Data have to be cleaned before ingestion, and some fields are deleted for this purpose. These fields were Splunk-specific, duplicated, reproducible with Logstash if needed, or simply not useful.
Note that no lines containing data have been deleted. The line count of the BOTES dataset is therefore the same as that of the BOTS dataset.
This section contains the lists of global fields deleted for all datasets/sourcetypes and of the specific fields deleted for each dataset/sourcetype.
Each BOTS JSON event is nested in "result". The first step is to bring the data up to the first level, for convenience. Data initially at the first level is not kept because it is not useful:
or, to modify all files at once:
The second step is to list the unique fields of each JSON file. The goal is to sort them, delete the duplicated or useless ones, and finally establish a list of all unique fields and match each one to an ECS field.
Sort the unique fields by launching the following command for each JSON file:
Reminder: jq needs to be installed for this and the following steps. Check the page if it is not already installed.
The results of the commands on each JSON file are put in separate tables, to be sorted and cleaned in the next step.
Some values can be found twice or three times in different original fields. In this case, the fields created or derived by Splunk parsing are deleted and the field names from the original logs are kept.
The "dest" and "dest_ip" fields contain the same value. The raw log indicates that "dest_ip" is the true original field, so in this case "dest_ip" is kept and "dest" is deleted.
Some fields are deleted because of bad parsing, or because it is easier to set them directly at the Logstash level (tags, vendor, etc.).
In this example, the "cs_uri_query" field is not correctly parsed because of an "=" in its value, and the field "n990136" is created when it should not be.
Table clean-up actions:
Fields that are deleted are removed from the table(s) created in the previous step.
Fields that are deleted are added to the jq delete list (the lists are at the end of each dataset table).
All kept fields are then matched with an ECS field and the corresponding type, fieldset, level and description.
If no ECS fieldset matches an original field, a new fieldset is created, or a new field with the 'botes' prefix is added to an existing ECS fieldset.
For each JSON file, delete the chosen fields with jq, using the lists established in the previous step.
Rename the "_time" and "_raw" fields to avoid issues during Logstash ingestion:
For fields with type "Long", remove the quotes in the JSON files, or the values will be interpreted as strings by Elasticsearch.
Modifications specific to each sourcetype are needed too.
fgt_event jq delete command :
fgt_traffic jq delete command :
fgt_utm jq delete command :
IIS jq delete command :
nessus:scan jq delete command :
stream:dhcp jq delete command :
stream:dns jq delete command :
stream:http jq delete command :
stream:icmp jq delete command :
stream:ip jq delete command :
stream:ldap jq delete command :
stream:mapi jq delete command :
stream:sip jq delete command :
stream:smb jq delete command :
stream:snmp jq delete command :
stream:tcp jq delete command :
suricata jq delete command :
wineventlog:application jq delete command :
wineventlog:security jq delete command :
wineventlog:system jq delete command :
winregistry jq delete command :
xmlwineventlog: Microsoft Windows Sysmon Operational jq delete command :
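The whole procedure above (lift "result" to the first level, list the unique fields, delete the chosen fields, rename "_time"/"_raw", unquote the Long fields), as an added Python example that is not part of the original page or of the BOTES project; the page does these steps with jq. The sample lines, the target names of the rename ("event_time", "event_raw") and the "sc_bytes" Long field are assumptions, and the example generalizes the "n990136" case by flagging every field whose name appears before an "=" inside "cs_uri_query" or "cs_referer".

```python
import json
import re
from collections import Counter

# Constructed BOTS-style JSON lines (sample input, not lines from the real dataset).
# Each Splunk export wraps the event in "result"; the top-level keys are discarded.
SAMPLE_LINES = [
    '{"preview": false, "offset": 0, "result": {"_time": "2016-08-10T10:05:04.000-07:00",'
    ' "_raw": "2016-08-10 17:05:04 GET /index.php id=n990136=1&view=article 200",'
    ' "_si": ["idx", "botsv1"], "index": "botsv1", "sourcetype": "iis",'
    ' "dest": "192.168.250.70", "dest_ip": "192.168.250.70",'
    ' "cs_uri_query": "id=n990136=1&view=article", "n990136": "1", "view": "article",'
    ' "sc_bytes": "1234"}}',
    '{"preview": false, "offset": 1, "result": {"_time": "2016-08-10T10:05:09.000-07:00",'
    ' "_raw": "2016-08-10 17:05:09 GET /robots.txt - 404", "_si": ["idx", "botsv1"],'
    ' "index": "botsv1", "sourcetype": "iis", "dest": "192.168.250.70",'
    ' "dest_ip": "192.168.250.70", "cs_uri_query": "-", "sc_bytes": "98"}}',
]

# Subset of the page's global delete list, plus the IIS duplicate "dest" (dest_ip is kept).
DELETE_FIELDS = {"_si", "index", "sourcetype", "dest"}
# Fields mapped to an ECS "Long" type: their quoted values are turned into integers.
LONG_FIELDS = {"sc_bytes"}  # assumed; the page only says "fields with type Long"
# Assumed target names for the "_time"/"_raw" rename (the page does not give them).
RENAMES = {"_time": "event_time", "_raw": "event_raw"}

KV_NAME = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)=")

def lift_result(line):
    """Step 1: bring the nested "result" object up to the first level."""
    return json.loads(line)["result"]

def unique_fields(records):
    """Step 2: count in how many events each field occurs (the jq 'keys' listing)."""
    return Counter(k for rec in records for k in rec)

def kv_derived_fields(records):
    """Names Splunk auto-extracted from '=' inside cs_uri_query/cs_referer values
    (the page's "n990136" case): any token followed by '=' that is also a field."""
    names = set()
    for rec in records:
        for src in ("cs_uri_query", "cs_referer"):
            names.update(KV_NAME.findall(rec.get(src, "")))
    return sorted(names & set(unique_fields(records)))

def clean_record(rec, delete):
    """Steps 3-5: delete chosen fields, rename _time/_raw, unquote Long fields."""
    out = {k: v for k, v in rec.items() if k not in delete}
    for old, new in RENAMES.items():
        if old in out:
            out[new] = out.pop(old)
    for name in LONG_FIELDS:
        if isinstance(out.get(name), str) and out[name].isdigit():
            out[name] = int(out[name])
    return out

def clean_lines(lines, extra_delete=()):
    """Run the whole pipeline; the number of events must stay unchanged."""
    records = [lift_result(line) for line in lines]
    delete = DELETE_FIELDS | set(extra_delete) | set(kv_derived_fields(records))
    cleaned = [clean_record(rec, delete) for rec in records]
    assert len(cleaned) == len(lines)  # fields are dropped, never event lines
    return cleaned
```

Run `clean_lines(SAMPLE_LINES)` to get the cleaned events; `kv_derived_fields` on the lifted records lists the spurious query-string fields that belong in the sourcetype's delete list.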
Refer to the corresponding section for the Excel and CSV files containing the cleaned dataset fields.
Global fields deleted for all datasets/sourcetypes:

| Field Name | Reason |
| --- | --- |
| _si | Splunk specific. |
| _cd | Splunk specific (event address in index). |
| _bkt | Splunk specific (bucket ID). |
| _serial | Splunk specific. |
| _eventtype_color | Splunk specific. |
| _sourcetype | Event sourcetype will be added by Logstash. |
| _subsecond | Already contained in the "_time" field. Can be obtained with Logstash if needed. |
| app | Inaccurate value, or can be obtained with Logstash if needed. |
| date | Already contained in the "_time" field. Can be obtained with Logstash if needed. |
| date_hour | Splunk default datetime field. |
| date_mday | Splunk default datetime field. |
| date_minute | Splunk default datetime field. |
| date_month | Splunk default datetime field. |
| date_second | Splunk default datetime field. |
| date_wday | Splunk default datetime field. |
| date_year | Splunk default datetime field. |
| dvc | Duplicated value. |
| index | Splunk specific (index name). |
| linecount | Splunk specific (current log line count). |
| punct | Splunk specific (punctuation pattern of an event). |
| source | Event source will be added by Logstash. |
| sourcetype | Event sourcetype will be added by Logstash. |
| splunk_server | Splunk specific (Splunk server name). |
| tag | Event will be tagged by Logstash. |
| tag::eventtype | Event will be tagged by Logstash. |
| time | Already contained in the "_time" field. Can be obtained with Logstash if needed. |
| timeendpos | Confusing with other fields. |
| timestamp | Duplicate of the "time" field. |
| timestartpos | Confusing with other fields. |
Fields deleted for fgt_event:

| Field Name | Reason |
| --- | --- |
| action | |
| category | |
| command | |
| cpu | |
| cpu_load_percent | |
| dest | |
| disk | |
| disklograte | |
| duration | |
| fams_pause | |
| fazlograte | |
| limit | |
| mem | |
| object_category | |
| product_version | |
| session_id | |
| setuprate | |
| totalsession | |
| src | |
| vd | |
| vendor_eventtype | |
| vendor_status | |
Fields deleted for fgt_traffic:

| Field Name | Reason |
| --- | --- |
| action | |
| bytes_in | |
| bytes_out | |
| category | |
| dest | |
| dest_interface | |
| dest_port | |
| dest_translated_ip | |
| dest_translated_port | |
| dstcountry | |
| ftnt_action | |
| packets_in | |
| packets_out | |
| product_version | |
| rule | |
| rule_id | |
| session_id | |
| srccountry | |
| src_interface | |
| src_ip | |
| src_port | |
| src_mac | |
| src_translated_ip | |
| src | |
| vd | |
| vendor_eventtype | |
Fields deleted for fgt_utm:

| Field Name | Reason |
| --- | --- |
| action | |
| agent | |
| bytes_in | |
| bytes_out | |
| category | |
| dest | |
| dest_interface | |
| dest_port | |
| file_name | |
| ftnt_action | |
| http_method | |
| product_version | |
| session_id | |
| signature | |
| site | |
| src | |
| src_interface | |
| src_port | |
| srccountry | |
| status | |
| vd | |
| vendor_eventtype | |
Fields deleted for IIS:

| Field Name | Reason |
| --- | --- |
| _kv | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| a | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| a1f5ea945d8863b612f9488485969e4 | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| action | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| ADMINTYPE | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| allowedDomain | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| ApHost | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| aspxerrorpath | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| btnSubmit | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| BVw | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| cache_timeout | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| catid | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| cd | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| CGIAlias | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| cmd | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| config | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| culture | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| debug | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| depth | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| dest | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| do | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| dTw | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| ei | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| eid | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| f | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| feed | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| file | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| File | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| format | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| full | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| ge | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| GET | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| get_data | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| group | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| gzip | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| highlighterId | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| hk | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| id | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| iN | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| item | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| Itemid | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| jQuery | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| layout | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| link | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| module | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| movieName | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| n990136 | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| name | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| operator | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| option | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| ordering | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| page | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| param | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| playerready | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| plugin | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| Pp | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| (field name missing in source) | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| pZ | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| q | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| QA | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| qH | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| rct | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| rdoSearch | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| redirects | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| report | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| returnto | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| rev | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| route | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| rurl | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| sa | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| search | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| searchphrase | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| searchword | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| section | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| sections | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| self_a | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| selfor | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| sig2 | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| skip | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| sl | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| src | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| tab | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| task | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| template | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| test | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| time | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| title | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| tl | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| tmpl | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| txtSearchname | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| type | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| u | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| uploadifyID | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| url | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| usg | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| ved | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| view | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| window_x | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| wNO | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| wvstest | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| wVz | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| xC | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| xmlDataPath | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| xml_stylesheet | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
| yqQA5 | Bad parsing of the original "cs_uri_query" or "cs_referer" field. |
Fields deleted for nessus:scan:

| Field Name | Reason |
| --- | --- |
| dest | Duplicate of the "host-ip" field. |
| dest_host | Duplicate of the "hostname" field. |
| dest_ip | Duplicate of the "host-ip" field. |
| eventtype | Event will be tagged/typed by Logstash. |
| product | Will be set with Logstash. |
| signature | Duplicate of the "plugin_name" field. |
| vendor | Will be set with Logstash. |
Fields deleted for stream:dhcp:

| Field Name | Reason |
| --- | --- |
| action | |
| dest | |
| lease_duration | |
| signature | |
| src | |
Fields deleted for stream:dns:

| Field Name | Reason |
| --- | --- |
| answer | |
| dest | |
| message_type{} | |
| query{} | |
| query_type{} | |
| reply_code{} | |
| response_time{} | |
| src | |
Fields deleted for stream:http:

| Field Name | Reason |
| --- | --- |
| action | |
| capture_hostname | |
| client_rtt | |
| client_rtt_packets | |
| client_rtt_sum | |
| data_center_time | |
| dest | |
| duplicate_packets_in | |
| duplicate_packets_out | |
| duration | |
| form_data | |
| host | |
| reply_time | |
| request_ack_time | |
| request_time | |
| response_ack_time | |
| response_time | |
| server_rtt | |
| server_rtt_packets | |
| server_rtt_sum | |
| src | |
Fields deleted for stream:icmp:

| Field Name | Reason |
| --- | --- |
| dest | |
| duration | |
| host | |
| src | |
Fields deleted for stream:ip:

| Field Name | Reason |
| --- | --- |
| dest | |
| host | |
| src | |
Fields deleted for stream:ldap:

| Field Name | Reason |
| --- | --- |
| dest | |
| host | |
| src | |
Fields deleted for stream:mapi:

| Field Name | Reason |
| --- | --- |
| dest | |
| duration | |
| host | |
| reply_time | |
| request_time | |
| response_time | |
| src | |
Fields deleted for stream:sip:

| Field Name | Reason |
| --- | --- |
| dest | |
| duration | |
| host | |
| src | |
| uri | |
Fields deleted for stream:smb:

| Field Name | Reason |
| --- | --- |
| dest | |
| duration | |
| host | |
| src | |
Fields deleted for stream:snmp:

| Field Name | Reason |
| --- | --- |
| dest | |
| duration | |
| host | |
| src | |
Fields deleted for stream:tcp:

| Field Name | Reason |
| --- | --- |
| client_rtt | |
| client_rtt_packets | |
| client_rtt_sum | |
| connection | |
| dest | |
| duplicate_packets_in | |
| duplicate_packets_out | |
| duration | |
| server_rtt | |
| server_rtt_packets | |
| server_rtt_sum | |
| src | |
| ssl_end_time | |
| ssl_hash | |
| ssl_serialnumber | |
| ssl_session_id | |
| ssl_start_time | |
Fields deleted for suricata:

| Field Name | Reason |
| --- | --- |
| action | |
| alert_gid | |
| alert_rev | |
| bytes | |
| bytes_in | |
| bytes_out | |
| capture_kernel_drops | |
| category | |
| decoder_avg_pkt_size | |
| decoder_bytes | |
| decoder_erspan | |
| decoder_ethernet | |
| decoder_gre | |
| decoder_icmpv4 | |
| decoer_icmpv6 | |
| decoder_invalid | |
| decoder_ipraw_invalid_ip_version | |
| decoder_ipv4 | |
| decoder_ipv4_in_ipv6 | |
| decoder_ipv6 | |
| decoder_ipv6_in_ipv6 | |
| decoder_ltnull_pkt_too_small | |
| decoder_ltnull_unspported_type | |
| decoder_max_pkt_size | |
| decoder_mpls | |
| decoder_null | |
| decoder_pkts | |
| decoder_ppp | |
| decoder_pppoe | |
| decoder_raw | |
| decoder_sctp | |
| decoder_ssl | |
| decoder_tcp | |
| decoder_teredo | |
| decoder_udp | |
| decoder_vlan | |
| decoder_vlan_qinq | |
| defrag_ipv4_fragments | |
| defrag_ipv4_reassembled | |
| defrag_ipv4_timeouts | |
| defrag_ipv6_fragments | |
| defrag_ipv6_reassembled | |
| defrag_max_frag_hits | |
| defrag_ipv6_timeouts | |
| dest | |
| detect_alert | |
| dns_memcap_global | |
| dns_memcap_state | |
| dns_memuse | |
| duration | |
| dvc | |
| endtime | |
| filename | |
| file_size | |
| file_state | |
| file_stored | |
| file_tx_id | |
| flow_emerg_mode_entered | |
| flow_emerg_mode_over | |
| flow_memcap | |
| flow_memuse | |
| flow_mgr_closed_pruned | |
| flow_mgr_est_pruned | |
| flow_mgr_new_pruned | |
| flow_spare | |
| flow_tcp_reuse | |
| http_content_type | |
| http_memcap | |
| http_memuse | |
| http_method | |
| http_protocol | |
| http_referrer | |
| http_user_agent | |
| message_type | |
| packets_in | |
| packets_out | |
| query | |
| reason | |
| reply_code | |
| severity | |
| severity_id | |
| signature | |
| src | |
| ssh_client_software | |
| ssh_client_version | |
| ssh_server_software | |
| ssh_server_version | |
| ssl_issuer_common_name | |
| ssl_publickey | |
| ssl_server_name_indication | |
| ssl_subject_common_name | |
| ssl_version | |
| starttime | |
| state | |
| status | |
| stream_3whs_ack_in_wrong_dir | |
| stream_3whs_async_wrong_seq | |
| stream_3whs_right_seq_wrong_ack_evasion | |
| suricata_signature_id | |
| tcp_ack | |
| tcp_cwr | |
| tcp_ecn | |
| tcp_fin | |
| tcp_flag_hex | |
| tcp_flag_hex_to_client | |
| tcp_flag_hex_to_server | |
| tcp_invalid_checksum | |
| tcp_memuse | |
| tcp_no_flow | |
| tcp_pseudo | |
| tcp_pseudo_failed | |
| tcp_psh | |
| tcp_reassembly_gap | |
| tcp_reassembly_memuse | |
| tcp_rst | |
| tcp_segment_memcap_drop | |
| tcp_sessions | |
| tcp_ssn_memcap_drop | |
| tcp_state | |
| tcp_stream_depth_reached | |
| tcp_syn | |
| tcp_synack | |
| transaction_id | |
| transport | |
| ttl | |
| tx_id | |
| uptime | |
| url | |
| vendor_gid | |
| vendor_rev | |
| vendor_sid | |
Fields deleted for wineventlog:application:

| Field Name | Reason |
| --- | --- |
| _pre_msg | Raw data already contained in the "_raw" field. |
| Context | Bad parsing of the original "Message" field. |
| dest | Duplicate of the "ComputerName" field. |
| Dirty_Shutdown | Bad parsing of the original "Message" field. |
| event_id | Duplicate of the "RecordNumber" field. |
| eventtype | Collision with the "EventType" field. Can be set with Logstash if needed. |
| host | Duplicate of the "dvc_nt_host" field. |
| id | Duplicate of the "RecordNumber" field. |
| Logon | Only one log. Not useful in this Windows Application event log. |
| Message | Raw data already contained in the "_raw" field. |
| severity | Duplicate of the "Type" field, and does not correspond to the log severity. |
| severity_id | Duplicate of the "EventType" field, and does not correspond to the log severity. |
| signature_id | Duplicate of the "EventCode" field. |
| The_specified_object_... | Bad parsing of the original "Message" field. |
Fields deleted for wineventlog:security:

| Field Name | Reason |
| --- | --- |
| _pre_msg | Raw data already contained in the "_raw" field. |
| ACCESS_SYS_SEC | Bad parsing of the "Access Reasons" field. |
| action | Duplicate of the "Keywords" field. |
| AppendData__or_AddSubdirectory_or_... | Bad parsing of the "Access Reasons" field. |
| body | Raw data already contained in the "_raw" field. |
| DELETE | Bad parsing of the "Access Reasons" field. |
| dest | Duplicate of the "ComputerName" field. |
| dest_nt_domain | Duplicate of the "Account_Domain" field. |
| dest_nt_host | Duplicate of the "ComputerName" field. |
| event_id | Duplicate of the "RecordNumber" field. |
| eventtype | Collision with the "EventType" field. Can be set with Logstash if needed. |
| host | Duplicate of the "dvc_nt_host" field. |
| id | Duplicate of the "RecordNumber" field. |
| member_dn | Duplicate of the "Account_Name" field. |
| member_id | Duplicate of the "Security_ID" field. |
| member_nt_domain | Duplicate of the "Account_Domain" field. |
| msad_action | Duplicate of the "subject" field. |
| Message | Raw data already contained in the "_raw" field. |
| name | Collision with the "Name" field. Duplicate of the "subject" field. |
| object | Will be set with Logstash. |
| privilege | Splunk-generated field. Can be obtained with Logstash if needed. |
| privilege_id | Duplicate of the "Privileges" field. |
| product | Will be set with Logstash. |
| ReadAttributes | Bad parsing of the "Accesses" field. |
| READ_CONTROL | Bad parsing of the "Accesses" field. |
| ReadEA | Bad parsing of the "Accesses" field. |
| ReadData__or_ListDirectory_ | Duplicate of the "Access_Reasons" field. |
| session_id | Collision with the "Session_ID" field. Duplicate of the "Logon_ID" field. |
| severity | Duplicate of the "Type" field, and does not correspond to the log severity. |
| severity_id | Duplicate of the "EventType" field, and does not correspond to the log severity. |
| signature_id | Duplicate of the "EventCode" field. |
| src | Duplicate of the "ComputerName" field. |
| src_ip | Duplicate of the "Source_Network_Address" field. |
| src_nt_host | Duplicate of the "ComputerName" field. |
| src_port | Duplicate of the "Source_Port" field. |
| src_nt_domain | Duplicate of the "Account_Domain" field. |
| src_user | Duplicate of the "Account_Name" field. |
| status | Duplicate of the "Keywords" field. |
| SYNCHRONIZE | Bad parsing of the "Access Reasons" field. |
| tag::app | Tags will be set with Logstash. |
| tag::privilege_id | Tags will be set with Logstash. |
| tag::Token_Elevation_Type_id | Tags will be set with Logstash. |
| user | Duplicate of the "Account_Name" field. |
| user_group | Duplicate of the "Group_Name" field. |
| vendor | Tags will be set with Logstash. |
| vendor_privilege | Duplicate of the "Privileges" field. |
| WriteAttributes | Bad parsing of the "Accesses" field. |
| WriteData__or_AddFile_ | Bad parsing of the "Accesses" field. |
| WriteEA | Bad parsing of the "Accesses" field. |
Fields deleted for wineventlog:system:

| Field Name | Reason |
| --- | --- |
| _pre_msg | Raw data already contained in the "_raw" field. |
| body | Raw data already contained in the "_raw" field. |
| dest | Duplicate of the "ComputerName" field. |
| dvc_nt_host | Duplicate of the "Host_Name" field. |
| event_id | Duplicate of the "RecordNumber" field. |
| eventtype | Collision with the "EventType" field. Can be set with Logstash if needed. |
| host | Duplicate of the "Host_Name" field. |
| id | Duplicate of the "RecordNumber" field. |
| Message | Raw data already contained in the "_raw" field. |
| package_title | Bad parsing of the original "Message" field. Can be obtained with Logstash if needed. |
| product | Will be set with Logstash. |
| severity | Duplicate of the "Type" field, and does not correspond to the log severity. |
| severity_id | Duplicate of the "EventType" field, and does not correspond to the log severity. |
| signature_id | Duplicate of the "EventCode" field. |
| src | Duplicate of the "ComputerName" field. |
| status | Duplicate of the "Keywords" field. |
| user | Collision with the "User" field. Duplicate of the "User" field. |
| vendor | Tags will be set with Logstash. |
Fields deleted for winregistry:

| Field Name | Reason |
| --- | --- |
| _kv | |
| action | |
| dest | |
| LinkId | |
| msg | |
| object | |
| object_category | |
| object_path | |
| registry_path | |
| registry_value_data | |
| registry_value_type | |
| user | |
| user_type | |
| vendor_action | |
| vendor_status | |
Fields deleted for xmlwineventlog: Microsoft Windows Sysmon Operational:

| Field Name | Reason |
| --- | --- |
| action | Duplicate of the "Keywords" field. |
| cmdline | Duplicate of the "CommandLine" field. |
| dest | Duplicate of the "Computer" field. |
| dest_host | Duplicate of the "DestinationHostname" field. |
| dest_ip | Duplicate of the "DestinationIp" field. |
| dest_port | Duplicate of the "DestinationPort" field. |
| direction | Information derived from the logs but not accurate. |
| eventtype | Duplicate of the "EventChannel" field. |
| file_create_time | Duplicate of the "CreationUtcTime" field. |
| file_path | Duplicate of the "TargetFilename" field. |
| hashes | Collision with the "Hashes" field. Duplicate of the "Hashes" field. |
| host | Duplicate of the "dvc_nt_host" field. |
| object_category | Not useful derived field. Can be obtained with Logstash if needed. |
| parent_process | Duplicate of the "ParentImage" field. |
| parent_process_id | Duplicate of the "ParentProcessId" field. |
| process_id | Duplicate of the "ProcessId" field. |
| protocol | Collision with the "Protocol" field. Duplicate of the "(Source\|Destination)PortName" field. |
| session_id | Duplicate of the "ProcessGuid" field. |
| signature | Collision with the "Signature" field. Duplicate of the "EventDescription" field. |
| signature_id | Duplicate of the "EventCode" field. |
| src | Duplicate of the "Computer" field. |
| src_host | Duplicate of the "SourceHostname" field. |
| src_ip | Duplicate of the "SourceIp" field. |
| src_port | Duplicate of the "SourcePort" field. |
| transport | Duplicate of the "Protocol" field. |
| user | Collision with the "User" field. Duplicate of the "User" field. |
| vendor_product | Tags will be set with Logstash. |

This page describes the sanitization process. The tables of deleted fields, with the reason for each deletion, are also on this page.