diff --git a/packages/gigamon/changelog.yml b/packages/gigamon/changelog.yml
index c2e5d099f17..97377a20005 100644
--- a/packages/gigamon/changelog.yml
+++ b/packages/gigamon/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.0.0"
+ changes:
+ - description: Update mapping of Gigamon attributes to align with ECS fields.
+ type: breaking-change
+ link: https://github.com/elastic/integrations/pull/14692
 - version: "1.7.0"
 changes:
 - description: Added child dashboards for ZT.
diff --git a/packages/gigamon/data_stream/ami/_dev/test/pipeline/test-ami.json b/packages/gigamon/data_stream/ami/_dev/test/pipeline/test-ami.json
index 48937b9bcba..95cc6f3ecfe 100644
--- a/packages/gigamon/data_stream/ami/_dev/test/pipeline/test-ami.json
+++ b/packages/gigamon/data_stream/ami/_dev/test/pipeline/test-ami.json
@@ -2201,6 +2201,231 @@ "id": "679408454713142279", "seq_num": "724" } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:54 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "00:90:7f:3e:02:d0", + "src_mac": "e0:f8:47:21:c9:d6", + "src_ip": "172.16.133.96", + "dst_ip": "172.16.133.134", + "protocol": "6", + "src_port": "53512", + "dst_port": "80", + "device_inbound_interface": "0", + "http_rtt": "2", + "http_server": "g-pixel.invitemedia.com", + "http_referer": "http:\\/\\/pixel.invitemedia.com\\/data_sync?partner_id=419", + "http_uri": "\\/BurstingPipe\\/adServer.bs?cn=rsb&c=28&pli=6283423&PluID=0&w=600&h=300&ncu=$$http:\\/\\/adclick.g.doubleclick.net\\/aclk?sa=L&ai=BbjDYCjItUfTZNtD56AGYzIHoAYjCzaoDAAAAEAEg5IOJAzgAWKi3js5KYMmG7YiEpOwPsgEWd3d3LmJhcnN0b29sc3BvcnRzLmNvbboBCWdmcF9pbWFnZcgBCdoBHmh0dHA6Ly93d3cuYmFyc3Rvb2xzcG9ydHMuY29tL8ACAuACAOoCGy81NzI0OTA1Ni82MDB4MzAwX1N1cGVycGFnZfgCgtIegAMBkAOkA5gDpAOoAwHgBAGgBhY&num=0&sig=AOD64_3ys4vfsF0cKFXmFwXWDhecLGNUFA&client=ca-pub-8984096390091816&adurl=$$&ord=1291673978&z=9999", + "http_uri_path": "\\/BurstingPipe\\/adServer.bs", + "http_host": "bs.serving-sys.com", + "http_uri_raw": "\\/BurstingPipe\\/adServer.bs?cn=rsb&c=28&pli=6283423&PluID=0&w=600&h=300&ncu=$$http:\\/\\/adclick.g.doubleclick.net\\/aclk?sa=L&ai=BbjDYCjItUfTZNtD56AGYzIHoAYjCzaoDAAAAEAEg5IOJAzgAWKi3js5KYMmG7YiEpOwPsgEWd3d3LmJhcnN0b29sc3BvcnRzLmNvbboBCWdmcF9pbWFnZcgBCdoBHmh0dHA6Ly93d3cuYmFyc3Rvb2xzcG9ydHMuY29tL8ACAuACAOoCGy81NzI0OTA1Ni82MDB4MzAwX1N1cGVycGFnZfgCgtIegAMBkAOkA5gDpAOoAwHgBAGgBhY&num=0&sig=AOD64_3ys4vfsF0cKFXmFwXWDhecLGNUFA&client=ca-pub-8984096390091816&adurl=$$&ord=1291673978&z=9999", + "http_set_cookie": "S_6283423=1070476434893147863", + "http_server_agent": "Jetty(7.3.1.v20110307)", + "http_code": "200", + "http_content_encoding": "gzip", + "http_content_type": "image\\/gif", + "http_method": "GET", + "http_version": "1.1", + "http_user_agent": 
"Mozilla\\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\\/534.57.2 (KHTML, like Gecko) Version\\/5.1.7 Safari\\/534.57.2", + "http_file_type": "GIF (v89a)", + "app_id": "67", + "tcp_flags": "19", + "src_bytes": "702", + "dst_bytes": "1261", + "src_packets": "5", + "dst_packets": "4", + "start_time": "2025:01:27 21:31:31.807", + "end_time": "2025:01:27 21:31:31.863", + "flow_start_sec": "2025:01:27 21:31:30", + "flow_end_sec": "2025:01:27 21:31:30", + "intf_name": "0", + "egress_intf_id": "0", + "app_name": "http", + "id": "6470375316427636737", + "seq_num": "187452" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:54 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "b4:0c:25:e0:40:11", + "src_mac": "4c:32:75:97:66:cf", + "src_ip": "10.155.24.73", + "dst_ip": "10.155.24.35", + "protocol": "6", + "src_port": "64631", + "dst_port": "443", + "device_inbound_interface": "0", + "ssl_common_name": "*.event.prod.bidr.io", + "ssl_issuer": "Amazon", + "ssl_validity_not_before": "2017-08-31 06:30:04", + "ssl_validity_not_after": "2020-08-31 06:30:04", + "ssl_cipher_suite_id": "49199", + "ssl_protocol_version": "771", + "ssl_certificate_subject_cn": "*.event.prod.bidr.io", + "ssl_ext_sig_algorithm_scheme": "1027", + "ssl_ext_sig_algorithm_hash": "4", + "ssl_ext_sig_algorithm_sig": "3", + "ip_wrong_crc": "5199", + "app_id": "1183", + "tcp_flags": "18", + "src_bytes": "2365", + "dst_bytes": "6387", + "src_packets": "11", + "dst_packets": "8", + "start_time": "2025:01:27 21:37:26.327", + "end_time": "2025:01:27 21:37:26.415", + "flow_start_sec": "2025:01:27 21:37:25", + "flow_end_sec": "2025:01:27 21:37:25", + "intf_name": "0", + "egress_intf_id": "0", + "app_name": "amazon-aws", + "id": "6470375590653329409", + "seq_num": "319260" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:54 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": 
"gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "4c:32:75:97:66:cf", + "src_mac": "c0:94:35:1c:5e:1a", + "src_port": "443", + "dst_port": "63770", + "tcp_loss_count": "1380", + "tcp_rtt": "0.000015", + "tcp_rtt_app": "0.000026", + "tcp_retransmission_bytes": "155", + "tcp_flag_reset": "1", + "tcp_wrong_crc": "4296", + "app_id": "68", + "src_ipv6": "2a02:cf40:0000:0000:0000:0000:0000:0001", + "dst_ipv6": "2a02:cf47:ffff:ffff:ffff:ffff:ffff:0001", + "ip_version": "6", + "tcp_flags": "18", + "src_packets": "3301", + "dst_packets": "4205", + "flow_start_sec": "2025:07:28 03:12:22", + "end_reason": "2", + "app_name": "https", + "src_bytes": "307270", + "dst_bytes": "558827", + "id": "691388880983323651", + "seq_num": "52332271" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:54 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "b4:0c:25:e0:40:53", + "src_mac": "00:08:e3:ff:fc:28", + "src_ip": "10.10.1.116", + "dst_ip": "10.120.10.218", + "protocol": "17", + "src_port": "61751", + "dst_port": "161", + "device_inbound_interface": "0", + "snmp_version": "2c", + "app_id": "190", + "tcp_flags": "0", + "src_bytes": "172", + "dst_bytes": "182", + "src_packets": "2", + "dst_packets": "2", + "start_time": "2025:01:27 21:33:58.759", + "end_time": "2025:01:27 21:33:58.759", + "flow_start_sec": "2025:01:27 21:33:57", + "flow_end_sec": "2025:01:27 21:33:57", + "intf_name": "0", + "egress_intf_id": "0", + "app_name": "snmp", + "id": "6470375508803584001", + "seq_num": "213751" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:54 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "ff:ff:ff:ff:ff:ff", + "src_mac": "09:00:09:00:01:12", + "src_ip": "10.2.1.23", + "dst_ip": "10.2.1.255", + "protocol": "17", + "src_port": "138", + "dst_port": "138", + "device_inbound_interface": "0", + 
"smb_version": "1", + "smb_command_string": "negotiate", + "smb_path": "\\/\\/11.1.0.37:445\\/sharefile", + "smb_host": "user1", + "smb_filename": "testfile", + "app_id": "3855", + "tcp_flags": "0", + "src_bytes": "38376", + "dst_bytes": "0", + "src_packets": "162", + "dst_packets": "0", + "start_time": "2025:01:27 21:30:10.463", + "end_time": "2025:01:27 21:30:44.847", + "flow_start_sec": "2025:01:27 21:30:09", + "flow_end_sec": "2025:01:27 21:30:43", + "intf_name": "0", + "egress_intf_id": "0", + "app_name": "mailslot", + "id": "6470375254073016321", + "seq_num": "76099" + } + }, + { + "json": { + "ts": "Wed Dec 13 15:25:54 2023", + "vendor": "Gigamon", + "version": "6.5.00", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "dst_mac": "02:01:93:9c:99:4d", + "src_mac": "02:01:93:9c:98:37", + "src_ip": "10.1.0.4", + "dst_ip": "10.1.0.4", + "protocol": "17", + "src_port": "57677", + "dst_port": "67", + "dns_qdcount": "1", + "dns_message_type": "QUERY", + "dns_tunneling": "1", + "dns_reverse_addr": "10.12.21.34", + "dns_flags": "256", + "dns_opcode": "0", + "dns_class": "1", + "dns_query": "34.21.12.61.in-addr.arpa", + "dns_query_type": "12", + "app_id": "32", + "ip_version": "4", + "src_packets": "2955", + "dst_packets": "2705", + "flow_start_sec": "2025:07:27 23:52:17", + "end_reason": "1", + "app_name": "dns", + "src_bytes": "326560", + "dst_bytes": "432901", + "id": "691388880109625347", + "seq_num": "52203185" + } } ] } + diff --git a/packages/gigamon/data_stream/ami/_dev/test/pipeline/test-ami.json-expected.json b/packages/gigamon/data_stream/ami/_dev/test/pipeline/test-ami.json-expected.json index b62f3f601ad..c7b4bc816d1 100644 --- a/packages/gigamon/data_stream/ami/_dev/test/pipeline/test-ami.json-expected.json +++ b/packages/gigamon/data_stream/ami/_dev/test/pipeline/test-ami.json-expected.json 
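Review bot: The new fixture events carry publicly routable addresses and real-world third-party identifiers — `src_ipv6`/`dst_ipv6` `2a02:cf40:0000:…:0001`/`2a02:cf47:ffff:…:0001`, the ad-network hostnames `g-pixel.invitemedia.com` and `bs.serving-sys.com`, a doubleclick click URL carrying a `client=ca-pub-…` publisher id, and the certificate name `*.event.prod.bidr.io` — where test data should use documentation ranges and example names (`2001:db8::/32` for IPv6, RFC 5737 ranges for IPv4, `example.com`-style hosts), both to avoid attributing traffic to identifiable third parties and because the repository's sample-data checks may reject non-reserved addresses (worth confirming). Separately, the `\\/` sequences in `http_referer`, `http_uri`, `http_uri_path`, `http_uri_raw`, `http_content_type`, `http_user_agent` and `smb_path` JSON-decode to a literal backslash before each slash, so unless the pipeline normalises them the processor under test receives `http:\/\/pixel.invitemedia.com\/…` rather than `http://…` and the URL-parsing path is exercised on malformed input; if the device does not actually emit escaped slashes, write these as plain `/` — confirm against a raw capture. `tcp_wrong_crc`, `ip_wrong_crc` and `tcp_loss_count` also appear in a fixture here for the first time; the expected entries for these six events are outside this view, so make sure they pin how (or whether) those fields are mapped.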
@@ -2,15 +2,41 @@ "expected": [ { "@timestamp": "2023-12-13T15:25:25.000Z", + "destination": { + "bytes": 0, + "ip": "224.0.0.251", + "mac": "01-00-5E-00-00-FB", + "packets": 0, + "port": 5353 + }, + "dns": { + "answers": { + "ttl": 120 + }, + "question": { + "name": "f.7.5.2.e.7.6.2.4.c.1.c.4.c.6.1.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "registered_domain": "a.b.2.b.9.6.c.2.3.9.3.d.6.2.6.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "type": "*" + } + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "end": "2023-12-13T15:25:11.181Z", + "id": "679408454713072647", + "kind": "event", + "start": "2023-12-13T15:25:11.181Z", + "type": [ + "info" + ] }, "gigamon": { "ami": { - "app_id": 32, + "app_id": "32", "app_name": "dns", "device_inbound_interface": "0", "dns_class": "1", @@ -56,21 +82,65 @@ "version": "6.5.00" } }, + "host": { + "ip": [ + "10.114.82.101" + ], + "name": "pnstrex-83816.local", + "type": "PTR" + }, + "service": { + "id": "32", + "type": "dns" + }, + "source": { + "bytes": 337, + "ip": "10.114.82.101", + "mac": "00-50-56-8D-89-41", + "packets": 1, + "port": 5353 + }, "tags": [ "preserve_original_event" ] }, { "@timestamp": "2023-12-13T15:25:26.000Z", + "destination": { + "bytes": 0, + "ip": "224.0.0.251", + "mac": "01-00-5E-00-00-FB", + "packets": 0, + "port": 5353 + }, + "dns": { + "answers": { + "ttl": 4499 + }, + "question": { + "name": "HCT_6011-181e00a30af6._tcn_eqaHCT._tcp.local", + "registered_domain": "_tcn_eqaHCT._tcp.local", + "type": "TXT" + } + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "end": "2023-12-13T15:25:11.789Z", + "id": "679408454713073671", + "kind": "event", + "start": "2023-12-13T15:25:10.797Z", + "type": [ + "info" + ] }, "gigamon": { "ami": { - "app_id": 32, + "app_id": "32", "app_name": "dns", "device_inbound_interface": "0", "dns_ancount": 4, 
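Review bot: `"service": {"id": "32", "type": "dns"}` in the first event is populated from Gigamon's application classification (`app_id`/`app_name`), but ECS `service.*` describes the service that produced the event, whereas the application-layer protocol or application detected on the wire belongs in `network.protocol`/`network.application`, so `"network": {"application": "dns"}` (and `"protocol": "dns"` where it is a protocol) would be the conventional mapping, with `gigamon.ami.app_id` kept as the vendor identifier. Likewise `"host": {"ip": ["10.114.82.101"], "name": "pnstrex-83816.local", "type": "PTR"}` is derived from the DNS answer, yet ECS `host.*` denotes the observed host and `host.type` its machine type, so a PTR/A answer belongs under `dns.answers` as an array of `{name, type, ttl, data}` objects rather than `"answers": {"ttl": 120}` alone. `dns.question.registered_domain` does not appear to derive from `dns.question.name` — the first event has two unrelated ip6.arpa names, and later events in this file carry `"registered_domain": "_"` with no `name` — which suggests it is fed from a different source field; the `registered_domain` processor applied to `dns.question.name` is the expected way to fill it, and a `.local`/`in-addr.arpa` name yields no registrable domain. The same shape recurs in every following hunk of this file (through the `@@ -1419,21` hunk), so the fix belongs in the ingest pipeline rather than in the fixtures; since this already ships as a breaking change, correcting the field choice now avoids a second break later.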
@@ -116,21 +186,62 @@ "version": "6.5.00" } }, + "host": { + "name": "HCT_6011-181e00a30af6._tcn_eqaHCT._tcp.local", + "type": "PTR" + }, + "service": { + "id": "32", + "type": "dns" + }, + "source": { + "bytes": 324, + "ip": "10.115.80.208", + "mac": "00-1D-AC-45-34-00", + "packets": 2, + "port": 5353 + }, "tags": [ "preserve_original_event" ] }, { "@timestamp": "2023-12-13T15:25:27.000Z", + "destination": { + "bytes": 0, + "ip": "224.0.0.251", + "mac": "01-00-5E-00-00-FB", + "packets": 0, + "port": 5353 + }, + "dns": { + "answers": { + "ttl": 120 + }, + "question": { + "name": "229.85.115.10.in-addr.arpa", + "registered_domain": "b.d.2.6.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "type": "*" + } + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "end": "2023-12-13T15:25:12.781Z", + "id": "679408454713074695", + "kind": "event", + "start": "2023-12-13T15:25:12.781Z", + "type": [ + "info" + ] }, "gigamon": { "ami": { - "app_id": 32, + "app_id": "32", "app_name": "dns", "device_inbound_interface": "0", "dns_class": "1", @@ -176,17 +287,51 @@ "version": "6.5.00" } }, + "host": { + "ip": [ + "10.115.85.229" + ], + "name": "linux-49197.local", + "type": "PTR" + }, + "service": { + "id": "32", + "type": "dns" + }, + "source": { + "bytes": 255, + "ip": "10.115.85.229", + "mac": "00-50-56-94-62-DB", + "packets": 1, + "port": 5353 + }, "tags": [ "preserve_original_event" ] }, { "@timestamp": "2023-12-13T15:25:27.000Z", + "dns": { + "answers": { + "ttl": 120 + }, + "question": { + "registered_domain": "systest-virtual-machine-557152.local" + }, + "response_code": "No Error" + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "duration": 3.4123791E9, + "kind": "event", + "type": [ + "info" + ] }, "gigamon": { "ami": { 
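Review bot: `"duration": 3.4123791E9` in the fourth event (and `3.520447E9` in the `@@ -567,17` hunk) is serialized as a floating-point literal, which suggests the pipeline computes `event.duration` with a double; ECS defines `event.duration` as a `long` in nanoseconds, so the computation should cast to long (a `(long)` cast in the script, or a `convert` processor with `type: long`) so the indexed value is integral and the fixture does not depend on float formatting. This event also carries `event.duration` without `event.start`/`event.end`, while the neighbouring events carry `start`/`end` without `duration`; if both pairs of source timestamps are available for an event, emitting all three consistently would make the events easier to query and compare.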
@@ -208,17 +353,35 @@ "version": "6.5.00" } }, + "host": { + "ip": [ + "10.115.84.167" + ], + "name": "systest-virtual-machine-557152.local", + "type": "A" + }, "tags": [ "preserve_original_event" ] }, { "@timestamp": "2023-12-13T15:25:27.000Z", + "dns": { + "question": { + "registered_domain": "_" + } + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "kind": "event", + "type": [ + "info" + ] }, "gigamon": { "ami": { @@ -238,11 +401,22 @@ }, { "@timestamp": "2023-12-13T15:25:28.000Z", + "dns": { + "question": { + "registered_domain": "systest-virtual-machine-552999.local" + } + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "kind": "event", + "type": [ + "info" + ] }, "gigamon": { "ami": { @@ -262,11 +436,22 @@ }, { "@timestamp": "2023-12-13T15:25:28.000Z", + "dns": { + "question": { + "registered_domain": "_tcn_ABCD99995._tcp.local" + } + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "kind": "event", + "type": [ + "info" + ] }, "gigamon": { "ami": { 
@@ -282,21 +467,51 @@ "version": "6.5.00" } }, + "host": { + "name": "gigamon_8b6c6e-3513b246ab72._tcn_ABCD99995._tcp.local", + "type": "PTR" + }, "tags": [ "preserve_original_event" ] }, { "@timestamp": "2023-12-13T15:25:29.000Z", + "destination": { + "bytes": 0, + "ip": "224.0.0.251", + "mac": "01-00-5E-00-00-FB", + "packets": 0, + "port": 5353 + }, + "dns": { + "answers": { + "ttl": 120 + }, + "question": { + "name": "224.85.115.10.in-addr.arpa", + "registered_domain": "7.2.2.7.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "type": "*" + } + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "end": "2023-12-13T15:25:15.037Z", + "id": "679408454713079815", + "kind": "event", + "start": "2023-12-13T15:25:15.037Z", + "type": [ + "info" + ] }, "gigamon": { "ami": { - "app_id": 32, + "app_id": "32", "app_name": "dns", "device_inbound_interface": "0", "dns_class": "1", 
@@ -342,21 +557,65 @@ "version": "6.5.00" } }, + "host": { + "ip": [ + "10.115.85.224" + ], + "name": "linux-69816.local", + "type": "PTR" + }, + "service": { + "id": "32", + "type": "dns" + }, + "source": { + "bytes": 255, + "ip": "10.115.85.224", + "mac": "00-50-56-94-72-27", + "packets": 1, + "port": 5353 + }, "tags": [ "preserve_original_event" ] }, { "@timestamp": "2023-12-13T15:25:30.000Z", + "destination": { + "bytes": 0, + "ip": "224.0.0.251", + "mac": "01-00-5E-00-00-FB", + "packets": 0, + "port": 5353 + }, + "dns": { + "answers": { + "ttl": 120 + }, + "question": { + "name": "7.7.4.f.0.1.0.d.e.7.9.c.d.f.6.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "registered_domain": "0.7.1.8.d.2.7.5.f.d.5.3.8.6.c.6.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "type": "*" + } + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "end": "2023-12-13T15:25:15.901Z", + "id": "679408454713080839", + "kind": "event", + "start": "2023-12-13T15:25:15.901Z", + "type": [ + "info" + ] }, "gigamon": { "ami": { - "app_id": 32, + "app_id": "32", "app_name": "dns", "device_inbound_interface": "0", "dns_class": "1", 
@@ -402,21 +661,65 @@ "version": "6.5.00" } }, + "host": { + "ip": [ + "10.114.82.167" + ], + "name": "pnstrex-85507.local", + "type": "PTR" + }, + "service": { + "id": "32", + "type": "dns" + }, + "source": { + "bytes": 337, + "ip": "10.114.82.167", + "mac": "00-50-56-8D-D8-F7", + "packets": 1, + "port": 5353 + }, "tags": [ "preserve_original_event" ] }, { "@timestamp": "2023-12-13T15:25:30.000Z", + "destination": { + "bytes": 0, + "ip": "224.0.0.251", + "mac": "01-00-5E-00-00-FB", + "packets": 0, + "port": 5353 + }, + "dns": { + "answers": { + "ttl": 120 + }, + "question": { + "name": "2.7.8.c.f.f.6.2.a.5.8.1.2.3.4.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "registered_domain": "3.d.9.2.5.4.0.b.9.1.8.8.2.1.0.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "type": "*" + } + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "end": "2023-12-13T15:25:15.917Z", + "id": "679408454713081863", + "kind": "event", + "start": "2023-12-13T15:25:15.917Z", + "type": [ + "info" + ] }, "gigamon": { "ami": { - "app_id": 32, + "app_id": "32", "app_name": "dns", "device_inbound_interface": "0", "dns_class": "1", 
@@ -462,21 +765,65 @@ "version": "6.5.00" } }, + "host": { + "ip": [ + "10.114.83.205" + ], + "name": "pnstrex-61351.local", + "type": "PTR" + }, + "service": { + "id": "32", + "type": "dns" + }, + "source": { + "bytes": 335, + "ip": "10.114.83.205", + "mac": "00-50-56-9C-74-4E", + "packets": 1, + "port": 5353 + }, "tags": [ "preserve_original_event" ] }, { "@timestamp": "2023-12-13T15:25:31.000Z", + "destination": { + "bytes": 0, + "ip": "224.0.0.251", + "mac": "01-00-5E-00-00-FB", + "packets": 0, + "port": 5353 + }, + "dns": { + "answers": { + "ttl": 120 + }, + "question": { + "name": "219.85.115.10.in-addr.arpa", + "registered_domain": "8.c.4.d.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "type": "*" + } + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "end": "2023-12-13T15:25:17.229Z", + "id": "679408454713082887", + "kind": "event", + "start": "2023-12-13T15:25:17.229Z", + "type": [ + "info" + ] }, "gigamon": { "ami": { - "app_id": 32, + "app_id": "32", "app_name": "dns", "device_inbound_interface": "0", "dns_class": "1", 
@@ -522,21 +869,55 @@ "version": "6.5.00" } }, + "host": { + "ip": [ + "10.115.85.219" + ], + "name": "linux-52270.local", + "type": "PTR" + }, + "service": { + "id": "32", + "type": "dns" + }, + "source": { + "bytes": 255, + "ip": "10.115.85.219", + "mac": "00-50-56-94-D4-C8", + "packets": 1, + "port": 5353 + }, "tags": [ "preserve_original_event" ] }, { "@timestamp": "2023-12-13T15:25:33.000Z", + "destination": { + "bytes": 0, + "ip": "10.115.83.43", + "mac": "00-50-56-9D-D1-FF", + "packets": 0, + "port": 514 + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "end": "2023-12-13T15:25:31.645Z", + "id": "679408454713083911", + "kind": "event", + "start": "2023-12-13T15:24:33.549Z", + "type": [ + "info" + ] }, "gigamon": { "ami": { - "app_id": 4979, + "app_id": "4979", "app_name": "Unknown udp", "device_inbound_interface": "0", "dst_bytes": 0, @@ -567,17 +948,44 @@ "version": "6.5.00" } }, + "service": { + "id": "4979", + "type": "Unknown udp" + }, + "source": { + "bytes": 837334, + "ip": "10.115.83.37", + "mac": "00-50-56-B7-E4-A1", + "packets": 629, + "port": 23384 + }, "tags": [ "preserve_original_event" ] }, { "@timestamp": "2023-12-13T15:25:35.000Z", + "dns": { + "answers": { + "ttl": 120 + }, + "question": { + "registered_domain": "systest-virtual-machine-552428.local" + }, + "response_code": "No Error" + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "duration": 3.520447E9, + "kind": "event", + "type": [ + "info" + ] }, "gigamon": { "ami": { 
@@ -599,21 +1007,54 @@ "version": "6.5.00" } }, + "host": { + "ip": [ + "10.115.84.155" + ], + "name": "systest-virtual-machine-552428.local", + "type": "A" + }, "tags": [ "preserve_original_event" ] }, { "@timestamp": "2023-12-13T15:25:35.000Z", + "destination": { + "bytes": 0, + "ip": "224.0.0.251", + "mac": "01-00-5E-00-00-FB", + "packets": 0, + "port": 5353 + }, + "dns": { + "answers": { + "ttl": 120 + }, + "question": { + "name": "7.7.f.2.5.b.4.f.6.1.a.2.0.1.1.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa", + "registered_domain": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa", + "type": "*" + } + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "end": "2023-12-13T15:25:20.509Z", + "id": "679408454713085959", + "kind": "event", + "start": "2023-12-13T15:25:20.509Z", + "type": [ + "info" + ] }, "gigamon": { "ami": { - "app_id": 32, + "app_id": "32", "app_name": "dns", "device_inbound_interface": "0", "dns_class": "1", @@ -659,17 +1100,49 @@ "version": "6.5.00" } }, + "host": { + "ip": [ + "10.115.84.168" + ], + "name": "systest-virtual-machine-560412.local", + "type": "PTR" + }, + "service": { + "id": "32", + "type": "dns" + }, + "source": { + "bytes": 434, + "ip": "10.115.84.168", + "mac": "00-50-56-86-1F-D9", + "packets": 1, + "port": 5353 + }, "tags": [ "preserve_original_event" ] }, { "@timestamp": "2023-12-13T15:25:35.000Z", + "dns": { + "answers": { + "ttl": 120 + }, + "question": { + "registered_domain": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa" + } + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "kind": "event", + "type": [ + "info" + ] }, "gigamon": { "ami": { 
@@ -691,21 +1164,54 @@ "version": "6.5.00" } }, + "host": { + "ip": [ + "10.115.84.154" + ], + "name": "systest-virtual-machine-627950.local", + "type": "PTR" + }, "tags": [ "preserve_original_event" ] }, { "@timestamp": "2023-12-13T15:25:36.000Z", + "destination": { + "bytes": 0, + "ip": "224.0.0.251", + "mac": "01-00-5E-00-00-FB", + "packets": 0, + "port": 5353 + }, + "dns": { + "answers": { + "ttl": 120 + }, + "question": { + "name": "7.7.f.2.5.b.4.f.6.1.a.2.0.1.1.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa", + "registered_domain": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa", + "type": "*" + } + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "end": "2023-12-13T15:25:21.661Z", + "id": "679408454713088007", + "kind": "event", + "start": "2023-12-13T15:25:21.661Z", + "type": [ + "info" + ] }, "gigamon": { "ami": { - "app_id": 32, + "app_id": "32", "app_name": "dns", "device_inbound_interface": "0", "dns_class": "1", 
@@ -751,21 +1257,65 @@ "version": "6.5.00" } }, + "host": { + "ip": [ + "10.115.84.162" + ], + "name": "systest-virtual-machine-561372.local", + "type": "PTR" + }, + "service": { + "id": "32", + "type": "dns" + }, + "source": { + "bytes": 434, + "ip": "10.115.84.162", + "mac": "00-50-56-86-24-0A", + "packets": 1, + "port": 5353 + }, "tags": [ "preserve_original_event" ] }, { "@timestamp": "2023-12-13T15:25:36.000Z", + "destination": { + "bytes": 0, + "ip": "224.0.0.251", + "mac": "01-00-5E-00-00-FB", + "packets": 0, + "port": 5353 + }, + "dns": { + "answers": { + "ttl": 120 + }, + "question": { + "name": "220.85.115.10.in-addr.arpa", + "registered_domain": "9.7.c.d.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "type": "*" + } + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "end": "2023-12-13T15:25:21.469Z", + "id": "679408454713089031", + "kind": "event", + "start": "2023-12-13T15:25:21.469Z", + "type": [ + "info" + ] }, "gigamon": { "ami": { - "app_id": 32, + "app_id": "32", "app_name": "dns", "device_inbound_interface": "0", "dns_class": "1", 
@@ -811,21 +1361,55 @@ "version": "6.5.00" } }, + "host": { + "ip": [ + "10.115.85.220" + ], + "name": "linux-76620.local", + "type": "PTR" + }, + "service": { + "id": "32", + "type": "dns" + }, + "source": { + "bytes": 255, + "ip": "10.115.85.220", + "mac": "00-50-56-94-DC-79", + "packets": 1, + "port": 5353 + }, "tags": [ "preserve_original_event" ] }, { "@timestamp": "2023-12-13T15:25:36.000Z", + "destination": { + "bytes": 28400, + "ip": "10.115.83.73", + "mac": "00-50-56-B7-A1-53", + "packets": 197, + "port": 22 + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "end": "2023-12-13T15:25:36.605Z", + "id": "679408454713090055", + "kind": "event", + "start": "2023-12-13T15:24:37.341Z", + "type": [ + "info" + ] }, "gigamon": { "ami": { - "app_id": 4968, + "app_id": "4968", "app_name": "Unknown tcp", "device_inbound_interface": "0", "dst_bytes": 28400, @@ -856,21 +1440,58 @@ "version": "6.5.00" } }, + "service": { + "id": "4968", + "type": "Unknown tcp" + }, + "source": { + "bytes": 18808, + "ip": "10.70.70.164", + "mac": "5C-31-92-40-19-7F", + "packets": 223, + "port": 50425 + }, "tags": [ "preserve_original_event" ] }, { "@timestamp": "2023-12-13T15:25:37.000Z", + "destination": { + "bytes": 0, + "ip": "224.0.0.251", + "mac": "01-00-5E-00-00-FB", + "packets": 0, + "port": 5353 + }, + "dns": { + "answers": { + "ttl": 120 + }, + "question": { + "name": "7.7.f.2.5.b.4.f.6.1.a.2.0.1.1.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa", + "registered_domain": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa", + "type": "*" + } + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "end": "2023-12-13T15:24:49.629Z", + "id": "679408454713091079", + "kind": "event", + "start": "2023-12-13T15:24:49.629Z", + "type": [ + "info" + ] }, "gigamon": { "ami": { - "app_id": 32, + "app_id": "32", "app_name": "dns", "device_inbound_interface": "0", "dns_class": "1", 
@@ -916,21 +1537,65 @@ "version": "6.5.00" } }, + "host": { + "ip": [ + "10.115.84.172" + ], + "name": "systest-virtual-machine-611134.local", + "type": "PTR" + }, + "service": { + "id": "32", + "type": "dns" + }, + "source": { + "bytes": 434, + "ip": "10.115.84.172", + "mac": "00-50-56-86-62-5F", + "packets": 1, + "port": 5353 + }, "tags": [ "preserve_original_event" ] }, { "@timestamp": "2023-12-13T15:25:37.000Z", + "destination": { + "bytes": 0, + "ip": "224.0.0.251", + "mac": "01-00-5E-00-00-FB", + "packets": 0, + "port": 5353 + }, + "dns": { + "answers": { + "ttl": 120 + }, + "question": { + "name": "221.85.115.10.in-addr.arpa", + "registered_domain": "0.c.b.3.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "type": "*" + } + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "end": "2023-12-13T15:25:01.501Z", + "id": "679408454713092103", + "kind": "event", + "start": "2023-12-13T15:24:41.469Z", + "type": [ + "info" + ] }, "gigamon": { "ami": { - "app_id": 32, + "app_id": "32", "app_name": "dns", "device_inbound_interface": "0", "dns_class": "1", 
@@ -976,21 +1641,61 @@ "version": "6.5.00" } }, + "host": { + "ip": [ + "10.115.85.221" + ], + "name": "linux-68644.local", + "type": "PTR" + }, + "service": { + "id": "32", + "type": "dns" + }, + "source": { + "bytes": 510, + "ip": "10.115.85.221", + "mac": "00-50-56-94-3B-C0", + "packets": 2, + "port": 5353 + }, "tags": [ "preserve_original_event" ] }, { "@timestamp": "2023-12-13T15:25:37.000Z", + "destination": { + "bytes": 0, + "ip": "224.0.0.251", + "mac": "01-00-5E-00-00-FB", + "packets": 0, + "port": 5353 + }, + "dns": { + "question": { + "name": "_ipps._tcp.local", + "type": "PTR" + } + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "end": "2023-12-13T15:25:18.861Z", + "id": "679408454713093127", + "kind": "event", + "start": "2023-12-13T15:25:18.861Z", + "type": [ + "info" + ] }, "gigamon": { "ami": { - "app_id": 32, + "app_id": "32", "app_name": "dns", "device_inbound_interface": "0", "dns_class": "1", @@ -1029,21 +1734,53 @@ "version": "6.5.00" } }, + "service": { + "id": "32", + "type": "dns" + }, + "source": { + "bytes": 87, + "ip": "10.114.83.61", + "mac": "00-50-56-8D-FA-3E", + "packets": 1, + "port": 5353 + }, "tags": [ "preserve_original_event" ] }, { "@timestamp": "2023-12-13T15:25:37.000Z", + "destination": { + "ip": "224.0.0.251", + "mac": "01-00-5E-00-00-FB", + "port": 5353 + }, + "dns": { + "answers": { + "ttl": 120 + }, + "question": { + "name": "75.83.114.10.in-addr.arpa", + "registered_domain": "2.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.0.0.1.a.0.2.4.4.3.2.1.3.6.1.2. ip6.arpa", + "type": "*" + } + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "kind": "event", + "type": [ + "info" + ] }, "gigamon": { "ami": { - "app_id": 32, + "app_id": "32", "device_inbound_interface": "0", "dns_class": "1", "dns_flags": "0", 
@@ -1075,17 +1812,47 @@ "version": "6.5.00" } }, + "host": { + "ip": [ + "10.114.83.75" + ], + "name": "tg-91532.local", + "type": "PTR" + }, + "service": { + "id": "32" + }, + "source": { + "bytes": 753, + "ip": "10.114.83.75", + "mac": "00-50-56-8D-6A-4B", + "port": 5353 + }, "tags": [ "preserve_original_event" ] }, { "@timestamp": "2023-12-13T15:25:37.000Z", + "dns": { + "answers": { + "ttl": 120 + }, + "question": { + "registered_domain": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa" + } + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "kind": "event", + "type": [ + "info" + ] }, "gigamon": { "ami": { @@ -1102,17 +1869,38 @@ "version": "6.5.00" } }, + "host": { + "ip": [ + "10.115.84.159" + ], + "name": "systest-virtual-machine-560195.local", + "type": "PTR" + }, "tags": [ "preserve_original_event" ] }, { "@timestamp": "2023-12-13T15:25:37.000Z", + "dns": { + "answers": { + "ttl": 120 + }, + "question": { + "registered_domain": "b.2.f.f.8.f.c.5.9.2.d.c.a.4.7.d.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa" + } + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "kind": "event", + "type": [ + "info" + ] }, "gigamon": { "ami": { 
@@ -1133,21 +1921,44 @@ "version": "6.5.00" } }, + "host": { + "ip": [ + "10.115.84.151" + ], + "name": "systest-virtual-machine-584015.local", + "type": "PTR" + }, "tags": [ "preserve_original_event" ] }, { "@timestamp": "2023-12-13T15:25:40.000Z", + "destination": { + "bytes": 0, + "ip": "255.255.255.255", + "mac": "FF-FF-FF-FF-FF-FF", + "packets": 0, + "port": 67 + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "end": "2023-12-13T15:25:26.285Z", + "id": "679408454713097223", + "kind": "event", + "start": "2023-12-13T15:24:58.717Z", + "type": [ + "info" + ] }, "gigamon": { "ami": { - "app_id": 29, + "app_id": "29", "app_name": "dhcp", "device_inbound_interface": "0", "dst_bytes": 0, @@ -1178,21 +1989,48 @@ "version": "6.5.00" } }, + "service": { + "id": "29", + "type": "dhcp" + }, + "source": { + "bytes": 1400, + "ip": "0.0.0.0", + "mac": "00-50-56-99-05-DF", + "packets": 4, + "port": 68 + }, "tags": [ "preserve_original_event" ] }, { "@timestamp": "2023-12-13T15:25:40.000Z", + "destination": { + "bytes": 0, + "ip": "10.115.83.4", + "mac": "00-50-56-9F-7F-FF", + "packets": 0, + "port": 902 + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "end": "2023-12-13T15:25:07.085Z", + "id": "679408454713098247", + "kind": "event", + "start": "2023-12-13T15:25:07.085Z", + "type": [ + "info" + ] }, "gigamon": { "ami": { - "app_id": 3902, + "app_id": "3902", "app_name": "vmware-client", "device_inbound_interface": "0", "dst_bytes": 0, 
@@ -1223,21 +2061,48 @@ "version": "6.5.00" } }, + "service": { + "id": "3902", + "type": "vmware-client" + }, + "source": { + "bytes": 377, + "ip": "10.115.81.118", + "mac": "0C-C4-7A-F8-0D-C4", + "packets": 1, + "port": 43366 + }, "tags": [ "preserve_original_event" ] }, { "@timestamp": "2023-12-13T15:25:40.000Z", + "destination": { + "bytes": 0, + "ip": "10.115.83.4", + "mac": "00-50-56-9F-7F-FF", + "packets": 0, + "port": 902 + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "end": "2023-12-13T15:25:17.085Z", + "id": "679408454713099271", + "kind": "event", + "start": "2023-12-13T15:25:17.085Z", + "type": [ + "info" + ] }, "gigamon": { "ami": { - "app_id": 3902, + "app_id": "3902", "app_name": "vmware-client", "device_inbound_interface": "0", "dst_bytes": 0, @@ -1268,21 +2133,53 @@ "version": "6.5.00" } }, + "service": { + "id": "3902", + "type": "vmware-client" + }, + "source": { + "bytes": 377, + "ip": "10.115.81.118", + "mac": "0C-C4-7A-F8-0D-C4", + "packets": 1, + "port": 30490 + }, "tags": [ "preserve_original_event" ] }, { "@timestamp": "2023-12-13T15:25:40.000Z", + "destination": { + "ip": "224.0.0.251", + "mac": "01-00-5E-00-00-FB", + "port": 5353 + }, + "dns": { + "answers": { + "ttl": 120 + }, + "question": { + "name": "6.7.e.b.f.9.e.f.c.6.7.b.f.4.5.6.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "registered_domain": "d.5.8.e.b.0.0.d.e.d.b.f.f.5.a.8.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa", + "type": "*" + } + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "kind": "event", + "type": [ + "info" + ] }, "gigamon": { "ami": { - "app_id": 32, + "app_id": "32", "device_inbound_interface": "0", "dns_class": "1", "dns_flags": "0", 
@@ -1314,21 +2211,53 @@
 "version": "6.5.00"
 }
 },
+ "host": {
+ "ip": [
+ "10.114.82.166"
+ ],
+ "name": "pnstrex-85535.local",
+ "type": "PTR"
+ },
+ "service": {
+ "id": "32"
+ },
+ "source": {
+ "bytes": 674,
+ "ip": "10.114.82.166",
+ "mac": "00-50-56-9C-B2-DF",
+ "port": 5353
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:40.000Z",
+ "destination": {
+ "bytes": 0,
+ "ip": "239.255.255.250",
+ "mac": "01-00-5E-7F-FF-FA",
+ "packets": 0,
+ "port": 1900
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "end": "2023-12-13T15:25:25.437Z",
+ "id": "679408454713101319",
+ "kind": "event",
+ "start": "2023-12-13T15:25:22.429Z",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
- "app_id": 3414,
+ "app_id": "3414",
 "app_name": "upnp",
 "device_inbound_interface": "0",
 "dst_bytes": 0,
@@ -1359,21 +2288,58 @@
 "version": "6.5.00"
 }
 },
+ "service": {
+ "id": "3414",
+ "type": "upnp"
+ },
+ "source": {
+ "bytes": 868,
+ "ip": "10.115.83.20",
+ "mac": "00-50-56-B7-96-08",
+ "packets": 4,
+ "port": 49882
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:40.000Z",
+ "destination": {
+ "bytes": 0,
+ "ip": "224.0.0.251",
+ "mac": "01-00-5E-00-00-FB",
+ "packets": 0,
+ "port": 5353
+ },
+ "dns": {
+ "answers": {
+ "ttl": 120
+ },
+ "question": {
+ "name": "7.7.f.2.5.b.4.f.6.1.a.2.0.1.1.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa",
+ "registered_domain": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa",
+ "type": "*"
+ }
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "end": "2023-12-13T15:25:23.757Z",
+ "id": "679408454713102343",
+ "kind": "event",
+ "start": "2023-12-13T15:25:23.757Z",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
- "app_id": 32,
+ "app_id": "32",
 "app_name": "dns",
 "device_inbound_interface": "0",
 "dns_class": "1",
@@ -1419,21 +2385,65 @@
 "version": "6.5.00"
 }
 },
+ "host": {
+ "ip": [
+ "10.115.84.171"
+ ],
+ "name": "systest-virtual-machine-627875.local",
+ "type": "PTR"
+ },
+ "service": {
+ "id": "32",
+ "type": "dns"
+ },
+ "source": {
+ "bytes": 434,
+ "ip": "10.115.84.171",
+ "mac": "00-50-56-86-09-CC",
+ "packets": 1,
+ "port": 5353
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:40.000Z",
+ "destination": {
+ "bytes": 0,
+ "ip": "224.0.0.251",
+ "mac": "01-00-5E-00-00-FB",
+ "packets": 0,
+ "port": 5353
+ },
+ "dns": {
+ "answers": {
+ "ttl": 120
+ },
+ "question": {
+ "name": "8.3.5.1.c.a.c.b.d.3.2.5.9.0.f.3.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa",
+ "registered_domain": "3.a.2.3.7.1.5.5.e.2.1.6.e.4.7.e.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa",
+ "type": "*"
+ }
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "end": "2023-12-13T15:25:24.013Z",
+ "id": "679408454713103367",
+ "kind": "event",
+ "start": "2023-12-13T15:25:24.013Z",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
- "app_id": 32,
+ "app_id": "32",
 "app_name": "dns",
 "device_inbound_interface": "0",
 "dns_class": "1",
@@ -1479,21 +2489,55 @@
 "version": "6.5.00"
 }
 },
+ "host": {
+ "ip": [
+ "10.114.82.162"
+ ],
+ "name": "pnstrex-83631.local",
+ "type": "PTR"
+ },
+ "service": {
+ "id": "32",
+ "type": "dns"
+ },
+ "source": {
+ "bytes": 337,
+ "ip": "10.114.82.162",
+ "mac": "00-50-56-8D-32-1A",
+ "packets": 1,
+ "port": 5353
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:40.000Z",
+ "destination": {
+ "bytes": 388,
+ "ip": "10.115.81.118",
+ "mac": "0C-C4-7A-F8-0D-C4",
+ "packets": 1,
+ "port": 443
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "end": "2023-12-13T15:25:25.693Z",
+ "id": "679408454713104391",
+ "kind": "event",
+ "start": "2023-12-13T15:25:25.677Z",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
- "app_id": 68,
+ "app_id": "68",
 "app_name": "https",
 "device_inbound_interface": "0",
 "dst_bytes": 388,
@@ -1524,21 +2568,48 @@
 "version": "6.5.00"
 }
 },
+ "service": {
+ "id": "68",
+ "type": "https"
+ },
+ "source": {
+ "bytes": 399,
+ "ip": "10.115.83.4",
+ "mac": "00-50-56-9F-7F-FF",
+ "packets": 2,
+ "port": 50694
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:40.000Z",
+ "destination": {
+ "bytes": 2335,
+ "ip": "10.115.81.118",
+ "mac": "0C-C4-7A-F8-0D-C4",
+ "packets": 8,
+ "port": 9080
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "end": "2023-12-13T15:25:25.837Z",
+ "id": "679408454713105415",
+ "kind": "event",
+ "start": "2023-12-13T15:25:25.837Z",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
- "app_id": 4962,
+ "app_id": "4962",
 "app_name": "Unknown ssl",
 "device_inbound_interface": "0",
 "dst_bytes": 2335,
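Review bot: `service.type` is populated straight from the vendor application label, so the `"Unknown ssl"` value in the second hunk (and `"Unknown tcp"` in the `@@ -2897` hunk) is indexed as if it were a real service type, and `service.id` receives the numeric app id as a string. ECS reserves `service.*` for the service the data was collected from; the detected application-layer protocol belongs in `network.protocol`, normalized to a lowercase name such as `"https"`, and an `Unknown …` label should either be dropped or reduced to the transport it names so that detection content shared across integrations does not have to special-case Gigamon strings. Pairing the flow with `event.type: ["connection"]` rather than `["info"]` would also let generic network rules pick these records up.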
@@ -1571,21 +2642,61 @@
 "version": "6.5.00"
 }
 },
+ "service": {
+ "id": "4962",
+ "type": "Unknown ssl"
+ },
+ "source": {
+ "bytes": 1533,
+ "ip": "10.115.83.4",
+ "mac": "00-50-56-9F-7F-FF",
+ "packets": 11,
+ "port": 60117
+ },
 "tags": [
 "preserve_original_event"
- ]
+ ],
+ "tls": {
+ "cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+ }
 },
 {
 "@timestamp": "2023-12-13T15:25:40.000Z",
+ "destination": {
+ "bytes": 0,
+ "ip": "224.0.0.251",
+ "mac": "01-00-5E-00-00-FB",
+ "packets": 0,
+ "port": 5353
+ },
+ "dns": {
+ "answers": {
+ "ttl": 120
+ },
+ "question": {
+ "name": "17.82.114.10.in-addr.arpa",
+ "registered_domain": "2.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.0.0.1.a.0.2.4.4.3.2.1.3.6.1.2. ip6.arpa",
+ "type": "*"
+ }
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "end": "2023-12-13T15:25:25.693Z",
+ "id": "679408454713106439",
+ "kind": "event",
+ "start": "2023-12-13T15:25:25.693Z",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
- "app_id": 32,
+ "app_id": "32",
 "app_name": "dns",
 "device_inbound_interface": "0",
 "dns_class": "1",
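Review bot: In the second hunk `dns.question.name` is `17.82.114.10.in-addr.arpa` while `dns.question.registered_domain` is an unrelated `ip6.arpa` label, so the field is not being derived from the question name; ECS defines `registered_domain` as the registrable part of `dns.question.name`, and rules or aggregations that group lookups by it will be keyed on a value from a different record. The `@@ -2088` hunk shows the consistent form (`43.83.115.10.in-addr.arpa` → `115.10.in-addr.arpa`), which suggests the other events take the value from a response-side field; that field should be mapped to the answer it describes, and `registered_domain` should come only from the `registered_domain` processor applied to `dns.question.name`. The same mismatch is visible in the `@@ -1268`, `@@ -1359` and `@@ -1419` hunks and most of the mDNS events after them.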
@@ -1631,21 +2742,64 @@
 "version": "6.5.00"
 }
 },
+ "host": {
+ "ip": [
+ "10.114.82.17"
+ ],
+ "name": "tg-92794.local",
+ "type": "PTR"
+ },
+ "service": {
+ "id": "32",
+ "type": "dns"
+ },
+ "source": {
+ "bytes": 251,
+ "ip": "10.114.82.17",
+ "mac": "00-50-56-8D-26-CE",
+ "packets": 1,
+ "port": 5353
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:40.000Z",
+ "destination": {
+ "bytes": 0,
+ "ip": "224.0.0.251",
+ "mac": "01-00-5E-00-00-FB",
+ "packets": 0,
+ "port": 5353
+ },
+ "dns": {
+ "answers": {
+ "ttl": 120
+ },
+ "question": {
+ "registered_domain": "2.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.0.0.1.a.0.2.4.4.3.2.1.3.6.1.2. ip6.arpa"
+ },
+ "response_code": "No Error"
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "end": "2023-12-13T15:25:25.693Z",
+ "id": "679408454713107463",
+ "kind": "event",
+ "start": "2023-12-13T15:24:40.637Z",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
- "app_id": 32,
+ "app_id": "32",
 "app_name": "dns",
 "device_inbound_interface": "0",
 "dns_ancount": 6,
@@ -1688,21 +2842,52 @@
 "version": "6.5.00"
 }
 },
+ "host": {
+ "name": "tg-92967.local",
+ "type": "PTR"
+ },
+ "service": {
+ "id": "32",
+ "type": "dns"
+ },
+ "source": {
+ "bytes": 924,
+ "ip": "10.114.83.110",
+ "mac": "00-50-56-99-D1-39",
+ "packets": 6,
+ "port": 5353
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:23:59.000Z",
+ "destination": {
+ "bytes": 0,
+ "ip": "255.255.255.255",
+ "mac": "FF-FF-FF-FF-FF-FF",
+ "packets": 0,
+ "port": 67
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "end": "2023-12-13T15:23:44.910Z",
+ "id": "113836049853586439",
+ "kind": "event",
+ "start": "2023-12-13T15:23:17.354Z",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
- "app_id": 29,
+ "app_id": "29",
 "app_name": "dhcp",
 "device_inbound_interface": "0",
 "dst_bytes": 0,
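Review bot: `dns.response_code` in the first hunk is the vendor's prose string `"No Error"`, and the `@@ -2088` hunk stores `"Non-Existent Domain"`; ECS expects the DNS RCODE mnemonic (`NOERROR`, `NXDOMAIN`, `SERVFAIL`, …), which is what cross-source detections such as NXDOMAIN-rate or DGA rules filter on, so these events would be invisible to them. A small lookup in the pipeline, e.g. `"No Error": "NOERROR"` and `"Non-Existent Domain": "NXDOMAIN"`, with the original text kept under `gigamon.ami.*`, would keep both the vendor value and the interoperable one. Which vendor field carries this string is not visible in the diff, so the exact set of labels to map should be checked against the device documentation.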
@@ -1733,21 +2918,48 @@
 "version": "6.5.00"
 }
 },
+ "service": {
+ "id": "29",
+ "type": "dhcp"
+ },
+ "source": {
+ "bytes": 1400,
+ "ip": "0.0.0.0",
+ "mac": "00-50-56-99-05-DF",
+ "packets": 4,
+ "port": 68
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:41.000Z",
+ "destination": {
+ "bytes": 0,
+ "ip": "10.115.83.4",
+ "mac": "00-50-56-9F-7F-FF",
+ "packets": 0,
+ "port": 902
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "end": "2023-12-13T15:25:27.101Z",
+ "id": "679408454713108487",
+ "kind": "event",
+ "start": "2023-12-13T15:25:27.101Z",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
- "app_id": 3902,
+ "app_id": "3902",
 "app_name": "vmware-client",
 "device_inbound_interface": "0",
 "dst_bytes": 0,
@@ -1778,17 +2990,39 @@
 "version": "6.5.00"
 }
 },
+ "service": {
+ "id": "3902",
+ "type": "vmware-client"
+ },
+ "source": {
+ "bytes": 377,
+ "ip": "10.115.81.118",
+ "mac": "0C-C4-7A-F8-0D-C4",
+ "packets": 1,
+ "port": 15536
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:41.000Z",
+ "dns": {
+ "question": {
+ "registered_domain": "systest-virtual"
+ }
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
@@ -1808,11 +3042,27 @@
 },
 {
 "@timestamp": "2023-12-13T15:25:41.000Z",
+ "dns": {
+ "answers": {
+ "ttl": 120
+ },
+ "question": {
+ "registered_domain": "systest-virtual-machine-110438.local"
+ },
+ "response_code": "No Error"
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "duration": 3.289977E9,
+ "kind": "event",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
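Review bot: `dns.question.registered_domain` in the second hunk is `"systest-virtual"`, a fragment rather than a domain, and similar fragments are indexed as `"sys"` (`@@ -2344`, `@@ -2942`) and as `host.name` `"systest-vir"` (`@@ -2252`), `"MyClust23._t"` (`@@ -2517`) and `"eqaHCT._tms"` (`@@ -3064`). These look like a fixed-width truncation of the underlying vendor field, so the indexed keys will never equal the real name and will split one host across several values in any aggregation; that is inferred from the values alone, as the source events are not in this diff. The pipeline should take these from a field that carries the full value, or leave `registered_domain`/`host.name` unset when the source value is evidently partial, and the expected output here should be regenerated once that is settled.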
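Review bot: `event.duration` in the third hunk is emitted as the double `3.289977E9`, but ECS types `event.duration` as `long` nanoseconds; the exponent form shows the pipeline computes and stores it as a float, and in the `@@ -2088` hunk the value `1563000.0` (1.563 ms) does not match the 16 ms between that event's `event.start` and `event.end`, so the field appears to be fed from a different vendor measurement than the start/end pair. The value should be converted with `"convert": { "field": "event.duration", "type": "long" }` (or computed as `end - start` in nanoseconds) and the source of the figure documented in the field description. The same float form appears in the `@@ -2374` and `@@ -2400` hunks (`3.5493742E9`, `3.440722E9`).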
@@ -1834,17 +3084,38 @@
 "version": "6.5.00"
 }
 },
+ "host": {
+ "ip": [
+ "10.115.84.157"
+ ],
+ "name": "systest-virtual-machine-110438.local",
+ "type": "AAAA"
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:43.000Z",
+ "dns": {
+ "answers": {
+ "ttl": 120
+ },
+ "question": {
+ "registered_domain": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa"
+ }
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
@@ -1861,21 +3132,54 @@
 "version": "6.5.00"
 }
 },
+ "host": {
+ "ip": [
+ "10.115.84.173"
+ ],
+ "name": "systest-virtual-machine-616359.local",
+ "type": "PTR"
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:44.000Z",
+ "destination": {
+ "bytes": 0,
+ "ip": "224.0.0.251",
+ "mac": "01-00-5E-00-00-FB",
+ "packets": 0,
+ "port": 5353
+ },
+ "dns": {
+ "answers": {
+ "ttl": 120
+ },
+ "question": {
+ "name": "227.85.115.10.in-addr.arpa",
+ "registered_domain": "0.a.d.2.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa",
+ "type": "*"
+ }
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "end": "2023-12-13T15:25:29.565Z",
+ "id": "679408454713112583",
+ "kind": "event",
+ "start": "2023-12-13T15:25:29.565Z",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
- "app_id": 32,
+ "app_id": "32",
 "app_name": "dns",
 "device_inbound_interface": "0",
 "dns_class": "1",
@@ -1921,21 +3225,65 @@
 "version": "6.5.00"
 }
 },
+ "host": {
+ "ip": [
+ "10.115.85.227"
+ ],
+ "name": "linux-59500.local",
+ "type": "PTR"
+ },
+ "service": {
+ "id": "32",
+ "type": "dns"
+ },
+ "source": {
+ "bytes": 255,
+ "ip": "10.115.85.227",
+ "mac": "00-50-56-94-2D-A0",
+ "packets": 1,
+ "port": 5353
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:44.000Z",
+ "destination": {
+ "bytes": 0,
+ "ip": "224.0.0.251",
+ "mac": "01-00-5E-00-00-FB",
+ "packets": 0,
+ "port": 5353
+ },
+ "dns": {
+ "answers": {
+ "ttl": 120
+ },
+ "question": {
+ "name": "7.7.f.2.5.b.4.f.6.1.a.2.0.1.1.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa",
+ "registered_domain": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa",
+ "type": "*"
+ }
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "end": "2023-12-13T15:25:29.725Z",
+ "id": "679408454713113607",
+ "kind": "event",
+ "start": "2023-12-13T15:25:29.725Z",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
- "app_id": 32,
+ "app_id": "32",
 "app_name": "dns",
 "device_inbound_interface": "0",
 "dns_class": "1",
@@ -1981,21 +3329,55 @@
 "version": "6.5.00"
 }
 },
+ "host": {
+ "ip": [
+ "10.115.84.163"
+ ],
+ "name": "systest-virtual-machine-559605.local",
+ "type": "PTR"
+ },
+ "service": {
+ "id": "32",
+ "type": "dns"
+ },
+ "source": {
+ "bytes": 434,
+ "ip": "10.115.84.163",
+ "mac": "00-50-56-86-3D-DA",
+ "packets": 1,
+ "port": 5353
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:44.000Z",
+ "destination": {
+ "bytes": 2985,
+ "ip": "10.115.83.36",
+ "mac": "00-50-56-B7-4D-72",
+ "packets": 9,
+ "port": 8889
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "end": "2023-12-13T15:24:55.053Z",
+ "id": "679408454713114631",
+ "kind": "event",
+ "start": "2023-12-13T15:24:45.037Z",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
- "app_id": 4962,
+ "app_id": "4962",
 "app_name": "Unknown ssl",
 "device_inbound_interface": "0",
 "dst_bytes": 2985,
@@ -2028,21 +3410,61 @@
 "version": "6.5.00"
 }
 },
+ "service": {
+ "id": "4962",
+ "type": "Unknown ssl"
+ },
+ "source": {
+ "bytes": 2019,
+ "ip": "10.115.83.15",
+ "mac": "00-50-56-9F-ED-DC",
+ "packets": 12,
+ "port": 39252
+ },
 "tags": [
 "preserve_original_event"
- ]
+ ],
+ "tls": {
+ "cipher": "TLS_AES_256_GCM_SHA384"
+ }
 },
 {
 "@timestamp": "2023-12-13T15:25:45.000Z",
+ "destination": {
+ "bytes": 0,
+ "ip": "224.0.0.251",
+ "mac": "01-00-5E-00-00-FB",
+ "packets": 0,
+ "port": 5353
+ },
+ "dns": {
+ "answers": {
+ "ttl": 120
+ },
+ "question": {
+ "name": "f.7.5.2.e.7.6.2.4.c.1.c.4.c.6.1.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa",
+ "registered_domain": "a.b.2.b.9.6.c.2.3.9.3.d.6.2.6.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa",
+ "type": "*"
+ }
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "end": "2023-12-13T15:25:31.149Z",
+ "id": "679408454713115655",
+ "kind": "event",
+ "start": "2023-12-13T15:25:31.149Z",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
- "app_id": 32,
+ "app_id": "32",
 "app_name": "dns",
 "device_inbound_interface": "0",
 "dns_class": "1",
@@ -2088,21 +3510,67 @@
 "version": "6.5.00"
 }
 },
+ "host": {
+ "ip": [
+ "10.114.82.101"
+ ],
+ "name": "pnstrex-83817.local",
+ "type": "PTR"
+ },
+ "service": {
+ "id": "32",
+ "type": "dns"
+ },
+ "source": {
+ "bytes": 337,
+ "ip": "10.114.82.101",
+ "mac": "00-50-56-8D-89-41",
+ "packets": 1,
+ "port": 5353
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:45.000Z",
+ "destination": {
+ "bytes": 85,
+ "ip": "10.115.83.36",
+ "mac": "5C-31-92-40-19-7F",
+ "packets": 1,
+ "port": 59004
+ },
+ "dns": {
+ "answers": {
+ "ttl": 3600
+ },
+ "question": {
+ "name": "43.83.115.10.in-addr.arpa",
+ "registered_domain": "115.10.in-addr.arpa",
+ "type": "PTR"
+ },
+ "response_code": "Non-Existent Domain"
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "duration": 1563000.0,
+ "end": "2023-12-13T15:25:30.653Z",
+ "id": "679408454713116679",
+ "kind": "event",
+ "start": "2023-12-13T15:25:30.637Z",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
- "app_id": 32,
+ "app_id": "32",
 "app_name": "dns",
 "device_inbound_interface": "0",
 "dns_class": "1",
@@ -2151,21 +3619,57 @@
 "version": "6.5.00"
 }
 },
+ "host": {
+ "name": "hq1dc1.gigamon.com",
+ "type": "SOA"
+ },
+ "related": {
+ "ip": [
+ "10.115.83.43"
+ ]
+ },
+ "service": {
+ "id": "32",
+ "type": "dns"
+ },
+ "source": {
+ "bytes": 169,
+ "ip": "10.10.1.20",
+ "mac": "00-50-56-B7-4D-72",
+ "packets": 1,
+ "port": 53
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:46.000Z",
+ "destination": {
+ "bytes": 59982,
+ "ip": "10.115.81.118",
+ "mac": "0C-C4-7A-F8-0D-C4",
+ "packets": 47,
+ "port": 443
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "end": "2023-12-13T15:25:31.837Z",
+ "id": "679408454713117703",
+ "kind": "event",
+ "start": "2023-12-13T15:24:47.085Z",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
- "app_id": 68,
+ "app_id": "68",
 "app_name": "https",
 "device_inbound_interface": "0",
 "dst_bytes": 59982,
@@ -2196,17 +3700,42 @@
 "version": "6.5.00"
 }
 },
+ "service": {
+ "id": "68",
+ "type": "https"
+ },
+ "source": {
+ "bytes": 10482,
+ "ip": "10.115.83.4",
+ "mac": "00-50-56-9F-7F-FF",
+ "packets": 52,
+ "port": 54892
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:46.000Z",
+ "dns": {
+ "answers": {
+ "ttl": 120
+ },
+ "question": {
+ "registered_domain": "f.1.2.3.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa"
+ }
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
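Review bot: `related.ip` in the first hunk holds only `10.115.83.43`, the address carried in the DNS answer, while `source.ip` (`10.10.1.20`) and `destination.ip` (`10.115.83.36`) of the same event are absent from it, and none of the other visible hunks populate `related.ip` at all despite carrying source and destination addresses. ECS intends `related.ip` to collect every address on the event so that one `related.ip:` query matches regardless of role, and the same holds for `related.hosts` with `dns.question.name` and the answer names; indicator-match rules rely on these fields. The pipeline should `append` `source.ip`, `destination.ip` and each answer address to `related.ip` (with `allow_duplicates: false`) and the names to `related.hosts`, and this expected output should be regenerated accordingly.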
@@ -2227,17 +3756,35 @@
 "version": "6.5.00"
 }
 },
+ "host": {
+ "ip": [
+ "10.115.85.228"
+ ],
+ "name": "linux-57522.local",
+ "type": "PTR"
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:47.000Z",
+ "dns": {
+ "question": {
+ "registered_domain": "systest-virtual-machine-549088.local"
+ }
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
@@ -2252,17 +3799,34 @@
 "version": "6.5.00"
 }
 },
+ "host": {
+ "name": "systest-vir"
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:47.000Z",
+ "dns": {
+ "answers": {
+ "ttl": 120
+ },
+ "question": {
+ "registered_domain": "7.1.7.e.b.a.5.d.3.3.b.b.d.3.f.4.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa"
+ }
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
@@ -2284,21 +3848,54 @@
 "version": "6.5.00"
 }
 },
+ "host": {
+ "ip": [
+ "10.114.82.169"
+ ],
+ "name": "pnstrex-81458.local",
+ "type": "PTR"
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:47.000Z",
+ "destination": {
+ "bytes": 0,
+ "ip": "224.0.0.251",
+ "mac": "01-00-5E-00-00-FB",
+ "packets": 0,
+ "port": 5353
+ },
+ "dns": {
+ "answers": {
+ "ttl": 120
+ },
+ "question": {
+ "name": "229.85.115.10.in-addr.arpa",
+ "registered_domain": "b.d.2.6.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa",
+ "type": "*"
+ }
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "end": "2023-12-13T15:25:32.669Z",
+ "id": "679408454713121799",
+ "kind": "event",
+ "start": "2023-12-13T15:25:32.669Z",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
- "app_id": 32,
+ "app_id": "32",
 "app_name": "dns",
 "device_inbound_interface": "0",
 "dns_class": "1",
@@ -2344,17 +3941,46 @@
 "version": "6.5.00"
 }
 },
+ "host": {
+ "ip": [
+ "10.115.85.229"
+ ],
+ "name": "linux-49198.local",
+ "type": "PTR"
+ },
+ "service": {
+ "id": "32",
+ "type": "dns"
+ },
+ "source": {
+ "bytes": 255,
+ "ip": "10.115.85.229",
+ "mac": "00-50-56-94-62-DB",
+ "packets": 1,
+ "port": 5353
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:47.000Z",
+ "dns": {
+ "question": {
+ "registered_domain": "sys"
+ }
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
@@ -2374,11 +4000,27 @@
 },
 {
 "@timestamp": "2023-12-13T15:25:47.000Z",
+ "dns": {
+ "answers": {
+ "ttl": 120
+ },
+ "question": {
+ "registered_domain": "systest-virtual-machine-557153.local"
+ },
+ "response_code": "No Error"
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "duration": 3.5493742E9,
+ "kind": "event",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
@@ -2400,17 +4042,40 @@
 "version": "6.5.00"
 }
 },
+ "host": {
+ "ip": [
+ "10.115.84.167"
+ ],
+ "name": "systest-virtual-machine-557153.local",
+ "type": "A"
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:48.000Z",
+ "dns": {
+ "answers": {
+ "ttl": 120
+ },
+ "question": {
+ "registered_domain": "systest-virtual-machine-553001.local"
+ },
+ "response_code": "No Error"
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "duration": 3.440722E9,
+ "kind": "event",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
@@ -2431,21 +4096,54 @@
 "version": "6.5.00"
 }
 },
+ "host": {
+ "ip": [
+ "10.115.84.166"
+ ],
+ "name": "systest-virtual-machine-553001.local",
+ "type": "A"
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:49.000Z",
+ "destination": {
+ "bytes": 0,
+ "ip": "224.0.0.251",
+ "mac": "01-00-5E-00-00-FB",
+ "packets": 0,
+ "port": 5353
+ },
+ "dns": {
+ "answers": {
+ "ttl": 120
+ },
+ "question": {
+ "name": "224.85.115.10.in-addr.arpa",
+ "registered_domain": "7.2.2.7.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa",
+ "type": "*"
+ }
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "end": "2023-12-13T15:25:34.941Z",
+ "id": "679408454713125895",
+ "kind": "event",
+ "start": "2023-12-13T15:25:34.941Z",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
- "app_id": 32,
+ "app_id": "32",
 "app_name": "dns",
 "device_inbound_interface": "0",
 "dns_class": "1",
@@ -2491,17 +4189,46 @@
 "version": "6.5.00"
 }
 },
+ "host": {
+ "ip": [
+ "10.115.85.224"
+ ],
+ "name": "linux-69817.local",
+ "type": "PTR"
+ },
+ "service": {
+ "id": "32",
+ "type": "dns"
+ },
+ "source": {
+ "bytes": 255,
+ "ip": "10.115.85.224",
+ "mac": "00-50-56-94-72-27",
+ "packets": 1,
+ "port": 5353
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:49.000Z",
+ "dns": {
+ "question": {
+ "registered_domain": "_tcn_eqaHCT._tcp.local"
+ }
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
@@ -2517,17 +4244,31 @@
 "version": "6.5.00"
 }
 },
+ "host": {
+ "name": "MyClust23._t"
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:49.000Z",
+ "dns": {
+ "question": {
+ "registered_domain": "systest-virtual-machine-551405.local"
+ }
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
@@ -2547,15 +4288,31 @@
 },
 {
 "@timestamp": "2023-12-13T15:25:50.000Z",
+ "destination": {
+ "bytes": 2335,
+ "ip": "10.115.81.118",
+ "mac": "0C-C4-7A-F8-0D-C4",
+ "packets": 8,
+ "port": 9080
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "end": "2023-12-13T15:25:35.821Z",
+ "id": "679408454713128967",
+ "kind": "event",
+ "start": "2023-12-13T15:25:35.821Z",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
- "app_id": 4962,
+ "app_id": "4962",
 "app_name": "Unknown ssl",
 "device_inbound_interface": "0",
 "dst_bytes": 2335,
@@ -2588,21 +4345,61 @@
 "version": "6.5.00"
 }
 },
+ "service": {
+ "id": "4962",
+ "type": "Unknown ssl"
+ },
+ "source": {
+ "bytes": 1533,
+ "ip": "10.115.83.4",
+ "mac": "00-50-56-9F-7F-FF",
+ "packets": 11,
+ "port": 60895
+ },
 "tags": [
 "preserve_original_event"
- ]
+ ],
+ "tls": {
+ "cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+ }
 },
 {
 "@timestamp": "2023-12-13T15:25:50.000Z",
+ "destination": {
+ "bytes": 0,
+ "ip": "224.0.0.251",
+ "mac": "01-00-5E-00-00-FB",
+ "packets": 0,
+ "port": 5353
+ },
+ "dns": {
+ "answers": {
+ "ttl": 120
+ },
+ "question": {
+ "name": "7.7.f.2.5.b.4.f.6.1.a.2.0.1.1.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa",
+ "registered_domain": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa",
+ "type": "*"
+ }
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "end": "2023-12-13T15:25:36.429Z",
+ "id": "679408454713129991",
+ "kind": "event",
+ "start": "2023-12-13T15:25:36.429Z",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
- "app_id": 32,
+ "app_id": "32",
 "app_name": "dns",
 "device_inbound_interface": "0",
 "dns_class": "1",
@@ -2648,17 +4445,49 @@
 "version": "6.5.00"
 }
 },
+ "host": {
+ "ip": [
+ "10.115.84.152"
+ ],
+ "name": "systest-virtual-machine-634804.local",
+ "type": "PTR"
+ },
+ "service": {
+ "id": "32",
+ "type": "dns"
+ },
+ "source": {
+ "bytes": 434,
+ "ip": "10.115.84.152",
+ "mac": "00-50-56-86-47-92",
+ "packets": 1,
+ "port": 5353
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:50.000Z",
+ "dns": {
+ "answers": {
+ "ttl": 120
+ },
+ "question": {
+ "registered_domain": "d.6.6.9.b.6.2.9.a.8.3.1.8.4.2.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f. ip6.arpa"
+ }
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
@@ -2675,21 +4504,54 @@
 "version": "6.5.00"
 }
 },
+ "host": {
+ "ip": [
+ "10.115.84.170"
+ ],
+ "name": "systest-virtual-machine-560119.local",
+ "type": "PTR"
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15: 25:50.000Z",
+ "destination": {
+ "bytes": 0,
+ "ip": "224.0.0.251",
+ "mac": "01-00-5E-00-00-FB",
+ "packets": 0,
+ "port": 5353
+ },
+ "dns": {
+ "answers": {
+ "ttl": 120
+ },
+ "question": {
+ "name": "7.7.4.f.0.1.0.d.e.7.9.c.d.f.6.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa",
+ "registered_domain": "0.7.1.8.d.2.7.5.f.d.5.3.8.6.c.6.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa",
+ "type": "*"
+ }
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "end": "2023-12-13T15:25:35.805Z",
+ "id": "679408454713132039",
+ "kind": "event",
+ "start": "2023-12-13T15:25:35.805Z",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
- "app_id": 32,
+ "app_id": "32",
 "app_name": "dns",
 "device_inbound_interface": "0",
 "dns_class": "1",
@@ -2735,21 +4597,55 @@
 "version": "6.5.00"
 }
 },
+ "host": {
+ "ip": [
+ "10.114.82.167"
+ ],
+ "name": "pnstrex-85508.local",
+ "type": "PTR"
+ },
+ "service": {
+ "id": "32",
+ "type": "dns"
+ },
+ "source": {
+ "bytes": 337,
+ "ip": "10.114.82.167",
+ "mac": "00-50-56-8D-D8-F7",
+ "packets": 1,
+ "port": 5353
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:51.000Z",
+ "destination": {
+ "bytes": 0,
+ "ip": "10.115.83.4",
+ "mac": "00-50-56-9F-7F-FF",
+ "packets": 0,
+ "port": 902
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "end": "2023-12-13T15:25:37.101Z",
+ "id": "679408454713133063",
+ "kind": "event",
+ "start": "2023-12-13T15:25:37.101Z",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
- "app_id": 3902,
+ "app_id": "3902",
 "app_name": "vmware-client",
 "device_inbound_interface": "0",
 "dst_bytes": 0,
@@ -2780,21 +4676,58 @@
 "version": "6.5.00"
 }
 },
+ "service": {
+ "id": "3902",
+ "type": "vmware-client"
+ },
+ "source": {
+ "bytes": 377,
+ "ip": "10.115.81.118",
+ "mac": "0C-C4-7A-F8-0D-C4",
+ "packets": 1,
+ "port": 43599
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:51.000Z",
+ "destination": {
+ "bytes": 0,
+ "ip": "224.0.0.251",
+ "mac": "01-00-5E-00-00-FB",
+ "packets": 0,
+ "port": 5353
+ },
+ "dns": {
+ "answers": {
+ "ttl": 120
+ },
+ "question": {
+ "name": "219.85.115.10.in-addr.arpa",
+ "registered_domain": "8.c.4.d.4.9.e.f.f.f.6.5.0.5.2.0.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa",
+ "type": "*"
+ }
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "end": "2023-12-13T15:25:37.149Z",
+ "id": "679408454713134087",
+ "kind": "event",
+ "start": "2023-12-13T15:25:37.149Z",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
- "app_id": 32,
+ "app_id": "32",
 "app_name": "dns",
 "device_inbound_interface": "0",
 "dns_class": "1",
@@ -2840,17 +4773,49 @@
 "version": "6.5.00"
 }
 },
+ "host": {
+ "ip": [
+ "10.115.85.219"
+ ],
+ "name": "linux-52271.local",
+ "type": "PTR"
+ },
+ "service": {
+ "id": "32",
+ "type": "dns"
+ },
+ "source": {
+ "bytes": 255,
+ "ip": "10.115.85.219",
+ "mac": "00-50-56-94-D4-C8",
+ "packets": 1,
+ "port": 5353
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:51.000Z",
+ "dns": {
+ "answers": {
+ "ttl": 120
+ },
+ "question": {
+ "registered_domain": "3.d.9.2.5.4.0.b.9.1.8.8.2.1.0.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa"
+ }
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
@@ -2872,17 +4837,35 @@
 "version": "6.5.00"
 }
 },
+ "host": {
+ "ip": [
+ "10.114.83.205"
+ ],
+ "name": "pnstrex-61352.local",
+ "type": "PTR"
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:52.000Z",
+ "dns": {
+ "question": {
+ "registered_domain": "systest-virtual-machine-613736.local"
+ }
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
@@ -2897,21 +4880,40 @@
 "version": "6.5.00"
 }
 },
+ "host": {
+ "name": "systest-virtual-machine-613736.local"
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:52.000Z",
+ "destination": {
+ "bytes": 286,
+ "ip": "10.115.83.73",
+ "mac": "00-50-56-B7-A1-53",
+ "packets": 3,
+ "port": 22
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "end": "2023-12-13T15:25:38.253Z",
+ "id": "679408454713137159",
+ "kind": "event",
+ "start": "2023-12-13T15:25:36.669Z",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
- "app_id": 4968,
+ "app_id": "4968",
 "app_name": "Unknown tcp",
 "device_inbound_interface": "0",
 "dst_bytes": 286,
@@ -2942,17 +4944,39 @@
 "version": "6.5.00"
 }
 },
+ "service": {
+ "id": "4968",
+ "type": "Unknown tcp"
+ },
+ "source": {
+ "bytes": 518,
+ "ip": "10.70.70.164",
+ "mac": "5C-31-92-40-19-7F",
+ "packets": 7,
+ "port": 50425
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:52.000Z",
+ "dns": {
+ "question": {
+ "registered_domain": "sys"
+ }
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
@@ -2972,15 +4996,31 @@
 },
 {
 "@timestamp": "2023-12-13T15:25:52.000Z",
+ "destination": {
+ "bytes": 2335,
+ "ip": "10.115.81.118",
+ "mac": "0C-C4-7A-F8-0D-C4",
+ "packets": 8,
+ "port": 9080
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "end": "2023-12-13T15:25:15.821Z",
+ "id": "679408454713139207",
+ "kind": "event",
+ "start": "2023-12-13T15:25:15.821Z",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
- "app_id": 4962,
+ "app_id": "4962",
 "app_name": "Unknown ssl",
 "device_inbound_interface": "0",
 "dst_bytes": 2335,
@@ -3013,17 +5053,42 @@
 "version": "6.5.00"
 }
 },
+ "service": {
+ "id": "4962",
+ "type": "Unknown ssl"
+ },
+ "source": {
+ "bytes": 1533,
+ "ip": "10.115.83.4",
+ "mac": "00-50-56-9F-7F-FF",
+ "packets": 11,
+ "port": 41529
+ },
 "tags": [
 "preserve_original_event"
- ]
+ ],
+ "tls": {
+ "cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+ }
 },
 {
 "@timestamp": "2023-12-13T15:25:52.000Z",
+ "dns": {
+ "question": {
+ "registered_domain": "_tms_cluster._tcp.local"
+ }
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
@@ -3039,17 +5104,32 @@
 "version": "6.5.00"
 }
 },
+ "host": {
+ "name": "duo-test-cluster._tms_cluster._tcp.local",
+ "type": "PTR"
+ },
 "tags": [
 "preserve_original_event"
 ]
 },
 {
 "@timestamp": "2023-12-13T15:25:52.000Z",
+ "dns": {
+ "question": {
+ "registered_domain": "_tcn_Suki-Cluster._tcp.local"
+ }
+ },
 "ecs": {
 "version": "8.11.0"
 },
 "event": {
- "kind": "event"
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "type": [
+ "info"
+ ]
 },
 "gigamon": {
 "ami": {
@@ -3064,21 +5144,46 @@ "version": "6.5.00" } }, + "host": { + "name": "eqaHCT._tms" + }, "tags": [ "preserve_original_event" ] }, { "@timestamp": "2023-12-13T15:25:54.000Z", + "destination": { + "bytes": 0, + "ip": "224.0.0.251", + "mac": "01-00-5E-00-00-FB", + "packets": 0, + "port": 5353 + }, + "dns": { + "question": { + "name": "_webdav._tcp.local", + "type": "PTR" + } + }, "ecs": { "version": "8.11.0" }, "event": { - "kind": "event" + "category": [ + "network" + ], + "end": "2023-12-13T15:25:40.285Z", + "id": "679408454713142279", + "kind": "event", + "start": "2023-12-13T15:25:39.533Z", + "type": [ + "info" + ] }, "gigamon": { "ami": { - "app_id": 32, + "app_id": "32", "app_name": "dns", "device_inbound_interface": "0", "dns_class": "1", 
@@ -3117,6 +5222,550 @@ "version": "6.5.00" } }, + "service": { + "id": "32", + "type": "dns" + }, + "source": { + "bytes": 247, + "ip": "10.115.82.8", + "mac": "00-50-56-A0-50-0D", + "packets": 2, + "port": 5353 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:54.000Z", + "destination": { + "bytes": 1261, + "ip": "172.16.133.134", + "mac": "00-90-7F-3E-02-D0", + "packets": 4, + "port": 80 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "duration": 2.0E9, + "end": "2025-01-27T21:31:31.863Z", + "id": "6470375316427636737", + "kind": "event", + "start": "2025-01-27T21:31:31.807Z", + "type": [ + "info" + ] + }, + "file": { + "extension": "GIF (v89a)" + }, + "gigamon": { + "ami": { + "app_id": "67", + "app_name": "http", + "device_inbound_interface": "0", + "dst_bytes": 1261, + "dst_ip": "172.16.133.134", + "dst_mac": "00:90:7f:3e:02:d0", + "dst_packets": 4, + "dst_port": 80, + "egress_intf_id": "0", + "end_time": "2025-01-27T21:31:31.863Z", + "flow_end_sec": "2025-01-27T21:31:30.000Z", + "flow_start_sec": "2025-01-27T21:31:30.000Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "http_code": 200, + "http_content_encoding": "gzip", + "http_content_type": "image\\/gif", + "http_file_type": "GIF (v89a)", + "http_host": "bs.serving-sys.com", + "http_method": "GET", + "http_referer": "http:\\/\\/pixel.invitemedia.com\\/data_sync?partner_id=419", + "http_rtt": 2.0, + "http_server": "g-pixel.invitemedia.com", + "http_server_agent": "Jetty(7.3.1.v20110307)", + "http_set_cookie": "S_6283423=1070476434893147863", + "http_uri": 
"\\/BurstingPipe\\/adServer.bs?cn=rsb&c=28&pli=6283423&PluID=0&w=600&h=300&ncu=$$http:\\/\\/adclick.g.doubleclick.net\\/aclk?sa=L&ai=BbjDYCjItUfTZNtD56AGYzIHoAYjCzaoDAAAAEAEg5IOJAzgAWKi3js5KYMmG7YiEpOwPsgEWd3d3LmJhcnN0b29sc3BvcnRzLmNvbboBCWdmcF9pbWFnZcgBCdoBHmh0dHA6Ly93d3cuYmFyc3Rvb2xzcG9ydHMuY29tL8ACAuACAOoCGy81NzI0OTA1Ni82MDB4MzAwX1N1cGVycGFnZfgCgtIegAMBkAOkA5gDpAOoAwHgBAGgBhY&num=0&sig=AOD64_3ys4vfsF0cKFXmFwXWDhecLGNUFA&client=ca-pub-8984096390091816&adurl=$$&ord=1291673978&z=9999", + "http_uri_path": "\\/BurstingPipe\\/adServer.bs", + "http_uri_raw": "\\/BurstingPipe\\/adServer.bs?cn=rsb&c=28&pli=6283423&PluID=0&w=600&h=300&ncu=$$http:\\/\\/adclick.g.doubleclick.net\\/aclk?sa=L&ai=BbjDYCjItUfTZNtD56AGYzIHoAYjCzaoDAAAAEAEg5IOJAzgAWKi3js5KYMmG7YiEpOwPsgEWd3d3LmJhcnN0b29sc3BvcnRzLmNvbboBCWdmcF9pbWFnZcgBCdoBHmh0dHA6Ly93d3cuYmFyc3Rvb2xzcG9ydHMuY29tL8ACAuACAOoCGy81NzI0OTA1Ni82MDB4MzAwX1N1cGVycGFnZfgCgtIegAMBkAOkA5gDpAOoAwHgBAGgBhY&num=0&sig=AOD64_3ys4vfsF0cKFXmFwXWDhecLGNUFA&client=ca-pub-8984096390091816&adurl=$$&ord=1291673978&z=9999", + "http_user_agent": "Mozilla\\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\\/534.57.2 (KHTML, like Gecko) Version\\/5.1.7 Safari\\/534.57.2", + "http_version": "1.1", + "id": "6470375316427636737", + "intf_name": "0", + "protocol": "6", + "seq_num": 187452, + "src_bytes": 702, + "src_ip": "172.16.133.96", + "src_mac": "e0:f8:47:21:c9:d6", + "src_packets": 5, + "src_port": 53512, + "start_time": "2025-01-27T21:31:31.807Z", + "tcp_flags": "19", + "ts": "2023-12-13T15:25:54.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "host": { + "name": "bs.serving-sys.com" + }, + "http": { + "request": { + "method": "GET", + "referrer": "http:\\/\\/pixel.invitemedia.com\\/data_sync?partner_id=419" + }, + "response": { + "status_code": 200 + }, + "version": "1.1" + }, + "server": { + "domain": "g-pixel.invitemedia.com" + }, + "service": { + "id": "67", + "type": "http" + }, + "source": { + "bytes": 702, + "ip": 
"172.16.133.96", + "mac": "E0-F8-47-21-C9-D6", + "packets": 5, + "port": 53512 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "full": "\\/BurstingPipe\\/adServer.bs?cn=rsb&c=28&pli=6283423&PluID=0&w=600&h=300&ncu=$$http:\\/\\/adclick.g.doubleclick.net\\/aclk?sa=L&ai=BbjDYCjItUfTZNtD56AGYzIHoAYjCzaoDAAAAEAEg5IOJAzgAWKi3js5KYMmG7YiEpOwPsgEWd3d3LmJhcnN0b29sc3BvcnRzLmNvbboBCWdmcF9pbWFnZcgBCdoBHmh0dHA6Ly93d3cuYmFyc3Rvb2xzcG9ydHMuY29tL8ACAuACAOoCGy81NzI0OTA1Ni82MDB4MzAwX1N1cGVycGFnZfgCgtIegAMBkAOkA5gDpAOoAwHgBAGgBhY&num=0&sig=AOD64_3ys4vfsF0cKFXmFwXWDhecLGNUFA&client=ca-pub-8984096390091816&adurl=$$&ord=1291673978&z=9999", + "original": "\\/BurstingPipe\\/adServer.bs?cn=rsb&c=28&pli=6283423&PluID=0&w=600&h=300&ncu=$$http:\\/\\/adclick.g.doubleclick.net\\/aclk?sa=L&ai=BbjDYCjItUfTZNtD56AGYzIHoAYjCzaoDAAAAEAEg5IOJAzgAWKi3js5KYMmG7YiEpOwPsgEWd3d3LmJhcnN0b29sc3BvcnRzLmNvbboBCWdmcF9pbWFnZcgBCdoBHmh0dHA6Ly93d3cuYmFyc3Rvb2xzcG9ydHMuY29tL8ACAuACAOoCGy81NzI0OTA1Ni82MDB4MzAwX1N1cGVycGFnZfgCgtIegAMBkAOkA5gDpAOoAwHgBAGgBhY&num=0&sig=AOD64_3ys4vfsF0cKFXmFwXWDhecLGNUFA&client=ca-pub-8984096390091816&adurl=$$&ord=1291673978&z=9999", + "path": "\\/BurstingPipe\\/adServer.bs" + }, + "user_agent": { + "original": "Mozilla\\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\\/534.57.2 (KHTML, like Gecko) Version\\/5.1.7 Safari\\/534.57.2" + } + }, + { + "@timestamp": "2023-12-13T15:25:54.000Z", + "destination": { + "bytes": 6387, + "ip": "10.155.24.35", + "mac": "B4-0C-25-E0-40-11", + "packets": 8, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "end": "2025-01-27T21:37:26.415Z", + "id": "6470375590653329409", + "kind": "event", + "start": "2025-01-27T21:37:26.327Z", + "type": [ + "info" + ] + }, + "gigamon": { + "ami": { + "app_id": "1183", + "app_name": "amazon-aws", + "device_inbound_interface": "0", + "dst_bytes": 6387, + "dst_ip": "10.155.24.35", + "dst_mac": "b4:0c:25:e0:40:11", + "dst_packets": 8, + 
"dst_port": 443, + "egress_intf_id": "0", + "end_time": "2025-01-27T21:37:26.415Z", + "flow_end_sec": "2025-01-27T21:37:25.000Z", + "flow_start_sec": "2025-01-27T21:37:25.000Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "6470375590653329409", + "intf_name": "0", + "ip_wrong_crc": "5199", + "protocol": "6", + "seq_num": 319260, + "src_bytes": 2365, + "src_ip": "10.155.24.73", + "src_mac": "4c:32:75:97:66:cf", + "src_packets": 11, + "src_port": 64631, + "ssl_certificate_subject_cn": "*.event.prod.bidr.io", + "ssl_cipher_suite_id": "49199", + "ssl_cipher_suite_id_value": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "ssl_common_name": "*.event.prod.bidr.io", + "ssl_ext_sig_algorithm_hash": "4", + "ssl_ext_sig_algorithm_hash_value": "SHA256", + "ssl_ext_sig_algorithm_scheme": "1027", + "ssl_ext_sig_algorithm_scheme_value": "ecdsa_secp256r1_sha256", + "ssl_ext_sig_algorithm_sig": "3", + "ssl_issuer": "Amazon", + "ssl_protocol_version": "771", + "ssl_protocol_version_value": "TLS_1_2", + "ssl_validity_not_after": "2020-08-31T06:30:04.000Z", + "ssl_validity_not_before": "2017-08-31T06:30:04.000Z", + "start_time": "2025-01-27T21:37:26.327Z", + "tcp_flags": "18", + "ts": "2023-12-13T15:25:54.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "service": { + "id": "1183", + "type": "amazon-aws" + }, + "source": { + "bytes": 2365, + "ip": "10.155.24.73", + "mac": "4C-32-75-97-66-CF", + "packets": 11, + "port": 64631 + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "client": { + "issuer": "Amazon", + "not_after": "2020-08-31T06:30:04.000Z", + "not_before": "2017-08-31T06:30:04.000Z", + "server_name": "*.event.prod.bidr.io", + "subject": "*.event.prod.bidr.io" + }, + "version_protocol": "TLS_1_2" + } + }, + { + "@timestamp": "2023-12-13T15:25:54.000Z", + "destination": { + "bytes": 558827, + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + 
"country_name": "Norway", + "location": { + "lat": 62.0, + "lon": 10.0 + } + }, + "ip": "2a02:cf47:ffff:ffff:ffff:ffff:ffff:0001", + "mac": "4C-32-75-97-66-CF", + "packets": 4205, + "port": 63770 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "id": "691388880983323651", + "kind": "event", + "type": [ + "info" + ] + }, + "gigamon": { + "ami": { + "app_id": "68", + "app_name": "https", + "dst_bytes": 558827, + "dst_ipv6": "2a02:cf47:ffff:ffff:ffff:ffff:ffff:0001", + "dst_mac": "4c:32:75:97:66:cf", + "dst_packets": 4205, + "dst_port": 63770, + "end_reason": "2", + "end_reason_value": "Active Timeout", + "flow_start_sec": "2025-07-28T03:12:22.000Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "691388880983323651", + "ip_version": "6", + "seq_num": 52332271, + "src_bytes": 307270, + "src_ipv6": "2a02:cf40:0000:0000:0000:0000:0000:0001", + "src_mac": "c0:94:35:1c:5e:1a", + "src_packets": 3301, + "src_port": 443, + "tcp_flag_reset": "1", + "tcp_flags": "18", + "tcp_loss_count": "1380", + "tcp_retransmission_bytes": 155, + "tcp_rtt": 1.5E-5, + "tcp_rtt_app": 2.6E-5, + "tcp_wrong_crc": "4296", + "ts": "2023-12-13T15:25:54.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "service": { + "id": "68", + "type": "https" + }, + "source": { + "bytes": 307270, + "geo": { + "continent_name": "Europe", + "country_iso_code": "NO", + "country_name": "Norway", + "location": { + "lat": 62.0, + "lon": 10.0 + } + }, + "ip": "2a02:cf40:0000:0000:0000:0000:0000:0001", + "mac": "C0-94-35-1C-5E-1A", + "packets": 3301, + "port": 443 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:54.000Z", + "destination": { + "bytes": 182, + "ip": "10.120.10.218", + "mac": "B4-0C-25-E0-40-53", + "packets": 2, + "port": 161 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "end": "2025-01-27T21:33:58.759Z", + "id": 
"6470375508803584001", + "kind": "event", + "start": "2025-01-27T21:33:58.759Z", + "type": [ + "info" + ] + }, + "gigamon": { + "ami": { + "app_id": "190", + "app_name": "snmp", + "device_inbound_interface": "0", + "dst_bytes": 182, + "dst_ip": "10.120.10.218", + "dst_mac": "b4:0c:25:e0:40:53", + "dst_packets": 2, + "dst_port": 161, + "egress_intf_id": "0", + "end_time": "2025-01-27T21:33:58.759Z", + "flow_end_sec": "2025-01-27T21:33:57.000Z", + "flow_start_sec": "2025-01-27T21:33:57.000Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "6470375508803584001", + "intf_name": "0", + "protocol": "17", + "seq_num": 213751, + "snmp_version": "2c", + "src_bytes": 172, + "src_ip": "10.10.1.116", + "src_mac": "00:08:e3:ff:fc:28", + "src_packets": 2, + "src_port": 61751, + "start_time": "2025-01-27T21:33:58.759Z", + "tcp_flags": "0", + "ts": "2023-12-13T15:25:54.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "service": { + "id": "190", + "type": "snmp", + "version": "2c" + }, + "source": { + "bytes": 172, + "ip": "10.10.1.116", + "mac": "00-08-E3-FF-FC-28", + "packets": 2, + "port": 61751 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:54.000Z", + "destination": { + "bytes": 0, + "ip": "10.2.1.255", + "mac": "FF-FF-FF-FF-FF-FF", + "packets": 0, + "port": 138 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "end": "2025-01-27T21:30:44.847Z", + "id": "6470375254073016321", + "kind": "event", + "start": "2025-01-27T21:30:10.463Z", + "type": [ + "info" + ] + }, + "gigamon": { + "ami": { + "app_id": "3855", + "app_name": "mailslot", + "device_inbound_interface": "0", + "dst_bytes": 0, + "dst_ip": "10.2.1.255", + "dst_mac": "ff:ff:ff:ff:ff:ff", + "dst_packets": 0, + "dst_port": 138, + "egress_intf_id": "0", + "end_time": "2025-01-27T21:30:44.847Z", + "flow_end_sec": "2025-01-27T21:30:43.000Z", + "flow_start_sec": "2025-01-27T21:30:09.000Z", + 
"generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "6470375254073016321", + "intf_name": "0", + "protocol": "17", + "seq_num": 76099, + "smb_command_string": "negotiate", + "smb_filename": "testfile", + "smb_host": "user1", + "smb_path": "\\/\\/11.1.0.37:445\\/sharefile", + "smb_version": "1", + "smb_version_value": "SMB-V1", + "src_bytes": 38376, + "src_ip": "10.2.1.23", + "src_mac": "09:00:09:00:01:12", + "src_packets": 162, + "src_port": 138, + "start_time": "2025-01-27T21:30:10.463Z", + "tcp_flags": "0", + "ts": "2023-12-13T15:25:54.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "service": { + "id": "3855", + "type": "mailslot", + "version": "SMB-V1" + }, + "source": { + "bytes": 38376, + "ip": "10.2.1.23", + "mac": "09-00-09-00-01-12", + "packets": 162, + "port": 138 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-12-13T15:25:54.000Z", + "destination": { + "bytes": 432901, + "ip": "10.1.0.4", + "mac": "02-01-93-9C-99-4D", + "packets": 2705, + "port": 67 + }, + "dns": { + "question": { + "name": "34.21.12.61.in-addr.arpa", + "type": "PTR" + }, + "type": "QUERY" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "network" + ], + "id": "691388880109625347", + "kind": "event", + "type": [ + "info" + ] + }, + "gigamon": { + "ami": { + "app_id": "32", + "app_name": "dns", + "dns_class": "1", + "dns_flags": "256", + "dns_message_type": "QUERY", + "dns_opcode": "0", + "dns_qdcount": 1, + "dns_query": "34.21.12.61.in-addr.arpa", + "dns_query_type": "12", + "dns_query_type_value": "PTR", + "dns_reverse_addr": "10.12.21.34", + "dns_tunneling": "1", + "dst_bytes": 432901, + "dst_ip": "10.1.0.4", + "dst_mac": "02:01:93:9c:99:4d", + "dst_packets": 2705, + "dst_port": 67, + "end_reason": "1", + "end_reason_value": "Idle Timeout", + "flow_start_sec": "2025-07-27T23:52:17.000Z", + "generator": "gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6", + "id": "691388880109625347", 
+ "ip_version": "4", + "protocol": "17", + "seq_num": 52203185, + "src_bytes": 326560, + "src_ip": "10.1.0.4", + "src_mac": "02:01:93:9c:98:37", + "src_packets": 2955, + "src_port": 57677, + "ts": "2023-12-13T15:25:54.000Z", + "vendor": "Gigamon", + "version": "6.5.00" + } + }, + "related": { + "ip": [ + "10.12.21.34" + ] + }, + "service": { + "id": "32", + "type": "dns" + }, + "source": { + "bytes": 326560, + "ip": "10.1.0.4", + "mac": "02-01-93-9C-98-37", + "packets": 2955, + "port": 57677 + }, "tags": [ "preserve_original_event" ] diff --git a/packages/gigamon/data_stream/ami/elasticsearch/ingest_pipeline/default.yml b/packages/gigamon/data_stream/ami/elasticsearch/ingest_pipeline/default.yml index ec0c11ff103..c57a3e927ca 100644 --- a/packages/gigamon/data_stream/ami/elasticsearch/ingest_pipeline/default.yml +++ b/packages/gigamon/data_stream/ami/elasticsearch/ingest_pipeline/default.yml @@ -12,6 +12,16 @@ processors: - set: field: event.kind value: event + - append: + field: event.category + tag: append_network_into_event_category + value: network + allow_duplicates: false + - append: + field: event.type + tag: append_info_into_event_type + value: info + allow_duplicates: false # process dates on base fields - date: field: gigamon.ami.ts 
@@ -63,6 +73,34 @@ processors: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: gigamon.ami.flow_start_sec + target_field: gigamon.ami.flow_start_sec + tag: date_gigamon_ami_flow_start_sec + formats: + - 'yyyy:MM:dd HH:mm:ss' + - ISO8601 + if: ctx.gigamon?.ami?.flow_start_sec != null + on_failure: + - remove: + field: gigamon.ami.flow_start_sec + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: gigamon.ami.flow_end_sec + target_field: gigamon.ami.flow_end_sec + tag: date_gigamon_ami_flow_end_sec + formats: + - 'yyyy:MM:dd HH:mm:ss' + - ISO8601 + if: ctx.gigamon?.ami?.flow_end_sec != null + on_failure: + - remove: + field: gigamon.ami.flow_end_sec + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - date: field: gigamon.ami.ssl_validity_not_before target_field: gigamon.ami.ssl_validity_not_before 
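Review bot: The new `date_gigamon_ami_flow_start_sec` / `date_gigamon_ami_flow_end_sec` processors accept only `yyyy:MM:dd HH:mm:ss` and ISO8601, yet the `_sec` suffix suggests the exporter may emit these as epoch seconds (the IPFIX flowStartSeconds convention); a numeric value would fail to parse, the `on_failure` branch would remove the field, and the flow timestamps would be lost silently with only an `error.message` entry. If the raw export can be numeric, add `- UNIX` to both `formats` lists. The raw input for these two fields is not visible in this chunk, so confirm against a live AMI record before relying on the ISO output shown in the fixtures. The `yyyy:MM:dd HH:mm:ss` pattern carries no zone, so the processor assumes UTC; a one-line comment stating that assumption would help the next maintainer.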
@@ -111,18 +149,6 @@ processors: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - convert: - field: gigamon.ami.app_id - if: ctx.gigamon?.ami?.app_id != null - tag: convert_app_id - type: long - on_failure: - - remove: - field: gigamon.ami.app_id - ignore_missing: true - - append: - field: error.message - value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - convert: field: gigamon.ami.sys_up_time_first if: ctx.gigamon?.ami?.sys_up_time_first != null 
@@ -404,6 +430,42 @@ processors: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: gigamon.ami.tcp_rtt + if: ctx.gigamon?.ami?.tcp_rtt != null + tag: convert_tcp_rtt + type: float + on_failure: + - remove: + field: gigamon.ami.tcp_rtt + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: gigamon.ami.tcp_rtt_app + if: ctx.gigamon?.ami?.tcp_rtt_app != null + tag: convert_tcp_rtt_app + type: float + on_failure: + - remove: + field: gigamon.ami.tcp_rtt_app + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: gigamon.ami.tcp_retransmission_bytes + if: ctx.gigamon?.ami?.tcp_retransmission_bytes != null + tag: convert_tcp_retransmission_bytes + type: long + on_failure: + - remove: + field: gigamon.ami.tcp_retransmission_bytes + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - script: lang: painless description: Gigamon AMI lookup mappings 
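Review bot: `convert_tcp_rtt` and `convert_tcp_rtt_app` use `type: float`, while the companion `fields.yml` change in this same PR declares `tcp_rtt` and `tcp_rtt_app` as `double`; a single-precision convert rounds to roughly seven significant digits before the value reaches a double-typed field. Change both to `type: double` so the stored precision matches the mapping — the fixture values are sub-millisecond round-trip times (`1.5E-5`), exactly where float rounding shows. `convert_tcp_retransmission_bytes` as `long` is consistent with its mapping and needs no change.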
@@ -827,6 +889,346 @@ processors: if (ctx.gigamon.ami.dns_reply_code != null) { ctx.gigamon.ami.dns_reply_code_value = params['dns_reply_code'][ctx.gigamon.ami.dns_reply_code]; } + + - convert: + field: gigamon.ami.dns_response_time + if: ctx.gigamon?.ami?.dns_response_time != null + tag: convert_dns_response_time + type: float + on_failure: + - remove: + field: gigamon.ami.dns_response_time + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - script: + lang: painless + description: Convert dns_response_time in seconds to nanoseconds for populating event.duration + source: >- + ctx.event.duration = ctx.gigamon.ami.dns_response_time * 1000000000L; + if: ctx.gigamon?.ami?.dns_response_time != null + - set: + field: dns.question.name + tag: set_dns_question_name + copy_from: gigamon.ami.dns_query + if: ctx.gigamon?.ami?.dns_query != null + - set: + field: dns.question.registered_domain + tag: set_dns_question_registered_domain + copy_from: gigamon.ami.dns_name + if: ctx.gigamon?.ami?.dns_name != null + - append: + field: host.ip + tag: set_host_ip + value: "{{{gigamon.ami.dns_host_addr}}}" + if: ctx.gigamon?.ami?.dns_host_addr != null + allow_duplicates: false + - convert: + field: gigamon.ami.dns_ttl + if: ctx.gigamon?.ami?.dns_ttl != null + tag: convert_dns_ttl + type: long + on_failure: + - remove: + field: gigamon.ami.dns_ttl + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: dns.answers.ttl + tag: set_dns_answers.ttl + copy_from: gigamon.ami.dns_ttl + if: ctx.gigamon?.ami?.dns_ttl != null + - set: + field: dns.question.type + tag: 
set_dns_question_type + copy_from: gigamon.ami.dns_query_type_value + if: ctx.gigamon?.ami?.dns_query_type_value != null + - set: + field: dns.response_code + tag: set_dns_response_code + copy_from: gigamon.ami.dns_reply_code_value + if: ctx.gigamon?.ami?.dns_reply_code_value != null + - set: + field: host.name + tag: set_host_name + copy_from: gigamon.ami.dns_host + if: ctx.gigamon?.ami?.dns_host != null + - set: + field: host.type + tag: set_host_type + copy_from: gigamon.ami.dns_host_type + if: ctx.gigamon?.ami?.dns_host_type!= null + - append: + field: related.ip + tag: set_related_ip + value: "{{{gigamon.ami.dns_reverse_addr}}}" + if: ctx.gigamon?.ami?.dns_reverse_addr != null + allow_duplicates: false + - set: + field: dns.type + tag: set_dns_type + copy_from: gigamon.ami.dns_message_type + if: ctx.gigamon?.ami?.dns_message_type != null + - convert: + field: gigamon.ami.http_rtt + if: ctx.gigamon?.ami?.http_rtt != null + tag: convert_http_rtt + type: float + on_failure: + - remove: + field: gigamon.ami.http_rtt + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - script: + lang: painless + description: Convert http_rtt in seconds to nanoseconds for populating event.duration + source: >- + ctx.event.duration = ctx.gigamon.ami.http_rtt * 1000000000L; + if: ctx.gigamon?.ami?.http_rtt != null + - set: + field: user_agent.original + tag: set_user_agent_original + copy_from: gigamon.ami.http_user_agent + if: ctx.gigamon?.ami?.http_user_agent != null + - set: + field: http.request.method + tag: set_http_request_method + copy_from: gigamon.ami.http_method + if: ctx.gigamon?.ami?.http_method != null + - set: + field: http.version + tag: set_http_version + copy_from: gigamon.ami.http_version + if: ctx.gigamon?.ami?.http_version != null + - convert: + field: 
gigamon.ami.http_code + if: ctx.gigamon?.ami?.http_code != null + tag: convert_http_code + type: long + on_failure: + - remove: + field: gigamon.ami.http_code + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: http.response.status_code + tag: set_http_response_status_code + copy_from: gigamon.ami.http_code + if: ctx.gigamon?.ami?.http_code != null + - set: + field: file.extension + tag: set_http_file_extension + copy_from: gigamon.ami.http_file_type + if: ctx.gigamon?.ami?.http_file_type != null + - set: + field: http.request.referrer + tag: set_http_request_referer + copy_from: gigamon.ami.http_referer + if: ctx.gigamon?.ami?.http_referer != null + - set: + field: server.domain + tag: set_server_domain + copy_from: gigamon.ami.http_server + if: ctx.gigamon?.ami?.http_server != null + - set: + field: url.path + tag: set_url_path + copy_from: gigamon.ami.http_uri_path + if: ctx.gigamon?.ami?.http_uri_path != null + - set: + field: url.full + tag: set_url_full + copy_from: gigamon.ami.http_uri + if: ctx.gigamon?.ami?.http_uri != null + - set: + field: host.name + tag: set_host_name + copy_from: gigamon.ami.http_host + if: ctx.gigamon?.ami?.http_host != null + - set: + field: url.original + tag: set_url_original + copy_from: gigamon.ami.http_uri_raw + if: ctx.gigamon?.ami?.http_uri_raw != null + - set: + field: tls.cipher + tag: set_tls_cipher + copy_from: gigamon.ami.ssl_cipher_suite_id_value + if: ctx.gigamon?.ami?.ssl_cipher_suite_id_value != null + - set: + field: tls.client.not_after + tag: set_tls_client_not_after + copy_from: gigamon.ami.ssl_validity_not_after + if: ctx.gigamon?.ami?.ssl_validity_not_after != null + - set: + field: tls.client.not_before + tag: set_tls_client_not_before + copy_from: gigamon.ami.ssl_validity_not_before + if: 
ctx.gigamon?.ami?.ssl_validity_not_before != null + - set: + field: tls.version_protocol + tag: set_tls_version_protocol + copy_from: gigamon.ami.ssl_protocol_version_value + if: ctx.gigamon?.ami?.ssl_protocol_version_value != null + - set: + field: tls.client.server_name + tag: set_tls_client_server_name + copy_from: gigamon.ami.ssl_common_name + if: ctx.gigamon?.ami?.ssl_common_name != null + - set: + field: tls.client.issuer + tag: set_tls_client_issuer + copy_from: gigamon.ami.ssl_issuer + if: ctx.gigamon?.ami?.ssl_issuer != null + - set: + field: tls.client.subject + tag: set_tls_client_subject + copy_from: gigamon.ami.ssl_certificate_subject_cn + if: ctx.gigamon?.ami?.ssl_certificate_subject_cn != null + - set: + field: source.ip + tag: set_source_ip + copy_from: gigamon.ami.src_ip + if: ctx.gigamon?.ami?.src_ip != null + - set: + field: destination.ip + tag: set_destination_ip + copy_from: gigamon.ami.dst_ip + if: ctx.gigamon?.ami?.dst_ip != null + - set: + field: source.port + tag: set_source_port + copy_from: gigamon.ami.src_port + if: ctx.gigamon?.ami?.src_port != null + - set: + field: destination.port + tag: set_destination_port + copy_from: gigamon.ami.dst_port + if: ctx.gigamon?.ami?.dst_port != null + - set: + field: service.type + tag: set_service_type + copy_from: gigamon.ami.app_name + if: ctx.gigamon?.ami?.app_name != null + - set: + field: event.start + tag: set_event_start + copy_from: gigamon.ami.start_time + if: ctx.gigamon?.ami?.start_time != null + - set: + field: event.end + tag: set_event_end + copy_from: gigamon.ami.end_time + if: ctx.gigamon?.ami?.end_time != null + - set: + field: source.ip + tag: set_source_ip + copy_from: gigamon.ami.src_ipv6 + if: ctx.gigamon?.ami?.src_ipv6 != null + - set: + field: destination.ip + tag: set_destination_ip + copy_from: gigamon.ami.dst_ipv6 + if: ctx.gigamon?.ami?.dst_ipv6 != null + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + ignore_missing: true + 
database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - set: + field: source.bytes + tag: set_source_bytes + copy_from: gigamon.ami.src_bytes + if: ctx.gigamon?.ami?.src_bytes != null + - set: + field: destination.bytes + tag: set_destination_bytes + copy_from: gigamon.ami.dst_bytes + if: ctx.gigamon?.ami?.dst_bytes != null + - set: + field: source.packets + tag: set_source_packets + copy_from: gigamon.ami.src_packets + if: ctx.gigamon?.ami?.src_packets != null + - set: + field: destination.packets + tag: set_destination_packets + copy_from: gigamon.ami.dst_packets + if: ctx.gigamon?.ami?.dst_packets != null + - set: + field: service.version + tag: set_snmp_version + copy_from: gigamon.ami.snmp_version + if: ctx.gigamon?.ami?.snmp_version != null + - set: + field: service.version + tag: set_smb_version + copy_from: gigamon.ami.smb_version_value + if: ctx.gigamon?.ami?.smb_version_value != null + - set: + field: event.id + tag: set_event_id + copy_from: gigamon.ami.id + if: ctx.gigamon?.ami?.id != null + - set: + field: service.id + tag: set_service.id + copy_from: gigamon.ami.app_id + if: ctx.gigamon?.ami?.app_id != null + - script: + lang: painless + description: Replace ":" in source mac with "-" + source: >- + 
ctx.source.mac = ctx.gigamon.ami.src_mac.replace(":", "-").toUpperCase(); + if: ctx.gigamon?.ami?.src_mac != null + - script: + lang: painless + description: Replace ":" in destination mac with "-" + source: >- + ctx.destination.mac = ctx.gigamon.ami.dst_mac.replace(":", "-").toUpperCase(); + if: ctx.gigamon?.ami?.dst_mac != null - remove: field: - ts diff --git a/packages/gigamon/data_stream/ami/fields/fields.yml b/packages/gigamon/data_stream/ami/fields/fields.yml index 2f7fb4293b7..bce490c41f2 100644 --- a/packages/gigamon/data_stream/ami/fields/fields.yml +++ b/packages/gigamon/data_stream/ami/fields/fields.yml @@ -7,7 +7,7 @@ - name: seq_num type: long - name: app_id - type: long + type: keyword - name: app_name type: keyword - name: ts @@ -28,6 +28,10 @@ type: date - name: end_time type: date + - name: flow_start_sec + type: date + - name: flow_end_sec + type: date - name: intf_name type: keyword - name: egress_intf_id @@ -51,6 +55,8 @@ type: keyword - name: dst_ip type: ip + - name: dst_ipv6 + type: ip - name: dst_port type: long - name: dst_bytes @@ -61,6 +67,8 @@ type: keyword - name: src_ip type: ip + - name: src_ipv6 + type: ip - name: src_port type: long - name: src_bytes @@ -92,6 +100,10 @@ type: keyword - name: dns_host_raw type: keyword + - name: dns_message_type + type: keyword + - name: dns_tunneling + type: keyword - name: dns_query type: keyword - name: dns_query_type @@ -122,7 +134,7 @@ - name: http_server_agent type: keyword - name: http_rtt - type: keyword + type: double - name: http_code type: long - name: http_content_len @@ -133,6 +145,8 @@ type: keyword - name: http_request_size type: long + - name: http_set_cookie + type: keyword - name: http_host type: keyword - name: http_uri_decoded @@ -143,6 +157,12 @@ type: keyword - name: http_content_type type: keyword + - name: http_content_encoding + type: keyword + - name: http_file_type + type: keyword + - name: http_referer + type: keyword - name: http_method type: keyword - name: http_version 
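Review bot: The `set_tls_client_not_after`, `set_tls_client_not_before`, `set_tls_client_issuer` and `set_tls_client_subject` processors copy what is almost certainly the server's certificate into `tls.client.*` — the fixture record on port 443 carries issuer `Amazon` and subject `*.event.prod.bidr.io` — so any detection keyed on server certificate validity (that certificate expired 2020-08-31) or issuer would never match these events; map them to `tls.server.not_after`, `tls.server.not_before`, `tls.server.issuer`, `tls.server.subject` (or the `tls.server.x509.*` equivalents). Likewise `ssl_common_name` is the certificate CN, not the SNI that `tls.client.server_name` denotes, so drop that set or route it to `tls.server.x509.subject.common_name` unless Gigamon documents `ssl_common_name` as the client-sent server name. `set_host_name` is defined twice (from `dns_host` and from `http_host`) with the same tag, and `set_source_ip` twice likewise, which makes `on_failure` messages ambiguous; more importantly the HTTP `Host` header is request data under the sender's control and belongs in `url.domain` / `destination.domain`, not in ECS `host.name`, which identifies the host that produced the event. Finally, the two MAC-normalising scripts assign `ctx.source.mac` / `ctx.destination.mac` without ensuring the parent map exists, so a record carrying `src_mac` but neither `src_ip` nor `src_ipv6` would make the script throw a null pointer error and fail the document; guard with `if (ctx.source == null) { ctx.source = [:]; }` (and the same for `destination`). The tls.server rewrite and the guard are sketched below; the pipeline test fixtures will need regenerating once the target fields change.

```yaml
  - set:
      field: tls.server.not_after
      tag: set_tls_server_not_after
      copy_from: gigamon.ami.ssl_validity_not_after
      if: ctx.gigamon?.ami?.ssl_validity_not_after != null
  - set:
      field: tls.server.not_before
      tag: set_tls_server_not_before
      copy_from: gigamon.ami.ssl_validity_not_before
      if: ctx.gigamon?.ami?.ssl_validity_not_before != null
  - set:
      field: tls.server.issuer
      tag: set_tls_server_issuer
      copy_from: gigamon.ami.ssl_issuer
      if: ctx.gigamon?.ami?.ssl_issuer != null
  - set:
      field: tls.server.subject
      tag: set_tls_server_subject
      copy_from: gigamon.ami.ssl_certificate_subject_cn
      if: ctx.gigamon?.ami?.ssl_certificate_subject_cn != null
  # … unchanged: tls.cipher / tls.version_protocol, source/destination ip, port, bytes, packets, service, event.id sets, geoip/as enrichment …
  - script:
      lang: painless
      description: Normalise source MAC to upper-case, dash-separated form; create the parent map first so L2-only records do not fail.
      source: >-
        if (ctx.source == null) { ctx.source = [:]; }
        ctx.source.mac = ctx.gigamon.ami.src_mac.replace(":", "-").toUpperCase();
      if: ctx.gigamon?.ami?.src_mac != null
  - script:
      lang: painless
      description: Normalise destination MAC the same way, guarding the parent map.
      source: >-
        if (ctx.destination == null) { ctx.destination = [:]; }
        ctx.destination.mac = ctx.gigamon.ami.dst_mac.replace(":", "-").toUpperCase();
      if: ctx.gigamon?.ami?.dst_mac != null
```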
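Review bot: `http_set_cookie` is added as an indexed `keyword` and the pipeline hunk shows no `remove` for it, so the raw `Set-Cookie` value is persisted verbatim in the data stream — the fixture already contains a session identifier (`S_6283423=1070476434893147863`). Anyone with read access to `logs-gigamon.ami-*` could harvest such tokens, and the same concern applies to `http_referer`, which regularly carries query-string secrets. Unless there is a documented analytic need, drop `http_set_cookie` in the pipeline (or keep only the cookie name, `S_6283423`, via a grok/split before indexing) and add a `description:` on the field noting that it may contain session credentials so operators can apply field-level security.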
@@ -152,6 +172,22 @@ # tcp_ fields - name: tcp_flags type: keyword + - name: tcp_rtt + type: double + - name: tcp_rtt_app + type: double + - name: ip_wrong_crc + type: keyword + - name: snmp_version + type: keyword + - name: tcp_flag_reset + type: keyword + - name: tcp_loss_count + type: keyword + - name: tcp_wrong_crc + type: keyword + - name: tcp_retransmission_bytes + type: long # ssl_ fields - name: ssl_certif_md5 type: keyword @@ -261,3 +297,12 @@ type: keyword - name: ssl_signalization_override type: keyword + # smb fields + - name: smb_command_string + type: keyword + - name: smb_filename + type: keyword + - name: smb_host + type: keyword + - name: smb_path + type: keyword diff --git a/packages/gigamon/data_stream/ami/sample_event.json b/packages/gigamon/data_stream/ami/sample_event.json index d46cb4d50e6..cce91f95390 100644 --- a/packages/gigamon/data_stream/ami/sample_event.json +++ b/packages/gigamon/data_stream/ami/sample_event.json 
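Review bot: `ip_wrong_crc`, `tcp_loss_count` and `tcp_wrong_crc` are declared `keyword` although the fixture values are counters (`5199`, `1380`, `4296`), and `tcp_flag_reset` is a `0`/`1` flag; keyword typing rules out range queries and aggregations, which is exactly how a detection on checksum-error or loss spikes would consume these fields. Declare the three counters as `long` with matching `convert` processors in the pipeline, and make `tcp_flag_reset` a `boolean` (or document the keyword values if Gigamon defines more than two). The same applies to `dns_tunneling` added in an earlier hunk of this file — the fixture shows `"1"` — which is a detection verdict analysts will filter on and should be boolean rather than a free-text keyword.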
@@ -1,35 +1,61 @@
{
"@timestamp": "2023-05-16T15:25:25.000Z",
"agent": {
- "ephemeral_id": "7733f9fd-539a-4020-a4de-15f1ceb8c4bf",
- "id": "47bbeb84-a39b-4490-9208-eada12c773a0",
- "name": "elastic-agent-93813",
+ "ephemeral_id": "680e67f8-f46d-4e04-8e05-1e17eec1ceb4",
+ "id": "e0946e49-edee-4bff-b50f-68db064a11a8",
+ "name": "elastic-agent-50093",
"type": "filebeat",
- "version": "8.17.0"
+ "version": "8.18.2"
},
"data_stream": {
"dataset": "gigamon.ami",
- "namespace": "46839",
+ "namespace": "25103",
"type": "logs"
},
+ "destination": {
+ "bytes": 0,
+ "ip": "224.0.0.251",
+ "mac": "01-00-5E-00-00-FB",
+ "packets": 0,
+ "port": 5353
+ },
+ "dns": {
+ "answers": {
+ "ttl": 120
+ },
+ "question": {
+ "name": "f.7.5.2.e.7.6.2.4.c.1.c.4.c.6.1.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa",
+ "registered_domain": "a.b.2.b.9.6.c.2.3.9.3.d.6.2.6.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. i:p6.arpa",
+ "type": "*"
+ }
+ },
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
- "id": "47bbeb84-a39b-4490-9208-eada12c773a0",
+ "id": "e0946e49-edee-4bff-b50f-68db064a11a8",
"snapshot": false,
- "version": "8.17.0"
+ "version": "8.18.2"
},
"event": {
"agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
"dataset": "gigamon.ami",
- "ingested": "2025-06-03T09:26:56Z",
+ "end": "2023-12-13T15:25:11.181Z",
+ "id": "679408454713072647",
+ "ingested": "2025-07-29T06:24:16Z",
"kind": "event",
- "original": "{\"app_id\":\"32\",\"app_name\":\"dns\",\"device_inbound_interface\":\"0\",\"dns_class\":\"1\",\"dns_flags\":\"0\",\"dns_host\":\"pnstrex-83816.local\",\"dns_host_addr\":\"10.114.82.101\",\"dns_host_class\":\"1\",\"dns_host_raw\":\"706e73747265782d38333831362e6c6f63616c\",\"dns_host_type\":\"PTR\",\"dns_name\":\"a.b.2.b.9.6.c.2.3.9.3.d.6.2.6.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. i:p6.arpa\",\"dns_opcode\":\"0\",\"dns_qdcount\":\"4\",\"dns_query\":\"f.7.5.2.e.7.6.2.4.c.1.c.4.c.6.1.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa\",\"dns_query_type\":\"255\",\"dns_transaction_id\":\"0\",\"dns_ttl\":\"120\",\"dst_bytes\":\"0\",\"dst_ip\":\"224.0.0.251\",\"dst_mac\":\"01:00:5e:00:00:fb\",\"dst_packets\":\"0\",\"dst_port\":\"5353\",\"egress_intf_id\":\"0\",\"end_reason\":\"1\",\"end_time\":\"2023:12:13 15:25:11.181\",\"generator\":\"gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6\",\"id\":\"679408454713072647\",\"intf_name\":\"0\",\"ip_version\":\"4\",\"protocol\":\"17\",\"seq_num\":\"656\",\"src_bytes\":\"337\",\"src_ip\":\"10.114.82.101\",\"src_mac\":\"00:50:56:8d:89:41\",\"src_packets\":\"1\",\"src_port\":\"5353\",\"start_time\":\"2023:12:13 15:25:11.181\",\"sys_up_time_first\":\"3497355275\",\"sys_up_time_last\":\"3497355275\",\"ts\":\"Thu May 16 15:25:25 2023\",\"vendor\":\"Gigamon\",\"version\":\"6.5.00\"}"
+ "original": "{\"app_id\":\"32\",\"app_name\":\"dns\",\"device_inbound_interface\":\"0\",\"dns_class\":\"1\",\"dns_flags\":\"0\",\"dns_host\":\"pnstrex-83816.local\",\"dns_host_addr\":\"10.114.82.101\",\"dns_host_class\":\"1\",\"dns_host_raw\":\"706e73747265782d38333831362e6c6f63616c\",\"dns_host_type\":\"PTR\",\"dns_name\":\"a.b.2.b.9.6.c.2.3.9.3.d.6.2.6.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. i:p6.arpa\",\"dns_opcode\":\"0\",\"dns_qdcount\":\"4\",\"dns_query\":\"f.7.5.2.e.7.6.2.4.c.1.c.4.c.6.1.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa\",\"dns_query_type\":\"255\",\"dns_transaction_id\":\"0\",\"dns_ttl\":\"120\",\"dst_bytes\":\"0\",\"dst_ip\":\"224.0.0.251\",\"dst_mac\":\"01:00:5e:00:00:fb\",\"dst_packets\":\"0\",\"dst_port\":\"5353\",\"egress_intf_id\":\"0\",\"end_reason\":\"1\",\"end_time\":\"2023:12:13 15:25:11.181\",\"generator\":\"gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6\",\"id\":\"679408454713072647\",\"intf_name\":\"0\",\"ip_version\":\"4\",\"protocol\":\"17\",\"seq_num\":\"656\",\"src_bytes\":\"337\",\"src_ip\":\"10.114.82.101\",\"src_mac\":\"00:50:56:8d:89:41\",\"src_packets\":\"1\",\"src_port\":\"5353\",\"start_time\":\"2023:12:13 15:25:11.181\",\"sys_up_time_first\":\"3497355275\",\"sys_up_time_last\":\"3497355275\",\"ts\":\"Thu May 16 15:25:25 2023\",\"vendor\":\"Gigamon\",\"version\":\"6.5.00\"}",
+ "start": "2023-12-13T15:25:11.181Z",
+ "type": [
+ "info"
+ ]
},
"gigamon": {
"ami": {
- "app_id": 32,
+ "app_id": "32",
"app_name": "dns",
"device_inbound_interface": "0",
"dns_class": "1",
@@ -75,9 +101,27 @@
"version": "6.5.00"
}
},
+ "host": {
+ "ip": [
+ "10.114.82.101"
+ ],
+ "name": "pnstrex-83816.local",
+ "type": "PTR"
+ },
"input": {
"type": "http_endpoint"
},
+ "service": {
+ "id": "32",
+ "type": "dns"
+ },
+ "source": {
+ "bytes": 337,
+ "ip": "10.114.82.101",
+ "mac": "00-50-56-8D-89-41",
+ "packets": 1,
+ "port": 5353
+ },
"tags": [
"preserve_original_event",
"forwarded",
diff --git a/packages/gigamon/docs/README.md b/packages/gigamon/docs/README.md
index 6dc37cbdff2..cccc9926cf8 100644
--- a/packages/gigamon/docs/README.md
+++ b/packages/gigamon/docs/README.md
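Review bot: In the added `dns` object, `dns.question.registered_domain` (`a.b.2.b…b.a.c.f. i:p6.arpa`) is not a suffix of `dns.question.name` (`f.7.5.2…b.a.c.f. ip6.arpa`), so it looks like the raw `dns_name` value is copied into it rather than the registered domain being derived from the question name as ECS defines the field. `dns.answers` is also emitted as a single object (`{"ttl": 120}`) where ECS defines it as an array of answer objects, so consumers that iterate answers will break on this shape. Both values come from the ingest pipeline, which is outside this hunk; deriving `registered_domain` from `dns.question.name` with the `registered_domain` processor and emitting `dns.answers` as `[ { "ttl": 120 } ]` would bring the sample in line with the schema.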
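Review bot: The added `host` object fills `host.name`, `host.ip` and `host.type` from the DNS answer (`dns_host`, `dns_host_addr`, `dns_host_type` in `event.original`), but ECS `host.*` describes the host the event was observed on or produced by, and `host.type` is a host class, not a DNS record type such as `PTR`. Mapped this way, every flow appears to originate from whatever name the DNS reply resolved, which pollutes host-centric dashboards and any rule that pivots on `host.name`. The resolved record belongs in `dns.answers` (`name`, `data`, `type`), and `service.id`/`service.type` set from `app_id`/`app_name` stretch `service.*` in a similar way and deserve a comment in the pipeline explaining the intent. The mapping itself lives in the ingest pipeline outside this hunk.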
@@ -67,35 +67,61 @@ An example event for `ami` looks as following:
{
"@timestamp": "2023-05-16T15:25:25.000Z",
"agent": {
- "ephemeral_id": "7733f9fd-539a-4020-a4de-15f1ceb8c4bf",
- "id": "47bbeb84-a39b-4490-9208-eada12c773a0",
- "name": "elastic-agent-93813",
+ "ephemeral_id": "680e67f8-f46d-4e04-8e05-1e17eec1ceb4",
+ "id": "e0946e49-edee-4bff-b50f-68db064a11a8",
+ "name": "elastic-agent-50093",
"type": "filebeat",
- "version": "8.17.0"
+ "version": "8.18.2"
},
"data_stream": {
"dataset": "gigamon.ami",
- "namespace": "46839",
+ "namespace": "25103",
"type": "logs"
},
+ "destination": {
+ "bytes": 0,
+ "ip": "224.0.0.251",
+ "mac": "01-00-5E-00-00-FB",
+ "packets": 0,
+ "port": 5353
+ },
+ "dns": {
+ "answers": {
+ "ttl": 120
+ },
+ "question": {
+ "name": "f.7.5.2.e.7.6.2.4.c.1.c.4.c.6.1.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. ip6.arpa",
+ "registered_domain": "a.b.2.b.9.6.c.2.3.9.3.d.6.2.6.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. i:p6.arpa",
+ "type": "*"
+ }
+ },
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
- "id": "47bbeb84-a39b-4490-9208-eada12c773a0",
+ "id": "e0946e49-edee-4bff-b50f-68db064a11a8",
"snapshot": false,
- "version": "8.17.0"
+ "version": "8.18.2"
},
"event": {
"agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
"dataset": "gigamon.ami",
- "ingested": "2025-06-03T09:26:56Z",
+ "end": "2023-12-13T15:25:11.181Z",
+ "id": "679408454713072647",
+ "ingested": "2025-07-29T06:24:16Z",
"kind": "event",
- "original": "{\"app_id\":\"32\",\"app_name\":\"dns\",\"device_inbound_interface\":\"0\",\"dns_class\":\"1\",\"dns_flags\":\"0\",\"dns_host\":\"pnstrex-83816.local\",\"dns_host_addr\":\"10.114.82.101\",\"dns_host_class\":\"1\",\"dns_host_raw\":\"706e73747265782d38333831362e6c6f63616c\",\"dns_host_type\":\"PTR\",\"dns_name\":\"a.b.2.b.9.6.c.2.3.9.3.d.6.2.6.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. i:p6.arpa\",\"dns_opcode\":\"0\",\"dns_qdcount\":\"4\",\"dns_query\":\"f.7.5.2.e.7.6.2.4.c.1.c.4.c.6.1.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa\",\"dns_query_type\":\"255\",\"dns_transaction_id\":\"0\",\"dns_ttl\":\"120\",\"dst_bytes\":\"0\",\"dst_ip\":\"224.0.0.251\",\"dst_mac\":\"01:00:5e:00:00:fb\",\"dst_packets\":\"0\",\"dst_port\":\"5353\",\"egress_intf_id\":\"0\",\"end_reason\":\"1\",\"end_time\":\"2023:12:13 15:25:11.181\",\"generator\":\"gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6\",\"id\":\"679408454713072647\",\"intf_name\":\"0\",\"ip_version\":\"4\",\"protocol\":\"17\",\"seq_num\":\"656\",\"src_bytes\":\"337\",\"src_ip\":\"10.114.82.101\",\"src_mac\":\"00:50:56:8d:89:41\",\"src_packets\":\"1\",\"src_port\":\"5353\",\"start_time\":\"2023:12:13 15:25:11.181\",\"sys_up_time_first\":\"3497355275\",\"sys_up_time_last\":\"3497355275\",\"ts\":\"Thu May 16 15:25:25 2023\",\"vendor\":\"Gigamon\",\"version\":\"6.5.00\"}"
+ "original": "{\"app_id\":\"32\",\"app_name\":\"dns\",\"device_inbound_interface\":\"0\",\"dns_class\":\"1\",\"dns_flags\":\"0\",\"dns_host\":\"pnstrex-83816.local\",\"dns_host_addr\":\"10.114.82.101\",\"dns_host_class\":\"1\",\"dns_host_raw\":\"706e73747265782d38333831362e6c6f63616c\",\"dns_host_type\":\"PTR\",\"dns_name\":\"a.b.2.b.9.6.c.2.3.9.3.d.6.2.6.a.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. i:p6.arpa\",\"dns_opcode\":\"0\",\"dns_qdcount\":\"4\",\"dns_query\":\"f.7.5.2.e.7.6.2.4.c.1.c.4.c.6.1.0.8.0.2.1.0.0.0.0.0.0.0.b.a.c.f. 
ip6.arpa\",\"dns_query_type\":\"255\",\"dns_transaction_id\":\"0\",\"dns_ttl\":\"120\",\"dst_bytes\":\"0\",\"dst_ip\":\"224.0.0.251\",\"dst_mac\":\"01:00:5e:00:00:fb\",\"dst_packets\":\"0\",\"dst_port\":\"5353\",\"egress_intf_id\":\"0\",\"end_reason\":\"1\",\"end_time\":\"2023:12:13 15:25:11.181\",\"generator\":\"gs_apps_appInst16_423722da-33ec-1556-b24b-cda2e74a53f6\",\"id\":\"679408454713072647\",\"intf_name\":\"0\",\"ip_version\":\"4\",\"protocol\":\"17\",\"seq_num\":\"656\",\"src_bytes\":\"337\",\"src_ip\":\"10.114.82.101\",\"src_mac\":\"00:50:56:8d:89:41\",\"src_packets\":\"1\",\"src_port\":\"5353\",\"start_time\":\"2023:12:13 15:25:11.181\",\"sys_up_time_first\":\"3497355275\",\"sys_up_time_last\":\"3497355275\",\"ts\":\"Thu May 16 15:25:25 2023\",\"vendor\":\"Gigamon\",\"version\":\"6.5.00\"}",
+ "start": "2023-12-13T15:25:11.181Z",
+ "type": [
+ "info"
+ ]
},
"gigamon": {
"ami": {
- "app_id": 32,
+ "app_id": "32",
"app_name": "dns",
"device_inbound_interface": "0",
"dns_class": "1",
@@ -141,9 +167,27 @@ An example event for `ami` looks as following:
"version": "6.5.00"
}
},
+ "host": {
+ "ip": [
+ "10.114.82.101"
+ ],
+ "name": "pnstrex-83816.local",
+ "type": "PTR"
+ },
"input": {
"type": "http_endpoint"
},
+ "service": {
+ "id": "32",
+ "type": "dns"
+ },
+ "source": {
+ "bytes": 337,
+ "ip": "10.114.82.101",
+ "mac": "00-50-56-8D-89-41",
+ "packets": 1,
+ "port": 5353
+ },
"tags": [
"preserve_original_event",
"forwarded",
@@ -162,7 +206,7 @@ An example event for `ami` looks as following:
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset | constant_keyword |
| event.module | Event module | constant_keyword |
-| gigamon.ami.app_id | | long |
+| gigamon.ami.app_id | | keyword |
| gigamon.ami.app_name | | keyword |
| gigamon.ami.device_inbound_interface | | keyword |
| gigamon.ami.dns_ancount | | long |
@@ -174,6 +218,7 @@ An example event for `ami` looks as following:
| gigamon.ami.dns_host_class | | keyword |
| gigamon.ami.dns_host_raw | | keyword |
| gigamon.ami.dns_host_type | | keyword |
+| gigamon.ami.dns_message_type | | keyword |
| gigamon.ami.dns_name | | keyword |
| gigamon.ami.dns_opcode | | keyword |
| gigamon.ami.dns_qdcount | | long |
@@ -186,8 +231,10 @@ An example event for `ami` looks as following:
| gigamon.ami.dns_reverse_addr | | ip |
| gigamon.ami.dns_transaction_id | | long |
| gigamon.ami.dns_ttl | | long |
+| gigamon.ami.dns_tunneling | | keyword |
| gigamon.ami.dst_bytes | | long |
| gigamon.ami.dst_ip | | ip |
+| gigamon.ami.dst_ipv6 | | ip |
| gigamon.ami.dst_mac | | keyword |
| gigamon.ami.dst_packets | | long |
| gigamon.ami.dst_port | | long |
@@ -196,17 +243,23 @@ An example event for `ami` looks as following:
| gigamon.ami.end_reason_value | | keyword |
| gigamon.ami.end_time | | date |
| gigamon.ami.eventType | | keyword |
+| gigamon.ami.flow_end_sec | | date |
+| gigamon.ami.flow_start_sec | | date |
| gigamon.ami.generator | | keyword |
| gigamon.ami.http_code | | long |
+| gigamon.ami.http_content_encoding | | keyword |
| gigamon.ami.http_content_len | | long |
| gigamon.ami.http_content_type | | keyword |
+| gigamon.ami.http_file_type | | keyword |
| gigamon.ami.http_host | | keyword |
| gigamon.ami.http_method | | keyword |
| gigamon.ami.http_mime_type | | keyword |
+| gigamon.ami.http_referer | | keyword |
| gigamon.ami.http_request_size | | long |
-| gigamon.ami.http_rtt | | keyword |
+| gigamon.ami.http_rtt | | double |
| gigamon.ami.http_server | | keyword |
| gigamon.ami.http_server_agent | | keyword |
+| gigamon.ami.http_set_cookie | | keyword |
| gigamon.ami.http_uri | | keyword |
| gigamon.ami.http_uri_decoded | | keyword |
| gigamon.ami.http_uri_full | | keyword |
@@ -219,12 +272,19 @@ An example event for `ami` looks as following:
| gigamon.ami.id | | keyword |
| gigamon.ami.intf_name | | keyword |
| gigamon.ami.ip_version | | keyword |
+| gigamon.ami.ip_wrong_crc | | keyword |
| gigamon.ami.protocol | | keyword |
| gigamon.ami.seq_num | | long |
+| gigamon.ami.smb_command_string | | keyword |
+| gigamon.ami.smb_filename | | keyword |
+| gigamon.ami.smb_host | | keyword |
+| gigamon.ami.smb_path | | keyword |
| gigamon.ami.smb_version | | keyword |
| gigamon.ami.smb_version_value | | keyword |
+| gigamon.ami.snmp_version | | keyword |
| gigamon.ami.src_bytes | | long |
| gigamon.ami.src_ip | | ip |
+| gigamon.ami.src_ipv6 | | ip |
| gigamon.ami.src_mac | | keyword |
| gigamon.ami.src_packets | | long |
| gigamon.ami.src_port | | long |
@@ -285,7 +345,13 @@ An example event for `ami` looks as following:
| gigamon.ami.start_time | | date |
| gigamon.ami.sys_up_time_first | | long |
| gigamon.ami.sys_up_time_last | | long |
+| gigamon.ami.tcp_flag_reset | | keyword |
| gigamon.ami.tcp_flags | | keyword |
+| gigamon.ami.tcp_loss_count | | keyword |
+| gigamon.ami.tcp_retransmission_bytes | | long |
+| gigamon.ami.tcp_rtt | | double |
+| gigamon.ami.tcp_rtt_app | | double |
+| gigamon.ami.tcp_wrong_crc | | keyword |
| gigamon.ami.ts | | date |
| gigamon.ami.vendor | | keyword |
| gigamon.ami.version | | keyword |
diff --git a/packages/gigamon/manifest.yml b/packages/gigamon/manifest.yml
index 5cd63c7beab..b7a0ff1416a 100644
--- a/packages/gigamon/manifest.yml
+++ b/packages/gigamon/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.1.3
name: gigamon
title: Gigamon
-version: "1.7.0"
+version: "2.0.0"
description: Collect logs from Gigamon with Elastic Agent.
type: integration
categories: