diff --git a/packages/cisco/_dev/build/build.yml b/packages/cisco/_dev/build/build.yml
index 08d85edcf9a..809e76063e9 100644
--- a/packages/cisco/_dev/build/build.yml
+++ b/packages/cisco/_dev/build/build.yml
@@ -1,3 +1,3 @@
 dependencies:
   ecs:
-    reference: git@1.12
+    reference: git@8.0
diff --git a/packages/cisco/changelog.yml b/packages/cisco/changelog.yml
index 7209b89c291..ab1e00de301 100644
--- a/packages/cisco/changelog.yml
+++ b/packages/cisco/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.13.0"
+  changes:
+    - description: Update to ECS 8.0.0
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2577
 - version: "0.12.5"
   changes:
     - description: Regenerate test files using the new GeoIP database
diff --git a/packages/cisco/data_stream/asa/fields/ecs.yml b/packages/cisco/data_stream/asa/fields/ecs.yml
index eaa049445fa..26c8e662c42 100644
--- a/packages/cisco/data_stream/asa/fields/ecs.yml
+++ b/packages/cisco/data_stream/asa/fields/ecs.yml
@@ -1,5 +1,5 @@
 - external: ecs
-  name: "@timestamp"
+  name: '@timestamp'
 - external: ecs
   name: client.user.name
 - external: ecs
diff --git a/packages/cisco/data_stream/ftd/fields/ecs.yml b/packages/cisco/data_stream/ftd/fields/ecs.yml
index 6914e98ef9d..1e4950c9bfe 100644
--- a/packages/cisco/data_stream/ftd/fields/ecs.yml
+++ b/packages/cisco/data_stream/ftd/fields/ecs.yml
@@ -1,5 +1,5 @@
 - external: ecs
-  name: "@timestamp"
+  name: '@timestamp'
 - external: ecs
   name: client.user.name
 - external: ecs
diff --git a/packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log-expected.json b/packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log-expected.json
index 09b45c7b326..771cad5d353 100644
--- a/packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log-expected.json
+++ b/packages/cisco/data_stream/meraki/_dev/test/pipeline/test-generated.log-expected.json
@@ -1,1201 +1,1201 @@ { "expected": [ { - "message": "modtempo 1454047799.olab nto_ security_event olaborissecurity_event tur url=https://example.org/odoco/ria.jpg?ritin=uredolor#tatemac src=10.15.44.253:5078 dst=10.193.124.51:5293 mac=01:00:5e:28:ae:7d name=psa sha256=umq disposition=ntium action=deny", - "event": { - "ingested": "2021-12-14T14:38:02.304888658Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, + "event": { + "ingested": "2022-01-25T12:04:26.694140861Z" + }, + "message": "modtempo 1454047799.olab nto_ security_event olaborissecurity_event tur url=https://example.org/odoco/ria.jpg?ritin=uredolor#tatemac src=10.15.44.253:5078 dst=10.193.124.51:5293 mac=01:00:5e:28:ae:7d name=psa sha256=umq disposition=ntium action=deny", "tags": [ "preserve_original_event" ] }, { - "message": "umdo 1455282753.itessequ vol_ events dhcp lease of ip 10.102.218.31 from server mac 01:00:5e:9c:c2:9c for client mac 01:00:5e:0f:87:e3 from router 10.15.16.212 on subnet ameaqu with dns aqu", - "event": { - "ingested": "2021-12-14T14:38:02.304891257Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694143803Z" }, + "message": "umdo 1455282753.itessequ vol_ events dhcp lease of ip 10.102.218.31 from server mac 01:00:5e:9c:c2:9c for client mac 01:00:5e:0f:87:e3 from router 10.15.16.212 on subnet ameaqu with dns aqu", "tags": [ "preserve_original_event" ] }, { - "message": "uipexea 1456517708.tatio minim_ flows ceroinBC flows src=10.179.60.216 dst=10.69.53.104 protocol=udp pattern: 0 reprehe", - "event": { - "ingested": "2021-12-14T14:38:02.304891737Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694144871Z" }, + "message": "uipexea 1456517708.tatio minim_ flows ceroinBC flows src=10.179.60.216 dst=10.69.53.104 protocol=udp pattern: 0 reprehe", "tags": [ "preserve_original_event" ] }, { - "message": "mipsu 1457752662.consec taliquip_ flows radip 
flows block src=10.155.236.240 dst=10.112.46.169 mac=01:00:5e:7a:74:89 protocol=ipv6 type=roidents ", - "event": { - "ingested": "2021-12-14T14:38:02.304892205Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694145780Z" }, + "message": "mipsu 1457752662.consec taliquip_ flows radip flows block src=10.155.236.240 dst=10.112.46.169 mac=01:00:5e:7a:74:89 protocol=ipv6 type=roidents ", "tags": [ "preserve_original_event" ] }, { - "message": "obeataev 1458987616.lor uidexea_appliance events MAC 01:00:5e:e1:89:ac and MAC 01:00:5e:a3:d9:ac both claim IP: 10.14.107.140", - "event": { - "ingested": "2021-12-14T14:38:02.304892580Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, + "event": { + "ingested": "2022-01-25T12:04:26.694146746Z" + }, + "message": "obeataev 1458987616.lor uidexea_appliance events MAC 01:00:5e:e1:89:ac and MAC 01:00:5e:a3:d9:ac both claim IP: 10.14.107.140", "tags": [ "preserve_original_event" ] }, { - "message": "iutal 1460222571.dexe urerep events content_filtering_block url='https://api.example.org/liqu/lorem.gif?ueipsaqu=uidolore#niamqu' category0='ari' server='10.108.180.105:5098' client_mac='01:00:5e:40:9b:83'", - "event": { - "ingested": "2021-12-14T14:38:02.304892970Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, + "event": { + "ingested": "2022-01-25T12:04:26.694147626Z" + }, + "message": "iutal 1460222571.dexe urerep events content_filtering_block url='https://api.example.org/liqu/lorem.gif?ueipsaqu=uidolore#niamqu' category0='ari' server='10.108.180.105:5098' client_mac='01:00:5e:40:9b:83'", "tags": [ "preserve_original_event" ] }, { - "message": "ipit 1461457525.idexea riat_appliance events MAC 01:00:5e:25:4f:e4 and MAC 01:00:5e:3f:49:e4 both claim IP: 10.149.88.198", - "event": { - "ingested": "2021-12-14T14:38:02.304893364Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, + "event": { + "ingested": "2022-01-25T12:04:26.694148527Z" + }, 
+ "message": "ipit 1461457525.idexea riat_appliance events MAC 01:00:5e:25:4f:e4 and MAC 01:00:5e:3f:49:e4 both claim IP: 10.149.88.198", "tags": [ "preserve_original_event" ] }, { - "message": "ntsuntin 1462692479.aecatcup animi events dhcp release for mac 01:00:5e:e3:10:34", - "event": { - "ingested": "2021-12-14T14:38:02.304893748Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694149398Z" }, + "message": "ntsuntin 1462692479.aecatcup animi events dhcp release for mac 01:00:5e:e3:10:34", "tags": [ "preserve_original_event" ] }, { - "message": "orsitame 1463927433.quiratio ite events MAC 01:00:5e:48:62:22 and MAC 01:00:5e:9f:b6:a6 both claim IP: 10.243.206.225", - "event": { - "ingested": "2021-12-14T14:38:02.304894278Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694150265Z" }, + "message": "orsitame 1463927433.quiratio ite events MAC 01:00:5e:48:62:22 and MAC 01:00:5e:9f:b6:a6 both claim IP: 10.243.206.225", "tags": [ "preserve_original_event" ] }, { - "message": "olupta turveli.toccae tatno_ ids-alerts taliqu ids-alerts signature=temUten priority=ccusan timestamp=1465162388.iqudirection=outbound protocol=icmp src=10.131.82.116:7307", - "event": { - "ingested": "2021-12-14T14:38:02.304894735Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694151123Z" }, + "message": "olupta turveli.toccae tatno_ ids-alerts taliqu ids-alerts signature=temUten priority=ccusan timestamp=1465162388.iqudirection=outbound protocol=icmp src=10.131.82.116:7307", "tags": [ "preserve_original_event" ] }, { - "message": "uaera 1466397342.sitas ehenderi_ security_event atquovosecurity_event iumto url=https://www5.example.net/sun/essecill.html?saute=vel#quu src=10.210.213.18:7616 dst=10.134.0.141:2703 mac=01:00:5e:aa:42:fa name=idolores sha256=llumquid disposition=tation action=accept", - "event": { 
- "ingested": "2021-12-14T14:38:02.304895120Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, + "event": { + "ingested": "2022-01-25T12:04:26.694151983Z" + }, + "message": "uaera 1466397342.sitas ehenderi_ security_event atquovosecurity_event iumto url=https://www5.example.net/sun/essecill.html?saute=vel#quu src=10.210.213.18:7616 dst=10.134.0.141:2703 mac=01:00:5e:aa:42:fa name=idolores sha256=llumquid disposition=tation action=accept", "tags": [ "preserve_original_event" ] }, { - "message": "omn ipsumq.atcu oremagna_ security_event remipsum security_event liq signature=ist priority=tnon timestamp=1467632296.ionul shost=01:00:5e:c8:9c:2f direction=outbound protocol=udp src=10.163.72.17 dst=10.74.237.180 message:nsequu", - "event": { - "ingested": "2021-12-14T14:38:02.304895734Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, + "event": { + "ingested": "2022-01-25T12:04:26.694153068Z" + }, + "message": "omn ipsumq.atcu oremagna_ security_event remipsum security_event liq signature=ist priority=tnon timestamp=1467632296.ionul shost=01:00:5e:c8:9c:2f direction=outbound protocol=udp src=10.163.72.17 dst=10.74.237.180 message:nsequu", "tags": [ "preserve_original_event" ] }, { - "message": "omm 1468867250.idestla Nemoeni_appliance events MAC 01:00:5e:c4:69:7f and MAC 01:00:5e:e2:67:d2 both claim IP: 10.72.31.26", - "event": { - "ingested": "2021-12-14T14:38:02.304896208Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694154004Z" }, + "message": "omm 1468867250.idestla Nemoeni_appliance events MAC 01:00:5e:c4:69:7f and MAC 01:00:5e:e2:67:d2 both claim IP: 10.72.31.26", "tags": [ "preserve_original_event" ] }, { - "message": "agna tionemu.eomnisis mqui ids-alerts signature=civeli priority=errorsi timestamp=1470102205.desdirection=internal protocol=tcp src=10.70.95.74:4290", - "event": { - "ingested": "2021-12-14T14:38:02.304896613Z" - }, "ecs": { - "version": "1.12.0" + "version": 
"8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694154871Z" }, + "message": "agna tionemu.eomnisis mqui ids-alerts signature=civeli priority=errorsi timestamp=1470102205.desdirection=internal protocol=tcp src=10.70.95.74:4290", "tags": [ "preserve_original_event" ] }, { - "message": "olupt 1471337159.dit sumquiad events MAC 01:00:5e:ea:e8:7a and MAC 01:00:5e:9c:d2:4a both claim IP: 10.17.21.125", - "event": { - "ingested": "2021-12-14T14:38:02.304897059Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, + "event": { + "ingested": "2022-01-25T12:04:26.694155726Z" + }, + "message": "olupt 1471337159.dit sumquiad events MAC 01:00:5e:ea:e8:7a and MAC 01:00:5e:9c:d2:4a both claim IP: 10.17.21.125", "tags": [ "preserve_original_event" ] }, { - "message": "amqu 1472572113.uines nsec events dhcp lease of ip 10.85.10.165 from server mac 01:00:5e:63:93:48 for client mac 01:00:5e:46:17:35 from router 10.53.150.119 on subnet uiineavo with dns tisetq", - "event": { - "ingested": "2021-12-14T14:38:02.304897462Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, + "event": { + "ingested": "2022-01-25T12:04:26.694156667Z" + }, + "message": "amqu 1472572113.uines nsec events dhcp lease of ip 10.85.10.165 from server mac 01:00:5e:63:93:48 for client mac 01:00:5e:46:17:35 from router 10.53.150.119 on subnet uiineavo with dns tisetq", "tags": [ "preserve_original_event" ] }, { - "message": "giatquov eritquii.dexeac iscinge ids-alerts signature=atvol priority=umiur timestamp=1473807067.imadprotocol=igmp src=10.88.231.224 dst=10.187.77.245message: iadese", - "event": { - "ingested": "2021-12-14T14:38:02.304897998Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694157685Z" }, + "message": "giatquov eritquii.dexeac iscinge ids-alerts signature=atvol priority=umiur timestamp=1473807067.imadprotocol=igmp src=10.88.231.224 dst=10.187.77.245message: iadese", "tags": [ "preserve_original_event" ] 
}, { - "message": "agnaali 1475042022.gnam tat events content_filtering_block url='https://internal.example.com/quae/maccusa.htm?rQuisau=idex#xerci' category0='aqu' server='10.186.58.115:7238' client_mac='01:00:5e:8f:16:6d'", - "event": { - "ingested": "2021-12-14T14:38:02.304898400Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694158582Z" }, + "message": "agnaali 1475042022.gnam tat events content_filtering_block url='https://internal.example.com/quae/maccusa.htm?rQuisau=idex#xerci' category0='aqu' server='10.186.58.115:7238' client_mac='01:00:5e:8f:16:6d'", "tags": [ "preserve_original_event" ] }, { - "message": "apariat 1476276976.tlabore untmolli_ events dhcp lease of ip 10.219.84.37 from server mac 01:00:5e:e8:bf:69 for client mac 01:00:5e:87:e1:a0 from router 10.205.47.51 on subnet uovolup with dns samvolu", - "event": { - "ingested": "2021-12-14T14:38:02.304898808Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694159429Z" }, + "message": "apariat 1476276976.tlabore untmolli_ events dhcp lease of ip 10.219.84.37 from server mac 01:00:5e:e8:bf:69 for client mac 01:00:5e:87:e1:a0 from router 10.205.47.51 on subnet uovolup with dns samvolu", "tags": [ "preserve_original_event" ] }, { - "message": "ento 1477511930.pic evita events MAC 01:00:5e:ce:61:db and MAC 01:00:5e:ec:f8:cc both claim IP: 10.3.134.237", - "event": { - "ingested": "2021-12-14T14:38:02.304899200Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, + "event": { + "ingested": "2022-01-25T12:04:26.694160282Z" + }, + "message": "ento 1477511930.pic evita events MAC 01:00:5e:ce:61:db and MAC 01:00:5e:ec:f8:cc both claim IP: 10.3.134.237", "tags": [ "preserve_original_event" ] }, { - "message": "tmo 1478746884.fficiade uscipit events aid=vitaedi arp_resp=fugitse arp_src=veniamq auth_neg_dur=one auth_neg_failed=etMalor channel=ipi dns_req_rtt=reseos 
dns_resp=pariatu dns_server=tin duration=48.123000 full_conn=oquisqu identity=sperna ip_resp=eabilloi ip_src=10.182.178.217 is_8021x=tlab is_wpa=volupt last_auth_ago=osqui radio=xerc reason=iutali rssi=fdeFi type=texp vap=tasuntex client_mac=01:00:5e:e3:b1:24 client_ip=10.194.114.58 instigator=ectio http_resp=dutper dhcp_lease_completed=lamcolab dhcp_ip=ati dhcp_server=tlabo dhcp_server_mac=uames dhcp_resp=iduntu url=https://internal.example.net/ris/uamqu.txt?liqui=quioffi#uptate category0=ncidid server=10.63.194.87 vpn_type=quisno connectivity=sin", - "event": { - "ingested": "2021-12-14T14:38:02.304899594Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694161135Z" }, + "message": "tmo 1478746884.fficiade uscipit events aid=vitaedi arp_resp=fugitse arp_src=veniamq auth_neg_dur=one auth_neg_failed=etMalor channel=ipi dns_req_rtt=reseos dns_resp=pariatu dns_server=tin duration=48.123000 full_conn=oquisqu identity=sperna ip_resp=eabilloi ip_src=10.182.178.217 is_8021x=tlab is_wpa=volupt last_auth_ago=osqui radio=xerc reason=iutali rssi=fdeFi type=texp vap=tasuntex client_mac=01:00:5e:e3:b1:24 client_ip=10.194.114.58 instigator=ectio http_resp=dutper dhcp_lease_completed=lamcolab dhcp_ip=ati dhcp_server=tlabo dhcp_server_mac=uames dhcp_resp=iduntu url=https://internal.example.net/ris/uamqu.txt?liqui=quioffi#uptate category0=ncidid server=10.63.194.87 vpn_type=quisno connectivity=sin", "tags": [ "preserve_original_event" ] }, { - "message": "emvel 1479981839.tmollita fde events aid=nsecte arp_resp=inculpa arp_src=abo auth_neg_dur=veniamqu auth_neg_failed=nse channel=non dns_req_rtt=paquioff dns_resp=mquisnos dns_server=maven duration=71.798000 full_conn=atcu identity=labor ip_resp=didunt ip_src=10.153.0.77 is_8021x=udan is_wpa=orema last_auth_ago=invento radio=qua reason=aturQui rssi=utlabor type=rau vap=idex client_mac=01:00:5e:9e:7b:a4 client_ip=10.105.88.20 instigator=ecte http_resp=tinvolu 
dhcp_lease_completed=iurer dhcp_ip=iciadese dhcp_server=quidolor dhcp_server_mac=tessec dhcp_resp=olupta url=https://mail.example.com/icabo/itatio.jpg?eleum=sintoc#volupt category0=siste server=10.163.154.210 vpn_type=ept connectivity=iumtotam", - "event": { - "ingested": "2021-12-14T14:38:02.304899981Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694161988Z" }, + "message": "emvel 1479981839.tmollita fde events aid=nsecte arp_resp=inculpa arp_src=abo auth_neg_dur=veniamqu auth_neg_failed=nse channel=non dns_req_rtt=paquioff dns_resp=mquisnos dns_server=maven duration=71.798000 full_conn=atcu identity=labor ip_resp=didunt ip_src=10.153.0.77 is_8021x=udan is_wpa=orema last_auth_ago=invento radio=qua reason=aturQui rssi=utlabor type=rau vap=idex client_mac=01:00:5e:9e:7b:a4 client_ip=10.105.88.20 instigator=ecte http_resp=tinvolu dhcp_lease_completed=iurer dhcp_ip=iciadese dhcp_server=quidolor dhcp_server_mac=tessec dhcp_resp=olupta url=https://mail.example.com/icabo/itatio.jpg?eleum=sintoc#volupt category0=siste server=10.163.154.210 vpn_type=ept connectivity=iumtotam", "tags": [ "preserve_original_event" ] }, { - "message": "ionevo 1481216793.ugiatnu ciati_appliance events MAC 01:00:5e:b8:7a:96 and MAC 01:00:5e:b9:6b:a8 both claim IP: 10.73.69.176", - "event": { - "ingested": "2021-12-14T14:38:02.304900385Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, + "event": { + "ingested": "2022-01-25T12:04:26.694162851Z" + }, + "message": "ionevo 1481216793.ugiatnu ciati_appliance events MAC 01:00:5e:b8:7a:96 and MAC 01:00:5e:b9:6b:a8 both claim IP: 10.73.69.176", "tags": [ "preserve_original_event" ] }, { - "message": "spi 1482451747.stquido ommodico_ flows ese flows allow src=10.145.248.111 dst=10.57.6.252 mac=01:00:5e:94:6a:cf protocol=udp ", - "event": { - "ingested": "2021-12-14T14:38:02.304900901Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, + "event": { + "ingested": 
"2022-01-25T12:04:26.694163856Z" + }, + "message": "spi 1482451747.stquido ommodico_ flows ese flows allow src=10.145.248.111 dst=10.57.6.252 mac=01:00:5e:94:6a:cf protocol=udp ", "tags": [ "preserve_original_event" ] }, { - "message": "smo etcons.iusmodi uamest_ security_event uiac security_event epte signature=idolo priority=quinesc timestamp=1483686701.madmi shost=01:00:5e:1c:4c:64 direction=internal protocol=icmp src=10.31.77.157 dst=10.12.182.70 message:tev", - "event": { - "ingested": "2021-12-14T14:38:02.304901289Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, + "event": { + "ingested": "2022-01-25T12:04:26.694164723Z" + }, + "message": "smo etcons.iusmodi uamest_ security_event uiac security_event epte signature=idolo priority=quinesc timestamp=1483686701.madmi shost=01:00:5e:1c:4c:64 direction=internal protocol=icmp src=10.31.77.157 dst=10.12.182.70 message:tev", "tags": [ "preserve_original_event" ] }, { - "message": "nisiuta 1484921656.roid inibusB flows cancel", - "event": { - "ingested": "2021-12-14T14:38:02.304901677Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694165571Z" }, + "message": "nisiuta 1484921656.roid inibusB flows cancel", "tags": [ "preserve_original_event" ] }, { - "message": "str 1486156610.idolore pid_ flows cteturad flows deny src=10.93.68.231 dst=10.135.217.12 mac=01:00:5e:4a:69:5b protocol=ipv6 type=archite ", - "event": { - "ingested": "2021-12-14T14:38:02.304902066Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694166423Z" }, + "message": "str 1486156610.idolore pid_ flows cteturad flows deny src=10.93.68.231 dst=10.135.217.12 mac=01:00:5e:4a:69:5b protocol=ipv6 type=archite ", "tags": [ "preserve_original_event" ] }, { - "message": "amnih 1487391564.ium esciuntN_ events dhcp release for mac 01:00:5e:8b:99:98", - "event": { - "ingested": "2021-12-14T14:38:02.304902454Z" - }, "ecs": { - 
"version": "1.12.0" + "version": "8.0.0" }, + "event": { + "ingested": "2022-01-25T12:04:26.694167278Z" + }, + "message": "amnih 1487391564.ium esciuntN_ events dhcp release for mac 01:00:5e:8b:99:98", "tags": [ "preserve_original_event" ] }, { - "message": "isnost 1488626519.queips ncidi_ flows iscinge flows src=10.247.30.212 dst=10.66.89.5 mac=01:00:5e:7f:65:da protocol=igmp pattern: 1 borios", - "event": { - "ingested": "2021-12-14T14:38:02.304902840Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694168123Z" }, + "message": "isnost 1488626519.queips ncidi_ flows iscinge flows src=10.247.30.212 dst=10.66.89.5 mac=01:00:5e:7f:65:da protocol=igmp pattern: 1 borios", "tags": [ "preserve_original_event" ] }, { - "message": "oin 1489861473.mvenia madminim events IDS: fugitsed", - "event": { - "ingested": "2021-12-14T14:38:02.304903226Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694168973Z" }, + "message": "oin 1489861473.mvenia madminim events IDS: fugitsed", "tags": [ "preserve_original_event" ] }, { - "message": "dmin fugi.quia iduntu security_event idestlab signature=rnatur priority=ofdeFin timestamp=1491096427.essequam dhost=01:00:5e:c1:53:b1 direction=inbound protocol=tcp src=10.221.102.245 dst=10.173.136.186 message:naal", - "event": { - "ingested": "2021-12-14T14:38:02.304903622Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694169845Z" }, + "message": "dmin fugi.quia iduntu security_event idestlab signature=rnatur priority=ofdeFin timestamp=1491096427.essequam dhost=01:00:5e:c1:53:b1 direction=inbound protocol=tcp src=10.221.102.245 dst=10.173.136.186 message:naal", "tags": [ "preserve_original_event" ] }, { - "message": "umqu tinv.adipisc uscipitl_ ids-alerts ritatise ids-alerts signature=uamei priority=siut timestamp=1492331381.ciad dhost=01:00:5e:1f:c6:29 
direction=external protocol=udp src=10.58.64.108 dst=10.54.37.86 message: entorev", - "event": { - "ingested": "2021-12-14T14:38:02.304904009Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, + "event": { + "ingested": "2022-01-25T12:04:26.694170687Z" + }, + "message": "umqu tinv.adipisc uscipitl_ ids-alerts ritatise ids-alerts signature=uamei priority=siut timestamp=1492331381.ciad dhost=01:00:5e:1f:c6:29 direction=external protocol=udp src=10.58.64.108 dst=10.54.37.86 message: entorev", "tags": [ "preserve_original_event" ] }, { - "message": "velitess 1493566336.naali uunturm_ flows veli flows block src=10.147.76.202 dst=10.163.93.20 mac=01:00:5e:1d:85:ec protocol=ipv6 sport=1085 dport=3141 ", - "event": { - "ingested": "2021-12-14T14:38:02.304904386Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, + "event": { + "ingested": "2022-01-25T12:04:26.694171531Z" + }, + "message": "velitess 1493566336.naali uunturm_ flows veli flows block src=10.147.76.202 dst=10.163.93.20 mac=01:00:5e:1d:85:ec protocol=ipv6 sport=1085 dport=3141 ", "tags": [ "preserve_original_event" ] }, { - "message": "iumdol tpersp.stla uptatema_ security_event uradi security_event tot signature=llamco priority=nea timestamp=1494801290.psum dhost=01:00:5e:35:71:1e direction=internal protocol=icmp src=10.0.200.27:5905 dst=10.183.44.198:1702 message:asiarc", - "event": { - "ingested": "2021-12-14T14:38:02.304904784Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, + "event": { + "ingested": "2022-01-25T12:04:26.694172384Z" + }, + "message": "iumdol tpersp.stla uptatema_ security_event uradi security_event tot signature=llamco priority=nea timestamp=1494801290.psum dhost=01:00:5e:35:71:1e direction=internal protocol=icmp src=10.0.200.27:5905 dst=10.183.44.198:1702 message:asiarc", "tags": [ "preserve_original_event" ] }, { - "message": "tiaec 1496036244.rumwrit icabo_ events dhcp lease of ip 10.148.124.84 from server mac 01:00:5e:0b:2c:22 for client mac 
01:00:5e:06:12:98 from router 10.28.144.180 on subnet ritin with dns temporin", - "event": { - "ingested": "2021-12-14T14:38:02.304905286Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694173389Z" }, + "message": "tiaec 1496036244.rumwrit icabo_ events dhcp lease of ip 10.148.124.84 from server mac 01:00:5e:0b:2c:22 for client mac 01:00:5e:06:12:98 from router 10.28.144.180 on subnet ritin with dns temporin", "tags": [ "preserve_original_event" ] }, { - "message": "ica 1497271198.lillum remips_appliance events aid=uisaute arp_resp=imide arp_src=poriss auth_neg_dur=tvolup auth_neg_failed=itesseq channel=dictasun dns_req_rtt=veniamqu dns_resp=rum dns_server=quaea duration=165.611000 full_conn=mvel identity=nof ip_resp=usmodi ip_src=10.204.230.166 is_8021x=dat is_wpa=aincidu last_auth_ago=nimadmin radio=isiu reason=licabo rssi=enimadmi type=utaliqu vap=dic client_mac=01:00:5e:bb:60:a6 client_ip=10.62.71.118 instigator=ineavol http_resp=iosa dhcp_lease_completed=boNemoe dhcp_ip=onsequ dhcp_server=equinesc dhcp_server_mac=cab dhcp_resp=atisund url=https://example.net/ites/isetq.gif?nisiut=tur#avolupt category0=ariatur server=10.98.194.212 vpn_type=nimave connectivity=isciv", - "event": { - "ingested": "2021-12-14T14:38:02.304905676Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694174259Z" }, + "message": "ica 1497271198.lillum remips_appliance events aid=uisaute arp_resp=imide arp_src=poriss auth_neg_dur=tvolup auth_neg_failed=itesseq channel=dictasun dns_req_rtt=veniamqu dns_resp=rum dns_server=quaea duration=165.611000 full_conn=mvel identity=nof ip_resp=usmodi ip_src=10.204.230.166 is_8021x=dat is_wpa=aincidu last_auth_ago=nimadmin radio=isiu reason=licabo rssi=enimadmi type=utaliqu vap=dic client_mac=01:00:5e:bb:60:a6 client_ip=10.62.71.118 instigator=ineavol http_resp=iosa dhcp_lease_completed=boNemoe dhcp_ip=onsequ dhcp_server=equinesc 
dhcp_server_mac=cab dhcp_resp=atisund url=https://example.net/ites/isetq.gif?nisiut=tur#avolupt category0=ariatur server=10.98.194.212 vpn_type=nimave connectivity=isciv", "tags": [ "preserve_original_event" ] }, { - "message": "dipisci 1498506153.spernatu admi events content_filtering_block url='https://www.example.org/ueipsa/tae.html?eriti=atcupi#corpori' category0='borisnis' server='10.197.13.39:5912'", - "event": { - "ingested": "2021-12-14T14:38:02.304906058Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694175121Z" }, + "message": "dipisci 1498506153.spernatu admi events content_filtering_block url='https://www.example.org/ueipsa/tae.html?eriti=atcupi#corpori' category0='borisnis' server='10.197.13.39:5912'", "tags": [ "preserve_original_event" ] }, { - "message": "itsedd 1499741107.leumiur eratvol events dhcp release for mac 01:00:5e:fd:84:bb", - "event": { - "ingested": "2021-12-14T14:38:02.304906468Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, + "event": { + "ingested": "2022-01-25T12:04:26.694175983Z" + }, + "message": "itsedd 1499741107.leumiur eratvol events dhcp release for mac 01:00:5e:fd:84:bb", "tags": [ "preserve_original_event" ] }, { - "message": "leumiu tla.item nimid ids-alerts signature=dat priority=periam timestamp=1500976061.dquprotocol=icmp src=10.242.77.170 dst=10.150.245.88message: orisn", - "event": { - "ingested": "2021-12-14T14:38:02.304906856Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, + "event": { + "ingested": "2022-01-25T12:04:26.694176848Z" + }, + "message": "leumiu tla.item nimid ids-alerts signature=dat priority=periam timestamp=1500976061.dquprotocol=icmp src=10.242.77.170 dst=10.150.245.88message: orisn", "tags": [ "preserve_original_event" ] }, { - "message": "sitam rad.loi isc_ ids-alerts volupt ids-alerts signature=rem priority=idid timestamp=1502211015.tesse shost=01:00:5e:9d:eb:fb direction=external protocol=tcp 
src=10.247.139.239 dst=10.180.195.43 message: tenatuse", - "event": { - "ingested": "2021-12-14T14:38:02.304907244Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694177712Z" }, + "message": "sitam rad.loi isc_ ids-alerts volupt ids-alerts signature=rem priority=idid timestamp=1502211015.tesse shost=01:00:5e:9d:eb:fb direction=external protocol=tcp src=10.247.139.239 dst=10.180.195.43 message: tenatuse", "tags": [ "preserve_original_event" ] }, { - "message": "tore 1503445970.elits consequa events dhcp release for mac 01:00:5e:50:48:c4", - "event": { - "ingested": "2021-12-14T14:38:02.304907626Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694178573Z" }, + "message": "tore 1503445970.elits consequa events dhcp release for mac 01:00:5e:50:48:c4", "tags": [ "preserve_original_event" ] }, { - "message": "undeom uamnihi.risnis uov_ ids-alerts isn ids-alerts signature=sBono priority=loremqu timestamp=1504680924.teturprotocol=rdp src=10.94.6.140 dst=10.147.15.213message: uptat", - "event": { - "ingested": "2021-12-14T14:38:02.304908022Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, + "event": { + "ingested": "2022-01-25T12:04:26.694179454Z" + }, + "message": "undeom uamnihi.risnis uov_ ids-alerts isn ids-alerts signature=sBono priority=loremqu timestamp=1504680924.teturprotocol=rdp src=10.94.6.140 dst=10.147.15.213message: uptat", "tags": [ "preserve_original_event" ] }, { - "message": "itasper 1505915878.uae mve_ flows obeata flows block src=10.230.6.127 dst=10.111.157.56 mac=01:00:5e:39:a7:fc protocol=icmp type=aliquamq ", - "event": { - "ingested": "2021-12-14T14:38:02.304908479Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, + "event": { + "ingested": "2022-01-25T12:04:26.694180298Z" + }, + "message": "itasper 1505915878.uae mve_ flows obeata flows block src=10.230.6.127 dst=10.111.157.56 mac=01:00:5e:39:a7:fc 
protocol=icmp type=aliquamq ", "tags": [ "preserve_original_event" ] }, { - "message": "archite 1507150832.remq veniamq events aid=occ arp_resp=oloreseo arp_src=iruredol auth_neg_dur=veniamqu auth_neg_failed=licaboN channel=atquo dns_req_rtt=cupi dns_resp=strude dns_server=eritin duration=85.513000 full_conn=litsedq identity=nderiti ip_resp=ntNe ip_src=10.179.40.170 is_8021x=olorema is_wpa=mollita last_auth_ago=tatem radio=iae reason=quido rssi=emip type=inBC vap=mol client_mac=01:00:5e:58:2d:1c client_ip=10.153.81.206 instigator=rsita http_resp=nsequun dhcp_lease_completed=eetd dhcp_ip=illu dhcp_server=iatqu dhcp_server_mac=lorsi dhcp_resp=repreh url=https://www.example.net/irured/illumqui.txt?tionula=ritqu#ecatcupi category0=uamei server=10.193.219.34 vpn_type=onse connectivity=olorem", - "event": { - "ingested": "2021-12-14T14:38:02.304908887Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694181141Z" }, + "message": "archite 1507150832.remq veniamq events aid=occ arp_resp=oloreseo arp_src=iruredol auth_neg_dur=veniamqu auth_neg_failed=licaboN channel=atquo dns_req_rtt=cupi dns_resp=strude dns_server=eritin duration=85.513000 full_conn=litsedq identity=nderiti ip_resp=ntNe ip_src=10.179.40.170 is_8021x=olorema is_wpa=mollita last_auth_ago=tatem radio=iae reason=quido rssi=emip type=inBC vap=mol client_mac=01:00:5e:58:2d:1c client_ip=10.153.81.206 instigator=rsita http_resp=nsequun dhcp_lease_completed=eetd dhcp_ip=illu dhcp_server=iatqu dhcp_server_mac=lorsi dhcp_resp=repreh url=https://www.example.net/irured/illumqui.txt?tionula=ritqu#ecatcupi category0=uamei server=10.193.219.34 vpn_type=onse connectivity=olorem", "tags": [ "preserve_original_event" ] }, { - "message": "umwritte 1508385787.vol oremquel_appliance events MAC 01:00:5e:16:5e:b1 and MAC 01:00:5e:ee:e8:77 both claim IP: 10.255.199.16", - "event": { - "ingested": "2021-12-14T14:38:02.304910929Z" - }, "ecs": { - "version": "1.12.0" + 
"version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694182020Z" }, + "message": "umwritte 1508385787.vol oremquel_appliance events MAC 01:00:5e:16:5e:b1 and MAC 01:00:5e:ee:e8:77 both claim IP: 10.255.199.16", "tags": [ "preserve_original_event" ] }, { - "message": "unte 1509620741.uamnihil llam_appliance events MAC 01:00:5e:ee:1d:77 and MAC 01:00:5e:f1:21:bd both claim IP: 10.94.88.5", - "event": { - "ingested": "2021-12-14T14:38:02.304911441Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694182868Z" }, + "message": "unte 1509620741.uamnihil llam_appliance events MAC 01:00:5e:ee:1d:77 and MAC 01:00:5e:f1:21:bd both claim IP: 10.94.88.5", "tags": [ "preserve_original_event" ] }, { - "message": "esci 1510855695.uov quaeab_ events IDS: moles", - "event": { - "ingested": "2021-12-14T14:38:02.304911850Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, + "event": { + "ingested": "2022-01-25T12:04:26.694183732Z" + }, + "message": "esci 1510855695.uov quaeab_ events IDS: moles", "tags": [ "preserve_original_event" ] }, { - "message": "accusa 1512090649.natu liquid events IDS: enim", - "event": { - "ingested": "2021-12-14T14:38:02.304912241Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, + "event": { + "ingested": "2022-01-25T12:04:26.694184592Z" + }, + "message": "accusa 1512090649.natu liquid events IDS: enim", "tags": [ "preserve_original_event" ] }, { - "message": "dquiaco nibus.vitaed ser security_event etconsec signature=elillum priority=upt timestamp=1513325604.rnat dhost=01:00:5e:01:60:e0 direction=internal protocol=ipv6 src=10.90.99.245 dst=10.124.63.4 message:pta", - "event": { - "ingested": "2021-12-14T14:38:02.304912625Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694185442Z" }, + "message": "dquiaco nibus.vitaed ser security_event etconsec signature=elillum priority=upt 
timestamp=1513325604.rnat dhost=01:00:5e:01:60:e0 direction=internal protocol=ipv6 src=10.90.99.245 dst=10.124.63.4 message:pta", "tags": [ "preserve_original_event" ] }, { - "message": "tetura 1514560558.imadmini moe_appliance events content_filtering_block url='https://mail.example.net/uat/lupta.html?uptassit=ncidi#tlabori' category0='laudan' server='10.249.7.146:2010'", - "event": { - "ingested": "2021-12-14T14:38:02.304913013Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694186287Z" }, + "message": "tetura 1514560558.imadmini moe_appliance events content_filtering_block url='https://mail.example.net/uat/lupta.html?uptassit=ncidi#tlabori' category0='laudan' server='10.249.7.146:2010'", "tags": [ "preserve_original_event" ] }, { - "message": "lapar 1515795512.ritati edquia_appliance events IDS: itesse", - "event": { - "ingested": "2021-12-14T14:38:02.304913531Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, + "event": { + "ingested": "2022-01-25T12:04:26.694187266Z" + }, + "message": "lapar 1515795512.ritati edquia_appliance events IDS: itesse", "tags": [ "preserve_original_event" ] }, { - "message": "amvolu mip.tion tobeatae_ security_event Utenima security_event iqua signature=luptat priority=deriti timestamp=1517030466.sintocc dhost=01:00:5e:c9:b7:22 direction=inbound protocol=icmp src=10.196.96.162 dst=10.81.234.34 message:equuntur", - "event": { - "ingested": "2021-12-14T14:38:02.304913909Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, + "event": { + "ingested": "2022-01-25T12:04:26.694188127Z" + }, + "message": "amvolu mip.tion tobeatae_ security_event Utenima security_event iqua signature=luptat priority=deriti timestamp=1517030466.sintocc dhost=01:00:5e:c9:b7:22 direction=inbound protocol=icmp src=10.196.96.162 dst=10.81.234.34 message:equuntur", "tags": [ "preserve_original_event" ] }, { - "message": "uide 1518265421.scivel henderi_appliance events IDS: 
iusmodt", - "event": { - "ingested": "2021-12-14T14:38:02.304914287Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694189005Z" }, + "message": "uide 1518265421.scivel henderi_appliance events IDS: iusmodt", "tags": [ "preserve_original_event" ] }, { - "message": "tiumd 1519500375.ntmoll mexer events dhcp lease of ip 10.40.101.224 from server mac 01:00:5e:0a:df:72 for client mac 01:00:5e:7c:01:ab with hostname remips188.api.invalid from router 10.78.199.43 on subnet ehender with dns ilmole", - "event": { - "ingested": "2021-12-14T14:38:02.304914662Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694189861Z" }, + "message": "tiumd 1519500375.ntmoll mexer events dhcp lease of ip 10.40.101.224 from server mac 01:00:5e:0a:df:72 for client mac 01:00:5e:7c:01:ab with hostname remips188.api.invalid from router 10.78.199.43 on subnet ehender with dns ilmole", "tags": [ "preserve_original_event" ] }, { - "message": "runtmo 1520735329.ore isund_appliance events MAC 01:00:5e:17:87:3e and MAC 01:00:5e:5f:c1:3e both claim IP: 10.244.29.119", - "event": { - "ingested": "2021-12-14T14:38:02.304915045Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694190703Z" }, + "message": "runtmo 1520735329.ore isund_appliance events MAC 01:00:5e:17:87:3e and MAC 01:00:5e:5f:c1:3e both claim IP: 10.244.29.119", "tags": [ "preserve_original_event" ] }, { - "message": "tutlabor 1521970284.reseosq gna_ flows pteurs flows deny src=10.83.131.245 dst=10.39.172.93 mac=01:00:5e:c4:12:c7 protocol=udp type=uido ", - "event": { - "ingested": "2021-12-14T14:38:02.304915427Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, + "event": { + "ingested": "2022-01-25T12:04:26.694191627Z" + }, + "message": "tutlabor 1521970284.reseosq gna_ flows pteurs flows deny src=10.83.131.245 dst=10.39.172.93 
mac=01:00:5e:c4:12:c7 protocol=udp type=uido ", "tags": [ "preserve_original_event" ] }, { - "message": "osquira 1523205238.umd sciveli_ events dhcp lease of ip 10.86.188.179 from server mac 01:00:5e:48:4b:78 for client mac 01:00:5e:7e:cd:15 from router 10.201.168.116 on subnet umiure with dns laborum", - "event": { - "ingested": "2021-12-14T14:38:02.304915812Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694192466Z" }, + "message": "osquira 1523205238.umd sciveli_ events dhcp lease of ip 10.86.188.179 from server mac 01:00:5e:48:4b:78 for client mac 01:00:5e:7e:cd:15 from router 10.201.168.116 on subnet umiure with dns laborum", "tags": [ "preserve_original_event" ] }, - { - "message": "umdolors 1524440192.lumdo acom_ security_event umexercisecurity_event duntut url=https://mail.example.com/prehend/eufug.htm?eufug=est#civelits src=10.148.211.222:2053 dst=10.122.204.151:3903 mac=01:00:5e:c3:a0:dc name=ine sha256=urerepre disposition=asnulap action=deny", - "event": { - "ingested": "2021-12-14T14:38:02.304916197Z" - }, + { "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694193314Z" }, + "message": "umdolors 1524440192.lumdo acom_ security_event umexercisecurity_event duntut url=https://mail.example.com/prehend/eufug.htm?eufug=est#civelits src=10.148.211.222:2053 dst=10.122.204.151:3903 mac=01:00:5e:c3:a0:dc name=ine sha256=urerepre disposition=asnulap action=deny", "tags": [ "preserve_original_event" ] }, { - "message": "atnul 1525675146.umfugi stquidol_ flows luptatem flows accept", - "event": { - "ingested": "2021-12-14T14:38:02.304916603Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694194328Z" }, + "message": "atnul 1525675146.umfugi stquidol_ flows luptatem flows accept", "tags": [ "preserve_original_event" ] }, { - "message": "essequam ueporro.aliqu upt ids-alerts 
signature=orum priority=Bonoru timestamp=1526910101.madminimprotocol=ipv6-icmp src=10.97.46.16 dst=10.120.4.9message: teni", - "event": { - "ingested": "2021-12-14T14:38:02.304916996Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694195391Z" }, + "message": "essequam ueporro.aliqu upt ids-alerts signature=orum priority=Bonoru timestamp=1526910101.madminimprotocol=ipv6-icmp src=10.97.46.16 dst=10.120.4.9message: teni", "tags": [ "preserve_original_event" ] }, { - "message": "lorsitam tanimid.onpr litseddo_ ids-alerts oremqu ids-alerts signature=idex priority=radip timestamp=1528145055.uptaprotocol=ipv6-icmp src=10.171.206.139 dst=10.165.173.162message: lestia", - "event": { - "ingested": "2021-12-14T14:38:02.304917383Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694196244Z" }, + "message": "lorsitam tanimid.onpr litseddo_ ids-alerts oremqu ids-alerts signature=idex priority=radip timestamp=1528145055.uptaprotocol=ipv6-icmp src=10.171.206.139 dst=10.165.173.162message: lestia", "tags": [ "preserve_original_event" ] }, { - "message": "inibusB 1529380009.nostrud cteturad events dhcp lease of ip 10.150.163.151 from server mac 01:00:5e:72:b7:79 for client mac 01:00:5e:f2:d3:12 with hostname uames4985.mail.localdomain from router 10.144.57.239 on subnet oinBCSed with dns orem", - "event": { - "ingested": "2021-12-14T14:38:02.304917767Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694197106Z" }, + "message": "inibusB 1529380009.nostrud cteturad events dhcp lease of ip 10.150.163.151 from server mac 01:00:5e:72:b7:79 for client mac 01:00:5e:f2:d3:12 with hostname uames4985.mail.localdomain from router 10.144.57.239 on subnet oinBCSed with dns orem", "tags": [ "preserve_original_event" ] }, { - "message": "eritq rehen.ipsamvol elillum_ ids-alerts tco ids-alerts signature=tvol 
priority=oluptate timestamp=1530614963.lit shost=01:00:5e:ac:6d:d3 direction=unknown protocol=igmp src=10.52.202.158 dst=10.54.44.231 message: Ute", - "event": { - "ingested": "2021-12-14T14:38:02.304918189Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694197960Z" }, + "message": "eritq rehen.ipsamvol elillum_ ids-alerts tco ids-alerts signature=tvol priority=oluptate timestamp=1530614963.lit shost=01:00:5e:ac:6d:d3 direction=unknown protocol=igmp src=10.52.202.158 dst=10.54.44.231 message: Ute", "tags": [ "preserve_original_event" ] }, { - "message": "runtm 1531849918.eturadip olorsi_ events MAC 01:00:5e:67:1d:0f and MAC 01:00:5e:f0:a9:cd both claim IP: 10.101.183.86", - "event": { - "ingested": "2021-12-14T14:38:02.304918580Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694198809Z" }, + "message": "runtm 1531849918.eturadip olorsi_ events MAC 01:00:5e:67:1d:0f and MAC 01:00:5e:f0:a9:cd both claim IP: 10.101.183.86", "tags": [ "preserve_original_event" ] }, { - "message": "inesciu 1533084872.quid atcupid_ flows orem flows src=10.71.22.225 dst=10.4.76.100 protocol=ggp pattern: allow serrorsi", - "event": { - "ingested": "2021-12-14T14:38:02.304918963Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694199671Z" }, + "message": "inesciu 1533084872.quid atcupid_ flows orem flows src=10.71.22.225 dst=10.4.76.100 protocol=ggp pattern: allow serrorsi", "tags": [ "preserve_original_event" ] }, { - "message": "lamco 1534319826.cit siar events MAC 01:00:5e:80:cd:ca and MAC 01:00:5e:45:aa:51 both claim IP: 10.83.130.95", - "event": { - "ingested": "2021-12-14T14:38:02.304919350Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694200549Z" }, + "message": "lamco 1534319826.cit siar events MAC 01:00:5e:80:cd:ca and MAC 
01:00:5e:45:aa:51 both claim IP: 10.83.130.95", "tags": [ "preserve_original_event" ] }, { - "message": "hite 1535554780.ianonnum nofdeFi events aid=henderit arp_resp=remq arp_src=unt auth_neg_dur=tla auth_neg_failed=arch channel=lite dns_req_rtt=ugia dns_resp=meum dns_server=borumSec duration=91.439000 full_conn=nvolupta identity=tev ip_resp=nre ip_src=10.2.110.73 is_8021x=eturadip is_wpa=ent last_auth_ago=rumSecti radio=Utenima reason=olore rssi=orumS type=olor vap=radip client_mac=01:00:5e:59:bf:36 client_ip=10.230.98.81 instigator=aaliquaU http_resp=olu dhcp_lease_completed=iameaque dhcp_ip=identsun dhcp_server=ender dhcp_server_mac=inc dhcp_resp=tect url=https://www.example.net/doconse/eni.html?mSec=smoditem#tatisetq category0=uidolo server=10.103.49.129 vpn_type=oquisq connectivity=abori", - "event": { - "ingested": "2021-12-14T14:38:02.304919728Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694201418Z" }, + "message": "hite 1535554780.ianonnum nofdeFi events aid=henderit arp_resp=remq arp_src=unt auth_neg_dur=tla auth_neg_failed=arch channel=lite dns_req_rtt=ugia dns_resp=meum dns_server=borumSec duration=91.439000 full_conn=nvolupta identity=tev ip_resp=nre ip_src=10.2.110.73 is_8021x=eturadip is_wpa=ent last_auth_ago=rumSecti radio=Utenima reason=olore rssi=orumS type=olor vap=radip client_mac=01:00:5e:59:bf:36 client_ip=10.230.98.81 instigator=aaliquaU http_resp=olu dhcp_lease_completed=iameaque dhcp_ip=identsun dhcp_server=ender dhcp_server_mac=inc dhcp_resp=tect url=https://www.example.net/doconse/eni.html?mSec=smoditem#tatisetq category0=uidolo server=10.103.49.129 vpn_type=oquisq connectivity=abori", "tags": [ "preserve_original_event" ] }, { - "message": "dunt 1536789735.ames amni events aid=tatio arp_resp=amquisno arp_src=modoc auth_neg_dur=magnam auth_neg_failed=uinesc channel=cid dns_req_rtt=emi dns_resp=Bonorum dns_server=lesti duration=59.289000 full_conn=iosamni identity=idu 
ip_resp=sis ip_src=10.158.61.228 is_8021x=tsedquia is_wpa=its last_auth_ago=umdolor radio=isiu reason=assi rssi=eserun type=rvelill vap=lupta client_mac=01:00:5e:e6:a6:a2 client_ip=10.186.16.20 instigator=tisu http_resp=remagnam dhcp_lease_completed=nvolupt dhcp_ip=meiusm dhcp_server=nidolo dhcp_server_mac=atquovol dhcp_resp=quunt url=https://www.example.com/seq/moll.htm?sunt=dquianon#urExc category0=tDuis server=10.132.176.96 vpn_type=aria connectivity=inim", - "event": { - "ingested": "2021-12-14T14:38:02.304920117Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694202267Z" }, + "message": "dunt 1536789735.ames amni events aid=tatio arp_resp=amquisno arp_src=modoc auth_neg_dur=magnam auth_neg_failed=uinesc channel=cid dns_req_rtt=emi dns_resp=Bonorum dns_server=lesti duration=59.289000 full_conn=iosamni identity=idu ip_resp=sis ip_src=10.158.61.228 is_8021x=tsedquia is_wpa=its last_auth_ago=umdolor radio=isiu reason=assi rssi=eserun type=rvelill vap=lupta client_mac=01:00:5e:e6:a6:a2 client_ip=10.186.16.20 instigator=tisu http_resp=remagnam dhcp_lease_completed=nvolupt dhcp_ip=meiusm dhcp_server=nidolo dhcp_server_mac=atquovol dhcp_resp=quunt url=https://www.example.com/seq/moll.htm?sunt=dquianon#urExc category0=tDuis server=10.132.176.96 vpn_type=aria connectivity=inim", "tags": [ "preserve_original_event" ] }, { - "message": "oremeumf 1538024689.lesti sintocca events dhcp lease of ip 10.105.136.146 from server mac 01:00:5e:bb:aa:f6 for client mac 01:00:5e:69:92:4a with hostname lors2232.api.example from router 10.46.217.155 on subnet amnihil with dns orissus", - "event": { - "ingested": "2021-12-14T14:38:02.304920501Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694203122Z" }, + "message": "oremeumf 1538024689.lesti sintocca events dhcp lease of ip 10.105.136.146 from server mac 01:00:5e:bb:aa:f6 for client mac 01:00:5e:69:92:4a with 
hostname lors2232.api.example from router 10.46.217.155 on subnet amnihil with dns orissus", "tags": [ "preserve_original_event" ] }, { - "message": "nimadmin 1539259643.lumqui quiavolu flows src=10.245.199.23 dst=10.123.62.215 mac=01:00:5e:1f:7f:1d protocol=udp pattern: 0 iusmodt", - "event": { - "ingested": "2021-12-14T14:38:02.304920905Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694203979Z" }, + "message": "nimadmin 1539259643.lumqui quiavolu flows src=10.245.199.23 dst=10.123.62.215 mac=01:00:5e:1f:7f:1d protocol=udp pattern: 0 iusmodt", "tags": [ "preserve_original_event" ] }, { - "message": "rep 1540494597.remap deri flows cancel src=10.239.105.121 dst=10.70.7.23 mac=01:00:5e:8e:82:f0 protocol=ipv6 ", - "event": { - "ingested": "2021-12-14T14:38:02.304921287Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694204858Z" }, + "message": "rep 1540494597.remap deri flows cancel src=10.239.105.121 dst=10.70.7.23 mac=01:00:5e:8e:82:f0 protocol=ipv6 ", "tags": [ "preserve_original_event" ] }, { - "message": "idexeac 1541729552.nimadmin midest_appliance events aid=modt arp_resp=iduntutl arp_src=rsitam auth_neg_dur=xercit auth_neg_failed=ulpaquio channel=itqu dns_req_rtt=minimav dns_resp=smodtem dns_server=roquisqu duration=116.294000 full_conn=iquid identity=evo ip_resp=mcorpori ip_src=10.196.176.243 is_8021x=itesse is_wpa=expl last_auth_ago=essecill radio=totamre reason=rpo rssi=velites type=nonpro vap=nula client_mac=01:00:5e:99:a6:b4 client_ip=10.90.50.149 instigator=nemulla http_resp=asp dhcp_lease_completed=dexercit dhcp_ip=amn dhcp_server=itessequ dhcp_server_mac=porissu dhcp_resp=umd url=https://www.example.net/sectetur/edquian.html?turQuis=taevi#uames category0=tconsec server=10.16.230.121 vpn_type=laboree connectivity=udantiu", - "event": { - "ingested": "2021-12-14T14:38:02.304921709Z" - }, "ecs": { - "version": "1.12.0" + 
"version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694205700Z" }, + "message": "idexeac 1541729552.nimadmin midest_appliance events aid=modt arp_resp=iduntutl arp_src=rsitam auth_neg_dur=xercit auth_neg_failed=ulpaquio channel=itqu dns_req_rtt=minimav dns_resp=smodtem dns_server=roquisqu duration=116.294000 full_conn=iquid identity=evo ip_resp=mcorpori ip_src=10.196.176.243 is_8021x=itesse is_wpa=expl last_auth_ago=essecill radio=totamre reason=rpo rssi=velites type=nonpro vap=nula client_mac=01:00:5e:99:a6:b4 client_ip=10.90.50.149 instigator=nemulla http_resp=asp dhcp_lease_completed=dexercit dhcp_ip=amn dhcp_server=itessequ dhcp_server_mac=porissu dhcp_resp=umd url=https://www.example.net/sectetur/edquian.html?turQuis=taevi#uames category0=tconsec server=10.16.230.121 vpn_type=laboree connectivity=udantiu", "tags": [ "preserve_original_event" ] }, { - "message": "ttenb olor.quiav gna security_event Nem signature=tdolorem priority=eacomm timestamp=1542964506.upidata dhost=01:00:5e:6a:c8:f8 direction=unknown protocol=ipv6 src=10.246.152.72:4293 dst=10.34.62.190:1641 message:eve", - "event": { - "ingested": "2021-12-14T14:38:02.304922082Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694206556Z" }, + "message": "ttenb olor.quiav gna security_event Nem signature=tdolorem priority=eacomm timestamp=1542964506.upidata dhost=01:00:5e:6a:c8:f8 direction=unknown protocol=ipv6 src=10.246.152.72:4293 dst=10.34.62.190:1641 message:eve", "tags": [ "preserve_original_event" ] }, { - "message": "quisn 1544199460.rem ulamcola events dhcp no offers for mac 01:00:5e:67:fc:cb", - "event": { - "ingested": "2021-12-14T14:38:02.304922518Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694207409Z" }, + "message": "quisn 1544199460.rem ulamcola events dhcp no offers for mac 01:00:5e:67:fc:cb", "tags": [ "preserve_original_event" ] }, { - 
"message": "eruntmo 1545434414.nimve usanti_ events dhcp release for mac 01:00:5e:7d:de:f7", - "event": { - "ingested": "2021-12-14T14:38:02.304923062Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694208416Z" }, + "message": "eruntmo 1545434414.nimve usanti_ events dhcp release for mac 01:00:5e:7d:de:f7", "tags": [ "preserve_original_event" ] }, { - "message": "uatu 1546669369.olupta consequu_ events dhcp release for mac 01:00:5e:6b:96:f2", - "event": { - "ingested": "2021-12-14T14:38:02.304923475Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694209298Z" }, + "message": "uatu 1546669369.olupta consequu_ events dhcp release for mac 01:00:5e:6b:96:f2", "tags": [ "preserve_original_event" ] }, { - "message": "sitam inibusBo.illoin emUtenim ids-alerts signature=ende priority=dexea timestamp=1547904323.acoprotocol=ipv6 src=10.244.32.189 dst=10.121.9.5message: uptas", - "event": { - "ingested": "2021-12-14T14:38:02.304923855Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694210163Z" }, + "message": "sitam inibusBo.illoin emUtenim ids-alerts signature=ende priority=dexea timestamp=1547904323.acoprotocol=ipv6 src=10.244.32.189 dst=10.121.9.5message: uptas", "tags": [ "preserve_original_event" ] }, { - "message": "edol 1549139277.sequuntu quameius_ events content_filtering_block url='https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor' category0='auto' server='10.41.124.15:333'", - "event": { - "ingested": "2021-12-14T14:38:02.304924252Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694211021Z" }, + "message": "edol 1549139277.sequuntu quameius_ events content_filtering_block url='https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor' category0='auto' server='10.41.124.15:333'", "tags": [ 
"preserve_original_event" ] }, { - "message": "antium 1550374232.remaper eseosq events dhcp no offers for mac 01:00:5e:c3:77:27", - "event": { - "ingested": "2021-12-14T14:38:02.304924636Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694211879Z" }, + "message": "antium 1550374232.remaper eseosq events dhcp no offers for mac 01:00:5e:c3:77:27", "tags": [ "preserve_original_event" ] }, { - "message": "oditau 1551609186.onsec dit events MAC 01:00:5e:19:86:21 and MAC 01:00:5e:ed:ed:79 both claim IP: 10.43.235.230", - "event": { - "ingested": "2021-12-14T14:38:02.304925049Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694212731Z" }, + "message": "oditau 1551609186.onsec dit events MAC 01:00:5e:19:86:21 and MAC 01:00:5e:ed:ed:79 both claim IP: 10.43.235.230", "tags": [ "preserve_original_event" ] }, { - "message": "asper dictasun.psa lorese_ ids-alerts ctobeat ids-alerts signature=onsec priority=idestl timestamp=1552844140.litani shost=01:00:5e:a0:b2:c9 direction=unknown protocol=icmp src=10.199.19.205:5823 dst=10.103.91.159:7116 message: ntut", - "event": { - "ingested": "2021-12-14T14:38:02.304925434Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694213581Z" }, + "message": "asper dictasun.psa lorese_ ids-alerts ctobeat ids-alerts signature=onsec priority=idestl timestamp=1552844140.litani shost=01:00:5e:a0:b2:c9 direction=unknown protocol=icmp src=10.199.19.205:5823 dst=10.103.91.159:7116 message: ntut", "tags": [ "preserve_original_event" ] }, { - "message": "estiaec 1554079094.pitlabo tas_appliance flows src=10.17.111.91 dst=10.65.0.157 mac=01:00:5e:49:c4:17 protocol=udp pattern: 1 nostrum", - "event": { - "ingested": "2021-12-14T14:38:02.304925820Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694214435Z" }, 
+ "message": "estiaec 1554079094.pitlabo tas_appliance flows src=10.17.111.91 dst=10.65.0.157 mac=01:00:5e:49:c4:17 protocol=udp pattern: 1 nostrum", "tags": [ "preserve_original_event" ] }, { - "message": "ercitati 1555314049.atem serro flows cancel", - "event": { - "ingested": "2021-12-14T14:38:02.304926200Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694215310Z" }, + "message": "ercitati 1555314049.atem serro flows cancel", "tags": [ "preserve_original_event" ] }, { - "message": "amquaera 1556549003.rsitamet leumiur events MAC 01:00:5e:fd:79:9e and MAC 01:00:5e:4d:c0:dd both claim IP: 10.20.130.88", - "event": { - "ingested": "2021-12-14T14:38:02.304926605Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694216168Z" }, + "message": "amquaera 1556549003.rsitamet leumiur events MAC 01:00:5e:fd:79:9e and MAC 01:00:5e:4d:c0:dd both claim IP: 10.20.130.88", "tags": [ "preserve_original_event" ] }, { - "message": "abill ametcon.ofdeFini tasnu_ ids-alerts tionev ids-alerts signature=uasiarch priority=velites timestamp=1557783957.uredolorprotocol=ipv6 src=10.177.64.152 dst=10.140.242.86message: temporin", - "event": { - "ingested": "2021-12-14T14:38:02.304927048Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694217034Z" }, + "message": "abill ametcon.ofdeFini tasnu_ ids-alerts tionev ids-alerts signature=uasiarch priority=velites timestamp=1557783957.uredolorprotocol=ipv6 src=10.177.64.152 dst=10.140.242.86message: temporin", "tags": [ "preserve_original_event" ] }, { - "message": "lor nvolupt.dquia ora_ security_event dipi security_event ecatc signature=quovolu priority=ite timestamp=1559018911.itse shost=01:00:5e:b8:73:c8 direction=external protocol=icmp src=10.199.103.185:2449 dst=10.51.121.223:24 message:stenat", - "event": { - "ingested": "2021-12-14T14:38:02.304927430Z" - 
}, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694217881Z" }, + "message": "lor nvolupt.dquia ora_ security_event dipi security_event ecatc signature=quovolu priority=ite timestamp=1559018911.itse shost=01:00:5e:b8:73:c8 direction=external protocol=icmp src=10.199.103.185:2449 dst=10.51.121.223:24 message:stenat", "tags": [ "preserve_original_event" ] }, { - "message": "saq 1560253866.asiarch ssuscipi events MAC 01:00:5e:93:48:61 and MAC 01:00:5e:21:c2:55 both claim IP: 10.126.242.58", - "event": { - "ingested": "2021-12-14T14:38:02.304927814Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694218727Z" }, + "message": "saq 1560253866.asiarch ssuscipi events MAC 01:00:5e:93:48:61 and MAC 01:00:5e:21:c2:55 both claim IP: 10.126.242.58", "tags": [ "preserve_original_event" ] }, { - "message": "tlab 1561488820.vel ionevo events dhcp release for mac 01:00:5e:8a:1a:f9", - "event": { - "ingested": "2021-12-14T14:38:02.304928196Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694219588Z" }, + "message": "tlab 1561488820.vel ionevo events dhcp release for mac 01:00:5e:8a:1a:f9", "tags": [ "preserve_original_event" ] }, { - "message": "aeab 1562723774.uradipis aerat_ flows uira flows deny src=10.121.37.244 dst=10.113.152.241 mac=01:00:5e:9c:86:62 protocol=udp type=utaliqui ", - "event": { - "ingested": "2021-12-14T14:38:02.304928580Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694220435Z" }, + "message": "aeab 1562723774.uradipis aerat_ flows uira flows deny src=10.121.37.244 dst=10.113.152.241 mac=01:00:5e:9c:86:62 protocol=udp type=utaliqui ", "tags": [ "preserve_original_event" ] }, { - "message": "nesciu 1563958728.mali roinBCSe_appliance events aid=eetdolor arp_resp=tpersp arp_src=assi auth_neg_dur=rch 
auth_neg_failed=psa channel=nreprehe dns_req_rtt=pidatatn dns_resp=isno dns_server=luptatev duration=39.622000 full_conn=lla identity=urau ip_resp=aeca ip_src=10.247.118.132 is_8021x=atcupi is_wpa=enima last_auth_ago=uptateve radio=fugitsed reason=lumqui rssi=ectet type=ionu vap=eratv client_mac=01:00:5e:10:8b:c3 client_ip=10.153.33.99 instigator=liq http_resp=xerc dhcp_lease_completed=atisetqu dhcp_ip=squir dhcp_server=gnaaliq dhcp_server_mac=quam dhcp_resp=deriti url=https://www5.example.org/eturadi/umS.txt?mSecti=henderi#taevitae category0=tevel server=10.254.96.130 vpn_type=ita connectivity=iquipexe", - "event": { - "ingested": "2021-12-14T14:38:02.304928970Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694221362Z" }, + "message": "nesciu 1563958728.mali roinBCSe_appliance events aid=eetdolor arp_resp=tpersp arp_src=assi auth_neg_dur=rch auth_neg_failed=psa channel=nreprehe dns_req_rtt=pidatatn dns_resp=isno dns_server=luptatev duration=39.622000 full_conn=lla identity=urau ip_resp=aeca ip_src=10.247.118.132 is_8021x=atcupi is_wpa=enima last_auth_ago=uptateve radio=fugitsed reason=lumqui rssi=ectet type=ionu vap=eratv client_mac=01:00:5e:10:8b:c3 client_ip=10.153.33.99 instigator=liq http_resp=xerc dhcp_lease_completed=atisetqu dhcp_ip=squir dhcp_server=gnaaliq dhcp_server_mac=quam dhcp_resp=deriti url=https://www5.example.org/eturadi/umS.txt?mSecti=henderi#taevitae category0=tevel server=10.254.96.130 vpn_type=ita connectivity=iquipexe", "tags": [ "preserve_original_event" ] }, { - "message": "tot 1565193683.reme emeumfu events aid=inBCSedu arp_resp=ita arp_src=ade auth_neg_dur=nihilmol auth_neg_failed=nder channel=ano dns_req_rtt=rumexer dns_resp=eab dns_server=iaconseq duration=18.963000 full_conn=eli identity=rissusci ip_resp=ectetur ip_src=10.101.13.122 is_8021x=oconsequ is_wpa=roqui last_auth_ago=oluptate radio=ntut reason=mremaper rssi=uteirur type=ntium vap=ide 
client_mac=01:00:5e:95:ae:d0 client_ip=10.78.143.52 instigator=ntiumdol http_resp=conse dhcp_lease_completed=aturve dhcp_ip=edqui dhcp_server=tvolu dhcp_server_mac=psu dhcp_resp=strud url=https://internal.example.org/fdeFi/ratv.htm?sequatu=tiumtot#tate category0=udanti server=10.200.98.243 vpn_type=cteturad connectivity=umq", - "event": { - "ingested": "2021-12-14T14:38:02.304929351Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694222247Z" }, + "message": "tot 1565193683.reme emeumfu events aid=inBCSedu arp_resp=ita arp_src=ade auth_neg_dur=nihilmol auth_neg_failed=nder channel=ano dns_req_rtt=rumexer dns_resp=eab dns_server=iaconseq duration=18.963000 full_conn=eli identity=rissusci ip_resp=ectetur ip_src=10.101.13.122 is_8021x=oconsequ is_wpa=roqui last_auth_ago=oluptate radio=ntut reason=mremaper rssi=uteirur type=ntium vap=ide client_mac=01:00:5e:95:ae:d0 client_ip=10.78.143.52 instigator=ntiumdol http_resp=conse dhcp_lease_completed=aturve dhcp_ip=edqui dhcp_server=tvolu dhcp_server_mac=psu dhcp_resp=strud url=https://internal.example.org/fdeFi/ratv.htm?sequatu=tiumtot#tate category0=udanti server=10.200.98.243 vpn_type=cteturad connectivity=umq", "tags": [ "preserve_original_event" ] }, { - "message": "oinvento 1566428637.mporin orissusc_appliance events content_filtering_block url='https://www5.example.net/uov/pariat.htm?litsed=lumd#tiaec' category0='lorem' server='10.247.205.185:7676' client_mac='01:00:5e:6f:21:c8'", - "event": { - "ingested": "2021-12-14T14:38:02.304929739Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694223132Z" }, + "message": "oinvento 1566428637.mporin orissusc_appliance events content_filtering_block url='https://www5.example.net/uov/pariat.htm?litsed=lumd#tiaec' category0='lorem' server='10.247.205.185:7676' client_mac='01:00:5e:6f:21:c8'", "tags": [ "preserve_original_event" ] }, { - "message": "metMa 
emoen.ptate mipsumqu_ ids-alerts ccusa ids-alerts signature=billo priority=doloremi timestamp=1567663591.ectetura dhost=01:00:5e:0a:88:bb direction=inbound protocol=ipv6 src=10.195.90.73:3914 dst=10.147.165.30:7662 message: idents", - "event": { - "ingested": "2021-12-14T14:38:02.304930126Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694223991Z" }, + "message": "metMa emoen.ptate mipsumqu_ ids-alerts ccusa ids-alerts signature=billo priority=doloremi timestamp=1567663591.ectetura dhost=01:00:5e:0a:88:bb direction=inbound protocol=ipv6 src=10.195.90.73:3914 dst=10.147.165.30:7662 message: idents", "tags": [ "preserve_original_event" ] }, { - "message": "veniamqu 1568898545.iconsequ ueporr_appliance events IDS: empor", - "event": { - "ingested": "2021-12-14T14:38:02.304930522Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694224852Z" }, + "message": "veniamqu 1568898545.iconsequ ueporr_appliance events IDS: empor", "tags": [ "preserve_original_event" ] }, { - "message": "atDuisa mipsa.uas iat ids-alerts signature=hite priority=adipis timestamp=1570133500.abo dhost=01:00:5e:dd:cb:5b direction=inbound protocol=udp src=10.137.166.97 dst=10.162.202.14 message: ipsaqua", - "event": { - "ingested": "2021-12-14T14:38:02.304930916Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694225698Z" }, + "message": "atDuisa mipsa.uas iat ids-alerts signature=hite priority=adipis timestamp=1570133500.abo dhost=01:00:5e:dd:cb:5b direction=inbound protocol=udp src=10.137.166.97 dst=10.162.202.14 message: ipsaqua", "tags": [ "preserve_original_event" ] }, { - "message": "deom 1571368454.tiumdo rautod_appliance events content_filtering_block url='https://www5.example.com/illoinve/etcon.htm?nevolup=erspici#itinvolu' category0='adeserun' server='10.227.135.142:6598'", - "event": { - "ingested": 
"2021-12-14T14:38:02.304931326Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694226592Z" }, + "message": "deom 1571368454.tiumdo rautod_appliance events content_filtering_block url='https://www5.example.com/illoinve/etcon.htm?nevolup=erspici#itinvolu' category0='adeserun' server='10.227.135.142:6598'", "tags": [ "preserve_original_event" ] }, { - "message": "orese 1572603408.umdolore umqui_appliance events MAC 01:00:5e:f1:b8:3a and MAC 01:00:5e:37:9c:af both claim IP: 10.199.29.19", - "event": { - "ingested": "2021-12-14T14:38:02.304931717Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694227503Z" }, + "message": "orese 1572603408.umdolore umqui_appliance events MAC 01:00:5e:f1:b8:3a and MAC 01:00:5e:37:9c:af both claim IP: 10.199.29.19", "tags": [ "preserve_original_event" ] }, { - "message": "explicab 1573838362.samvolu teiru_appliance events dhcp no offers for mac 01:00:5e:b8:06:92", - "event": { - "ingested": "2021-12-14T14:38:02.304932105Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694228348Z" }, + "message": "explicab 1573838362.samvolu teiru_appliance events dhcp no offers for mac 01:00:5e:b8:06:92", "tags": [ "preserve_original_event" ] }, { - "message": "rissusci 1575073317.uaturQ iusmod_ events aid=mips arp_resp=iduntutl arp_src=mipsumd auth_neg_dur=eiusmo auth_neg_failed=quelauda channel=rcit dns_req_rtt=dolo dns_resp=ulamc dns_server=doe duration=10.574000 full_conn=remquela identity=toreve ip_resp=squirat ip_src=10.85.59.172 is_8021x=mto is_wpa=iae last_auth_ago=dent radio=Uten reason=tatiset rssi=sequat type=modoco vap=beataevi client_mac=01:00:5e:92:d8:95 client_ip=10.158.215.216 instigator=deritin http_resp=ptate dhcp_lease_completed=lloi dhcp_ip=nseq dhcp_server=equunt dhcp_server_mac=tutla dhcp_resp=usmod 
url=https://example.com/qui/itse.gif?orsitame=tasn#exeaco category0=upta server=10.75.122.111 vpn_type=reprehe connectivity=deFinib", - "event": { - "ingested": "2021-12-14T14:38:02.304932498Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694229194Z" }, + "message": "rissusci 1575073317.uaturQ iusmod_ events aid=mips arp_resp=iduntutl arp_src=mipsumd auth_neg_dur=eiusmo auth_neg_failed=quelauda channel=rcit dns_req_rtt=dolo dns_resp=ulamc dns_server=doe duration=10.574000 full_conn=remquela identity=toreve ip_resp=squirat ip_src=10.85.59.172 is_8021x=mto is_wpa=iae last_auth_ago=dent radio=Uten reason=tatiset rssi=sequat type=modoco vap=beataevi client_mac=01:00:5e:92:d8:95 client_ip=10.158.215.216 instigator=deritin http_resp=ptate dhcp_lease_completed=lloi dhcp_ip=nseq dhcp_server=equunt dhcp_server_mac=tutla dhcp_resp=usmod url=https://example.com/qui/itse.gif?orsitame=tasn#exeaco category0=upta server=10.75.122.111 vpn_type=reprehe connectivity=deFinib", "tags": [ "preserve_original_event" ] }, { - "message": "orr 1576308271.pre aute events IDS: rchite", - "event": { - "ingested": "2021-12-14T14:38:02.304932891Z" - }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "ingested": "2022-01-25T12:04:26.694230048Z" }, + "message": "orr 1576308271.pre aute events IDS: rchite", "tags": [ "preserve_original_event" ] diff --git a/packages/cisco/data_stream/meraki/agent/stream/stream.yml.hbs b/packages/cisco/data_stream/meraki/agent/stream/stream.yml.hbs index 0e66aa4e1a6..7789762c763 100644 --- a/packages/cisco/data_stream/meraki/agent/stream/stream.yml.hbs +++ b/packages/cisco/data_stream/meraki/agent/stream/stream.yml.hbs @@ -19,7 +19,6 @@ fields: {{#contains "forwarded" tags}} publisher_pipeline.disable_host: true {{/contains}} - processors: {{#if processors}} {{processors}} 
@@ -830,7 +829,7 @@ processors: if (value != null && (result = fn(value))!== undefined) { evt.Put(FIELDS_PREFIX + dst, result); } else { - console.error(fn.name + " failed for '" + value + "'"); + console.debug(fn.name + " failed for '" + value + "'"); } }; } @@ -1022,7 +1021,7 @@ processors: } var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "syslog.facility.code", setter: fld_set}]}, + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, @@ -1042,8 +1041,8 @@ processors: "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, 
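Review bot: Demoting the conversion-failure message from console.error to console.debug means a value that fails to_ip/to_long/to_mac, and is therefore dropped from the event, no longer surfaces in the agent log at default verbosity, so a device that starts emitting unparsable addresses silently loses `source.ip`/`destination.ip` with no operational signal. If the goal is to stop expected free-text garbage flooding the log, console.warn is the usual compromise, and the choice deserves a comment such as `// conversion failures are expected for free-text values; logged at debug to avoid flooding the agent log`. Note also that the raw syslog `value` is interpolated unescaped into the log line; that is pre-existing rather than new here, but it is a log-injection surface for anything that tails the agent log. The enclosing function starts outside this hunk, and the same change appears in meraki tcp.yml.hbs and udp.yml.hbs and in the three nexus templates.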
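Review bot: The `_facility` correction to `log.syslog.facility.code` is applied here and in meraki udp.yml.hbs, but no corresponding hunk appears for meraki tcp.yml.hbs or for any of the three nexus templates. If those files still map `_facility` to `syslog.facility.code`, TCP-ingested Meraki events and all Nexus events will carry a non-ECS top-level `syslog` object instead of the field declared in fields/ecs.yml; please confirm they were already correct or apply the same one-line change there.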
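Review bot: Switching `daddr`/`daddr_v6` from fld_append to fld_set is the right shape for ECS 8, where `destination.ip` is a single ip value, but it changes the conflict rule: if a message carries both keys, whichever the mapping loop visits last wins, while `related.ip` still collects both. Since the rest of the table expresses precedence with fld_prio, consider `"daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},` with `prio: 1` for `daddr_v6` (or a comment stating that v4 and v6 keys never co-occur) so the selection is explicit rather than order-dependent; fld_set's implementation is not visible here, so this assumes it overwrites unconditionally. The same applies to `saddr`/`saddr_v6` at @@ -1123 below and to the matching hunks in the meraki tcp/udp and nexus templates.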
@@ -1101,11 +1100,11 @@ processors: "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "log.original", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, @@ -1115,7 +1114,7 @@ processors: "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, "product": {to:[{field: "observer.product", setter: fld_set}]}, "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, 
@@ -1123,8 +1122,8 @@ processors: "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, @@ -2563,8 +2562,8 @@ processors: builder.Add(save_flags); builder.Add(strip_syslog_priority); builder.Add(chain1); - builder.Add(populate_fields); builder.Add(restore_flags); + builder.Add(populate_fields); var chain = builder.Build(); return { process: chain.Run, diff --git a/packages/cisco/data_stream/meraki/agent/stream/tcp.yml.hbs b/packages/cisco/data_stream/meraki/agent/stream/tcp.yml.hbs index 89a1f44213b..c835db3270b 100644 --- a/packages/cisco/data_stream/meraki/agent/stream/tcp.yml.hbs +++ b/packages/cisco/data_stream/meraki/agent/stream/tcp.yml.hbs @@ -16,7 +16,6 @@ fields: {{#contains "forwarded" tags}} publisher_pipeline.disable_host: true {{/contains}} - processors: {{#if processors}} {{processors}} @@ -827,7 +826,7 @@ processors: if (value != null && (result = fn(value))!== undefined) { evt.Put(FIELDS_PREFIX + dst, result); } else { - console.error(fn.name + " failed for '" + value + "'"); + console.debug(fn.name + " failed for '" + value + "'"); } }; } 
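Review bot: Moving populate_fields after restore_flags changes the processor order without a comment saying why, and the reason is not visible in this hunk (the enclosing builder function starts outside it). Presumably it is needed because `msg` now writes `message` with fld_set and the two steps would otherwise overwrite each other, but what restore_flags restores cannot be seen from here, so please confirm and state it inline, e.g. `// populate_fields must run after restore_flags so the ECS fields it sets (incl. message) are not clobbered by the restored originals`. The same reorder appears in the five sibling templates.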
@@ -1039,8 +1038,8 @@ processors:
 "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
 "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
 "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
 "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
 "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
 "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
@@ -1098,11 +1097,11 @@ processors: "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "log.original", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, @@ -1112,7 +1111,7 @@ processors: "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, "product": {to:[{field: "observer.product", setter: fld_set}]}, "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, 
@@ -1120,8 +1119,8 @@ processors: "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, @@ -2560,8 +2559,8 @@ processors: builder.Add(save_flags); builder.Add(strip_syslog_priority); builder.Add(chain1); - builder.Add(populate_fields); builder.Add(restore_flags); + builder.Add(populate_fields); var chain = builder.Build(); return { process: chain.Run, diff --git a/packages/cisco/data_stream/meraki/agent/stream/udp.yml.hbs b/packages/cisco/data_stream/meraki/agent/stream/udp.yml.hbs index 97efe60d2c1..d88b14f8023 100644 --- a/packages/cisco/data_stream/meraki/agent/stream/udp.yml.hbs +++ b/packages/cisco/data_stream/meraki/agent/stream/udp.yml.hbs @@ -16,7 +16,6 @@ fields: {{#contains "forwarded" tags}} publisher_pipeline.disable_host: true {{/contains}} - processors: {{#if processors}} {{processors}} @@ -827,7 +826,7 @@ processors: if (value != null && (result = fn(value))!== undefined) { evt.Put(FIELDS_PREFIX + dst, result); } else { - console.error(fn.name + " failed for '" + value + "'"); + console.debug(fn.name + " failed for '" + value + "'"); } }; } 
@@ -1019,7 +1018,7 @@ processors: } var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "syslog.facility.code", setter: fld_set}]}, + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, @@ -1039,8 +1038,8 @@ processors: "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, 
@@ -1098,11 +1097,11 @@ processors: "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "log.original", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, @@ -1112,7 +1111,7 @@ processors: "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, "product": {to:[{field: "observer.product", setter: fld_set}]}, "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, 
@@ -1120,8 +1119,8 @@ processors: "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, @@ -2560,8 +2559,8 @@ processors: builder.Add(save_flags); builder.Add(strip_syslog_priority); builder.Add(chain1); - builder.Add(populate_fields); builder.Add(restore_flags); + builder.Add(populate_fields); var chain = builder.Build(); return { process: chain.Run, diff --git a/packages/cisco/data_stream/meraki/elasticsearch/ingest_pipeline/default.yml b/packages/cisco/data_stream/meraki/elasticsearch/ingest_pipeline/default.yml index b36accb3dfa..a932e4cc8eb 100644 --- a/packages/cisco/data_stream/meraki/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco/data_stream/meraki/elasticsearch/ingest_pipeline/default.yml @@ -8,7 +8,7 @@ processors: value: '{{_ingest.timestamp}}' - set: field: ecs.version - value: '1.12.0' + value: '8.0.0' # User agent - user_agent: field: user_agent.original diff --git a/packages/cisco/data_stream/meraki/fields/ecs.yml b/packages/cisco/data_stream/meraki/fields/ecs.yml index bf1d2ece2d0..1da8c39a341 100644 --- a/packages/cisco/data_stream/meraki/fields/ecs.yml 
+++ b/packages/cisco/data_stream/meraki/fields/ecs.yml @@ -110,8 +110,6 @@ name: http.request.referrer - external: ecs name: log.level -- external: ecs - name: log.original - external: ecs name: log.syslog.facility.code - external: ecs @@ -153,7 +151,7 @@ - external: ecs name: process.pid - external: ecs - name: process.ppid + name: process.parent.pid - external: ecs name: process.title - external: ecs diff --git a/packages/cisco/data_stream/meraki/sample_event.json b/packages/cisco/data_stream/meraki/sample_event.json index e222e756a8b..8e037da8372 100644 --- a/packages/cisco/data_stream/meraki/sample_event.json +++ b/packages/cisco/data_stream/meraki/sample_event.json @@ -1,12 +1,12 @@ { "@timestamp": "2016-01-29T06:09:59.000Z", "agent": { - "ephemeral_id": "9b0d0418-f480-4f0b-8017-4cb9d88c01d7", + "ephemeral_id": "0f004ed2-0b2a-4215-8b24-e652cef37253", "hostname": "docker-fleet-agent", - "id": "3c803d12-46a2-48a4-a206-8fd3630cc2a9", + "id": "0a0be70a-90aa-494d-8be3-b06a8a05e08c", "name": "docker-fleet-agent", "type": "filebeat", - "version": "7.14.0" + "version": "7.16.2" }, "data_stream": { "dataset": "cisco.meraki", 
@@ -20,31 +20,28 @@ "port": 5293 }, "ecs": { - "version": "1.10.0" + "version": "1.12.0" }, "elastic_agent": { - "id": "3c803d12-46a2-48a4-a206-8fd3630cc2a9", - "snapshot": true, - "version": "7.14.0" + "id": "0a0be70a-90aa-494d-8be3-b06a8a05e08c", + "snapshot": false, + "version": "7.16.2" }, "event": { "action": "deny\n", "agent_id_status": "verified", "code": "security_event", "dataset": "cisco.meraki", - "ingested": "2021-07-19T09:02:10.469724425Z", + "ingested": "2022-01-25T09:01:37Z", "original": "modtempo 1454047799.olab nto_ security_event olaborissecurity_event tur url=https://example.org/odoco/ria.jpg?ritin=uredolor#tatemac src=10.15.44.253:5078 dst=10.193.124.51:5293 mac=01:00:5e:28:ae:7d name=psa sha256=umq disposition=ntium action=deny\n", "timezone": "+00:00" }, - "host": { - "name": "docker-fleet-agent" - }, "input": { "type": "udp" }, "log": { "source": { - "address": "172.23.0.4:44394" + "address": "172.19.0.4:59238" } }, "observer": { @@ -53,9 +50,6 @@ "vendor": "Cisco" }, "related": { - "hosts": [ - "docker-fleet-agent" - ], "ip": [ "10.193.124.51", "10.15.44.253" diff --git a/packages/cisco/data_stream/nexus/agent/stream/stream.yml.hbs b/packages/cisco/data_stream/nexus/agent/stream/stream.yml.hbs index b1c2540b138..d9989579016 100644 --- a/packages/cisco/data_stream/nexus/agent/stream/stream.yml.hbs +++ b/packages/cisco/data_stream/nexus/agent/stream/stream.yml.hbs @@ -19,7 +19,6 @@ fields: {{#contains "forwarded" tags}} publisher_pipeline.disable_host: true {{/contains}} - processors: {{#if processors}} {{processors}} @@ -830,7 +829,7 @@ processors: if (value != null && (result = fn(value))!== undefined) { evt.Put(FIELDS_PREFIX + dst, result); } else { - console.error(fn.name + " failed for '" + value + "'"); + console.debug(fn.name + " failed for '" + value + "'"); } }; } 
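Review bot: The regenerated sample event reports `"version": "1.12.0"` under `ecs`, while this same commit changes the meraki ingest pipeline to set `ecs.version` to '8.0.0', so the sample no longer reflects what the pipeline emits; it looks like it was captured before the pipeline bump and should be regenerated. The nexus sample_event.json has the same mismatch. Separately, the context line `"action": "deny\n"` keeps a trailing newline in `event.action`, which defeats exact-match detections on that field; that is a pre-existing parser issue rather than something this commit introduces, but it is worth a follow-up.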
@@ -1042,8 +1041,8 @@ processors:
 "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
 "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
 "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
 "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
 "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
 "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
@@ -1101,11 +1100,11 @@ processors: "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "log.original", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, @@ -1115,7 +1114,7 @@ processors: "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, "product": {to:[{field: "observer.product", setter: fld_set}]}, "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, 
@@ -1123,8 +1122,8 @@ processors: "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, @@ -2557,8 +2556,8 @@ processors: builder.Add(save_flags); builder.Add(strip_syslog_priority); builder.Add(chain1); - builder.Add(populate_fields); builder.Add(restore_flags); + builder.Add(populate_fields); var chain = builder.Build(); return { process: chain.Run, diff --git a/packages/cisco/data_stream/nexus/agent/stream/tcp.yml.hbs b/packages/cisco/data_stream/nexus/agent/stream/tcp.yml.hbs index 63468d0ad05..9de232f8f20 100644 --- a/packages/cisco/data_stream/nexus/agent/stream/tcp.yml.hbs +++ b/packages/cisco/data_stream/nexus/agent/stream/tcp.yml.hbs @@ -16,7 +16,6 @@ fields: {{#contains "forwarded" tags}} publisher_pipeline.disable_host: true {{/contains}} - processors: {{#if processors}} {{processors}} @@ -827,7 +826,7 @@ processors: if (value != null && (result = fn(value))!== undefined) { evt.Put(FIELDS_PREFIX + dst, result); } else { - console.error(fn.name + " failed for '" + value + "'"); + console.debug(fn.name + " failed for '" + value + "'"); } }; } 
@@ -1039,8 +1038,8 @@ processors:
 "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
 "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
 "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
 "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
 "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
 "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
@@ -1098,11 +1097,11 @@ processors: "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "log.original", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, @@ -1112,7 +1111,7 @@ processors: "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, "product": {to:[{field: "observer.product", setter: fld_set}]}, "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, 
@@ -1120,8 +1119,8 @@ processors: "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, @@ -2554,8 +2553,8 @@ processors: builder.Add(save_flags); builder.Add(strip_syslog_priority); builder.Add(chain1); - builder.Add(populate_fields); builder.Add(restore_flags); + builder.Add(populate_fields); var chain = builder.Build(); return { process: chain.Run, diff --git a/packages/cisco/data_stream/nexus/agent/stream/udp.yml.hbs b/packages/cisco/data_stream/nexus/agent/stream/udp.yml.hbs index 6ec171d383e..64f17de3e0e 100644 --- a/packages/cisco/data_stream/nexus/agent/stream/udp.yml.hbs +++ b/packages/cisco/data_stream/nexus/agent/stream/udp.yml.hbs @@ -16,7 +16,6 @@ fields: {{#contains "forwarded" tags}} publisher_pipeline.disable_host: true {{/contains}} - processors: {{#if processors}} {{processors}} @@ -827,7 +826,7 @@ processors: if (value != null && (result = fn(value))!== undefined) { evt.Put(FIELDS_PREFIX + dst, result); } else { - console.error(fn.name + " failed for '" + value + "'"); + console.debug(fn.name + " failed for '" + value + "'"); } }; } 
@@ -1039,8 +1038,8 @@ processors:
 "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
 "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
 "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
 "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
 "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
 "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
@@ -1098,11 +1097,11 @@ processors: "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "log.original", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, @@ -1112,7 +1111,7 @@ processors: "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, "product": {to:[{field: "observer.product", setter: fld_set}]}, "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, 
@@ -1120,8 +1119,8 @@ processors:
 "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
 "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
 "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
 "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
 "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
 "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
@@ -2554,8 +2553,8 @@ processors:
 builder.Add(save_flags);
 builder.Add(strip_syslog_priority);
 builder.Add(chain1);
- builder.Add(populate_fields);
 builder.Add(restore_flags);
+ builder.Add(populate_fields);
 var chain = builder.Build();
 return {
 process: chain.Run,
diff --git a/packages/cisco/data_stream/nexus/elasticsearch/ingest_pipeline/default.yml b/packages/cisco/data_stream/nexus/elasticsearch/ingest_pipeline/default.yml
index b981fed4aca..a9946fcdb8c 100644
--- a/packages/cisco/data_stream/nexus/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco/data_stream/nexus/elasticsearch/ingest_pipeline/default.yml
@@ -8,7 +8,7 @@ processors:
 value: '{{_ingest.timestamp}}'
 - set:
 field: ecs.version
- value: '1.12.0'
+ value: '8.0.0'
 # User agent
 - user_agent:
 field: user_agent.original
diff --git a/packages/cisco/data_stream/nexus/fields/ecs.yml b/packages/cisco/data_stream/nexus/fields/ecs.yml
index bf1d2ece2d0..1da8c39a341 100644
--- a/packages/cisco/data_stream/nexus/fields/ecs.yml
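Review bot: `builder.Add(populate_fields)` is moved after `builder.Add(restore_flags)` in the `@@ -2554` hunk, but nothing on the new side says why the order matters; both helpers are defined outside this hunk, so I cannot confirm the dependency from here, and without a comment the next refactor can silently swap them back. Presumably populate_fields needs to see the event after the saved flags have been restored; if so, a comment on the moved line such as `builder.Add(populate_fields); // must follow restore_flags` with the reason would preserve that. The `saddr`/`saddr_v6` hunk above shares the `fld_append` to `fld_set` concern already raised on the `daddr` hunk.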
+++ b/packages/cisco/data_stream/nexus/fields/ecs.yml
@@ -110,8 +110,6 @@
 name: http.request.referrer
 - external: ecs
 name: log.level
-- external: ecs
- name: log.original
 - external: ecs
 name: log.syslog.facility.code
 - external: ecs
@@ -153,7 +151,7 @@
 - external: ecs
 name: process.pid
 - external: ecs
- name: process.ppid
+ name: process.parent.pid
 - external: ecs
 name: process.title
 - external: ecs
diff --git a/packages/cisco/data_stream/nexus/sample_event.json b/packages/cisco/data_stream/nexus/sample_event.json
index 823efdee2e8..5bbeb4b8061 100644
--- a/packages/cisco/data_stream/nexus/sample_event.json
+++ b/packages/cisco/data_stream/nexus/sample_event.json
@@ -1,12 +1,12 @@
 {
- "@timestamp": "2021-07-19T09:05:27.398Z",
+ "@timestamp": "2022-01-25T08:47:14.944Z",
 "agent": {
- "ephemeral_id": "9cae1736-608e-4d97-9238-c5acffac7d36",
+ "ephemeral_id": "091f3442-1209-4033-8434-e8c731c8a092",
 "hostname": "docker-fleet-agent",
- "id": "3c803d12-46a2-48a4-a206-8fd3630cc2a9",
+ "id": "0a0be70a-90aa-494d-8be3-b06a8a05e08c",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "7.14.0"
+ "version": "7.16.2"
 },
 "data_stream": {
 "dataset": "cisco.nexus",
@@ -14,30 +14,27 @@
 "type": "logs"
 },
 "ecs": {
- "version": "1.10.0"
+ "version": "1.12.0"
 },
 "elastic_agent": {
- "id": "3c803d12-46a2-48a4-a206-8fd3630cc2a9",
- "snapshot": true,
- "version": "7.14.0"
+ "id": "0a0be70a-90aa-494d-8be3-b06a8a05e08c",
+ "snapshot": false,
+ "version": "7.16.2"
 },
 "event": {
 "agent_id_status": "verified",
 "code": "pam_aaa",
 "dataset": "cisco.nexus",
- "ingested": "2021-07-19T09:05:28.421638917Z",
+ "ingested": "2022-01-25T08:47:15Z",
 "original": "2012 Dec 18 14:51:08 Nexus5010-B %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user en from 2.2.2.1 - login\n",
 "timezone": "+00:00"
 },
- "host": {
- "name": "docker-fleet-agent"
- },
 "input": {
 "type": "udp"
 },
 "log": {
 "source": {
- "address": "172.23.0.4:37919"
+ "address": "172.19.0.4:54372"
 }
 },
 "observer": {
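Review bot: The regenerated nexus `sample_event.json` reports `ecs.version` as `1.12.0` in the `@@ -14,30 +14,27 @@` hunk, while the ingest pipeline in this same diff now sets `ecs.version` to `8.0.0`, so the sample was captured with the previous pipeline and does not show the ECS 8.0 output this change ships; the copy embedded in `docs/README.md` carries the same stale value. Regenerating the sample after the pipeline change would keep the documented event in step with what the integration actually produces. The removal of `host.name` and of a `related.hosts` entry holding the collector's own hostname looks intentional, but I cannot tell from this hunk which pipeline change produced it.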
@@ -45,11 +42,6 @@
 "type": "Switches",
 "vendor": "Cisco"
 },
- "related": {
- "hosts": [
- "docker-fleet-agent"
- ]
- },
 "rsa": {
 "internal": {
 "messageid": "pam_aaa"
diff --git a/packages/cisco/docs/README.md b/packages/cisco/docs/README.md
index be665e2a1f1..20d76f46d54 100644
--- a/packages/cisco/docs/README.md
+++ b/packages/cisco/docs/README.md
@@ -171,7 +171,7 @@ An example event for `asa` looks as following:
 | cisco.asa.username | | keyword |
 | cisco.asa.webvpn.group_name | The WebVPN group name the user belongs to | keyword |
 | client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| client.domain | Client domain. | keyword |
+| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | client.ip | IP address of the client (IPv4 or IPv6). | ip |
 | client.port | Port of the client. | long |
 | client.user.name | Short name or login of the user. | keyword |
@@ -195,7 +195,7 @@ An example event for `asa` looks as following:
 | destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
 | destination.as.organization.name | Organization name. | keyword |
 | destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | Destination domain. | keyword |
+| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | destination.geo.city_name | City name. | keyword |
 | destination.geo.continent_name | Name of the continent. | keyword |
 | destination.geo.country_iso_code | Country ISO code. | keyword |
@@ -254,9 +254,9 @@ An example event for `asa` looks as following:
 | network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object |
 | network.inner.vlan.id | VLAN ID as reported by the observer. | keyword |
 | network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword |
-| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
 | observer.egress.interface.name | Interface name as reported by the system. | keyword |
 | observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword |
 | observer.hostname | Hostname of the observer. | keyword |
@@ -274,14 +274,14 @@ An example event for `asa` looks as following:
 | related.ip | All of the IPs seen on your event. | ip |
 | related.user | All the user names or other user identifiers seen on the event. | keyword |
 | server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| server.domain | Server domain. | keyword |
+| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | server.ip | IP address of the server (IPv4 or IPv6). | ip |
 | server.port | Port of the server. | long |
 | source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
 | source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
 | source.as.organization.name | Organization name. | keyword |
 | source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | Source domain. | keyword |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | source.geo.city_name | City name. | keyword |
 | source.geo.continent_name | Name of the continent. | keyword |
 | source.geo.country_iso_code | Country ISO code. | keyword |
@@ -528,7 +528,7 @@ An example event for `ftd` looks as following:
 | cisco.ftd.username | | keyword |
 | cisco.ftd.webvpn.group_name | The WebVPN group name the user belongs to | keyword |
 | client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| client.domain | Client domain. | keyword |
+| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | client.ip | IP address of the client (IPv4 or IPv6). | ip |
 | client.port | Port of the client. | long |
 | client.user.name | Short name or login of the user. | keyword |
@@ -552,7 +552,7 @@ An example event for `ftd` looks as following:
 | destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
 | destination.as.organization.name | Organization name. | keyword |
 | destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | Destination domain. | keyword |
+| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | destination.geo.city_name | City name. | keyword |
 | destination.geo.continent_name | Name of the continent. | keyword |
 | destination.geo.country_iso_code | Country ISO code. | keyword |
@@ -614,16 +614,16 @@ An example event for `ftd` looks as following:
 | log.offset | Offset of the entry in the log file. | long |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
 | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
 | network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
 | network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
 | network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
 | network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object |
 | network.inner.vlan.id | VLAN ID as reported by the observer. | keyword |
 | network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword |
-| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
 | observer.egress.interface.name | Interface name as reported by the system. | keyword |
 | observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword |
 | observer.hostname | Hostname of the observer. | keyword |
@@ -642,7 +642,7 @@ An example event for `ftd` looks as following:
 | related.ip | All of the IPs seen on your event. | ip |
 | related.user | All the user names or other user identifiers seen on the event. | keyword |
 | server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
-| server.domain | Server domain. | keyword |
+| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | server.ip | IP address of the server (IPv4 or IPv6). | ip |
 | server.port | Port of the server. | long |
 | service.id | Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. | keyword |
@@ -650,7 +650,7 @@ An example event for `ftd` looks as following:
 | source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
 | source.as.organization.name | Organization name. | keyword |
 | source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | Source domain. | keyword |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | source.geo.city_name | City name. | keyword |
 | source.geo.continent_name | Name of the continent. | keyword |
 | source.geo.country_iso_code | Country ISO code. | keyword |
@@ -869,8 +869,8 @@ An example event for `ios` looks as following:
 | network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
 | network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
 | network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
-| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
 | process.program | Process from syslog header. | keyword |
 | related.ip | All of the IPs seen on your event. | ip |
 | related.user | All the user names or other user identifiers seen on the event. | keyword |
@@ -899,14 +899,14 @@ An example event for `nexus` looks as following:
 
 ```json
 {
- "@timestamp": "2021-07-19T09:05:27.398Z",
+ "@timestamp": "2022-01-25T08:47:14.944Z",
 "agent": {
- "ephemeral_id": "9cae1736-608e-4d97-9238-c5acffac7d36",
+ "ephemeral_id": "091f3442-1209-4033-8434-e8c731c8a092",
 "hostname": "docker-fleet-agent",
- "id": "3c803d12-46a2-48a4-a206-8fd3630cc2a9",
+ "id": "0a0be70a-90aa-494d-8be3-b06a8a05e08c",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "7.14.0"
+ "version": "7.16.2"
 },
 "data_stream": {
 "dataset": "cisco.nexus",
@@ -914,30 +914,27 @@ An example event for `nexus` looks as following:
 "type": "logs"
 },
 "ecs": {
- "version": "1.10.0"
+ "version": "1.12.0"
 },
 "elastic_agent": {
- "id": "3c803d12-46a2-48a4-a206-8fd3630cc2a9",
- "snapshot": true,
- "version": "7.14.0"
+ "id": "0a0be70a-90aa-494d-8be3-b06a8a05e08c",
+ "snapshot": false,
+ "version": "7.16.2"
 },
 "event": {
 "agent_id_status": "verified",
 "code": "pam_aaa",
 "dataset": "cisco.nexus",
- "ingested": "2021-07-19T09:05:28.421638917Z",
+ "ingested": "2022-01-25T08:47:15Z",
 "original": "2012 Dec 18 14:51:08 Nexus5010-B %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user en from 2.2.2.1 - login\n",
 "timezone": "+00:00"
 },
- "host": {
- "name": "docker-fleet-agent"
- },
 "input": {
 "type": "udp"
 },
 "log": {
 "source": {
- "address": "172.23.0.4:37919"
+ "address": "172.19.0.4:54372"
 }
 },
 "observer": {
@@ -945,11 +942,6 @@ An example event for `nexus` looks as following:
 "type": "Switches",
 "vendor": "Cisco"
 },
- "related": {
- "hosts": [
- "docker-fleet-agent"
- ]
- },
 "rsa": {
 "internal": {
 "messageid": "pam_aaa"
@@ -971,7 +963,7 @@ An example event for `nexus` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| client.domain | Client domain. | keyword |
+| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
 | client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
 | client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
@@ -995,7 +987,7 @@ An example event for `nexus` looks as following:
 | destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
 | destination.as.organization.name | Organization name. | keyword |
 | destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | Destination domain. | keyword |
+| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | destination.geo.city_name | City name. | keyword |
 | destination.geo.country_name | Country name. | keyword |
 | destination.geo.location | Longitude and latitude. | geo_point |
@@ -1053,26 +1045,25 @@ An example event for `nexus` looks as following:
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword |
+| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
 | http.request.referrer | Referrer for this HTTP request. | keyword |
 | input.type | Type of Filebeat input. | keyword |
 | log.file.path | Full path to the log file this event came from. | keyword |
 | log.flags | Flags for the log file. | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.offset | Offset of the entry in the log file. | long |
-| log.original | Deprecated for removal in next major version release. This field is superseded by `event.original`. This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. | keyword |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
 | log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
 | log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
 | log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
 | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
 | network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
 | network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
 | network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
 | network.interface.name | | keyword |
 | network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
 | observer.egress.interface.name | Interface name as reported by the system. | keyword |
 | observer.ingress.interface.name | Interface name as reported by the system. | keyword |
 | observer.product | The product name of the observer. | keyword |
@@ -1081,9 +1072,9 @@ An example event for `nexus` looks as following:
 | observer.version | Observer version. | keyword |
 | process.name | Process name. Sometimes called program name or similar. | keyword |
 | process.parent.name | Process name. Sometimes called program name or similar. | keyword |
+| process.parent.pid | Process id. | long |
 | process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
 | process.pid | Process id. | long |
-| process.ppid | Parent process' pid. | long |
 | process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
 | related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
 | related.ip | All of the IPs seen on your event. | ip |
@@ -1761,7 +1752,7 @@ An example event for `nexus` looks as following:
 | rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword |
 | rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword |
 | rule.name | The name of the rule or signature generating the event. | keyword |
-| server.domain | Server domain. | keyword |
+| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
 | server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
 | server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
| keyword |
@@ -1770,7 +1761,7 @@ An example event for `nexus` looks as following:
 | source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
 | source.as.organization.name | Organization name. | keyword |
 | source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | Source domain. | keyword |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | source.geo.city_name | City name. | keyword |
 | source.geo.country_name | Country name. | keyword |
 | source.geo.location | Longitude and latitude. | geo_point |
@@ -1806,12 +1797,12 @@ An example event for `meraki` looks as following:
 {
 "@timestamp": "2016-01-29T06:09:59.000Z",
 "agent": {
- "ephemeral_id": "9b0d0418-f480-4f0b-8017-4cb9d88c01d7",
+ "ephemeral_id": "0f004ed2-0b2a-4215-8b24-e652cef37253",
 "hostname": "docker-fleet-agent",
- "id": "3c803d12-46a2-48a4-a206-8fd3630cc2a9",
+ "id": "0a0be70a-90aa-494d-8be3-b06a8a05e08c",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "7.14.0"
+ "version": "7.16.2"
 },
 "data_stream": {
 "dataset": "cisco.meraki", 
@@ -1825,31 +1816,28 @@ An example event for `meraki` looks as following:
 "port": 5293
 },
 "ecs": {
- "version": "1.10.0"
+ "version": "1.12.0"
 },
 "elastic_agent": {
- "id": "3c803d12-46a2-48a4-a206-8fd3630cc2a9",
- "snapshot": true,
- "version": "7.14.0"
+ "id": "0a0be70a-90aa-494d-8be3-b06a8a05e08c",
+ "snapshot": false,
+ "version": "7.16.2"
 },
 "event": {
 "action": "deny\n",
 "agent_id_status": "verified",
 "code": "security_event",
 "dataset": "cisco.meraki",
- "ingested": "2021-07-19T09:02:10.469724425Z",
+ "ingested": "2022-01-25T09:01:37Z",
 "original": "modtempo 1454047799.olab nto_ security_event olaborissecurity_event tur url=https://example.org/odoco/ria.jpg?ritin=uredolor#tatemac src=10.15.44.253:5078 dst=10.193.124.51:5293 mac=01:00:5e:28:ae:7d name=psa sha256=umq disposition=ntium action=deny\n",
 "timezone": "+00:00"
 },
- "host": {
- "name": "docker-fleet-agent"
- },
 "input": {
 "type": "udp"
 },
 "log": {
 "source": {
- "address": "172.23.0.4:44394"
+ "address": "172.19.0.4:59238"
 }
 },
 "observer": {
@@ -1858,9 +1846,6 @@ An example event for `meraki` looks as following:
 "vendor": "Cisco"
 },
 "related": {
- "hosts": [
- "docker-fleet-agent"
- ],
 "ip": [
 "10.193.124.51",
 "10.15.44.253" 
@@ -1907,7 +1892,7 @@ An example event for `meraki` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
-| client.domain | Client domain. | keyword |
+| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
 | client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
 | client.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
@@ -1931,7 +1916,7 @@ An example event for `meraki` looks as following:
 | destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
 | destination.as.organization.name | Organization name. | keyword |
 | destination.bytes | Bytes sent from the destination to the source. | long |
-| destination.domain | Destination domain. | keyword |
+| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | destination.geo.city_name | City name. | keyword |
 | destination.geo.country_name | Country name. | keyword |
 | destination.geo.location | Longitude and latitude. | geo_point | 
@@ -1989,26 +1974,25 @@ An example event for `meraki` looks as following:
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword |
+| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
 | http.request.referrer | Referrer for this HTTP request. | keyword |
 | input.type | Type of Filebeat input. | keyword |
 | log.file.path | Full path to the log file this event came from. | keyword |
 | log.flags | Flags for the log file. | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.offset | Offset of the entry in the log file. | long |
-| log.original | Deprecated for removal in next major version release. This field is superseded by `event.original`. This is the original log message and contains the full log message before splitting it up in multiple parts. 
In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. | keyword |
 | log.source.address | Source address from which the log event was read / sent from. | keyword |
 | log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
 | log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
 | log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
 | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
-| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. 
The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
 | network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
 | network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
 | network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
 | network.interface.name | | keyword |
 | network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
-| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. 
The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
 | observer.egress.interface.name | Interface name as reported by the system. | keyword |
 | observer.ingress.interface.name | Interface name as reported by the system. | keyword |
 | observer.product | The product name of the observer. | keyword |
@@ -2017,9 +2001,9 @@ An example event for `meraki` looks as following:
 | observer.version | Observer version. | keyword |
 | process.name | Process name. Sometimes called program name or similar. | keyword |
 | process.parent.name | Process name. Sometimes called program name or similar. | keyword |
+| process.parent.pid | Process id. | long |
 | process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
 | process.pid | Process id. | long |
-| process.ppid | Parent process' pid. | long |
 | process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
 | related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
 | related.ip | All of the IPs seen on your event. | ip | 
@@ -2697,7 +2681,7 @@ An example event for `meraki` looks as following:
 | rsa.wireless.wlan_name | This key captures either WLAN number/name | keyword |
 | rsa.wireless.wlan_ssid | This key is used to capture the ssid of a Wireless Session | keyword |
 | rule.name | The name of the rule or signature generating the event. | keyword |
-| server.domain | Server domain. | keyword |
+| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | server.registered_domain | The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
 | server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
 | server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
| keyword |
@@ -2706,7 +2690,7 @@ An example event for `meraki` looks as following:
 | source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
 | source.as.organization.name | Organization name. | keyword |
 | source.bytes | Bytes sent from the source to the destination. | long |
-| source.domain | Source domain. | keyword |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | source.geo.city_name | City name. | keyword |
 | source.geo.country_name | Country name. | keyword |
 | source.geo.location | Longitude and latitude. | geo_point |
diff --git a/packages/cisco/manifest.yml b/packages/cisco/manifest.yml
index 486f9be6ad4..02910190bd2 100644
--- a/packages/cisco/manifest.yml
+++ b/packages/cisco/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco
 title: Cisco
-version: 0.12.5
+version: 0.13.0
 license: basic
 description: Deprecated. Use a specific Cisco package instead.
 type: integration