! -f "${LOCAL_BIN_PATH}"/boringproxy ]] && _InstallBoringProxy
fi
}
@@ -413,8 +363,7 @@ function CreateCommonLinuxConfig {
mkdir -p "$HOME/tmp" \
"$HOME/devel" \
- "$LOCAL_BIN_PATH" \
- "$LOCAL_DATA_PATH"/bash-completion/completions
+ "$LOCAL_BIN_PATH"
[[ ! -f ~/.vimrc ]] && echo "set nocompatible" > ~/.vimrc
@@ -438,7 +387,7 @@ function SystemConfig {
kernel.dmesg_restrict=0
# the maximum number of open file handles
-fs.file-max=65536
+fs.file-max=518144
# the maximum number of user inotify watches
fs.inotify.max_user_watches=131072
@@ -470,6 +419,10 @@ EOT
* hard nofile 65535
* soft memlock unlimited
* hard memlock unlimited
+* soft nproc 262144
+* hard nproc 524288
+* soft core 0
+* hard core 0
EOT
fi # limits.conf confirmation
fi # limits.conf check
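Review bot: `* soft core 0` and `* hard core 0` disable core dumps for every user, which also removes a debugging aid, and nothing in the heredoc says why the limit is set; a one-line comment above these entries such as `# disable core dumps so process memory (which may contain captured traffic or credentials) is never written to disk` would record the intent for the next maintainer. The heredoc and the enclosing `SystemConfig` function both start above this hunk.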
@@ -477,7 +430,7 @@ EOT
if [[ -f /etc/default/grub ]] && ! grep -q cgroup /etc/default/grub; then
CONFIRMATION=$(_GetConfirmation "Tweak kernel parameters in grub (cgroup, etc.) [Y/n]?" Y)
if [[ $CONFIRMATION =~ ^[Yy] ]]; then
- $SUDO_CMD sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="[^"]*/& random.trust_cpu=on cgroup_enable=memory swapaccount=1 cgroup.memory=nokmem/' /etc/default/grub
+ $SUDO_CMD sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="[^"]*/& systemd.unified_cgroup_hierarchy=1 cgroup_enable=memory swapaccount=1 cgroup.memory=nokmem random.trust_cpu=on preempt=voluntary/' /etc/default/grub
$SUDO_CMD grub2-mkconfig -o /boot/grub2/grub.cfg
fi # grub confirmation
fi # grub check
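Review bot: The `sed` only rewrites a line of the form `GRUB_CMDLINE_LINUX_DEFAULT="..."`; if the image's `/etc/default/grub` carries its kernel arguments in `GRUB_CMDLINE_LINUX` instead (I haven't verified which variable Amazon Linux 2023 ships), the substitution is a silent no-op, `grub2-mkconfig` is still run, and the `! grep -q cgroup` guard above will prompt again on every run. A check before the sed, `grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub || echo "GRUB_CMDLINE_LINUX_DEFAULT not found in /etc/default/grub" >&2`, would surface that case. The enclosing `SystemConfig` function starts above this hunk.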
@@ -515,9 +468,6 @@ function SGroverDotfiles {
[[ -r "$SGROVER_GITHUB_PATH"/git/gitignore_global ]] && rm -vf ~/.gitignore_global && \
ln -vrs "$SGROVER_GITHUB_PATH"/git/gitignore_global ~/.gitignore_global
- [[ -r "$SGROVER_GITHUB_PATH"/git/git_clone_all.sh ]] && rm -vf "$LOCAL_BIN_PATH"/git_clone_all.sh && \
- ln -vrs "$SGROVER_GITHUB_PATH"/git/git_clone_all.sh "$LOCAL_BIN_PATH"/git_clone_all.sh
-
[[ -r "$SGROVER_GITHUB_PATH"/linux/tmux/tmux.conf ]] && rm -vf ~/.tmux.conf && \
ln -vrs "$SGROVER_GITHUB_PATH"/linux/tmux/tmux.conf ~/.tmux.conf
@@ -545,46 +495,41 @@ function InstallMalcolm {
if [[ $CONFIRMATION =~ ^[Yy] ]]; then
if _GitClone https://github.com/cisagov/Malcolm "$MALCOLM_PATH"; then
pushd "$MALCOLM_PATH" >/dev/null 2>&1
- python3 ./scripts/install.py -c -d
- CONFIG_PAIRS=(
- "CAPA_MAX_REQUESTS:2"
- "CLAMD_MAX_REQUESTS:4"
- "EXTRACTED_FILE_ENABLE_CAPA:'true'"
- "EXTRACTED_FILE_ENABLE_CLAMAV:'true'"
- "EXTRACTED_FILE_ENABLE_YARA:'true'"
- "EXTRACTED_FILE_HTTP_SERVER_ENABLE:'true'"
- "EXTRACTED_FILE_IGNORE_EXISTING:'true'"
- "EXTRACTED_FILE_PRESERVATION:'all'"
- "FREQ_LOOKUP:'true'"
- "LOGSTASH_OUI_LOOKUP:'true'"
- "LOGSTASH_REVERSE_DNS:'true'"
- "LOGSTASH_SEVERITY_SCORING:'true'"
- "PCAP_PIPELINE_IGNORE_PREEXISTING:'true'"
- "PCAP_PIPELINE_POLLING:'true'"
- "YARA_MAX_REQUESTS:4"
- "ZEEK_AUTO_ANALYZE_PCAP_FILES:'true'"
- "ZEEK_DISABLE_BEST_GUESS_ICS:''"
- "ZEEK_EXTRACTOR_MODE:'all'"
- # "NGINX_BASIC_AUTH:'no_authentication'"
- )
- for i in ${CONFIG_PAIRS[@]}; do
- KEY="$(echo "$i" | cut -d':' -f1)"
- VALUE="$(echo "$i" | cut -d':' -f2)"
- for CONFIG in docker-compose-dev.yml docker-compose.yml; do
- sed -i "s/\(^[[:space:]]*$KEY[[:space:]]*:[[:space:]]*\).*/\1$VALUE/g" "$CONFIG"
- done
- done
- mkdir -p ./config
- touch ./config/auth.env
+ python3 ./scripts/configure \
+ --defaults \
+ --runtime docker \
+ --malcolm-profile \
+ --restart-malcolm \
+ --auto-arkime \
+ --auto-suricata \
+ --auto-zeek \
+ --zeek-ics \
+ --zeek-ics-best-guess \
+ --auto-oui \
+ --auto-freq \
+ --file-extraction notcommtxt \
+ --file-preservation quarantined \
+ --extracted-file-server \
+ --extracted-file-server-password infected \
+ --extracted-file-server-zip \
+ --extracted-file-capa \
+ --extracted-file-clamav \
+ --extracted-file-yara \
+ --netbox \
+ --netbox-enrich \
+ --netbox-autopopulate \
+ --netbox-auto-prefixes \
+ --netbox-site-name "$(hostname -s)"
+
grep image: docker-compose.yml | awk '{print $2}' | sort -u | xargs -l -r $SUDO_CMD docker pull
echo "Please run $MALCOLM_PATH/scripts/auth_setup to complete configuration" >&2
popd >/dev/null 2>&1
fi
pushd "$LOCAL_BIN_PATH" >/dev/null 2>&1
- curl -sSL -J -O https://raw.githubusercontent.com/cisagov/Malcolm/main/scripts/demo/reset_and_auto_populate.sh
+ ln -f -s -r "$MALCOLM_PATH"/scripts/demo/reset_and_auto_populate.sh ./reset_and_auto_populate.sh
curl -sSL -J -O https://raw.githubusercontent.com/mmguero-dev/Malcolm-PCAP/main/tools/pcap_time_shift.py
- chmod 755 reset_and_auto_populate.sh pcap_time_shift.py
+ chmod 755 pcap_time_shift.py
popd >/dev/null 2>&1
CONFIRMATION=$(_GetConfirmation "Set up crontab for starting/resetting Malcolm? [y/N]?" N)
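Review bot: `--extracted-file-server-password infected` hard-codes the ZIP password for the extracted-file server, and because it is passed on the command line it is visible in the process list and in any shell history or logging while `configure` runs. Reading it from the environment with the same default, `--extracted-file-server-password "${MALCOLM_EXTRACTED_FILE_PASSWORD:-infected}"` (variable name constructed here, not an existing one), keeps the demo behaviour while letting an operator override it without editing the script. The `configure` invocation and the `if _GitClone` block fit inside this hunk, but the enclosing `InstallMalcolm` function starts above it.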
@@ -624,22 +569,6 @@ function SetupConnectivity {
fi
fi
- # ngrok
- if ! ( crontab -l | grep -q ngrok ); then
- CONFIRMATION=$(_GetConfirmation "Configure ngrok [y/N]?" N)
- if [[ $CONFIRMATION =~ ^[Yy] ]]; then
- [[ ! -f "${LOCAL_BIN_PATH}"/ngrok ]] && _InstallNgrok
- TOKEN=$(_GetString "ngrok token:" "")
- if [[ -n "$TOKEN" ]]; then
- "${LOCAL_BIN_PATH}"/ngrok authtoken "$TOKEN"
- ((echo 'SHELL=/bin/bash') ; \
- (( crontab -l | grep . | grep -v ^SHELL= ; \
- echo "@reboot sleep 180 && ( nohup ${LOCAL_BIN_PATH}/ngrok http https://localhost >/dev/null 2>&1 /dev/null 2>&1 /dev/null 2>&1 ',
+ )
+ parser.add_argument(
+ '--verbose',
+ '-v',
+ action='count',
+ default=1,
+ help='Increase verbosity (e.g., -v, -vv, etc.)',
+ )
+ parser.add_argument(
+ '-t',
+ '--token',
+ dest='githubToken',
+ help=f'GitHub API token',
+ metavar='',
+ type=str,
+ default=os.getenv('GITHUB_TOKEN', os.getenv('GITHUB_OAUTH_TOKEN', '')),
+ )
+ parser.add_argument(
+ '--token-file',
+ dest='githubTokenFile',
+ help=f'GitHub API token (read from filename)',
+ metavar='',
+ type=str,
+ default=os.getenv('GITHUB_TOKEN_FILE', os.getenv('GITHUB_OAUTH_TOKEN_FILE', '')),
+ )
+ parser.add_argument(
+ '-r',
+ '--repo',
+ dest='repos',
+ nargs='*',
+ type=str,
+ default=[],
+ help="One or more GitHub repository/repositories (e.g., org/repo)",
+ )
+ parser.add_argument(
+ '--date-from',
+ dest='dateFromStr',
+ metavar='',
+ type=str,
+ default='Jan 1 1970',
+ help="Human readable date expression for beginning of search time frame (default: Jan 1 1970)",
+ )
+ parser.add_argument(
+ '--date-to',
+ dest='dateToStr',
+ metavar='',
+ type=str,
+ default='now',
+ help="Human readable date expression for ending of search time frame (default: now)",
+ )
+ parser.add_argument(
+ '--release',
+ dest='releaseRegexes',
+ nargs='*',
+ type=str,
+ default=[],
+ help="List of regular expressions against which to match releases (e.g., ^v24\\.10)",
+ )
+ parser.add_argument(
+ '-a',
+ '--asset',
+ dest='assetRegexes',
+ nargs='*',
+ type=str,
+ default=[],
+ help="List of regular expressions against which to match release assets (e.g., ^\\w+.+\\.iso\\.01$, ^foobar_.*\\.tar\\.gz$",
+ )
+ parser.add_argument(
+ '-i',
+ '--image',
+ dest='imageRegexes',
+ nargs='*',
+ type=str,
+ default=[],
+ help="List of regular expressions against which to match container images (e.g., ^foobar/barbaz$)",
+ )
+ parser.add_argument(
+ '--image-tag',
+ dest='imageTagRegexes',
+ nargs='*',
+ type=str,
+ default=[],
+ help="List of regular expressions against which to match container image tags (e.g., ^24\\.10)",
+ )
+ try:
+ parser.error = parser.exit
+ args = parser.parse_args()
+ except SystemExit:
+ parser.print_help()
+ sys.exit(2)
+
+ # if the GitHub token was not obtained from environment variable or as an argument,
+ # see if it can be loaded from a file
+ if (not args.githubToken) and os.path.isfile(args.githubTokenFile):
+ with open(args.githubTokenFile) as f:
+ args.githubToken = f.readline().strip()
+
+ args.verbose = logging.CRITICAL - (10 * args.verbose) if args.verbose > 0 else 0
+ logging.basicConfig(
+ level=args.verbose, format='%(asctime)s %(levelname)s: %(message)s', datefmt='%Y-%m-%d %H:%M:%S'
+ )
+ logging.info(os.path.join(script_path, script_name))
+ logging.info("Arguments: {}".format(sys.argv[1:]))
+ logging.info("Arguments: {}".format(args))
+ if args.verbose > logging.DEBUG:
+ sys.tracebacklimit = 0
+
+ # resolve the start and end times for searching
+ dateFrom = ParseDate(args.dateFromStr)
+ dateTo = ParseDate(args.dateToStr)
+ localZone = get_localzone()
+ if dateFrom.tzinfo is None:
+ dateFrom = dateFrom.replace(tzinfo=localZone)
+ if dateTo.tzinfo is None:
+ dateTo = dateTo.replace(tzinfo=localZone)
+ logging.info(f'Searching {dateFrom} to {dateTo}')
+
+ # objects to hold our final results
+ finalResults = {}
+ imagePulls = defaultdict(lambda: 0)
+ assetDownloads = defaultdict(lambda: 0)
+ packages = []
+
+ # compile the regular expressions used for matching asset download counts
+ assetRegexes = {}
+ for reStr in args.assetRegexes:
+ assetRegexes[reStr] = re.compile(reStr)
+ releaseRegexes = {}
+ for reStr in args.releaseRegexes:
+ releaseRegexes[reStr] = re.compile(reStr)
+ imageRegexes = {}
+ for reStr in args.imageRegexes:
+ imageRegexes[reStr] = re.compile(reStr)
+ imageTagRegexes = {}
+ for reStr in args.imageTagRegexes:
+ imageTagRegexes[reStr] = re.compile(reStr)
+
+ # log in to GitHub given the token provided
+ gh = github.login(token=args.githubToken)
+ logging.info(gh)
+
+ # unfortunately not all of the APIs we need are covered by github3 ಠ_ಥ
+ # so we have to do some manual API pulling with requests, and even (gasp)
+ # some web scraping with bs4
+ ghSession = requests.Session()
+ ghSession.headers = {
+ 'Accept': 'application/vnd.github.v3+json',
+ 'Authorization': f'token {args.githubToken}',
+ 'X-GitHub-Api-Version': '2022-11-28',
+ }
+ ghHTMLSession = requests.Session()
+
+ # loop over the repos provided
+ orgsPolledForImages = set()
+ for repoSpec in args.repos:
+ repoParts = repoSpec.split('/')
+ if len(repoParts) == 2:
+ if repo := gh.repository(repoParts[0], repoParts[1]):
+
+ # loop over the releases for this repo, examining those in the search time frame
+ if assetRegexes:
+ for release in repo.releases():
+ if dateFrom <= release.published_at <= dateTo and (
+ (
+ (not releaseRegexes)
+ or any([v.match(release.tag_name) for k, v in releaseRegexes.items()])
+ )
+ ):
+ logging.debug(f'{repo.full_name} {release.tag_name} at {release.published_at}')
+ # aggregate download counts for assets matching the regular expressions provided
+ for asset in release.assets():
+ for reStr, reObj in assetRegexes.items():
+ if reObj.match(asset.name):
+ assetDownloads[f"{repoParts[0]}/{reStr}"] = (
+ assetDownloads[f"{repoParts[0]}/{reStr}"] + asset.download_count
+ )
+
+ if imageRegexes and (repoParts[0] not in orgsPolledForImages):
+ # make requests to list container images in the ghcr.io repository for this organization
+ page = 0
+ orgsPolledForImages.add(repoParts[0])
+ while True:
+ try:
+ page = page + 1
+ params = {
+ 'package_type': 'container',
+ 'page': page,
+ 'per_page': GITHUB_API_REQUESTS_PER_PAGE,
+ }
+ pkgsResponse = ghSession.get(
+ f'https://api.github.com/orgs/{repoParts[0]}/packages',
+ params=params,
+ allow_redirects=True,
+ )
+ pkgsResponse.raise_for_status()
+ if (packagesJson := mmguero.LoadStrIfJson(pkgsResponse.content)) and isinstance(
+ packagesJson, list
+ ):
+ packages.extend(
+ [x for x in packagesJson if any([v.match(x['name']) for k, v in imageRegexes.items()])]
+ )
+ if len(packagesJson) < GITHUB_API_REQUESTS_PER_PAGE:
+ break
+ else:
+ break
+ except Exception as e:
+ logging.error(f"Listing packages: {e}")
+ break
+
+ # for the packages we accumulated earlier, put together a list of matching image tags
+ for packageInfo in packages:
+ versions = []
+ page = 0
+ while True:
+ try:
+ page = page + 1
+ params = {
+ 'page': page,
+ 'per_page': GITHUB_API_REQUESTS_PER_PAGE,
+ }
+ versionsResponse = ghSession.get(
+ f"https://api.github.com/orgs/{mmguero.DeepGet(packageInfo, ['owner', 'login'])}/packages/container/{mmguero.AggressiveUrlEncode(packageInfo['name'])}/versions",
+ params=params,
+ allow_redirects=True,
+ )
+ versionsResponse.raise_for_status()
+ if (versionsJson := mmguero.LoadStrIfJson(versionsResponse.content)) and isinstance(versionsJson, list):
+ # only consider versions where the tag creation date is in our search time frame, and
+ # the tag name(s) match the regex filter (if specified)
+ versions.extend(
+ [
+ x
+ for x in versionsJson
+ if (dateFrom <= ParseDate(x.get('created_at')) <= dateTo)
+ and (
+ (
+ (not imageTagRegexes)
+ or any(
+ [
+ v.match(t)
+ for t in mmguero.DeepGet(x, ['metadata', 'container', 'tags'])
+ for k, v in imageTagRegexes.items()
+ ]
+ )
+ )
+ )
+ ]
+ )
+ if len(versionsJson) < GITHUB_API_REQUESTS_PER_PAGE:
+ break
+ else:
+ break
+ except Exception as e:
+ # give up
+ logging.error(f"Listing package versions: {e}")
+ break
+
+ # the GitHub packages API apparently doesn't surface pull counts, so we've got to do some scraping to get that number
+ for version in versions:
+ try:
+ if 'html_url' in version:
+ tmpResponse = ghHTMLSession.get(
+ version['html_url'],
+ allow_redirects=True,
+ )
+ tmpResponse.raise_for_status()
+ soup = BeautifulSoup(tmpResponse.text, 'html.parser')
+ # look for the "Total downloads" , then get the contents of its next sibling
+ if totalDownloadsLabel := soup.find('span', string="Total downloads"):
+ if tags := mmguero.DeepGet(version, ['metadata', 'container', 'tags']):
+ tagsStr = f':{"(" if len(tags) > 1 else ""}{"|".join(tags)}{")" if len(tags) > 1 else ""}'
+ else:
+ tagsStr = '@' + version['name']
+ if pullCount := int(totalDownloadsLabel.find_next('span').text.replace(",", "")):
+ imagePulls[
+ f"{mmguero.DeepGet(packageInfo, ['owner', 'login'])}/{packageInfo['name']}{tagsStr}"
+ ] = int(pullCount)
+ except Exception as e:
+ logging.error(f"Parsing HTML page for package: {e}")
+
+ # put things together for the final output
+ if assetDownloads:
+ finalResults['release_assets'] = assetDownloads
+ if imagePulls:
+ finalResults['image_pulls'] = imagePulls
+
+ # add a total to each sub-dictionary
+ for key, subDict in finalResults.items():
+ subDict["total"] = sum(subDict.values())
+
+ print(json.dumps(finalResults))
+
+ return 0
+
+
+###################################################################################################
+if __name__ == '__main__':
+ if main() > 0:
+ sys.exit(0)
+ else:
+ sys.exit(1)
diff --git a/scripts/github-download-counts/requirements.txt b/scripts/github-download-counts/requirements.txt
new file mode 100644
index 000000000..c593b6fdf
--- /dev/null
+++ b/scripts/github-download-counts/requirements.txt
@@ -0,0 +1,4 @@
+beautifulsoup4
+dateparser
+github3.py
+mmguero
\ No newline at end of file
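Review bot: None of the four requirements carries a version specifier, so `pip install -r` resolves to whatever the newest release of each package is at install time, and an API change in `mmguero` or `github3.py` would break the script with no change in this repository. Pinning each line, or at least a lower bound such as `github3.py>=<version tested>` (placeholder, I can't see which versions the script was developed against), makes the install reproducible. The file also ends without a trailing newline.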
diff --git a/scripts/github_image_helper.sh b/scripts/github_image_helper.sh
index 248121e30..28d58e94c 100755
--- a/scripts/github_image_helper.sh
+++ b/scripts/github_image_helper.sh
@@ -163,8 +163,8 @@ function ExtractISOsFromGithubWorkflowBuilds() {
# extract the malcolm ISO wrapped in the ghcr.io docker image to a temp directory,
# then extract and load the docker images tarball from the ISO.
function ExtractAndLoadImagesFromGithubWorkflowBuildISO() {
- if ! type xorriso >/dev/null 2>&1 || ! type unsquashfs >/dev/null 2>&1; then
- echo "Cannot extract ISO file without xorriso" >&2
+ if ! type xorriso >/dev/null 2>&1 || ! type unsquashfs >/dev/null 2>&1 || ! type unxz >/dev/null 2>&1; then
+ echo "Cannot extract ISO file without xorriso, unsquashfs, and unxz" >&2
else
mkdir -p "$WORKDIR"
_ExtractISOFromGithubWorkflowBuild malcolm "$WORKDIR" malcolm
@@ -174,7 +174,7 @@ function ExtractAndLoadImagesFromGithubWorkflowBuildISO() {
if [[ -e filesystem.squashfs ]]; then
unsquashfs filesystem.squashfs -f malcolm_images.tar.xz
if [[ -e squashfs-root/malcolm_images.tar.xz ]]; then
- $MALCOLM_CONTAINER_RUNTIME load -i squashfs-root/malcolm_images.tar.xz
+ unxz < squashfs-root/malcolm_images.tar.xz | $MALCOLM_CONTAINER_RUNTIME load
else
echo "Failed to images tarball" 2>&1
fi
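Review bot: `unxz < squashfs-root/malcolm_images.tar.xz | $MALCOLM_CONTAINER_RUNTIME load` at L19674 only reports the exit status of `load`; unless `pipefail` is set higher up in the script, a truncated or corrupt `.xz` makes `unxz` fail while the pipeline's status is whatever `load` returned, with a less informative error at best. Either run it as `(set -o pipefail && unxz < squashfs-root/malcolm_images.tar.xz | $MALCOLM_CONTAINER_RUNTIME load)` or check `${PIPESTATUS[0]}` afterwards. The unchanged `else` branch (`echo "Failed to images tarball" 2>&1`) sends the message to stdout rather than stderr (`2>&1` instead of `>&2`) and is missing a word; worth fixing while here. The function's body continues outside this hunk.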
diff --git a/shared/bin/ics-oui-parse.py b/scripts/ics-oui-parse.py
similarity index 100%
rename from shared/bin/ics-oui-parse.py
rename to scripts/ics-oui-parse.py
diff --git a/scripts/install.py b/scripts/install.py
index eb0a714e0..52879e881 100755
--- a/scripts/install.py
+++ b/scripts/install.py
@@ -48,6 +48,7 @@
DotEnvDynamic,
DownloadToFile,
DumpYaml,
+ GetPlatformOSRelease,
HOMEBREW_INSTALL_URLS,
KubernetesDynamic,
LoadYaml,
@@ -4613,13 +4614,16 @@ def main():
# installer = WindowsInstaller(orchMode, debug=args.debug, configOnly=args.configOnly)
if orchMode == OrchestrationFramework.DOCKER_COMPOSE:
- runtimeOptions = ('docker', 'podman')
- loopBreaker = CountUntilException(MaxAskForValueCount)
- while (args.runtimeBin not in runtimeOptions) and loopBreaker.increment():
- args.runtimeBin = InstallerChooseOne(
- 'Select container runtime engine',
- choices=[(x, '', x == runtimeOptions[0]) for x in runtimeOptions],
- )
+ if GetPlatformOSRelease() == 'hedgehog-malcolm':
+ args.runtimeBin = 'docker'
+ else:
+ runtimeOptions = ('docker', 'podman')
+ loopBreaker = CountUntilException(MaxAskForValueCount)
+ while (args.runtimeBin not in runtimeOptions) and loopBreaker.increment():
+ args.runtimeBin = InstallerChooseOne(
+ 'Select container runtime engine',
+ choices=[(x, '', x == runtimeOptions[0]) for x in runtimeOptions],
+ )
if args.debug:
eprint(f"Container engine: {args.runtimeBin}")
diff --git a/scripts/malcolm_common.py b/scripts/malcolm_common.py
index eb9d734ef..52127daf9 100644
--- a/scripts/malcolm_common.py
+++ b/scripts/malcolm_common.py
@@ -156,6 +156,14 @@ class OrchestrationFramework(Flag):
OrchestrationFrameworksSupported = OrchestrationFramework.DOCKER_COMPOSE | OrchestrationFramework.KUBERNETES
+##################################################################################################
+def GetPlatformOSRelease():
+ try:
+ return platform.freedesktop_os_release().get('VARIANT_ID', None)
+ except Exception:
+ return None
+
+
##################################################################################################
def LocalPathForContainerBindMount(service, dockerComposeContents, containerPath, localBasePath=None):
localPath = None
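Review bot: `GetPlatformOSRelease` has no docstring, and its name suggests it returns the OS release while it actually returns only the `VARIANT_ID` field. `platform.freedesktop_os_release()` exists only from Python 3.10, and the bare `except Exception` at L19726 also swallows the `AttributeError` older interpreters raise, so on those the function always returns `None` with no indication why; acceptable as a fallback, but document it: `"""Return VARIANT_ID from /etc/os-release (platform.freedesktop_os_release, Python >= 3.10), or None if the field, the API or the file is unavailable."""`. Consider narrowing the clause to `except (AttributeError, OSError):` so unrelated failures are not hidden. Whether `platform` is already imported in this file is not visible in the hunk.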
diff --git a/scripts/third-party-environments/aws/ami/packer_build.json b/scripts/third-party-environments/aws/ami/packer_build.json
index 2d8f2c0d8..39047f548 100644
--- a/scripts/third-party-environments/aws/ami/packer_build.json
+++ b/scripts/third-party-environments/aws/ami/packer_build.json
@@ -39,7 +39,7 @@
"filters": {
"architecture": "{{user `instance_arch`}}",
"virtualization-type": "hvm",
- "name": "amzn2-ami-kernel-5.10-hvm-*-{{user `instance_arch`}}-gp2",
+ "name": "al2023-ami-ecs-hvm-*-kernel-6.1-{{user `instance_arch`}}",
"root-device-type": "ebs"
},
"owners": [
@@ -56,7 +56,7 @@
{
"device_name": "/dev/xvda",
"volume_type": "gp2",
- "volume_size": 20,
+ "volume_size": 30,
"delete_on_termination": true
}
],
diff --git a/scripts/third-party-environments/aws/ami/packer_vars.json.example b/scripts/third-party-environments/aws/ami/packer_vars.json.example
index ea5f709a6..07995e129 100644
--- a/scripts/third-party-environments/aws/ami/packer_vars.json.example
+++ b/scripts/third-party-environments/aws/ami/packer_vars.json.example
@@ -3,7 +3,7 @@
"aws_secret_key": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"instance_type": "t2.micro",
"instance_arch": "x86_64",
- "malcolm_tag": "v24.10.0",
+ "malcolm_tag": "v24.10.1",
"malcolm_repo": "cisagov/Malcolm",
"malcolm_uid": "1000",
"ssh_username": "ec2-user",
diff --git a/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh b/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh
index 082eb7c20..be4a046e7 100755
--- a/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh
+++ b/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh
@@ -2,7 +2,7 @@
# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
-# Configure Amazon Linux 2 and install Malcolm
+# Configure Amazon Linux 2023 and install Malcolm
###############################################################################
# script options
@@ -18,9 +18,9 @@ if [[ -z "$BASH_VERSION" ]]; then
exit 1
fi
-if ! command -v amazon-linux-extras >/dev/null 2>&1; then
- echo "This script only targets Amazon Linux 2" >&2
- exit 1
+if [[ "$(awk -F= '$1=="PLATFORM_ID" { print $2 ;}' /etc/os-release | tr -d '"')" != "platform:al2023" ]]; then
+ echo "This command only targets Amazon Linux 2023" >&2
+ exit 1
fi
###############################################################################
@@ -32,7 +32,7 @@ fi
# -u UID (user UID, e.g., 1000)
VERBOSE_FLAG=
MALCOLM_REPO=${MALCOLM_REPO:-cisagov/Malcolm}
-MALCOLM_TAG=${MALCOLM_TAG:-v24.10.0}
+MALCOLM_TAG=${MALCOLM_TAG:-v24.10.1}
[[ -z "$MALCOLM_UID" ]] && ( [[ $EUID -eq 0 ]] && MALCOLM_UID=1000 || MALCOLM_UID="$(id -u)" )
while getopts 'vr:t:u:' OPTION; do
case "$OPTION" in
@@ -66,10 +66,18 @@ if [[ $EUID -eq 0 ]]; then
else
SUDO_CMD="sudo"
fi
+
+$SUDO_CMD mkdir -p /etc/sudoers.d/
+echo 'Defaults umask = 0022' | ($SUDO_CMD su -c 'EDITOR="tee" visudo -f /etc/sudoers.d/99-default-umask')
+echo 'Defaults umask_override' | ($SUDO_CMD su -c 'EDITOR="tee -a" visudo -f /etc/sudoers.d/99-default-umask')
+$SUDO_CMD chmod 440 /etc/sudoers.d/99-default-umask
+umask 0022
+
MALCOLM_USER="$(id -nu $MALCOLM_UID)"
MALCOLM_USER_GROUP="$(id -gn $MALCOLM_UID)"
MALCOLM_USER_HOME="$(getent passwd "$MALCOLM_USER" | cut -d: -f6)"
MALCOLM_URL="https://codeload.github.com/$MALCOLM_REPO/tar.gz/$MALCOLM_TAG"
+LINUX_CPU=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
IMAGE_ARCH_SUFFIX="$(uname -m | sed 's/^x86_64$//' | sed 's/^arm64$/-arm64/' | sed 's/^aarch64$/-arm64/')"
###################################################################################
@@ -79,36 +87,36 @@ function InstallEssentialPackages {
# install the package(s) from yum
$SUDO_CMD yum install -y \
- curl \
+ cronie \
+ curl-minimal \
dialog \
+ git \
httpd-tools \
make \
openssl \
tmux \
xz
-
}
################################################################################
# InstallPythonPackages - install specific python packages
function InstallPythonPackages {
- echo "Installing Python 3.8 and pip packages..." >&2
+ echo "Installing Python 3 and pip packages..." >&2
[[ $EUID -eq 0 ]] && USERFLAG="" || USERFLAG="--user"
- # install the package(s) from amazon-linux-extras
- $SUDO_CMD amazon-linux-extras install -y \
- python3.8
-
- $SUDO_CMD ln -s -r -f /usr/bin/python3.8 /usr/bin/python3
- $SUDO_CMD ln -s -r -f /usr/bin/pip3.8 /usr/bin/pip3
-
- $SUDO_CMD /usr/bin/python3.8 -m pip install $USERFLAG -U \
+ $SUDO_CMD yum install -y \
+ python3-pip \
+ python3-setuptools \
+ python3-wheel \
+ python3-ruamel-yaml \
+ python3-requests+security
+
+ $SUDO_CMD /usr/bin/python3 -m pip install $USERFLAG -U \
+ dateparser \
+ kubernetes \
python-dotenv \
- pythondialog \
- ruamel.yaml \
- requests \
- urllib3==1.26.19
+ pythondialog
}
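Review bot: The `pip install -U` at L19852–L19860 pulls unpinned, latest `dateparser`, `kubernetes`, `python-dotenv` and `pythondialog` from PyPI at image-build time (and drops the previous `urllib3==1.26.19` pin), so two AMI builds can contain different package sets and an upstream compromise lands in the image unnoticed; pin versions (e.g. `kubernetes==<tested-version>`) or point pip at a requirements file with hashes. Separately, when the script runs as non-root, `USERFLAG="--user"` (unchanged context at L19836) combined with the new `$SUDO_CMD /usr/bin/python3 -m pip install $USERFLAG` installs into root's user site-packages, not the invoking user's, so the packages presumably won't be visible to `$MALCOLM_USER`; either omit `$SUDO_CMD` for the `--user` case or install system-wide in both cases. `python3-requests+security` at L19850 relies on the distribution exposing the `[security]` extra under that name; confirm `yum` on AL2023 resolves it, since a failed package here fails the whole `yum install` line.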
################################################################################
@@ -119,7 +127,8 @@ function InstallDocker {
# install docker, if needed
if ! command -v docker >/dev/null 2>&1 ; then
- $SUDO_CMD amazon-linux-extras install -y docker
+ $SUDO_CMD yum update -y >/dev/null 2>&1 && \
+ $SUDO_CMD yum install -y docker
$SUDO_CMD systemctl enable docker
$SUDO_CMD systemctl start docker
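Review bot: `$SUDO_CMD yum update -y >/dev/null 2>&1 && $SUDO_CMD yum install -y docker` at L19867–L19868 discards all output of a full system update and, because of `&&`, silently skips the docker install when the update fails; the first visible failure is then `systemctl enable docker` with no hint why. Run them as separate statements and keep stderr, e.g. `$SUDO_CMD yum update -y >/dev/null` followed by `$SUDO_CMD yum install -y docker`, or at least append `|| echo "yum update failed" >&2`. A full `yum update` inside a function named `InstallDocker` is also surprising; a one-line comment on why it is needed there would help. `InstallDocker` continues outside the hunk.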
@@ -163,7 +172,7 @@ function SystemConfig {
kernel.dmesg_restrict=0
# the maximum number of open file handles
-fs.file-max=65536
+fs.file-max=518144
# the maximum number of user inotify watches
fs.inotify.max_user_watches=131072
@@ -200,11 +209,71 @@ EOT
fi # limits.conf check
if [[ -f /etc/default/grub ]] && ! grep -q cgroup /etc/default/grub; then
- $SUDO_CMD sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="[^"]*/& random.trust_cpu=on cgroup_enable=memory swapaccount=1 cgroup.memory=nokmem/' /etc/default/grub
+ $SUDO_CMD sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="[^"]*/& systemd.unified_cgroup_hierarchy=1 cgroup_enable=memory swapaccount=1 cgroup.memory=nokmem random.trust_cpu=on preempt=voluntary/' /etc/default/grub
$SUDO_CMD grub2-mkconfig -o /boot/grub2/grub.cfg
fi # grub check
}
+###################################################################################
+# _GitLatestRelease - query the latest version from a github project's releases
+function _GitLatestRelease {
+ if [[ -n "$1" ]]; then
+ (set -o pipefail && curl -sL -f "https://api.github.com/repos/$1/releases/latest" | jq '.tag_name' | sed -e 's/^"//' -e 's/"$//' ) || \
+ (set -o pipefail && curl -sL -f "https://api.github.com/repos/$1/releases" | jq '.[0].tag_name' | sed -e 's/^"//' -e 's/"$//' ) || \
+ echo unknown
+ else
+ echo "unknown">&2
+ fi
+}
+
+################################################################################
+# _InstallCroc - schollz/croc: easily and securely send things from one computer to another
+function _InstallCroc {
+ CROC_RELEASE="$(_GitLatestRelease schollz/croc)"
+ TMP_CLONE_DIR="$(mktemp -d)"
+ if [[ "$LINUX_CPU" == "arm64" ]]; then
+ CROC_URL="https://github.com/schollz/croc/releases/download/${CROC_RELEASE}/croc_${CROC_RELEASE}_Linux-ARM64.tar.gz"
+ elif [[ "$LINUX_CPU" == "amd64" ]]; then
+ CROC_URL="https://github.com/schollz/croc/releases/download/${CROC_RELEASE}/croc_${CROC_RELEASE}_Linux-64bit.tar.gz"
+ else
+ CROC_URL=
+ fi
+ if [[ -n "$CROC_URL" ]]; then
+ curl -sSL "$CROC_URL" | tar xvzf - -C "${TMP_CLONE_DIR}"
+ $SUDO_CMD cp -f "${TMP_CLONE_DIR}"/croc /usr/bin/croc
+ $SUDO_CMD chmod 755 /usr/bin/croc
+ $SUDO_CMD chown root:root /usr/bin/croc
+ fi
+ rm -rf "$TMP_CLONE_DIR"
+}
+
+################################################################################
+# _InstallBoringProxy - boringproxy/boringproxy: a reverse proxy and tunnel manager
+function _InstallBoringProxy {
+ BORING_RELEASE="$(_GitLatestRelease boringproxy/boringproxy)"
+ if [[ "$LINUX_CPU" == "arm64" ]]; then
+ BORING_URL="https://github.com/boringproxy/boringproxy/releases/download/${BORING_RELEASE}/boringproxy-linux-arm64"
+ elif [[ "$LINUX_CPU" == "amd64" ]]; then
+ BORING_URL="https://github.com/boringproxy/boringproxy/releases/download/${BORING_RELEASE}/boringproxy-linux-x86_64"
+ else
+ BORING_URL=
+ fi
+ if [[ -n "$BORING_URL" ]]; then
+ curl -sSL -o "${LOCAL_BIN_PATH}"/boringproxy.new "$BORING_URL"
+ chmod 755 "${LOCAL_BIN_PATH}"/boringproxy.new
+ [[ -f "$LOCAL_BIN_PATH"/boringproxy ]] && $SuDO_CMD rm -f /usr/bin/boringproxy
+ $SUDO_CMD mv "$LOCAL_BIN_PATH"/boringproxy.new /usr/bin/boringproxy
+ $SUDO_CMD chown root:root /usr/bin/boringproxy
+ fi
+}
+
+################################################################################
+# InstallUserLocalBinaries - install various tools to LOCAL_BIN_PATH
+function InstallUserLocalBinaries {
+ [[ ! -f /usr/bin/croc ]] && _InstallCroc
+ [[ ! -f /usr/bin/boringproxy ]] && _InstallBoringProxy
+}
+
################################################################################
# InstallMalcolm - clone and configure Malcolm and grab some sample PCAP
function InstallMalcolm {
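Review bot: `_InstallCroc` and `_InstallBoringProxy` (L19900–L19937) fetch whatever GitHub currently reports as the latest release and install it root-owned into `/usr/bin` with no version pin and no checksum or signature check, so the AMI's contents depend on the moment of the build and on the integrity of the download path; pin the release tag and verify a recorded digest before copying, e.g. `echo "<expected-sha256>  croc" | sha256sum -c -` with the value kept in the script. `_GitLatestRelease` needs `jq`, which is not in the package list this commit adds to `InstallEssentialPackages`; when it fails the callers receive `unknown` and still attempt the download, and `curl -sSL … | tar` without `-f` feeds an HTTP error body to `tar`, so guard with `if [[ -n "$CROC_URL" && "$CROC_RELEASE" != "unknown" ]]; then` (likewise for boringproxy) and use `curl -fsSL`. `$SuDO_CMD` at L19933 is a typo that expands to nothing, so that `rm -f /usr/bin/boringproxy` runs without sudo. `LOCAL_BIN_PATH`, used at L19931–L19934, is not set anywhere in the visible hunks; if it is unset, `boringproxy.new` is written to `/`.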
@@ -268,7 +337,7 @@ EOT
fi
EOF
- chown -R $MALCOLM_USER:$MALCOLM_USER_GROUP "$MALCOLM_USER_HOME"
+ $SUDO_CMD chown -R $MALCOLM_USER:$MALCOLM_USER_GROUP "$MALCOLM_USER_HOME"
}
################################################################################
@@ -276,6 +345,7 @@ EOF
SystemConfig
InstallEssentialPackages
+InstallUserLocalBinaries
InstallPythonPackages
InstallDocker
InstallMalcolm
diff --git a/scripts/third-party-environments/virter/malcolm-setup-01-external-tools.toml b/scripts/third-party-environments/virter/malcolm-setup-01-external-tools.toml
index 229af538e..25d5ac511 100644
--- a/scripts/third-party-environments/virter/malcolm-setup-01-external-tools.toml
+++ b/scripts/third-party-environments/virter/malcolm-setup-01-external-tools.toml
@@ -26,7 +26,7 @@ if "$HOME"/.local/bin/fetch --version >/dev/null 2>&1; then
"https://github.com/FiloSottile/age|^age-v.+-linux-amd64\.tar\.gz$|/tmp/age.tar.gz"
"https://github.com/neilotoole/sq|^sq-.+amd64-amd64\.tar\.gz$|/tmp/sq.tar.gz"
"https://github.com/peco/peco|^peco_linux_amd64\.tar\.gz$|/tmp/peco.tar.gz"
- "https://github.com/sachaos/viddy|^viddy_Linux_x86_64\.tar\.gz$|/tmp/viddy.tar.gz"
+ "https://github.com/sachaos/viddy|^viddy-.+-linux-x86_64\.tar\.gz$|/tmp/viddy.tar.gz"
"https://github.com/schollz/croc|^croc_.+_Linux-64bit\.tar\.gz$|/tmp/croc.tar.gz"
"https://github.com/schollz/hostyoself|^hostyoself_.+_Linux-64bit\.tar\.gz$|/tmp/hostyoself.tar.gz"
"https://github.com/smallstep/cli|^step_linux_.+_amd64\.tar\.gz$|/tmp/step.tar.gz"
diff --git a/scripts/zeek_script_to_malcolm_boilerplate.py b/scripts/zeek_script_to_malcolm_boilerplate.py
index ccab83de0..d7029cb9c 100755
--- a/scripts/zeek_script_to_malcolm_boilerplate.py
+++ b/scripts/zeek_script_to_malcolm_boilerplate.py
@@ -10,13 +10,12 @@
# The scripts are parsed into their constitutent records and &log fields.
#
# Each record is then printed out in the formats used by Malcolm for parsing and defining Zeek logs:
-# - Logstash (https://cisagov.github.io/Malcolm/docs/contributing-logstash.html#LogstashZeek), for ./logstash/pipelines/zeek/11_zeek_parse.conf
+# - Logstash (https://cisagov.github.io/Malcolm/docs/contributing-logstash.html#LogstashZeek), for ./logstash/pipelines/zeek/1001_zeek_parse.conf
# - Arkime (https://cisagov.github.io/Malcolm/docs/contributing-new-log-fields.html#NewFields), for ./arkime/etc/config.ini
# - OpenSearch tndex templates (https://cisagov.github.io/Malcolm/docs/contributing-new-log-fields.html#NewFields), for ./dashboards/templates/composable/component/zeek*.json
#
-# For Logstash boilerplate, pay close attention to the comment in the logstash filter:
-# # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
-# If you are copy/pasting, ensure your editor doesn't lose the TAB characters.
+# The logstash/scripts/logstash-start.sh container startup script should automatically fix any issues
+# with parsing the Zeek tab delimiter (e.g., converting spaces in the `dissect` and `split` filters to tabs)
#
import argparse
@@ -490,7 +489,6 @@ def main():
f' if ("_jsonparsesuccess" not in [tags]) {{',
f' dissect {{',
f' id => "dissect_zeek_{rName}"',
- f" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP",
f' mapping => {{',
f' "[message]" => "{rFieldsDissect}"',
f' }}',
@@ -499,7 +497,6 @@ def main():
f' if ("_dissectfailure" in [tags]) {{',
f' mutate {{',
f' id => "mutate_split_zeek_{rName}"',
- f" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP",
f' split => {{ "[message]" => "{ZEEK_DELIMITER_CHAR}" }}',
f' }}',
f' ruby {{',
diff --git a/shared/bin/capa-build.sh b/shared/bin/capa-build.sh
old mode 100644
new mode 100755
diff --git a/shared/bin/common-init.sh b/shared/bin/common-init.sh
index 9031044a2..ef9c082c1 100755
--- a/shared/bin/common-init.sh
+++ b/shared/bin/common-init.sh
@@ -41,7 +41,9 @@ function CleanDefaultAccounts() {
[ ! -d /var/lib/usbmux ] && ((mkdir -p /var/lib/usbmux && chown usbmux:plugdev /var/lib/usbmux && chmod 700 /var/lib/usbmux) || true)
[ ! -d /var/lib/ntp ] && ((mkdir -p /var/lib/ntp && chown ntp:ntp /var/lib/ntp && chmod 700 /var/lib/ntp) || true)
((mkdir -p /var/lib/systemd-coredump && chown systemd-coredump:nogroup /var/lib/systemd-coredump && chmod 700 /var/lib/systemd-coredump && usermod -m -d /var/lib/systemd-coredump systemd-coredump) || true)
- chmod 600 "/etc/crontab" "/etc/group-" "/etc/gshadow-" "/etc/passwd-" "/etc/shadow-" >/dev/null 2>&1 || true
+ chmod 600 "/etc/crontab" >/dev/null 2>&1 || true
+ chmod 644 "/etc/passwd-" "/etc/group-" >/dev/null 2>&1 || true
+ chmod 640 "/etc/shadow-" "/etc/gshadow-" >/dev/null 2>&1 || true
chmod 700 "/etc/cron.hourly" "/etc/cron.daily" "/etc/cron.weekly" "/etc/cron.monthly" "/etc/cron.d" >/dev/null 2>&1 || true
}
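Review bot: The backup files are loosened from 0600 to 0644 (`/etc/passwd-`, `/etc/group-`) and 0640 (`/etc/shadow-`, `/etc/gshadow-`) at L20025–L20026 without a matching `chown`; 0640 on `shadow-` is only as safe as its group, and nothing here ensures it is `root:shadow` (or `root:root`) rather than whatever group the file was created with. Add `chown root:shadow "/etc/shadow-" "/etc/gshadow-" >/dev/null 2>&1 || true` (and `root:root` for the other two) alongside the chmods. Since the previous single `chmod 600` looked deliberate, a comment stating which hardening guideline the new modes follow would stop the next reader from "fixing" it back, e.g. `# backup copies: passwd-/group- world-readable, shadow-/gshadow- readable by group only (benchmark defaults)`. `CleanDefaultAccounts` starts outside the hunk.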
diff --git a/shared/bin/keystore-bootstrap.sh b/shared/bin/keystore-bootstrap.sh
old mode 100644
new mode 100755
diff --git a/shared/bin/opensearch_status.sh b/shared/bin/opensearch_status.sh
index fb79d34a8..c33d03e5b 100755
--- a/shared/bin/opensearch_status.sh
+++ b/shared/bin/opensearch_status.sh
@@ -102,21 +102,24 @@ if (( $WAIT_FOR_LOG_DATA == 1 )); then
echo "Waiting until $OPENSEARCH_PRIMARY has logs..." >&2
- # wait until at least one network traffic log index exists
+ # wait until at least one network traffic log index exists (get index count where docs.count > 0)
FOUND_INDEX=
while true; do
- if (( $(curl "${CURL_CONFIG_PARAMS[@]}" -fs -H'Content-Type: application/json' -XGET "$OPENSEARCH_URL/_cat/indices/$MALCOLM_NETWORK_INDEX_PATTERN" 2>/dev/null | wc -l) > 0 )); then
- FOUND_INDEX="$MALCOLM_NETWORK_INDEX_PATTERN"
- elif [[ "$MALCOLM_NETWORK_INDEX_PATTERN" != "$ARKIME_NETWORK_INDEX_PATTERN" ]] && (( $(curl "${CURL_CONFIG_PARAMS[@]}" -fs -H'Content-Type: application/json' -XGET "$OPENSEARCH_URL/_cat/indices/$ARKIME_NETWORK_INDEX_PATTERN" 2>/dev/null | wc -l) > 0 )); then
- FOUND_INDEX="$ARKIME_NETWORK_INDEX_PATTERN"
+ # use jq if it's available to parse the machine-readable index list as JSON, fall back to awk if it's not
+ if command -v jq >/dev/null 2>&1; then
+ if (( $(curl "${CURL_CONFIG_PARAMS[@]}" -fs -H'Content-Type: application/json' -XGET "$OPENSEARCH_URL/_cat/indices/$MALCOLM_NETWORK_INDEX_PATTERN?format=json" 2>/dev/null | jq '[.[] | select(.["docs.count"] != "0")] | length' 2>/dev/null) > 0 )); then
+ FOUND_INDEX="$MALCOLM_NETWORK_INDEX_PATTERN"
+ elif [[ "$MALCOLM_NETWORK_INDEX_PATTERN" != "$ARKIME_NETWORK_INDEX_PATTERN" ]] && (( $(curl "${CURL_CONFIG_PARAMS[@]}" -fs -H'Content-Type: application/json' -XGET "$OPENSEARCH_URL/_cat/indices/$ARKIME_NETWORK_INDEX_PATTERN?format=json" 2>/dev/null | jq '[.[] | select(.["docs.count"] != "0")] | length' 2>/dev/null) > 0 )); then
+ FOUND_INDEX="$ARKIME_NETWORK_INDEX_PATTERN"
+ fi
+ else
+ if (( $(curl "${CURL_CONFIG_PARAMS[@]}" -fs -H'Content-Type: application/json' -XGET "$OPENSEARCH_URL/_cat/indices/$MALCOLM_NETWORK_INDEX_PATTERN" 2>/dev/null | awk '$7 != "0"' | wc -l) > 0 )); then
+ FOUND_INDEX="$MALCOLM_NETWORK_INDEX_PATTERN"
+ elif [[ "$MALCOLM_NETWORK_INDEX_PATTERN" != "$ARKIME_NETWORK_INDEX_PATTERN" ]] && (( $(curl "${CURL_CONFIG_PARAMS[@]}" -fs -H'Content-Type: application/json' -XGET "$OPENSEARCH_URL/_cat/indices/$ARKIME_NETWORK_INDEX_PATTERN" 2>/dev/null | awk '$7 != "0"' | wc -l) > 0 )); then
+ FOUND_INDEX="$ARKIME_NETWORK_INDEX_PATTERN"
+ fi
fi
[[ -n "$FOUND_INDEX" ]] && break || sleep 5
done
- echo "Log indices exist." >&2
-
- # wait until at least one record with @timestamp exists
- until curl "${CURL_CONFIG_PARAMS[@]}" -fs -H'Content-Type: application/json' -XPOST "$OPENSEARCH_URL/$FOUND_INDEX/_search" -d'{ "sort": { "@timestamp" : "desc" }, "size" : 1 }' >/dev/null 2>&1 ; do
- sleep 5
- done
echo "Logs exist." >&2
fi
\ No newline at end of file
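Review bot: The `awk '$7 != "0"'` fallback at L20054 and L20056 depends on `docs.count` being the seventh column of the default `_cat/indices` output; request just the column needed instead, `…/_cat/indices/$MALCOLM_NETWORK_INDEX_PATTERN?h=docs.count" 2>/dev/null | awk '$1 != "0"' | wc -l`, which removes the positional assumption. In both branches, when `curl` or `jq` produces no output the `(( … > 0 ))` test runs with an empty operand, which bash reports as an arithmetic syntax error on stderr every 5 s while waiting; capturing the count into a variable and defaulting it (`COUNT="${COUNT:-0}"`) would keep the log clean. The removed `@timestamp` search was the only check that a document is actually retrievable; the `docs.count != "0"` test presumably covers that now, but say so in the comment at L20039. The `if (( $WAIT_FOR_LOG_DATA == 1 ))` block begins outside the hunk.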
diff --git a/shared/bin/preseed_late_user_config.sh b/shared/bin/preseed_late_user_config.sh
index 3fe94bf3b..6795aaa86 100755
--- a/shared/bin/preseed_late_user_config.sh
+++ b/shared/bin/preseed_late_user_config.sh
@@ -204,8 +204,9 @@ db_get malcolm/dod_banner
if [ "$RET" = true ]; then
# login banner
- OLD_ISSUE="$(grep ^Debian /etc/issue | sed -r "s@[[:space:]]\\\.*@@g")"
- cat << 'EOF' > /etc/issue
+ for ISSUE_FILE in /etc/issue /etc/issue.net; do
+ OLD_ISSUE="$(grep ^Debian ${ISSUE_FILE} | sed -r "s@[[:space:]]\\\.*@@g")"
+ cat << 'EOF' > ${ISSUE_FILE}
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
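Review bot: The new loop at L20080 applies the same content to `/etc/issue` and `/etc/issue.net`, but the trailer appended in the next hunk (`/bin/echo -E "$OLD_ISSUE \n \l" >> ${ISSUE_FILE}`, L20091) contains getty escape sequences; `/etc/issue.net` is shown by network services (for example an sshd `Banner`) that do not interpret `\n`/`\l`, so remote users will see the literal characters. Append the escapes only for the console file: `[[ "$ISSUE_FILE" == "/etc/issue" ]] && /bin/echo -E "$OLD_ISSUE \n \l" >> "$ISSUE_FILE" || echo "$OLD_ISSUE" >> "$ISSUE_FILE"`. `${ISSUE_FILE}` is used unquoted in both hunks; harmless for these two fixed paths, but quoting is the safer habit. The enclosing `if [ "$RET" = true ]` block starts before this hunk.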
@@ -215,8 +216,9 @@ By using this IS (which includes any device attached to this IS), you consent to
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
EOF
- /bin/echo -E "$OLD_ISSUE \n \l" >> /etc/issue
- echo >> /etc/issue
+ /bin/echo -E "$OLD_ISSUE \n \l" >> ${ISSUE_FILE}
+ echo >> ${ISSUE_FILE}
+ done
else
rm -f /usr/local/bin/dod-login-banner.sh
diff --git a/shared/bin/zeek_carve_logger.py b/shared/bin/zeek_carve_logger.py
index 2ab20dadd..8eeb9b69f 100755
--- a/shared/bin/zeek_carve_logger.py
+++ b/shared/bin/zeek_carve_logger.py
@@ -155,7 +155,7 @@ def main():
broSigLogSpec = args.broSigLogSpec
if broSigLogSpec is not None:
if os.path.isdir(broSigLogSpec):
- # _carved tag will be recognized by 12_zeek_mutate.conf in logstash
+ # _carved tag will be recognized by 1200_zeek_mutate.conf in logstash
broSigLogSpec = os.path.join(broSigLogSpec, "signatures(_carved).log")
else:
# make sure path to write to zeek signatures log file exists before we start writing
@@ -265,9 +265,9 @@ def main():
note=ZEEK_SIGNATURE_NOTICE,
signature_id=scanResult[FILE_SCAN_RESULT_MESSAGE],
event_message=scanResult[FILE_SCAN_RESULT_DESCRIPTION],
- sub_message=fileSpecFields.fid
- if fileSpecFields.fid is not None
- else os.path.basename(fileName),
+ sub_message=(
+ fileSpecFields.fid if fileSpecFields.fid is not None else os.path.basename(fileName)
+ ),
signature_count=scanResult[FILE_SCAN_RESULT_HITS],
host_count=scanResult[FILE_SCAN_RESULT_ENGINES],
)
@@ -321,7 +321,9 @@ def main():
else:
# delete the file
os.remove(fileName)
- logging.debug(f"{scriptName}:\t🚫\t{fileName} ({fileScanCount}/{len(scanners)})")
+ logging.debug(
+ f"{scriptName}:\t🚫\t{fileName} ({fileScanCount}/{len(scanners)})"
+ )
# graceful shutdown
logging.info(f"{scriptName}: shutting down...")
diff --git a/shared/bin/zeek_install_plugins.sh b/shared/bin/zeek_install_plugins.sh
index 9907331fc..021a7b1a4 100755
--- a/shared/bin/zeek_install_plugins.sh
+++ b/shared/bin/zeek_install_plugins.sh
@@ -121,7 +121,7 @@ ZKG_GITHUB_URLS=(
"https://github.com/corelight/zeek-xor-exe-plugin|master"
"https://github.com/corelight/zerologon"
"https://github.com/cybera/zeek-sniffpass"
- "https://github.com/FoxIO-LLC/ja4"
+ "https://github.com/piercema/ja4"
"https://github.com/mmguero-dev/bzar"
"https://github.com/ncsa/bro-is-darknet"
"https://github.com/ncsa/bro-simple-scan"
diff --git a/shared/bin/zeekdeploy.sh b/shared/bin/zeekdeploy.sh
index 2c977f4be..c931e592c 100755
--- a/shared/bin/zeekdeploy.sh
+++ b/shared/bin/zeekdeploy.sh
@@ -301,7 +301,7 @@ for IFACE in ${CAPTURE_INTERFACE//,/ }; do
type=worker
host=localhost
interface=$IFACE
-env_vars=ZEEK_EXTRACTOR_MODE=$ZEEK_EXTRACTOR_MODE,ZEEK_EXTRACTOR_PATH=$EXTRACT_FILES_PATH/,TMP=$TMP_PATH
+env_vars=ZEEK_CAPTURE_INTERFACE=$IFACE,ZEEK_EXTRACTOR_MODE=$ZEEK_EXTRACTOR_MODE,ZEEK_EXTRACTOR_PATH=$EXTRACT_FILES_PATH/,TMP=$TMP_PATH
EOF
# if af_packet is available in the kernel, write it out as well
if [ $AF_PACKET_SUPPORT -gt 0 ] && [ $WORKER_LB_PROCS -gt 0 ]; then
diff --git a/zeek/config/local.zeek b/zeek/config/local.zeek
index e3aea8183..a2fef6e6c 100644
--- a/zeek/config/local.zeek
+++ b/zeek/config/local.zeek
@@ -16,6 +16,7 @@ global synchrophasor_detailed = (getenv("ZEEK_SYNCHROPHASOR_DETAILED") == true_r
global synchrophasor_ports_str = getenv("ZEEK_SYNCHROPHASOR_PORTS");
global genisys_ports_str = getenv("ZEEK_GENISYS_PORTS");
global enip_ports_str = getenv("ZEEK_ENIP_PORTS");
+global zeek_ja4_ssh_packet_count = (getenv("ZEEK_JA4SSH_PACKET_COUNT") == "") ? 200 : to_count(getenv("ZEEK_JA4SSH_PACKET_COUNT"));
global zeek_local_nets_str = getenv("ZEEK_LOCAL_NETS");
global disable_spicy_ipsec = (getenv("ZEEK_DISABLE_SPICY_IPSEC") == true_regex) ? T : F;
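Review bot: `to_count(getenv("ZEEK_JA4SSH_PACKET_COUNT"))` at L20166 only guards the empty-string case; a non-numeric or negative value is not rejected, and Zeek's `to_count` reports a runtime error and yields 0 for such input, so a typo in the environment variable presumably sets the packet count to 0 instead of the 200 default. Validate the string before converting (a `/^[0-9]+$/` match), or at least document the expectation next to the line: `# ZEEK_JA4SSH_PACKET_COUNT must be a non-negative integer; to_count() yields 0 (with a runtime error) otherwise`.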
@@ -282,6 +283,7 @@ event zeek_init() &priority=-5 {
redef LDAP::default_capture_password = T;
@endif
+redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = zeek_ja4_ssh_packet_count;
redef HTTP::log_client_header_names = T;
redef HTTP::log_server_header_names = T;
redef LDAP::default_log_search_attributes = F;
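Review bot: `redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count` at L20172 is unconditional, whereas the `@endif` at L20171 shows neighbouring redefs are guarded; the JA4 package comes from the separately maintained `ZKG_GITHUB_URLS` list in `zeek_install_plugins.sh`, and if it is not loaded, redefining an undeclared identifier is a script load error that stops Zeek. Wrap it as `@ifdef (FINGERPRINT::JA4SSH::ja4_ssh_packet_count)` / `redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = zeek_ja4_ssh_packet_count;` / `@endif`.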