From ddbadd56934638e85b34ae215e22a03020ef4d45 Mon Sep 17 00:00:00 2001 
From: mohitjha_elastic Date: Mon, 16 Feb 2026 18:11:04 +0530 Subject: [PATCH 1/2] Add benchmark and policy test. --- .../rally/intelligence-benchmark.yml | 14 +++ .../rally/intelligence-benchmark/config.yml | 98 +++++++++++++++++++ .../rally/intelligence-benchmark/fields.yml | 70 +++++++++++++ .../intelligence-benchmark/template.ndjson | 79 +++++++++++++++ .../rally/threatstream-benchmark.yml | 14 +++ .../rally/threatstream-benchmark/config.yml | 83 ++++++++++++++++ .../rally/threatstream-benchmark/fields.yml | 44 +++++++++ .../threatstream-benchmark/template.ndjson | 47 +++++++++ .../system/deploy/docker/docker-compose.yml | 25 +++++ .../system/deploy/docker/files/config.yml | 24 +++++ .../system/intelligence-benchmark.yml | 28 ++++++ .../system/intelligence-benchmark/config.yml | 98 +++++++++++++++++++ .../system/intelligence-benchmark/fields.yml | 72 ++++++++++++++ .../intelligence-benchmark/template.ndjson | 37 +++++++ .../system/threatstream-benchmark.yml | 25 +++++ .../system/threatstream-benchmark/config.yml | 73 ++++++++++++++ .../system/threatstream-benchmark/fields.yml | 44 +++++++++ .../threatstream-benchmark/template.ndjson | 23 +++++ .../_dev/benchmark/pipeline/config.yml | 1 + .../pipeline/intellegence-sample.log | 4 + .../_dev/test/policy/test-all.expected | 68 +++++++++++++ .../_dev/test/policy/test-all.yml | 49 ++++++++++ .../_dev/test/policy/test-default.expected | 54 ++++++++++ .../_dev/test/policy/test-default.yml | 4 + .../_dev/benchmark/pipeline/config.yml | 1 + .../pipeline/intellegence-sample.log | 5 + .../_dev/test/policy/test-all.expected | 60 ++++++++++++ .../_dev/test/policy/test-all.yml | 23 +++++ .../_dev/test/policy/test-default.expected | 46 +++++++++ .../_dev/test/policy/test-default.yml | 3 + 30 files changed, 1216 insertions(+) create mode 100644 packages/ti_anomali/_dev/benchmark/rally/intelligence-benchmark.yml create mode 100644 packages/ti_anomali/_dev/benchmark/rally/intelligence-benchmark/config.yml create mode 100644 
packages/ti_anomali/_dev/benchmark/rally/intelligence-benchmark/fields.yml create mode 100644 packages/ti_anomali/_dev/benchmark/rally/intelligence-benchmark/template.ndjson create mode 100644 packages/ti_anomali/_dev/benchmark/rally/threatstream-benchmark.yml create mode 100644 packages/ti_anomali/_dev/benchmark/rally/threatstream-benchmark/config.yml create mode 100644 packages/ti_anomali/_dev/benchmark/rally/threatstream-benchmark/fields.yml create mode 100644 packages/ti_anomali/_dev/benchmark/rally/threatstream-benchmark/template.ndjson create mode 100644 packages/ti_anomali/_dev/benchmark/system/deploy/docker/docker-compose.yml create mode 100644 packages/ti_anomali/_dev/benchmark/system/deploy/docker/files/config.yml create mode 100644 packages/ti_anomali/_dev/benchmark/system/intelligence-benchmark.yml create mode 100644 packages/ti_anomali/_dev/benchmark/system/intelligence-benchmark/config.yml create mode 100644 packages/ti_anomali/_dev/benchmark/system/intelligence-benchmark/fields.yml create mode 100644 packages/ti_anomali/_dev/benchmark/system/intelligence-benchmark/template.ndjson create mode 100644 packages/ti_anomali/_dev/benchmark/system/threatstream-benchmark.yml create mode 100644 packages/ti_anomali/_dev/benchmark/system/threatstream-benchmark/config.yml create mode 100644 packages/ti_anomali/_dev/benchmark/system/threatstream-benchmark/fields.yml create mode 100644 packages/ti_anomali/_dev/benchmark/system/threatstream-benchmark/template.ndjson create mode 100644 packages/ti_anomali/data_stream/intelligence/_dev/benchmark/pipeline/config.yml create mode 100644 packages/ti_anomali/data_stream/intelligence/_dev/benchmark/pipeline/intellegence-sample.log create mode 100644 packages/ti_anomali/data_stream/intelligence/_dev/test/policy/test-all.expected create mode 100644 packages/ti_anomali/data_stream/intelligence/_dev/test/policy/test-all.yml create mode 100644 packages/ti_anomali/data_stream/intelligence/_dev/test/policy/test-default.expected 
create mode 100644 packages/ti_anomali/data_stream/intelligence/_dev/test/policy/test-default.yml create mode 100644 packages/ti_anomali/data_stream/threatstream/_dev/benchmark/pipeline/config.yml create mode 100644 packages/ti_anomali/data_stream/threatstream/_dev/benchmark/pipeline/intellegence-sample.log create mode 100644 packages/ti_anomali/data_stream/threatstream/_dev/test/policy/test-all.expected create mode 100644 packages/ti_anomali/data_stream/threatstream/_dev/test/policy/test-all.yml create mode 100644 packages/ti_anomali/data_stream/threatstream/_dev/test/policy/test-default.expected create mode 100644 packages/ti_anomali/data_stream/threatstream/_dev/test/policy/test-default.yml diff --git a/packages/ti_anomali/_dev/benchmark/rally/intelligence-benchmark.yml b/packages/ti_anomali/_dev/benchmark/rally/intelligence-benchmark.yml new file mode 100644 index 00000000000..290035d0f92 --- /dev/null +++ b/packages/ti_anomali/_dev/benchmark/rally/intelligence-benchmark.yml @@ -0,0 +1,14 @@ +--- +description: Benchmark 100000 anomali.intelligence events ingested. +data_stream: + name: intelligence +corpora: + generator: + total_events: 100000 + template: + type: gotext + path: ./intelligence-benchmark/template.ndjson + config: + path: ./intelligence-benchmark/config.yml + fields: + path: ./intelligence-benchmark/fields.yml diff --git a/packages/ti_anomali/_dev/benchmark/rally/intelligence-benchmark/config.yml b/packages/ti_anomali/_dev/benchmark/rally/intelligence-benchmark/config.yml new file mode 100644 index 00000000000..a221519c630 --- /dev/null +++ b/packages/ti_anomali/_dev/benchmark/rally/intelligence-benchmark/config.yml 
@@ -0,0 +1,98 @@ +fields: + - name: confidence + cardinility: 100 + - name: created_by + period: -24h + - name: created_ts + period: -24h + - name: expiration_ts + period: -24h + - name: feed_id + cardinility: 1000000 + - name: id + cardinility: 1000000 + - name: itype + enum: + - mal_ip + - mal_domain + - mal_url + - parked_ip + - parked_email + - parked_url + - name: meta_detail2 + enum: + - imported by user 142 + - imported by user 143 + - name: meta_severity + enum: + - low + - medium + - high + - very-high + - name: modified_ts + period: -24h + - name: org + enum: + - Domains by Proxy, LLC + - Alicloud-hk + - name: owner_organization_id + cardinility: 1000000 + - name: resource_uri + enum: + - "/api/v2/intelligence/232020126/" + - "/api/v2/intelligence/235548914/" + - "/api/v2/intelligence/184982668/" + - name: retina_confidence + cardinility: 100 + - name: sort + cardinility: 1000000 + - name: source + enum: + - Analyst + - Default Organization + - name: source_reported_confidence + cardinility: 100 + - name: status + enum: + - active + - inactive + - name: tags_id + cardinility: 1000000 + - name: tags_name + enum: + - Domains-contacted-by-samples-which-do-public-IP-checks. + - public-ip-check-dns + - md5-3d4bf45cc1648d76f9770c7c27afc4b8 + - name: threat_type + enum: + - bot + - apt + - c2 + - i2p + - malware + - name: threatscore + cardinility: 100 + - name: timestamp + period: -24h + - name: tlp + enum: + - WHITE + - AMBER + - name: trusted_circle_ids + cardinility: 1000000 + - name: type + enum: + - domain + - ip + - url + - name: update_id + cardinility: 1000000 + - name: uuid + cardinility: 1000000 + - name: value + enum: + - "test_mail_remote@test.com" + - "test_mail_remote2@test.com" + - "test_mail_remote3@test.com" + - "test_mail_remote4@test.com" + - "test_mail_remote5@test.com" 
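Review bot: The key `cardinility` is misspelled on every numeric field in this file (`confidence`, `feed_id`, `id`, `owner_organization_id`, `retina_confidence`, `sort`, `source_reported_confidence`, `tags_id`, `threatscore`, `trusted_circle_ids`, `update_id`, `uuid`), while the threatstream config added in this same commit spells it `cardinality`. The corpus generator will not recognise the misspelled key, so those fields presumably fall back to unconstrained random values and the intended distributions (100 distinct confidence scores, a million distinct ids) never apply; rename every occurrence to `cardinality: …`. Separately, `value` only ever yields `test_mail_remote*@test.com` while `type` enumerates `domain`/`ip`/`url`, so whichever indicator branch the pipeline takes for those types is fed an email string; and `test.com` is a live registered domain, so the reserved `example.com` is the safer placeholder.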
diff --git a/packages/ti_anomali/_dev/benchmark/rally/intelligence-benchmark/fields.yml b/packages/ti_anomali/_dev/benchmark/rally/intelligence-benchmark/fields.yml new file mode 100644 index 00000000000..22df57a0284 --- /dev/null +++ b/packages/ti_anomali/_dev/benchmark/rally/intelligence-benchmark/fields.yml @@ -0,0 +1,70 @@ +- name: asn + type: keyword +- name: can_add_public_tags + type: boolean +- name: confidence + type: long +- name: created_by + type: keyword +- name: created_ts + type: date +- name: description + type: keyword +- name: expiration_ts + type: date +- name: feed_id + type: long +- name: id + type: long +- name: is_anonymous + type: boolean +- name: is_public + type: boolean +- name: itype + type: keyword +- name: meta_detail2 + type: keyword +- name: meta_severity + type: keyword +- name: modified_ts + type: keyword +- name: org + type: keyword +- name: owner_organization_id + type: long +- name: resource_uri + type: keyword +- name: retina_confidence + type: long +- name: sort + type: long +- name: source + type: keyword +- name: source_reported_confidence + type: long +- name: status + type: keyword +- name: subtype + type: keyword +- name: tags_id + type: keyword +- name: tags_name + type: keyword +- name: threat_type + type: keyword +- name: threatscore + type: long +- name: timestamp + type: date +- name: tlp + type: keyword +- name: trusted_circle_ids + type: keyword +- name: type + type: keyword +- name: update_id + type: long +- name: uuid + type: keyword +- name: value + type: keyword diff --git a/packages/ti_anomali/_dev/benchmark/rally/intelligence-benchmark/template.ndjson b/packages/ti_anomali/_dev/benchmark/rally/intelligence-benchmark/template.ndjson new file mode 100644 index 00000000000..f247ebda008 --- /dev/null +++ b/packages/ti_anomali/_dev/benchmark/rally/intelligence-benchmark/template.ndjson 
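Review bot: `modified_ts` is declared `type: keyword` here, yet its entry in the companion config.yml gives it `period: -24h`, which the generator applies to date-typed fields, and the other three timestamps in this file (`created_ts`, `expiration_ts`, `timestamp`) are `date`. As written the generator emits an arbitrary string for `modified_ts`, so any date parsing the intelligence pipeline applies to that field will presumably fail on every benchmark document and the run measures the error path rather than the normal one. Change it to `- name: modified_ts` / `  type: date`; the system-benchmark fields.yml later in this commit already does so.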
@@ -0,0 +1,79 @@ +{{- $timestamp := generate "timestamp" -}} +{{- $source := generate "source" -}} +{{- $threatscore := generate "threatscore" -}} +{{- $threat_type := generate "threat_type" -}} +{{- $trusted_circle_ids := generate "trusted_circle_ids" -}} +{{- $description := generate "description" -}} +{{- $sort := generate "sort" -}} +{{- $resource_uri := generate "resource_uri" -}} +{{- $modified_ts := generate "modified_ts" -}} +{{- $update_id := generate "update_id" -}} +{{- $source_reported_confidence := generate "source_reported_confidence" -}} +{{- $type := generate "type" -}} +{{- $uuid := generate "uuid" -}} +{{- $feed_id := generate "feed_id" -}} +{{- $retina_confidence := generate "retina_confidence" -}} +{{- $created_ts := generate "created_ts" -}} +{{- $id := generate "id" -}} +{{- $value := generate "value" -}} +{{- $itype := generate "itype" -}} +{{- $org := generate "org" -}} +{{- $confidence := generate "confidence" -}} +{{- $expiration_ts := generate "expiration_ts" -}} +{{- $owner_organization_id := generate "owner_organization_id" -}} +{{- $meta_severity := generate "meta_severity" -}} +{{- $meta_detail2 := generate "meta_detail2" -}} +{{- $is_anonymous := generate "is_anonymous" -}} +{{- $is_public := generate "is_public" -}} +{{- $asn := generate "asn" -}} +{{- $status := generate "status" -}} +{{- $tags_id := generate "tags_id" -}} +{{- $tags_name := generate "tags_name" -}} +{{- $can_add_public_tags := generate "can_add_public_tags" -}} +{{- $subtype := generate "subtype" -}} +{{- $tlp := generate "tlp" -}} +{{- $created_by := generate "created_by" -}} +{ + "json": { + "source": "{{ $source }}", + "threatscore": {{ $threatscore }}, + "threat_type": "{{ $threat_type }}", + "trusted_circle_ids": "{{ $trusted_circle_ids }}", + "description": "{{ $description }}", + "sort": [{{ $sort }}], + "resource_uri": "{{ $resource_uri }}", + "modified_ts": "{{ $modified_ts }}", + "update_id": {{ $update_id }}, + "source_reported_confidence": {{ 
$source_reported_confidence }}, + "type": "{{ $type }}", + "uuid": "{{ $uuid }}", + "feed_id": {{ $feed_id }}, + "retina_confidence": {{ $retina_confidence }}, + "created_ts": "{{ $created_ts }}", + "id": {{ $id }}, + "value": "{{ $value }}", + "itype": "{{ $itype }}", + "org": "{{ $org }}", + "confidence": {{ $confidence }}, + "expiration_ts": "{{ $expiration_ts }}", + "owner_organization_id": {{ $owner_organization_id }}, + "meta": { + "severity": "{{ $meta_severity }}", + "detail2": "{{ $meta_detail2 }}" + }, + "is_anonymous": {{ $is_anonymous }}, + "is_public": {{ $is_public }}, + "asn": "{{ $asn }}", + "status": "{{ $status }}", + "tags": [ + { + "id": "{{ $tags_id }}", + "name": "{{ $tags_name }}" + } + ], + "can_add_public_tags": {{ $can_add_public_tags }}, + "subtype": "{{ $subtype }}", + "tlp": "{{ $tlp }}", + "created_by": "{{ $created_by }}" + } +} diff --git a/packages/ti_anomali/_dev/benchmark/rally/threatstream-benchmark.yml b/packages/ti_anomali/_dev/benchmark/rally/threatstream-benchmark.yml new file mode 100644 index 00000000000..8ccd640255a --- /dev/null +++ b/packages/ti_anomali/_dev/benchmark/rally/threatstream-benchmark.yml @@ -0,0 +1,14 @@ +--- +description: Benchmark 100000 anomali.threatstream events ingested. +data_stream: + name: threatstream +corpora: + generator: + total_events: 100000 + template: + type: gotext + path: ./threatstream-benchmark/template.ndjson + config: + path: ./threatstream-benchmark/config.yml + fields: + path: ./threatstream-benchmark/fields.yml diff --git a/packages/ti_anomali/_dev/benchmark/rally/threatstream-benchmark/config.yml b/packages/ti_anomali/_dev/benchmark/rally/threatstream-benchmark/config.yml new file mode 100644 index 00000000000..cd5efc6c1ff --- /dev/null +++ b/packages/ti_anomali/_dev/benchmark/rally/threatstream-benchmark/config.yml 
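Review bot: The date fields are interpolated raw (`"created_ts": "{{ $created_ts }}"`, `"expiration_ts": "{{ $expiration_ts }}"`, `"modified_ts": "{{ $modified_ts }}"`) instead of with `.Format "2006-01-02T15:04:05.999999Z07:00"` as the system-benchmark template in this commit does, so a date-typed generator value will presumably be rendered in Go's default `time.Time` string form rather than the ISO-8601 shape the real API returns. Format them the same way as the system template so the pipeline sees realistic timestamps and rally and system results stay comparable. `$timestamp` is generated on the first line but never used in the body, and the same unused variable appears in the threatstream rally template; either emit it or drop the line so every generated value is actually part of the corpus.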
@@ -0,0 +1,83 @@ +fields: + - name: added_at + period: -24h + - name: classification + enum: + - private + - public + - name: confidence + cardinality: 100 + - name: country + enum: + - US + - DE + - IN + - VS + - RU + - name: date_first + period: -24h + - name: date_last + period: -24h + - name: detail + enum: + - phish-kit-sig-id-43111996,Microsoft + - first_seen=2020-04-13T09:30:20,IP=192.168.113.221,ciib,o2d,mask=192.168.2.110,popularity=high + - 32-bit,date_added=2020-10-09T15:44:05,elf,mips + - gnh7,Botnet-DRZ8-,popularity=low,type=2,first_seen=2020-01-07T01:38:35,Botnet-WSPDZDY,mask=192.168.113.180,popularity=low,threat=gu3wn7 + - name: detail2 + enum: + - imported by user 1 + - imported by user 710 + - name: id + cardinality: 1000000 + - name: itype + enum: + - mal_md5 + - phish_url + - scan_ip + - mal_url + - mal_domain + - name: lat + cardinality: 100 + - name: maltype + enum: + - phish-kit-sig-id-43111996 + - 32-bit + - malware:mi5n + - name: resource_uri + enum: + - /api/v1/intelligence/P29675942316/ + - /api/v1/intelligence/22222/ + - /api/v1/intelligence/111111/ + - name: severity + enum: + - very-high + - high + - medium + - low + - name: source + enum: + - Default Organization + - Phony generated indicator + - name: source_feed_id + cardinality: 1000000 + - name: state + value: active + - name: timestamp + period: -24h + - name: trusted_circle_ids + cardinality: 1000000 + - name: update_id + cardinality: 1000000 + - name: url + enum: + - http://onv7s.example.org/29j3q7kc/4l0za3s?viyrr-vd=hde + - http://ureumt8.example.org/ffey/ugwd?770694=x4r5wc-k + - https://5wcz6kck.example.net/mankgvtpl/1suq?vx-gvh=00tc4 + - https://v6cw8.example.org/yw7fom/x6xp?3ck=i3ko4 + - http://tccdg3.example.net/2vgsz9a/9tzk9?xsy9af-=jz3ibf + - name: value_type + enum: + - url + - ip + - domain 
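Review bot: `country` enumerates `VS`, which is not an ISO 3166-1 alpha-2 code (the other four values are), so if the pipeline maps this field into `threat.indicator.geo.country_iso_code` roughly one fifth of the benchmark documents carry an invalid code; replace it with a real one such as `VA` or `FR`. The same enum is repeated in the system threatstream config later in this commit. `state` is pinned to `value: active` here while the system config uses an `active`/`inactive` enum; the two corpora should agree so the rally and system numbers remain comparable.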
diff --git a/packages/ti_anomali/_dev/benchmark/rally/threatstream-benchmark/fields.yml b/packages/ti_anomali/_dev/benchmark/rally/threatstream-benchmark/fields.yml new file mode 100644 index 00000000000..24b06565f58 --- /dev/null +++ b/packages/ti_anomali/_dev/benchmark/rally/threatstream-benchmark/fields.yml @@ -0,0 +1,44 @@ +- name: added_at + type: date +- name: classification + type: keyword +- name: confidence + type: integer +- name: country + type: keyword +- name: date_first + type: date +- name: date_last + type: date +- name: detail + type: keyword +- name: detail2 + type: keyword +- name: id + type: integer +- name: itype + type: keyword +- name: lat + type: float +- name: maltype + type: keyword +- name: resource_uri + type: keyword +- name: severity + type: keyword +- name: source + type: keyword +- name: source_feed_id + type: integer +- name: state + type: keyword +- name: timestamp + type: date +- name: trusted_circle_ids + type: keyword +- name: update_id + type: integer +- name: url + type: keyword +- name: value_type + type: keyword diff --git a/packages/ti_anomali/_dev/benchmark/rally/threatstream-benchmark/template.ndjson b/packages/ti_anomali/_dev/benchmark/rally/threatstream-benchmark/template.ndjson new file mode 100644 index 00000000000..90f50ad2d77 --- /dev/null +++ b/packages/ti_anomali/_dev/benchmark/rally/threatstream-benchmark/template.ndjson 
@@ -0,0 +1,47 @@ +{{- $timestamp := generate "timestamp" -}} +{{- $added_at := generate "added_at" -}} +{{- $classification := generate "classification" -}} +{{- $confidence := generate "confidence" -}} +{{- $country := generate "country" -}} +{{- $date_first := generate "date_first" -}} +{{- $date_last := generate "date_last" -}} +{{- $detail := generate "detail" -}} +{{- $detail2 := generate "detail2" -}} +{{- $id := generate "id" -}} +{{- $itype := generate "itype" -}} +{{- $lat := generate "lat" -}} +{{- $maltype := generate "maltype" -}} +{{- $resource_uri := generate "resource_uri" -}} +{{- $severity := generate "severity" -}} +{{- $source := generate "source" -}} +{{- $source_feed_id := generate "source_feed_id" -}} +{{- $state := generate "state" -}} +{{- $trusted_circle_ids := generate "trusted_circle_ids" -}} +{{- $update_id := generate "update_id" -}} +{{- $url := generate "url" -}} +{{- $value_type := generate "value_type" -}} +{ + "json": { + "added_at": "{{ $added_at.Format "2006-01-02T15:04:05.999999Z07:00" }}", + "classification": "{{ $classification }}", + "confidence": {{ $confidence }}, + "country": "{{ $country }}", + "date_first": "{{ $date_first.Format "2006-01-02T15:04:05.999999Z07:00" }}", + "date_last": "{{ $date_last.Format "2006-01-02T15:04:05.999999Z07:00" }}", + "detail": "{{ $detail }}", + "detail2": "{{ $detail2 }}", + "id": {{ $id }}, + "itype": "{{ $itype }}", + "lat": "{{ $lat }}", + "maltype": "{{ $maltype }}", + "resource_uri": "{{ $resource_uri }}", + "severity": "{{ $severity }}", + "source": "{{ $source }}", + "source_feed_id": {{ $source_feed_id }}, + "state": "{{ $state }}", + "trusted_circle_ids": "{{ $trusted_circle_ids }}", + "update_id": {{ $update_id }}, + "url": "{{ $url }}", + "value_type": "{{ $value_type }}" + } +} 
diff --git a/packages/ti_anomali/_dev/benchmark/system/deploy/docker/docker-compose.yml b/packages/ti_anomali/_dev/benchmark/system/deploy/docker/docker-compose.yml new file mode 100644 index 00000000000..fce54bc7d60 --- /dev/null +++ b/packages/ti_anomali/_dev/benchmark/system/deploy/docker/docker-compose.yml @@ -0,0 +1,25 @@ +version: "2.3" +services: + intelligence: + image: docker.elastic.co/observability/stream:v0.20.0 + hostname: intelligence + ports: + - 8080 + volumes: + - ./files:/files:ro + - ${SERVICE_LOGS_DIR}:/var/log + environment: + PORT: "8080" + command: + - http-server + - --addr=:8080 + - --config=/files/config.yml + threatstream: + image: docker.elastic.co/observability/stream:v0.20.0 + volumes: + - ${SERVICE_LOGS_DIR}:/var/log + environment: + - STREAM_PROTOCOL=webhook + - STREAM_WEBHOOK_PROBE=false + - STREAM_ADDR=http://elastic-agent:9080/ + command: log --webhook-content-type application/x-ndjson --start-signal=SIGHUP --delay=10s /var/log/corpus-* diff --git a/packages/ti_anomali/_dev/benchmark/system/deploy/docker/files/config.yml b/packages/ti_anomali/_dev/benchmark/system/deploy/docker/files/config.yml new file mode 100644 index 00000000000..bf3a3c3ed93 --- /dev/null +++ b/packages/ti_anomali/_dev/benchmark/system/deploy/docker/files/config.yml 
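Review bot: The `threatstream` sender posts the corpus to `http://elastic-agent:9080/` in plaintext with no `--webhook-header` shared secret, and the matching `http_endpoint` policy in this commit sets no `secret_header`/`secret_value`, so the benchmark listener accepts unauthenticated input from anything on the compose network. That is acceptable for an isolated benchmark, but say so in the file so nobody lifts the block into user-facing configuration: `# Benchmark only: plaintext, unauthenticated webhook on the private compose network.` Both services mount `${SERVICE_LOGS_DIR}:/var/log` read-write although each only reads `/var/log/corpus-*`; `:ro` on those volumes, as already used for `./files`, would make that intent explicit.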
@@ -0,0 +1,24 @@ +rules: + - path: /api/v2/intelligence/ + methods: ["GET"] + responses: + - status_code: 200 + body: |- + { + "objects": [ + {{/* Comma is added at the end of each line inside the template to preserve JSON format */}} + {{- $g := glob "/var/log/corpus-*" -}} + {{- range $g -}} + {{- file . -}} + {{- end -}} + {{/* A last line of hard-coded data is required to properly close the JSON body */}} + {"update_id":100000009,"target_industry":[],"source":"Analyst","threatscore":0,"threat_type":"i2p","trusted_circle_ids":null,"description":null,"workgroups":[],"sort":[528280279],"resource_uri":"/api/v2/intelligence/235549249/","modified_ts":"2021-07-28T16:10:01.614Z","source_reported_confidence":-1,"type":"ip","uuid":"97116f93-a68d-4fe3-a108-0e9876933670","feed_id":0,"retina_confidence":-1,"created_ts":"2021-04-29T16:02:24.881Z","id":235549249,"value":"67.43.156.251","itype":"i2p_ip","org":"","ip":"67.43.156.251","confidence":-1,"expiration_ts":"2021-07-28T16:02:24.633Z","owner_organization_id":70,"meta":{"severity":"medium","detail2":"bifocals_deactivated_on_2021-07-28_16:10:00.097108"},"is_anonymous":false,"is_public":true,"asn":"","status":"inactive","tags":null,"can_add_public_tags":true,"subtype":null,"tlp":null,"created_by":null,"rdns":null,"is_editable":false,"locations":[],"source_locations":[]} + ], + "meta": { + "offset": 0, + "limit": 3, + "total_count": 3, + "next": null, + "took": 1 + } + } diff --git a/packages/ti_anomali/_dev/benchmark/system/intelligence-benchmark.yml b/packages/ti_anomali/_dev/benchmark/system/intelligence-benchmark.yml new file mode 100644 index 00000000000..ca2322eda08 --- /dev/null +++ b/packages/ti_anomali/_dev/benchmark/system/intelligence-benchmark.yml 
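Review bot: The `meta` block hard-codes `limit: 3` and `total_count: 3` while the body actually contains every `/var/log/corpus-*` file plus the trailing record, i.e. the whole 100000-event corpus in a single response, and `next: null` is what stops the CEL input after that one page. The counts are therefore fiction and the `page_size: 3` in the benchmark manifest is never exercised; either document that this is deliberate (`{{/* Single page: the whole corpus is served at once; meta counts are placeholders */}}`) or derive `total_count` from the glob so the pagination path is also measured. The rule matches only `GET /api/v2/intelligence/` and does not inspect the `Authorization` header, so the mock never verifies that the agent sends credentials; fine for a mock, but worth a one-line comment.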
@@ -0,0 +1,28 @@ +--- +description: Benchmark 100000 intelligence events ingested. +input: cel +vars: ~ +data_stream: + name: intelligence + vars: + username: test_username + api_key: test_api_key + url: http://svc-intelligence:8080 + interval: 5m + initial_interval: 24h + page_size: 3 + enable_request_tracer: true + preserve_original_event: true +warmup_time_period: 10s +corpora: + input_service: + name: intelligence + generator: + total_events: 100000 + template: + path: ./intelligence-benchmark/template.ndjson + type: gotext + config: + path: ./intelligence-benchmark/config.yml + fields: + path: ./intelligence-benchmark/fields.yml diff --git a/packages/ti_anomali/_dev/benchmark/system/intelligence-benchmark/config.yml b/packages/ti_anomali/_dev/benchmark/system/intelligence-benchmark/config.yml new file mode 100644 index 00000000000..92bf7973db4 --- /dev/null +++ b/packages/ti_anomali/_dev/benchmark/system/intelligence-benchmark/config.yml 
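Review bot: `enable_request_tracer: true` makes the CEL input write every request and response to a trace file, including the multi-megabyte single-page body the mock returns, so the throughput this benchmark reports will include that disk I/O and undercount the input's real ingest rate; unless the trace output is needed, set `enable_request_tracer: false`. The input's documentation also warns that the tracer exposes sensitive information, because it records request headers, so outside the mock it would persist the `Authorization` value built from `api_key` on disk. The placeholder `test_api_key` is harmless here, but a comment such as `# dummy credentials for the mock service; the request tracer would log them` would keep the pair from being copied into a real policy.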
@@ -0,0 +1,98 @@ +fields: + - name: asn + cardinility: 100 + - name: confidence + cardinility: 100 + - name: created_ts + period: -24h + - name: expiration_ts + period: -24h + - name: feed_id + cardinility: 1000000 + - name: id + cardinility: 1000000 + - name: itype + enum: + - mal_ip + - mal_domain + - mal_url + - parked_ip + - phish_email + - phish_url + - name: meta_detail2 + enum: + - imported by user 142 + - imported by user 143 + - name: meta_severity + enum: + - low + - medium + - high + - very-high + - name: modified_ts + period: -24h + - name: org + enum: + - Domains by Proxy, LLC + - Alicloud-hk + - name: owner_organization_id + cardinility: 1000000 + - name: resource_uri + enum: + - "/api/v2/intelligence/232020126/" + - "/api/v2/intelligence/235548914/" + - "/api/v2/intelligence/184982668/" + - name: retina_confidence + cardinility: 100 + - name: sort + cardinility: 1000000 + - name: source + enum: + - Analyst + - Default Organization + - name: source_reported_confidence + cardinility: 100 + - name: status + enum: + - active + - inactive + - name: subtype + value: MD5 + - name: tags_id + cardinility: 1000000 + - name: tags_name + enum: + - Domains-contacted-by-samples-which-do-public-IP-checks. + - public-ip-check-dns + - md5-3d4bf45cc1648d76f9770c7c27afc4b8 + - name: threat_type + enum: + - bot + - apt + - c2 + - i2p + - malware + - name: threatscore + cardinility: 100 + - name: tlp + enum: + - WHITE + - AMBER + - name: trusted_circle_ids + cardinility: 1000000 + - name: type + enum: + - domain + - ip + - url + - name: update_id + cardinility: 1000000 + - name: uuid + cardinility: 1000000 + - name: value + enum: + - "test_mail_remote@test.com" + - "test_mail_remote2@test.com" + - "test_mail_remote3@test.com" + - "test_mail_remote4@test.com" + - "test_mail_remote5@test.com" 
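Review bot: The key `cardinility` is misspelled on every numeric field here (`asn`, `confidence`, `feed_id`, `id`, `owner_organization_id`, `retina_confidence`, `sort`, `source_reported_confidence`, `tags_id`, `threatscore`, `trusted_circle_ids`, `update_id`, `uuid`), unlike the threatstream config in this commit, which uses `cardinality`. An unrecognised key is presumably ignored by the generator, so the intended distributions are never applied and the benchmark measures a corpus with an arbitrary number of distinct ids and scores; rename every occurrence to `cardinality: …`. `subtype` is pinned to `value: MD5` while `type` only enumerates `domain`/`ip`/`url` and `value` only produces `test_mail_remote*@test.com` addresses, so the pipeline branches for those indicator types receive mismatched data; `example.com` is also the reserved placeholder domain, whereas `test.com` is a registered one.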
diff --git a/packages/ti_anomali/_dev/benchmark/system/intelligence-benchmark/fields.yml b/packages/ti_anomali/_dev/benchmark/system/intelligence-benchmark/fields.yml new file mode 100644 index 00000000000..3f7940c88c6 --- /dev/null +++ b/packages/ti_anomali/_dev/benchmark/system/intelligence-benchmark/fields.yml @@ -0,0 +1,72 @@ +- name: asn + type: long +- name: can_add_public_tags + type: boolean +- name: confidence + type: integer +- name: created_by + type: keyword +- name: created_ts + type: date +- name: description + type: keyword +- name: expiration_ts + type: date +- name: feed_id + type: integer +- name: id + type: integer +- name: ip + type: ip +- name: is_anonymous + type: boolean +- name: is_public + type: boolean +- name: itype + type: keyword +- name: meta_detail2 + type: keyword +- name: meta_severity + type: keyword +- name: modified_ts + type: date +- name: org + type: keyword +- name: owner_organization_id + type: integer +- name: rdns + type: keyword +- name: resource_uri + type: keyword +- name: retina_confidence + type: integer +- name: sort + type: integer +- name: source + type: keyword +- name: source_reported_confidence + type: integer +- name: status + type: keyword +- name: subtype + type: keyword +- name: tags_id + type: keyword +- name: tags_name + type: keyword +- name: threat_type + type: keyword +- name: threatscore + type: integer +- name: tlp + type: keyword +- name: trusted_circle_ids + type: keyword +- name: type + type: keyword +- name: update_id + type: integer +- name: uuid + type: keyword +- name: value + type: keyword diff --git a/packages/ti_anomali/_dev/benchmark/system/intelligence-benchmark/template.ndjson b/packages/ti_anomali/_dev/benchmark/system/intelligence-benchmark/template.ndjson new file mode 100644 index 00000000000..a2f268f08e9 --- /dev/null +++ b/packages/ti_anomali/_dev/benchmark/system/intelligence-benchmark/template.ndjson 
@@ -0,0 +1,37 @@ +{{- $update_id := generate "update_id" -}} +{{- $source := generate "source" -}} +{{- $threatscore := generate "threatscore" -}} +{{- $threat_type := generate "threat_type" -}} +{{- $trusted_circle_ids := generate "trusted_circle_ids" -}} +{{- $description := generate "description" -}} +{{- $sort := generate "sort" -}} +{{- $resource_uri := generate "resource_uri" -}} +{{- $modified_ts := generate "modified_ts" -}} +{{- $source_reported_confidence := generate "source_reported_confidence" -}} +{{- $type := generate "type" -}} +{{- $uuid := generate "uuid" -}} +{{- $feed_id := generate "feed_id" -}} +{{- $retina_confidence := generate "retina_confidence" -}} +{{- $created_ts := generate "created_ts" -}} +{{- $id := generate "id" -}} +{{- $value := generate "value" -}} +{{- $itype := generate "itype" -}} +{{- $org := generate "org" -}} +{{- $ip := generate "ip" -}} +{{- $confidence := generate "confidence" -}} +{{- $expiration_ts := generate "expiration_ts" -}} +{{- $owner_organization_id := generate "owner_organization_id" -}} +{{- $meta_severity := generate "meta_severity" -}} +{{- $meta_detail2 := generate "meta_detail2" -}} +{{- $is_anonymous := generate "is_anonymous" -}} +{{- $is_public := generate "is_public" -}} +{{- $asn := generate "asn" -}} +{{- $status := generate "status" -}} +{{- $tags_id := generate "tags_id" -}} +{{- $tags_name := generate "tags_name" -}} +{{- $can_add_public_tags := generate "can_add_public_tags" -}} +{{- $subtype := generate "subtype" -}} +{{- $tlp := generate "tlp" -}} +{{- $created_by := generate "created_by" -}} +{{- $rdns := generate "rdns" -}} +{"update_id": {{ $update_id }},"source": "{{ $source }}","threatscore": {{ $threatscore }},"threat_type": "{{ $threat_type }}","trusted_circle_ids": "{{ $trusted_circle_ids }}","description": "{{ $description }}","sort": [{{ $sort }}],"resource_uri": "{{ $resource_uri }}","modified_ts": "{{ $modified_ts.Format "2006-01-02T15:04:05.999999Z07:00" 
}}","source_reported_confidence": {{ $source_reported_confidence }},"type": "{{ $type }}","uuid": "{{ $uuid }}","feed_id": {{ $feed_id }},"retina_confidence": {{ $retina_confidence }},"created_ts": "{{ $created_ts.Format "2006-01-02T15:04:05.999999Z07:00" }}","id": {{ $id }},"value": "{{ $value }}","itype": "{{ $itype }}","org": "{{ $org }}","ip": "{{ $ip }}","confidence": {{ $confidence }},"expiration_ts": "{{ $expiration_ts.Format "2006-01-02T15:04:05.999999Z07:00" }}","owner_organization_id": {{ $owner_organization_id }},"meta": {"severity": "{{ $meta_severity }}","detail2": "{{ $meta_detail2 }}"},"is_anonymous": {{ $is_anonymous }},"is_public": {{ $is_public }},"asn": "{{ $asn }}","status": "{{ $status }}","tags": [{"id": "{{ $tags_id }}", "name": "{{ $tags_name }}"}],"can_add_public_tags": {{ $can_add_public_tags }},"subtype": "{{ $subtype }}","tlp": "{{ $tlp }}","created_by": "{{ $created_by }}","rdns": "{{ $rdns }}"}, diff --git a/packages/ti_anomali/_dev/benchmark/system/threatstream-benchmark.yml b/packages/ti_anomali/_dev/benchmark/system/threatstream-benchmark.yml new file mode 100644 index 00000000000..f79af682481 --- /dev/null +++ b/packages/ti_anomali/_dev/benchmark/system/threatstream-benchmark.yml @@ -0,0 +1,25 @@ +--- +description: Benchmark 100000 threatstream events ingested. +input: http_endpoint +vars: ~ +data_stream: + name: threatstream + vars: + listen_address: 0.0.0.0 + listen_port: 9080 + ioc_expiration_duration: 5d + preserve_original_event: true +warmup_time_period: 10s +corpora: + input_service: + name: threatstream + signal: SIGHUP + generator: + total_events: 100000 + template: + path: ./threatstream-benchmark/template.ndjson + type: gotext + config: + path: ./threatstream-benchmark/config.yml + fields: + path: ./threatstream-benchmark/fields.yml 
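Review bot: The `http_endpoint` listener is bound to `listen_address: 0.0.0.0` on port 9080 with no `secret_header`/`secret_value` and no TLS, so any host that can reach the agent container can inject indicators into the threatstream data stream during the run. Inside elastic-package's throwaway compose network that is acceptable, but the file should record it, e.g. `# Benchmark only: unauthenticated listener; reachable only on the private compose network.`, and if a secret is ever added the docker-compose sender in this commit needs a matching `--webhook-header`. `ioc_expiration_duration: 5d` is presumably chosen so that no generated indicator expires during warmup and the run; a short comment stating that would save the next reader the guess.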
diff --git a/packages/ti_anomali/_dev/benchmark/system/threatstream-benchmark/config.yml b/packages/ti_anomali/_dev/benchmark/system/threatstream-benchmark/config.yml new file mode 100644 index 00000000000..a4412c7c246 --- /dev/null +++ b/packages/ti_anomali/_dev/benchmark/system/threatstream-benchmark/config.yml @@ -0,0 +1,73 @@ +fields: + - name: added_at + period: -24h + - name: classification + enum: + - "private" + - "public" + - name: confidence + cardinality: 100 + - name: country + enum: + - US + - DE + - IN + - VS + - RU + - name: date_first + period: -24h + - name: date_last + period: -24h + - name: detail2 + enum: + - imported by user 1 + - imported by user 710 + - name: id + cardinality: 1000000 + - name: import_session_id + cardinality: 1000000 + - name: itype + enum: + - mal_md5 + - phish_url + - scan_ip + - mal_url + - mal_domain + - name: lat + cardinality: 100 + - name: lon + cardinality: 100 + - name: org + enum: + - Example Org + - Test Organization + - name: resource_uri + enum: + - /api/v1/intelligence/P29675942316/ + - /api/v1/intelligence/22222/ + - /api/v1/intelligence/111111/ + - name: severity + enum: + - very-high + - high + - medium + - low + - name: source + enum: + - Default Organization + - Phony generated indicator + - name: source_feed_id + cardinality: 1000000 + - name: state + enum: + - active + - inactive + - name: trusted_circle_ids + cardinality: 1000000 + - name: update_id + cardinality: 1000000 + - name: value_type + enum: + - url + - ip + - domain diff --git a/packages/ti_anomali/_dev/benchmark/system/threatstream-benchmark/fields.yml b/packages/ti_anomali/_dev/benchmark/system/threatstream-benchmark/fields.yml new file mode 100644 index 00000000000..e5d40f9b04c --- /dev/null +++ b/packages/ti_anomali/_dev/benchmark/system/threatstream-benchmark/fields.yml 
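Review bot: `lat` and `lon` get only `cardinality: 100` with no `range`, so their values depend on the generator's default float range; if that range exceeds ±90/±180 and the pipeline assembles them into a `geo_point`, those documents are rejected at index time and the benchmark measures failures rather than ingest. Constrain them explicitly, `range: {min: -90, max: 90}` for `lat` and `range: {min: -180, max: 180}` for `lon`. `srcip` has no entry here although the template emits it, and `country` repeats the non-ISO `VS` value from the rally config.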
@@ -0,0 +1,44 @@ +- name: added_at + type: date +- name: classification + type: keyword +- name: confidence + type: long +- name: country + type: keyword +- name: date_first + type: date +- name: date_last + type: date +- name: detail2 + type: keyword +- name: id + type: long +- name: import_session_id + type: long +- name: itype + type: keyword +- name: lat + type: float +- name: lon + type: float +- name: org + type: keyword +- name: resource_uri + type: keyword +- name: severity + type: keyword +- name: source + type: keyword +- name: source_feed_id + type: long +- name: srcip + type: keyword +- name: state + type: keyword +- name: trusted_circle_ids + type: keyword +- name: update_id + type: long +- name: value_type + type: keyword diff --git a/packages/ti_anomali/_dev/benchmark/system/threatstream-benchmark/template.ndjson b/packages/ti_anomali/_dev/benchmark/system/threatstream-benchmark/template.ndjson new file mode 100644 index 00000000000..6b3f06e6c99 --- /dev/null +++ b/packages/ti_anomali/_dev/benchmark/system/threatstream-benchmark/template.ndjson 
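Review bot: `srcip` is declared `type: keyword`, so the generator emits an arbitrary string for it even though the field name indicates an IP address; if the pipeline copies it into an `ip`-typed ECS field, every benchmark document will presumably fail that step and the run measures the error path. Declare it as `- name: srcip` / `  type: ip`, as the intelligence fields.yml in this commit does for `ip`. `lat`/`lon` are `float` here but the template quotes them as JSON strings, which is only harmless if the pipeline converts them back.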
@@ -0,0 +1,23 @@
+{{- $confidence := generate "confidence" -}}
+{{- $itype := generate "itype" -}}
+{{- $severity := generate "severity" -}}
+{{- $classification := generate "classification" -}}
+{{- $srcip := generate "srcip" -}}
+{{- $country := generate "country" -}}
+{{- $update_id := generate "update_id" -}}
+{{- $lon := generate "lon" -}}
+{{- $id := generate "id" -}}
+{{- $source := generate "source" -}}
+{{- $state := generate "state" -}}
+{{- $detail2 := generate "detail2" -}}
+{{- $trusted_circle_ids := generate "trusted_circle_ids" -}}
+{{- $import_session_id := generate "import_session_id" -}}
+{{- $lat := generate "lat" -}}
+{{- $org := generate "org" -}}
+{{- $value_type := generate "value_type" -}}
+{{- $source_feed_id := generate "source_feed_id" -}}
+{{- $date_first := generate "date_first" -}}
+{{- $date_last := generate "date_last" -}}
+{{- $resource_uri := generate "resource_uri" -}}
+{{- $added_at := generate "added_at" -}}
+{"confidence": {{ $confidence }}, "itype": "{{ $itype }}", "severity": "{{ $severity }}", "classification": "{{ $classification }}", "srcip": "{{ $srcip }}", "country": "{{ $country }}", "update_id": {{ $update_id }}, "lon": "{{ $lon }}", "id": {{ $id }}, "source": "{{ $source }}", "state": "{{ $state }}", "detail2": "{{ $detail2 }}", "trusted_circle_ids": "{{ $trusted_circle_ids }}", "import_session_id": {{ $import_session_id }}, "lat": "{{ $lat }}", "org": "{{ $org }}", "value_type": "{{ $value_type }}", "source_feed_id": {{ $source_feed_id }}, "date_first": "{{ $date_first.Format "2006-01-02T15:04:05.999999Z07:00" }}", "date_last": "{{ $date_last.Format "2006-01-02T15:04:05.999999Z07:00" }}", "resource_uri": "{{ $resource_uri }}", "added_at": "{{ $added_at.Format "2006-01-02T15:04:05.999999Z07:00" }}"}
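Review bot: `lat` and `lon` are emitted as quoted strings (`"lat": "{{ $lat }}", "lon": "{{ $lon }}"`) even though fields.yml types them `float` and the threatstream sample log in this patch carries them as JSON numbers, so if the pipeline builds a geo point from them the benchmark may take a different conversion path than real data. Emitting them unquoted, `"lat": {{ $lat }}, "lon": {{ $lon }},` matches the sample. The `added_at` value is also formatted with a zone suffix (`Z07:00`) while the sample records show none (`"added_at": "2023-06-05T12:35:14.860741"`), so the date-parsing branch exercised here likely differs from production input.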
diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/benchmark/pipeline/config.yml b/packages/ti_anomali/data_stream/intelligence/_dev/benchmark/pipeline/config.yml
new file mode 100644
index 00000000000..30a2b50cf64
--- /dev/null
+++ b/packages/ti_anomali/data_stream/intelligence/_dev/benchmark/pipeline/config.yml
@@ -0,0 +1 @@
+num_docs: 10000
diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/benchmark/pipeline/intellegence-sample.log b/packages/ti_anomali/data_stream/intelligence/_dev/benchmark/pipeline/intellegence-sample.log
new file mode 100644
index 00000000000..129a3da1503
--- /dev/null
+++ b/packages/ti_anomali/data_stream/intelligence/_dev/benchmark/pipeline/intellegence-sample.log
@@ -0,0 +1,4 @@
+{"json": {"target_industry": [], "source": "Analyst", "threatscore": 54, "threat_type": "apt", "trusted_circle_ids": null, "description": null, "workgroups": [], "sort": [455403032], "resource_uri": "/api/v2/intelligence/232020126/", "modified_ts": "2021-04-06T09:56:22.915Z", "update_id": 455403032, "source_reported_confidence": 60, "type": "domain", "uuid": "0921be47-9cc2-4265-b896-c62a7cb91042", "feed_id": 0, "retina_confidence": -1, "created_ts": "2021-04-06T09:56:22.915Z", "id": 232020126, "value": "gen1xyz.com", "itype": "apt_domain", "org": "", "confidence": 60, "expiration_ts": "9999-12-31T00:00:00.000Z", "owner_organization_id": 67, "meta": {"severity": "very-high", "detail2": "imported by user 136"}, "is_anonymous": false, "is_public": true, "asn": "", "status": "active", "tags": null, "can_add_public_tags": true, "subtype": null, "tlp": null, "created_by": null, "rdns": null, "is_editable": false, "locations": [], "source_locations": []}}
+{"json": {"target_industry": [], "source": "Analyst", "threatscore": 9, "threat_type": "apt", "trusted_circle_ids": null, "description": null, "workgroups": [], "sort": [467407026], "resource_uri": "/api/v2/intelligence/235548914/", "modified_ts": "2021-04-29T16:00:35.529Z", "update_id": 467407026, "source_reported_confidence": 12, "type": "email", "uuid": "bc5a223e-f7a1-4acb-b50b-c81395e34218", "feed_id": 0, "retina_confidence": -1, "created_ts": "2021-04-29T16:00:35.529Z", "id": 235548914, "value": "edc2@wsx.com", "itype": "apt_email", "org": "", "confidence": 12, "expiration_ts": "9999-12-31T00:00:00.000Z", "owner_organization_id": 70, "meta": {"severity": "medium", "detail2": "imported by user 142"}, "is_anonymous": false, "is_public": true, "asn": "", "status": "active", "tags": null, "can_add_public_tags": true, "subtype": null, "tlp": null, "created_by": null, "rdns": null, "is_editable": false, "locations": [], "source_locations": []}}
+{"json": {"target_industry": [], "source": "Analyst",
"threatscore": 0, "threat_type": "apt", "trusted_circle_ids": null, "description": null, "workgroups": [], "sort": [467409119], "resource_uri": "/api/v2/intelligence/235549247/", "modified_ts": "2021-04-29T16:02:17.558Z", "update_id": 467409119, "source_reported_confidence": -1, "type": "ip", "uuid": "463f01f8-7675-4caa-a6aa-db2fb3787b09", "feed_id": 0, "retina_confidence": -1, "created_ts": "2021-04-29T16:02:17.558Z", "id": 235549247, "value": "89.160.20.176", "itype": "apt_ip", "org": "", "ip": "89.160.20.176", "confidence": -1, "expiration_ts": "9999-12-31T00:00:00.000Z", "owner_organization_id": 70, "meta": {"severity": "very-high", "detail2": "imported by user 142"}, "is_anonymous": false, "is_public": true, "asn": "", "status": "active", "tags": null, "can_add_public_tags": true, "subtype": null, "tlp": null, "created_by": null, "rdns": null, "is_editable": false, "locations": [], "source_locations": []}}
+{"json": {"target_industry": [], "source": "Default Organization", "threatscore": 25, "threat_type": "bot", "trusted_circle_ids": [10015], "description": null, "workgroups": [], "sort": [376544052], "resource_uri": "/api/v2/intelligence/184983050/", "modified_ts": "2020-10-09T18:30:14.901Z", "update_id": 376544052, "country": "CN", "source_reported_confidence": 100, "latitude": 34.7725, "type": "ip", "uuid": "c7e4fd9e-b4c0-4c20-83f2-9415ff671a19", "feed_id": 0, "retina_confidence": -1, "created_ts": "2020-10-09T18:30:14.901Z", "id": 184983050, "value": "216.160.83.63", "itype": "bot_ip", "org": "", "ip": "216.160.83.63", "confidence": 100, "expiration_ts": "2318-07-09T20:41:16.995Z", "owner_organization_id": 1, "meta": {"severity": "low", "detail2": "imported by user 1"}, "is_anonymous": false, "is_public": false, "asn": "", "status": "active", "tags": null, "can_add_public_tags": true, "subtype": null, "tlp": null, "created_by": null, "rdns": null, "is_editable": false, "locations": [], "source_locations": []}}
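Review bot: The fixture is added as `intellegence-sample.log`, a misspelling of intelligence, and the threatstream data stream reuses the same misspelled name for its own pipeline benchmark fixture later in this patch even though that file holds threatstream records; `intelligence-sample.log` here and `threatstream-sample.log` there would name them correctly. The record content itself is fine as a benchmark corpus.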
diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/policy/test-all.expected b/packages/ti_anomali/data_stream/intelligence/_dev/test/policy/test-all.expected
new file mode 100644
index 00000000000..880495196bb
--- /dev/null
+++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/policy/test-all.expected
@@ -0,0 +1,68 @@ +inputs: + - data_stream: + namespace: ep + meta: + package: + name: ti_anomali + name: test-all-ti_anomali + streams: + - config_version: 2 + data_stream: + dataset: ti_anomali.intelligence + fields: + _conf: + ioc_duration_before_deletion: 90d + fields_under_root: true + interval: 5m + processors: + - add_fields: + fields: + id: "574734885120952459" + name: myproject + target: project + - add_tags: + tags: + - web + - production + target: environment + program: "state.with(\n\trequest(\n\t\t\"GET\",\n\t\tstate.url.trim_right(\"/\") + \"/api/v2/intelligence/?\" + {\n\t\t\t\"order_by\": [\"update_id\"],\n\t\t\t\"modified_ts__lt\": [(now - duration(state.delay)).format(time_layout.RFC3339)],\n\t\t\t?\"modified_ts__gt\": state.?cursor.last_update_id.orValue(null) == null ? optional.of([(now - duration(state.initial_interval)).format(time_layout.RFC3339)]) : optional.none(),\n\t\t\t\"limit\": [string(state.page_size)],\n\t\t\t?\"update_id__gt\": state.?cursor.last_update_id.optMap(id, [string(int(id))]),\n\t\t\t?\"remote_api\": state.remote_api_true ? optional.of([\"true\"]) : optional.none(), // never set remote_api=false, only true or absent\n\t\t\t?\"q\": state.?query.orValue(\"\") != \"\" ? optional.of([state.query]) : optional.none(),\n\t\t}.format_query()\n\t).with(\n\t\t{\n\t\t\t\"Header\": {\n\t\t\t\t\"Authorization\": [\"apikey \" + state.username + \":\" + state.api_key],\n\t\t\t},\n\t\t}\n\t).do_request().as(resp,\n\t\t(resp.StatusCode == 200) ?\n\t\t\tbytes(resp.Body).decode_json().as(body,\n\t\t\t\t{\n\t\t\t\t\t\"events\": body.objects.map(obj,\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\"json\": obj,\n\t\t\t\t\t\t\t?\"event\": state.?preserve_original_event.orValue(false) ?\n\t\t\t\t\t\t\t\toptional.of({\"original\": obj.encode_json()})\n\t\t\t\t\t\t\t:\n\t\t\t\t\t\t\t\toptional.none(),\n\t\t\t\t\t\t}\n\t\t\t\t\t),\n\t\t\t\t\t\"want_more\": body.meta.next != null,\n\t\t\t\t\t\"cursor\": (has(state.cursor) ? 
state.cursor : {}).with(\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t?\"last_update_id\": (body.objects.size() > 0) ? optional.of(body.objects[body.objects.size() - 1].update_id) : optional.none(),\n\t\t\t\t\t\t}\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t)\n\t\t:\n\t\t\t{\n\t\t\t\t\"events\": {\n\t\t\t\t\t\"error\": {\n\t\t\t\t\t\t\"code\": string(resp.StatusCode),\n\t\t\t\t\t\t\"id\": string(resp.Status),\n\t\t\t\t\t\t\"message\": \"GET:\" + \n\t\t\t\t\t\t(\n\t\t\t\t\t\t\t(size(resp.Body) != 0) ?\n\t\t\t\t\t\t\t\tstring(resp.Body)\n\t\t\t\t\t\t\t:\n\t\t\t\t\t\t\t\tstring(resp.Status) + \" (\" + string(resp.StatusCode) + \")\"\n\t\t\t\t\t\t),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t\"want_more\": false,\n\t\t\t}\n\t)\n)" + publisher_pipeline.disable_host: true + redact: + fields: + - api_key + resource.proxy_url: http://proxy.tld + resource.ssl: null + resource.timeout: 30s + resource.url: https://api.threatstream.com + state: + api_key: ${SECRET_0} + delay: 1m + initial_interval: 2160h + page_size: 1000 + preserve_original_event: true + query: test_query + remote_api_true: false + username: test_username + want_more: false + tags: + - preserve_original_event + - forwarded + - anomali-intelligence + type: cel + use_output: default +output_permissions: + default: + _elastic_agent_checks: + cluster: + - monitor + _elastic_agent_monitoring: + indices: [] + uuid-for-permissions-on-related-indices: + indices: + - names: + - logs-ti_anomali.intelligence-ep + privileges: + - auto_configure + - create_doc +secret_references: + - {} diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/policy/test-all.yml b/packages/ti_anomali/data_stream/intelligence/_dev/test/policy/test-all.yml new file mode 100644 index 00000000000..c8ac469664b --- /dev/null +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/policy/test-all.yml 
@@ -0,0 +1,49 @@
+data_stream:
+ vars:
+ username: test_username
+ api_key: xxxxxxxxxxxx
+ url: https://api.threatstream.com
+ interval: 5m
+ initial_interval: 2160h
+ ioc_duration_before_deletion: "90d"
+ preserve_original_event: true
+ enable_request_tracer: false
+ query: test_query
+ remote_api_true: false
+ page_size: 1000
+ proxy_url: http://proxy.tld
+ ssl: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+ http_client_timeout: 30s
+ tags:
+ - forwarded
+ - anomali-intelligence
+ processors: |
+ - add_fields:
+ target: project
+ fields:
+ name: myproject
+ id: '574734885120952459'
+ - add_tags:
+ tags: [web, production]
+ target: "environment"
diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/policy/test-default.expected b/packages/ti_anomali/data_stream/intelligence/_dev/test/policy/test-default.expected
new file mode 100644
index 00000000000..0fbee285007
--- /dev/null
+++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/policy/test-default.expected
@@ -0,0 +1,54 @@ +inputs: + - data_stream: + namespace: ep + meta: + package: + name: ti_anomali + name: test-default-ti_anomali + streams: + - config_version: 2 + data_stream: + dataset: ti_anomali.intelligence + fields: + _conf: + ioc_duration_before_deletion: 90d + fields_under_root: true + interval: 5m + program: "state.with(\n\trequest(\n\t\t\"GET\",\n\t\tstate.url.trim_right(\"/\") + \"/api/v2/intelligence/?\" + {\n\t\t\t\"order_by\": [\"update_id\"],\n\t\t\t\"modified_ts__lt\": [(now - duration(state.delay)).format(time_layout.RFC3339)],\n\t\t\t?\"modified_ts__gt\": state.?cursor.last_update_id.orValue(null) == null ? optional.of([(now - duration(state.initial_interval)).format(time_layout.RFC3339)]) : optional.none(),\n\t\t\t\"limit\": [string(state.page_size)],\n\t\t\t?\"update_id__gt\": state.?cursor.last_update_id.optMap(id, [string(int(id))]),\n\t\t\t?\"remote_api\": state.remote_api_true ? optional.of([\"true\"]) : optional.none(), // never set remote_api=false, only true or absent\n\t\t\t?\"q\": state.?query.orValue(\"\") != \"\" ? optional.of([state.query]) : optional.none(),\n\t\t}.format_query()\n\t).with(\n\t\t{\n\t\t\t\"Header\": {\n\t\t\t\t\"Authorization\": [\"apikey \" + state.username + \":\" + state.api_key],\n\t\t\t},\n\t\t}\n\t).do_request().as(resp,\n\t\t(resp.StatusCode == 200) ?\n\t\t\tbytes(resp.Body).decode_json().as(body,\n\t\t\t\t{\n\t\t\t\t\t\"events\": body.objects.map(obj,\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\"json\": obj,\n\t\t\t\t\t\t\t?\"event\": state.?preserve_original_event.orValue(false) ?\n\t\t\t\t\t\t\t\toptional.of({\"original\": obj.encode_json()})\n\t\t\t\t\t\t\t:\n\t\t\t\t\t\t\t\toptional.none(),\n\t\t\t\t\t\t}\n\t\t\t\t\t),\n\t\t\t\t\t\"want_more\": body.meta.next != null,\n\t\t\t\t\t\"cursor\": (has(state.cursor) ? state.cursor : {}).with(\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t?\"last_update_id\": (body.objects.size() > 0) ? 
optional.of(body.objects[body.objects.size() - 1].update_id) : optional.none(),\n\t\t\t\t\t\t}\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t)\n\t\t:\n\t\t\t{\n\t\t\t\t\"events\": {\n\t\t\t\t\t\"error\": {\n\t\t\t\t\t\t\"code\": string(resp.StatusCode),\n\t\t\t\t\t\t\"id\": string(resp.Status),\n\t\t\t\t\t\t\"message\": \"GET:\" + \n\t\t\t\t\t\t(\n\t\t\t\t\t\t\t(size(resp.Body) != 0) ?\n\t\t\t\t\t\t\t\tstring(resp.Body)\n\t\t\t\t\t\t\t:\n\t\t\t\t\t\t\t\tstring(resp.Status) + \" (\" + string(resp.StatusCode) + \")\"\n\t\t\t\t\t\t),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t\"want_more\": false,\n\t\t\t}\n\t)\n)" + publisher_pipeline.disable_host: true + redact: + fields: + - api_key + resource.ssl: null + resource.timeout: 30s + resource.url: https://api.threatstream.com + state: + api_key: ${SECRET_0} + delay: 1m + initial_interval: 2160h + page_size: 1000 + preserve_original_event: false + remote_api_true: false + username: test_username + want_more: false + tags: + - forwarded + - anomali-intelligence + type: cel + use_output: default +output_permissions: + default: + _elastic_agent_checks: + cluster: + - monitor + _elastic_agent_monitoring: + indices: [] + uuid-for-permissions-on-related-indices: + indices: + - names: + - logs-ti_anomali.intelligence-ep + privileges: + - auto_configure + - create_doc +secret_references: + - {} diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/policy/test-default.yml b/packages/ti_anomali/data_stream/intelligence/_dev/test/policy/test-default.yml new file mode 100644 index 00000000000..a8bdf0363d3 --- /dev/null +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/policy/test-default.yml @@ -0,0 +1,4 @@ +data_stream: + vars: + username: test_username + api_key: xxxxxxxxxxxx diff --git a/packages/ti_anomali/data_stream/threatstream/_dev/benchmark/pipeline/config.yml b/packages/ti_anomali/data_stream/threatstream/_dev/benchmark/pipeline/config.yml new file mode 100644 index 00000000000..30a2b50cf64 --- /dev/null 
+++ b/packages/ti_anomali/data_stream/threatstream/_dev/benchmark/pipeline/config.yml
@@ -0,0 +1 @@
+num_docs: 10000
diff --git a/packages/ti_anomali/data_stream/threatstream/_dev/benchmark/pipeline/intellegence-sample.log b/packages/ti_anomali/data_stream/threatstream/_dev/benchmark/pipeline/intellegence-sample.log
new file mode 100644
index 00000000000..0e8110b6009
--- /dev/null
+++ b/packages/ti_anomali/data_stream/threatstream/_dev/benchmark/pipeline/intellegence-sample.log
@@ -0,0 +1,5 @@
+{"json": {"added_at": "2023-06-05T12:35:14.860741", "classification": "private", "confidence": 92, "country": "US", "date_first": "2020-10-09T18:45:23.000Z", "date_last": "2020-10-09T18:45:23.000Z", "detail": "phish-kit-sig-id-43111996,Microsoft", "detail2": "imported by user 1", "id": 185029228, "itype": "phish_url", "lat": 37.751, "maltype": "phish-kit-sig-id-43111996", "resource_uri": "/api/v1/intelligence/22222/", "severity": "very-high", "source": "Default Organization", "source_feed_id": 0, "srcip": "81.2.69.142", "state": "active", "trusted_circle_ids": ",10015,", "update_id": 376590230, "url": "https://example.appspot.com/2/https%40securelogin-example.bp.poste.it", "value_type": "url"}}
+{"json": {"added_at": "2023-06-05T11:03:34.648208", "classification": "private", "confidence": 94, "country": "IN", "date_first": "2020-10-09T18:45:28.000Z", "date_last": "2020-10-09T18:45:28.000Z", "detail": "32-bit,date_added=2020-10-09T15:44:05,elf,mips", "detail2": "imported by user 1", "id": 111111, "itype": "mal_url", "lat": 28.6327, "maltype": "32-bit", "resource_uri": "/api/v1/intelligence/111111/", "severity": "very-high", "source": "Default Organization", "source_feed_id": 0, "srcip": "81.2.69.192", "state": "active", "trusted_circle_ids": ",10015,", "update_id": 376590649, "url": "http://81.2.69.192:34011/bin.sh", "value_type": "url"}}
+{"json": {"added_at": "2020-10-08T12:22:11", "domain": "tsvkkasbc.example.net", "itype": "mal_domain", "classification": "public", "lat": 48.8582, "update_id": 1561660927, "source_feed_id": 3716, "date_first": "2020-10-08T12:21:50", "confidence": 20, "severity": "medium", "trusted_circle_ids": "14", "lon": 2.3387, "id": 2919443327, "source": "Phony generated indicator", "state": "active", "import_session_id": 2832, "value_type": "domain", "srcip": "192.168.113.39", "org": "OVH Hosting", "date_last": "2020-10-08T12:24:42", "country": "FR", "detail2": "imported by user 41", "resource_uri":
"/api/v1/intelligence/P30754856864/"}}
+{"json": {"added_at": "2020-10-08T12:22:11", "confidence": 71, "itype": "mal_ip", "severity": "very-high", "classification": "public", "date_first": "2020-10-08T12:21:59", "country": "RU", "org": "IP Khnykin Vitaliy Yakovlevich", "import_session_id": 3544, "lon": 37.6068, "lat": 55.7386, "source": "Phony generated indicator", "state": "active", "update_id": 2406643974, "trusted_circle_ids": "500,12", "srcip": "192.168.2.111", "detail2": "imported by user 329", "value_type": "ip", "source_feed_id": 3817, "id": 1958206567, "date_last": "2020-10-08T12:24:42", "resource_uri": "/api/v1/intelligence/P36282461072/"}}
+{"json": {"added_at": "2020-10-08T12:22:11", "itype": "mal_ip", "classification": "private", "lat": 41.7041, "update_id": 2322332062, "source_feed_id": 2092, "id": 2858143413, "confidence": -1, "severity": "high", "trusted_circle_ids": "418,729,426", "lon": -72.679, "date_first": "2020-10-08T12:22:11", "source": "Phony generated indicator", "state": "active", "import_session_id": 3128, "value_type": "ip", "srcip": "192.168.113.98", "org": "Cox Communications", "asn": "22773", "date_last": "2020-10-08T12:24:42", "country": "US", "detail2": "imported by user 114", "resource_uri": "/api/v1/intelligence/P40686000387/"}}
diff --git a/packages/ti_anomali/data_stream/threatstream/_dev/test/policy/test-all.expected b/packages/ti_anomali/data_stream/threatstream/_dev/test/policy/test-all.expected
new file mode 100644
index 00000000000..c3d0fab9298
--- /dev/null
+++ b/packages/ti_anomali/data_stream/threatstream/_dev/test/policy/test-all.expected
@@ -0,0 +1,60 @@
+inputs:
+ - data_stream:
+ namespace: ep
+ meta:
+ package:
+ name: ti_anomali
+ name: test-all-ti_anomali
+ streams:
+ - content_type: application/x-ndjson
+ data_stream:
+ dataset: ti_anomali.threatstream
+ enabled: true
+ fields:
+ _conf:
+ ioc_expiration_duration: 90d
+ fields_under_root: true
+ hmac:
+ header: X-Filebeat-Signature
+ key: ${SECRET_0}
+ prefix: sha256=
+ type: sha256
+ listen_address: localhost
+ listen_port: 8181
+ prefix: json
+ processors:
+ - add_fields:
+ fields:
+ id: "574734885120952459"
+ name: myproject
+ target: project
+ - add_tags:
+ tags:
+ - web
+ - production
+ target: environment
+ ssl:
+ certificate: /etc/pki/client/cert.pem
+ enabled: false
+ key: /etc/pki/client/cert.key
+ tags: null
+ type: http_endpoint
+ url: /
+ type: http_endpoint
+ use_output: default
+output_permissions:
+ default:
+ _elastic_agent_checks:
+ cluster:
+ - monitor
+ _elastic_agent_monitoring:
+ indices: []
+ uuid-for-permissions-on-related-indices:
+ indices:
+ - names:
+ - logs-ti_anomali.threatstream-ep
+ privileges:
+ - auto_configure
+ - create_doc
+secret_references:
+ - {}
diff --git a/packages/ti_anomali/data_stream/threatstream/_dev/test/policy/test-all.yml b/packages/ti_anomali/data_stream/threatstream/_dev/test/policy/test-all.yml
new file mode 100644
index 00000000000..832f1329fd4
--- /dev/null
+++ b/packages/ti_anomali/data_stream/threatstream/_dev/test/policy/test-all.yml
@@ -0,0 +1,23 @@
+data_stream:
+ vars:
+ listen_address : localhost
+ listen_port: 8181
+ url: /
+ content_type : application/x-ndjson
+ secret: test_secret
+ ssl: |
+ enabled: false
+ certificate: "/etc/pki/client/cert.pem"
+ key: "/etc/pki/client/cert.key"
+ ioc_expiration_duration: "90d"
+ tags:
+ preserve_original_event: false
+ processors: |
+ - add_fields:
+ target: project
+ fields:
+ name: myproject
+ id: '574734885120952459'
+ - add_tags:
+ tags: [web, production]
+ target: "environment"
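Review bot: `tags:` in test-all.yml is left without a value, so the rendered policy in test-all.expected above carries `tags: null` instead of the default list (`forwarded`, `anomali-threatstream`, as test-default.expected shows); for a test meant to set every variable, an explicit value such as `tags: [forwarded, anomali-threatstream]` exercises the variable rather than clearing it. `listen_address : localhost` and `content_type : application/x-ndjson` also carry a stray space before the colon, unlike the other keys in the file.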
diff --git a/packages/ti_anomali/data_stream/threatstream/_dev/test/policy/test-default.expected b/packages/ti_anomali/data_stream/threatstream/_dev/test/policy/test-default.expected
new file mode 100644
index 00000000000..224ea41ea0c
--- /dev/null
+++ b/packages/ti_anomali/data_stream/threatstream/_dev/test/policy/test-default.expected
@@ -0,0 +1,46 @@
+inputs:
+ - data_stream:
+ namespace: ep
+ meta:
+ package:
+ name: ti_anomali
+ name: test-default-ti_anomali
+ streams:
+ - content_type: application/x-ndjson
+ data_stream:
+ dataset: ti_anomali.threatstream
+ enabled: true
+ fields:
+ _conf:
+ ioc_expiration_duration: 90d
+ fields_under_root: true
+ listen_address: localhost
+ listen_port: 8181
+ prefix: json
+ publisher_pipeline.disable_host: true
+ ssl:
+ certificate: /etc/pki/client/cert.pem
+ enabled: false
+ key: /etc/pki/client/cert.key
+ tags:
+ - forwarded
+ - anomali-threatstream
+ type: http_endpoint
+ url: /
+ type: http_endpoint
+ use_output: default
+output_permissions:
+ default:
+ _elastic_agent_checks:
+ cluster:
+ - monitor
+ _elastic_agent_monitoring:
+ indices: []
+ uuid-for-permissions-on-related-indices:
+ indices:
+ - names:
+ - logs-ti_anomali.threatstream-ep
+ privileges:
+ - auto_configure
+ - create_doc
+secret_references: []
diff --git a/packages/ti_anomali/data_stream/threatstream/_dev/test/policy/test-default.yml b/packages/ti_anomali/data_stream/threatstream/_dev/test/policy/test-default.yml
new file mode 100644
index 00000000000..b0118cb8a20
--- /dev/null
+++ b/packages/ti_anomali/data_stream/threatstream/_dev/test/policy/test-default.yml
@@ -0,0 +1,3 @@
+data_stream:
+ vars:
+ # All the required variables have default value. From 4043e440f3a540e20c7968ea6d8eb8c7f2db1e08 Mon Sep 17 00:00:00 2001
From: mohitjha_elastic Date: Fri, 20 Feb 2026 18:42:58 +0530 Subject: [PATCH 2/2] Uncomment the ssl parameter --- .../_dev/test/policy/test-all.expected | 22 +++++++++- .../_dev/test/policy/test-all.yml | 40 +++++++++---------- 2 files changed, 41 insertions(+), 21 deletions(-) diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/policy/test-all.expected b/packages/ti_anomali/data_stream/intelligence/_dev/test/policy/test-all.expected index 880495196bb..6a3060acccd 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/policy/test-all.expected +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/policy/test-all.expected 
@@ -31,7 +31,27 @@ inputs: fields: - api_key resource.proxy_url: http://proxy.tld - resource.ssl: null + resource.ssl: + - | + -----BEGIN CERTIFICATE----- + MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + sxSmbIUfc2SGJGCJD4I= + -----END CERTIFICATE----- resource.timeout: 30s resource.url: https://api.threatstream.com state: diff --git a/packages/ti_anomali/data_stream/intelligence/_dev/test/policy/test-all.yml b/packages/ti_anomali/data_stream/intelligence/_dev/test/policy/test-all.yml index c8ac469664b..6262501afdc 100644 --- a/packages/ti_anomali/data_stream/intelligence/_dev/test/policy/test-all.yml +++ b/packages/ti_anomali/data_stream/intelligence/_dev/test/policy/test-all.yml 
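Review bot: The rendered `resource.ssl` is now a bare sequence holding one PEM string, because in the test-all.yml hunk below the `#certificate_authorities:` line stays commented while only the list under it was uncommented; the cel input's `resource.ssl` setting is a map of TLS options, so this expected file codifies a malformed policy rather than a CA-pinned one, and the commit's "Uncomment the ssl parameter" intent is not met. Uncommenting the key as well, `certificate_authorities:` in place of `#certificate_authorities:` on that context line, and regenerating the expected output should yield `resource.ssl:` / `certificate_authorities:` / `- |` followed by the certificate.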
@@ -14,26 +14,26 @@ data_stream: proxy_url: http://proxy.tld ssl: | #certificate_authorities: - # - | - # -----BEGIN CERTIFICATE----- - # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF - # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 - # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB - # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n - # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl - # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t - # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP - # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 - # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O - # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux - # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D - # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw - # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA - # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu - # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 - # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk - # sxSmbIUfc2SGJGCJD4I= - # -----END CERTIFICATE----- + - | + -----BEGIN CERTIFICATE----- + MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux 
+ 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + sxSmbIUfc2SGJGCJD4I= + -----END CERTIFICATE----- http_client_timeout: 30s tags: - forwarded