From 2f5a02200d9e30b0ac75d5b6412b4b9a878b1332 Mon Sep 17 00:00:00 2001
From: Seth Grover
Date: Wed, 15 Jan 2025 15:43:28 -0700
Subject: [PATCH] WIP omron fins integration, cisagov/Malcolm#554

---
 arkime/etc/config.ini | 14 +-
 .../c899f8b0-d36b-11ef-b619-17836b3bbf47.json | 248 ++++++++++++++++--
 .../composable/component/zeek_ot.json | 14 +-
 .../pipelines/zeek/1300_zeek_normalize.conf | 10 +-
 4 files changed, 251 insertions(+), 35 deletions(-)

diff --git a/arkime/etc/config.ini b/arkime/etc/config.ini
index f23f56cf6..a1e62b213 100644
--- a/arkime/etc/config.ini
+++ b/arkime/etc/config.ini
@@ -1538,7 +1538,7 @@ zeek.omron_fins_detail.beginning_word=db:zeek.omron_fins_detail.beginning_word;g
 zeek.omron_fins_detail.number_of_words=db:zeek.omron_fins_detail.number_of_words;group:zeek_omron_fins;kind:integer;viewerOnly:true;friendly:number_of_words;help:number_of_words
 zeek.omron_fins_detail.last_word_bit=db:zeek.omron_fins_detail.last_word_bit;group:zeek_omron_fins;kind:integer;viewerOnly:true;friendly:last_word_bit;help:last_word_bit
 zeek.omron_fins_detail.data=db:zeek.omron_fins_detail.data;group:zeek_omron_fins;kind:termfield;viewerOnly:true;friendly:data;help:data
-zeek.omron_fins_detail.date=db:zeek.omron_fins_detail.date;group:zeek_omron_fins;kind:integer;viewerOnly:true;friendly:date;help:date
+zeek.omron_fins_detail.date=db:zeek.omron_fins_detail.date;group:zeek_omron_fins;kind:termfield;viewerOnly:true;friendly:date;help:date
 zeek.omron_fins_detail.clock_time=db:zeek.omron_fins_detail.clock_time;group:zeek_omron_fins;kind:termfield;viewerOnly:true;friendly:clock_time;help:clock_time
 zeek.omron_fins_detail.intelligent_id_no=db:zeek.omron_fins_detail.intelligent_id_no;group:zeek_omron_fins;kind:termfield;viewerOnly:true;friendly:intelligent_id_no;help:intelligent_id_no
 zeek.omron_fins_detail.first_word=db:zeek.omron_fins_detail.first_word;group:zeek_omron_fins;kind:termfield;viewerOnly:true;friendly:first_word;help:first_word
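Review bot: The Arkime definition of `zeek.omron_fins_detail.date` becomes `kind:termfield` here, while the same commit maps that field as `"type": "date"` in the zeek_ot.json hunk at `@@ -916,7 +916,7 @@`, so Arkime and the index mapping now disagree about what the value is. A `date` mapping is strict: any value the Zeek parser extracts from a FINS response that does not parse with the mapping's date format raises a mapping exception and the whole event is rejected by OpenSearch unless the template sets `ignore_malformed`, which means a single controller returning an odd clock value can silently drop its traffic from the index. If the field really carries a timestamp, declare it as such in both places (a date kind on the Arkime side, if the deployed version supports one, and an explicit `format` on the mapping); if it is the raw clock value as reported on the wire, `keyword` is the safer mapping and matches this termfield change.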
@@ -1666,12 +1666,12 @@ zeek.omron_fins.source_unit_address=db:zeek.omron_fins.source_unit_address;group zeek.omron_fins.service_id=db:zeek.omron_fins.service_id;group:zeek_omron_fins;kind:termfield;viewerOnly:true;friendly:service_id;help:service_id zeek.omron_fins.command_code=db:zeek.omron_fins.command_code;group:zeek_omron_fins;kind:termfield;viewerOnly:true;friendly:command_code;help:command_code zeek.omron_fins.response_code=db:zeek.omron_fins.response_code;group:zeek_omron_fins;kind:termfield;viewerOnly:true;friendly:response_code;help:response_code -zeek.omron_fins.minute=db:zeek.omron_fins.minute;group:zeek_omron_fins;kind:integer;viewerOnly:true;friendly:minute;help:minute -zeek.omron_fins.second=db:zeek.omron_fins.second;group:zeek_omron_fins;kind:integer;viewerOnly:true;friendly:second;help:second -zeek.omron_fins.day=db:zeek.omron_fins.day;group:zeek_omron_fins;kind:integer;viewerOnly:true;friendly:day;help:day -zeek.omron_fins.hour=db:zeek.omron_fins.hour;group:zeek_omron_fins;kind:integer;viewerOnly:true;friendly:hour;help:hour -zeek.omron_fins.year=db:zeek.omron_fins.year;group:zeek_omron_fins;kind:integer;viewerOnly:true;friendly:year;help:year -zeek.omron_fins.month=db:zeek.omron_fins.month;group:zeek_omron_fins;kind:integer;viewerOnly:true;friendly:month;help:month +zeek.omron_fins.minute=db:zeek.omron_fins.minute;group:zeek_omron_fins;kind:termfield;viewerOnly:true;friendly:minute;help:minute +zeek.omron_fins.second=db:zeek.omron_fins.second;group:zeek_omron_fins;kind:termfield;viewerOnly:true;friendly:second;help:second +zeek.omron_fins.day=db:zeek.omron_fins.day;group:zeek_omron_fins;kind:termfield;viewerOnly:true;friendly:day;help:day +zeek.omron_fins.hour=db:zeek.omron_fins.hour;group:zeek_omron_fins;kind:termfield;viewerOnly:true;friendly:hour;help:hour +zeek.omron_fins.year=db:zeek.omron_fins.year;group:zeek_omron_fins;kind:termfield;viewerOnly:true;friendly:year;help:year 
+zeek.omron_fins.month=db:zeek.omron_fins.month;group:zeek_omron_fins;kind:termfield;viewerOnly:true;friendly:month;help:month # omron_fins_network_status_read.log diff --git a/dashboards/dashboards/c899f8b0-d36b-11ef-b619-17836b3bbf47.json b/dashboards/dashboards/c899f8b0-d36b-11ef-b619-17836b3bbf47.json index 17a5a96de..f88b33573 100644 --- a/dashboards/dashboards/c899f8b0-d36b-11ef-b619-17836b3bbf47.json +++ b/dashboards/dashboards/c899f8b0-d36b-11ef-b619-17836b3bbf47.json 
@@ -8,7 +8,7 @@ "searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}" }, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "panelsJSON": "[{\"version\":\"2.18.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":31,\"i\":\"93a55ef0-2531-4e0f-b541-007b15675877\"},\"panelIndex\":\"93a55ef0-2531-4e0f-b541-007b15675877\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.18.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":31,\"i\":\"1feca6e6-3466-4ff7-bcbf-267e3e78df54\"},\"panelIndex\":\"1feca6e6-3466-4ff7-bcbf-267e3e78df54\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"2.18.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":14,\"i\":\"cfb1f39f-52c9-4e69-938a-8ea3a7d98449\"},\"panelIndex\":\"cfb1f39f-52c9-4e69-938a-8ea3a7d98449\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"2.18.0\",\"gridData\":{\"x\":16,\"y\":14,\"w\":10,\"h\":17,\"i\":\"438627ba-9c90-4820-a50d-afe9a7bb2d6d\"},\"panelIndex\":\"438627ba-9c90-4820-a50d-afe9a7bb2d6d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"2.18.0\",\"gridData\":{\"x\":26,\"y\":14,\"w\":11,\"h\":17,\"i\":\"4924e5a6-8301-4eb0-897a-fe4f434a423a\"},\"panelIndex\":\"4924e5a6-8301-4eb0-897a-fe4f434a423a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"2.18.0\",\"gridData\":{\"x\":0,\"y\":31,\"w\":48,\"h\":29,\"i\":\"d8e534f2-e1e2-4a4d-a5a9-d086db6116af\"},\"panelIndex\":\"d8e534f2-e1e2-4a4d-a5a9-d086db6116af\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"}]", + "panelsJSON": 
"[{\"version\":\"2.18.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":33,\"i\":\"93a55ef0-2531-4e0f-b541-007b15675877\"},\"panelIndex\":\"93a55ef0-2531-4e0f-b541-007b15675877\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.18.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":10,\"h\":33,\"i\":\"1feca6e6-3466-4ff7-bcbf-267e3e78df54\"},\"panelIndex\":\"1feca6e6-3466-4ff7-bcbf-267e3e78df54\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"2.18.0\",\"gridData\":{\"x\":18,\"y\":0,\"w\":30,\"h\":14,\"i\":\"cfb1f39f-52c9-4e69-938a-8ea3a7d98449\"},\"panelIndex\":\"cfb1f39f-52c9-4e69-938a-8ea3a7d98449\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"2.18.0\",\"gridData\":{\"x\":18,\"y\":14,\"w\":30,\"h\":19,\"i\":\"8af980bf-56dd-4d6e-b7bf-8edf0d2fb319\"},\"panelIndex\":\"8af980bf-56dd-4d6e-b7bf-8edf0d2fb319\",\"embeddableConfig\":{\"vis\":{\"sortColumn\":{\"colIndex\":2,\"direction\":\"desc\"}}},\"panelRefName\":\"panel_3\"},{\"version\":\"2.18.0\",\"gridData\":{\"x\":0,\"y\":33,\"w\":9,\"h\":19,\"i\":\"438627ba-9c90-4820-a50d-afe9a7bb2d6d\"},\"panelIndex\":\"438627ba-9c90-4820-a50d-afe9a7bb2d6d\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"2.18.0\",\"gridData\":{\"x\":9,\"y\":33,\"w\":10,\"h\":19,\"i\":\"4924e5a6-8301-4eb0-897a-fe4f434a423a\"},\"panelIndex\":\"4924e5a6-8301-4eb0-897a-fe4f434a423a\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"2.18.0\",\"gridData\":{\"x\":19,\"y\":33,\"w\":17,\"h\":19,\"i\":\"f470af29-165f-405f-b7d7-645daa139a33\"},\"panelIndex\":\"f470af29-165f-405f-b7d7-645daa139a33\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"2.18.0\",\"gridData\":{\"x\":36,\"y\":33,\"w\":12,\"h\":19,\"i\":\"a98fe06a-c49c-47ee-a696-555df58f7fbb\"},\"panelIndex\":\"a98fe06a-c49c-47ee-a696-555df58f7fbb\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"2.18.0\",\"gridData\":{\"x\":0,\"y\":52,\"w\":13,\"h\":19,\"i\":\"daf32d
2d-164d-418a-b1f1-1f329ce71ff0\"},\"panelIndex\":\"daf32d2d-164d-418a-b1f1-1f329ce71ff0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"2.18.0\",\"gridData\":{\"x\":13,\"y\":52,\"w\":16,\"h\":19,\"i\":\"140856ec-a808-4b4d-b576-083f94388bf5\"},\"panelIndex\":\"140856ec-a808-4b4d-b576-083f94388bf5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"},{\"version\":\"2.18.0\",\"gridData\":{\"x\":29,\"y\":52,\"w\":19,\"h\":19,\"i\":\"15fb5c1b-0f41-42fc-9bb5-06402e78e215\"},\"panelIndex\":\"15fb5c1b-0f41-42fc-9bb5-06402e78e215\",\"embeddableConfig\":{},\"panelRefName\":\"panel_10\"},{\"version\":\"2.18.0\",\"gridData\":{\"x\":0,\"y\":71,\"w\":48,\"h\":29,\"i\":\"d8e534f2-e1e2-4a4d-a5a9-d086db6116af\"},\"panelIndex\":\"d8e534f2-e1e2-4a4d-a5a9-d086db6116af\",\"embeddableConfig\":{},\"panelRefName\":\"panel_11\"}]", "timeRestore": false, "title": "Omron FINS", "version": 1 
@@ -37,24 +37,54 @@ "type": "visualization" }, { - "id": "9dcfba60-d36c-11ef-b619-17836b3bbf47", + "id": "801920a0-d38b-11ef-8ae2-0dd19e7f01ed", "name": "panel_3", "type": "visualization" }, { - "id": "d44dec60-d36c-11ef-b619-17836b3bbf47", + "id": "9dcfba60-d36c-11ef-b619-17836b3bbf47", "name": "panel_4", "type": "visualization" }, { - "id": "ddec0a50-d36b-11ef-b619-17836b3bbf47", + "id": "d44dec60-d36c-11ef-b619-17836b3bbf47", "name": "panel_5", + "type": "visualization" + }, + { + "id": "5a1a7eb0-d38d-11ef-8ae2-0dd19e7f01ed", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "685f7d80-d38e-11ef-8ae2-0dd19e7f01ed", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "5c20abc0-d389-11ef-b66a-3bee4dc3b330", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "d4ac0ef0-d38d-11ef-8ae2-0dd19e7f01ed", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "27315d80-d391-11ef-8ae2-0dd19e7f01ed", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "ddec0a50-d36b-11ef-b619-17836b3bbf47", + "name": "panel_11", "type": "search" } ], "type": "dashboard", - "updated_at": "2025-01-15T18:17:04.667Z", - "version": "WzEwODgsMV0=" + "updated_at": "2025-01-15T22:37:50.583Z", + "version": "WzEwOTQsMV0=" }, { "attributes": { @@ -76,8 +106,8 @@ ], "references": [], "type": "visualization", - "updated_at": "2025-01-15T17:59:42.815Z", - "version": "WzEwNjIsMV0=" + "updated_at": "2025-01-15T21:49:43.578Z", + "version": "WzEwNzAsMV0=" }, { "attributes": { @@ -106,8 +136,8 @@ } ], "type": "visualization", - "updated_at": "2025-01-15T18:12:13.594Z", - "version": "WzEwODQsMV0=" + "updated_at": "2025-01-15T21:49:15.240Z", + "version": "Wzc2NiwxXQ==" }, { "attributes": { 
@@ -136,8 +166,38 @@ } ], "type": "visualization", - "updated_at": "2025-01-15T18:13:56.577Z", - "version": "WzEwODUsMV0=" + "updated_at": "2025-01-15T21:49:15.240Z", + "version": "Wzc2NywxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Omron FINS - Action and Result", + "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":2,\"direction\":\"desc\"}}}", + "version": 1, + "visState": "{\"title\":\"Omron FINS - Action and Result\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Action\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Result\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}" + }, + "id": "801920a0-d38b-11ef-8ae2-0dd19e7f01ed", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "ddec0a50-d36b-11ef-b619-17836b3bbf47", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2025-01-15T21:55:57.482Z", + "version": "WzEwODEsMV0=" }, { "attributes": { 
@@ -166,8 +226,8 @@ } ], "type": "visualization", - "updated_at": "2025-01-15T18:14:52.934Z", - "version": "WzEwODYsMV0=" + "updated_at": "2025-01-15T21:49:15.240Z", + "version": "Wzc2OSwxXQ==" }, { "attributes": { 
@@ -196,16 +256,166 @@ } ], "type": "visualization", - "updated_at": "2025-01-15T18:16:24.358Z", - "version": "WzEwODcsMV0=" + "updated_at": "2025-01-15T21:49:15.240Z", + "version": "Wzc3MCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Omron FINS - Controller Model and Version", + "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":2,\"direction\":\"desc\"}}}", + "version": 1, + "visState": "{\"title\":\"Omron FINS - Controller Model and Version\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.omron_fins_detail.controller_model\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Controller Model\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.omron_fins_detail.controller_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Controller Version\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"row\":true}}" + }, + "id": "5a1a7eb0-d38d-11ef-8ae2-0dd19e7f01ed", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "ddec0a50-d36b-11ef-b619-17836b3bbf47", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2025-01-15T22:09:12.731Z", + "version": "WzEwODMsMV0=" + }, + { + "attributes": { + 
"description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Omron FINS - Files/Volumes", + "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":1,\"direction\":\"desc\"}}}", + "version": 1, + "visState": "{\"title\":\"Omron FINS - Files/Volumes\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"file.path\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Volume Label\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}" + }, + "id": "685f7d80-d38e-11ef-8ae2-0dd19e7f01ed", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "ddec0a50-d36b-11ef-b619-17836b3bbf47", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2025-01-15T22:23:30.148Z", + "version": "WzEwOTAsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Omron FINS - Transport Protocol", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"title\":\"Omron FINS - Transport 
Protocol\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.transport\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Transport Protocol\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}}}" + }, + "id": "5c20abc0-d389-11ef-b66a-3bee4dc3b330", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "ddec0a50-d36b-11ef-b619-17836b3bbf47", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2025-01-15T21:49:15.240Z", + "version": "Wzc2OCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Omron FINS - Data Type", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"title\":\"Omron FINS - Data Type\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.omron_fins.icf_data_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}}}" + }, + "id": 
"d4ac0ef0-d38d-11ef-8ae2-0dd19e7f01ed", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "ddec0a50-d36b-11ef-b619-17836b3bbf47", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2025-01-15T22:12:38.367Z", + "version": "WzEwODUsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Omron FINS - Address, Node, and Unit", + "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":6,\"direction\":\"desc\"}}}", + "version": 1, + "visState": "{\"title\":\"Omron FINS - Address, Node, and Unit\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.omron_fins.source_network_address\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Src Net Addr\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.omron_fins.source_node_number\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Src Node Num\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.omron_fins.source_unit_address\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Src Unit 
Addr\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.omron_fins.destination_network_address\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dst Net Addr\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.omron_fins.destination_node_number\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dst Node Num\"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.omron_fins.destination_unit_address\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dst Unit Addr\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}" + }, + "id": "27315d80-d391-11ef-8ae2-0dd19e7f01ed", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "ddec0a50-d36b-11ef-b619-17836b3bbf47", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2025-01-15T22:36:25.304Z", + "version": "WzEwOTMsMV0=" }, { "attributes": { "columns": [ "event.dataset", + "network.transport", "source.ip", "destination.ip", - "zeek.omron_fins.icf_data_type", "event.action", "event.result", "zeek.omron_fins.link_id", @@ -235,8 +445,8 @@ } ], "type": "search", - "updated_at": "2025-01-15T18:09:30.997Z", - "version": "WzEwODMsMV0=" + "updated_at": "2025-01-15T21:49:15.240Z", + "version": "Wzc3MSwxXQ==" } ], "version": "2.18.0" 
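Review bot: The new "Omron FINS - Files/Volumes" table in hunk `@@ -196,16 +256,166 @@` buckets on `file.path` with `customLabel` "Volume Label", but the 1300_zeek_normalize.conf hunk in this same commit merges both `[zeek][omron_fins_file][volume_label]` and `[zeek][omron_fins_file][file_name]` into `[file][path]`, so this column will show a mix of volume labels and file names under a heading that claims only the former. Either aggregate on the underlying `zeek.omron_fins_file.volume_label` field (and add a second column for the file name), or relabel the column, e.g. `\"customLabel\":\"Volume Label / File Name\"`, so an operator does not misread a file name as a volume. Merging a volume label into the cross-protocol ECS `file.path` field also affects every other consumer of `file.path` (other dashboards, file-extraction views), which is worth a deliberate decision rather than a side effect of reusing the merge pattern.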
diff --git a/dashboards/templates/composable/component/zeek_ot.json b/dashboards/templates/composable/component/zeek_ot.json
index 3bac50e6a..4a54b755a 100644
--- a/dashboards/templates/composable/component/zeek_ot.json
+++ b/dashboards/templates/composable/component/zeek_ot.json
@@ -858,20 +858,20 @@
 "zeek.modbus_read_write_multiple_registers.write_start_address": { "type": "integer" },
 "zeek.omron_fins.client_node_address": { "type": "long" },
 "zeek.omron_fins.command_code": { "type": "keyword" },
- "zeek.omron_fins.day": { "type": "long" },
+ "zeek.omron_fins.day": { "type": "keyword" },
 "zeek.omron_fins.destination_network_address": { "type": "keyword" },
 "zeek.omron_fins.destination_node_number": { "type": "keyword" },
 "zeek.omron_fins.destination_unit_address": { "type": "keyword" },
 "zeek.omron_fins.gateway_count": { "type": "long" },
- "zeek.omron_fins.hour": { "type": "long" },
+ "zeek.omron_fins.hour": { "type": "keyword" },
 "zeek.omron_fins.icf_data_type": { "type": "keyword" },
 "zeek.omron_fins.icf_gateway": { "type": "keyword" },
 "zeek.omron_fins.icf_response_setting": { "type": "keyword" },
 "zeek.omron_fins.link_id": { "type": "keyword" },
- "zeek.omron_fins.minute": { "type": "long" },
- "zeek.omron_fins.month": { "type": "long" },
+ "zeek.omron_fins.minute": { "type": "keyword" },
+ "zeek.omron_fins.month": { "type": "keyword" },
 "zeek.omron_fins.response_code": { "type": "keyword" },
- "zeek.omron_fins.second": { "type": "long" },
+ "zeek.omron_fins.second": { "type": "keyword" },
 "zeek.omron_fins.server_node_address": { "type": "long" },
 "zeek.omron_fins.service_id": { "type": "keyword" },
 "zeek.omron_fins.source_network_address": { "type": "keyword" },
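Review bot: Changing `zeek.omron_fins.day`, `hour`, `minute`, `month`, `second` (and `year` in the next hunk) from `long` to `keyword` in the component template only takes effect for indices created after the template is reloaded; indices that already exist keep the `long` mapping, and the context lines show these fields were already defined, so deployments with existing data may have live indices on the old type. If the Zeek parser now emits values for these fields that do not coerce to a number, those events will fail to index with a mapping exception until the next index rollover, which is hard to diagnose from the dashboards. A line in the upgrade notes (or the commit description once this leaves WIP) saying that a rollover or re-index is needed for the new types would save operators that hunt; the matching `kind:termfield` change in arkime/etc/config.ini keeps Arkime consistent with the new mapping.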
@@ -881,7 +881,7 @@
 "zeek.omron_fins.tcp_error_code": { "type": "keyword" },
 "zeek.omron_fins.tcp_header": { "type": "keyword" },
 "zeek.omron_fins.tcp_length": { "type": "long" },
- "zeek.omron_fins.year": { "type": "long" },
+ "zeek.omron_fins.year": { "type": "keyword" },
 "zeek.omron_fins_data_link_status_read.data_links": { "type": "keyword" },
 "zeek.omron_fins_data_link_status_read.error_status": { "type": "keyword" },
 "zeek.omron_fins_data_link_status_read.master_node_number": { "type": "long" },
@@ -916,7 +916,7 @@
 "zeek.omron_fins_detail.cycle_time_read_parameter": { "type": "keyword" },
 "zeek.omron_fins_detail.data": { "type": "keyword" },
 "zeek.omron_fins_detail.data_length": { "type": "keyword" },
- "zeek.omron_fins_detail.date": { "type": "long" },
+ "zeek.omron_fins_detail.date": { "type": "date" },
 "zeek.omron_fins_detail.error_message": { "type": "keyword" },
 "zeek.omron_fins_detail.expansion_dm_size": { "type": "long" },
 "zeek.omron_fins_detail.fal_fals_0": { "type": "keyword" },
diff --git a/logstash/pipelines/zeek/1300_zeek_normalize.conf b/logstash/pipelines/zeek/1300_zeek_normalize.conf
index 99d4253b9..ba529dd71 100644
--- a/logstash/pipelines/zeek/1300_zeek_normalize.conf
+++ b/logstash/pipelines/zeek/1300_zeek_normalize.conf
@@ -1522,11 +1522,17 @@ filter { if ([zeek][http][resp_filenames]) { mutate { id => "mutate_merge_normalize_zeek_http_resp_filenames" merge => { "[file][path]" => "[zeek][http][resp_filenames]" } } } + if ([zeek][http][resp_filenames]) { mutate { id => "mutate_merge_normalize_zeek_http_resp_filenames" + merge => { "[file][path]" => "[zeek][http][resp_filenames]" } } } + if ([zeek][s7comm_upload_download][filename]) { mutate { id => "mutate_merge_normalize_zeek_s7comm_upload_download_filename" merge => { "[file][path]" => "[zeek][s7comm_upload_download][filename]" } } } - if ([zeek][tftp][fname]) { mutate { id => "mutate_merge_normalize_zeek_tftp_fname" - merge => { "[file][path]" => "[zeek][tftp][fname]" } } } + if ([zeek][omron_fins_file][volume_label]) { mutate { id => "mutate_merge_normalize_zeek_omron_fins_file_volume_label" + merge => { "[file][path]" => "[zeek][omron_fins_file][volume_label]" } } } + + if ([zeek][omron_fins_file][file_name]) { mutate { id => "mutate_merge_normalize_zeek_omron_fins_file_file_name" + merge => { "[file][path]" => "[zeek][omron_fins_file][file_name]" } } } # as we already did a bunch of work parsing out smb.host, smb.share and smb.filename in 12_zeek_mutate.conf, use those here as well # this should cover smb_files, smb_cmd and smb_mapping
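Review bot: The first added block re-declares the `[zeek][http][resp_filenames]` merge that is already present in the context line directly above it, with the identical plugin id `mutate_merge_normalize_zeek_http_resp_filenames`; Logstash treats two plugins with the same id as a configuration error and should refuse to start the pipeline, and even if it loaded, the merge would run twice and push duplicate entries into `[file][path]`. The removal of the `[zeek][tftp][fname]` merge also looks accidental for an Omron FINS commit, since nothing else in the hunk replaces TFTP filename normalization into `file.path`, so TFTP transfers would silently disappear from file-based dashboards. Drop the three duplicated `resp_filenames` lines and restore `if ([zeek][tftp][fname]) { mutate { id => "mutate_merge_normalize_zeek_tftp_fname" merge => { "[file][path]" => "[zeek][tftp][fname]" } } }`, keeping the two new `omron_fins_file` merges. The enclosing `filter {` block starts and ends outside the hunk.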