diff --git a/packages/juniper/_dev/build/build.yml b/packages/juniper/_dev/build/build.yml
index 08d85edcf9a..809e76063e9 100644
--- a/packages/juniper/_dev/build/build.yml
+++ b/packages/juniper/_dev/build/build.yml
@@ -1,3 +1,3 @@
 dependencies:
   ecs:
-    reference: git@1.12
+    reference: git@8.0
diff --git a/packages/juniper/changelog.yml b/packages/juniper/changelog.yml
index 34a3f06f947..c488afe5c6a 100644
--- a/packages/juniper/changelog.yml
+++ b/packages/juniper/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.1.0"
+  changes:
+    - description: Update to ECS 8.0
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2415
 - version: "1.0.7"
   changes:
     - description: Regenerate test files using the new GeoIP database
diff --git a/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json b/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json
index 1dfe0ef2f37..21723726db5 100644
--- a/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json
+++ b/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json
@@ -3,10 +3,10 @@
 { "message": "Jan 29 06:09:59 ceroinBC.exe[6713]: RPD_SCHED_TASK_LONGRUNTIME: : exe ran for 7309(5049)", "event": { - "ingested": "2021-12-14T14:47:05.643310048Z" + "ingested": "2022-01-01T22:04:32.451718262Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event"
@@ -15,10 +15,10 @@
 { "message": "Feb 12 13:12:33 DCD_FILTER_LIB_ERROR message repeated [7608]: llu: Filter library initialization failed", "event": { - "ingested": "2021-12-14T14:47:05.643314375Z" + "ingested": "2022-01-01T22:04:32.451721424Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event"
@@ -27,10 +27,10 @@ { "message": "Feb 26 20:15:08 MIB2D_TRAP_SEND_FAILURE: restart [6747]: sum: uaerat: cancel: success", "event": { - "ingested": "2021-12-14T14:47:05.643315434Z" + "ingested": "2022-01-01T22:04:32.451722742Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -39,10 +39,10 @@ { "message": "Mar 12 03:17:42 seq olorema6148.www.localdomain: fug5500.www.domain IFP trace\u003e node: dqu", "event": { - "ingested": "2021-12-14T14:47:05.643316242Z" + "ingested": "2022-01-01T22:04:32.451723876Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -51,10 +51,10 @@ { "message": "Mar 26 10:20:16 ssb SNMPD_CONTEXT_ERROR: [7400]: emq: isiu: success in 6237 context 5367", "event": { - "ingested": "2021-12-14T14:47:05.643316874Z" + "ingested": "2022-01-01T22:04:32.451724991Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -63,10 +63,10 @@ { "message": "Apr 9 17:22:51 RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED: restart [7618]: ionul: ifl : nibus, unknown", "event": { - "ingested": "2021-12-14T14:47:05.643317592Z" + "ingested": "2022-01-01T22:04:32.451726103Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -75,10 +75,10 @@ { "message": "Apr 24 00:25:25 CHASSISD_SNMP_TRAP10 message repeated [1284]: ume: SNMP trap: failure: ono", "event": { - "ingested": "2021-12-14T14:47:05.643318250Z" + "ingested": "2022-01-01T22:04:32.451727193Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -87,10 +87,10 @@ { "message": "May 8 07:27:59 sunt prehen6218.www.localhost: onse.exe[254]: RPD_KRT_IFL_CELL_RELAY_MODE_INVALID: : ifl : inibusBo, failure", "event": { - "ingested": "2021-12-14T14:47:05.643318893Z" + "ingested": "2022-01-01T22:04:32.451728291Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -99,10 +99,10 @@ { "message": "May 22 14:30:33 iamquis quirat6972.www5.lan: isc.exe[3237]: SNMPD_USER_ERROR: : conseq: unknown in 6404 user 'atiset' 4068", "event": { - "ingested": "2021-12-14T14:47:05.643319450Z" + "ingested": "2022-01-01T22:04:32.451729408Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -111,10 +111,10 @@ { "message": "Jun 5 21:33:08 fpc9 RPD_TASK_REINIT: [4621]: lita: Reinitializing", "event": { - "ingested": "2021-12-14T14:47:05.643323433Z" + "ingested": "2022-01-01T22:04:32.451730507Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -123,10 +123,10 @@ { "message": "Jun 20 04:35:42 fpc4 LOGIN_FAILED: [2227]: oinBC: Login failed for user quameius from host ipsumdol4488.api.localdomain", "event": { - "ingested": "2021-12-14T14:47:05.643324259Z" + "ingested": "2022-01-01T22:04:32.451731599Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -135,10 +135,10 @@ { "message": "Jul 4 11:38:16 NASD_PPP_SEND_PARTIAL: restart [3994]: aper: Unable to send all of message: santiumd", "event": { - "ingested": "2021-12-14T14:47:05.643325133Z" + "ingested": "2022-01-01T22:04:32.451732858Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -147,10 +147,10 @@ { "message": "Jul 18 18:40:50 UI_COMMIT_AT_FAILED message repeated [7440]: temqu: success, minimav", "event": { - "ingested": "2021-12-14T14:47:05.643325765Z" + "ingested": "2022-01-01T22:04:32.451733974Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -159,10 +159,10 @@ { "message": "Aug 2 01:43:25 rnatur ofdeFin7811.lan: emipsumd.exe[5020]: BOOTPD_NEW_CONF: : New configuration installed", "event": { - "ingested": "2021-12-14T14:47:05.643326507Z" + "ingested": "2022-01-01T22:04:32.451735072Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -171,10 +171,10 @@ { "message": "Aug 16 08:45:59 RPD_RIP_JOIN_MULTICAST message repeated [60]: onemulla: Unable to join multicast group enp0s4292: unknown", "event": { - "ingested": "2021-12-14T14:47:05.643400742Z" + "ingested": "2022-01-01T22:04:32.451736206Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -183,10 +183,10 @@ { "message": "Aug 30 15:48:33 FSAD_TERMINATED_CONNECTION: restart [6703]: xea: Open file ites` closed due to unknown", "event": { - "ingested": "2021-12-14T14:47:05.643401843Z" + "ingested": "2022-01-01T22:04:32.451737322Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -195,10 +195,10 @@ { "message": "Sep 13 22:51:07 RPD_KRT_IFL_GENERATION message repeated [5539]: eri: ifl lo2169 generation mismatch -- unknown", "event": { - "ingested": "2021-12-14T14:47:05.643402803Z" + "ingested": "2022-01-01T22:04:32.451738590Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -207,10 +207,10 @@ { "message": "Sep 28 05:53:42 cfeb UI_COMMIT_ROLLBACK_FAILED: [3453]: avolu: Automatic rollback failed", "event": { - "ingested": "2021-12-14T14:47:05.643403274Z" + "ingested": "2022-01-01T22:04:32.451739680Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -219,10 +219,10 @@ { "message": "Oct 12 12:56:16 mquisn.exe[3993]: RMOPD_usage : failure: midest", "event": { - "ingested": "2021-12-14T14:47:05.643403758Z" + "ingested": "2022-01-01T22:04:32.451740803Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -231,10 +231,10 @@ { "message": "Oct 26 19:58:50 undeomni.exe[4938]: RPD_ISIS_LSPCKSUM: : IS-IS 715 LSP checksum error, interface enp0s1965, LSP id tasun, sequence 3203, checksum eratv, lifetime ipsa", "event": { - "ingested": "2021-12-14T14:47:05.643404229Z" + "ingested": "2022-01-01T22:04:32.451741900Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -243,10 +243,10 @@ { "message": "Nov 10 03:01:24 kmd: restart ", "event": { - "ingested": "2021-12-14T14:47:05.643404719Z" + "ingested": "2022-01-01T22:04:32.451743003Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -255,10 +255,10 @@ { "message": "Nov 24 10:03:59 ever.exe[6463]: LOGIN_FAILED: : Login failed for user atq from host erspi4926.www5.test", "event": { - "ingested": "2021-12-14T14:47:05.643405206Z" + "ingested": "2022-01-01T22:04:32.451744127Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -267,10 +267,10 @@ { "message": "Dec 8 17:06:33 CHASSISD_MBUS_ERROR message repeated [72]: iadese: nisiu imad: management bus failed sanity test", "event": { - "ingested": "2021-12-14T14:47:05.643405864Z" + "ingested": "2022-01-01T22:04:32.451745211Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -279,10 +279,10 @@ { "message": "Dec 23 00:09:07 niamquis.exe[1471]: TFTPD_NAK_ERR : nak error ptatems, 357", "event": { - "ingested": "2021-12-14T14:47:05.643406499Z" + "ingested": "2022-01-01T22:04:32.451746396Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -291,10 +291,10 @@ { "message": "Jan 6 07:11:41 UI_DUPLICATE_UID: restart [3350]: atqu: Users naturau have the same UID olorsita", "event": { - "ingested": "2021-12-14T14:47:05.643406974Z" + "ingested": "2022-01-01T22:04:32.451747479Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -303,10 +303,10 @@ { "message": "Jan 20 14:14:16 piscivel.exe[4753]: TFTPD_CREATE_ERR: : check_space unknown", "event": { - "ingested": "2021-12-14T14:47:05.643407451Z" + "ingested": "2022-01-01T22:04:32.451748581Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -315,10 +315,10 @@ { "message": "Feb 3 21:16:50 fpc4 RPD_START: [1269]: riat: Start 181 version version built 7425", "event": { - "ingested": "2021-12-14T14:47:05.643407925Z" + "ingested": "2022-01-01T22:04:32.451749672Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -327,10 +327,10 @@ { "message": "Feb 18 04:19:24 fpc2 COSMAN: : uptasnul: delete class_to_ifl table 2069, ifl 3693", "event": { - "ingested": "2021-12-14T14:47:05.643408378Z" + "ingested": "2022-01-01T22:04:32.451750766Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -339,10 +339,10 @@ { "message": "Mar 4 11:21:59 orum oinBCSed3073.www.lan: ilm.exe[3193]: SNMPD_TRAP_QUEUE_MAX_ATTEMPTS: : fugiatqu: after 4003 attempts, deleting 4568 traps queued to exercita", "event": { - "ingested": "2021-12-14T14:47:05.643408858Z" + "ingested": "2022-01-01T22:04:32.451751853Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -351,10 +351,10 @@ { "message": "Mar 18 18:24:33 TFTPD_BIND_ERR: restart [1431]: ntut: bind: failure", "event": { - "ingested": "2021-12-14T14:47:05.643409368Z" + "ingested": "2022-01-01T22:04:32.451752937Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -363,10 +363,10 @@ { "message": "Apr 2 01:27:07 lite ugia517.api.host: doei.exe[7073]: RPD_LDP_SESSIONDOWN: : LDP session 10.88.126.165 is down, failure", "event": { - "ingested": "2021-12-14T14:47:05.643409840Z" + "ingested": "2022-01-01T22:04:32.451754087Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -375,10 +375,10 @@ { "message": "Apr 16 08:29:41 fpc6 SNMPD_CONTEXT_ERROR: [180]: eturadip: ent: unknown in 5848 context 316", "event": { - "ingested": "2021-12-14T14:47:05.643410294Z" + "ingested": "2022-01-01T22:04:32.451757677Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -387,10 +387,10 @@ { "message": "Apr 30 15:32:16 NASD_CHAP_INVALID_CHAP_IDENTIFIER message repeated [796]: iumdo: lo2721: received aturv expected CHAP ID: ectetura", "event": { - "ingested": "2021-12-14T14:47:05.643410747Z" + "ingested": "2022-01-01T22:04:32.451758914Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -399,10 +399,10 @@ { "message": "May 14 22:34:50 UI_LOAD_EVENT message repeated [6342]: seq: User 'moll' is performing a 'allow'", "event": { - "ingested": "2021-12-14T14:47:05.643411210Z" + "ingested": "2022-01-01T22:04:32.451760020Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -411,10 +411,10 @@ { "message": "May 29 05:37:24 fdeFin.exe[4053]: SNMP_TRAP_TRACE_ROUTE_TEST_FAILED : traceRouteCtlOwnerIndex = 1450, traceRouteCtlTestName = edic", "event": { - "ingested": "2021-12-14T14:47:05.643411849Z" + "ingested": "2022-01-01T22:04:32.451761246Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -423,10 +423,10 @@ { "message": "Jun 12 12:39:58 SNMPD_RTSLIB_ASYNC_EVENT: restart [508]: uae: oremip: sequence mismatch failure", "event": { - "ingested": "2021-12-14T14:47:05.643412305Z" + "ingested": "2022-01-01T22:04:32.451762369Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -435,10 +435,10 @@ { "message": "Jun 26 19:42:33 tesse olupta2743.internal.localdomain: ine.exe[3181]: BOOTPD_TIMEOUT: : Timeout success unreasonable", "event": { - "ingested": "2021-12-14T14:47:05.643412755Z" + "ingested": "2022-01-01T22:04:32.451763478Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -447,10 +447,10 @@ { "message": "Jul 11 02:45:07 NASD_RADIUS_MESSAGE_UNEXPECTED message repeated [33]: abore: Unknown response from RADIUS server: unknown", "event": { - "ingested": "2021-12-14T14:47:05.643413211Z" + "ingested": "2022-01-01T22:04:32.451764568Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -459,10 +459,10 @@ { "message": "Jul 25 09:47:41 PWC_LOCKFILE_BAD_FORMAT: restart [3426]: illum: PID lock file has bad format: eprehe", "event": { - "ingested": "2021-12-14T14:47:05.643413674Z" + "ingested": "2022-01-01T22:04:32.451765656Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -471,10 +471,10 @@ { "message": "Aug 8 16:50:15 snostr.exe[1613]: RPD_KRT_AFUNSUPRT : tec: received itaspe message with unsupported address family 4176", "event": { - "ingested": "2021-12-14T14:47:05.643414447Z" + "ingested": "2022-01-01T22:04:32.451766765Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -483,10 +483,10 @@ { "message": "Aug 22 23:52:50 oreeufug.exe[6086]: PWC_PROCESS_FORCED_HOLD : Process plicaboN forcing hold down of child 619 until signal", "event": { - "ingested": "2021-12-14T14:47:05.643414937Z" + "ingested": "2022-01-01T22:04:32.451767922Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -495,10 +495,10 @@ { "message": "Sep 6 06:55:24 MIB2D_IFL_IFINDEX_FAILURE message repeated [4115]: tiu: SNMP index assigned to wri changed from 3902 to unknown", "event": { - "ingested": "2021-12-14T14:47:05.643415518Z" + "ingested": "2022-01-01T22:04:32.451768996Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -507,10 +507,10 @@ { "message": "Sep 20 13:57:58 mwr cia5990.api.localdomain: pitlabo.exe[3498]: UI_DBASE_MISMATCH_MAJOR: : Database header major version number mismatch for file 'ende': expecting 6053, got 4884", "event": { - "ingested": "2021-12-14T14:47:05.643415999Z" + "ingested": "2022-01-01T22:04:32.451770085Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -519,10 +519,10 @@ { "message": "Oct 4 21:00:32 iuntN utfugi851.www5.invalid: nul.exe[1005]: SNMPD_VIEW_INSTALL_DEFAULT: : eetdo: success installing default 1243 view 5146", "event": { - "ingested": "2021-12-14T14:47:05.643416464Z" + "ingested": "2022-01-01T22:04:32.451771236Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -531,10 +531,10 @@ { "message": "Oct 19 04:03:07 DCD_PARSE_STATE_EMERGENCY message repeated [2498]: uptatem: An unhandled state was encountered during interface parsing", "event": { - "ingested": "2021-12-14T14:47:05.643416924Z" + "ingested": "2022-01-01T22:04:32.451772340Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -543,10 +543,10 @@ { "message": "Nov 2 11:05:41 loremagn acons3820.internal.home: ain.exe[7192]: LOGIN_PAM_MAX_RETRIES: : Too many retries while authenticating user iquipex", "event": { - "ingested": "2021-12-14T14:47:05.643417394Z" + "ingested": "2022-01-01T22:04:32.451773446Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -555,10 +555,10 @@ { "message": "Nov 16 18:08:15 onorume.exe[3290]: BOOTPD_NO_BOOTSTRING : No boot string found for type veleu", "event": { - "ingested": "2021-12-14T14:47:05.643417863Z" + "ingested": "2022-01-01T22:04:32.451774533Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -567,10 +567,10 @@ { "message": "Dec 1 01:10:49 eirured sequamn5243.mail.home: sshd: sshd: SSHD_LOGIN_FAILED: Login failed for user 'ciatisun' from host '10.252.209.246'.", "event": { - "ingested": "2021-12-14T14:47:05.643418484Z" + "ingested": "2022-01-01T22:04:32.451775627Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -579,10 +579,10 @@ { "message": "Dec 15 08:13:24 COS: restart : Received FC-\u003eQ map, caecat", "event": { - "ingested": "2021-12-14T14:47:05.643418956Z" + "ingested": "2022-01-01T22:04:32.451776741Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -591,10 +591,10 @@ { "message": "Dec 29 15:15:58 cgatool message repeated : nvolupta: generated address is success", "event": { - "ingested": "2021-12-14T14:47:05.643419431Z" + "ingested": "2022-01-01T22:04:32.451777848Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -603,10 +603,10 @@ { "message": "Jan 12 22:18:32 CHASSISD_SNMP_TRAP6 message repeated [4667]: idolor: SNMP trap generated: success (les)", "event": { - "ingested": "2021-12-14T14:47:05.643420002Z" + "ingested": "2022-01-01T22:04:32.451779070Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -615,10 +615,10 @@ { "message": "Jan 27 05:21:06 ssb FLOW_REASSEMBLE_SUCCEED: : Packet merged source 10.102.228.136 destination 10.151.136.250 ipid upt succeed", "event": { - "ingested": "2021-12-14T14:47:05.643420466Z" + "ingested": "2022-01-01T22:04:32.451780152Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -627,10 +627,10 @@ { "message": "Feb 10 12:23:41 DFWD_PARSE_FILTER_EMERGENCY message repeated [2037]: serrorsi: tsedquia encountered errors while parsing filter index file", "event": { - "ingested": "2021-12-14T14:47:05.643421Z" + "ingested": "2022-01-01T22:04:32.451781258Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -639,10 +639,10 @@ { "message": "Feb 24 19:26:15 remips laboreet5949.mail.test: tesse.exe[4358]: RPD_LDP_SESSIONDOWN: : LDP session 10.148.255.126 is down, unknown", "event": { - "ingested": "2021-12-14T14:47:05.643421525Z" + "ingested": "2022-01-01T22:04:32.451782379Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -651,10 +651,10 @@ { "message": "Mar 11 02:28:49 fpc2 NASD_CHAP_REPLAY_ATTACK_DETECTED: [mipsumqu]: turad: eth680.6195: received doloremi unknown.iciatis", "event": { - "ingested": "2021-12-14T14:47:05.643421981Z" + "ingested": "2022-01-01T22:04:32.451783470Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -663,10 +663,10 @@ { "message": "Mar 25 09:31:24 rema mcol7795.domain: mquis lsys_ssam_handler: : processing lsys root-logical-system tur", "event": { - "ingested": "2021-12-14T14:47:05.643551228Z" + "ingested": "2022-01-01T22:04:32.451784580Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -675,10 +675,10 @@ { "message": "Apr 8 16:33:58 UI_LOST_CONN message repeated [7847]: loreeuf: Lost connection to daemon orainci", "event": { - "ingested": "2021-12-14T14:47:05.643556861Z" + "ingested": "2022-01-01T22:04:32.451785696Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -687,10 +687,10 @@ { "message": "Apr 22 23:36:32 PWC_PROCESS_HOLD: restart [1791]: itse: Process lapari holding down child 2702 until signal", "event": { - "ingested": "2021-12-14T14:47:05.643557989Z" + "ingested": "2022-01-01T22:04:32.451786801Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -699,10 +699,10 @@ { "message": "May 7 06:39:06 undeo ficiade4365.mail.domain: norum.exe[4443]: LIBSERVICED_SOCKET_BIND: : dantium: unable to bind socket ors: failure", "event": { - "ingested": "2021-12-14T14:47:05.643558790Z" + "ingested": "2022-01-01T22:04:32.451787905Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -711,10 +711,10 @@ { "message": "May 21 13:41:41 liq eleumiu2852.lan: mfugiat.exe[3946]: LOGIN_FAILED: : Login failed for user olu from host mSect5899.domain", "event": { - "ingested": "2021-12-14T14:47:05.643559767Z" + "ingested": "2022-01-01T22:04:32.451789001Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -723,10 +723,10 @@ { "message": "Jun 4 20:44:15 idolo.exe[6535]: MIB2D_IFL_IFINDEX_FAILURE: : SNMP index assigned to deseru changed from 6460 to unknown", "event": { - "ingested": "2021-12-14T14:47:05.643560603Z" + "ingested": "2022-01-01T22:04:32.451790101Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -735,10 +735,10 @@ { "message": "Jun 19 03:46:49 modtempo.exe[5276]: CHASSISD_RELEASE_MASTERSHIP: : Release mastership notification", "event": { - "ingested": "2021-12-14T14:47:05.643561404Z" + "ingested": "2022-01-01T22:04:32.451791208Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -747,10 +747,10 @@ { "message": "Jul 3 10:49:23 fpc4 PWC_PROCESS_HOLD: [3450]: dexea: Process aturExc holding down child 7343 until signal", "event": { - "ingested": "2021-12-14T14:47:05.643562169Z" + "ingested": "2022-01-01T22:04:32.451792312Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -759,10 +759,10 @@ { "message": "Jul 17 17:51:58 ame.exe[226]: SERVICED_RTSOCK_SEQUENCE : boreet: routing socket sequence error, unknown", "event": { - "ingested": "2021-12-14T14:47:05.643563027Z" + "ingested": "2022-01-01T22:04:32.451793392Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -771,10 +771,10 @@ { "message": "Aug 1 00:54:32 consect6919.mail.localdomain iset.exe[940]: idpinfo: urere", "event": { - "ingested": "2021-12-14T14:47:05.643563833Z" + "ingested": "2022-01-01T22:04:32.451794477Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -783,10 +783,10 @@ { "message": "Aug 15 07:57:06 RPD_KRT_NOIFD: restart [4822]: oreeufug: No device 5020 for interface lo4593", "event": { - "ingested": "2021-12-14T14:47:05.643564690Z" + "ingested": "2022-01-01T22:04:32.451795571Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -795,10 +795,10 @@ { "message": "Aug 29 14:59:40 eprehen oinB3432.api.invalid: citatio.exe[5029]: craftd: , unknown", "event": { - "ingested": "2021-12-14T14:47:05.643565668Z" + "ingested": "2022-01-01T22:04:32.451796673Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -807,10 +807,10 @@ { "message": "Sep 12 22:02:15 ACCT_CU_RTSLIB_error message repeated [7583]: eetd: liquide getting class usage statistics for interface enp0s2674: success", "event": { - "ingested": "2021-12-14T14:47:05.643566468Z" + "ingested": "2022-01-01T22:04:32.451797765Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -819,10 +819,10 @@ { "message": "Sep 27 05:04:49 userro oree nimadmi7341.www.home RT_FLOW - kmd [", "event": { - "ingested": "2021-12-14T14:47:05.643567186Z" + "ingested": "2022-01-01T22:04:32.451798866Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -831,10 +831,10 @@ { "message": "Oct 11 12:07:23 LOGIN_PAM_NONLOCAL_USER: restart [686]: rauto: User rese authenticated but has no local login ID", "event": { - "ingested": "2021-12-14T14:47:05.643567936Z" + "ingested": "2022-01-01T22:04:32.451799968Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -843,10 +843,10 @@ { "message": "Oct 25 19:09:57 doconse.exe[6184]: RPD_KRT_NOIFD : No device 5991 for interface enp0s7694", "event": { - "ingested": "2021-12-14T14:47:05.643568789Z" + "ingested": "2022-01-01T22:04:32.451801055Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -855,10 +855,10 @@ { "message": "Nov 9 02:12:32 quidolor1064.www.domain: uspinfo: : flow_print_session_summary_output received rcita", "event": { - "ingested": "2021-12-14T14:47:05.643569520Z" + "ingested": "2022-01-01T22:04:32.451802151Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -867,10 +867,10 @@ { "message": "Nov 23 09:15:06 RPD_TASK_REINIT: restart [1810]: mfugi: Reinitializing", "event": { - "ingested": "2021-12-14T14:47:05.643570324Z" + "ingested": "2022-01-01T22:04:32.451803249Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -879,10 +879,10 @@ { "message": "Dec 7 16:17:40 inibusBo.exe[2509]: ECCD_TRACE_FILE_OPEN_FAILED : allow: failure", "event": { - "ingested": "2021-12-14T14:47:05.643571093Z" + "ingested": "2022-01-01T22:04:32.451804336Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -891,10 +891,10 @@ { "message": "Dec 21 23:20:14 ECCD_TRACE_FILE_OPEN_FAILED message repeated [2815]: rudexer: accept: unknown", "event": { - "ingested": "2021-12-14T14:47:05.643572569Z" + "ingested": "2022-01-01T22:04:32.451805589Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -903,10 +903,10 @@ { "message": "Jan 5 06:22:49 eseosqu oeius641.api.home: laud.exe[913]: LOGIN_FAILED: : Login failed for user turQ from host tod6376.mail.host", "event": { - "ingested": "2021-12-14T14:47:05.643573485Z" + "ingested": "2022-01-01T22:04:32.451806713Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -915,10 +915,10 @@ { "message": "Jan 19 13:25:23 ine.exe[1578]: FSAD_CONNTIMEDOUT : Connection timed out to the client (oreve2538.www.localdomain, 10.44.24.103) having request type reprehen", "event": { - "ingested": "2021-12-14T14:47:05.643574307Z" + "ingested": "2022-01-01T22:04:32.451807813Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -927,10 +927,10 @@ { "message": "Feb 2 20:27:57 UI_SCHEMA_SEQUENCE_ERROR: restart [734]: rinre: Schema sequence number mismatch", "event": { - "ingested": "2021-12-14T14:47:05.643575215Z" + "ingested": "2022-01-01T22:04:32.451808898Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -939,10 +939,10 @@ { "message": "Feb 17 03:30:32 LIBJNX_EXEC_PIPE: restart [946]: olors: Unable to create pipes for command 'deny': unknown", "event": { - "ingested": "2021-12-14T14:47:05.643576116Z" + "ingested": "2022-01-01T22:04:32.451810009Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -951,10 +951,10 @@ { "message": "Mar 3 10:33:06 UI_DBASE_MISMATCH_EXTENT: restart [4686]: isnost: Database header extent mismatch for file 'lumdolor': expecting 559, got 7339", "event": { - "ingested": "2021-12-14T14:47:05.643576985Z" + "ingested": "2022-01-01T22:04:32.451811516Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -963,10 +963,10 @@ { "message": "Mar 17 17:35:40 NASD_usage message repeated [7744]: eumfu: unknown: quidex", "event": { - "ingested": "2021-12-14T14:47:05.643616290Z" + "ingested": "2022-01-01T22:04:32.451812610Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -975,10 +975,10 @@ { "message": "Apr 1 00:38:14 /kmd: ", "event": { - "ingested": "2021-12-14T14:47:05.643621495Z" + "ingested": "2022-01-01T22:04:32.451813722Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -987,10 +987,10 @@ { "message": "Apr 15 07:40:49 sshd message repeated : very-high: can't get client address: unknown", "event": { - "ingested": "2021-12-14T14:47:05.643622467Z" + "ingested": "2022-01-01T22:04:32.451814845Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -999,10 +999,10 @@ { "message": "Apr 29 14:43:23 fpc4 RPD_LDP_NBRUP: [4279]: stlaboru: LDP neighbor 10.248.68.242 (eth1282) is success", "event": { - "ingested": "2021-12-14T14:47:05.643623280Z" + "ingested": "2022-01-01T22:04:32.451815950Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -1011,10 +1011,10 @@ { "message": "May 13 21:45:57 uun iduntutl4723.example: uel.exe[5770]: SNMPD_TRAP_QUEUE_DRAINED: : metco: traps queued to vel sent successfully", "event": { - "ingested": "2021-12-14T14:47:05.643624195Z" + "ingested": "2022-01-01T22:04:32.451817035Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -1023,10 +1023,10 @@ { "message": "May 28 04:48:31 fpc8 ECCD_PCI_WRITE_FAILED: [4837]: radip: cancel: success", "event": { - "ingested": "2021-12-14T14:47:05.643624904Z" + "ingested": "2022-01-01T22:04:32.451818157Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -1035,10 +1035,10 @@ { "message": "Jun 11 11:51:06 TFTPD_RECVCOMPLETE_INFO message repeated [7501]: piciatis: Received 3501 blocks of 5877 size for file 'tatisetq'", "event": { - "ingested": "2021-12-14T14:47:05.643625600Z" + "ingested": "2022-01-01T22:04:32.451819247Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -1047,10 +1047,10 @@ { "message": "Jun 25 18:53:40 usp_trace_ipc_reconnect message repeated illum.exe:USP trace client cannot reconnect to server", "event": { - "ingested": "2021-12-14T14:47:05.643626355Z" + "ingested": "2022-01-01T22:04:32.451820331Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -1059,10 +1059,10 @@ { "message": "Jul 10 01:56:14 amnis atevelit2799.internal.host: tatiset.exe IFP trace\u003e BCHIP: : cannot write ucode mask reg", "event": { - "ingested": "2021-12-14T14:47:05.643627146Z" + "ingested": "2022-01-01T22:04:32.451821425Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -1071,10 +1071,10 @@ { "message": "Jul 24 08:58:48 RPD_MPLS_LSP_DOWN message repeated [5094]: moditemp: MPLS LSP eth2042 unknown", "event": { - "ingested": "2021-12-14T14:47:05.643627800Z" + "ingested": "2022-01-01T22:04:32.451822522Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -1083,10 +1083,10 @@ { "message": "Aug 7 16:01:23 CHASSISD_PARSE_INIT: restart [4153]: uatDuisa: Parsing configuration file 'usB'", "event": { - "ingested": "2021-12-14T14:47:05.643628570Z" + "ingested": "2022-01-01T22:04:32.451823635Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -1095,10 +1095,10 @@ { "message": "Aug 21 23:03:57 RMOPD_ROUTING_INSTANCE_NO_INFO: restart [6922]: upidatat: No information for routing instance non: failure", "event": { - "ingested": "2021-12-14T14:47:05.643629389Z" + "ingested": "2022-01-01T22:04:32.451824735Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -1107,10 +1107,10 @@ { "message": "Sep 5 06:06:31 Utenimad.exe[4305]: CHASSISD_TERM_SIGNAL: : Received SIGTERM request, success", "event": { - "ingested": "2021-12-14T14:47:05.643630095Z" + "ingested": "2022-01-01T22:04:32.451825805Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -1119,10 +1119,10 @@ { "message": "Sep 19 13:09:05 tseddo.exe[484]: RPD_OSPF_NBRUP : OSPF neighbor 10.49.190.163 (lo50) aUteni due to failure", "event": { - "ingested": "2021-12-14T14:47:05.643630897Z" + "ingested": "2022-01-01T22:04:32.451826882Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -1131,10 +1131,10 @@ { "message": "Oct 3 20:11:40 cfeb NASD_usage: [6968]: litseddo: failure: metconse", "event": { - "ingested": "2021-12-14T14:47:05.643631727Z" + "ingested": "2022-01-01T22:04:32.451827978Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -1143,10 +1143,10 @@ { "message": "Oct 18 03:14:14 RPD_LDP_NBRDOWN message repeated [4598]: emu: LDP neighbor 10.101.99.109 (eth4282) is success", "event": { - "ingested": "2021-12-14T14:47:05.643632470Z" + "ingested": "2022-01-01T22:04:32.452194541Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -1155,10 +1155,10 @@ { "message": "Nov 1 10:16:48 RPD_RDISC_NOMULTI message repeated [4764]: con: Ignoring interface 594 on lo7449 -- unknown", "event": { - "ingested": "2021-12-14T14:47:05.643633277Z" + "ingested": "2022-01-01T22:04:32.452206165Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -1167,10 +1167,10 @@ { "message": "Nov 15 17:19:22 BOOTPD_NEW_CONF: restart [1768]: isquames: New configuration installed", "event": { - "ingested": "2021-12-14T14:47:05.643633978Z" + "ingested": "2022-01-01T22:04:32.452207498Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -1179,10 +1179,10 @@ { "message": "Nov 30 00:21:57 SNMP_TRAP_LINK_DOWN message repeated [7368]: ngelit: ifIndex 4197, ifAdminStatus ons, ifOperStatus unknown, ifName lo3193", "event": { - "ingested": "2021-12-14T14:47:05.643634770Z" + "ingested": "2022-01-01T22:04:32.452208594Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -1191,10 +1191,10 @@ { "message": "Dec 14 07:24:31 MIB2D_ATM_ERROR message repeated [4927]: udexerci: voluptat: failure", "event": { - "ingested": "2021-12-14T14:47:05.643635531Z" + "ingested": "2022-01-01T22:04:32.452209653Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" diff --git a/packages/juniper/data_stream/junos/agent/stream/stream.yml.hbs b/packages/juniper/data_stream/junos/agent/stream/stream.yml.hbs index d43a8406f09..cd6f65b088d 100644 --- a/packages/juniper/data_stream/junos/agent/stream/stream.yml.hbs +++ b/packages/juniper/data_stream/junos/agent/stream/stream.yml.hbs 
@@ -1101,11 +1101,11 @@ processors:
 "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
 "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
 "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "msg": {to:[{field: "event.original", setter: fld_set}]},
 "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
 "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
 "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
 "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
 "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
 "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
@@ -1115,7 +1115,7 @@ processors:
 "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
 "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
 "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
 "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
 "product": {to:[{field: "observer.product", setter: fld_set}]},
 "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
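Review bot: The `"msg"` entry now writes a parsed message fragment into `event.original` with `fld_set`, while ECS reserves that field for the raw, unmodified event and the expected-output fixtures earlier in this diff show a `preserve_original_event` tag that, in this family of pipelines, appears to govern whether `event.original` is kept at all. It is worth confirming that the ingest pipeline's own handling of `event.original` runs after this mapping and wins, so the field ends up either as the untouched log line or absent; if it does not, the fragment would be safer under the `rsa.*` namespace where the other parsed values already live. The same two hunks are repeated verbatim in tcp.yml.hbs and udp.yml.hbs, and a comment above the map in each copy, e.g. `# Field map duplicated in stream.yml.hbs, tcp.yml.hbs and udp.yml.hbs — change all three together`, would make the next ECS field rename less error-prone. The enclosing `processors:` block starts and ends outside the hunk.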
diff --git a/packages/juniper/data_stream/junos/agent/stream/tcp.yml.hbs b/packages/juniper/data_stream/junos/agent/stream/tcp.yml.hbs
index beabea1a037..fe8410f4ea0 100644
--- a/packages/juniper/data_stream/junos/agent/stream/tcp.yml.hbs
+++ b/packages/juniper/data_stream/junos/agent/stream/tcp.yml.hbs
@@ -1098,11 +1098,11 @@ processors:
 "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
 "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
 "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "msg": {to:[{field: "event.original", setter: fld_set}]},
 "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
 "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
 "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
 "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
 "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
 "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
@@ -1112,7 +1112,7 @@ processors:
 "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
 "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
 "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
 "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
 "product": {to:[{field: "observer.product", setter: fld_set}]},
 "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
diff --git a/packages/juniper/data_stream/junos/agent/stream/udp.yml.hbs b/packages/juniper/data_stream/junos/agent/stream/udp.yml.hbs
index b13dac732dd..60d2db71466 100644
--- a/packages/juniper/data_stream/junos/agent/stream/udp.yml.hbs
+++ b/packages/juniper/data_stream/junos/agent/stream/udp.yml.hbs
@@ -1098,11 +1098,11 @@ processors:
 "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
 "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
 "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "msg": {to:[{field: "event.original", setter: fld_set}]},
 "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
 "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
 "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
 "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
 "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
 "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
@@ -1112,7 +1112,7 @@ processors:
 "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
 "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
 "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
 "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
 "product": {to:[{field: "observer.product", setter: fld_set}]},
 "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
diff --git a/packages/juniper/data_stream/junos/elasticsearch/ingest_pipeline/default.yml b/packages/juniper/data_stream/junos/elasticsearch/ingest_pipeline/default.yml
index 8ee126d0c0b..57565b4f7e4 100644
--- a/packages/juniper/data_stream/junos/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/juniper/data_stream/junos/elasticsearch/ingest_pipeline/default.yml
@@ -8,7 +8,7 @@ processors:
 value: '{{_ingest.timestamp}}'
 - set:
 field: ecs.version
- value: '1.12.0'
+ value: '8.0.0'
 # User agent
 - user_agent:
 field: user_agent.original
diff --git a/packages/juniper/data_stream/junos/fields/ecs.yml b/packages/juniper/data_stream/junos/fields/ecs.yml
index bf1d2ece2d0..1da8c39a341 100644
--- a/packages/juniper/data_stream/junos/fields/ecs.yml
+++ b/packages/juniper/data_stream/junos/fields/ecs.yml
@@ -110,8 +110,6 @@
 name: http.request.referrer
 - external: ecs
 name: log.level
-- external: ecs
- name: log.original
 - external: ecs
 name: log.syslog.facility.code
 - external: ecs
@@ -153,7 +151,7 @@
 - external: ecs
 name: process.pid
 - external: ecs
- name: process.ppid
+ name: process.parent.pid
 - external: ecs
 name: process.title
 - external: ecs
diff --git a/packages/juniper/data_stream/junos/sample_event.json b/packages/juniper/data_stream/junos/sample_event.json
index 88ee477650b..24b4a796712 100644
--- a/packages/juniper/data_stream/junos/sample_event.json
+++ b/packages/juniper/data_stream/junos/sample_event.json
@@ -1,41 +1,44 @@
 {
- "@timestamp": "2020-12-08T17:06:33.000Z",
+ "@timestamp": "2021-01-05T06:22:49.000Z",
 "agent": {
- "ephemeral_id": "0fc901f1-6eea-4411-a099-6d6e0c49c568",
- "id": "ea40d449-2727-40b0-90ad-be273a35f475",
+ "ephemeral_id": "d00fdc03-09f6-4672-906f-a2cfa18bf753",
+ "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.0.0"
+ "version": "8.0.0-beta1"
 },
 "data_stream": {
 "dataset": "juniper.junos",
 "namespace": "ep",
 "type": "logs"
 },
+ "destination": {
+ "address": "tod6376.mail.host\n"
+ },
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "elastic_agent": {
- "id": "ea40d449-2727-40b0-90ad-be273a35f475",
- "snapshot": true,
- "version": "8.0.0"
+ "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
 },
 "event": {
- "action": "iadese",
+ "action": "LOGIN_FAILED:",
 "agent_id_status": "verified",
- "code": "CHASSISD_MBUS_ERROR",
+ "code": "LOGIN_FAILED",
 "dataset": "juniper.junos",
- "ingested": "2021-12-06T12:29:09Z",
+ "ingested": "2022-01-01T22:09:57Z",
+ "outcome": "failure",
 "timezone": "+00:00"
 },
 "input": {
- "type": "log"
+ "type": "udp"
 },
 "log": {
- "file": {
- "path": "/tmp/service_logs/juniper-junos.log"
- },
- "offset": 2162
+ "source": {
+ "address": "172.18.0.7:57193"
+ }
 },
 "observer": {
 "product": "Junos",
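Review bot: The regenerated sample carries a trailing newline inside a hostname, `"address": "tod6376.mail.host\n"`, and the second hunk of this file shows the same value in `related.hosts` and `rsa.network.host_dst`, so the extraction that fills `host_dst` (not in this diff) appears to capture the line terminator before the value is copied onward. A hostname with an embedded `\n` will not match a clean `related.hosts` lookup or a detection rule keyed on the host, so the value should be trimmed where it is produced — for example a `trim` processor on `rsa.network.host_dst` before the copies into `destination.address` and `related.hosts`. In the same hunk `"action": "LOGIN_FAILED:"` keeps the trailing colon while `event.code` is the clean `LOGIN_FAILED`, which suggests the pattern behind `event_type` includes the separator; the same trim treatment would apply. These are pipeline defects that the refreshed sample surfaces rather than problems with the sample file itself.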
@@ -43,29 +46,45 @@ "vendor": "Juniper" }, "process": { - "name": "CHASSISD_MBUS_ERROR message repeated", - "pid": 72 + "name": "laud.exe", + "pid": 913 + }, + "related": { + "hosts": [ + "tod6376.mail.host\n" + ], + "user": [ + "turQ" + ] }, "rsa": { "internal": { - "event_desc": "management bus failed sanity test", - "messageid": "CHASSISD_MBUS_ERROR" + "event_desc": "Login failure", + "messageid": "LOGIN_FAILED" + }, + "investigations": { + "ec_activity": "Logon", + "ec_outcome": "Failure", + "ec_subject": "User", + "ec_theme": "Authentication" }, "misc": { - "event_type": "iadese", - "result_code": "imad" + "event_type": "LOGIN_FAILED:" + }, + "network": { + "host_dst": "tod6376.mail.host\n" }, "time": { - "day": "8", - "event_time": "2020-12-08T17:06:33.000Z", - "month": "Dec" + "day": "5", + "event_time": "2021-01-05T06:22:49.000Z", + "month": "Jan" } }, - "service": { - "name": "nisiu" - }, "tags": [ "juniper-junos", "forwarded" - ] + ], + "user": { + "name": "turQ" + } } \ No newline at end of file diff --git a/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json b/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json index d87b2bd68c2..1cbd4892eae 100644 --- a/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json +++ b/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json @@ -3,10 +3,10 @@ { "message": "modtempo: NetScreen device_id=olab system-low-00628(rci): audit log queue Event Alarm Log is overwritten (2016-1-29 06:09:59)", "event": { - "ingested": "2021-12-14T14:47:07.665149009Z" + "ingested": "2022-01-01T22:04:37.091734994Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -15,10 +15,10 @@ { "message": "luptat: NetScreen device_id=isiutal [moenimi]system-low-00620(gnaali): RTSYNC: Timer to purge the DRP backup routes is stopped. (2016-2-12 13:12:33)", "event": { - "ingested": "2021-12-14T14:47:07.665154211Z" + "ingested": "2022-01-01T22:04:37.091737678Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -27,10 +27,10 @@ { "message": "deomni: NetScreen device_id=tquovol [ntsuntin]system-medium-00062(tatno): Track IP IP address 10.159.227.210 succeeded. (ofdeF)", "event": { - "ingested": "2021-12-14T14:47:07.665154725Z" + "ingested": "2022-01-01T22:04:37.091738807Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -39,10 +39,10 @@ { "message": "untutlab: NetScreen device_id=tem [ons]system-medium-00004: DNS lookup time has been changed to start at ationu:ali with an interval of nsect", "event": { - "ingested": "2021-12-14T14:47:07.665155146Z" + "ingested": "2022-01-01T22:04:37.091739779Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -51,10 +51,10 @@ { "message": "eve: NetScreen device_id=tatiset [eprehen]system-medium-00034(piscing): Ethernet driver ran out of rx bd (port 1044)", "event": { - "ingested": "2021-12-14T14:47:07.665155543Z" + "ingested": "2022-01-01T22:04:37.091740741Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -63,10 +63,10 @@ { "message": "eomnisis: NetScreen device_id=mqui [civeli]system-high-00026: SCS: SCS has been tasuntex for enp0s5377 .", "event": { - "ingested": "2021-12-14T14:47:07.665155937Z" + "ingested": "2022-01-01T22:04:37.091741706Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -75,10 +75,10 @@ { "message": "rehender: NetScreen device_id=eporroqu [uat]system-high-00026(atquovo): SSH: Maximum number of PKA keys (suntinc) has been bound to user 'xeac' Key not bound. (Key ID nidolo)", "event": { - "ingested": "2021-12-14T14:47:07.665156344Z" + "ingested": "2022-01-01T22:04:37.091742644Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -87,10 +87,10 @@ { "message": "intoccae: NetScreen device_id=ents [pida]system-low-00535(idolor): PKCS #7 data cannot be decapsulated", "event": { - "ingested": "2021-12-14T14:47:07.665156785Z" + "ingested": "2022-01-01T22:04:37.091743584Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -99,10 +99,10 @@ { "message": "numqu: NetScreen device_id=qui [No Name]system-medium-00520: Active Server Switchover: New requests for equi server will try agnaali from now on. (2016-5-22 14:30:33)", "event": { - "ingested": "2021-12-14T14:47:07.665157169Z" + "ingested": "2022-01-01T22:04:37.091744515Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -111,10 +111,10 @@ { "message": "ipitla: NetScreen device_id=quae [maccusa]system-high-00072(rQuisau): NSRP: Unit idex of VSD group xerci aqu", "event": { - "ingested": "2021-12-14T14:47:07.665157560Z" + "ingested": "2022-01-01T22:04:37.091745438Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -123,10 +123,10 @@ { "message": "atu: NetScreen device_id=umexerci [ern]system-low-00084(iadese): RTSYNC: NSRP route synchronization is nsectet", "event": { - "ingested": "2021-12-14T14:47:07.665157944Z" + "ingested": "2022-01-01T22:04:37.091746353Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -135,10 +135,10 @@ { "message": "dol: NetScreen device_id=leumiu [namali]system-medium-00527(atevel): MAC address 01:00:5e:11:0a:26 has detected an IP conflict and has declined address 10.90.127.74", "event": { - "ingested": "2021-12-14T14:47:07.665158639Z" + "ingested": "2022-01-01T22:04:37.091747444Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -147,10 +147,10 @@ { "message": "acc: NetScreen device_id=amc [atur]system-low-00050(corp): Track IP enabled (2016-7-18 18:40:50)", "event": { - "ingested": "2021-12-14T14:47:07.665159059Z" + "ingested": "2022-01-01T22:04:37.091748397Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -159,10 +159,10 @@ { "message": "tper: NetScreen device_id=olor [Neque]system-medium-00524(xerc): SNMP request from an unknown SNMP community public at 10.61.30.190:2509 has been received. (2016-8-2 01:43:25)", "event": { - "ingested": "2021-12-14T14:47:07.665159458Z" + "ingested": "2022-01-01T22:04:37.091749326Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -171,10 +171,10 @@ { "message": "etdol: NetScreen device_id=uela [boN]system-medium-00521: Can't connect to E-mail server 10.210.240.175", "event": { - "ingested": "2021-12-14T14:47:07.665159853Z" + "ingested": "2022-01-01T22:04:37.091750259Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -183,10 +183,10 @@ { "message": "ati: NetScreen device_id=tlabo [uames]system-medium-00553(mpo): SCAN-MGR: Set maximum content size to offi.", "event": { - "ingested": "2021-12-14T14:47:07.665160241Z" + "ingested": "2022-01-01T22:04:37.091751209Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -195,10 +195,10 @@ { "message": "umwr: NetScreen device_id=oluptate [issus]system-high-00005(uaUteni): SYN flood udantium has been changed to pre", "event": { - "ingested": "2021-12-14T14:47:07.665160759Z" + "ingested": "2022-01-01T22:04:37.091752264Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -207,10 +207,10 @@ { "message": "tate: NetScreen device_id=imvenia [spi]system-high-00038(etdo): OSPF routing instance in vrouter urerepr is ese", "event": { - "ingested": "2021-12-14T14:47:07.665161147Z" + "ingested": "2022-01-01T22:04:37.091753207Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -219,10 +219,10 @@ { "message": "smo: NetScreen device_id=etcons [iusmodi]system-medium-00012: ate Service group uiac has epte member idolo from host 10.170.139.87", "event": { - "ingested": "2021-12-14T14:47:07.665161531Z" + "ingested": "2022-01-01T22:04:37.091754152Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -231,10 +231,10 @@ { "message": "ersp: NetScreen device_id=tquov [diconseq]system-high-00551(mod): Rapid Deployment cannot start because gateway has undergone configuration changes. (2016-10-26 19:58:50)", "event": { - "ingested": "2021-12-14T14:47:07.665161923Z" + "ingested": "2022-01-01T22:04:37.091755088Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -243,10 +243,10 @@ { "message": "mquame: NetScreen device_id=nihilmol [xercita]system-medium-00071(tiumt): The local device reetdolo in the Virtual Security Device group norum changed state", "event": { - "ingested": "2021-12-14T14:47:07.665162319Z" + "ingested": "2022-01-01T22:04:37.091756019Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -255,10 +255,10 @@ { "message": "isnisi: NetScreen device_id=ritatise [uamei]system-medium-00057(quatur): uisa: static multicast route src=10.198.41.214, grp=cusant input ifp = lo2786 output ifp = eth3657 added", "event": { - "ingested": "2021-12-14T14:47:07.665162702Z" + "ingested": "2022-01-01T22:04:37.091757002Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -267,10 +267,10 @@ { "message": "isis: NetScreen device_id=uasiar [utlab]system-high-00075(loremqu): The local device dantium in the Virtual Security Device group lor velillu", "event": { - "ingested": "2021-12-14T14:47:07.665163113Z" + "ingested": "2022-01-01T22:04:37.091757951Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -279,10 +279,10 @@ { "message": "bor: NetScreen device_id=rauto [ationev]system-low-00039(mdol): BGP instance name created for vr itation", "event": { - "ingested": "2021-12-14T14:47:07.665163620Z" + "ingested": "2022-01-01T22:04:37.091759Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -291,10 +291,10 @@ { "message": "iaeco: NetScreen device_id=equaturv [siu]system-high-00262(veniamqu): Admin user rum has been rejected via the quaea server at 10.11.251.51", "event": { - "ingested": "2021-12-14T14:47:07.665164076Z" + "ingested": "2022-01-01T22:04:37.091759931Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -303,10 +303,10 @@ { "message": "orroq: NetScreen device_id=vitaedic [orin]system-high-00038(ons): OSPF routing instance in vrouter remagn ecillu", "event": { - "ingested": "2021-12-14T14:47:07.665164474Z" + "ingested": "2022-01-01T22:04:37.091760867Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -315,10 +315,10 @@ { "message": "enderit: NetScreen device_id=taut [tanimi]system-medium-00515(commodi): emporain Admin User \"ntiumto\" logged in for umetMalo(https) management (port 2206) from 10.80.237.27:2883", "event": { - "ingested": "2021-12-14T14:47:07.665164944Z" + "ingested": "2022-01-01T22:04:37.091761826Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -327,10 +327,10 @@ { "message": "ori: NetScreen device_id=tconsect [rum]system-high-00073(eporroq): NSRP: Unit ulla of VSD group iqu oin", "event": { - "ingested": "2021-12-14T14:47:07.665165334Z" + "ingested": "2022-01-01T22:04:37.091762778Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -339,10 +339,10 @@ { "message": "mipsum: NetScreen device_id=lmo [aliquamq]system-medium-00030: X509 certificate for ScreenOS image authentication is invalid", "event": { - "ingested": "2021-12-14T14:47:07.665165722Z" + "ingested": "2022-01-01T22:04:37.091763705Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -351,10 +351,10 @@ { "message": "orroqu: NetScreen device_id=elitsed [labore]system-medium-00034(erc): PPPoE Settings changed", "event": { - "ingested": "2021-12-14T14:47:07.665166099Z" + "ingested": "2022-01-01T22:04:37.091764634Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -363,10 +363,10 @@ { "message": "ntNe: NetScreen device_id=itanim [nesciun]system-medium-00612: Switch event: the status of ethernet port mollita changed to link down , duplex full , speed 10 M. (2017-4-2 01:27:07)", "event": { - "ingested": "2021-12-14T14:47:07.665166482Z" + "ingested": "2022-01-01T22:04:37.091765580Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -375,10 +375,10 @@ { "message": "quide: NetScreen device_id=quaU [undeomni]system-medium-00077(acomm): NSRP: local unit= iutali of VSD group itat stlaboru", "event": { - "ingested": "2021-12-14T14:47:07.665166885Z" + "ingested": "2022-01-01T22:04:37.091766536Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -387,10 +387,10 @@ { "message": "emq: NetScreen device_id=plicaboN [amc]system-high-00536(acommo): IKE 10.10.77.119: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations", "event": { - "ingested": "2021-12-14T14:47:07.665167343Z" + "ingested": "2022-01-01T22:04:37.091767469Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -399,10 +399,10 @@ { "message": "scivel: NetScreen device_id=henderi [iusmodt]system-medium-00536(tquas): IKE 10.200.22.41: Received incorrect ID payload: IP address lorinr instead of IP address ercita", "event": { - "ingested": "2021-12-14T14:47:07.665167732Z" + "ingested": "2022-01-01T22:04:37.091768396Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -411,10 +411,10 @@ { "message": "equu: NetScreen device_id=sintoc [atae]system-medium-00203(tem): mestq lsa flood on interface eth82 has dropped a packet.", "event": { - "ingested": "2021-12-14T14:47:07.665168243Z" + "ingested": "2022-01-01T22:04:37.091769441Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -423,10 +423,10 @@ { "message": "iqui: NetScreen device_id=tesseci [tat]system-high-00011(cive): The virtual router nse has been made unsharable", "event": { - "ingested": "2021-12-14T14:47:07.665168625Z" + "ingested": "2022-01-01T22:04:37.091770394Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -435,10 +435,10 @@ { "message": "rroqui: NetScreen device_id=ursin [utemvel]system-medium-00002: ADMIN AUTH: Privilege requested for unknown user atu. Possible HA syncronization problem.", "event": { - "ingested": "2021-12-14T14:47:07.665169003Z" + "ingested": "2022-01-01T22:04:37.091771341Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -447,10 +447,10 @@ { "message": "orumSe: NetScreen device_id=dolor [isiut]system-high-00206(emagn): OSPF instance with router-id emulla received a Hello packet flood from neighbor (IP address 10.219.1.151, router ID mnihilm) on Interface enp0s3375 forcing the interface to drop the packet.", "event": { - "ingested": "2021-12-14T14:47:07.665169501Z" + "ingested": "2022-01-01T22:04:37.091772268Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -459,10 +459,10 @@ { "message": "eque: NetScreen device_id=eufug [est]system-medium-00075: The local device ntincul in the Virtual Security Device group reet tquo", "event": { - "ingested": "2021-12-14T14:47:07.665169888Z" + "ingested": "2022-01-01T22:04:37.091773199Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -471,10 +471,10 @@ { "message": "imadmini: NetScreen device_id=ide [edq]system-medium-00026(tise): SSH: Attempt to unbind PKA key from admin user 'ntut' (Key ID emullam)", "event": { - "ingested": "2021-12-14T14:47:07.665170277Z" + "ingested": "2022-01-01T22:04:37.091774138Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -483,10 +483,10 @@ { "message": "ihilmole: NetScreen device_id=saquaea [ons]system-high-00048(quas): Route map entry with sequence number gia in route map binck-ospf in virtual router itatio was porinc (2017-8-22 23:52:50)", "event": { - "ingested": "2021-12-14T14:47:07.665170656Z" + "ingested": "2022-01-01T22:04:37.091775078Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -495,10 +495,10 @@ { "message": "orum: NetScreen device_id=oinBCSed [orem]system-medium-00050(ilm): Track IP enabled (2017-9-6 06:55:24)", "event": { - "ingested": "2021-12-14T14:47:07.665171040Z" + "ingested": "2022-01-01T22:04:37.091776015Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -507,10 +507,10 @@ { "message": "ncididun: NetScreen device_id=hen [periamea]system-medium-00555: Vrouter ali PIMSM cannot process non-multicast address 10.158.18.51", "event": { - "ingested": "2021-12-14T14:47:07.665171419Z" + "ingested": "2022-01-01T22:04:37.091776950Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -519,10 +519,10 @@ { "message": "umwri: NetScreen device_id=odoc [atura]system-high-00030: SYSTEM CPU utilization is high (oreeu \u003e nvo ) iamqui times in tassita minute (2017-10-4 21:00:32)\u003c\u003ccolabori\u003e", "event": { - "ingested": "2021-12-14T14:47:07.665171920Z" + "ingested": "2022-01-01T22:04:37.091777872Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -531,10 +531,10 @@ { "message": "inc: NetScreen device_id=tect [uiad]system-low-00003: The console debug buffer has been roinBCSe", "event": { - "ingested": "2021-12-14T14:47:07.665172300Z" + "ingested": "2022-01-01T22:04:37.091778797Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -543,10 +543,10 @@ { "message": "nseq: NetScreen device_id=borumSec [tatemseq]system-medium-00026(dmi): SCS has been tam for eth7686 .", "event": { - "ingested": "2021-12-14T14:47:07.665172694Z" + "ingested": "2022-01-01T22:04:37.091779725Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -555,10 +555,10 @@ { "message": "uiineavo: NetScreen device_id=sistena [uidexeac]system-high-00620(amquisno): RTSYNC: Event posted to send all the DRP routes to backup device. (2017-11-16 18:08:15)", "event": { - "ingested": "2021-12-14T14:47:07.665173094Z" + "ingested": "2022-01-01T22:04:37.091780662Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -567,10 +567,10 @@ { "message": "sunt: NetScreen device_id=dquianon [urExc]system-high-00025(iamqui): PKI: The current device quide to save the certificate authority configuration.", "event": { - "ingested": "2021-12-14T14:47:07.665173519Z" + "ingested": "2022-01-01T22:04:37.091781613Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -579,10 +579,10 @@ { "message": "etdol: NetScreen device_id=Sed [oremeumf]system-high-00076: The local device etur in the Virtual Security Device group fugiatn enima", "event": { - "ingested": "2021-12-14T14:47:07.665173902Z" + "ingested": "2022-01-01T22:04:37.091782520Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -591,10 +591,10 @@ { "message": "giatquo: NetScreen device_id=lors [its]system-low-00524: SNMP request from an unknown SNMP community public at 10.46.217.155:76 has been received. (2017-12-29 15:15:58)", "event": { - "ingested": "2021-12-14T14:47:07.665174437Z" + "ingested": "2022-01-01T22:04:37.091783447Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -603,10 +603,10 @@ { "message": "magnaa: NetScreen device_id=sumquiad [No Name]system-high-00628: audit log queue Event Log is overwritten (2018-1-12 22:18:32)", "event": { - "ingested": "2021-12-14T14:47:07.665174976Z" + "ingested": "2022-01-01T22:04:37.091784478Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -615,10 +615,10 @@ { "message": "tnulapa: NetScreen device_id=madmi [No Name]system-high-00628(adeser): audit log queue Event Log is overwritten (2018-1-27 05:21:06)", "event": { - "ingested": "2021-12-14T14:47:07.665175369Z" + "ingested": "2022-01-01T22:04:37.091785413Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -627,10 +627,10 @@ { "message": "laboree: NetScreen device_id=udantiu [itametco]system-high-00556(stiaecon): UF-MGR: usBono CPA server port changed to rumexe.", "event": { - "ingested": "2021-12-14T14:47:07.665175759Z" + "ingested": "2022-01-01T22:04:37.091786349Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -639,10 +639,10 @@ { "message": "nturmag: NetScreen device_id=uredol [maliqua]system-medium-00058(mquia): PIMSM protocol configured on interface eth2266", "event": { - "ingested": "2021-12-14T14:47:07.665176149Z" + "ingested": "2022-01-01T22:04:37.091787279Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -651,10 +651,10 @@ { "message": "ueporroq: NetScreen device_id=ute [No Name]system-low-00625: Session (id tationu src-ip 10.142.21.251 dst-ip 10.154.16.147 dst port 6881) route is valid. (2018-3-11 02:28:49)", "event": { - "ingested": "2021-12-14T14:47:07.665176590Z" + "ingested": "2022-01-01T22:04:37.091788215Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -663,10 +663,10 @@ { "message": "adipi: NetScreen device_id=mquis [ratvo]system-low-00042(isno): Replay packet detected on IPSec tunnel on enp0s1170 with tunnel ID nderiti! From 10.105.212.51 to 10.119.53.68/1783, giatqu (2018-3-25 09:31:24)", "event": { - "ingested": "2021-12-14T14:47:07.665177004Z" + "ingested": "2022-01-01T22:04:37.091789185Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -675,10 +675,10 @@ { "message": "emvel: NetScreen device_id=pta [dolo]system-medium-00057(eacommod): uamqu: static multicast route src=10.174.2.175, grp=aparia input ifp = lo6813 output ifp = enp0s90 added", "event": { - "ingested": "2021-12-14T14:47:07.665177392Z" + "ingested": "2022-01-01T22:04:37.091790119Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -687,10 +687,10 @@ { "message": "giat: NetScreen device_id=ttenb [eirure]system-high-00549(rem): add-route-\u003e untrust-vr: exer", "event": { - "ingested": "2021-12-14T14:47:07.665177782Z" + "ingested": "2022-01-01T22:04:37.091791051Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -699,10 +699,10 @@ { "message": "lapari: NetScreen device_id=rcitat [cinge]system-high-00536(luptate): IKE gateway eritqu has been elites. pariat", "event": { - "ingested": "2021-12-14T14:47:07.665178198Z" + "ingested": "2022-01-01T22:04:37.091791994Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -711,10 +711,10 @@ { "message": "accus: NetScreen device_id=CSed [tiu]system-low-00049(upta): The router-id of virtual router \"asper\" used by OSPF, BGP routing instances id has been uninitialized. (dictasun)", "event": { - "ingested": "2021-12-14T14:47:07.665178590Z" + "ingested": "2022-01-01T22:04:37.091792932Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -723,10 +723,10 @@ { "message": "itanimi: NetScreen device_id=onoru [data]system-high-00064(eosqui): Can not create track-ip list", "event": { - "ingested": "2021-12-14T14:47:07.665178967Z" + "ingested": "2022-01-01T22:04:37.091793872Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -735,10 +735,10 @@ { "message": "int: NetScreen device_id=ionevo [llitani]system-high-00541(itametco): The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from etcons to etco state, (neighbor router-id 1iuntN, ip-address 10.89.179.48). (2018-6-19 03:46:49)", "event": { - "ingested": "2021-12-14T14:47:07.665179364Z" + "ingested": "2022-01-01T22:04:37.091794831Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -747,10 +747,10 @@ { "message": "mmodicon: NetScreen device_id=eetdo [mquisno]system-low-00017(lup): mipsamv From 10.57.108.5:5523 using protocol icmp on interface enp0s4987. The attack occurred 2282 times", "event": { - "ingested": "2021-12-14T14:47:07.665179742Z" + "ingested": "2022-01-01T22:04:37.091795761Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -759,10 +759,10 @@ { "message": "inimve: NetScreen device_id=aea [emipsumd]system-low-00263(ptat): Admin user saq has been accepted via the asiarch server at 10.197.10.110", "event": { - "ingested": "2021-12-14T14:47:07.665180132Z" + "ingested": "2022-01-01T22:04:37.091796714Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -771,10 +771,10 @@ { "message": "tlab: NetScreen device_id=vel [ionevo]system-high-00622: NHRP : NHRP instance in virtual router ptate is created. (2018-8-1 00:54:32)", "event": { - "ingested": "2021-12-14T14:47:07.665180515Z" + "ingested": "2022-01-01T22:04:37.091797639Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -783,10 +783,10 @@ { "message": "qui: NetScreen device_id=caboN [imipsam]system-high-00528(catcupid): SSH: Admin user 'ritquiin' at host 10.59.51.171 requested unsupported authentication method texplica", "event": { - "ingested": "2021-12-14T14:47:07.665181045Z" + "ingested": "2022-01-01T22:04:37.091798605Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -795,10 +795,10 @@ { "message": "udexerci: NetScreen device_id=uae [imveni]system-medium-00071(ptatemse): NSRP: Unit itationu of VSD group setquas nbyCi", "event": { - "ingested": "2021-12-14T14:47:07.665181498Z" + "ingested": "2022-01-01T22:04:37.091799565Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -807,10 +807,10 @@ { "message": "isno: NetScreen device_id=luptatev [occaeca]system-high-00018(urau): aeca Policy (oNem, itaedict ) was eroi from host 10.80.103.229 by admin fugitsed (2018-9-12 22:02:15)", "event": { - "ingested": "2021-12-14T14:47:07.665181907Z" + "ingested": "2022-01-01T22:04:37.091800509Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -819,10 +819,10 @@ { "message": "utlabore: NetScreen device_id=edquiano [mSecti]system-high-00207(tDuisaut): RIP database size limit exceeded for uel, RIP route dropped.", "event": { - "ingested": "2021-12-14T14:47:07.665182299Z" + "ingested": "2022-01-01T22:04:37.091801444Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -831,10 +831,10 @@ { "message": "agn: NetScreen device_id=iqu [quamqua]system-high-00075: NSRP: Unit equeporr of VSD group amremap oremagna", "event": { - "ingested": "2021-12-14T14:47:07.665182694Z" + "ingested": "2022-01-01T22:04:37.091802371Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -843,10 +843,10 @@ { "message": "ntium: NetScreen device_id=ide [quunturm]system-low-00040(isautem): High watermark for early aging has been changed to the default usan", "event": { - "ingested": "2021-12-14T14:47:07.665183076Z" + "ingested": "2022-01-01T22:04:37.091803300Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -855,10 +855,10 @@ { "message": "catcu: NetScreen device_id=quame [tionemu]system-low-00524(eursi): SNMP host 10.163.9.35 cannot be removed from community uatDu because failure", "event": { - "ingested": "2021-12-14T14:47:07.665183468Z" + "ingested": "2022-01-01T22:04:37.091804230Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -867,10 +867,10 @@ { "message": "cteturad: NetScreen device_id=modi [No Name]system-low-00625(ecatcu): Session (id ntoccae src-ip 10.51.161.245 dst-ip 10.193.80.21 dst port 5657) route is valid. (2018-11-23 09:15:06)", "event": { - "ingested": "2021-12-14T14:47:07.665183855Z" + "ingested": "2022-01-01T22:04:37.091805162Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -879,10 +879,10 @@ { "message": "chit: NetScreen device_id=iusmodit [lor]system-high-00524(adeserun): SNMP request has been received, but success", "event": { - "ingested": "2021-12-14T14:47:07.665184244Z" + "ingested": "2022-01-01T22:04:37.091806089Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -891,10 +891,10 @@ { "message": "vento: NetScreen device_id=litsed [ciun]system-medium-00072: The local device inrepr in the Virtual Security Device group lla changed state", "event": { - "ingested": "2021-12-14T14:47:07.665184774Z" + "ingested": "2022-01-01T22:04:37.091807118Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -903,10 +903,10 @@ { "message": "rissusci: NetScreen device_id=uaturQ [iusmod]system-medium-00533(mips): VIP server 10.41.222.7 is now responding", "event": { - "ingested": "2021-12-14T14:47:07.665185174Z" + "ingested": "2022-01-01T22:04:37.091808068Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -915,10 +915,10 @@ { "message": "upta: NetScreen device_id=ivel [tmollita]system-low-00070(deFinib): NSRP: nsrp control channel change to lo4065", "event": { - "ingested": "2021-12-14T14:47:07.665185661Z" + "ingested": "2022-01-01T22:04:37.091809Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -927,10 +927,10 @@ { "message": "ommodic: NetScreen device_id=mmodic [essequam]system-low-00040(nihi): VPN 'xeaco' from 10.134.20.213 is eavolupt (2019-2-2 20:27:57)", "event": { - "ingested": "2021-12-14T14:47:07.665186091Z" + "ingested": "2022-01-01T22:04:37.091809927Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -939,10 +939,10 @@ { "message": "ptasnul: NetScreen device_id=utaliqui [mcorpor]system-medium-00023(ostru): VIP/load balance server 10.110.144.189 cannot be contacted", "event": { - "ingested": "2021-12-14T14:47:07.665186515Z" + "ingested": "2022-01-01T22:04:37.091810867Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -951,10 +951,10 @@ { "message": "luptatem: NetScreen device_id=ing [hen]system-medium-00034(umquid): SCS: SCS has been olabo for tasnu with conse existing PKA keys already bound to ruredolo SSH users.", "event": { - "ingested": "2021-12-14T14:47:07.665186907Z" + "ingested": "2022-01-01T22:04:37.091811787Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -963,10 +963,10 @@ { "message": "iat: NetScreen device_id=orain [equaturQ]system-low-00554: SCAN-MGR: Attempted to load AV pattern file created quia after the AV subscription expired. (Exp: Exce)", "event": { - "ingested": "2021-12-14T14:47:07.665187296Z" + "ingested": "2022-01-01T22:04:37.091812726Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -975,10 +975,10 @@ { "message": "dese: NetScreen device_id=ptasn [liqui]system-low-00541: ScreenOS invol serial # Loremips: Asset recovery has been cidun", "event": { - "ingested": "2021-12-14T14:47:07.665187688Z" + "ingested": "2022-01-01T22:04:37.091813647Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -987,10 +987,10 @@ { "message": "ole: NetScreen device_id=odi [tper]system-medium-00628(ectetur): audit log queue Event Log is overwritten (2019-4-15 07:40:49)", "event": { - "ingested": "2021-12-14T14:47:07.665188069Z" + "ingested": "2022-01-01T22:04:37.091814587Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -999,10 +999,10 @@ { "message": "iadolo: NetScreen device_id=ecatcup [No Name]system-high-00628: audit log queue Traffic Log is overwritten (2019-4-29 14:43:23)", "event": { - "ingested": "2021-12-14T14:47:07.665188457Z" + "ingested": "2022-01-01T22:04:37.091815525Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -1011,10 +1011,10 @@ { "message": "qui: NetScreen device_id=iaecon [dminima]system-high-00538(psaquaea): NACN failed to register to Policy Manager eabillo because of success", "event": { - "ingested": "2021-12-14T14:47:07.665188882Z" + "ingested": "2022-01-01T22:04:37.091816445Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -1023,10 +1023,10 @@ { "message": "eosqu: NetScreen device_id=reetdolo [umquam]system-low-00075(enderi): The local device labore in the Virtual Security Device group uasiarch changed state from iamquisn to inoperable. (2019-5-28 04:48:31)", "event": { - "ingested": "2021-12-14T14:47:07.665190273Z" + "ingested": "2022-01-01T22:04:37.091817373Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -1035,10 +1035,10 @@ { "message": "veleumi: NetScreen device_id=volupt [equ]system-high-00535(ure): SCEP_FAILURE message has been received from the CA", "event": { - "ingested": "2021-12-14T14:47:07.665190723Z" + "ingested": "2022-01-01T22:04:37.091818310Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -1047,10 +1047,10 @@ { "message": "reseo: NetScreen device_id=entoreve [rudexer]system-medium-00026(iruredol): IKE iad: Missing heartbeats have exceeded the threshold. All Phase 1 and 2 SAs have been removed", "event": { - "ingested": "2021-12-14T14:47:07.665191124Z" + "ingested": "2022-01-01T22:04:37.091819257Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -1059,10 +1059,10 @@ { "message": "ptate: NetScreen device_id=oloreeu [imipsa]system-high-00038: OSPF routing instance in vrouter uame taevitae", "event": { - "ingested": "2021-12-14T14:47:07.665191525Z" + "ingested": "2022-01-01T22:04:37.091820197Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -1071,10 +1071,10 @@ { "message": "archi: NetScreen device_id=caboNe [ptate]system-high-00003(ius): Multiple authentication failures have been detected!", "event": { - "ingested": "2021-12-14T14:47:07.665191910Z" + "ingested": "2022-01-01T22:04:37.091821116Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -1083,10 +1083,10 @@ { "message": "remap: NetScreen device_id=ntium [veniamqu]system-high-00529: DNS entries have been refreshed by HA", "event": { - "ingested": "2021-12-14T14:47:07.665192360Z" + "ingested": "2022-01-01T22:04:37.091822052Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -1095,10 +1095,10 @@ { "message": "llumdo: NetScreen device_id=tot [itquii]system-high-00625(erspici): Session (id oreeu src-ip 10.126.150.15 dst-ip 10.185.50.112 dst port 7180) route is invalid. (2019-8-21 23:03:57)", "event": { - "ingested": "2021-12-14T14:47:07.665192749Z" + "ingested": "2022-01-01T22:04:37.091822984Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -1107,10 +1107,10 @@ { "message": "quepo: NetScreen device_id=tDuisa [iscive]system-medium-00521: Can't connect to E-mail server 10.152.90.59", "event": { - "ingested": "2021-12-14T14:47:07.665193129Z" + "ingested": "2022-01-01T22:04:37.091823962Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -1119,10 +1119,10 @@ { "message": "lorem: NetScreen device_id=icons [hende]system-low-00077(usBonor): HA link disconnect. Begin to use second path of HA", "event": { - "ingested": "2021-12-14T14:47:07.665193510Z" + "ingested": "2022-01-01T22:04:37.091824894Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -1131,10 +1131,10 @@ { "message": "preh: NetScreen device_id=dol [No Name]system-low-00625: Session (id gnamal src-ip 10.119.181.171 dst-ip 10.166.144.66 dst port 3051) route is invalid. (2019-10-3 20:11:40)", "event": { - "ingested": "2021-12-14T14:47:07.665193903Z" + "ingested": "2022-01-01T22:04:37.091825870Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -1143,10 +1143,10 @@ { "message": "avolup: NetScreen device_id=litse [archit]system-high-00041(untutlab): A route-map name in virtual router estqu has been removed", "event": { - "ingested": "2021-12-14T14:47:07.665194296Z" + "ingested": "2022-01-01T22:04:37.091826796Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -1155,10 +1155,10 @@ { "message": "eddoeiu: NetScreen device_id=consect [eetdolo]system-medium-00038(remipsum): OSPF routing instance in vrouter ons emporin", "event": { - "ingested": "2021-12-14T14:47:07.665194889Z" + "ingested": "2022-01-01T22:04:37.091827733Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -1167,10 +1167,10 @@ { "message": "texpl: NetScreen device_id=isquames [No Name]system-low-00021: DIP port-translation stickiness was atio by utla via ntm from host 10.96.165.147 to 10.96.218.99:277 (2019-11-15 17:19:22)", "event": { - "ingested": "2021-12-14T14:47:07.665195276Z" + "ingested": "2022-01-01T22:04:37.091828666Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" @@ -1179,10 +1179,10 @@ { "message": "elaudant: NetScreen device_id=ratvolu [odte]system-medium-00021(eum): DIP port-translation stickiness was uidol by repr via idu from host 10.201.72.59 to 10.230.29.67:7478 (2019-11-30 00:21:57)", "event": { - "ingested": "2021-12-14T14:47:07.665195659Z" + "ingested": "2022-01-01T22:04:37.091829598Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event" 
@@ -1191,10 +1191,10 @@ { "message": "toc: NetScreen device_id=rau [sciuntN]system-low-00602: PIMSM Error in initializing interface state change", "event": { - "ingested": "2021-12-14T14:47:07.665196044Z" + "ingested": "2022-01-01T22:04:37.091830572Z" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "tags": [ "preserve_original_event"
diff --git a/packages/juniper/data_stream/netscreen/agent/stream/logfile.yml.hbs b/packages/juniper/data_stream/netscreen/agent/stream/logfile.yml.hbs
index f895505daad..5900d7bdd78 100644
--- a/packages/juniper/data_stream/netscreen/agent/stream/logfile.yml.hbs
+++ b/packages/juniper/data_stream/netscreen/agent/stream/logfile.yml.hbs
@@ -1101,11 +1101,11 @@ processors:
"macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
"messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
"method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "msg": {to:[{field: "event.original", setter: fld_set}]},
"orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
"owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
"parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
"parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
"patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
@@ -1115,7 +1115,7 @@ processors:
"port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
"process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
"process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
"process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
"product": {to:[{field: "observer.product", setter: fld_set}]},
"protocol": {to:[{field: "network.protocol", setter: fld_set}]},
diff --git a/packages/juniper/data_stream/netscreen/agent/stream/tcp.yml.hbs b/packages/juniper/data_stream/netscreen/agent/stream/tcp.yml.hbs
index d75e4b37dd3..9f49f1e12c3 100644
--- a/packages/juniper/data_stream/netscreen/agent/stream/tcp.yml.hbs
+++ b/packages/juniper/data_stream/netscreen/agent/stream/tcp.yml.hbs
@@ -1098,11 +1098,11 @@ processors:
"macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
"messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
"method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "msg": {to:[{field: "event.original", setter: fld_set}]},
"orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
"owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
"parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
"parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
"patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
@@ -1112,7 +1112,7 @@ processors:
"port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
"process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
"process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
"process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
"product": {to:[{field: "observer.product", setter: fld_set}]},
"protocol": {to:[{field: "network.protocol", setter: fld_set}]},
diff --git a/packages/juniper/data_stream/netscreen/agent/stream/udp.yml.hbs b/packages/juniper/data_stream/netscreen/agent/stream/udp.yml.hbs
index 0c6974a64ec..b25f5ec10cf 100644
--- a/packages/juniper/data_stream/netscreen/agent/stream/udp.yml.hbs
+++ b/packages/juniper/data_stream/netscreen/agent/stream/udp.yml.hbs
@@ -1098,11 +1098,11 @@ processors:
"macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
"messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
"method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "log.original", setter: fld_set}]},
+ "msg": {to:[{field: "event.original", setter: fld_set}]},
"orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
"owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
"parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
"parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
"patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
@@ -1112,7 +1112,7 @@ processors:
"port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
"process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
"process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
"process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
"product": {to:[{field: "observer.product", setter: fld_set}]},
"protocol": {to:[{field: "network.protocol", setter: fld_set}]},
diff --git a/packages/juniper/data_stream/netscreen/elasticsearch/ingest_pipeline/default.yml b/packages/juniper/data_stream/netscreen/elasticsearch/ingest_pipeline/default.yml
index f826353a52a..c21920bdeeb 100644
--- a/packages/juniper/data_stream/netscreen/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/juniper/data_stream/netscreen/elasticsearch/ingest_pipeline/default.yml
@@ -8,7 +8,7 @@ processors:
value: '{{_ingest.timestamp}}'
- set:
field: ecs.version
- value: '1.12.0'
+ value: '8.0.0'
# User agent
- user_agent:
field: user_agent.original
diff --git a/packages/juniper/data_stream/netscreen/fields/ecs.yml b/packages/juniper/data_stream/netscreen/fields/ecs.yml
index bf1d2ece2d0..1da8c39a341 100644
--- a/packages/juniper/data_stream/netscreen/fields/ecs.yml
+++ b/packages/juniper/data_stream/netscreen/fields/ecs.yml
@@ -110,8 +110,6 @@
name: http.request.referrer
- external: ecs
name: log.level
-- external: ecs
- name: log.original
- external: ecs
name: log.syslog.facility.code
- external: ecs
@@ -153,7 +153,7 @@
- external: ecs
name: process.pid
- external: ecs
- name: process.ppid
+ name: process.parent.pid
- external: ecs
name: process.title
- external: ecs
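Review bot: The `+ "msg"` line now writes the parsed ScreenOS message text into `event.original` with `fld_set`, which by its name looks like an unconditional assignment, so if the raw syslog line is also stored in `event.original` (the field the preserve_original_event tag seen in the fixtures is meant to retain) this mapping will replace the full line with only the message fragment. That weakens the forensic value of the field: `event.original` is what analysts and detection rules rely on as the untouched input, and it should hold either the whole line or nothing. If the parsed text is worth keeping, a package-specific field such as `juniper.netscreen.message` is a safer target than an ECS field with special pipeline handling; please confirm against the ingest pipeline which value actually ends up in `event.original` for a netscreen event. The identical table edit is repeated in tcp.yml.hbs and udp.yml.hbs and should get the same treatment. The mapping table this entry belongs to starts and ends outside the hunk.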
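Review bot: The first ecs.yml hunk removes the `log.original` declaration but adds no `event.original` entry, even though the stream templates now send `msg` to `event.original`; unless that field is already declared elsewhere in this file (outside the hunk), the new target will not get its ECS mapping, so add `- external: ecs` / `  name: event.original` if it is missing. Dropping `log.original` without a replacement also silently empties any saved search, detection rule or dashboard that filtered on it; an alias entry, `- name: log.original` / `  type: alias` / `  path: event.original`, keeps those queries working, or the removal should be called out as breaking rather than as an enhancement. The same consumer-facing caveat applies to the `process.ppid` to `process.parent.pid` change in the second hunk.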
diff --git a/packages/juniper/data_stream/netscreen/sample_event.json b/packages/juniper/data_stream/netscreen/sample_event.json index 6d8b2b231ec..cf4950dcf4a 100644 --- a/packages/juniper/data_stream/netscreen/sample_event.json +++ b/packages/juniper/data_stream/netscreen/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2016-01-29T06:09:59.000Z", "agent": { - "ephemeral_id": "98785d22-916a-4c19-aa24-b7bb4a4ca5b8", - "id": "ea40d449-2727-40b0-90ad-be273a35f475", + "ephemeral_id": "37fa2cc1-547d-4a28-852d-12a106ff1c58", + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0" + "version": "8.0.0-beta1" }, "data_stream": { "dataset": "juniper.netscreen", @@ -13,29 +13,28 @@ "type": "logs" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "elastic_agent": { - "id": "ea40d449-2727-40b0-90ad-be273a35f475", - "snapshot": true, - "version": "8.0.0" + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "snapshot": false, + "version": "8.0.0-beta1" }, "event": { "agent_id_status": "verified", "code": "00628", "dataset": "juniper.netscreen", - "ingested": "2021-12-06T12:31:35Z", + "ingested": "2022-01-01T22:14:50Z", "timezone": "+00:00" }, "input": { - "type": "log" + "type": "udp" }, "log": { - "file": { - "path": "/tmp/service_logs/juniper-netscreen.log" - }, "level": "low", - "offset": 0 + "source": { + "address": "172.18.0.7:52376" + } }, "observer": { "product": "Netscreen", diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json index 777f3fb7c80..ca015d57f3b 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json @@ -66,7 +66,7 @@ }, "@timestamp": "2013-12-14T16:06:59.134Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -86,7 +86,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-14T14:47:10.183090634Z", + "ingested": "2022-01-01T22:04:42.677715564Z", "original": "\u003c14\u003e1 2013-12-14T16:06:59.134Z pinarello RT_AAMW - SRX_AAMW_ACTION_LOG [junos@xxx.x.x.x.x.28 http-host=\"www.mytest.com\" file-category=\"executable\" action=\"BLOCK\" verdict-number=\"8\" verdict-source=”cloud/blacklist/whitelist” source-address=\"10.10.10.1\" source-port=\"57116\" destination-address=\"67.43.156.14\" destination-port=\"80\" protocol-id=\"6\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" policy-name=\"argon_policy\" username=\"user1\" session-id-32=\"50000002\" source-zone-name=\"untrust\" destination-zone-name=\"trust\"]", "kind": "alert", "action": "malware_detected", @@ -111,7 +111,7 @@ }, "@timestamp": "2016-09-20T17:43:30.330Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -147,7 +147,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-14T14:47:10.183094173Z", + "ingested": "2022-01-01T22:04:42.677718778Z", "original": "\u003c14\u003e1 2016-09-20T10:43:30.330-07:00 host-example RT_AAMW - AAMW_MALWARE_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" sample-sha256=\"ABC123\" client-ip=\"192.168.2.0\" verdict-number=\"9\" malware-info=\"Eicar:TestVirus\" username=\"admin\" hostname=\"host.example.com\"]", "kind": "alert", "action": "malware_detected", @@ -175,7 +175,7 @@ }, "@timestamp": "2016-09-20T17:40:30.050Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -208,7 +208,7 @@ }, "event": { "severity": 11, - "ingested": "2021-12-14T14:47:10.183094689Z", + "ingested": "2022-01-01T22:04:42.677720191Z", "original": "\u003c11\u003e1 2016-09-20T10:40:30.050-07:00 host-example RT_AAMW - AAMW_HOST_INFECTED_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" client-ip=\"192.168.2.0\" hostname=\"host.example.com\" status=\"in_progress\" policy-name=\"default\" th=\"7\" state=\"added\" reason=\"malware\" message=\"malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123\"]", "kind": "alert", "category": [ @@ -291,7 +291,7 @@ }, "@timestamp": "2007-02-15T09:17:15.719Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -308,7 +308,7 @@ }, "event": { "severity": 165, - "ingested": "2021-12-14T14:47:10.183095105Z", + "ingested": "2022-01-01T22:04:42.677721344Z", "original": "\u003c165\u003e1 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@67.43.156.15 hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" source-address=\"67.43.156.15\" source-port=\"60148\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"]", "kind": "event", "category": [ diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json index b0d8688a8b9..e291d626cfc 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json 
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json @@ -63,7 +63,7 @@ }, "@timestamp": "2019-11-14T08:37:51.184Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ @@ -80,7 +80,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-14T14:47:11.679892458Z", + "ingested": "2022-01-01T22:04:46.827614833Z", "original": "\u003c14\u003e1 2019-11-14T09:37:51.184+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address=\"10.0.0.1\" source-port=\"594\" destination-address=\"10.128.0.1\" destination-port=\"10400\" connection-tag=\"0\" service-name=\"icmp\" nat-source-address=\"10.0.0.1\" nat-source-port=\"594\" nat-destination-address=\"10.128.0.1\" nat-destination-port=\"10400\" nat-connection-tag=\"0\" src-nat-rule-type=\"N/A\" src-nat-rule-name=\"N/A\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"1\" policy-name=\"vpn_trust_permit-all\" source-zone-name=\"vpn\" destination-zone-name=\"trust\" session-id-32=\"6093\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"st0.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]", "risk_score": 1.0, "kind": "event", @@ -149,7 +149,7 @@ }, "@timestamp": "2019-11-14T10:12:46.573Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ 
@@ -163,7 +163,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-14T14:47:11.679895607Z", + "ingested": "2022-01-01T22:04:46.827617716Z", "original": "\u003c14\u003e1 2019-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY [junos@67.43.156.15 source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]", "risk_score": 1.0, "kind": "event", @@ -252,7 +252,7 @@ }, "@timestamp": "2014-05-01T08:26:51.179Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ @@ -265,7 +265,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-14T14:47:11.679896199Z", + "ingested": "2022-01-01T22:04:46.827618806Z", "original": "\u003c14\u003e1 2014-05-01T08:26:51.179Z fw01 RT_FLOW - RT_FLOW_SESSION_DENY [junos@67.43.156.15 source-address=\"67.43.156.15\" source-port=\"56639\" destination-address=\"67.43.156.15\" destination-port=\"2003\" service-name=\"None\" protocol-id=\"6\" icmp-type=\"0\" policy-name=\"log-all-else\" source-zone-name=\"campus\" destination-zone-name=\"mngmt\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth6.0\" encrypted=\"No \"]", "kind": "event", "action": "flow_deny", @@ -373,7 +373,7 @@ }, "@timestamp": "2014-05-01T08:28:10.933Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ 
@@ -392,7 +392,7 @@ "event": { "duration": 60000000000, "severity": 14, - "ingested": "2021-12-14T14:47:11.679896588Z", + "ingested": "2022-01-01T22:04:46.827622773Z", "original": "\u003c14\u003e1 2014-05-01T08:28:10.933Z fw01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"unset\" source-address=\"67.43.156.15\" source-port=\"63456\" destination-address=\"67.43.156.15\" destination-port=\"902\" service-name=\"None\" nat-source-address=\"67.43.156.15\" nat-source-port=\"63456\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"902\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"17\" policy-name=\"mngmt-to-vcenter\" source-zone-name=\"mngmt\" destination-zone-name=\"intra\" session-id-32=\"15353\" packets-from-client=\"1\" bytes-from-client=\"94\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"60\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth3.5\" encrypted=\"No \"]", "kind": "event", "start": "2014-05-01T08:28:10.933Z", @@ -494,7 +494,7 @@ }, "@timestamp": "2013-11-04T16:23:09.264Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ 
@@ -510,7 +510,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-14T14:47:11.679898074Z", + "ingested": "2022-01-01T22:04:46.827623743Z", "original": "\u003c14\u003e1 2013-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address=\"67.43.156.14\" source-port=\"24065\" destination-address=\"67.43.156.14\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"67.43.156.14\" nat-source-port=\"24065\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"]", "kind": "event", "action": "flow_started", @@ -598,7 +598,7 @@ }, "@timestamp": "2010-09-30T06:55:04.323Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ @@ -616,7 +616,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-14T14:47:11.679898522Z", + "ingested": "2022-01-01T22:04:46.827624675Z", "original": "\u003c14\u003e1 2010-09-30T14:55:04.323+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address=\"192.168.2.1\" source-port=\"1\" destination-address=\"192.168.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.168.2.1\" nat-source-port=\"1\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packet-incoming-interface=\"ge-0/0/1.0\"]", "kind": "event", "action": "flow_started", 
@@ -713,7 +713,7 @@ }, "@timestamp": "2010-09-30T06:55:07.188Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ @@ -734,7 +734,7 @@ "event": { "duration": 0, "severity": 14, - "ingested": "2021-12-14T14:47:11.679898995Z", + "ingested": "2022-01-01T22:04:46.827625614Z", "original": "\u003c14\u003e1 2010-09-30T14:55:07.188+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"response received\" source-address=\"192.168.2.1\" source-port=\"1\" destination-address=\"192.168.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.168.2.1\" nat-source-port=\"1\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packets-from-client=\"1\" bytes-from-client=\"84\" packets-from-server=\"1\" bytes-from-server=\"84\" elapsed-time=\"0\" packet-incoming-interface=\"ge-0/0/1.0\"]", "kind": "event", "start": "2010-09-30T06:55:07.188Z", @@ -841,7 +841,7 @@ }, "@timestamp": "2019-04-12T14:29:06.576Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ 
@@ -862,7 +862,7 @@ "event": { "duration": 1000000000, "severity": 14, - "ingested": "2021-12-14T14:47:11.679899393Z", + "ingested": "2022-01-01T22:04:46.827626556Z", "original": "\u003c14\u003e1 2019-04-12T14:29:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"TCP FIN\" source-address=\"10.3.255.203\" source-port=\"47776\" destination-address=\"67.43.156.15\" destination-port=\"80\" connection-tag=\"0\" service-name=\"junos-http\" nat-source-address=\"10.3.136.49\" nat-source-port=\"19162\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"80\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"nat1\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit_all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"5\" packets-from-client=\"6\" bytes-from-client=\"337\" packets-from-server=\"4\" bytes-from-server=\"535\" elapsed-time=\"1\" application=\"HTTP\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/0.0\" encrypted=\"No\" application-category=\"Web\" application-sub-category=\"N/A\" application-risk=\"4\" application-characteristics=\"Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;\"]", "risk_score": 4.0, "kind": "event", @@ -950,7 +950,7 @@ }, "@timestamp": "2019-04-13T14:33:06.576Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ 
@@ -970,7 +970,7 @@ "event": { "duration": 16000000000, "severity": 14, - "ingested": "2021-12-14T14:47:11.679899790Z", + "ingested": "2022-01-01T22:04:46.827627516Z", "original": "\u003c14\u003e1 2019-04-13T14:33:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"TCP RST\" source-address=\"192.168.2.164\" source-port=\"53232\" destination-address=\"172.16.1.19\" destination-port=\"445\" service-name=\"junos-smb\" nat-source-address=\"192.168.2.164\" nat-source-port=\"53232\" nat-destination-address=\"172.16.1.19\" nat-destination-port=\"445\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"35\" source-zone-name=\"Trust\" destination-zone-name=\"Trust\" session-id-32=\"206\" packets-from-client=\"13\" bytes-from-client=\"4274\" packets-from-server=\"9\" bytes-from-server=\"1575\" elapsed-time=\"16\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/2.0\"]", "kind": "event", "start": "2019-04-13T14:33:06.576Z", @@ -1083,7 +1083,7 @@ }, "@timestamp": "2018-10-07T01:32:20.898Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ 
@@ -1102,7 +1102,7 @@ "event": { "duration": 8000000000, "severity": 14, - "ingested": "2021-12-14T14:47:11.679900173Z", + "ingested": "2022-01-01T22:04:46.827628430Z", "original": "\u003c14\u003e1 2018-10-07T01:32:20.898Z TestFW2 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"idle Timeout\" source-address=\"67.43.156.14\" source-port=\"52890\" destination-address=\"67.43.156.14\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"67.43.156.14\" nat-source-port=\"11152\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"NAT_S\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"NAT\" source-zone-name=\"Gi_nat\" destination-zone-name=\"Internet\" session-id-32=\"220368889\" packets-from-client=\"1\" bytes-from-client=\"72\" packets-from-server=\"1\" bytes-from-server=\"136\" elapsed-time=\"8\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.108\" encrypted=\"UNKNOWN\"]", "kind": "event", "start": "2018-10-07T01:32:20.898Z", @@ -1203,7 +1203,7 @@ }, "@timestamp": "2018-06-30T02:17:22.753Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ 
@@ -1224,7 +1224,7 @@ "event": { "duration": 3000000000, "severity": 14, - "ingested": "2021-12-14T14:47:11.679900572Z", + "ingested": "2022-01-01T22:04:46.827629334Z", "original": "\u003c14\u003e1 2018-06-30T02:17:22.753Z fw0001 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"idle Timeout\" source-address=\"192.168.255.2\" source-port=\"62047\" destination-address=\"67.43.156.15\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"192.168.0.47\" nat-source-port=\"20215\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"rule001\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"trust-to-untrust-001\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"9621\" packets-from-client=\"1\" bytes-from-client=\"67\" packets-from-server=\"1\" bytes-from-server=\"116\" elapsed-time=\"3\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"fe-0/0/1.0\" encrypted=\"UNKNOWN\"]", "kind": "event", "start": "2018-06-30T02:17:22.753Z", @@ -1314,7 +1314,7 @@ }, "@timestamp": "2015-09-25T14:19:53.846Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ 
@@ -1336,7 +1336,7 @@ "event": { "duration": 1000000000, "severity": 14, - "ingested": "2021-12-14T14:47:11.679901243Z", + "ingested": "2022-01-01T22:04:46.827630361Z", "original": "\u003c14\u003e1 2015-09-25T14:19:53.846Z VPNBox-A RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"application failure or action\" source-address=\"10.164.110.223\" source-port=\"9057\" destination-address=\"10.104.12.161\" destination-port=\"21\" service-name=\"junos-ftp\" nat-source-address=\"10.9.1.150\" nat-source-port=\"58020\" nat-destination-address=\"10.12.70.1\" nat-destination-port=\"21\" src-nat-rule-name=\"SNAT-Policy5\" dst-nat-rule-name=\"NAT-Policy10\" protocol-id=\"6\" policy-name=\"FW-FTP\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"24311\" packets-from-client=\"0\" bytes-from-client=\"0\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"1\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.0\" encrypted=\"No \"]", "kind": "event", "start": "2015-09-25T14:19:53.846Z", @@ -1436,7 +1436,7 @@ }, "@timestamp": "2013-01-19T15:18:17.040Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ 
@@ -1453,7 +1453,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-14T14:47:11.679901636Z", + "ingested": "2022-01-01T22:04:46.827631267Z", "original": "\u003c14\u003e1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CREATE [junos@67.43.156.15 source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"67.43.156.14\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"67.43.156.14\" nat-source-port=\"14406\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"]", "kind": "event", "action": "flow_started", @@ -1559,7 +1559,7 @@ }, "@timestamp": "2013-01-19T15:18:17.040Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ 
@@ -1579,7 +1579,7 @@ "event": { "duration": 0, "severity": 14, - "ingested": "2021-12-14T14:47:11.679902026Z", + "ingested": "2022-01-01T22:04:46.827632207Z", "original": "\u003c14\u003e1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@67.43.156.15 source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"67.43.156.14\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"67.43.156.14\" nat-source-port=\"14406\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"1\" bytes-from-client=\"48\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"0\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"]", "kind": "event", "start": "2013-01-19T15:18:17.040Z", @@ -1689,7 +1689,7 @@ }, "@timestamp": "2013-01-19T15:18:17.040Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ 
@@ -1709,7 +1709,7 @@ "event": { "duration": 1000000000, "severity": 14, - "ingested": "2021-12-14T14:47:11.679902414Z", + "ingested": "2022-01-01T22:04:46.827633171Z", "original": "\u003c14\u003e1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@67.43.156.15 reason=\"application failure or action\" source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"67.43.156.14\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"FTP\" nested-application=\"UNKNOWN\" nat-source-address=\"67.43.156.14\" nat-source-port=\"14406\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"3\" bytes-from-client=\"144\" packets-from-server=\"2\" bytes-from-server=\"104\" elapsed-time=\"1\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"]", "kind": "event", "start": "2013-01-19T15:18:17.040Z", @@ -1827,7 +1827,7 @@ }, "@timestamp": "2013-01-19T15:18:18.040Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -1850,7 +1850,7 @@ "event": { "duration": 60000000000, "severity": 14, - "ingested": "2021-12-14T14:47:11.679902819Z", + "ingested": "2022-01-01T22:04:46.827634080Z", "original": "\u003c14\u003e1 2013-01-19T15:18:18.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@67.43.156.15 source-address=\"67.43.156.14\" source-port=\"33040\" destination-address=\"67.43.156.15\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"67.43.156.14\" nat-source-port=\"33040\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" packets-from-client=\"371\" bytes-from-client=\"19592\" packets-from-server=\"584\" bytes-from-server=\"686432\" elapsed-time=\"60\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=”st0.0” apbr-rule-type=”default”]", "kind": "event", "start": "2013-01-19T15:18:18.040Z", @@ -1963,7 +1963,7 @@ }, "@timestamp": "2013-01-19T15:18:19.040Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -1983,7 +1983,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-14T14:47:11.679903398Z", + "ingested": "2022-01-01T22:04:46.827635052Z", "original": "\u003c14\u003e1 2013-01-19T15:18:19.040 SRX100HM RT_FLOW - APPTRACK_SESSION_ROUTE_UPDATE [junos@67.43.156.15 source-address=\"67.43.156.14\" source-port=\"33040\" destination-address=\"67.43.156.15\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"67.43.156.14\" nat-source-port=\"33040\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" profile-name=”pf1” rule-name=”facebook1” routing-instance=”instance1” destination-interface-name=”st0.0” apbr-rule-type=”default”]", "kind": "event", "action": "flow_started", @@ -2098,7 +2098,7 @@ }, "@timestamp": "2013-01-19T15:18:20.040Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -2121,7 +2121,7 @@ "event": { "duration": 3000000000, "severity": 14, - "ingested": "2021-12-14T14:47:11.679903813Z", + "ingested": "2022-01-01T22:04:46.827635946Z", "original": "\u003c14\u003e1 2013-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@67.43.156.15 reason=\"TCP CLIENT RST\" source-address=\"67.43.156.14\" source-port=\"48873\" destination-address=\"67.43.156.15\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"67.43.156.14\" nat-source-port=\"48873\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=”st0.0” apbr-rule-type=”default”]", "kind": "event", "start": "2013-01-19T15:18:20.040Z", @@ -2223,7 +2223,7 @@ }, "@timestamp": "2020-11-04T16:23:09.264Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ 
@@ -2239,7 +2239,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-14T14:47:11.679904206Z", + "ingested": "2022-01-01T22:04:46.827636823Z", "original": "\u003c14\u003e1 2020-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE_LS [junos@67.43.156.15 source-address=\"67.43.156.14\" source-port=\"24065\" destination-address=\"67.43.156.14\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"67.43.156.14\" nat-source-port=\"24065\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"]", "kind": "event", "action": "flow_started", @@ -2307,7 +2307,7 @@ }, "@timestamp": "2020-11-14T10:12:46.573Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ @@ -2321,7 +2321,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-14T14:47:11.679904617Z", + "ingested": "2022-01-01T22:04:46.827638841Z", "original": "\u003c14\u003e1 2020-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY_LS [junos@67.43.156.15 source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]", "risk_score": 1.0, "kind": "event", 
@@ -2436,7 +2436,7 @@ }, "@timestamp": "2020-01-19T15:18:20.040Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -2459,7 +2459,7 @@ "event": { "duration": 3000000000, "severity": 14, - "ingested": "2021-12-14T14:47:11.679905009Z", + "ingested": "2022-01-01T22:04:46.827639823Z", "original": "\u003c14\u003e1 2020-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE_LS [junos@67.43.156.15 reason=\"TCP CLIENT RST\" source-address=\"67.43.156.14\" source-port=\"48873\" destination-address=\"67.43.156.15\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"67.43.156.14\" nat-source-port=\"48873\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=”st0.0” apbr-rule-type=”default”]", "kind": "event", "start": "2020-01-19T15:18:20.040Z", @@ -2559,7 +2559,7 @@ }, "@timestamp": "2020-07-14T14:17:11.928Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ 
@@ -2580,7 +2580,7 @@ "event": { "duration": 60000000000, "severity": 14, - "ingested": "2021-12-14T14:47:11.679905465Z", + "ingested": "2022-01-01T22:04:46.827640811Z", "original": "\u003c14\u003e1 2020-07-14T14:17:11.928Z SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@67.43.156.15 source-address=\"10.1.1.100\" source-port=\"58943\" destination-address=\"67.43.156.14\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"6018\" nat-destination-address=\"67.43.156.14\" nat-destination-port=\"80\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"16118\" packets-from-client=\"42\" bytes-from-client=\"2322\" packets-from-server=\"34\" bytes-from-server=\"2132\" elapsed-time=\"60\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" destination-interface-name=\"ge-0/0/0.0\" category=\"N/A\" sub-category=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]", "kind": "event", "start": "2020-07-14T14:17:11.928Z", @@ -2689,7 +2689,7 @@ }, "@timestamp": "2020-07-13T16:43:05.041Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ 
@@ -2710,7 +2710,7 @@ "event": { "duration": 23755000000000, "severity": 14, - "ingested": "2021-12-14T14:47:11.679905852Z", + "ingested": "2022-01-01T22:04:46.827641762Z", "original": "\u003c14\u003e1 2020-07-13T16:43:05.041Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@67.43.156.15 reason=\"idle Timeout\" source-address=\"10.1.1.100\" source-port=\"64720\" destination-address=\"67.43.156.15\" destination-port=\"8883\" connection-tag=\"0\" service-name=\"None\" nat-source-address=\"172.19.34.100\" nat-source-port=\"24519\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"8883\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"3851\" packets-from-client=\"161\" bytes-from-client=\"9530\" packets-from-server=\"96\" bytes-from-server=\"9670\" elapsed-time=\"23755\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" secure-web-proxy-session-type=\"NA\" peer-session-id=\"0\" peer-source-address=\"0.0.0.0\" peer-source-port=\"0\" peer-destination-address=\"0.0.0.0\" peer-destination-port=\"0\" hostname=\"NA NA\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]", "risk_score": 1.0, "kind": "event", @@ -2805,7 +2805,7 @@ }, "@timestamp": "2020-07-13T16:12:05.530Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ 
@@ -2823,7 +2823,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-14T14:47:11.679906338Z", + "ingested": "2022-01-01T22:04:46.827642792Z", "original": "\u003c14\u003e1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address=\"10.1.1.100\" source-port=\"49583\" destination-address=\"67.43.156.15\" destination-port=\"53\" connection-tag=\"0\" service-name=\"junos-dns-udp\" nat-source-address=\"172.19.34.100\" nat-source-port=\"30838\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"53\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15399\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]", "risk_score": 1.0, "kind": "event", @@ -2926,7 +2926,7 @@ }, "@timestamp": "2020-07-13T16:12:05.530Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ 
@@ -2947,7 +2947,7 @@ "event": { "duration": 3000000000, "severity": 14, - "ingested": "2021-12-14T14:47:11.679906745Z", + "ingested": "2022-01-01T22:04:46.827643699Z", "original": "\u003c14\u003e1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@67.43.156.15 reason=\"Closed by junos-alg\" source-address=\"10.1.1.100\" source-port=\"63381\" destination-address=\"67.43.156.15\" destination-port=\"53\" service-name=\"junos-dns-udp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"26764\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"53\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15361\" packets-from-client=\"1\" bytes-from-client=\"66\" packets-from-server=\"1\" bytes-from-server=\"82\" elapsed-time=\"3\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" profile-name=\"N/A\" rule-name=\"N/A\" routing-instance=\"default\" destination-interface-name=\"ge-0/0/0.0\" uplink-incoming-interface-name=\"N/A\" uplink-tx-bytes=\"0\" uplink-rx-bytes=\"0\" category=\"N/A\" sub-category=\"N/A\" apbr-policy-name=\"N/A\" multipath-rule-name=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]", "kind": "event", "start": "2020-07-13T16:12:05.530Z", diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json index 85624c466b3..277b9818a13 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json @@ -86,7 +86,7 @@ }, "@timestamp": "2020-03-02T23:13:03.193Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -111,7 +111,7 @@ "event": { "duration": 0, "severity": 165, - "ingested": "2021-12-14T14:47:24.701235269Z", + "ingested": "2022-01-01T22:05:20.564091298Z", "original": "\u003c165\u003e1 2020-03-02T23:13:03.193Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@67.43.156.15 epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"67.43.156.14\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"HTTP:MISC:GENERIC-DIR-TRAVERSAL\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"]", "kind": "alert", "start": "2020-03-02T23:13:03.193Z", @@ -215,7 +215,7 @@ }, "@timestamp": "2020-03-02T23:13:03.197Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -240,7 +240,7 @@ "event": { "duration": 0, "severity": 165, - "ingested": "2021-12-14T14:47:24.701238566Z", + "ingested": "2022-01-01T22:05:20.564093901Z", "original": "\u003c165\u003e1 2020-03-02T23:13:03.197Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@67.43.156.15 epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"67.43.156.14\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"CRITICAL\" attack-name=\"TCP:C2S:AMBIG:C2S-SYN-DATA\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"]", "kind": "alert", "start": "2020-03-02T23:13:03.197Z", @@ -339,7 +339,7 @@ }, "@timestamp": "2007-02-15T09:17:15.719Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ 
@@ -360,7 +360,7 @@ "event": { "duration": 0, "severity": 165, - "ingested": "2021-12-14T14:47:24.701239044Z", + "ingested": "2022-01-01T22:05:20.564095022Z", "original": "\u003c165\u003e1 2007-02-15T09:17:15.719Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@67.43.156.15 epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"67.43.156.14\" source-port=\"45610\" destination-address=\"67.43.156.14\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.19.13.11\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"]", "kind": "alert", "start": "2007-02-15T09:17:15.719Z", @@ -459,7 +459,7 @@ }, "@timestamp": "2017-10-12T21:55:55.792Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ 
@@ -480,7 +480,7 @@ "event": { "duration": 0, "severity": 165, - "ingested": "2021-12-14T14:47:24.701239455Z", + "ingested": "2022-01-01T22:05:20.564095938Z", "original": "\u003c165\u003e1 2017-10-13T08:55:55.792+11:00 idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@67.43.156.15 epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"67.43.156.14\" source-port=\"45610\" destination-address=\"67.43.156.14\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.16.1.10\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"]", "kind": "alert", "start": "2017-10-12T21:55:55.792Z", @@ -546,7 +546,7 @@ }, "@timestamp": "2011-10-23T02:06:26.544Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ 
@@ -555,7 +555,7 @@ }, "event": { "severity": 165, - "ingested": "2021-12-14T14:47:24.701239828Z", + "ingested": "2022-01-01T22:05:20.564096800Z", "original": "\u003c165\u003e1 2011-10-23T02:06:26.544 SRX34001 RT_IDP - IDP_APPDDOS_APP_STATE_EVENT [junos@67.43.156.15 epoch-time=\"1319367986\" ddos-application-name=\"Webserver\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" rulebase-name=\"DDOS\" policy-name=\"A DoS-Webserver\" repeat-count=\"0\" message=\"Connection rate exceeded limit 60\" context-value=\"N/A\"]", "kind": "alert", "action": "application_ddos", @@ -637,7 +637,7 @@ }, "@timestamp": "2011-10-23T16:28:31.696Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ @@ -651,7 +651,7 @@ }, "event": { "severity": 165, - "ingested": "2021-12-14T14:47:24.701240203Z", + "ingested": "2022-01-01T22:05:20.564097673Z", "original": "\u003c165\u003e1 2011-10-23T16:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT [junos@67.43.156.15 epoch-time=\"1319419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth1.O\" source-address=\"192.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"]", "kind": "alert", "action": "application_ddos", @@ -733,7 +733,7 @@ }, "@timestamp": "2012-10-23T17:28:31.696Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ 
@@ -747,7 +747,7 @@ }, "event": { "severity": 165, - "ingested": "2021-12-14T14:47:24.701240566Z", + "ingested": "2022-01-01T22:05:20.564098541Z", "original": "\u003c165\u003e1 2012-10-23T17:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT_LS [junos@67.43.156.15 epoch-time=\"1419419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth3.0\" source-address=\"192.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.1\" destination-address=\"172.30.20.201\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS02\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"]", "kind": "alert", "action": "application_ddos", diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json index 6c8e5a531ed..a5dd92402da 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json @@ -65,7 +65,7 @@ }, "@timestamp": "2018-07-19T23:17:02.309Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ 
@@ -79,7 +79,7 @@ }, "event": { "severity": 11, - "ingested": "2021-12-14T14:47:28.277269090Z", + "ingested": "2022-01-01T22:05:30.106552643Z", "original": "\u003c11\u003e1 2018-07-19T18:17:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name=\"TCP sweep!\" source-address=\"67.43.156.13\" source-port=\"6000\" destination-address=\"67.43.156.14\" destination-port=\"1433\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"]", "kind": "alert", "action": "sweep_detected", @@ -154,7 +154,7 @@ }, "@timestamp": "2018-07-19T23:18:02.309Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ @@ -167,7 +167,7 @@ }, "event": { "severity": 11, - "ingested": "2021-12-14T14:47:28.277272744Z", + "ingested": "2022-01-01T22:05:30.106555185Z", "original": "\u003c11\u003e1 2018-07-19T18:18:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name=\"WinNuke attack!\" source-address=\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\" source-port=\"3240\" destination-address=\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\" destination-port=\"139\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"]", "kind": "alert", "action": "attack_detected", @@ -248,7 +248,7 @@ }, "@timestamp": "2018-07-19T23:19:02.309Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ @@ -261,7 +261,7 @@ }, "event": { "severity": 11, - "ingested": "2021-12-14T14:47:28.277273490Z", + "ingested": "2022-01-01T22:05:30.106556219Z", "original": "\u003c11\u003e1 2018-07-19T18:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name=\"SYN flood!\" source-address=\"67.43.156.15\" source-port=\"40001\" destination-address=67.43.156.15\" destination-port=\"50010\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "action": "flood_detected", 
@@ -342,7 +342,7 @@ }, "@timestamp": "2018-07-19T23:22:02.309Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ @@ -355,7 +355,7 @@ }, "event": { "severity": 11, - "ingested": "2021-12-14T14:47:28.277274175Z", + "ingested": "2022-01-01T22:05:30.106557119Z", "original": "\u003c11\u003e1 2018-07-19T18:22:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_UDP [junos@67.43.156.15 attack-name=\"UDP flood!\" source-address=\"67.43.156.15\" source-port=\"40001\" destination-address=\"67.43.156.15\" destination-port=\"53\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "action": "flood_detected", @@ -433,7 +433,7 @@ }, "@timestamp": "2018-07-19T23:25:02.309Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ @@ -445,7 +445,7 @@ }, "event": { "severity": 11, - "ingested": "2021-12-14T14:47:28.277274871Z", + "ingested": "2022-01-01T22:05:30.106558009Z", "original": "\u003c11\u003e1 2018-07-19T18:25:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_ICMP [junos@67.43.156.15 attack-name=\"ICMP fragment!\" source-address=\"67.43.156.15\" destination-address=\"67.43.156.15\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "action": "fragment_detected", @@ -526,7 +526,7 @@ }, "@timestamp": "2018-07-19T23:26:02.309Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ @@ -538,7 +538,7 @@ }, "event": { "severity": 11, - "ingested": "2021-12-14T14:47:28.277275626Z", + "ingested": "2022-01-01T22:05:30.106558867Z", "original": "\u003c11\u003e1 2018-07-19T18:26:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@67.43.156.15 attack-name=\"Record Route IP option!\" source-address=\"67.43.156.15\" destination-address=\"67.43.156.15\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "category": [ 
@@ -612,7 +612,7 @@ }, "@timestamp": "2018-07-19T23:27:02.309Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ @@ -624,7 +624,7 @@ }, "event": { "severity": 11, - "ingested": "2021-12-14T14:47:28.277276220Z", + "ingested": "2022-01-01T22:05:30.106559726Z", "original": "\u003c11\u003e1 2018-07-19T18:27:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@67.43.156.15 attack-name=\"Tunnel GRE 6in6!\" source-address=\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\" destination-address=\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "action": "tunneling_screen", @@ -705,7 +705,7 @@ }, "@timestamp": "2018-07-19T23:28:02.309Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ @@ -718,7 +718,7 @@ }, "event": { "severity": 11, - "ingested": "2021-12-14T14:47:28.277276939Z", + "ingested": "2022-01-01T22:05:30.106560575Z", "original": "\u003c11\u003e1 2018-07-19T18:28:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@67.43.156.15 attack-name=\"Tunnel GRE 4in4!\" source-address=\"67.43.156.13\" destination-address=\"67.43.156.15\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "action": "tunneling_screen", @@ -752,7 +752,7 @@ }, "@timestamp": "2018-07-20T00:19:02.309Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ @@ -787,7 +787,7 @@ }, "event": { "severity": 11, - "ingested": "2021-12-14T14:47:28.277277582Z", + "ingested": "2022-01-01T22:05:30.106561439Z", "original": "\u003c11\u003e1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_DST_IP [junos@67.43.156.15 attack-name=\"SYN flood!\" destination-address=67.43.156.15\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"]", "kind": "alert", "action": "flood_detected", 
@@ -821,7 +821,7 @@ }, "@timestamp": "2018-07-20T00:19:02.309Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ @@ -859,7 +859,7 @@ }, "event": { "severity": 11, - "ingested": "2021-12-14T14:47:28.277278242Z", + "ingested": "2022-01-01T22:05:30.106562313Z", "original": "\u003c11\u003e1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_SRC_IP [junos@67.43.156.15 attack-name=\"SYN flood!\" source-address=\"67.43.156.15\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"]", "kind": "alert", "action": "flood_detected", @@ -919,7 +919,7 @@ }, "@timestamp": "2020-07-17T07:54:43.912Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ @@ -933,7 +933,7 @@ }, "event": { "severity": 11, - "ingested": "2021-12-14T14:47:28.277278908Z", + "ingested": "2022-01-01T22:05:30.106563167Z", "original": "\u003c11\u003e1 2020-07-17T09:54:43.912+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name=\"TCP port scan!\" source-address=\"10.1.1.100\" source-port=\"50630\" destination-address=\"10.1.1.1\" destination-port=\"10778\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "action": "scan_detected", @@ -990,7 +990,7 @@ }, "@timestamp": "2020-07-17T08:01:43.006Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ @@ -1004,7 +1004,7 @@ }, "event": { "severity": 11, - "ingested": "2021-12-14T14:47:28.277279898Z", + "ingested": "2022-01-01T22:05:30.106564174Z", "original": "\u003c11\u003e1 2020-07-17T10:01:43.006+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name=\"FIN but no ACK bit!\" source-address=\"10.1.1.100\" source-port=\"42799\" destination-address=\"10.1.1.1\" destination-port=\"7\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "action": "illegal_tcp_flag_detected", 
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json index f5233973993..8c6c6385ce7 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json @@ -63,7 +63,7 @@ }, "@timestamp": "2016-10-17T15:18:11.618Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ @@ -77,7 +77,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-14T14:47:32.388824965Z", + "ingested": "2022-01-01T22:05:41.570913432Z", "original": "\u003c14\u003e1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@67.43.156.15 category=\"secintel\" sub-category=\"Blacklist\" action=\"BLOCK\" action-detail=\"DROP\" http-host=\"N/A\" threat-severity=\"0\" source-address=\"67.43.156.15\" source-port=\"1\" destination-address=\"10.10.0.10\" destination-port=\"24039\" protocol-id=\"1\" application=\"N/A\" nested-application=\"N/A\" feed-name=\"Tor_Exit_Nodes\" policy-name=\"cc_policy\" profile-name=\"Blacklist\" username=\"N/A\" roles=\"N/A\" session-id-32=\"572564\" source-zone-name=\"Outside\" destination-zone-name=\"DMZ\"]", "kind": "alert", "action": "malware_detected", @@ -161,7 +161,7 @@ }, "@timestamp": "2016-10-17T15:18:11.618Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -178,7 +178,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-14T14:47:32.388827014Z", + "ingested": "2022-01-01T22:05:41.570916051Z", "original": "\u003c14\u003e1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@67.43.156.15 category=\"secintel\" sub-category=\"CC\" action=\"BLOCK\" action-detail=\"CLOSE REDIRECT MSG\" http-host=\"dummy_host\" threat-severity=\"10\" source-address=\"67.43.156.15\" source-port=\"36612\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" feed-name=\"cc_url_data\" policy-name=\"test\" profile-name=\"test-profile\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502362\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" occur-count=\"0\"]", "kind": "alert", "action": "malware_detected", diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json index d83fd6e871a..bef32a90b81 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json @@ -55,7 +55,7 @@ }, "@timestamp": "2016-02-18T01:32:50.391Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -75,7 +75,7 @@ }, "event": { "severity": 12, - "ingested": "2021-12-14T14:47:33.324279966Z", + "ingested": "2022-01-01T22:05:43.547325455Z", "original": "\u003c12\u003e1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@67.43.156.15 source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"67.43.156.13\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"]", "kind": "alert", "action": "web_filter", 
@@ -145,7 +145,7 @@ }, "@timestamp": "2016-02-18T01:32:50.391Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -165,7 +165,7 @@ }, "event": { "severity": 12, - "ingested": "2021-12-14T14:47:33.324282137Z", + "ingested": "2022-01-01T22:05:43.547328868Z", "original": "\u003c12\u003e1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_PERMITTED [junos@67.43.156.15 source-address=\"10.10.10.50\" source-port=\"1402\" destination-address=\"67.43.156.13\" destination-port=\"80\" category=\"N/A\" reason=\"BY_OTHER\" profile=\"wf-profile\" url=\"www.checkpoint.com\" obj=\"/css/homepage2012.css\" username=\"user02\" roles=\"N/A\"]", "kind": "event", "category": [ @@ -234,7 +234,7 @@ "name": "www.eicar.org/download/eicar.com" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -251,7 +251,7 @@ }, "event": { "severity": 12, - "ingested": "2021-12-14T14:47:33.324282547Z", + "ingested": "2022-01-01T22:05:43.547330144Z", "original": "\u003c12\u003e1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT [junos@67.43.156.15 source-address=\"67.43.156.13\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"]", "kind": "alert", "action": "virus_detected", @@ -317,7 +317,7 @@ "name": "www.google.com/" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ 
@@ -331,7 +331,7 @@ }, "event": { "severity": 12, - "ingested": "2021-12-14T14:47:33.324282893Z", + "ingested": "2022-01-01T22:05:43.547331247Z", "original": "\u003c12\u003e1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_SCANNER_DROP_FILE_MT [junos@67.43.156.15 source-address=\"67.43.156.14\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"33578\" filename=\"www.google.com/\" error-code=\"14\" error-message=\"scan engine is not ready\"]", "kind": "event", "category": [ @@ -380,7 +380,7 @@ "name": "10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ @@ -394,7 +394,7 @@ }, "event": { "severity": 12, - "ingested": "2021-12-14T14:47:33.324283231Z", + "ingested": "2022-01-01T22:05:43.547332310Z", "original": "\u003c12\u003e1 2010-01-29T10:59:59.660Z SRX650-1 RT_UTM - AV_HUGE_FILE_DROPPED_MT [junos@67.43.156.15 source-address=\"10.2.1.101\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"51727\" filename=\"10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz\"]", "kind": "event", "category": [ @@ -422,7 +422,7 @@ }, "@timestamp": "2016-02-18T01:33:50.391Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -455,7 +455,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-14T14:47:33.324283585Z", + "ingested": "2022-01-01T22:05:43.547333345Z", "original": "\u003c14\u003e1 2016-02-18T01:33:50.391Z utm-srx550-b RT_UTM - ANTISPAM_SPAM_DETECTED_MT [junos@67.43.156.15 source-zone=\"trust\" destination-zone=\"untrust\" source-name=\"N/A\" source-address=\"10.10.10.1\" profile-name=\"antispam01\" action=\"drop\" reason=\"Match local blacklist\" username=\"user01\" roles=\"N/A\"]", "kind": "alert", "action": "antispam_filter", @@ -525,7 +525,7 @@ "name": "test.cmd" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ 
@@ -542,7 +542,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-14T14:47:33.324283945Z", + "ingested": "2022-01-01T22:05:43.547334399Z", "original": "\u003c14\u003e1 2016-02-18T01:34:50.391Z utm-srx550-b RT_UTM - CONTENT_FILTERING_BLOCKED_MT [junos@67.43.156.15 source-zone=\"untrust\" destination-zone=\"trust\" protocol=\"http\" source-address=\"192.168.2.3\" source-port=\"58071\" destination-address=\"192.168.100.2\" destination-port=\"80\" profile-name=\"content02\" action=\"drop\" reason=\"blocked due to file extension block list\" username=\"user01@testuser.com\" roles=\"N/A\" filename=\"test.cmd\"]", "kind": "alert", "action": "content_filter", @@ -613,7 +613,7 @@ }, "@timestamp": "2016-02-19T01:32:50.391Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "user": [ @@ -633,7 +633,7 @@ }, "event": { "severity": 12, - "ingested": "2021-12-14T14:47:33.324284279Z", + "ingested": "2022-01-01T22:05:43.547335445Z", "original": "\u003c12\u003e1 2016-02-19T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED_LS [junos@67.43.156.15 source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"67.43.156.13\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"]", "kind": "alert", "action": "web_filter", @@ -705,7 +705,7 @@ "name": "www.eicar.org/download/eicar.com" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -722,7 +722,7 @@ }, "event": { "severity": 12, - "ingested": "2021-12-14T14:47:33.324284629Z", + "ingested": "2022-01-01T22:05:43.547336505Z", "original": "\u003c12\u003e1 2011-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT_LS [junos@67.43.156.15 source-address=\"67.43.156.13\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"]", "kind": "alert", "action": "virus_detected", @@ -797,7 +797,7 @@ }, "@timestamp": "2020-07-14T14:16:18.345Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ @@ -814,7 +814,7 @@ }, "event": { "severity": 14, - "ingested": "2021-12-14T14:47:33.324285024Z", + "ingested": "2022-01-01T22:05:43.547337561Z", "original": "\u003c14\u003e1 2020-07-14T14:16:18.345Z SRX650-1 RT_UTM - WEBFILTER_URL_PERMITTED [junos@67.43.156.15 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"58974\" destination-address=\"67.43.156.14\" destination-port=\"443\" session-id=\"16297\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Information_Technology\" reason=\"BY_SITE_REPUTATION_MODERATELY_SAFE\" profile=\"WCF1\" url=\"datawrapper.dwcdn.net\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"0\"]", "risk_score": 0.0, "kind": "event", @@ -887,7 +887,7 @@ }, "@timestamp": "2020-07-14T14:16:29.541Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "hosts": [ 
@@ -904,7 +904,7 @@ }, "event": { "severity": 12, - "ingested": "2021-12-14T14:47:33.324285416Z", + "ingested": "2022-01-01T22:05:43.547338604Z", "original": "\u003c12\u003e1 2020-07-14T14:16:29.541Z SRX650-1 RT_UTM - WEBFILTER_URL_BLOCKED [junos@67.43.156.15 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"59075\" destination-address=\"67.43.156.13\" destination-port=\"443\" session-id=\"16490\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Advertisements\" reason=\"BY_SITE_REPUTATION_SUSPICIOUS\" profile=\"WCF1\" url=\"dsp.adfarm1.adition.com\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"3\"]", "risk_score": 3.0, "kind": "alert", @@ -979,7 +979,7 @@ "name": "download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "related": { "ip": [ @@ -993,7 +993,7 @@ }, "event": { "severity": 12, - "ingested": "2021-12-14T14:47:33.324285896Z", + "ingested": "2022-01-01T22:05:43.547339739Z", "original": "\u003c12\u003e1 2020-07-14T14:17:04.733Z SRX650-1 RT_UTM - AV_FILE_NOT_SCANNED_DROPPED_MT [junos@67.43.156.15 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"67.43.156.13\" source-port=\"80\" destination-address=\"10.1.1.100\" destination-port=\"58954\" profile-name=\"Custom-Sophos-Profile\" filename=\"download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar\" action=\"BLOCKED\" reason=\"exceeding maximum content size\" error-code=\"7\" username=\"N/A\" roles=\"N/A\"]", "kind": "event", "category": [ diff --git a/packages/juniper/data_stream/srx/elasticsearch/ingest_pipeline/default.yml b/packages/juniper/data_stream/srx/elasticsearch/ingest_pipeline/default.yml index 391555a9141..891dd4c68f5 100644 --- a/packages/juniper/data_stream/srx/elasticsearch/ingest_pipeline/default.yml 
+++ b/packages/juniper/data_stream/srx/elasticsearch/ingest_pipeline/default.yml @@ -8,7 +8,7 @@ processors: value: '{{_ingest.timestamp}}' - set: field: ecs.version - value: '1.12.0' + value: '8.0.0' - rename: field: message target_field: event.original @@ -16,11 +16,11 @@ processors: - grok: field: event.original patterns: - - '^<%{POSINT:syslog_pri}>(\d{1,3}\s)?(?:%{TIMESTAMP_ISO8601:_temp_.raw_date})\s%{SYSLOGHOST:syslog_hostname}\s%{PROG:syslog_program}\s(?:%{POSINT:syslog_pid}|-)?\s%{WORD:log_type}\s\[.+?\s%{GREEDYDATA:log.original}\]$' + - '^<%{POSINT:syslog_pri}>(\d{1,3}\s)?(?:%{TIMESTAMP_ISO8601:_temp_.raw_date})\s%{SYSLOGHOST:syslog_hostname}\s%{PROG:syslog_program}\s(?:%{POSINT:syslog_pid}|-)?\s%{WORD:log_type}\s\[.+?\s%{GREEDYDATA:_temp_.original}\]$' # split Juniper-SRX fields - kv: - field: log.original + field: _temp_.original field_split: " (?=[a-z0-9\\_\\-]+=)" value_split: "=" prefix: "juniper.srx." @@ -97,9 +97,6 @@ processors: type: long target_field: event.severity ignore_failure: true - - remove: - field: log.original - ignore_missing: true ##################### ## ECS Log Mapping ## diff --git a/packages/juniper/data_stream/srx/fields/ecs.yml b/packages/juniper/data_stream/srx/fields/ecs.yml index 0cce6bbbbd6..5cd7f3eeb7d 100644 --- a/packages/juniper/data_stream/srx/fields/ecs.yml +++ b/packages/juniper/data_stream/srx/fields/ecs.yml @@ -516,26 +516,6 @@ name: host.type - external: ecs name: host.uptime -- external: ecs - name: host.user.domain -- external: ecs - name: host.user.email -- external: ecs - name: host.user.full_name -- external: ecs - name: host.user.group.domain -- external: ecs - name: host.user.group.id -- external: ecs - name: host.user.group.name -- external: ecs - name: host.user.hash -- external: ecs - name: host.user.id -- external: ecs - name: host.user.name -- external: ecs - name: host.user.roles - external: ecs name: http.request.body.bytes - external: ecs 
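Review bot: The `@@ -97,9 +97,6 @@` hunk drops the explicit `remove` of the parsed payload, and after the `@@ -16,11 +16,11 @@` rename that payload now lands in `_temp_.original`, which no visible processor deletes; whether the raw `[junos@… k=v …]` text is stripped before indexing therefore depends on a `_temp_` cleanup at the tail of the pipeline that is outside this diff. The expected fixtures in this PR contain no `_temp_` keys, which suggests such a cleanup exists, but it is worth confirming rather than assuming, since otherwise the payload would be indexed twice (under `event.original` and `_temp_.original`). If no tail cleanup exists, re-add `- remove:` / `field: _temp_` / `ignore_missing: true` at the end of the processor list. A one-line comment above the kv step, `# _temp_.original is scratch; dropped with the rest of _temp_ at the end of the pipeline`, would make the reliance explicit for the next maintainer.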
@@ -570,14 +550,6 @@ name: log.level - external: ecs name: log.logger -- external: ecs - name: log.origin.file.line -- external: ecs - name: log.origin.file.name -- external: ecs - name: log.origin.function -- external: ecs - name: log.original - external: ecs name: log.syslog - external: ecs @@ -838,8 +810,6 @@ name: process.parent.pgid - external: ecs name: process.parent.pid -- external: ecs - name: process.parent.ppid - external: ecs name: process.parent.start - external: ecs @@ -871,7 +841,7 @@ - external: ecs name: process.pid - external: ecs - name: process.ppid + name: process.parent.pid - external: ecs name: process.start - external: ecs diff --git a/packages/juniper/data_stream/srx/sample_event.json b/packages/juniper/data_stream/srx/sample_event.json index ae69f863280..c4a4a8fe26d 100644 --- a/packages/juniper/data_stream/srx/sample_event.json +++ b/packages/juniper/data_stream/srx/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2016-02-18T01:32:50.391Z", "agent": { - "ephemeral_id": "2876d482-8245-456b-833a-6aff7be73223", - "id": "ea40d449-2727-40b0-90ad-be273a35f475", + "ephemeral_id": "f4aafd62-4f5e-42c5-aaff-1dca636d5272", + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0" + "version": "8.0.0-beta1" }, "client": { "ip": "192.168.1.100", @@ -17,16 +17,28 @@ "type": "logs" }, "destination": { - "ip": "103.235.46.39", + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.13", "port": 80 }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "elastic_agent": { - "id": "ea40d449-2727-40b0-90ad-be273a35f475", - "snapshot": true, - "version": "8.0.0" + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "snapshot": false, + "version": "8.0.0-beta1" }, "event": { "action": "web_filter", 
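Review bot: The `@@ -871,7 +841,7 @@` hunk renames the `process.ppid` entry to `process.parent.pid`, but the `@@ -838,8 +810,6 @@` hunk just above keeps an unchanged `- external: ecs` / `name: process.parent.pid` entry as context, so as far as the collapsed hunks show, fields/ecs.yml now declares `process.parent.pid` twice. Since `process.ppid` is gone in ECS 8.0 and its replacement is already listed, the cleaner change is to delete the two-line `process.ppid` entry outright, the same way `process.parent.ppid` is handled in the earlier hunk. It is worth checking whether elastic-package's field validation rejects the duplicate declaration; even if it is tolerated, it is redundant and will confuse future ECS bumps.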
@@ -36,7 +48,7 @@ "malware" ], "dataset": "juniper.srx", - "ingested": "2021-12-06T12:33:40Z", + "ingested": "2022-01-01T22:18:04Z", "kind": "alert", "outcome": "success", "severity": 12, @@ -48,7 +60,7 @@ ] }, "input": { - "type": "log" + "type": "udp" }, "juniper": { "srx": { @@ -60,11 +72,10 @@ } }, "log": { - "file": { - "path": "/tmp/service_logs/juniper-srx.log" - }, "level": "warning", - "offset": 0 + "source": { + "address": "172.18.0.7:37846" + } }, "observer": { "name": "utm-srx550-b", @@ -78,14 +89,14 @@ ], "ip": [ "192.168.1.100", - "103.235.46.39" + "67.43.156.13" ], "user": [ "user01" ] }, "server": { - "ip": "103.235.46.39", + "ip": "67.43.156.13", "port": 80 }, "source": { diff --git a/packages/juniper/docs/README.md b/packages/juniper/docs/README.md index 1bb6ed66496..0fd01b060f3 100644 --- a/packages/juniper/docs/README.md +++ b/packages/juniper/docs/README.md @@ -60,7 +60,7 @@ The following processes and tags are supported: | client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | client.as.organization.name | Organization name. | keyword | | client.bytes | Bytes sent from the client to the server. | long | -| client.domain | Client domain. | keyword | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | | client.geo.city_name | City name. | keyword | | client.geo.continent_name | Name of the continent. | keyword | | client.geo.country_iso_code | Country ISO code. | keyword | 
@@ -94,7 +94,7 @@ The following processes and tags are supported: | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | cloud.region | Region in which this host is running. | keyword | @@ -116,7 +116,7 @@ The following processes and tags are supported: | destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | destination.as.organization.name | Organization name. | keyword | | destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | Destination domain. | keyword | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | | destination.geo.city_name | City name. | keyword | | destination.geo.continent_name | Name of the continent. | keyword | | destination.geo.country_iso_code | Country ISO code. | keyword | 
@@ -300,7 +300,7 @@ The following processes and tags are supported: | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | 
@@ -312,20 +312,10 @@ The following processes and tags are supported: | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | host.uptime | Seconds the host has been up. | long | -| host.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| host.user.email | User email address. | keyword | -| host.user.full_name | User's full name, if available. | keyword | -| host.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| host.user.group.id | Unique identifier for the group on the system/platform. | keyword | -| host.user.group.name | Name of the group. | keyword | -| host.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | -| host.user.id | Unique identifier of the user. | keyword | -| host.user.name | Short name or login of the user. | keyword | -| host.user.roles | Array of user roles at the time of the event. | keyword | | http.request.body.bytes | Size in bytes of the request body. | long | | http.request.body.content | The full HTTP request body. | wildcard | | http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword | +| http.request.method | HTTP request method. 
The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | | http.request.referrer | Referrer for this HTTP request. | keyword | | http.response.body.bytes | Size in bytes of the response body. | long | | http.response.body.content | The full HTTP response body. | wildcard | 
@@ -437,10 +427,6 @@ The following processes and tags are supported: | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | | log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | | log.offset | Byte offset of the log line within its file. | long | -| log.origin.file.line | The line number of the file containing the source code which originated the log event. | integer | -| log.origin.file.name | The name of the file containing the source code which originated the log event. Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. | keyword | -| log.origin.function | The name of the function or method which originated the log event. | keyword | -| log.original | Deprecated for removal in next major version release. This field is superseded by `event.original`. This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. | keyword | | log.source.address | Source address of the syslog message. | keyword | | log.syslog | The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. 
| object | | log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | 
@@ -449,7 +435,7 @@ The following processes and tags are supported: | log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | | log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | | network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | | network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | | network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | 
@@ -460,9 +446,9 @@ The following processes and tags are supported: | network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword | | network.name | Name given by operators to sections of their network. | keyword | | network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | | network.vlan.id | VLAN ID as reported by the observer. | keyword | | network.vlan.name | Optional VLAN name as reported by the observer. | keyword | | observer.egress | Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. 
Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. | object | @@ -571,7 +557,6 @@ The following processes and tags are supported: | process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword | | process.parent.pgid | Identifier of the group of processes the process belongs to. | long | | process.parent.pid | Process id. | long | -| process.parent.ppid | Parent process' pid. | long | | process.parent.start | The time the process started. | date | | process.parent.thread.id | Thread ID. | long | | process.parent.thread.name | Thread name. | keyword | @@ -587,7 +572,6 @@ The following processes and tags are supported: | process.pe.product | Internal product name of the file, provided at compile-time. | keyword | | process.pgid | Identifier of the group of processes the process belongs to. | long | | process.pid | Process id. | long | -| process.ppid | Parent process' pid. | long | | process.start | The time the process started. | date | | process.thread.id | Thread ID. | long | | process.thread.name | Thread name. | keyword | @@ -619,7 +603,7 @@ The following processes and tags are supported: | server.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | server.as.organization.name | Organization name. | keyword | | server.bytes | Bytes sent from the server to the client. | long | -| server.domain | Server domain. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | | server.geo.city_name | City name. | keyword | | server.geo.continent_name | Name of the continent. | keyword | | server.geo.country_iso_code | Country ISO code. | keyword | 
@@ -657,7 +641,7 @@ The following processes and tags are supported: | source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | source.as.organization.name | Organization name. | keyword | | source.bytes | Bytes sent from the source to the destination. | long | -| source.domain | Source domain. | keyword | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | | source.geo.city_name | City name. | keyword | | source.geo.continent_name | Name of the continent. | keyword | | source.geo.country_iso_code | Country ISO code. | keyword | @@ -867,7 +851,7 @@ The `junos` dataset collects Juniper JUNOS logs. | client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | client.as.organization.name | Organization name. | keyword | | client.bytes | Bytes sent from the client to the server. | long | -| client.domain | Client domain. | keyword | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | | client.geo.city_name | City name. | keyword | | client.geo.continent_name | Name of the continent. | keyword | | client.geo.country_iso_code | Country ISO code. | keyword | 
@@ -901,7 +885,7 @@ The `junos` dataset collects Juniper JUNOS logs. | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | cloud.region | Region in which this host is running. | keyword | @@ -923,7 +907,7 @@ The `junos` dataset collects Juniper JUNOS logs. | destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | destination.as.organization.name | Organization name. | keyword | | destination.bytes | Bytes sent from the destination to the source. | long | -| destination.domain | Destination domain. | keyword | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | | destination.geo.city_name | City name. | keyword | | destination.geo.continent_name | Name of the continent. | keyword | | destination.geo.country_iso_code | Country ISO code. | keyword | 
@@ -1107,7 +1091,7 @@ The `junos` dataset collects Juniper JUNOS logs. | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | 
@@ -1119,20 +1103,10 @@ The `junos` dataset collects Juniper JUNOS logs. | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | host.uptime | Seconds the host has been up. | long | -| host.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| host.user.email | User email address. | keyword | -| host.user.full_name | User's full name, if available. | keyword | -| host.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | -| host.user.group.id | Unique identifier for the group on the system/platform. | keyword | -| host.user.group.name | Name of the group. | keyword | -| host.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | -| host.user.id | Unique identifier of the user. | keyword | -| host.user.name | Short name or login of the user. | keyword | -| host.user.roles | Array of user roles at the time of the event. | keyword | | http.request.body.bytes | Size in bytes of the request body. | long | | http.request.body.content | The full HTTP request body. | wildcard | | http.request.bytes | Total size in bytes of the request (body and headers). | long | -| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword | +| http.request.method | HTTP request method. 
The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | | http.request.referrer | Referrer for this HTTP request. | keyword | | http.response.body.bytes | Size in bytes of the response body. | long | | http.response.body.content | The full HTTP response body. | wildcard | 
@@ -1244,10 +1218,6 @@ The `junos` dataset collects Juniper JUNOS logs. | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | | log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | | log.offset | Byte offset of the log line within its file. | long | -| log.origin.file.line | The line number of the file containing the source code which originated the log event. | integer | -| log.origin.file.name | The name of the file containing the source code which originated the log event. Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. | keyword | -| log.origin.function | The name of the function or method which originated the log event. | keyword | -| log.original | Deprecated for removal in next major version release. This field is superseded by `event.original`. This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. | keyword | | log.source.address | Source address of the syslog message. | keyword | | log.syslog | The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. 
| object | | log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | 
@@ -1256,7 +1226,7 @@ The `junos` dataset collects Juniper JUNOS logs. | log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | | log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | -| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | | network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | | network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | | network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | 
@@ -1267,9 +1237,9 @@ The `junos` dataset collects Juniper JUNOS logs. | network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword | | network.name | Name given by operators to sections of their network. | keyword | | network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | -| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | -| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | -| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | | network.vlan.id | VLAN ID as reported by the observer. | keyword | | network.vlan.name | Optional VLAN name as reported by the observer. | keyword | | observer.egress | Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. 
Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. | object | @@ -1378,7 +1348,6 @@ The `junos` dataset collects Juniper JUNOS logs. | process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword | | process.parent.pgid | Identifier of the group of processes the process belongs to. | long | | process.parent.pid | Process id. | long | -| process.parent.ppid | Parent process' pid. | long | | process.parent.start | The time the process started. | date | | process.parent.thread.id | Thread ID. | long | | process.parent.thread.name | Thread name. | keyword | @@ -1394,7 +1363,6 @@ The `junos` dataset collects Juniper JUNOS logs. | process.pe.product | Internal product name of the file, provided at compile-time. | keyword | | process.pgid | Identifier of the group of processes the process belongs to. | long | | process.pid | Process id. | long | -| process.ppid | Parent process' pid. | long | | process.start | The time the process started. | date | | process.thread.id | Thread ID. | long | | process.thread.name | Thread name. | keyword | @@ -1426,7 +1394,7 @@ The `junos` dataset collects Juniper JUNOS logs. | server.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | server.as.organization.name | Organization name. | keyword | | server.bytes | Bytes sent from the server to the client. | long | -| server.domain | Server domain. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | | server.geo.city_name | City name. | keyword | | server.geo.continent_name | Name of the continent. | keyword | | server.geo.country_iso_code | Country ISO code. | keyword | 
@@ -1464,7 +1432,7 @@ The `junos` dataset collects Juniper JUNOS logs.
 | source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
 | source.as.organization.name | Organization name. | keyword |
 | source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | Source domain. | keyword |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | source.geo.city_name | City name. | keyword |
 | source.geo.continent_name | Name of the continent. | keyword |
 | source.geo.country_iso_code | Country ISO code. | keyword |
@@ -1662,7 +1630,7 @@ The `netscreen` dataset collects Netscreen logs.
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| client.domain | Client domain. | keyword |
+| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
 | client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
 | client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
@@ -1686,7 +1654,7 @@ The `netscreen` dataset collects Netscreen logs.
 | destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
 | destination.as.organization.name | Organization name. | keyword |
 | destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | Destination domain. | keyword |
+| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | destination.geo.city_name | City name. | keyword |
 | destination.geo.country_name | Country name. | keyword |
 | destination.geo.location | Longitude and latitude. | geo_point |
@@ -1744,26 +1712,25 @@ The `netscreen` dataset collects Netscreen logs.
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword |
+| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
 | http.request.referrer | Referrer for this HTTP request. | keyword |
 | input.type | Type of Filebeat input. | keyword |
 | log.file.path | Full path to the log file this event came from. | keyword |
 | log.flags | Flags for the log file. | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.offset | Offset of the entry in the log file. | long |
-| log.original | Deprecated for removal in next major version release. This field is superseded by `event.original`. This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. | keyword |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
 | log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
 | log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
 | log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
 | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
 | network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
 | network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
 | network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
 | network.interface.name | | keyword |
 | network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
 | observer.egress.interface.name | Interface name as reported by the system. | keyword |
 | observer.ingress.interface.name | Interface name as reported by the system. | keyword |
 | observer.product | The product name of the observer. | keyword |
@@ -1772,9 +1739,9 @@ The `netscreen` dataset collects Netscreen logs.
 | observer.version | Observer version. | keyword |
 | process.name | Process name. Sometimes called program name or similar. | keyword |
 | process.parent.name | Process name. Sometimes called program name or similar. | keyword |
+| process.parent.pid | Process id. | long |
 | process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
 | process.pid | Process id. | long |
-| process.ppid | Parent process' pid. | long |
 | process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
 | related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
 | related.ip | All of the IPs seen on your event. | ip |
@@ -2452,7 +2419,7 @@ The `netscreen` dataset collects Netscreen logs.
 | rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword |
 | rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword |
 | rule.name | The name of the rule or signature generating the event. | keyword |
-| server.domain | Server domain. | keyword |
+| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
 | server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
 | server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
@@ -2461,7 +2428,7 @@ The `netscreen` dataset collects Netscreen logs.
 | source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
 | source.as.organization.name | Organization name. | keyword |
 | source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | Source domain. | keyword |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | source.geo.city_name | City name. | keyword |
 | source.geo.country_name | Country name. | keyword |
 | source.geo.location | Longitude and latitude. | geo_point |
diff --git a/packages/juniper/manifest.yml b/packages/juniper/manifest.yml
index 4bc71c38892..36d24f6b91e 100644
--- a/packages/juniper/manifest.yml
+++ b/packages/juniper/manifest.yml
@@ -1,14 +1,14 @@
 format_version: 1.0.0
 name: juniper
 title: Juniper Logs
-version: 1.0.7
+version: 1.1.0
 description: Deprecated. Use a specific Juniper package instead.
 categories: ["network", "security"]
 release: ga
 license: basic
 type: integration
 conditions:
-  kibana.version: "^8.0.0"
+  kibana.version: ^8.0.0
 policy_templates:
   - name: juniper
     title: Juniper logs
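Review bot: The new `kibana.version: ^8.0.0` drops the quotes the replaced line had, which is unrelated to the ECS bump and slightly weakens the file: `^` is not a YAML indicator so this exact value still parses as a string, but constraint values are routinely edited into forms that do not (`>=8.0.0` opens a block scalar, `8.0` becomes a float), so keep `  kibana.version: "^8.0.0"` and leave only the version line changed. Separately, the README hunks earlier in this diff show `process.ppid` removed from both the junos and netscreen field lists, with netscreen now documenting `process.parent.pid` in its place; if the ingest pipelines were changed to match (not visible here), saved searches and detection rules keyed on `process.ppid` will stop matching without any error. That is a field removal visible to consumers, so the release should call it out as breaking rather than ship it under a routine minor bump to `1.1.0`.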