From be585ddd136d1a27b2614b5b4bc3a1ac26165ac9 Mon Sep 17 00:00:00 2001
From: Andrew Kroh
Date: Fri, 11 Feb 2022 16:24:57 -0500
Subject: [PATCH] mimecast - Add 8.0.0 compatibility

Add 8.0.0 Elastic stack compatibility, fix the Github team name in manifest, and remove the redundant `event.ingested` from pipelines.

Closes #2679
---
 packages/mimecast/changelog.yml | 5 +
 .../test-audit-events.log-expected.json | 1355 ++++++++---------
 .../_dev/test/pipeline/test-common-config.yml | 2 -
 .../elasticsearch/ingest_pipeline/default.yml | 3 -
 .../_dev/test/pipeline/test-common-config.yml | 2 -
 .../pipeline/test-dlp-logs.log-expected.json | 230 ++-
 .../elasticsearch/ingest_pipeline/default.yml | 3 -
 .../_dev/test/pipeline/test-common-config.yml | 2 -
 .../pipeline/test-siem-logs.log-expected.json | 307 ++--
 .../elasticsearch/ingest_pipeline/default.yml | 3 -
 .../_dev/test/pipeline/test-common-config.yml | 2 -
 ...t-intel-malware-customer.log-expected.json | 287 ++--
 .../elasticsearch/ingest_pipeline/default.yml | 3 -
 .../_dev/test/pipeline/test-common-config.yml | 2 -
 ...hreat-intel-malware-grid.log-expected.json | 287 ++--
 .../elasticsearch/ingest_pipeline/default.yml | 3 -
 .../_dev/test/pipeline/test-common-config.yml | 2 -
 .../test-ttp-ap-logs.log-expected.json | 167 +-
 .../elasticsearch/ingest_pipeline/default.yml | 3 -
 .../_dev/test/pipeline/test-common-config.yml | 2 -
 .../test-ttp-ip-logs.log-expected.json | 151 +-
 .../elasticsearch/ingest_pipeline/default.yml | 3 -
 .../_dev/test/pipeline/test-common-config.yml | 2 -
 .../test-ttp-url-logs.log-expected.json | 201 ++-
 .../elasticsearch/ingest_pipeline/default.yml | 3 -
 packages/mimecast/manifest.yml | 6 +-
 26 files changed, 1468 insertions(+), 1568 deletions(-)

diff --git a/packages/mimecast/changelog.yml b/packages/mimecast/changelog.yml
index 6f5a62d3c11..eb9183e9982 100644
--- a/packages/mimecast/changelog.yml
+++ b/packages/mimecast/changelog.yml
@@ -1,3 +1,8 @@
+- version: "0.0.5"
+ changes:
+ - description: Add 8.0.0 compatibility, fix team name in manifest, and remove redundant `event.ingested` from pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2683
 - version: "0.0.4"
 changes:
 - description: Regenerate test files using the new GeoIP database
diff --git a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json
index 0e873498751..ccfa7cfc7f8 100644
--- a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json
+++ b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json
@@ -2,524 +2,514 @@ "expected": [ { "@timestamp": "2021-10-18T08:45:02.000Z", - "file": { - "name": "Threat intel multiple feeds download - malware_customer_csv_20211018094502564.zip", - "extension": "zip" - }, - "ecs": { - "version": "1.12.0" - }, - "related": { - "user": [ - "johndoe", - "johndoe@example.com" - ], - "ip": [ - "67.43.156.15" - ] - }, "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "1.12.0" + }, "event": { "action": "threat-intel-feed-download", - "ingested": "2021-12-14T14:48:19.342442297Z", - "original": "{\"auditType\":\"Threat Intel Feed Download\",\"category\":\"reporting_logs\",\"eventInfo\":\"Threat intel multiple feeds download - malware_customer_csv_20211018094502564.zip, Date: 2021-10-18, Time: 08:45:02+0000, IP: 67.43.156.15, Application: Integrations\",\"eventTime\":\"2021-10-18T08:45:02+0000\",\"id\":\"eNqrVipOTS4tSs1MUbJS8im3dA5NjAxJTPP0svD1jioo9IsINgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxpbmRhoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACCXK48\",\"user\":\"johndoe@example.com\"}", + "created": "2021-10-18T08:45:02.000Z", "id": "eNqrVipOTS4tSs1MUbJS8im3dA5NjAxJTPP0svD1jioo9IsINgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxpbmRhoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACCXK48", - "created": "2021-10-18T08:45:02.000Z" + "original": "{\"auditType\":\"Threat Intel Feed Download\",\"category\":\"reporting_logs\",\"eventInfo\":\"Threat intel multiple feeds download - malware_customer_csv_20211018094502564.zip, Date: 2021-10-18, Time: 08:45:02+0000, IP: 67.43.156.15, Application: 
Integrations\",\"eventTime\":\"2021-10-18T08:45:02+0000\",\"id\":\"eNqrVipOTS4tSs1MUbJS8im3dA5NjAxJTPP0svD1jioo9IsINgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxpbmRhoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACCXK48\",\"user\":\"johndoe@example.com\"}" }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "file": { + "extension": "zip", + "name": "Threat intel multiple feeds download - malware_customer_csv_20211018094502564.zip" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Integrations", "category": "reporting_logs", "eventInfo": "Threat intel multiple feeds download - malware_customer_csv_20211018094502564.zip, Date: 2021-10-18, Time: 08:45:02+0000, IP: 67.43.156.15, Application: Integrations" - } - }, - { - "@timestamp": "2021-10-10T22:51:57.000Z", - "file": { - "name": "Threat intel multiple feeds download - malware_grid_csv_20211010235157027.zip", - "extension": "zip" - }, - "ecs": { - "version": "1.12.0" }, "related": { - "user": [ - "johndoe", - "johndoe@example" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "johndoe", + "johndoe@example.com" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-10T22:51:57.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "1.12.0" + }, "event": { "action": "threat-intel-feed-download", - "ingested": "2021-12-14T14:48:19.342444278Z", - "original": "{\"id\": 
\"eNqrVipOTS4tSs1MUbJS8nbx8CoyTPFN9akM9K5KqnQyi8z2DgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxoaG5grKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADbWK70\",\"auditType\": \"Threat Intel Feed Download\",\"user\": \"johndoe@example\",\"eventTime\": \"2021-10-10T22:51:57+0000\",\"eventInfo\": \"Threat intel multiple feeds download - malware_grid_csv_20211010235157027.zip, Date: 2021-10-10, Time: 22:51:57+0000, IP: 67.43.156.15, Application: Azure Sentinel\",\"category\": \"reporting_logs\"}", + "created": "2021-10-10T22:51:57.000Z", "id": "eNqrVipOTS4tSs1MUbJS8nbx8CoyTPFN9akM9K5KqnQyi8z2DgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxoaG5grKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADbWK70", - "created": "2021-10-10T22:51:57.000Z" + "original": "{\"id\": \"eNqrVipOTS4tSs1MUbJS8nbx8CoyTPFN9akM9K5KqnQyi8z2DgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxoaG5grKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADbWK70\",\"auditType\": \"Threat Intel Feed Download\",\"user\": \"johndoe@example\",\"eventTime\": \"2021-10-10T22:51:57+0000\",\"eventInfo\": \"Threat intel multiple feeds download - malware_grid_csv_20211010235157027.zip, Date: 2021-10-10, Time: 22:51:57+0000, IP: 67.43.156.15, Application: Azure Sentinel\",\"category\": \"reporting_logs\"}" }, - "user": { - "name": "johndoe", - "email": "johndoe@example", - "domain": "example" + "file": { + "extension": "zip", + "name": "Threat intel multiple feeds download - malware_grid_csv_20211010235157027.zip" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Azure Sentinel", "category": "reporting_logs", "eventInfo": "Threat intel multiple feeds download - malware_grid_csv_20211010235157027.zip, Date: 2021-10-10, Time: 22:51:57+0000, IP: 67.43.156.15, Application: Azure Sentinel" - } - }, - { - "@timestamp": "2021-10-11T17:17:30.000Z", - "ecs": { - "version": "1.12.0" }, "related": { - 
"user": [ - "johndoe", - "johndoe@example.com" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "johndoe", + "johndoe@example" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example", + "email": "johndoe@example", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-11T17:17:30.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "1.12.0" + }, "event": { "action": "user-logged-on", - "ingested": "2021-12-14T14:48:19.342444686Z", - "original": "{\"id\": \"eNqrVipOTS4tSs1MUbJSivD0cisuyAirMgpxDy12dPNMMcn1zQlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhiqKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADo9K8A\",\"auditType\": \"User Logged On\",\"user\": \"johndoe@example.com\",\"eventTime\": \"2021-10-11T17:17:30+0000\",\"eventInfo\": \"Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:30 BST, IP: 67.43.156.15, Application: Administration Console, Method: Two Step Auth, 2FA: TOTP\",\"category\": \"authentication_logs\"}", + "created": "2021-10-11T07:17:30.000Z", "id": "eNqrVipOTS4tSs1MUbJSivD0cisuyAirMgpxDy12dPNMMcn1zQlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhiqKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADo9K8A", - "created": "2021-10-11T07:17:30.000Z" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "original": "{\"id\": \"eNqrVipOTS4tSs1MUbJSivD0cisuyAirMgpxDy12dPNMMcn1zQlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhiqKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADo9K8A\",\"auditType\": \"User Logged On\",\"user\": 
\"johndoe@example.com\",\"eventTime\": \"2021-10-11T17:17:30+0000\",\"eventInfo\": \"Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:30 BST, IP: 67.43.156.15, Application: Administration Console, Method: Two Step Auth, 2FA: TOTP\",\"category\": \"authentication_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Administration Console, Method: Two Step Auth, 2FA: TOTP", "category": "authentication_logs", "eventInfo": "Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:30 BST, IP: 67.43.156.15, Application: Administration Console, Method: Two Step Auth, 2FA: TOTP" - } - }, - { - "@timestamp": "2021-10-11T17:17:26.000Z", - "ecs": { - "version": "1.12.0" }, "related": { + "ip": [ + "67.43.156.15" + ], "user": [ "johndoe", "johndoe@example.com" - ], - "ip": [ - "67.43.156.15" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-11T17:17:26.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "1.12.0" + }, "event": { "action": "logon-requires-challenge", - "ingested": "2021-12-14T14:48:19.342445056Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSsos9DMJTPLyMA6NcCt2TA1OCwjLcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhsqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAC8tK60\",\"auditType\":\"Logon Requires Challenge\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T17:17:26+0000\",\"eventInfo\":\"Intermediate authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 
2021-10-11, Time: 18:17:26 BST, IP: 67.43.156.15, Application: Administration Console, Method: Office 365, 2FA: TOTP\",\"category\":\"authentication_logs\"}", + "created": "2021-10-11T07:17:26.000Z", "id": "eNqrVipOTS4tSs1MUbJSSsos9DMJTPLyMA6NcCt2TA1OCwjLcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhsqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAC8tK60", - "created": "2021-10-11T07:17:26.000Z" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSsos9DMJTPLyMA6NcCt2TA1OCwjLcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhsqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAC8tK60\",\"auditType\":\"Logon Requires Challenge\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T17:17:26+0000\",\"eventInfo\":\"Intermediate authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:26 BST, IP: 67.43.156.15, Application: Administration Console, Method: Office 365, 2FA: TOTP\",\"category\":\"authentication_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Administration Console, Method: Office 365, 2FA: TOTP", "category": "authentication_logs", "eventInfo": "Intermediate authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:26 BST, IP: 67.43.156.15, Application: Administration Console, Method: Office 365, 2FA: TOTP" - } - }, - { - "@timestamp": "2021-10-11T16:03:38.000Z", - "ecs": { - "version": "1.12.0" }, "related": { + "ip": [ + "67.43.156.15" + ], "user": [ "johndoe", "johndoe@example.com" - ], - "ip": [ - "67.43.156.15" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-11T16:03:38.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": 
"Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "1.12.0" + }, "event": { "action": "user-logged-on", - "ingested": "2021-12-14T14:48:19.342445417Z", - "original": "{ \"id\": \"eNqrVipOTS4tSs1MUbJS8o0ILw8pL_cyqQosLi-MzKjKcvMzCwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAIqvLHI\", \"auditType\": \"User Logged On\", \"user\": \"johndoe@example.com\", \"eventTime\": \"2021-10-11T16:03:38+0000\", \"eventInfo\": \"Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 17:03:38 BST, IP: 67.43.156.15, Application: Administration Console, Method: Cloud\", \"category\": \"authentication_logs\"}", + "created": "2021-10-11T06:03:38.000Z", "id": "eNqrVipOTS4tSs1MUbJS8o0ILw8pL_cyqQosLi-MzKjKcvMzCwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAIqvLHI", - "created": "2021-10-11T06:03:38.000Z" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "original": "{ \"id\": \"eNqrVipOTS4tSs1MUbJS8o0ILw8pL_cyqQosLi-MzKjKcvMzCwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAIqvLHI\", \"auditType\": \"User Logged On\", \"user\": \"johndoe@example.com\", \"eventTime\": \"2021-10-11T16:03:38+0000\", \"eventInfo\": \"Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 17:03:38 BST, IP: 67.43.156.15, Application: Administration Console, Method: Cloud\", \"category\": \"authentication_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Administration Console, Method: 
Cloud", "category": "authentication_logs", "eventInfo": "Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 17:03:38 BST, IP: 67.43.156.15, Application: Administration Console, Method: Cloud" - } - }, - { - "@timestamp": "2021-10-11T15:39:17.000Z", - "ecs": { - "version": "1.12.0" }, "related": { - "user": [ - "johdoe", - "johdoe@example.local" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "johndoe", + "johndoe@example.com" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-11T15:39:17.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "1.12.0" + }, "event": { "action": "mimecast-support-login", - "ingested": "2021-12-14T14:48:19.342445779Z", - "original": "{ \"id\": \"eNqrVipOTS4tSs1MUbJSCkg09A93r0rNi9FPynHJ9gwJzyrzT8sJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGJsaqyjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgCMPCxu\", \"auditType\": \"Mimecast Support Login\", \"user\": \"johdoe@example.local\", \"eventTime\": \"2021-10-11T15:39:17+0000\", \"eventInfo\": \"Action Performed - johdoe@example.local logged into this account. 
by johdoe@example.local\u003cjohdoe@example.local\u003e Date: 2021-10-11 Time: 16:39:17 +0100 IP: 67.43.156.15 Application: Administration Console\", \"category\": \"mimecast_access_logs\"}", + "created": "2021-10-11T16:39:17.000Z", "id": "eNqrVipOTS4tSs1MUbJSCkg09A93r0rNi9FPynHJ9gwJzyrzT8sJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGJsaqyjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgCMPCxu", - "created": "2021-10-11T16:39:17.000Z" - }, - "user": { - "name": "johdoe", - "email": "johdoe@example.local", - "domain": "example.local" + "original": "{ \"id\": \"eNqrVipOTS4tSs1MUbJSCkg09A93r0rNi9FPynHJ9gwJzyrzT8sJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGJsaqyjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgCMPCxu\", \"auditType\": \"Mimecast Support Login\", \"user\": \"johdoe@example.local\", \"eventTime\": \"2021-10-11T15:39:17+0000\", \"eventInfo\": \"Action Performed - johdoe@example.local logged into this account. by johdoe@example.local\u003cjohdoe@example.local\u003e Date: 2021-10-11 Time: 16:39:17 +0100 IP: 67.43.156.15 Application: Administration Console\", \"category\": \"mimecast_access_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Administration Console", "category": "mimecast_access_logs", "eventInfo": "Action Performed - johdoe@example.local logged into this account. 
by johdoe@example.local\u003cjohdoe@example.local\u003e Date: 2021-10-11 Time: 16:39:17 +0100 IP: 67.43.156.15 Application: Administration Console" - } - }, - { - "@timestamp": "2021-10-19T11:46:40.000Z", - "ecs": { - "version": "1.12.0" }, "related": { + "ip": [ + "67.43.156.15" + ], "user": [ "johdoe", "johdoe@example.local" - ], - "ip": [ - "67.43.156.15" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.local", + "email": "johdoe@example.local", + "name": "johdoe" + } + }, + { + "@timestamp": "2021-10-19T11:46:40.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "1.12.0" + }, "event": { "action": "mimecast-support-login", - "ingested": "2021-12-14T14:48:19.342446134Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSynStcDUudE51LQtJKc-M0TfwMjas8nQLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGliZGhgYqSjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBLJCvK\",\"auditType\":\"Mimecast Support Login\",\"user\":\"johndoe@example.local\",\"eventTime\":\"2021-10-19T11:46:40+0000\",\"eventInfo\":\"Action Performed - johdoe@example.local logged into this account. 
by johdoe@example.local\u003cjohdoe@example.local\u003e Date: 2021-10-19 Time: 12:46:40 +0100 IP: 67.43.156.15 Application: Administration Console\",\"category\":\"mimecast_access_logs\"}", + "created": "2021-10-19T12:46:40.000Z", "id": "eNqrVipOTS4tSs1MUbJSynStcDUudE51LQtJKc-M0TfwMjas8nQLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGliZGhgYqSjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBLJCvK", - "created": "2021-10-19T12:46:40.000Z" - }, - "user": { - "name": "johdoe", - "email": "johdoe@example.local", - "domain": "example.local" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSynStcDUudE51LQtJKc-M0TfwMjas8nQLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGliZGhgYqSjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBLJCvK\",\"auditType\":\"Mimecast Support Login\",\"user\":\"johndoe@example.local\",\"eventTime\":\"2021-10-19T11:46:40+0000\",\"eventInfo\":\"Action Performed - johdoe@example.local logged into this account. by johdoe@example.local\u003cjohdoe@example.local\u003e Date: 2021-10-19 Time: 12:46:40 +0100 IP: 67.43.156.15 Application: Administration Console\",\"category\":\"mimecast_access_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Administration Console", "category": "mimecast_access_logs", "eventInfo": "Action Performed - johdoe@example.local logged into this account. 
by johdoe@example.local\u003cjohdoe@example.local\u003e Date: 2021-10-19 Time: 12:46:40 +0100 IP: 67.43.156.15 Application: Administration Console" - } - }, - { - "@timestamp": "2021-10-11T15:36:01.000Z", - "ecs": { - "version": "1.12.0" }, "related": { - "user": [ - "johndoe", - "johndoe@example.com" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "johdoe", + "johdoe@example.local" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.local", + "email": "johdoe@example.local", + "name": "johdoe" + } + }, + { + "@timestamp": "2021-10-11T15:36:01.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, - "event": { - "action": "message-action", - "ingested": "2021-12-14T14:48:19.342446500Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJS0nYKziswMy_18smyMDAs9w8P8PPNNAxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxopqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAOifKw8\",\"auditType\":\"Message Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T15:36:01+0000\",\"eventInfo\":\"Viewed Message - Source: Search, 
From: \u003cJohn Done\u003e johndoe@example.com, To: \u003cjohndoe@example.com\u003e johndoe@example.com, Subject: Test on Tues 28th Sept, Processed: 2021-09-28 07:59:23+0000, Viewed Content: True, Date: 2021-10-11, Time: 15:36:01+0000, IP: 67.43.156.15, Application: mimecast-case-review\",\"category\":\"case_review_logs\"}", - "id": "eNqrVipOTS4tSs1MUbJS0nYKziswMy_18smyMDAs9w8P8PPNNAxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxopqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAOifKw8", - "created": "2021-10-11T15:36:01.000Z" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "ecs": { + "version": "1.12.0" }, "email": { - "origination_timestamp": "2021-09-28 07:59:23+0000", "from": { "address": "johndoe@example.com" }, + "origination_timestamp": "2021-09-28 07:59:23+0000", + "subject": "Test on Tues 28th Sept", "to": { "address": "johndoe@example.com" - }, - "subject": "Test on Tues 28th Sept" + } + }, + "event": { + "action": "message-action", + "created": "2021-10-11T15:36:01.000Z", + "id": "eNqrVipOTS4tSs1MUbJS0nYKziswMy_18smyMDAs9w8P8PPNNAxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxopqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAOifKw8", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJS0nYKziswMy_18smyMDAs9w8P8PPNNAxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxopqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAOifKw8\",\"auditType\":\"Message Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T15:36:01+0000\",\"eventInfo\":\"Viewed Message - Source: Search, 
From: \u003cJohn Done\u003e johndoe@example.com, To: \u003cjohndoe@example.com\u003e johndoe@example.com, Subject: Test on Tues 28th Sept, Processed: 2021-09-28 07:59:23+0000, Viewed Content: True, Date: 2021-10-11, Time: 15:36:01+0000, IP: 67.43.156.15, Application: mimecast-case-review\",\"category\":\"case_review_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { - "name": {}, - "eventInfo": "Viewed Message - Source: Search, From: \u003cJohn Done\u003e johndoe@example.com, To: \u003cjohndoe@example.com\u003e johndoe@example.com, Subject: Test on Tues 28th Sept, Processed: 2021-09-28 07:59:23+0000, Viewed Content: True, Date: 2021-10-11, Time: 15:36:01+0000, IP: 67.43.156.15, Application: mimecast-case-review", "application": "mimecast-case-review", - "category": "case_review_logs" - } - }, - { - "@timestamp": "2021-10-11T15:35:53.000Z", - "ecs": { - "version": "1.12.0" + "category": "case_review_logs", + "eventInfo": "Viewed Message - Source: Search, 
From: \u003cJohn Done\u003e johndoe@example.com, To: \u003cjohndoe@example.com\u003e johndoe@example.com, Subject: Test on Tues 28th Sept, Processed: 2021-09-28 07:59:23+0000, Viewed Content: True, Date: 2021-10-11, Time: 15:36:01+0000, IP: 67.43.156.15, Application: mimecast-case-review", + "name": {} }, "related": { + "ip": [ + "67.43.156.15" + ], "user": [ "johndoe", "johndoe@example.com" - ], - "ip": [ - "67.43.156.15" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-11T15:35:53.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "1.12.0" + }, "event": { "action": "search-action", - "ingested": "2021-12-14T14:48:19.342446860Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJS0i5MNHQtiqoo9Q53S0yu8sov8AszyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAFqzLAw\",\"auditType\":\"Search Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T15:35:53+0000\",\"eventInfo\":\"Executed Search - Source: Search, Search Criteria: {\\\"keywords\\\":\\\"test\\\",\\\"mailboxes\\\":[\\\"johndoe@example.com\\\"],\\\"route\\\":\\\"ALL\\\",\\\"start\\\":\\\"2021-04-11T16:34:45+0100\\\",\\\"end\\\":\\\"2021-10-11T16:34:45+0100\\\"}, Date: 2021-10-11, Time: 15:35:53+0000, IP: 67.43.156.15, Application: mimecast-case-review\",\"category\":\"case_review_logs\"}", + "created": "2021-10-11T15:35:53.000Z", "id": 
"eNqrVipOTS4tSs1MUbJS0i5MNHQtiqoo9Q53S0yu8sov8AszyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAFqzLAw", - "created": "2021-10-11T15:35:53.000Z" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJS0i5MNHQtiqoo9Q53S0yu8sov8AszyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAFqzLAw\",\"auditType\":\"Search Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T15:35:53+0000\",\"eventInfo\":\"Executed Search - Source: Search, Search Criteria: {\\\"keywords\\\":\\\"test\\\",\\\"mailboxes\\\":[\\\"johndoe@example.com\\\"],\\\"route\\\":\\\"ALL\\\",\\\"start\\\":\\\"2021-04-11T16:34:45+0100\\\",\\\"end\\\":\\\"2021-10-11T16:34:45+0100\\\"}, Date: 2021-10-11, Time: 15:35:53+0000, IP: 67.43.156.15, Application: mimecast-case-review\",\"category\":\"case_review_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "mimecast-case-review", "category": "case_review_logs", "eventInfo": "Executed Search - Source: Search, Search Criteria: {\"keywords\":\"test\",\"mailboxes\":[\"johndoe@example.com\"],\"route\":\"ALL\",\"start\":\"2021-04-11T16:34:45+0100\",\"end\":\"2021-10-11T16:34:45+0100\"}, Date: 2021-10-11, Time: 15:35:53+0000, IP: 67.43.156.15, Application: mimecast-case-review" - } - }, - { - "@timestamp": "2021-10-11T14:46:10.000Z", - "ecs": { - "version": "1.12.0" }, "related": { + "ip": [ + "67.43.156.15" + ], "user": [ "johndoe", "johndoe@example.com" - ], - "ip": [ - "67.43.156.15" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-11T14:46:10.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + 
"country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "1.12.0" + }, "event": { "action": "logon-authentication-failed", - "ingested": "2021-12-14T14:48:19.342447313Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMk9PdXYMzywJrLLMzdT2TfVN8S8zNgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbGFmoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACyMK6M\",\"auditType\":\"Logon Authentication Failed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T14:46:10+0000\",\"eventInfo\":\"Creating the auditLog entry for failed authentication, emailAddress :com.example.sdk.address.Address@4a3bcd11[accountCode=ABC123,accountId=75,internal=false,emailAddress=johndoe@gmail.com,domainName=gmail.com,name=johndoe@gmail.com,aliasFor=0,type=0,journalService=false,id=275078533,aliases={},alternateAddresses={},alternateAliases={}] remote IP : 67.43.156.15 application : LFS\",\"category\":\"authentication_logs\"}", - "id": "eNqrVipOTS4tSs1MUbJSMk9PdXYMzywJrLLMzdT2TfVN8S8zNgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbGFmoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACyMK6M" + "id": "eNqrVipOTS4tSs1MUbJSMk9PdXYMzywJrLLMzdT2TfVN8S8zNgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbGFmoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACyMK6M", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMk9PdXYMzywJrLLMzdT2TfVN8S8zNgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbGFmoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACyMK6M\",\"auditType\":\"Logon Authentication Failed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T14:46:10+0000\",\"eventInfo\":\"Creating the auditLog entry for failed authentication, emailAddress 
:com.example.sdk.address.Address@4a3bcd11[accountCode=ABC123,accountId=75,internal=false,emailAddress=johndoe@gmail.com,domainName=gmail.com,name=johndoe@gmail.com,aliasFor=0,type=0,journalService=false,id=275078533,aliases={},alternateAddresses={},alternateAliases={}] remote IP : 67.43.156.15 application : LFS\",\"category\":\"authentication_logs\"}" }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" - }, - "tags": [ - "preserve_original_event" - ], "mimecast": { - "eventInfo": "Creating the auditLog entry for failed authentication, emailAddress :com.example.sdk.address.Address@4a3bcd11[accountCode=ABC123,accountId=75,internal=false,emailAddress=johndoe@gmail.com,domainName=gmail.com,name=johndoe@gmail.com,aliasFor=0,type=0,journalService=false,id=275078533,aliases={},alternateAddresses={},alternateAliases={}] remote IP : 67.43.156.15 application : LFS", "application": "LFS", "category": "authentication_logs", "email": { - "metadata": "accountCode=ABC123,accountId=75,internal=false,emailAddress=johndoe@gmail.com,domainName=gmail.com,name=johndoe@gmail.com,aliasFor=0,type=0,journalService=false,id=275078533,aliases={},alternateAddresses={},alternateAliases={}", - "address": "com.example.sdk.address.Address@4a3bcd11" - } + "address": "com.example.sdk.address.Address@4a3bcd11", + "metadata": "accountCode=ABC123,accountId=75,internal=false,emailAddress=johndoe@gmail.com,domainName=gmail.com,name=johndoe@gmail.com,aliasFor=0,type=0,journalService=false,id=275078533,aliases={},alternateAddresses={},alternateAliases={}" + }, + "eventInfo": "Creating the auditLog entry for failed authentication, emailAddress :com.example.sdk.address.Address@4a3bcd11[accountCode=ABC123,accountId=75,internal=false,emailAddress=johndoe@gmail.com,domainName=gmail.com,name=johndoe@gmail.com,aliasFor=0,type=0,journalService=false,id=275078533,aliases={},alternateAddresses={},alternateAliases={}] remote IP : 67.43.156.15 application : LFS" + }, + 
"related": { + "ip": [ + "67.43.156.15" + ], + "user": [ + "johndoe", + "johndoe@example.com" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" } }, { 
@@ -527,379 +517,371 @@ "ecs": { "version": "1.12.0" }, + "event": { + "action": "completed-directory-sync", + "id": "eNqrVipOTS4tSs1MUbJSKnU29DVI9XJJMs6wMC9LqnAMccoxcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkZGZqoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPQMKys", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSKnU29DVI9XJJMs6wMC9LqnAMccoxcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkZGZqoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPQMKys\",\"auditType\":\"Completed Directory Sync\",\"user\":\"\",\"eventTime\":\"2021-10-11T13:21:06+0000\",\"eventInfo\":\"No changes found.\",\"category\":\"account_logs\"}" + }, + "mimecast": { + "category": "account_logs", + "eventInfo": "No changes found." + }, "related": { "user": [ "" ] }, - "event": { - "action": "completed-directory-sync", - "ingested": "2021-12-14T14:48:19.342447674Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSKnU29DVI9XJJMs6wMC9LqnAMccoxcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkZGZqoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPQMKys\",\"auditType\":\"Completed Directory Sync\",\"user\":\"\",\"eventTime\":\"2021-10-11T13:21:06+0000\",\"eventInfo\":\"No changes found.\",\"category\":\"account_logs\"}", - "id": "eNqrVipOTS4tSs1MUbJSKnU29DVI9XJJMs6wMC9LqnAMccoxcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkZGZqoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPQMKys" - }, - "user": { - "email": "" - }, "tags": [ "preserve_original_event" ], - "mimecast": { - "category": "account_logs", - "eventInfo": "No changes found." 
+ "user": { + "email": "" } }, { "@timestamp": "2021-10-12T09:19:53.000Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "user": [ - "johndoe", - "johndoe@example.com" - ], - "ip": [ - "67.43.156.15" - ] - }, "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "1.12.0" + }, "event": { "action": "case-action", - "ingested": "2021-12-14T14:48:19.342448171Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSiwLM8srLCvJzg8s8HbydCpz0Y6oCAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaG5ooKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAHTYLDo\",\"auditType\":\"Case Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T09:19:53+0000\",\"eventInfo\":\"Viewed Case - Case: Class Action, Date: 2021-10-12, Time: 09:19:53+0000, IP: 67.43.156.15, Application: mimecast-case-review\",\"category\":\"case_review_logs\"}", + "created": "2021-10-12T09:19:53.000Z", "id": "eNqrVipOTS4tSs1MUbJSSiwLM8srLCvJzg8s8HbydCpz0Y6oCAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaG5ooKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAHTYLDo", - "created": "2021-10-12T09:19:53.000Z" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSiwLM8srLCvJzg8s8HbydCpz0Y6oCAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaG5ooKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAHTYLDo\",\"auditType\":\"Case Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T09:19:53+0000\",\"eventInfo\":\"Viewed Case - Case: Class Action, Date: 2021-10-12, Time: 09:19:53+0000, IP: 67.43.156.15, Application: mimecast-case-review\",\"category\":\"case_review_logs\"}" }, - "user": { - "name": "johndoe", - "email": 
"johndoe@example.com", - "domain": "example.com" - }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "mimecast-case-review", "category": "case_review_logs", "eventInfo": "Viewed Case - Case: Class Action, Date: 2021-10-12, Time: 09:19:53+0000, IP: 67.43.156.15, Application: mimecast-case-review" - } - }, - { - "@timestamp": "2021-10-12T08:47:55.000Z", - "ecs": { - "version": "1.12.0" }, "related": { + "ip": [ + "67.43.156.15" + ], "user": [ "johndoe", "johndoe@example.com" - ], - "ip": [ - "67.43.156.15" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-12T08:47:55.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "1.12.0" + }, "event": { - "reason": "Reason: Wrong password", "action": "logon-authentication-failed", - "ingested": "2021-12-14T14:48:19.342448528Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg\",\"auditType\":\"Logon Authentication Failed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T08:47:55+0000\",\"eventInfo\":\"Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-12, Time: 09:47:55 BST, IP: 67.43.156.15, Application: mimecast-moa, Method: Office 365, Reason: Wrong password\",\"category\":\"authentication_logs\"}", + "created": "2021-10-11T22:47:55.000Z", "id": 
"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg", - "created": "2021-10-11T22:47:55.000Z" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg\",\"auditType\":\"Logon Authentication Failed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T08:47:55+0000\",\"eventInfo\":\"Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-12, Time: 09:47:55 BST, IP: 67.43.156.15, Application: mimecast-moa, Method: Office 365, Reason: Wrong password\",\"category\":\"authentication_logs\"}", + "reason": "Reason: Wrong password" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "mimecast-moa", "category": "authentication_logs", "eventInfo": "Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-12, Time: 09:47:55 BST, IP: 67.43.156.15, Application: mimecast-moa, Method: Office 365, Reason: Wrong password" - } - }, - { - "@timestamp": "2021-10-12T08:47:54.000Z", - "ecs": { - "version": "1.12.0" }, "related": { - "user": [ - "johdoe", - "johdoe@example.com" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "johndoe", + "johndoe@example.com" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-12T08:47:54.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + 
"lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "1.12.0" + }, "event": { "action": "existing-archive-task-changed", - "ingested": "2021-12-14T14:48:19.342448913Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSnJMinKNMMtyDg3xKw2rDM91DC-JdAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRooaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAEQYK9w\",\"auditType\":\"Existing Archive Task Changed\",\"user\":\"johdoe@example.com\",\"eventTime\":\"2021-10-12T08:47:54+0000\",\"eventInfo\":\"Successfully updated 3 'Sync and Recover' tasks associated with legacy connection (\\\"365\\\") to new migrated connector (\\\"Sync and Recover - 365\\\"), Date: 2021-10-12, Time: 08:47:54+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"archive_service_logs\"}", + "created": "2021-10-12T08:47:54.000Z", "id": "eNqrVipOTS4tSs1MUbJSSnJMinKNMMtyDg3xKw2rDM91DC-JdAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRooaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAEQYK9w", - "created": "2021-10-12T08:47:54.000Z" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSnJMinKNMMtyDg3xKw2rDM91DC-JdAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRooaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAEQYK9w\",\"auditType\":\"Existing Archive Task Changed\",\"user\":\"johdoe@example.com\",\"eventTime\":\"2021-10-12T08:47:54+0000\",\"eventInfo\":\"Successfully updated 3 'Sync and Recover' tasks associated with legacy connection (\\\"365\\\") to new migrated connector (\\\"Sync and Recover - 365\\\"), Date: 2021-10-12, Time: 08:47:54+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"archive_service_logs\"}" }, - "user": { - "name": "johdoe", - "email": "johdoe@example.com", - "domain": "example.com" - }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Administration Console", "category": "archive_service_logs", 
"eventInfo": "Successfully updated 3 'Sync and Recover' tasks associated with legacy connection (\"365\") to new migrated connector (\"Sync and Recover - 365\"), Date: 2021-10-12, Time: 08:47:54+0000, IP: 67.43.156.15, Application: Administration Console" - } - }, - { - "@timestamp": "2021-10-12T08:47:53.000Z", - "ecs": { - "version": "1.12.0" }, "related": { - "user": [ - "johndoe", - "johndoe@example.com" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "johdoe", + "johdoe@example.com" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johdoe@example.com", + "name": "johdoe" + } + }, + { + "@timestamp": "2021-10-12T08:47:53.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "1.12.0" + }, "event": { "action": "connectors-management", - "ingested": "2021-12-14T14:48:19.342449302Z", - "original": "{\"id\":\"eNoVzc0KgkAUQOF3uVsFuZma7qQ0UqiFqChuZH7M0iZmHMOid8_2h-98QDGiJespBDBgYwn-4orcHMrr_JqUWdjFBb8YThbF5bE6le_ardLGitJqnHF39w7YGuLsL5g8l7wAE1pN-2kQ3V-00bdt3KBrAtFqEiOTRFC2rvZbN_ScNZ-ZVL14QIDfH41XLGM\",\"auditType\":\"Connectors Management\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T08:47:53+0000\",\"eventInfo\":\"Connector creation for Microsoft O365\\nName: Sync and Recover - 365, Description: null, Product: Sync and Recover, App (provider): Microsoft O365\\nSuccess: true, Date: 2021-10-12, Time: 08:47:53+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"integrations_and_apis\"}", + "created": "2021-10-12T08:47:53.000Z", "id": 
"eNoVzc0KgkAUQOF3uVsFuZma7qQ0UqiFqChuZH7M0iZmHMOid8_2h-98QDGiJespBDBgYwn-4orcHMrr_JqUWdjFBb8YThbF5bE6le_ardLGitJqnHF39w7YGuLsL5g8l7wAE1pN-2kQ3V-00bdt3KBrAtFqEiOTRFC2rvZbN_ScNZ-ZVL14QIDfH41XLGM", - "created": "2021-10-12T08:47:53.000Z" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "original": "{\"id\":\"eNoVzc0KgkAUQOF3uVsFuZma7qQ0UqiFqChuZH7M0iZmHMOid8_2h-98QDGiJespBDBgYwn-4orcHMrr_JqUWdjFBb8YThbF5bE6le_ardLGitJqnHF39w7YGuLsL5g8l7wAE1pN-2kQ3V-00bdt3KBrAtFqEiOTRFC2rvZbN_ScNZ-ZVL14QIDfH41XLGM\",\"auditType\":\"Connectors Management\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T08:47:53+0000\",\"eventInfo\":\"Connector creation for Microsoft O365\\nName: Sync and Recover - 365, Description: null, Product: Sync and Recover, App (provider): Microsoft O365\\nSuccess: true, Date: 2021-10-12, Time: 08:47:53+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"integrations_and_apis\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Administration Console", "category": "integrations_and_apis", "eventInfo": "Connector creation for Microsoft O365\nName: Sync and Recover - 365, Description: null, Product: Sync and Recover, App (provider): Microsoft O365\nSuccess: true, Date: 2021-10-12, Time: 08:47:53+0000, IP: 67.43.156.15, Application: Administration Console" - } - }, - { - "@timestamp": "2021-10-12T02:27:18.000Z", - "file": { - "size": 6864, - "name": "export_at_watchlist_view_1634005638160.xlsx", - "extension": ".xlsx" - }, - "ecs": { - "version": "1.12.0" }, "related": { - "user": [ - "johdoe", - "johdoe@example.com" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "johndoe", + "johndoe@example.com" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-12T02:27:18.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { 
"continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "1.12.0" + }, "event": { "action": "page-data-exports", - "ingested": "2021-12-14T14:48:19.342449695Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSynAJ8yuoyA4z9ygMNyv21C42MC9IDwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbmFhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADk2K8U\",\"auditType\":\"Page Data Exports\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T02:27:18+0000\",\"eventInfo\":\"[Export type : Download,Name :watchlist_view,Requested By :johdoe@example.com,Export time :Tue Oct 12 03:27:18 BST 2021,IP Address :67.43.156.15,Columns exported :Name|Email|Department|Number of Videos|,File name : export_at_watchlist_view_1634005638160.xlsx,File Size: 6864,File type : .xlsx], Date: 2021-10-12, Time: 02:27:18+0000, IP: 67.43.156.15, Application: mimecast-matfe\",\"category\":\"account_logs\"}", + "created": "2021-10-12T02:27:18.000Z", "id": "eNqrVipOTS4tSs1MUbJSynAJ8yuoyA4z9ygMNyv21C42MC9IDwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbmFhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADk2K8U", - "created": "2021-10-12T02:27:18.000Z" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSynAJ8yuoyA4z9ygMNyv21C42MC9IDwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbmFhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADk2K8U\",\"auditType\":\"Page Data Exports\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T02:27:18+0000\",\"eventInfo\":\"[Export type : Download,Name :watchlist_view,Requested By :johdoe@example.com,Export time :Tue Oct 12 03:27:18 BST 2021,IP Address :67.43.156.15,Columns exported :Name|Email|Department|Number of Videos|,File name : 
export_at_watchlist_view_1634005638160.xlsx,File Size: 6864,File type : .xlsx], Date: 2021-10-12, Time: 02:27:18+0000, IP: 67.43.156.15, Application: mimecast-matfe\",\"category\":\"account_logs\"}" }, - "user": { - "name": "johdoe", - "email": "johdoe@example.com", - "domain": "example.com" + "file": { + "extension": ".xlsx", + "name": "export_at_watchlist_view_1634005638160.xlsx", + "size": 6864 }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "mimecast-matfe", "category": "account_logs", "eventInfo": "[Export type : Download,Name :watchlist_view,Requested By :johdoe@example.com,Export time :Tue Oct 12 03:27:18 BST 2021,IP Address :67.43.156.15,Columns exported :Name|Email|Department|Number of Videos|,File name : export_at_watchlist_view_1634005638160.xlsx,File Size: 6864,File type : .xlsx], Date: 2021-10-12, Time: 02:27:18+0000, IP: 67.43.156.15, Application: mimecast-matfe" - } - }, - { - "@timestamp": "2021-10-11T19:53:41.000Z", - "ecs": { - "version": "1.12.0" }, "related": { - "user": [ - "johndoe", - "johndoe@example.local" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "johdoe", + "johdoe@example.com" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johdoe@example.com", + "name": "johdoe" + } + }, + { + "@timestamp": "2021-10-11T19:53:41.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "1.12.0" + }, "event": { "action": "custom-report-definition-created", - "ingested": "2021-12-14T14:48:19.342450168Z", - "original": 
"{\"id\":\"eNqrVipOTS4tSs1MUbJSMi8zSc3J8M4Od_NwjdHPMDYzdfGO8MkJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGppaKajlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAmqSuF\",\"auditType\":\"Custom Report Definition Created\",\"user\":\"johndoe@example.local\",\"eventTime\":\"2021-10-11T19:53:41+0000\",\"eventInfo\":\"Action Performed - Custom Report Definition Created with name \\\"Terri test\\\" and description \\\"all user - per email report\\\" by johndoe@example.local\u003cjohndoe@example.local\u003e Date: 2021-10-11 Time: 20:53:41 +0100 IP: 67.43.156.15 Application: Administration Console\",\"category\":\"reporting_logs\"}", + "created": "2021-10-11T20:53:41.000Z", "id": "eNqrVipOTS4tSs1MUbJSMi8zSc3J8M4Od_NwjdHPMDYzdfGO8MkJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGppaKajlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAmqSuF", - "created": "2021-10-11T20:53:41.000Z" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMi8zSc3J8M4Od_NwjdHPMDYzdfGO8MkJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGppaKajlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAmqSuF\",\"auditType\":\"Custom Report Definition Created\",\"user\":\"johndoe@example.local\",\"eventTime\":\"2021-10-11T19:53:41+0000\",\"eventInfo\":\"Action Performed - Custom Report Definition Created with name \\\"Terri test\\\" and description \\\"all user - per email report\\\" by johndoe@example.local\u003cjohndoe@example.local\u003e Date: 2021-10-11 Time: 20:53:41 +0100 IP: 67.43.156.15 Application: Administration Console\",\"category\":\"reporting_logs\"}" }, - "user": { - "name": "johndoe", - "email": "johndoe@example.local", - "domain": "example.local" - }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Administration Console", "category": "reporting_logs", "eventInfo": "Action Performed - Custom Report Definition Created with name \"Terri test\" and description \"all user - per 
email report\" by johndoe@example.local\u003cjohndoe@example.local\u003e Date: 2021-10-11 Time: 20:53:41 +0100 IP: 67.43.156.15 Application: Administration Console" - } - }, - { - "@timestamp": "2021-10-11T18:23:10.000Z", - "ecs": { - "version": "1.12.0" }, "related": { - "user": [ - "John Doe" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "johndoe", + "johndoe@example.local" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.local", + "email": "johndoe@example.local", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-11T18:23:10.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "1.12.0" + }, "event": { "action": "folder-log-entry", - "ingested": "2021-12-14T14:48:19.342450570Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSCij080lzDChMMjXw8o3IjnCLDIrRT8wJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGpiYaqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBNvCvh\",\"auditType\":\"Folder Log Entry\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T18:23:10+0000\",\"eventInfo\":\"Action Performed - Deleted New Folder by johndoe@example.com\u003cJohn Doe\u003e Date: 2021-10-11 Time: 19:23:10 +0100 IP: 67.43.156.15 Application: Administration Console\",\"category\":\"profile_group_logs\"}", + "created": "2021-10-11T19:23:10.000Z", "id": "eNqrVipOTS4tSs1MUbJSCij080lzDChMMjXw8o3IjnCLDIrRT8wJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGpiYaqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBNvCvh", - "created": "2021-10-11T19:23:10.000Z" + "original": 
"{\"id\":\"eNqrVipOTS4tSs1MUbJSCij080lzDChMMjXw8o3IjnCLDIrRT8wJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGpiYaqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBNvCvh\",\"auditType\":\"Folder Log Entry\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T18:23:10+0000\",\"eventInfo\":\"Action Performed - Deleted New Folder by johndoe@example.com\u003cJohn Doe\u003e Date: 2021-10-11 Time: 19:23:10 +0100 IP: 67.43.156.15 Application: Administration Console\",\"category\":\"profile_group_logs\"}" }, - "user": { - "email": "John Doe" + "mimecast": { + "application": "Administration Console", + "category": "profile_group_logs", + "eventInfo": "Action Performed - Deleted New Folder by johndoe@example.com\u003cJohn Doe\u003e Date: 2021-10-11 Time: 19:23:10 +0100 IP: 67.43.156.15 Application: Administration Console" + }, + "related": { + "ip": [ + "67.43.156.15" + ], + "user": [ + "John Doe" + ] }, "tags": [ "preserve_original_event" ], - "mimecast": { - "application": "Administration Console", - "category": "profile_group_logs", - "eventInfo": "Action Performed - Deleted New Folder by johndoe@example.com\u003cJohn Doe\u003e Date: 2021-10-11 Time: 19:23:10 +0100 IP: 67.43.156.15 Application: Administration Console" + "user": { + "email": "John Doe" } }, { 
@@ -907,331 +889,324 @@ "ecs": { "version": "1.12.0" }, - "related": { - "user": [ - "johndoe", - "johndoe@example.com" - ] - }, "event": { "action": "user-password-changed", - "ingested": "2021-12-14T14:48:19.342450983Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSCtF28jc2DDLwd_d1NM7ULnLzdnPzdwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiCAQ6SsmlxSX5ualFyfkpqUCbnE3MHM1NgcrLUouKM_PzlKwMawGTZipR\",\"auditType\":\"User Password Changed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T19:56:55+0000\",\"eventInfo\":\"Password reset for user: johndoe@example.com User Password Changed, Remote IP is null\",\"category\":\"user_account_and_role_logs\"}", - "id": "eNqrVipOTS4tSs1MUbJSCtF28jc2DDLwd_d1NM7ULnLzdnPzdwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiCAQ6SsmlxSX5ualFyfkpqUCbnE3MHM1NgcrLUouKM_PzlKwMawGTZipR" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "id": "eNqrVipOTS4tSs1MUbJSCtF28jc2DDLwd_d1NM7ULnLzdnPzdwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiCAQ6SsmlxSX5ualFyfkpqUCbnE3MHM1NgcrLUouKM_PzlKwMawGTZipR", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSCtF28jc2DDLwd_d1NM7ULnLzdnPzdwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiCAQ6SsmlxSX5ualFyfkpqUCbnE3MHM1NgcrLUouKM_PzlKwMawGTZipR\",\"auditType\":\"User Password Changed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T19:56:55+0000\",\"eventInfo\":\"Password reset for user: johndoe@example.com User Password Changed, Remote IP is null\",\"category\":\"user_account_and_role_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "category": "user_account_and_role_logs", "eventInfo": "Password reset for user: johndoe@example.com User Password Changed, Remote IP is null" - } - }, - { - "@timestamp": "2021-10-12T19:49:30.000Z", - "ecs": { - "version": "1.12.0" }, "related": { 
"user": [ "johndoe", "johndoe@example.com" - ], - "ip": [ - "67.43.156.15" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-12T19:49:30.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "1.12.0" + }, "event": { "action": "remediation-incident-adjustment", - "ingested": "2021-12-14T14:48:19.342451340Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSgwpLctzzah00TbMTTawdC4NDPAzzwlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiaGBhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADOfK6w\",\"auditType\":\"Remediation Incident Adjustment\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T19:49:30+0000\",\"eventInfo\":\"Remediation Incident Created - TR-C46A75-01420-M, type : manual, search criteria : {\\\"fileHash\\\":\\\"9e6011844705292d5abfe0aa38d8aff02f6d8f69689c2e7cb2338f9484774bb3\\\",\\\"start\\\":\\\"2021-09-12T19:48:59+0000\\\",\\\"end\\\":\\\"2021-10-12T19:48:59+0000\\\"}, Date: 2021-10-12, Time: 19:49:30+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"account_logs\"}", + "created": "2021-10-12T19:49:30.000Z", "id": "eNqrVipOTS4tSs1MUbJSSgwpLctzzah00TbMTTawdC4NDPAzzwlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiaGBhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADOfK6w", - "type": "type : manual", - "created": "2021-10-12T19:49:30.000Z" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "original": 
"{\"id\":\"eNqrVipOTS4tSs1MUbJSSgwpLctzzah00TbMTTawdC4NDPAzzwlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiaGBhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADOfK6w\",\"auditType\":\"Remediation Incident Adjustment\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T19:49:30+0000\",\"eventInfo\":\"Remediation Incident Created - TR-C46A75-01420-M, type : manual, search criteria : {\\\"fileHash\\\":\\\"9e6011844705292d5abfe0aa38d8aff02f6d8f69689c2e7cb2338f9484774bb3\\\",\\\"start\\\":\\\"2021-09-12T19:48:59+0000\\\",\\\"end\\\":\\\"2021-10-12T19:48:59+0000\\\"}, Date: 2021-10-12, Time: 19:49:30+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"account_logs\"}", + "type": "type : manual" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Administration Console", "category": "account_logs", "eventInfo": "Remediation Incident Created - TR-C46A75-01420-M, type : manual, search criteria : {\"fileHash\":\"9e6011844705292d5abfe0aa38d8aff02f6d8f69689c2e7cb2338f9484774bb3\",\"start\":\"2021-09-12T19:48:59+0000\",\"end\":\"2021-10-12T19:48:59+0000\"}, Date: 2021-10-12, Time: 19:49:30+0000, IP: 67.43.156.15, Application: Administration Console" - } - }, - { - "@timestamp": "2021-10-12T19:20:01.000Z", - "ecs": { - "version": "1.12.0" }, "related": { + "ip": [ + "67.43.156.15" + ], "user": [ "johndoe", "johndoe@example.com" - ], - "ip": [ - "67.43.156.15" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-12T19:20:01.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "1.12.0" 
+ }, "event": { "action": "archive-mailbox-restore", - "ingested": "2021-12-14T14:48:19.342451694Z", - "original": "{\"id\":\"eNoVzdEKgjAYQOF3-W8Vaps69S7KooSEJGXSzdAVMtdi04FF757dH77zASvayYi-gxQIcbI0HEtcRI5aRS7SxkN1L7ywzPb1gR3rdxOx_LbKcqYciiXdIe7pczKj02u-VuADn7p-HPTjDxKUkGCdUOxDO9lRK2Fa3YnltA2iDQ2X3Alje_2EFH1_LYQrrw\",\"auditType\":\"Archive Mailbox Restore\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T19:20:01+0000\",\"eventInfo\":\"Archive mailbox restore created. Restored data from johdoe@example.com to johndoe@example.com by johndoe@example.com, Date: 2021-10-12, Time: 19:20:01+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"archive_service_logs\"}", + "created": "2021-10-12T19:20:01.000Z", "id": "eNoVzdEKgjAYQOF3-W8Vaps69S7KooSEJGXSzdAVMtdi04FF757dH77zASvayYi-gxQIcbI0HEtcRI5aRS7SxkN1L7ywzPb1gR3rdxOx_LbKcqYciiXdIe7pczKj02u-VuADn7p-HPTjDxKUkGCdUOxDO9lRK2Fa3YnltA2iDQ2X3Alje_2EFH1_LYQrrw", - "created": "2021-10-12T19:20:01.000Z" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "original": "{\"id\":\"eNoVzdEKgjAYQOF3-W8Vaps69S7KooSEJGXSzdAVMtdi04FF757dH77zASvayYi-gxQIcbI0HEtcRI5aRS7SxkN1L7ywzPb1gR3rdxOx_LbKcqYciiXdIe7pczKj02u-VuADn7p-HPTjDxKUkGCdUOxDO9lRK2Fa3YnltA2iDQ2X3Alje_2EFH1_LYQrrw\",\"auditType\":\"Archive Mailbox Restore\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T19:20:01+0000\",\"eventInfo\":\"Archive mailbox restore created. Restored data from johdoe@example.com to johndoe@example.com by johndoe@example.com, Date: 2021-10-12, Time: 19:20:01+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"archive_service_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Administration Console", "category": "archive_service_logs", "eventInfo": "Archive mailbox restore created. 
Restored data from johdoe@example.com to johndoe@example.com by johndoe@example.com, Date: 2021-10-12, Time: 19:20:01+0000, IP: 67.43.156.15, Application: Administration Console" - } - }, - { - "@timestamp": "2021-10-12T18:19:33.000Z", - "ecs": { - "version": "1.12.0" }, "related": { - "user": [ - "johndoejr", - "johndoejr@example.com" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "johndoe", + "johndoe@example.com" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-12T18:19:33.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "1.12.0" + }, "event": { "action": "archive-mailbox-restore", - "ingested": "2021-12-14T14:48:19.342452056Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSigzJC_ZNzg-vcjYKcwz3icotC0nVdgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYG5kqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAD-SK84\",\"auditType\":\"Archive Mailbox Restore\",\"user\":\"johndoejr@example.com\",\"eventTime\":\"2021-10-12T18:19:33+0000\",\"eventInfo\":\"Archive mailbox restore created. 
Restored data from johndoe@example.com to johndoejr@example.com by johndoejr@example.com, Date: 2021-10-12, Time: 18:19:33+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"archive_service_logs\"}", + "created": "2021-10-12T18:19:33.000Z", "id": "eNqrVipOTS4tSs1MUbJSigzJC_ZNzg-vcjYKcwz3icotC0nVdgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYG5kqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAD-SK84", - "created": "2021-10-12T18:19:33.000Z" - }, - "user": { - "name": "johndoejr", - "email": "johndoejr@example.com", - "domain": "example.com" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSigzJC_ZNzg-vcjYKcwz3icotC0nVdgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYG5kqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAD-SK84\",\"auditType\":\"Archive Mailbox Restore\",\"user\":\"johndoejr@example.com\",\"eventTime\":\"2021-10-12T18:19:33+0000\",\"eventInfo\":\"Archive mailbox restore created. Restored data from johndoe@example.com to johndoejr@example.com by johndoejr@example.com, Date: 2021-10-12, Time: 18:19:33+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"archive_service_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Administration Console", "category": "archive_service_logs", "eventInfo": "Archive mailbox restore created. 
Restored data from johndoe@example.com to johndoejr@example.com by johndoejr@example.com, Date: 2021-10-12, Time: 18:19:33+0000, IP: 67.43.156.15, Application: Administration Console" - } - }, - { - "@timestamp": "2021-10-12T17:55:14.000Z", - "ecs": { - "version": "1.12.0" }, "related": { - "user": [ - "johndoe", - "johndoe@example.com" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "johndoejr", + "johndoejr@example.com" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoejr@example.com", + "name": "johndoejr" + } + }, + { + "@timestamp": "2021-10-12T17:55:14.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "1.12.0" + }, "event": { "action": "archive-mailbox-export-download", - "ingested": "2021-12-14T14:48:19.342452408Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJScjMvyjIxr6yoLDY2qQopLq3yDnM1dwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYGZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAE5dK-0\",\"auditType\":\"Archive Mailbox Export Download\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T17:55:14+0000\",\"eventInfo\":\"Mailbox export downloaded. 
Download filename (HTML Report recovery id): eNqrVipOTS4tSs1MUbJSyo3RDw81rTCpynMpdiuICMopyihxynZztcisDMoN9zWLSCrPzAjz9PALNzFwySrLMNQ2yUs38g9zS860cHKNMExR0lFKLi0uyc9NLUrOT0kFGulsYuZobgoUL0pNzi9LLarULUksztYFWWdpaKqjBBQqzszPU7IyrAUAsSEteA by johndoe@example.com, Date: 2021-10-12, Time: 17:55:14+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"archive_service_logs\"}", + "created": "2021-10-12T17:55:14.000Z", "id": "eNqrVipOTS4tSs1MUbJScjMvyjIxr6yoLDY2qQopLq3yDnM1dwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYGZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAE5dK-0", - "created": "2021-10-12T17:55:14.000Z" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJScjMvyjIxr6yoLDY2qQopLq3yDnM1dwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYGZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAE5dK-0\",\"auditType\":\"Archive Mailbox Export Download\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T17:55:14+0000\",\"eventInfo\":\"Mailbox export downloaded. Download filename (HTML Report recovery id): eNqrVipOTS4tSs1MUbJSyo3RDw81rTCpynMpdiuICMopyihxynZztcisDMoN9zWLSCrPzAjz9PALNzFwySrLMNQ2yUs38g9zS860cHKNMExR0lFKLi0uyc9NLUrOT0kFGulsYuZobgoUL0pNzi9LLarULUksztYFWWdpaKqjBBQqzszPU7IyrAUAsSEteA by johndoe@example.com, Date: 2021-10-12, Time: 17:55:14+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"archive_service_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Administration Console", "category": "archive_service_logs", "eventInfo": "Mailbox export downloaded. 
Download filename (HTML Report recovery id): eNqrVipOTS4tSs1MUbJSyo3RDw81rTCpynMpdiuICMopyihxynZztcisDMoN9zWLSCrPzAjz9PALNzFwySrLMNQ2yUs38g9zS860cHKNMExR0lFKLi0uyc9NLUrOT0kFGulsYuZobgoUL0pNzi9LLarULUksztYFWWdpaKqjBBQqzszPU7IyrAUAsSEteA by johndoe@example.com, Date: 2021-10-12, Time: 17:55:14+0000, IP: 67.43.156.15, Application: Administration Console" - } - }, - { - "@timestamp": "2021-10-12T17:07:00.000Z", - "ecs": { - "version": "1.12.0" }, "related": { + "ip": [ + "67.43.156.15" + ], "user": [ "johndoe", "johndoe@example.com" - ], - "ip": [ - "67.43.156.15" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-12T17:07:00.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "1.12.0" + }, "event": { "action": "review-set-action", - "ingested": "2021-12-14T14:48:19.342452886Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSitH39gl1cS509PT1MSnw90l0CinPCQgLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsYmBsYqqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAxASul\",\"auditType\":\"Review Set Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T17:07:00+0000\",\"eventInfo\":\"Viewed Review Set Details - Case: Class Action, Review Set: Contracts, Date: 2021-10-12, Time: 17:07:00+0000, IP: 67.43.156.15, Application: mimecast-case-review\",\"category\":\"case_review_logs\"}", + "created": "2021-10-12T17:07:00.000Z", "id": "eNqrVipOTS4tSs1MUbJSitH39gl1cS509PT1MSnw90l0CinPCQgLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsYmBsYqqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAxASul", - 
"created": "2021-10-12T17:07:00.000Z" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSitH39gl1cS509PT1MSnw90l0CinPCQgLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsYmBsYqqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAxASul\",\"auditType\":\"Review Set Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T17:07:00+0000\",\"eventInfo\":\"Viewed Review Set Details - Case: Class Action, Review Set: Contracts, Date: 2021-10-12, Time: 17:07:00+0000, IP: 67.43.156.15, Application: mimecast-case-review\",\"category\":\"case_review_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "mimecast-case-review", "category": "case_review_logs", "eventInfo": "Viewed Review Set Details - Case: Class Action, Review Set: Contracts, Date: 2021-10-12, Time: 17:07:00+0000, IP: 67.43.156.15, Application: mimecast-case-review" - } - }, - { - "@timestamp": "2021-10-12T15:38:05.000Z", - "ecs": { - "version": "1.12.0" }, "related": { + "ip": [ + "67.43.156.15" + ], "user": [ "johndoe", "johndoe@example.com" - ], - "ip": [ - "67.43.156.15" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-12T15:38:05.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "1.12.0" + }, "event": { "action": "remediation-incident-adjustment", - "ingested": "2021-12-14T14:48:19.342453242Z", - "original": 
"{\"id\":\"eNqrVipOTS4tSs1MUbJS8vDNLCt0DHEKS4xICvNJqzQ1MjOyyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaWJurKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAByMK38\",\"auditType\":\"Remediation Incident Adjustment\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T15:38:05+0000\",\"eventInfo\":\"Restore Remediation Incident Created - TR-C46A75-01419-R, type : restore, search criteria : {\\\"unremediateCode\\\":\\\"TR-C46A75-01419-M\\\",\\\"from\\\":\\\"gmail.com\\\",\\\"start\\\":\\\"2021-10-10T15:33:49+0000\\\",\\\"end\\\":\\\"2021-10-12T15:33:49+0000\\\"}, Date: 2021-10-12, Time: 15:38:05+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"account_logs\"}", + "created": "2021-10-12T15:38:05.000Z", "id": "eNqrVipOTS4tSs1MUbJS8vDNLCt0DHEKS4xICvNJqzQ1MjOyyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaWJurKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAByMK38", - "type": "type : restore", - "created": "2021-10-12T15:38:05.000Z" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJS8vDNLCt0DHEKS4xICvNJqzQ1MjOyyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaWJurKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAByMK38\",\"auditType\":\"Remediation Incident Adjustment\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T15:38:05+0000\",\"eventInfo\":\"Restore Remediation Incident Created - TR-C46A75-01419-R, type : restore, search criteria : {\\\"unremediateCode\\\":\\\"TR-C46A75-01419-M\\\",\\\"from\\\":\\\"gmail.com\\\",\\\"start\\\":\\\"2021-10-10T15:33:49+0000\\\",\\\"end\\\":\\\"2021-10-12T15:33:49+0000\\\"}, Date: 2021-10-12, Time: 15:38:05+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"account_logs\"}", + "type": "type : restore" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { 
"application": "Administration Console", "category": "account_logs", "eventInfo": "Restore Remediation Incident Created - TR-C46A75-01419-R, type : restore, search criteria : {\"unremediateCode\":\"TR-C46A75-01419-M\",\"from\":\"gmail.com\",\"start\":\"2021-10-10T15:33:49+0000\",\"end\":\"2021-10-12T15:33:49+0000\"}, Date: 2021-10-12, Time: 15:38:05+0000, IP: 67.43.156.15, Application: Administration Console" + }, + "related": { + "ip": [ + "67.43.156.15" + ], + "user": [ + "johndoe", + "johndoe@example.com" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" } } ]
diff --git a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-common-config.yml b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-common-config.yml
index 5622947e4b8..4da22641654 100644
--- a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-common-config.yml
+++ b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-common-config.yml
@@ -1,5 +1,3 @@
-dynamic_fields:
- event.ingested: ".*"
 fields:
 tags:
 - preserve_original_event
diff --git a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml
index f75b58aca00..660c0ee91a3 100644
--- a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml
@@ -2,9 +2,6 @@ description: Pipeline for processing sample logs
 processors:
 #
 # Generic event/ecs fields we always want to populate
- - set:
- field: event.ingested
- value: "{{ _ingest.timestamp }}"
 - set:
 field: ecs.version
 value: "1.12.0"
diff --git a/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-common-config.yml b/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-common-config.yml
index 5622947e4b8..4da22641654 100644
--- a/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-common-config.yml
+++ b/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-common-config.yml
@@ -1,5 +1,3 @@
-dynamic_fields:
- event.ingested: ".*"
 fields:
 tags:
 - preserve_original_event
diff --git a/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log-expected.json b/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log-expected.json
index ff154d67416..9b4d7b4b982 100644
--- a/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log-expected.json
+++ b/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log-expected.json
@@ -5,25 +5,24 @@ "ecs": { "version": "1.12.0" }, - "rule": { - "name": "Content Inspection - Watermark" - }, - "event": { - "action": "hold", - "ingested": "2021-12-14T14:48:20.988315125Z", - "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:25+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"hold\",\"messageId\":\"\u003c20211015204122.2CA6DFCAE2@mail.emailsec.ninja\u003e\"}", - "created": "2021-10-15T20:41:25+0000" - }, "email": { + "direction": "inbound", "from": { "address": "\u003c\u003e" }, "message_id": "\u003c20211015204122.2CA6DFCAE2@mail.emailsec.ninja\u003e", + "subject": "Undelivered Mail Returned to Sender", "to": { "address": "johndoe@example.com" - }, - "subject": "Undelivered Mail Returned to Sender", - "direction": "inbound" + } + }, + "event": { + "action": "hold", + "created": "2021-10-15T20:41:25+0000", + "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:25+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"hold\",\"messageId\":\"\u003c20211015204122.2CA6DFCAE2@mail.emailsec.ninja\u003e\"}" + }, + "rule": { + "name": "Content Inspection - Watermark" }, "tags": [ "preserve_original_event" 
@@ -34,25 +33,24 @@ "ecs": { "version": "1.12.0" }, - "rule": { - "name": "Content Inspection - Watermark" - }, - "event": { - "action": "notification", - "ingested": "2021-12-14T14:48:20.988317655Z", - "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:25+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"notification\",\"messageId\":\"\u003c20211015204122.2CA6DFCAE2@mail.emailsec.ninja\u003e\"}", - "created": "2021-10-15T20:41:25+0000" - }, "email": { + "direction": "inbound", "from": { "address": "\u003c\u003e" }, "message_id": "\u003c20211015204122.2CA6DFCAE2@mail.emailsec.ninja\u003e", + "subject": "Undelivered Mail Returned to Sender", "to": { "address": "johndoe@example.com" - }, - "subject": "Undelivered Mail Returned to Sender", - "direction": "inbound" + } + }, + "event": { + "action": "notification", + "created": "2021-10-15T20:41:25+0000", + "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:25+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"notification\",\"messageId\":\"\u003c20211015204122.2CA6DFCAE2@mail.emailsec.ninja\u003e\"}" + }, + "rule": { + "name": "Content Inspection - Watermark" }, "tags": [ "preserve_original_event" 
@@ -63,25 +61,24 @@ "ecs": { "version": "1.12.0" }, - "rule": { - "name": "Content Inspection - Watermark" - }, - "event": { - "action": "hold", - "ingested": "2021-12-14T14:48:20.988318132Z", - "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:22+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"hold\",\"messageId\":\"\u003c20211015204119.F16C2FCC60@mail.emailsec.ninja\u003e\"}", - "created": "2021-10-15T20:41:22+0000" - }, "email": { + "direction": "inbound", "from": { "address": "\u003c\u003e" }, "message_id": "\u003c20211015204119.F16C2FCC60@mail.emailsec.ninja\u003e", + "subject": "Undelivered Mail Returned to Sender", "to": { "address": "johndoe@example.com" - }, - "subject": "Undelivered Mail Returned to Sender", - "direction": "inbound" + } + }, + "event": { + "action": "hold", + "created": "2021-10-15T20:41:22+0000", + "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:22+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"hold\",\"messageId\":\"\u003c20211015204119.F16C2FCC60@mail.emailsec.ninja\u003e\"}" + }, + "rule": { + "name": "Content Inspection - Watermark" }, "tags": [ "preserve_original_event" 
@@ -92,25 +89,24 @@ "ecs": { "version": "1.12.0" }, - "rule": { - "name": "Content Inspection - Watermark" - }, - "event": { - "action": "notification", - "ingested": "2021-12-14T14:48:20.988318486Z", - "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:22+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"notification\",\"messageId\":\"\u003c20211015204119.F16C2FCC60@mail.emailsec.ninja\u003e\"}", - "created": "2021-10-15T20:41:22+0000" - }, "email": { + "direction": "inbound", "from": { "address": "\u003c\u003e" }, "message_id": "\u003c20211015204119.F16C2FCC60@mail.emailsec.ninja\u003e", + "subject": "Undelivered Mail Returned to Sender", "to": { "address": "johndoe@example.com" - }, - "subject": "Undelivered Mail Returned to Sender", - "direction": "inbound" + } + }, + "event": { + "action": "notification", + "created": "2021-10-15T20:41:22+0000", + "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:22+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"notification\",\"messageId\":\"\u003c20211015204119.F16C2FCC60@mail.emailsec.ninja\u003e\"}" + }, + "rule": { + "name": "Content Inspection - Watermark" }, "tags": [ "preserve_original_event" 
@@ -121,25 +117,24 @@ "ecs": { "version": "1.12.0" }, - "rule": { - "name": "Content Inspection - Watermark" - }, - "event": { - "action": "notification", - "ingested": "2021-12-14T14:48:20.988318849Z", - "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:21+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"notification\",\"messageId\":\"\u003c20211015204118.05EA6FCAE2@mail.emailsec.ninja\u003e\"}", - "created": "2021-10-15T20:41:21+0000" - }, "email": { + "direction": "inbound", "from": { "address": "\u003c\u003e" }, "message_id": "\u003c20211015204118.05EA6FCAE2@mail.emailsec.ninja\u003e", + "subject": "Undelivered Mail Returned to Sender", "to": { "address": "johndoe@example.com" - }, - "subject": "Undelivered Mail Returned to Sender", - "direction": "inbound" + } + }, + "event": { + "action": "notification", + "created": "2021-10-15T20:41:21+0000", + "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:21+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"notification\",\"messageId\":\"\u003c20211015204118.05EA6FCAE2@mail.emailsec.ninja\u003e\"}" + }, + "rule": { + "name": "Content Inspection - Watermark" }, "tags": [ "preserve_original_event" 
@@ -150,25 +145,24 @@ "ecs": { "version": "1.12.0" }, - "rule": { - "name": "Content Inspection - Watermark" - }, - "event": { - "action": "hold", - "ingested": "2021-12-14T14:48:20.988319259Z", - "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:21+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"hold\",\"messageId\":\"\u003c20211015204118.05EA6FCAE2@mail.emailsec.ninja\u003e\"}", - "created": "2021-10-15T20:41:21+0000" - }, "email": { + "direction": "inbound", "from": { "address": "\u003c\u003e" }, "message_id": "\u003c20211015204118.05EA6FCAE2@mail.emailsec.ninja\u003e", + "subject": "Undelivered Mail Returned to Sender", "to": { "address": "johndoe@example.com" - }, - "subject": "Undelivered Mail Returned to Sender", - "direction": "inbound" + } + }, + "event": { + "action": "hold", + "created": "2021-10-15T20:41:21+0000", + "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:21+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"hold\",\"messageId\":\"\u003c20211015204118.05EA6FCAE2@mail.emailsec.ninja\u003e\"}" + }, + "rule": { + "name": "Content Inspection - Watermark" }, "tags": [ "preserve_original_event" 
@@ -179,25 +173,24 @@ "ecs": { "version": "1.12.0" }, - "rule": { - "name": "Content Inspection - Watermark" - }, - "event": { - "action": "notification", - "ingested": "2021-12-14T14:48:20.988319668Z", - "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:19+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"notification\",\"messageId\":\"\u003c20211015204116.6A8CFFCC60@mail.emailsec.ninja\u003e\"}", - "created": "2021-10-15T20:41:19+0000" - }, "email": { + "direction": "inbound", "from": { "address": "\u003c\u003e" }, "message_id": "\u003c20211015204116.6A8CFFCC60@mail.emailsec.ninja\u003e", + "subject": "Undelivered Mail Returned to Sender", "to": { "address": "johndoe@example.com" - }, - "subject": "Undelivered Mail Returned to Sender", - "direction": "inbound" + } + }, + "event": { + "action": "notification", + "created": "2021-10-15T20:41:19+0000", + "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:19+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"notification\",\"messageId\":\"\u003c20211015204116.6A8CFFCC60@mail.emailsec.ninja\u003e\"}" + }, + "rule": { + "name": "Content Inspection - Watermark" }, "tags": [ "preserve_original_event" 
@@ -208,25 +201,24 @@ "ecs": { "version": "1.12.0" }, - "rule": { - "name": "Content Inspection - Watermark" - }, - "event": { - "action": "hold", - "ingested": "2021-12-14T14:48:20.988320038Z", - "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:19+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"hold\",\"messageId\":\"\u003c20211015204116.6A8CFFCC60@mail.emailsec.ninja\u003e\"}", - "created": "2021-10-15T20:41:19+0000" - }, "email": { + "direction": "inbound", "from": { "address": "\u003c\u003e" }, "message_id": "\u003c20211015204116.6A8CFFCC60@mail.emailsec.ninja\u003e", + "subject": "Undelivered Mail Returned to Sender", "to": { "address": "johndoe@example.com" - }, - "subject": "Undelivered Mail Returned to Sender", - "direction": "inbound" + } + }, + "event": { + "action": "hold", + "created": "2021-10-15T20:41:19+0000", + "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:19+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"hold\",\"messageId\":\"\u003c20211015204116.6A8CFFCC60@mail.emailsec.ninja\u003e\"}" + }, + "rule": { + "name": "Content Inspection - Watermark" }, "tags": [ "preserve_original_event" 
@@ -237,25 +229,24 @@ "ecs": { "version": "1.12.0" }, - "rule": { - "name": "Content Inspection - Watermark" - }, - "event": { - "action": "hold", - "ingested": "2021-12-14T14:48:20.988320398Z", - "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:17+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"hold\",\"messageId\":\"\u003c20211015204114.8AE40FCAE2@mail.emailsec.ninja\u003e\"}", - "created": "2021-10-15T20:41:17+0000" - }, "email": { + "direction": "inbound", "from": { "address": "\u003c\u003e" }, "message_id": "\u003c20211015204114.8AE40FCAE2@mail.emailsec.ninja\u003e", + "subject": "Undelivered Mail Returned to Sender", "to": { "address": "johndoe@example.com" - }, - "subject": "Undelivered Mail Returned to Sender", - "direction": "inbound" + } + }, + "event": { + "action": "hold", + "created": "2021-10-15T20:41:17+0000", + "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:17+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"hold\",\"messageId\":\"\u003c20211015204114.8AE40FCAE2@mail.emailsec.ninja\u003e\"}" + }, + "rule": { + "name": "Content Inspection - Watermark" }, "tags": [ "preserve_original_event" 
@@ -266,25 +257,24 @@ "ecs": { "version": "1.12.0" }, - "rule": { - "name": "Content Inspection - Watermark" - }, - "event": { - "action": "notification", - "ingested": "2021-12-14T14:48:20.988320761Z", - "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:17+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"notification\",\"messageId\":\"\u003c20211015204114.8AE40FCAE2@mail.emailsec.ninja\u003e\"}", - "created": "2021-10-15T20:41:17+0000" - }, "email": { + "direction": "inbound", "from": { "address": "\u003c\u003e" }, "message_id": "\u003c20211015204114.8AE40FCAE2@mail.emailsec.ninja\u003e", + "subject": "Undelivered Mail Returned to Sender", "to": { "address": "johndoe@example.com" - }, - "subject": "Undelivered Mail Returned to Sender", - "direction": "inbound" + } + }, + "event": { + "action": "notification", + "created": "2021-10-15T20:41:17+0000", + "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Undelivered Mail Returned to Sender\",\"eventTime\":\"2021-10-15T20:41:17+0000\",\"route\":\"inbound\",\"policy\":\"Content Inspection - Watermark\",\"action\":\"notification\",\"messageId\":\"\u003c20211015204114.8AE40FCAE2@mail.emailsec.ninja\u003e\"}" + }, + "rule": { + "name": "Content Inspection - Watermark" }, "tags": [ "preserve_original_event" diff --git a/packages/mimecast/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml index 38695f2a016..c8b887e596e 100644 --- a/packages/mimecast/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml 
@@ -2,9 +2,6 @@ description: Pipeline for processing sample logs processors: # Generic event/ecs fields we always want to populated - - set: - field: event.ingested - value: "{{ _ingest.timestamp }}" - set: field: ecs.version value: "1.12.0"
diff --git a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-common-config.yml b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-common-config.yml
index 5622947e4b8..4da22641654 100644
--- a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-common-config.yml
+++ b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-common-config.yml
@@ -1,5 +1,3 @@
-dynamic_fields:
- event.ingested: ".*"
 fields:
 tags:
 - preserve_original_event
diff --git a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json
index e5aafa1d00b..2495457b799 100644
--- a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json
+++ b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json
@@ -5,89 +5,87 @@ "ecs": { "version": "1.12.0" }, - "event": { - "reason": "Spm", - "action": "Hld", - "ingested": "2021-12-14T14:48:21.314971609Z", - "original": "{\"Act\":\"Hld\",\"AttCnt\":0,\"AttNames\":null,\"AttSize\":0,\"Content-Disposition\":\"attachment; filename=\\\"process_20211018093329655.json\\\"\",\"Hld\":\"Spm\",\"MsgId\":\"\\u003cINX.164dae0719be95da77068c7d264.3e915.e7719.c78c.17c926a3231ace@newsletter.77onlineshop.eu\\u003e\",\"MsgSize\":157436,\"Sender\":\"bounce_9244+cdaahhimyaaaaagaad5ekqaaaaaaaaeribenpq@newsletter.77onlineshop.eu\",\"Subject\":\"Hi Sandra! Neue Styles eingetroffen! – Finde deinen Lieblings-Look!\",\"aCode\":\"HhuwRf_AOcuJZINE2ZgcKw\",\"acc\":\"ABC123\",\"datetime\":\"2021-10-18T09:02:43+0100\"}", - "created": "2021-10-18T09:02:43+0100", - "outcome": "unknown" - }, "email": { - "message_id": "\u003cINX.164dae0719be95da77068c7d264.3e915.e7719.c78c.17c926a3231ace@newsletter.77onlineshop.eu\u003e", - "from": { - "address": "bounce_9244+cdaahhimyaaaaagaad5ekqaaaaaaaaeribenpq@newsletter.77onlineshop.eu" - }, "attachments": { "file": { "size": 0 } }, + "from": { + "address": "bounce_9244+cdaahhimyaaaaagaad5ekqaaaaaaaaeribenpq@newsletter.77onlineshop.eu" + }, "local_id": "HhuwRf_AOcuJZINE2ZgcKw", - "subject": "Hi Sandra! Neue Styles eingetroffen! – Finde deinen Lieblings-Look!", - "message_size": 157436 + "message_id": "\u003cINX.164dae0719be95da77068c7d264.3e915.e7719.c78c.17c926a3231ace@newsletter.77onlineshop.eu\u003e", + "message_size": 157436, + "subject": "Hi Sandra! Neue Styles eingetroffen! – Finde deinen Lieblings-Look!" 
+ }, + "event": { + "action": "Hld", + "created": "2021-10-18T09:02:43+0100", + "original": "{\"Act\":\"Hld\",\"AttCnt\":0,\"AttNames\":null,\"AttSize\":0,\"Content-Disposition\":\"attachment; filename=\\\"process_20211018093329655.json\\\"\",\"Hld\":\"Spm\",\"MsgId\":\"\\u003cINX.164dae0719be95da77068c7d264.3e915.e7719.c78c.17c926a3231ace@newsletter.77onlineshop.eu\\u003e\",\"MsgSize\":157436,\"Sender\":\"bounce_9244+cdaahhimyaaaaagaad5ekqaaaaaaaaeribenpq@newsletter.77onlineshop.eu\",\"Subject\":\"Hi Sandra! Neue Styles eingetroffen! – Finde deinen Lieblings-Look!\",\"aCode\":\"HhuwRf_AOcuJZINE2ZgcKw\",\"acc\":\"ABC123\",\"datetime\":\"2021-10-18T09:02:43+0100\"}", + "outcome": "unknown", + "reason": "Spm" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { + "AttCnt": 0, "acc": "ABC123", - "log_type": "process", - "AttCnt": 0 - } + "log_type": "process" + }, + "tags": [ + "preserve_original_event" + ] }, { "@timestamp": "2021-10-19T06:06:40.000Z", "ecs": { "version": "1.12.0" }, - "rule": { - "name": "Office365" - }, - "tls": { - "cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "established": true, - "version": "TLSv1.2" - }, - "source": { - "ip": "67.43.156.15" - }, - "event": { - "reason": "5.4.1 Recipient address rejected: Access denied. AS(201806281) [LO2GBR01FT037.eop-gbr01.prod.protection.outlook.com]", - "ingested": "2021-12-14T14:48:21.314974253Z", - "original": "{\"acc\":\"ABC123\",\"Delivered\":false,\"IP\":\"67.43.156.15\",\"RejType\":\"Recipient email address is possibly incorrect\",\"RejCode\":\"550\",\"AttCnt\":0,\"Dir\":\"Inbound\",\"ReceiptAck\":null,\"MsgId\":null,\"Subject\":null,\"Latency\":505,\"Sender\":\"\u003c\u003e\",\"datetime\":\"2021-10-19T07:06:40+0100\",\"Rcpt\":\"johndoe@example.com\",\"AttSize\":0,\"Attempt\":1,\"RejInfo\":\"5.4.1 Recipient address rejected: Access denied. 
AS(201806281) [LO2GBR01FT037.eop-gbr01.prod.protection.outlook.com]\",\"TlsVer\":\"TLSv1.2\",\"Cphr\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"Snt\":125,\"aCode\":\"29be076e-44cd-354d-a7c2-083d4a312371\",\"UseTls\":\"Yes\",\"Route\":\"Office365\",\"Content-Disposition\":\"attachment; filename=\\\"delivery_20211018093329655.json\\\"\"}", - "created": "2021-10-19T07:06:40+0100", - "outcome": "failure" - }, - "error": { - "type": "Recipient email address is possibly incorrect", - "code": "550" - }, "email": { - "from": { - "address": "\u003c\u003e" - }, "attachments": { "file": { "size": 0 } }, - "to": { - "address": "johndoe@example.com" + "direction": "Inbound", + "from": { + "address": "\u003c\u003e" }, "local_id": "29be076e-44cd-354d-a7c2-083d4a312371", - "direction": "Inbound" + "to": { + "address": "johndoe@example.com" + } + }, + "error": { + "code": "550", + "type": "Recipient email address is possibly incorrect" + }, + "event": { + "created": "2021-10-19T07:06:40+0100", + "original": "{\"acc\":\"ABC123\",\"Delivered\":false,\"IP\":\"67.43.156.15\",\"RejType\":\"Recipient email address is possibly incorrect\",\"RejCode\":\"550\",\"AttCnt\":0,\"Dir\":\"Inbound\",\"ReceiptAck\":null,\"MsgId\":null,\"Subject\":null,\"Latency\":505,\"Sender\":\"\u003c\u003e\",\"datetime\":\"2021-10-19T07:06:40+0100\",\"Rcpt\":\"johndoe@example.com\",\"AttSize\":0,\"Attempt\":1,\"RejInfo\":\"5.4.1 Recipient address rejected: Access denied. AS(201806281) [LO2GBR01FT037.eop-gbr01.prod.protection.outlook.com]\",\"TlsVer\":\"TLSv1.2\",\"Cphr\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"Snt\":125,\"aCode\":\"29be076e-44cd-354d-a7c2-083d4a312371\",\"UseTls\":\"Yes\",\"Route\":\"Office365\",\"Content-Disposition\":\"attachment; filename=\\\"delivery_20211018093329655.json\\\"\"}", + "outcome": "failure", + "reason": "5.4.1 Recipient address rejected: Access denied. 
AS(201806281) [LO2GBR01FT037.eop-gbr01.prod.protection.outlook.com]" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { - "acc": "ABC123", - "Snt": 125, - "log_type": "delivery", "AttCnt": 0, "Attempt": 1, - "Latency": 505 + "Latency": 505, + "Snt": 125, + "acc": "ABC123", + "log_type": "delivery" + }, + "rule": { + "name": "Office365" + }, + "source": { + "ip": "67.43.156.15" + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "established": true, + "version": "TLSv1.2" } }, { 
@@ -95,80 +93,78 @@ "ecs": { "version": "1.12.0" }, - "event": { - "action": "Acc", - "ingested": "2021-12-14T14:48:21.314974698Z", - "original": "{\"acc\":\"ABC123\",\"Sender\":\"postmaster@twotoeight.com\",\"datetime\":\"2021-10-19T07:04:55+0100\",\"AttSize\":0,\"Content-Disposition\":\"attachment; filename=\\\"process_20211018093329655.json\\\"\",\"Act\":\"Acc\",\"aCode\":\"61dfe7da-4c6d-34e1-9667-69b04f0d564f\",\"AttCnt\":0,\"AttNames\":null,\"MsgSize\":49025,\"MsgId\":\"\u003c137188507-1634623494888@uk-mta-151.uk.mimecast.lan\u003e\",\"Subject\":\"You have new held messages\"}", - "created": "2021-10-19T07:04:55+0100", - "outcome": "unknown" - }, "email": { - "message_id": "\u003c137188507-1634623494888@uk-mta-151.uk.mimecast.lan\u003e", - "from": { - "address": "postmaster@twotoeight.com" - }, "attachments": { "file": { "size": 0 } }, + "from": { + "address": "postmaster@twotoeight.com" + }, "local_id": "61dfe7da-4c6d-34e1-9667-69b04f0d564f", - "subject": "You have new held messages", - "message_size": 49025 + "message_id": "\u003c137188507-1634623494888@uk-mta-151.uk.mimecast.lan\u003e", + "message_size": 49025, + "subject": "You have new held messages" + }, + "event": { + "action": "Acc", + "created": "2021-10-19T07:04:55+0100", + "original": "{\"acc\":\"ABC123\",\"Sender\":\"postmaster@twotoeight.com\",\"datetime\":\"2021-10-19T07:04:55+0100\",\"AttSize\":0,\"Content-Disposition\":\"attachment; filename=\\\"process_20211018093329655.json\\\"\",\"Act\":\"Acc\",\"aCode\":\"61dfe7da-4c6d-34e1-9667-69b04f0d564f\",\"AttCnt\":0,\"AttNames\":null,\"MsgSize\":49025,\"MsgId\":\"\u003c137188507-1634623494888@uk-mta-151.uk.mimecast.lan\u003e\",\"Subject\":\"You have new held messages\"}", + "outcome": "unknown" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { + "AttCnt": 0, "acc": "ABC123", - "log_type": "process", - "AttCnt": 0 - } + "log_type": "process" + }, + "tags": [ + "preserve_original_event" + ] }, { "@timestamp": "2021-10-19T06:04:55.000Z", 
"ecs": { "version": "1.12.0" }, - "tls": { - "established": false - }, - "source": { - "ip": "67.43.156.15" - }, - "event": { - "ingested": "2021-12-14T14:48:21.314975133Z", - "original": "{\"acc\":\"ABC123\",\"Delivered\":true,\"IP\":\"67.43.156.15\",\"AttCnt\":0,\"Dir\":\"Internal\",\"ReceiptAck\":\"250 SmtpInternalThread-19194240-1634623495703@uk-mta-151.uk.mimecast.lan Received OK [61dfe7da-4c6d-34e1-9667-69b04f0d564f.uk151]\",\"MsgId\":\"\u003c137188507-1634623494888@uk-mta-151.uk.mimecast.lan\u003e\",\"Subject\":null,\"Latency\":1090,\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-10-19T07:04:55+0100\",\"Rcpt\":\"johndoejr@example.com\",\"AttSize\":0,\"Attempt\":1,\"Snt\":51666,\"aCode\":\"61dfe7da-4c6d-34e1-9667-69b04f0d564f\",\"UseTls\":\"No\", \"Content-Disposition\":\"attachment; filename=\\\"delivery_20211018093329655.json\\\"\"},{\"acc\":\"ABC123\",\"Delivered\":false,\"IP\":\"67.43.156.15\",\"RejType\":\"Recipient email address is possibly incorrect\",\"RejCode\":\"550\",\"AttCnt\":0,\"Dir\":\"Internal\",\"ReceiptAck\":null,\"MsgId\":\"\u003c137188507-1634623494888@uk-mta-151.uk.mimecast.lan\u003e\",\"Subject\":\"You have new held messages\",\"Latency\":1534,\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-10-19T07:04:56+0100\",\"Rcpt\":\"johndoejr@example.com\",\"AttSize\":0,\"Attempt\":1,\"RejInfo\":\"5.4.1 Recipient address rejected: Access denied. 
AS(201806281) [CWLGBR01FT010.eop-gbr01.prod.protection.outlook.com]\",\"TlsVer\":\"TLSv1.2\",\"Cphr\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"Snt\":147,\"aCode\":\"61dfe7da-4c6d-34e1-9667-69b04f0d564f\",\"UseTls\":\"Yes\",\"Route\":\"Office365\",\"Content-Disposition\":\"attachment; filename=\\\"delivery_20211018093329655.json\\\"\"}", - "created": "2021-10-19T07:04:55+0100", - "outcome": "success" - }, "email": { - "message_id": "\u003c137188507-1634623494888@uk-mta-151.uk.mimecast.lan\u003e", - "from": { - "address": "johndoe@example.com" - }, "attachments": { "file": { "size": 0 } }, - "to": { - "address": "johndoejr@example.com" + "direction": "Internal", + "from": { + "address": "johndoe@example.com" }, "local_id": "61dfe7da-4c6d-34e1-9667-69b04f0d564f", - "direction": "Internal" + "message_id": "\u003c137188507-1634623494888@uk-mta-151.uk.mimecast.lan\u003e", + "to": { + "address": "johndoejr@example.com" + } + }, + "event": { + "created": "2021-10-19T07:04:55+0100", + "original": "{\"acc\":\"ABC123\",\"Delivered\":true,\"IP\":\"67.43.156.15\",\"AttCnt\":0,\"Dir\":\"Internal\",\"ReceiptAck\":\"250 SmtpInternalThread-19194240-1634623495703@uk-mta-151.uk.mimecast.lan Received OK [61dfe7da-4c6d-34e1-9667-69b04f0d564f.uk151]\",\"MsgId\":\"\u003c137188507-1634623494888@uk-mta-151.uk.mimecast.lan\u003e\",\"Subject\":null,\"Latency\":1090,\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-10-19T07:04:55+0100\",\"Rcpt\":\"johndoejr@example.com\",\"AttSize\":0,\"Attempt\":1,\"Snt\":51666,\"aCode\":\"61dfe7da-4c6d-34e1-9667-69b04f0d564f\",\"UseTls\":\"No\", \"Content-Disposition\":\"attachment; filename=\\\"delivery_20211018093329655.json\\\"\"},{\"acc\":\"ABC123\",\"Delivered\":false,\"IP\":\"67.43.156.15\",\"RejType\":\"Recipient email address is possibly incorrect\",\"RejCode\":\"550\",\"AttCnt\":0,\"Dir\":\"Internal\",\"ReceiptAck\":null,\"MsgId\":\"\u003c137188507-1634623494888@uk-mta-151.uk.mimecast.lan\u003e\",\"Subject\":\"You have new held 
messages\",\"Latency\":1534,\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-10-19T07:04:56+0100\",\"Rcpt\":\"johndoejr@example.com\",\"AttSize\":0,\"Attempt\":1,\"RejInfo\":\"5.4.1 Recipient address rejected: Access denied. AS(201806281) [CWLGBR01FT010.eop-gbr01.prod.protection.outlook.com]\",\"TlsVer\":\"TLSv1.2\",\"Cphr\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"Snt\":147,\"aCode\":\"61dfe7da-4c6d-34e1-9667-69b04f0d564f\",\"UseTls\":\"Yes\",\"Route\":\"Office365\",\"Content-Disposition\":\"attachment; filename=\\\"delivery_20211018093329655.json\\\"\"}", + "outcome": "success" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { - "acc": "ABC123", - "log_type": "delivery", - "Attempt": 1, - "Snt": 51666, "AttCnt": 0, + "Attempt": 1, + "Latency": 1090, "ReceiptAck": "250 SmtpInternalThread-19194240-1634623495703@uk-mta-151.uk.mimecast.lan Received OK [61dfe7da-4c6d-34e1-9667-69b04f0d564f.uk151]", - "Latency": 1090 + "Snt": 51666, + "acc": "ABC123", + "log_type": "delivery" + }, + "source": { + "ip": "67.43.156.15" + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "established": false } }, { 
@@ -176,105 +172,102 @@ "ecs": { "version": "1.12.0" }, - "event": { - "ingested": "2021-12-14T14:48:21.314975525Z", - "original": "{\"acc\":\"C46A75\",\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-11-08T12:09:18+0000\",\"Rcpt\":\"o365_service_account@example.com\",\"RcptActType\":\"Jnl\",\"aCode\":\"CYSuuaBUMjOpk3k1Xhvy_Q\",\"Dir\":\"Internal\",\"RcptHdrType\":\"Unknown\", \"Content-Disposition\":\"attachment; filename=\\\"jrnl_20211018093329655.json\\\"\"}", - "created": "2021-11-08T12:09:18+0000", - "outcome": "unknown" - }, "email": { + "direction": "Internal", "from": { "address": "johndoe@example.com" }, + "local_id": "CYSuuaBUMjOpk3k1Xhvy_Q", "to": { "address": "o365_service_account@example.com" - }, - "local_id": "CYSuuaBUMjOpk3k1Xhvy_Q", - "direction": "Internal" + } + }, + "event": { + "created": "2021-11-08T12:09:18+0000", + "original": "{\"acc\":\"C46A75\",\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-11-08T12:09:18+0000\",\"Rcpt\":\"o365_service_account@example.com\",\"RcptActType\":\"Jnl\",\"aCode\":\"CYSuuaBUMjOpk3k1Xhvy_Q\",\"Dir\":\"Internal\",\"RcptHdrType\":\"Unknown\", \"Content-Disposition\":\"attachment; filename=\\\"jrnl_20211018093329655.json\\\"\"}", + "outcome": "unknown" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { - "acc": "C46A75", - "log_type": "jrnl", "RcptActType": "Jnl", - "RcptHdrType": "Unknown" - } + "RcptHdrType": "Unknown", + "acc": "C46A75", + "log_type": "jrnl" + }, + "tags": [ + "preserve_original_event" + ] }, { "@timestamp": "2021-11-08T12:10:19.000Z", "ecs": { "version": "1.12.0" }, - "source": { - "ip": "81.2.69.193" - }, - "event": { - "action": "Acc", - "ingested": "2021-12-14T14:48:21.314975905Z", - "original": "{\"acc\":\"C46A75\",\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-11-08T12:10:19+0000\",\"Rcpt\":\"johndoejr@example.com\",\"Act\":\"Acc\",\"IP\":\"81.2.69.193\",\"aCode\":\"3dbe9918-f91f-3043-b61f-d3164badfe50\",\"Dir\":\"Internal\",\"Subject\":\"You have new held 
messages\",\"MsgId\":\"\u003c140943948-1636373419265@uk-mta-286.uk.mimecast.lan\u003e\",\"headerFrom\":\"johndoe@example.com\", \"Content-Disposition\":\"attachment; filename=\\\"receipt_20211018093329655.json\\\"\"}", - "created": "2021-11-08T12:10:19+0000", - "outcome": "unknown" - }, "email": { - "header_from": "johndoe@example.com", - "local_id": "3dbe9918-f91f-3043-b61f-d3164badfe50", - "subject": "You have new held messages", - "message_id": "\u003c140943948-1636373419265@uk-mta-286.uk.mimecast.lan\u003e", + "direction": "Internal", "from": { "address": "johndoe@example.com" }, + "header_from": "johndoe@example.com", + "local_id": "3dbe9918-f91f-3043-b61f-d3164badfe50", + "message_id": "\u003c140943948-1636373419265@uk-mta-286.uk.mimecast.lan\u003e", + "subject": "You have new held messages", "to": { "address": "johndoejr@example.com" - }, - "direction": "Internal" + } + }, + "event": { + "action": "Acc", + "created": "2021-11-08T12:10:19+0000", + "original": "{\"acc\":\"C46A75\",\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-11-08T12:10:19+0000\",\"Rcpt\":\"johndoejr@example.com\",\"Act\":\"Acc\",\"IP\":\"81.2.69.193\",\"aCode\":\"3dbe9918-f91f-3043-b61f-d3164badfe50\",\"Dir\":\"Internal\",\"Subject\":\"You have new held messages\",\"MsgId\":\"\u003c140943948-1636373419265@uk-mta-286.uk.mimecast.lan\u003e\",\"headerFrom\":\"johndoe@example.com\", \"Content-Disposition\":\"attachment; filename=\\\"receipt_20211018093329655.json\\\"\"}", + "outcome": "unknown" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "acc": "C46A75", "log_type": "receipt" - } + }, + "source": { + "ip": "81.2.69.193" + }, + "tags": [ + "preserve_original_event" + ] }, { "@timestamp": "2021-11-29T15:13:58.000Z", "ecs": { "version": "1.12.0" }, - "source": { - "domain": "zenz.us", - "ip": "81.2.69.193" - }, - "event": { - "reason": "malicious", - "action": "Block", - "ingested": "2021-12-14T14:48:21.314976283Z", - "original": 
"{\"acc\":\"C46A75\",\"reason\":\"malicious\",\"subject\":\"DocuSign- Contract #45576744333\",\"msgid\":null,\"url\":\"http:\\/\\/docusign.swrodgods.x10.mx\\/Docun\\/Docu\\/index2.php\",\"datetime\":\"2021-11-29T15:13:58+0000\",\"route\":\"inbound\",\"sourceIp\":\"81.2.69.193\",\"sender\":\"docusign-services@zenz.us\",\"recipient\":\"aorchard@twotoeight.com\",\"action\":\"Block\",\"urlCategory\":\"Phishing \u0026 Fraud\",\"credentialTheft\":null,\"senderDomain\":\"zenz.us\", \"Content-Disposition\":\"attachment; filename=\\\"ttp_url_20211129153015541.json\\\"\"}", - "created": "2021-11-29T15:13:58+0000", - "outcome": "unknown" - }, "email": { + "direction": "inbound", "from": { "address": "docusign-services@zenz.us" }, + "subject": "DocuSign- Contract #45576744333", "to": { "address": "aorchard@twotoeight.com" - }, - "subject": "DocuSign- Contract #45576744333", - "direction": "inbound" + } }, - "url": { - "full": "http://docusign.swrodgods.x10.mx/Docun/Docu/index2.php" + "event": { + "action": "Block", + "created": "2021-11-29T15:13:58+0000", + "original": "{\"acc\":\"C46A75\",\"reason\":\"malicious\",\"subject\":\"DocuSign- Contract #45576744333\",\"msgid\":null,\"url\":\"http:\\/\\/docusign.swrodgods.x10.mx\\/Docun\\/Docu\\/index2.php\",\"datetime\":\"2021-11-29T15:13:58+0000\",\"route\":\"inbound\",\"sourceIp\":\"81.2.69.193\",\"sender\":\"docusign-services@zenz.us\",\"recipient\":\"aorchard@twotoeight.com\",\"action\":\"Block\",\"urlCategory\":\"Phishing \u0026 Fraud\",\"credentialTheft\":null,\"senderDomain\":\"zenz.us\", \"Content-Disposition\":\"attachment; filename=\\\"ttp_url_20211129153015541.json\\\"\"}", + "outcome": "unknown", + "reason": "malicious" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "acc": "C46A75", "log_type": "ttp_url", "urlCategory": "Phishing \u0026 Fraud" + }, + "source": { + "domain": "zenz.us", + "ip": "81.2.69.193" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "full": 
"http://docusign.swrodgods.x10.mx/Docun/Docu/index2.php" } } ]
diff --git a/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml
index becdf773e8f..88766e31edc 100644
--- a/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml
@@ -2,9 +2,6 @@ description: Pipeline for processing sample logs
 processors:
 # Generic event/ecs fields we always want to populated
- - set:
- field: event.ingested
- value: "{{ _ingest.timestamp }}"
 - set:
 field: ecs.version
 value: "1.12.0"
diff --git a/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/pipeline/test-common-config.yml b/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/pipeline/test-common-config.yml
index 5622947e4b8..4da22641654 100644
--- a/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/pipeline/test-common-config.yml
+++ b/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/pipeline/test-common-config.yml
@@ -1,5 +1,3 @@
-dynamic_fields:
- event.ingested: ".*"
 fields:
 tags:
 - preserve_original_event
diff --git a/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/pipeline/test-threat-intel-malware-customer.log-expected.json b/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/pipeline/test-threat-intel-malware-customer.log-expected.json
index a19f6c5a3b2..6340ded082e 100644
--- a/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/pipeline/test-threat-intel-malware-customer.log-expected.json
+++ b/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/pipeline/test-threat-intel-malware-customer.log-expected.json
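Review bot: With the `event.ingested` set processor gone, nothing left in this pipeline guarantees the field is populated, and the comment above the remaining `set` still reads "Generic event/ecs fields we always want to populated", with the typo and without saying where `event.ingested` now comes from. Prebuilt detection rules commonly use `event.ingested` as their timestamp override, so the removal is only safe if Fleet's final ingest pipeline, which stamps that field at index time, is guaranteed by the package's minimum stack version; that is presumably what the manifest change in this commit establishes, but it is not recorded here. I'd keep a one-line comment where the processor was, `# event.ingested is set by the Fleet final pipeline; do not set it here.`, and fix the existing comment to `# Generic event/ecs fields we always want populated`. The same point applies to the threat_intel_malware_customer pipeline hunk further down (`@@ -4,9 +4,6 @@`), and the processor list continues past the end of both hunks.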
@@ -6,42 +6,41 @@ "ecs": { "version": "1.12" }, + "event": { + "category": "threat", + "kind": "enrichment", + "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--18c62174-0d31-4653-afe6-d104c57b6b2c\", \"created\": \"2021-10-29T15:07:26.653Z\", \"modified\": \"2021-10-29T15:07:26.653Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']\", \"valid_from\": \"2021-10-29T15:07:26.653Z\" }", + "type": "indicator" + }, + "mimecast": { + "id": "indicator--18c62174-0d31-4653-afe6-d104c57b6b2c", + "labels": [ + "malicious-activity" + ], + "log_type": "malware_customer", + "pattern": "[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']", + "type": "indicator" + }, "related": { "hash": [ "c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de" ] }, + "tags": [ + "preserve_original_event", + "malicious-activity" + ], "threat": { "indicator": { - "first_seen": "2021-10-29T15:07:26.653Z", "file": { "hash": { "sha256": "c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de" } }, + "first_seen": "2021-10-29T15:07:26.653Z", "modified_at": "2021-10-29T15:07:26.653Z", "type": "file" } - }, - "event": { - "ingested": "2021-12-14T14:48:21.740195622Z", - "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--18c62174-0d31-4653-afe6-d104c57b6b2c\", \"created\": \"2021-10-29T15:07:26.653Z\", \"modified\": \"2021-10-29T15:07:26.653Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']\", \"valid_from\": \"2021-10-29T15:07:26.653Z\" }", - "category": "threat", - "type": "indicator", - "kind": "enrichment" - }, - "tags": 
[ - "preserve_original_event", - "malicious-activity" - ], - "mimecast": { - "pattern": "[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']", - "log_type": "malware_customer", - "id": "indicator--18c62174-0d31-4653-afe6-d104c57b6b2c", - "type": "indicator", - "labels": [ - "malicious-activity" - ] } }, null, 
@@ -51,42 +50,41 @@ "ecs": { "version": "1.12" }, + "event": { + "category": "threat", + "kind": "enrichment", + "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--d70d0fc0-7fbe-4acc-9830-230a97ecdab3\", \"created\": \"2021-10-29T15:07:22.595Z\", \"modified\": \"2021-10-29T15:07:22.595Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = '6a6cd489550ddc08871e14dec73f782bf2405378e9f4adeaa61f1574bea4dbbb']\", \"valid_from\": \"2021-10-29T15:07:22.595Z\" }", + "type": "indicator" + }, + "mimecast": { + "id": "indicator--d70d0fc0-7fbe-4acc-9830-230a97ecdab3", + "labels": [ + "malicious-activity" + ], + "log_type": "malware_customer", + "pattern": "[file:hashes.'SHA-256' = '6a6cd489550ddc08871e14dec73f782bf2405378e9f4adeaa61f1574bea4dbbb']", + "type": "indicator" + }, "related": { "hash": [ "6a6cd489550ddc08871e14dec73f782bf2405378e9f4adeaa61f1574bea4dbbb" ] }, + "tags": [ + "preserve_original_event", + "malicious-activity" + ], "threat": { "indicator": { - "first_seen": "2021-10-29T15:07:22.595Z", "file": { "hash": { "sha256": "6a6cd489550ddc08871e14dec73f782bf2405378e9f4adeaa61f1574bea4dbbb" } }, + "first_seen": "2021-10-29T15:07:22.595Z", "modified_at": "2021-10-29T15:07:22.595Z", "type": "file" } - }, - "event": { - "ingested": "2021-12-14T14:48:21.740196813Z", - "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--d70d0fc0-7fbe-4acc-9830-230a97ecdab3\", \"created\": \"2021-10-29T15:07:22.595Z\", \"modified\": \"2021-10-29T15:07:22.595Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = '6a6cd489550ddc08871e14dec73f782bf2405378e9f4adeaa61f1574bea4dbbb']\", \"valid_from\": \"2021-10-29T15:07:22.595Z\" }", - "category": "threat", - "type": "indicator", - "kind": "enrichment" - }, - 
"tags": [ - "preserve_original_event", - "malicious-activity" - ], - "mimecast": { - "pattern": "[file:hashes.'SHA-256' = '6a6cd489550ddc08871e14dec73f782bf2405378e9f4adeaa61f1574bea4dbbb']", - "log_type": "malware_customer", - "id": "indicator--d70d0fc0-7fbe-4acc-9830-230a97ecdab3", - "type": "indicator", - "labels": [ - "malicious-activity" - ] } }, null, 
@@ -96,42 +94,41 @@ "ecs": { "version": "1.12" }, + "event": { + "category": "threat", + "kind": "enrichment", + "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--571f0b0a-7206-4a1f-9c5d-9c04e46e0976\", \"created\": \"2021-10-29T15:07:17.538Z\", \"modified\": \"2021-10-29T15:07:17.538Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = '8042d56337b7e7be79688ca861b3c4ba928f95b0824f598ca79e63882dea0668']\", \"valid_from\": \"2021-10-29T15:07:17.538Z\" }", + "type": "indicator" + }, + "mimecast": { + "id": "indicator--571f0b0a-7206-4a1f-9c5d-9c04e46e0976", + "labels": [ + "malicious-activity" + ], + "log_type": "malware_customer", + "pattern": "[file:hashes.'SHA-256' = '8042d56337b7e7be79688ca861b3c4ba928f95b0824f598ca79e63882dea0668']", + "type": "indicator" + }, "related": { "hash": [ "8042d56337b7e7be79688ca861b3c4ba928f95b0824f598ca79e63882dea0668" ] }, + "tags": [ + "preserve_original_event", + "malicious-activity" + ], "threat": { "indicator": { - "first_seen": "2021-10-29T15:07:17.538Z", "file": { "hash": { "sha256": "8042d56337b7e7be79688ca861b3c4ba928f95b0824f598ca79e63882dea0668" } }, + "first_seen": "2021-10-29T15:07:17.538Z", "modified_at": "2021-10-29T15:07:17.538Z", "type": "file" } - }, - "event": { - "ingested": "2021-12-14T14:48:21.740197902Z", - "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--571f0b0a-7206-4a1f-9c5d-9c04e46e0976\", \"created\": \"2021-10-29T15:07:17.538Z\", \"modified\": \"2021-10-29T15:07:17.538Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = '8042d56337b7e7be79688ca861b3c4ba928f95b0824f598ca79e63882dea0668']\", \"valid_from\": \"2021-10-29T15:07:17.538Z\" }", - "category": "threat", - "type": "indicator", - "kind": "enrichment" - }, - 
"tags": [ - "preserve_original_event", - "malicious-activity" - ], - "mimecast": { - "pattern": "[file:hashes.'SHA-256' = '8042d56337b7e7be79688ca861b3c4ba928f95b0824f598ca79e63882dea0668']", - "log_type": "malware_customer", - "id": "indicator--571f0b0a-7206-4a1f-9c5d-9c04e46e0976", - "type": "indicator", - "labels": [ - "malicious-activity" - ] } }, null, 
@@ -141,42 +138,41 @@ "ecs": { "version": "1.12" }, + "event": { + "category": "threat", + "kind": "enrichment", + "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--90b29bf9-ea1a-423b-8542-4c4590f4038c\", \"created\": \"2021-10-29T15:07:14.044Z\", \"modified\": \"2021-10-29T15:07:14.044Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'df086e1fe742f0992ecd2aec8a3a4b5be6023cca5ef8caf1da3d5b67e9359047']\", \"valid_from\": \"2021-10-29T15:07:14.044Z\" }", + "type": "indicator" + }, + "mimecast": { + "id": "indicator--90b29bf9-ea1a-423b-8542-4c4590f4038c", + "labels": [ + "malicious-activity" + ], + "log_type": "malware_customer", + "pattern": "[file:hashes.'SHA-256' = 'df086e1fe742f0992ecd2aec8a3a4b5be6023cca5ef8caf1da3d5b67e9359047']", + "type": "indicator" + }, "related": { "hash": [ "df086e1fe742f0992ecd2aec8a3a4b5be6023cca5ef8caf1da3d5b67e9359047" ] }, + "tags": [ + "preserve_original_event", + "malicious-activity" + ], "threat": { "indicator": { - "first_seen": "2021-10-29T15:07:14.044Z", "file": { "hash": { "sha256": "df086e1fe742f0992ecd2aec8a3a4b5be6023cca5ef8caf1da3d5b67e9359047" } }, + "first_seen": "2021-10-29T15:07:14.044Z", "modified_at": "2021-10-29T15:07:14.044Z", "type": "file" } - }, - "event": { - "ingested": "2021-12-14T14:48:21.740198966Z", - "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--90b29bf9-ea1a-423b-8542-4c4590f4038c\", \"created\": \"2021-10-29T15:07:14.044Z\", \"modified\": \"2021-10-29T15:07:14.044Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'df086e1fe742f0992ecd2aec8a3a4b5be6023cca5ef8caf1da3d5b67e9359047']\", \"valid_from\": \"2021-10-29T15:07:14.044Z\" }", - "category": "threat", - "type": "indicator", - "kind": "enrichment" - }, - 
"tags": [ - "preserve_original_event", - "malicious-activity" - ], - "mimecast": { - "pattern": "[file:hashes.'SHA-256' = 'df086e1fe742f0992ecd2aec8a3a4b5be6023cca5ef8caf1da3d5b67e9359047']", - "log_type": "malware_customer", - "id": "indicator--90b29bf9-ea1a-423b-8542-4c4590f4038c", - "type": "indicator", - "labels": [ - "malicious-activity" - ] } }, null, 
@@ -186,42 +182,41 @@ "ecs": { "version": "1.12" }, + "event": { + "category": "threat", + "kind": "enrichment", + "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--a84c0ac6-f99e-4d1e-b552-74e9023d1505\", \"created\": \"2021-10-29T15:07:07.295Z\", \"modified\": \"2021-10-29T15:07:07.295Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = '5dbdcba2a373949359459e0e94954896bc06565d745dd36ee2b013dee1dcc283']\", \"valid_from\": \"2021-10-29T15:07:07.295Z\" }", + "type": "indicator" + }, + "mimecast": { + "id": "indicator--a84c0ac6-f99e-4d1e-b552-74e9023d1505", + "labels": [ + "malicious-activity" + ], + "log_type": "malware_customer", + "pattern": "[file:hashes.'SHA-256' = '5dbdcba2a373949359459e0e94954896bc06565d745dd36ee2b013dee1dcc283']", + "type": "indicator" + }, "related": { "hash": [ "5dbdcba2a373949359459e0e94954896bc06565d745dd36ee2b013dee1dcc283" ] }, + "tags": [ + "preserve_original_event", + "malicious-activity" + ], "threat": { "indicator": { - "first_seen": "2021-10-29T15:07:07.295Z", "file": { "hash": { "sha256": "5dbdcba2a373949359459e0e94954896bc06565d745dd36ee2b013dee1dcc283" } }, + "first_seen": "2021-10-29T15:07:07.295Z", "modified_at": "2021-10-29T15:07:07.295Z", "type": "file" } - }, - "event": { - "ingested": "2021-12-14T14:48:21.740200222Z", - "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--a84c0ac6-f99e-4d1e-b552-74e9023d1505\", \"created\": \"2021-10-29T15:07:07.295Z\", \"modified\": \"2021-10-29T15:07:07.295Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = '5dbdcba2a373949359459e0e94954896bc06565d745dd36ee2b013dee1dcc283']\", \"valid_from\": \"2021-10-29T15:07:07.295Z\" }", - "category": "threat", - "type": "indicator", - "kind": "enrichment" - }, - 
"tags": [ - "preserve_original_event", - "malicious-activity" - ], - "mimecast": { - "pattern": "[file:hashes.'SHA-256' = '5dbdcba2a373949359459e0e94954896bc06565d745dd36ee2b013dee1dcc283']", - "log_type": "malware_customer", - "id": "indicator--a84c0ac6-f99e-4d1e-b552-74e9023d1505", - "type": "indicator", - "labels": [ - "malicious-activity" - ] } }, null, 
@@ -231,42 +226,41 @@ "ecs": { "version": "1.12" }, + "event": { + "category": "threat", + "kind": "enrichment", + "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--1fe76455-3ec3-4319-a34c-e4e8e8236ec0\", \"created\": \"2021-10-29T15:07:00.555Z\", \"modified\": \"2021-10-29T15:07:00.555Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'bcb910f6ab3144c97ca15845741c94479a8925f545ddf59e74253f50d862d10c']\", \"valid_from\": \"2021-10-29T15:07:00.555Z\" }", + "type": "indicator" + }, + "mimecast": { + "id": "indicator--1fe76455-3ec3-4319-a34c-e4e8e8236ec0", + "labels": [ + "malicious-activity" + ], + "log_type": "malware_customer", + "pattern": "[file:hashes.'SHA-256' = 'bcb910f6ab3144c97ca15845741c94479a8925f545ddf59e74253f50d862d10c']", + "type": "indicator" + }, "related": { "hash": [ "bcb910f6ab3144c97ca15845741c94479a8925f545ddf59e74253f50d862d10c" ] }, + "tags": [ + "preserve_original_event", + "malicious-activity" + ], "threat": { "indicator": { - "first_seen": "2021-10-29T15:07:00.555Z", "file": { "hash": { "sha256": "bcb910f6ab3144c97ca15845741c94479a8925f545ddf59e74253f50d862d10c" } }, + "first_seen": "2021-10-29T15:07:00.555Z", "modified_at": "2021-10-29T15:07:00.555Z", "type": "file" } - }, - "event": { - "ingested": "2021-12-14T14:48:21.740201418Z", - "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--1fe76455-3ec3-4319-a34c-e4e8e8236ec0\", \"created\": \"2021-10-29T15:07:00.555Z\", \"modified\": \"2021-10-29T15:07:00.555Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'bcb910f6ab3144c97ca15845741c94479a8925f545ddf59e74253f50d862d10c']\", \"valid_from\": \"2021-10-29T15:07:00.555Z\" }", - "category": "threat", - "type": "indicator", - "kind": "enrichment" - }, - 
"tags": [ - "preserve_original_event", - "malicious-activity" - ], - "mimecast": { - "pattern": "[file:hashes.'SHA-256' = 'bcb910f6ab3144c97ca15845741c94479a8925f545ddf59e74253f50d862d10c']", - "log_type": "malware_customer", - "id": "indicator--1fe76455-3ec3-4319-a34c-e4e8e8236ec0", - "type": "indicator", - "labels": [ - "malicious-activity" - ] } }, null, 
@@ -276,42 +270,41 @@ "ecs": { "version": "1.12" }, + "event": { + "category": "threat", + "kind": "enrichment", + "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--3816deef-ba8f-40c4-ba11-a862b4322b11\", \"created\": \"2021-10-29T15:07:00.259Z\", \"modified\": \"2021-10-29T15:07:00.259Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'e87c5de5f07b36806521334cd25e756b66aa8376d2d52faf269b1878c62cf3dd']\", \"valid_from\": \"2021-10-29T15:07:00.259Z\" }", + "type": "indicator" + }, + "mimecast": { + "id": "indicator--3816deef-ba8f-40c4-ba11-a862b4322b11", + "labels": [ + "malicious-activity" + ], + "log_type": "malware_customer", + "pattern": "[file:hashes.'SHA-256' = 'e87c5de5f07b36806521334cd25e756b66aa8376d2d52faf269b1878c62cf3dd']", + "type": "indicator" + }, "related": { "hash": [ "e87c5de5f07b36806521334cd25e756b66aa8376d2d52faf269b1878c62cf3dd" ] }, + "tags": [ + "preserve_original_event", + "malicious-activity" + ], "threat": { "indicator": { - "first_seen": "2021-10-29T15:07:00.259Z", "file": { "hash": { "sha256": "e87c5de5f07b36806521334cd25e756b66aa8376d2d52faf269b1878c62cf3dd" } }, + "first_seen": "2021-10-29T15:07:00.259Z", "modified_at": "2021-10-29T15:07:00.259Z", "type": "file" } - }, - "event": { - "ingested": "2021-12-14T14:48:21.740202489Z", - "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--3816deef-ba8f-40c4-ba11-a862b4322b11\", \"created\": \"2021-10-29T15:07:00.259Z\", \"modified\": \"2021-10-29T15:07:00.259Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'e87c5de5f07b36806521334cd25e756b66aa8376d2d52faf269b1878c62cf3dd']\", \"valid_from\": \"2021-10-29T15:07:00.259Z\" }", - "category": "threat", - "type": "indicator", - "kind": "enrichment" - }, - 
"tags": [ - "preserve_original_event", - "malicious-activity" - ], - "mimecast": { - "pattern": "[file:hashes.'SHA-256' = 'e87c5de5f07b36806521334cd25e756b66aa8376d2d52faf269b1878c62cf3dd']", - "log_type": "malware_customer", - "id": "indicator--3816deef-ba8f-40c4-ba11-a862b4322b11", - "type": "indicator", - "labels": [ - "malicious-activity" - ] } }, null
diff --git a/packages/mimecast/data_stream/threat_intel_malware_customer/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/threat_intel_malware_customer/elasticsearch/ingest_pipeline/default.yml
index 218edaf06a9..6ad7bbc4bd5 100644
--- a/packages/mimecast/data_stream/threat_intel_malware_customer/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/mimecast/data_stream/threat_intel_malware_customer/elasticsearch/ingest_pipeline/default.yml
@@ -4,9 +4,6 @@ processors:
 ####################
 # Event ECS fields #
 ####################
- - set:
- field: event.ingested
- value: "{{_ingest.timestamp}}"
 - set:
 field: ecs.version
 value: "1.12"
diff --git a/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/pipeline/test-common-config.yml b/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/pipeline/test-common-config.yml
index 5622947e4b8..4da22641654 100644
--- a/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/pipeline/test-common-config.yml
+++ b/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/pipeline/test-common-config.yml
@@ -1,5 +1,3 @@
-dynamic_fields:
- event.ingested: ".*"
 fields:
 tags:
 - preserve_original_event
diff --git a/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/pipeline/test-threat-intel-malware-grid.log-expected.json b/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/pipeline/test-threat-intel-malware-grid.log-expected.json
index eec0f0f1123..ca72d64d8f6 100644
--- a/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/pipeline/test-threat-intel-malware-grid.log-expected.json
+++ b/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/pipeline/test-threat-intel-malware-grid.log-expected.json
@@ -6,42 +6,41 @@ "ecs": { "version": "1.12" }, + "event": { + "category": "threat", + "kind": "enrichment", + "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--18c62174-0d31-4653-afe6-d104c57b6b2c\", \"created\": \"2021-10-29T15:07:26.653Z\", \"modified\": \"2021-10-29T15:07:26.653Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']\", \"valid_from\": \"2021-10-29T15:07:26.653Z\" }", + "type": "indicator" + }, + "mimecast": { + "id": "indicator--18c62174-0d31-4653-afe6-d104c57b6b2c", + "labels": [ + "malicious-activity" + ], + "log_type": "malware_grid", + "pattern": "[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']", + "type": "indicator" + }, "related": { "hash": [ "c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de" ] }, + "tags": [ + "preserve_original_event", + "malicious-activity" + ], "threat": { "indicator": { - "first_seen": "2021-10-29T15:07:26.653Z", "file": { "hash": { "sha256": "c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de" } }, + "first_seen": "2021-10-29T15:07:26.653Z", "modified_at": "2021-10-29T15:07:26.653Z", "type": "file" } - }, - "event": { - "ingested": "2021-12-14T14:48:22.310868961Z", - "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--18c62174-0d31-4653-afe6-d104c57b6b2c\", \"created\": \"2021-10-29T15:07:26.653Z\", \"modified\": \"2021-10-29T15:07:26.653Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']\", \"valid_from\": \"2021-10-29T15:07:26.653Z\" }", - "category": "threat", - "type": "indicator", - "kind": "enrichment" - }, - "tags": [ - 
"preserve_original_event", - "malicious-activity" - ], - "mimecast": { - "pattern": "[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']", - "log_type": "malware_grid", - "id": "indicator--18c62174-0d31-4653-afe6-d104c57b6b2c", - "type": "indicator", - "labels": [ - "malicious-activity" - ] } }, null, 
@@ -51,42 +50,41 @@ "ecs": { "version": "1.12" }, + "event": { + "category": "threat", + "kind": "enrichment", + "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--d70d0fc0-7fbe-4acc-9830-230a97ecdab3\", \"created\": \"2021-10-29T15:07:22.595Z\", \"modified\": \"2021-10-29T15:07:22.595Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = '6a6cd489550ddc08871e14dec73f782bf2405378e9f4adeaa61f1574bea4dbbb']\", \"valid_from\": \"2021-10-29T15:07:22.595Z\" }", + "type": "indicator" + }, + "mimecast": { + "id": "indicator--d70d0fc0-7fbe-4acc-9830-230a97ecdab3", + "labels": [ + "malicious-activity" + ], + "log_type": "malware_grid", + "pattern": "[file:hashes.'SHA-256' = '6a6cd489550ddc08871e14dec73f782bf2405378e9f4adeaa61f1574bea4dbbb']", + "type": "indicator" + }, "related": { "hash": [ "6a6cd489550ddc08871e14dec73f782bf2405378e9f4adeaa61f1574bea4dbbb" ] }, + "tags": [ + "preserve_original_event", + "malicious-activity" + ], "threat": { "indicator": { - "first_seen": "2021-10-29T15:07:22.595Z", "file": { "hash": { "sha256": "6a6cd489550ddc08871e14dec73f782bf2405378e9f4adeaa61f1574bea4dbbb" } }, + "first_seen": "2021-10-29T15:07:22.595Z", "modified_at": "2021-10-29T15:07:22.595Z", "type": "file" } - }, - "event": { - "ingested": "2021-12-14T14:48:22.310870239Z", - "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--d70d0fc0-7fbe-4acc-9830-230a97ecdab3\", \"created\": \"2021-10-29T15:07:22.595Z\", \"modified\": \"2021-10-29T15:07:22.595Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = '6a6cd489550ddc08871e14dec73f782bf2405378e9f4adeaa61f1574bea4dbbb']\", \"valid_from\": \"2021-10-29T15:07:22.595Z\" }", - "category": "threat", - "type": "indicator", - "kind": "enrichment" - }, - "tags": [ - 
"preserve_original_event", - "malicious-activity" - ], - "mimecast": { - "pattern": "[file:hashes.'SHA-256' = '6a6cd489550ddc08871e14dec73f782bf2405378e9f4adeaa61f1574bea4dbbb']", - "log_type": "malware_grid", - "id": "indicator--d70d0fc0-7fbe-4acc-9830-230a97ecdab3", - "type": "indicator", - "labels": [ - "malicious-activity" - ] } }, null, 
@@ -96,42 +94,41 @@ "ecs": { "version": "1.12" }, + "event": { + "category": "threat", + "kind": "enrichment", + "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--571f0b0a-7206-4a1f-9c5d-9c04e46e0976\", \"created\": \"2021-10-29T15:07:17.538Z\", \"modified\": \"2021-10-29T15:07:17.538Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = '8042d56337b7e7be79688ca861b3c4ba928f95b0824f598ca79e63882dea0668']\", \"valid_from\": \"2021-10-29T15:07:17.538Z\" }", + "type": "indicator" + }, + "mimecast": { + "id": "indicator--571f0b0a-7206-4a1f-9c5d-9c04e46e0976", + "labels": [ + "malicious-activity" + ], + "log_type": "malware_grid", + "pattern": "[file:hashes.'SHA-256' = '8042d56337b7e7be79688ca861b3c4ba928f95b0824f598ca79e63882dea0668']", + "type": "indicator" + }, "related": { "hash": [ "8042d56337b7e7be79688ca861b3c4ba928f95b0824f598ca79e63882dea0668" ] }, + "tags": [ + "preserve_original_event", + "malicious-activity" + ], "threat": { "indicator": { - "first_seen": "2021-10-29T15:07:17.538Z", "file": { "hash": { "sha256": "8042d56337b7e7be79688ca861b3c4ba928f95b0824f598ca79e63882dea0668" } }, + "first_seen": "2021-10-29T15:07:17.538Z", "modified_at": "2021-10-29T15:07:17.538Z", "type": "file" } - }, - "event": { - "ingested": "2021-12-14T14:48:22.310871493Z", - "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--571f0b0a-7206-4a1f-9c5d-9c04e46e0976\", \"created\": \"2021-10-29T15:07:17.538Z\", \"modified\": \"2021-10-29T15:07:17.538Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = '8042d56337b7e7be79688ca861b3c4ba928f95b0824f598ca79e63882dea0668']\", \"valid_from\": \"2021-10-29T15:07:17.538Z\" }", - "category": "threat", - "type": "indicator", - "kind": "enrichment" - }, - "tags": [ - 
"preserve_original_event", - "malicious-activity" - ], - "mimecast": { - "pattern": "[file:hashes.'SHA-256' = '8042d56337b7e7be79688ca861b3c4ba928f95b0824f598ca79e63882dea0668']", - "log_type": "malware_grid", - "id": "indicator--571f0b0a-7206-4a1f-9c5d-9c04e46e0976", - "type": "indicator", - "labels": [ - "malicious-activity" - ] } }, null, 
@@ -141,42 +138,41 @@ "ecs": { "version": "1.12" }, + "event": { + "category": "threat", + "kind": "enrichment", + "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--90b29bf9-ea1a-423b-8542-4c4590f4038c\", \"created\": \"2021-10-29T15:07:14.044Z\", \"modified\": \"2021-10-29T15:07:14.044Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'df086e1fe742f0992ecd2aec8a3a4b5be6023cca5ef8caf1da3d5b67e9359047']\", \"valid_from\": \"2021-10-29T15:07:14.044Z\" }", + "type": "indicator" + }, + "mimecast": { + "id": "indicator--90b29bf9-ea1a-423b-8542-4c4590f4038c", + "labels": [ + "malicious-activity" + ], + "log_type": "malware_grid", + "pattern": "[file:hashes.'SHA-256' = 'df086e1fe742f0992ecd2aec8a3a4b5be6023cca5ef8caf1da3d5b67e9359047']", + "type": "indicator" + }, "related": { "hash": [ "df086e1fe742f0992ecd2aec8a3a4b5be6023cca5ef8caf1da3d5b67e9359047" ] }, + "tags": [ + "preserve_original_event", + "malicious-activity" + ], "threat": { "indicator": { - "first_seen": "2021-10-29T15:07:14.044Z", "file": { "hash": { "sha256": "df086e1fe742f0992ecd2aec8a3a4b5be6023cca5ef8caf1da3d5b67e9359047" } }, + "first_seen": "2021-10-29T15:07:14.044Z", "modified_at": "2021-10-29T15:07:14.044Z", "type": "file" } - }, - "event": { - "ingested": "2021-12-14T14:48:22.310872732Z", - "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--90b29bf9-ea1a-423b-8542-4c4590f4038c\", \"created\": \"2021-10-29T15:07:14.044Z\", \"modified\": \"2021-10-29T15:07:14.044Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'df086e1fe742f0992ecd2aec8a3a4b5be6023cca5ef8caf1da3d5b67e9359047']\", \"valid_from\": \"2021-10-29T15:07:14.044Z\" }", - "category": "threat", - "type": "indicator", - "kind": "enrichment" - }, - "tags": [ - 
"preserve_original_event", - "malicious-activity" - ], - "mimecast": { - "pattern": "[file:hashes.'SHA-256' = 'df086e1fe742f0992ecd2aec8a3a4b5be6023cca5ef8caf1da3d5b67e9359047']", - "log_type": "malware_grid", - "id": "indicator--90b29bf9-ea1a-423b-8542-4c4590f4038c", - "type": "indicator", - "labels": [ - "malicious-activity" - ] } }, null, 
@@ -186,42 +182,41 @@ "ecs": { "version": "1.12" }, + "event": { + "category": "threat", + "kind": "enrichment", + "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--a84c0ac6-f99e-4d1e-b552-74e9023d1505\", \"created\": \"2021-10-29T15:07:07.295Z\", \"modified\": \"2021-10-29T15:07:07.295Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = '5dbdcba2a373949359459e0e94954896bc06565d745dd36ee2b013dee1dcc283']\", \"valid_from\": \"2021-10-29T15:07:07.295Z\" }", + "type": "indicator" + }, + "mimecast": { + "id": "indicator--a84c0ac6-f99e-4d1e-b552-74e9023d1505", + "labels": [ + "malicious-activity" + ], + "log_type": "malware_grid", + "pattern": "[file:hashes.'SHA-256' = '5dbdcba2a373949359459e0e94954896bc06565d745dd36ee2b013dee1dcc283']", + "type": "indicator" + }, "related": { "hash": [ "5dbdcba2a373949359459e0e94954896bc06565d745dd36ee2b013dee1dcc283" ] }, + "tags": [ + "preserve_original_event", + "malicious-activity" + ], "threat": { "indicator": { - "first_seen": "2021-10-29T15:07:07.295Z", "file": { "hash": { "sha256": "5dbdcba2a373949359459e0e94954896bc06565d745dd36ee2b013dee1dcc283" } }, + "first_seen": "2021-10-29T15:07:07.295Z", "modified_at": "2021-10-29T15:07:07.295Z", "type": "file" } - }, - "event": { - "ingested": "2021-12-14T14:48:22.310874075Z", - "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--a84c0ac6-f99e-4d1e-b552-74e9023d1505\", \"created\": \"2021-10-29T15:07:07.295Z\", \"modified\": \"2021-10-29T15:07:07.295Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = '5dbdcba2a373949359459e0e94954896bc06565d745dd36ee2b013dee1dcc283']\", \"valid_from\": \"2021-10-29T15:07:07.295Z\" }", - "category": "threat", - "type": "indicator", - "kind": "enrichment" - }, - "tags": [ - 
"preserve_original_event", - "malicious-activity" - ], - "mimecast": { - "pattern": "[file:hashes.'SHA-256' = '5dbdcba2a373949359459e0e94954896bc06565d745dd36ee2b013dee1dcc283']", - "log_type": "malware_grid", - "id": "indicator--a84c0ac6-f99e-4d1e-b552-74e9023d1505", - "type": "indicator", - "labels": [ - "malicious-activity" - ] } }, null, 
@@ -231,42 +226,41 @@ "ecs": { "version": "1.12" }, + "event": { + "category": "threat", + "kind": "enrichment", + "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--1fe76455-3ec3-4319-a34c-e4e8e8236ec0\", \"created\": \"2021-10-29T15:07:00.555Z\", \"modified\": \"2021-10-29T15:07:00.555Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'bcb910f6ab3144c97ca15845741c94479a8925f545ddf59e74253f50d862d10c']\", \"valid_from\": \"2021-10-29T15:07:00.555Z\" }", + "type": "indicator" + }, + "mimecast": { + "id": "indicator--1fe76455-3ec3-4319-a34c-e4e8e8236ec0", + "labels": [ + "malicious-activity" + ], + "log_type": "malware_grid", + "pattern": "[file:hashes.'SHA-256' = 'bcb910f6ab3144c97ca15845741c94479a8925f545ddf59e74253f50d862d10c']", + "type": "indicator" + }, "related": { "hash": [ "bcb910f6ab3144c97ca15845741c94479a8925f545ddf59e74253f50d862d10c" ] }, + "tags": [ + "preserve_original_event", + "malicious-activity" + ], "threat": { "indicator": { - "first_seen": "2021-10-29T15:07:00.555Z", "file": { "hash": { "sha256": "bcb910f6ab3144c97ca15845741c94479a8925f545ddf59e74253f50d862d10c" } }, + "first_seen": "2021-10-29T15:07:00.555Z", "modified_at": "2021-10-29T15:07:00.555Z", "type": "file" } - }, - "event": { - "ingested": "2021-12-14T14:48:22.310875429Z", - "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--1fe76455-3ec3-4319-a34c-e4e8e8236ec0\", \"created\": \"2021-10-29T15:07:00.555Z\", \"modified\": \"2021-10-29T15:07:00.555Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'bcb910f6ab3144c97ca15845741c94479a8925f545ddf59e74253f50d862d10c']\", \"valid_from\": \"2021-10-29T15:07:00.555Z\" }", - "category": "threat", - "type": "indicator", - "kind": "enrichment" - }, - "tags": [ - 
"preserve_original_event", - "malicious-activity" - ], - "mimecast": { - "pattern": "[file:hashes.'SHA-256' = 'bcb910f6ab3144c97ca15845741c94479a8925f545ddf59e74253f50d862d10c']", - "log_type": "malware_grid", - "id": "indicator--1fe76455-3ec3-4319-a34c-e4e8e8236ec0", - "type": "indicator", - "labels": [ - "malicious-activity" - ] } }, null, 
@@ -276,42 +270,41 @@ "ecs": { "version": "1.12" }, + "event": { + "category": "threat", + "kind": "enrichment", + "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--3816deef-ba8f-40c4-ba11-a862b4322b11\", \"created\": \"2021-10-29T15:07:00.259Z\", \"modified\": \"2021-10-29T15:07:00.259Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'e87c5de5f07b36806521334cd25e756b66aa8376d2d52faf269b1878c62cf3dd']\", \"valid_from\": \"2021-10-29T15:07:00.259Z\" }", + "type": "indicator" + }, + "mimecast": { + "id": "indicator--3816deef-ba8f-40c4-ba11-a862b4322b11", + "labels": [ + "malicious-activity" + ], + "log_type": "malware_grid", + "pattern": "[file:hashes.'SHA-256' = 'e87c5de5f07b36806521334cd25e756b66aa8376d2d52faf269b1878c62cf3dd']", + "type": "indicator" + }, "related": { "hash": [ "e87c5de5f07b36806521334cd25e756b66aa8376d2d52faf269b1878c62cf3dd" ] }, + "tags": [ + "preserve_original_event", + "malicious-activity" + ], "threat": { "indicator": { - "first_seen": "2021-10-29T15:07:00.259Z", "file": { "hash": { "sha256": "e87c5de5f07b36806521334cd25e756b66aa8376d2d52faf269b1878c62cf3dd" } }, + "first_seen": "2021-10-29T15:07:00.259Z", "modified_at": "2021-10-29T15:07:00.259Z", "type": "file" } - }, - "event": { - "ingested": "2021-12-14T14:48:22.310876598Z", - "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--3816deef-ba8f-40c4-ba11-a862b4322b11\", \"created\": \"2021-10-29T15:07:00.259Z\", \"modified\": \"2021-10-29T15:07:00.259Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'e87c5de5f07b36806521334cd25e756b66aa8376d2d52faf269b1878c62cf3dd']\", \"valid_from\": \"2021-10-29T15:07:00.259Z\" }", - "category": "threat", - "type": "indicator", - "kind": "enrichment" - }, - "tags": [ - 
"preserve_original_event", - "malicious-activity" - ], - "mimecast": { - "pattern": "[file:hashes.'SHA-256' = 'e87c5de5f07b36806521334cd25e756b66aa8376d2d52faf269b1878c62cf3dd']", - "log_type": "malware_grid", - "id": "indicator--3816deef-ba8f-40c4-ba11-a862b4322b11", - "type": "indicator", - "labels": [ - "malicious-activity" - ] } }, null diff --git a/packages/mimecast/data_stream/threat_intel_malware_grid/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/threat_intel_malware_grid/elasticsearch/ingest_pipeline/default.yml index fb7097bb438..16d618c6c19 100644 --- a/packages/mimecast/data_stream/threat_intel_malware_grid/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/threat_intel_malware_grid/elasticsearch/ingest_pipeline/default.yml @@ -4,9 +4,6 @@ processors: #################### # Event ECS fields # #################### - - set: - field: event.ingested - value: "{{_ingest.timestamp}}" - set: field: ecs.version value: "1.12" diff --git a/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-common-config.yml b/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-common-config.yml index 5622947e4b8..4da22641654 100644 --- a/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-common-config.yml +++ b/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-common-config.yml @@ -1,5 +1,3 @@ -dynamic_fields: - event.ingested: ".*" fields: tags: - preserve_original_event diff --git a/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-ttp-ap-logs.log-expected.json b/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-ttp-ap-logs.log-expected.json index e3ecd05da78..c6171bc1b99 100644 --- a/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-ttp-ap-logs.log-expected.json +++ b/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-ttp-ap-logs.log-expected.json 
@@ -5,6 +5,34 @@ "ecs": { "version": "1.12.0" }, + "email": { + "attachments": { + "file": { + "extension": "pdf", + "mime_type": "application/pdf", + "name": "numbers.pdf" + }, + "hash": "eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3" + }, + "direction": "inbound", + "from": { + "address": "\u003c\u003e" + }, + "message_id": "\u003c20200806044148.F35F813B435@mail.brianjthronton.com\u003e", + "subject": "Important Updated Numbers from the Center for Disease Control", + "to": { + "address": "johndoe@example.com" + } + }, + "event": { + "action": "user_release_none", + "created": "2021-10-14T18:54:32+0000", + "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"fileName\":\"numbers.pdf\",\"fileType\":\"application\\/pdf\",\"result\":\"safe\",\"actionTriggered\":\"user release, none\",\"date\":\"2021-10-14T18:54:32+0000\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 4 sec\",\"route\":\"inbound\",\"messageId\":\"\u003c20200806044148.F35F813B435@mail.brianjthronton.com\u003e\",\"subject\":\"Important Updated Numbers from the Center for Disease Control\",\"fileHash\":\"eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\"}" + }, + "mimecast": { + "details": "Safe \r\nTime taken: 0 hrs, 0 min, 4 sec", + "result": "safe" + }, "related": { "hash": [ "eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3" 
@@ -13,43 +41,42 @@ "rule": { "name": "Inbound - Safe file with On-Demand Sandbox" }, - "event": { - "action": "user_release_none", - "ingested": "2021-12-14T14:48:22.845496090Z", - "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"fileName\":\"numbers.pdf\",\"fileType\":\"application\\/pdf\",\"result\":\"safe\",\"actionTriggered\":\"user release, none\",\"date\":\"2021-10-14T18:54:32+0000\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 4 sec\",\"route\":\"inbound\",\"messageId\":\"\u003c20200806044148.F35F813B435@mail.brianjthronton.com\u003e\",\"subject\":\"Important Updated Numbers from the Center for Disease Control\",\"fileHash\":\"eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\"}", - "created": "2021-10-14T18:54:32+0000" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-10-14T11:24:23.000Z", + "ecs": { + "version": "1.12.0" }, "email": { - "from": { - "address": "\u003c\u003e" - }, - "message_id": "\u003c20200806044148.F35F813B435@mail.brianjthronton.com\u003e", "attachments": { - "hash": "eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3", "file": { - "name": "numbers.pdf", - "mime_type": "application/pdf", - "extension": "pdf" - } + "extension": "docx", + "mime_type": "application/vnd.openxmlformats-officedocument.wordprocessingml.document", + "name": "Titus-Test Doc - Classification - InternalUseOnly.docx" + }, + "hash": "2fb26be55ac710e4d9f80677ba24ae212dbb36bd934a0569fe521839e9f5d16e" + }, + "direction": "inbound", + "from": { + "address": "\u003c\u003e" }, + "message_id": "\u003cDB8P194MB0824EE4C8D360CCE3DEB0243A1B89@DB8P194MB0824.EURP194.PROD.OUTLOOK.COM\u003e", + "subject": "FW: Titus classification work", "to": { "address": "johndoe@example.com" - }, - "subject": "Important Updated Numbers from the Center for Disease Control", - "direction": "inbound" + } + }, + "event": { + 
"action": "user_release_none", + "created": "2021-10-14T11:24:23+0000", + "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"fileName\":\"Titus-Test Doc - Classification - InternalUseOnly.docx\",\"fileType\":\"application\\/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"result\":\"safe\",\"actionTriggered\":\"user release, none\",\"date\":\"2021-10-14T11:24:23+0000\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 5 sec\",\"route\":\"inbound\",\"messageId\":\"\u003cDB8P194MB0824EE4C8D360CCE3DEB0243A1B89@DB8P194MB0824.EURP194.PROD.OUTLOOK.COM\u003e\",\"subject\":\"FW: Titus classification work\",\"fileHash\":\"2fb26be55ac710e4d9f80677ba24ae212dbb36bd934a0569fe521839e9f5d16e\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { - "result": "safe", - "details": "Safe \r\nTime taken: 0 hrs, 0 min, 4 sec" - } - }, - { - "@timestamp": "2021-10-14T11:24:23.000Z", - "ecs": { - "version": "1.12.0" + "details": "Safe \r\nTime taken: 0 hrs, 0 min, 5 sec", + "result": "safe" }, "related": { "hash": [ 
@@ -59,43 +86,42 @@ "rule": { "name": "Inbound - Safe file with On-Demand Sandbox" }, - "event": { - "action": "user_release_none", - "ingested": "2021-12-14T14:48:22.845498572Z", - "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"fileName\":\"Titus-Test Doc - Classification - InternalUseOnly.docx\",\"fileType\":\"application\\/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"result\":\"safe\",\"actionTriggered\":\"user release, none\",\"date\":\"2021-10-14T11:24:23+0000\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 5 sec\",\"route\":\"inbound\",\"messageId\":\"\u003cDB8P194MB0824EE4C8D360CCE3DEB0243A1B89@DB8P194MB0824.EURP194.PROD.OUTLOOK.COM\u003e\",\"subject\":\"FW: Titus classification work\",\"fileHash\":\"2fb26be55ac710e4d9f80677ba24ae212dbb36bd934a0569fe521839e9f5d16e\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\"}", - "created": "2021-10-14T11:24:23+0000" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-10-14T11:24:23.000Z", + "ecs": { + "version": "1.12.0" }, "email": { + "attachments": { + "file": { + "extension": "pptx", + "mime_type": "application/vnd.openxmlformats-officedocument.presentationml", + "name": "Titus classification v0.3.pptx" + }, + "hash": "111b86e1244ce6389efb60cddc001d594d334c540e85f9976be467a4ce472973" + }, + "direction": "inbound", "from": { "address": "\u003c\u003e" }, "message_id": "\u003cDB8P194MB0824EE4C8D360CCE3DEB0243A1B89@DB8P194MB0824.EURP194.PROD.OUTLOOK.COM\u003e", - "attachments": { - "hash": "2fb26be55ac710e4d9f80677ba24ae212dbb36bd934a0569fe521839e9f5d16e", - "file": { - "name": "Titus-Test Doc - Classification - InternalUseOnly.docx", - "mime_type": "application/vnd.openxmlformats-officedocument.wordprocessingml.document", - "extension": "docx" - } - }, + "subject": "FW: Titus classification work", "to": { "address": "johndoe@example.com" - }, - "subject": "FW: Titus classification work", - "direction": 
"inbound" + } + }, + "event": { + "action": "user_release_none", + "created": "2021-10-14T11:24:23+0000", + "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"fileName\":\"Titus classification v0.3.pptx\",\"fileType\":\"application\\/vnd.openxmlformats-officedocument.presentationml\",\"result\":\"safe\",\"actionTriggered\":\"user release, none\",\"date\":\"2021-10-14T11:24:23+0000\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 5 sec\",\"route\":\"inbound\",\"messageId\":\"\u003cDB8P194MB0824EE4C8D360CCE3DEB0243A1B89@DB8P194MB0824.EURP194.PROD.OUTLOOK.COM\u003e\",\"subject\":\"FW: Titus classification work\",\"fileHash\":\"111b86e1244ce6389efb60cddc001d594d334c540e85f9976be467a4ce472973\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { - "result": "safe", - "details": "Safe \r\nTime taken: 0 hrs, 0 min, 5 sec" - } - }, - { - "@timestamp": "2021-10-14T11:24:23.000Z", - "ecs": { - "version": "1.12.0" + "details": "Safe \r\nTime taken: 0 hrs, 0 min, 5 sec", + "result": "safe" }, "related": { "hash": [ 
@@ -105,38 +131,9 @@ "rule": { "name": "Inbound - Safe file with On-Demand Sandbox" }, - "event": { - "action": "user_release_none", - "ingested": "2021-12-14T14:48:22.845499051Z", - "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"fileName\":\"Titus classification v0.3.pptx\",\"fileType\":\"application\\/vnd.openxmlformats-officedocument.presentationml\",\"result\":\"safe\",\"actionTriggered\":\"user release, none\",\"date\":\"2021-10-14T11:24:23+0000\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 5 sec\",\"route\":\"inbound\",\"messageId\":\"\u003cDB8P194MB0824EE4C8D360CCE3DEB0243A1B89@DB8P194MB0824.EURP194.PROD.OUTLOOK.COM\u003e\",\"subject\":\"FW: Titus classification work\",\"fileHash\":\"111b86e1244ce6389efb60cddc001d594d334c540e85f9976be467a4ce472973\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\"}", - "created": "2021-10-14T11:24:23+0000" - }, - "email": { - "from": { - "address": "\u003c\u003e" - }, - "message_id": "\u003cDB8P194MB0824EE4C8D360CCE3DEB0243A1B89@DB8P194MB0824.EURP194.PROD.OUTLOOK.COM\u003e", - "attachments": { - "hash": "111b86e1244ce6389efb60cddc001d594d334c540e85f9976be467a4ce472973", - "file": { - "name": "Titus classification v0.3.pptx", - "mime_type": "application/vnd.openxmlformats-officedocument.presentationml", - "extension": "pptx" - } - }, - "to": { - "address": "johndoe@example.com" - }, - "subject": "FW: Titus classification work", - "direction": "inbound" - }, "tags": [ "preserve_original_event" - ], - "mimecast": { - "result": "safe", - "details": "Safe \r\nTime taken: 0 hrs, 0 min, 5 sec" - } + ] } ] } \ No newline at end of file diff --git a/packages/mimecast/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml index 4a1650557c1..cc55251a5f6 100644 --- a/packages/mimecast/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml 
+++ b/packages/mimecast/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml
@@ -2,9 +2,6 @@ description: Pipeline for processing sample logs
processors:
# Generic event/ecs fields we always want to populated
- - set:
- field: event.ingested
- value: "{{ _ingest.timestamp }}"
- set:
field: ecs.version
value: "1.12.0"
diff --git a/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-common-config.yml b/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-common-config.yml
index 5622947e4b8..4da22641654 100644
--- a/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-common-config.yml
+++ b/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-common-config.yml
@@ -1,5 +1,3 @@
-dynamic_fields:
- event.ingested: ".*"
fields:
tags:
- preserve_original_event
diff --git a/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log-expected.json b/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log-expected.json
index cd58b61e693..b936d1f469c 100644
--- a/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log-expected.json
+++ b/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log-expected.json
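Review bot: The `ecs.version` line left in context here pins `"1.12.0"` while the threat_intel_malware_customer and threat_intel_malware_grid pipelines in this same patch pin `"1.12"`; mixed values across the data streams of one package make filtering or dashboards keyed on `ecs.version` unreliable, and the full three-part version string is the form ECS documents. Since this commit already edits the lines next to the version in all three pipelines, aligning them on `value: "1.12.0"` would be a cheap addition. The enclosing `processors` list continues outside the hunk.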
@@ -5,58 +5,37 @@ "ecs": { "version": "1.12.0" }, - "related": { - "ip": [ - "67.43.156.15" - ] - }, - "rule": { - "name": "IP - 1 hit (Tag email)" - }, - "source": { - "ip": "67.43.156.15" - }, - "event": { - "action": "none", - "ingested": "2021-12-14T14:48:23.039517642Z", - "original": "{\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjU1NjIw1FEqSy0qzszPU7ICskvywAoNDAyVagFirRIG\",\"senderAddress\":\"smtp@example.com\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Requested File\",\"definition\":\"IP - 1 hit (Tag email)\",\"hits\":1,\"identifiers\":[\"internal_user_name\"],\"action\":\"none\",\"taggedExternal\":false,\"taggedMalicious\":true,\"senderIpAddress\":\"67.43.156.15\",\"eventTime\":\"2021-10-15T17:10:46+0000\",\"impersonationResults\":[{\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"John Doe Jr \u003cjohndoejr@example.com\u003e\",\"stringSimilarToDomain\":\"John Doe Jr\",\"checkerResult\":\"hit\"}],\"messageId\":\"\u003cEE7E97EA-1926-4A90-9399-D049A98893F4@emailsec.ninja\u003e\"}", - "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjU1NjIw1FEqSy0qzszPU7ICskvywAoNDAyVagFirRIG", - "created": "2021-10-15T17:10:46+0000" - }, "email": { "from": { "address": "smtp@example.com" }, "message_id": "\u003cEE7E97EA-1926-4A90-9399-D049A98893F4@emailsec.ninja\u003e", + "subject": "Requested File", "to": { "address": "johndoe@example.com" - }, - "subject": "Requested File" + } + }, + "event": { + "action": "none", + "created": "2021-10-15T17:10:46+0000", + "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjU1NjIw1FEqSy0qzszPU7ICskvywAoNDAyVagFirRIG", + "original": "{\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjU1NjIw1FEqSy0qzszPU7ICskvywAoNDAyVagFirRIG\",\"senderAddress\":\"smtp@example.com\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Requested File\",\"definition\":\"IP - 1 hit (Tag 
email)\",\"hits\":1,\"identifiers\":[\"internal_user_name\"],\"action\":\"none\",\"taggedExternal\":false,\"taggedMalicious\":true,\"senderIpAddress\":\"67.43.156.15\",\"eventTime\":\"2021-10-15T17:10:46+0000\",\"impersonationResults\":[{\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"John Doe Jr \u003cjohndoejr@example.com\u003e\",\"stringSimilarToDomain\":\"John Doe Jr\",\"checkerResult\":\"hit\"}],\"messageId\":\"\u003cEE7E97EA-1926-4A90-9399-D049A98893F4@emailsec.ninja\u003e\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "hits": 1, + "identifiers": [ + "internal_user_name" + ], "impersonationResults": [ { "checkerResult": "hit", "impersonationDomainSource": "internal_user_name", - "stringSimilarToDomain": "John Doe Jr", - "similarDomain": "John Doe Jr \u003cjohndoejr@example.com\u003e" + "similarDomain": "John Doe Jr \u003cjohndoejr@example.com\u003e", + "stringSimilarToDomain": "John Doe Jr" } ], - "taggedMalicious": true, "taggedExternal": false, - "identifiers": [ - "internal_user_name" - ] - } - }, - { - "@timestamp": "2021-10-15T06:16:34.000Z", - "ecs": { - "version": "1.12.0" + "taggedMalicious": true }, "related": { "ip": [ 
@@ -69,47 +48,46 @@ "source": { "ip": "67.43.156.15" }, - "event": { - "action": "none", - "ingested": "2021-12-14T14:48:23.039520180Z", - "original": "{\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjUzszAx0VEqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGShEhs\",\"senderAddress\":\"johndoe@gmail.com\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Fwd: Here ya go\",\"definition\":\"IP - 1 hit (Tag email)\",\"hits\":1,\"identifiers\":[\"internal_user_name\"],\"action\":\"none\",\"taggedExternal\":false,\"taggedMalicious\":true,\"senderIpAddress\":\"67.43.156.15\",\"eventTime\":\"2021-10-15T06:16:34+0000\",\"impersonationResults\":[{\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"John Doe \u003cjohndoe@example.com\u003e\",\"stringSimilarToDomain\":\"John Doe\",\"checkerResult\":\"hit\"}],\"messageId\":\"\u003cCAOsCE-eP_fM6j=OL7Mwufic_s8t8VgNaCWdWM+sHYvWAFxiDig@mail.gmail.com\u003e\"}", - "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjUzszAx0VEqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGShEhs", - "created": "2021-10-15T06:16:34+0000" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-10-15T06:16:34.000Z", + "ecs": { + "version": "1.12.0" }, "email": { "from": { "address": "johndoe@gmail.com" }, "message_id": "\u003cCAOsCE-eP_fM6j=OL7Mwufic_s8t8VgNaCWdWM+sHYvWAFxiDig@mail.gmail.com\u003e", + "subject": "Fwd: Here ya go", "to": { "address": "johndoe@example.com" - }, - "subject": "Fwd: Here ya go" + } + }, + "event": { + "action": "none", + "created": "2021-10-15T06:16:34+0000", + "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjUzszAx0VEqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGShEhs", + "original": "{\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjUzszAx0VEqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGShEhs\",\"senderAddress\":\"johndoe@gmail.com\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Fwd: Here ya go\",\"definition\":\"IP - 1 hit (Tag 
email)\",\"hits\":1,\"identifiers\":[\"internal_user_name\"],\"action\":\"none\",\"taggedExternal\":false,\"taggedMalicious\":true,\"senderIpAddress\":\"67.43.156.15\",\"eventTime\":\"2021-10-15T06:16:34+0000\",\"impersonationResults\":[{\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"John Doe \u003cjohndoe@example.com\u003e\",\"stringSimilarToDomain\":\"John Doe\",\"checkerResult\":\"hit\"}],\"messageId\":\"\u003cCAOsCE-eP_fM6j=OL7Mwufic_s8t8VgNaCWdWM+sHYvWAFxiDig@mail.gmail.com\u003e\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "hits": 1, + "identifiers": [ + "internal_user_name" + ], "impersonationResults": [ { "checkerResult": "hit", "impersonationDomainSource": "internal_user_name", - "stringSimilarToDomain": "John Doe", - "similarDomain": "John Doe \u003cjohndoe@example.com\u003e" + "similarDomain": "John Doe \u003cjohndoe@example.com\u003e", + "stringSimilarToDomain": "John Doe" } ], - "taggedMalicious": true, "taggedExternal": false, - "identifiers": [ - "internal_user_name" - ] - } - }, - { - "@timestamp": "2021-10-13T16:12:07.000Z", - "ecs": { - "version": "1.12.0" + "taggedMalicious": true }, "related": { "ip": [ 
@@ -117,52 +95,71 @@ ] }, "rule": { - "name": "IP - 2 hits (Hold for Review / User Hold)" + "name": "IP - 1 hit (Tag email)" }, "source": { "ip": "67.43.156.15" }, - "event": { - "action": "hold", - "ingested": "2021-12-14T14:48:23.039520641Z", - "original": "{\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjUzMDMz01EqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGQhEhc\",\"senderAddress\":\"johndoe@mimecast.com\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"RE: MSP Sales of Managed E2E\",\"definition\":\"IP - 2 hits (Hold for Review \\/ User Hold)\",\"hits\":2,\"identifiers\":[\"targeted_threat_dictionary\",\"internal_user_name\"],\"action\":\"hold\",\"taggedExternal\":false,\"taggedMalicious\":true,\"senderIpAddress\":\"67.43.156.15\",\"eventTime\":\"2021-10-13T16:12:07+0000\",\"impersonationResults\":[{\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"Emily Doe \u003cemilydoe@example.com\u003e\",\"stringSimilarToDomain\":\"Emily Doe\",\"checkerResult\":\"hit\"},{\"impersonationDomainSource\":\"targeted_threat_dictionary\",\"stringSimilarToDomain\":\"who\"}],\"messageId\":\"\u003cPR3P194MB06183A3BE81F0831A8402B47D3B79@PR3P194MB0618.EURP194.PROD.OUTLOOK.COM\u003e\"}", - "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjUzMDMz01EqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGQhEhc", - "created": "2021-10-13T16:12:07+0000" + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2021-10-13T16:12:07.000Z", + "ecs": { + "version": "1.12.0" }, "email": { "from": { "address": "johndoe@mimecast.com" }, "message_id": "\u003cPR3P194MB06183A3BE81F0831A8402B47D3B79@PR3P194MB0618.EURP194.PROD.OUTLOOK.COM\u003e", + "subject": "RE: MSP Sales of Managed E2E", "to": { "address": "johndoe@example.com" - }, - "subject": "RE: MSP Sales of Managed E2E" + } + }, + "event": { + "action": "hold", + "created": "2021-10-13T16:12:07+0000", + "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjUzMDMz01EqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGQhEhc", + 
"original": "{\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjUzMDMz01EqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGQhEhc\",\"senderAddress\":\"johndoe@mimecast.com\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"RE: MSP Sales of Managed E2E\",\"definition\":\"IP - 2 hits (Hold for Review \\/ User Hold)\",\"hits\":2,\"identifiers\":[\"targeted_threat_dictionary\",\"internal_user_name\"],\"action\":\"hold\",\"taggedExternal\":false,\"taggedMalicious\":true,\"senderIpAddress\":\"67.43.156.15\",\"eventTime\":\"2021-10-13T16:12:07+0000\",\"impersonationResults\":[{\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"Emily Doe \u003cemilydoe@example.com\u003e\",\"stringSimilarToDomain\":\"Emily Doe\",\"checkerResult\":\"hit\"},{\"impersonationDomainSource\":\"targeted_threat_dictionary\",\"stringSimilarToDomain\":\"who\"}],\"messageId\":\"\u003cPR3P194MB06183A3BE81F0831A8402B47D3B79@PR3P194MB0618.EURP194.PROD.OUTLOOK.COM\u003e\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "hits": 2, + "identifiers": [ + "targeted_threat_dictionary", + "internal_user_name" + ], "impersonationResults": [ { "checkerResult": "hit", "impersonationDomainSource": "internal_user_name", - "stringSimilarToDomain": "Emily Doe", - "similarDomain": "Emily Doe \u003cemilydoe@example.com\u003e" + "similarDomain": "Emily Doe \u003cemilydoe@example.com\u003e", + "stringSimilarToDomain": "Emily Doe" }, { "impersonationDomainSource": "targeted_threat_dictionary", "stringSimilarToDomain": "who" } ], - "taggedMalicious": true, "taggedExternal": false, - "identifiers": [ - "targeted_threat_dictionary", - "internal_user_name" + "taggedMalicious": true + }, + "related": { + "ip": [ + "67.43.156.15" ] - } + }, + "rule": { + "name": "IP - 2 hits (Hold for Review / User Hold)" + }, + "source": { + "ip": "67.43.156.15" + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file 
diff --git a/packages/mimecast/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml
index 8b3e430570f..578e4fb6dab 100644
--- a/packages/mimecast/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/mimecast/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml
@@ -2,9 +2,6 @@
 description: Pipeline for processing sample logs
 processors:
   # Generic event/ecs fields we always want to populated
-  - set:
-      field: event.ingested
-      value: "{{ _ingest.timestamp }}"
   - set:
       field: ecs.version
       value: "1.12.0"
diff --git a/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-common-config.yml b/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-common-config.yml
index 5622947e4b8..4da22641654 100644
--- a/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-common-config.yml
+++ b/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-common-config.yml
@@ -1,5 +1,3 @@
-dynamic_fields:
-  event.ingested: ".*"
 fields:
   tags:
     - preserve_original_event
diff --git a/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json b/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json
index 7531f183166..1d0f4f1d27f 100644
--- a/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json
+++ b/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json
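Review bot: With the `event.ingested` set processor removed, this pipeline no longer records ingest time itself and now depends on Fleet's final pipeline to populate the field, but nothing in the file says so, and the surviving comment `# Generic event/ecs fields we always want to populated` now sits above only the `ecs.version` set and has a grammar slip. I would rewrite it as `# Generic ECS fields we always want populated. event.ingested is added by the Fleet final pipeline, so it is deliberately not set here.` so the next maintainer does not re-add the processor. One consequence worth being aware of is that `event.ingested`, which responders typically use to spot delayed or backfilled Mimecast events, is absent whenever the pipeline runs outside Fleet (for example a direct simulate call), which the `test-common-config.yml` hunk in the same span accounts for by dropping the `event.ingested` dynamic field. The identical hunk in the `ttp_url_logs` pipeline further down deserves the same comment.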
@@ -1,177 +1,174 @@ { "expected": [ { - "rule": { - "name": "Inbound URL 'Aggressive'" - }, - "source": { - "ip": "67.43.156.15" - }, - "url": { - "original": "https://click.emailinfo2.bestbuy.com/?qs=5c47c91aeb44fac857370c26ddf09c3f484431e1ccfa636fc64e26e40dd87efdb43d4deeeab8c2e727ebfa079e8cf1404c095c511152e4b09e7d00bf8377f32d" - }, - "tags": [ - "preserve_original_event" - ], "@timestamp": "2021-10-16T14:45:34.000Z", "ecs": { "version": "1.12.0" }, - "related": { - "user": [ - "johndoe", - "johndoe@example.com" - ], - "ip": [ - "67.43.156.15" - ] - }, - "event": { - "action": "Continue", - "ingested": "2021-12-14T14:48:23.257050639Z", - "original": "{\"userEmailAddress\": \"johndoe@example.com\", \"fromUserEmailAddress\": \"bestbuyinfo@emailinfo.bestbuy.com\", \"url\": \"https://click.emailinfo2.bestbuy.com/?qs=5c47c91aeb44fac857370c26ddf09c3f484431e1ccfa636fc64e26e40dd87efdb43d4deeeab8c2e727ebfa079e8cf1404c095c511152e4b09e7d00bf8377f32d\", \"ttpDefinition\": \"Inbound URL 'Aggressive'\", \"subject\": \"Today only: Save $100 on Tineco Pure One S12 smart cordless stick vacuum, plus more.\", \"action\": \"allow\", \"adminOverride\": \"N/A\", \"userOverride\": \"None\", \"scanResult\": \"clean\", \"category\": \"Business\", \"sendingIp\": \"67.43.156.15\", \"userAwarenessAction\": \"Continue\", \"date\": \"2021-10-16T14:45:34+0000\", \"actions\": \"Allow\", \"route\": \"inbound\", \"creationMethod\": \"User Click\", \"emailPartsDescription\": [ \"Body\" ], \"messageId\": \"\u003c31b43097-94f9-4f64-8e37-8ad23650c692@ind1s01mta1292.xt.local\u003e\" }", - "created": "2021-10-16T14:45:34+0000" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" - }, "email": { - "message_id": "\u003c31b43097-94f9-4f64-8e37-8ad23650c692@ind1s01mta1292.xt.local\u003e", + "direction": "inbound", "from": { "address": "bestbuyinfo@emailinfo.bestbuy.com" }, - "subject": "Today only: Save $100 on Tineco Pure One S12 smart cordless stick vacuum, 
plus more.", - "direction": "inbound" + "message_id": "\u003c31b43097-94f9-4f64-8e37-8ad23650c692@ind1s01mta1292.xt.local\u003e", + "subject": "Today only: Save $100 on Tineco Pure One S12 smart cordless stick vacuum, plus more." + }, + "event": { + "action": "Continue", + "created": "2021-10-16T14:45:34+0000", + "original": "{\"userEmailAddress\": \"johndoe@example.com\", \"fromUserEmailAddress\": \"bestbuyinfo@emailinfo.bestbuy.com\", \"url\": \"https://click.emailinfo2.bestbuy.com/?qs=5c47c91aeb44fac857370c26ddf09c3f484431e1ccfa636fc64e26e40dd87efdb43d4deeeab8c2e727ebfa079e8cf1404c095c511152e4b09e7d00bf8377f32d\", \"ttpDefinition\": \"Inbound URL 'Aggressive'\", \"subject\": \"Today only: Save $100 on Tineco Pure One S12 smart cordless stick vacuum, plus more.\", \"action\": \"allow\", \"adminOverride\": \"N/A\", \"userOverride\": \"None\", \"scanResult\": \"clean\", \"category\": \"Business\", \"sendingIp\": \"67.43.156.15\", \"userAwarenessAction\": \"Continue\", \"date\": \"2021-10-16T14:45:34+0000\", \"actions\": \"Allow\", \"route\": \"inbound\", \"creationMethod\": \"User Click\", \"emailPartsDescription\": [ \"Body\" ], \"messageId\": \"\u003c31b43097-94f9-4f64-8e37-8ad23650c692@ind1s01mta1292.xt.local\u003e\" }" }, "mimecast": { - "userOverride": "None", "action": "allow", + "actions": "Allow", "adminOverride": "N/A", - "scanResult": "clean", "category": "Business", - "actions": "Allow", "creationMethod": "User Click", "emailPartsDescription": [ "Body" + ], + "scanResult": "clean", + "userOverride": "None" + }, + "related": { + "ip": [ + "67.43.156.15" + ], + "user": [ + "johndoe", + "johndoe@example.com" ] - } - }, - { + }, "rule": { "name": "Inbound URL 'Aggressive'" }, "source": { "ip": "67.43.156.15" }, - "url": { - "original": 
"https://www.livingsocial.com/browse/?locale=en_US\u0026topCategory=all-deals\u0026p=14\u0026utm_source=newsletter_im\u0026utm_medium=email\u0026t_division=boston\u0026date=20211016\u0026uu=1bea09ca-8a29-11e9-b7f7-0242ac120002\u0026CID=US\u0026tx=0\u0026s=body\u0026c=banner\u0026d=dynamic-banner-4\u0026utm_campaign=194d1bb8-dc74-4bed-b470-0154e934bfb3_0_20211016_treatment0" - }, "tags": [ "preserve_original_event" ], - "@timestamp": "2021-10-16T14:07:38.000Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "user": [ - "johndoe", - "johndoe@example.com" - ], - "ip": [ - "67.43.156.15" - ] - }, - "event": { - "action": "Continue", - "ingested": "2021-12-14T14:48:23.257055410Z", - "original": "{\"userEmailAddress\":\"johndoe@example.com\",\"fromUserEmailAddress\":\"noreply@r.livingsocial.com\",\"url\":\"https:\\/\\/www.livingsocial.com\\/browse\\/?locale=en_US\u0026topCategory=all-deals\u0026p=14\u0026utm_source=newsletter_im\u0026utm_medium=email\u0026t_division=boston\u0026date=20211016\u0026uu=1bea09ca-8a29-11e9-b7f7-0242ac120002\u0026CID=US\u0026tx=0\u0026s=body\u0026c=banner\u0026d=dynamic-banner-4\u0026utm_campaign=194d1bb8-dc74-4bed-b470-0154e934bfb3_0_20211016_treatment0\",\"ttpDefinition\":\"Inbound URL 'Aggressive'\",\"subject\":\"Jump Pass + Mega Sale\",\"action\":\"allow\",\"adminOverride\":\"N\\/A\",\"userOverride\":\"None\",\"scanResult\":\"clean\",\"category\":\"Business\",\"sendingIp\":\"67.43.156.15\",\"userAwarenessAction\":\"Continue\",\"date\":\"2021-10-16T14:07:38+0000\",\"actions\":\"Allow\",\"route\":\"inbound\",\"creationMethod\":\"User Click\",\"emailPartsDescription\":[\"Body\"],\"messageId\":\"\u003c803962655.28921622.1634393221485.JavaMail.rocketman@push-dispatcher65.sac1\u003e\"}", - "created": "2021-10-16T14:07:38+0000" + "url": { + "original": "https://click.emailinfo2.bestbuy.com/?qs=5c47c91aeb44fac857370c26ddf09c3f484431e1ccfa636fc64e26e40dd87efdb43d4deeeab8c2e727ebfa079e8cf1404c095c511152e4b09e7d00bf8377f32d" }, "user": { - 
"name": "johndoe", + "domain": "example.com", "email": "johndoe@example.com", - "domain": "example.com" + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-16T14:07:38.000Z", + "ecs": { + "version": "1.12.0" }, "email": { - "message_id": "\u003c803962655.28921622.1634393221485.JavaMail.rocketman@push-dispatcher65.sac1\u003e", + "direction": "inbound", "from": { "address": "noreply@r.livingsocial.com" }, - "subject": "Jump Pass + Mega Sale", - "direction": "inbound" + "message_id": "\u003c803962655.28921622.1634393221485.JavaMail.rocketman@push-dispatcher65.sac1\u003e", + "subject": "Jump Pass + Mega Sale" + }, + "event": { + "action": "Continue", + "created": "2021-10-16T14:07:38+0000", + "original": "{\"userEmailAddress\":\"johndoe@example.com\",\"fromUserEmailAddress\":\"noreply@r.livingsocial.com\",\"url\":\"https:\\/\\/www.livingsocial.com\\/browse\\/?locale=en_US\u0026topCategory=all-deals\u0026p=14\u0026utm_source=newsletter_im\u0026utm_medium=email\u0026t_division=boston\u0026date=20211016\u0026uu=1bea09ca-8a29-11e9-b7f7-0242ac120002\u0026CID=US\u0026tx=0\u0026s=body\u0026c=banner\u0026d=dynamic-banner-4\u0026utm_campaign=194d1bb8-dc74-4bed-b470-0154e934bfb3_0_20211016_treatment0\",\"ttpDefinition\":\"Inbound URL 'Aggressive'\",\"subject\":\"Jump Pass + Mega Sale\",\"action\":\"allow\",\"adminOverride\":\"N\\/A\",\"userOverride\":\"None\",\"scanResult\":\"clean\",\"category\":\"Business\",\"sendingIp\":\"67.43.156.15\",\"userAwarenessAction\":\"Continue\",\"date\":\"2021-10-16T14:07:38+0000\",\"actions\":\"Allow\",\"route\":\"inbound\",\"creationMethod\":\"User Click\",\"emailPartsDescription\":[\"Body\"],\"messageId\":\"\u003c803962655.28921622.1634393221485.JavaMail.rocketman@push-dispatcher65.sac1\u003e\"}" }, "mimecast": { - "userOverride": "None", "action": "allow", + "actions": "Allow", "adminOverride": "N/A", - "scanResult": "clean", "category": "Business", - "actions": "Allow", "creationMethod": "User Click", "emailPartsDescription": [ "Body" + 
], + "scanResult": "clean", + "userOverride": "None" + }, + "related": { + "ip": [ + "67.43.156.15" + ], + "user": [ + "johndoe", + "johndoe@example.com" ] - } - }, - { + }, "rule": { "name": "Inbound URL 'Aggressive'" }, "source": { "ip": "67.43.156.15" }, - "url": { - "original": "https://www.nflshop.com/how-can-i-contact-customer-service/ch-2244" - }, "tags": [ "preserve_original_event" ], - "@timestamp": "2021-10-16T13:31:56.000Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "user": [ - "johndoe", - "johndoe@example.com" - ], - "ip": [ - "67.43.156.15" - ] - }, - "event": { - "action": "Continue", - "ingested": "2021-12-14T14:48:23.257055914Z", - "original": "{\"userEmailAddress\":\"johndoe@example.com\",\"fromUserEmailAddress\":\"nflshop.com@eml.nflshop.com\",\"url\":\"https:\\/\\/www.nflshop.com\\/how-can-i-contact-customer-service\\/ch-2244\",\"ttpDefinition\":\"Inbound URL 'Aggressive'\",\"subject\":\"25% Off Tees to Give During Early Gifting Sale\",\"action\":\"allow\",\"adminOverride\":\"N\\/A\",\"userOverride\":\"None\",\"scanResult\":\"clean\",\"category\":\"Fashion \u0026 Beauty\",\"sendingIp\":\"67.43.156.15\",\"userAwarenessAction\":\"Continue\",\"date\":\"2021-10-16T13:31:56+0000\",\"actions\":\"Allow\",\"route\":\"inbound\",\"creationMethod\":\"User Click\",\"emailPartsDescription\":[\"Body\"],\"messageId\":\"\u003c28ad4be3-2d3a-491d-9aa7-a5a907123da1@ind1s01mta1115.xt.local\u003e\"}", - "created": "2021-10-16T13:31:56+0000" + "url": { + "original": "https://www.livingsocial.com/browse/?locale=en_US\u0026topCategory=all-deals\u0026p=14\u0026utm_source=newsletter_im\u0026utm_medium=email\u0026t_division=boston\u0026date=20211016\u0026uu=1bea09ca-8a29-11e9-b7f7-0242ac120002\u0026CID=US\u0026tx=0\u0026s=body\u0026c=banner\u0026d=dynamic-banner-4\u0026utm_campaign=194d1bb8-dc74-4bed-b470-0154e934bfb3_0_20211016_treatment0" }, "user": { - "name": "johndoe", + "domain": "example.com", "email": "johndoe@example.com", - "domain": "example.com" + 
"name": "johndoe" + } + }, + { + "@timestamp": "2021-10-16T13:31:56.000Z", + "ecs": { + "version": "1.12.0" }, "email": { - "message_id": "\u003c28ad4be3-2d3a-491d-9aa7-a5a907123da1@ind1s01mta1115.xt.local\u003e", + "direction": "inbound", "from": { "address": "nflshop.com@eml.nflshop.com" }, - "subject": "25% Off Tees to Give During Early Gifting Sale", - "direction": "inbound" + "message_id": "\u003c28ad4be3-2d3a-491d-9aa7-a5a907123da1@ind1s01mta1115.xt.local\u003e", + "subject": "25% Off Tees to Give During Early Gifting Sale" + }, + "event": { + "action": "Continue", + "created": "2021-10-16T13:31:56+0000", + "original": "{\"userEmailAddress\":\"johndoe@example.com\",\"fromUserEmailAddress\":\"nflshop.com@eml.nflshop.com\",\"url\":\"https:\\/\\/www.nflshop.com\\/how-can-i-contact-customer-service\\/ch-2244\",\"ttpDefinition\":\"Inbound URL 'Aggressive'\",\"subject\":\"25% Off Tees to Give During Early Gifting Sale\",\"action\":\"allow\",\"adminOverride\":\"N\\/A\",\"userOverride\":\"None\",\"scanResult\":\"clean\",\"category\":\"Fashion \u0026 Beauty\",\"sendingIp\":\"67.43.156.15\",\"userAwarenessAction\":\"Continue\",\"date\":\"2021-10-16T13:31:56+0000\",\"actions\":\"Allow\",\"route\":\"inbound\",\"creationMethod\":\"User Click\",\"emailPartsDescription\":[\"Body\"],\"messageId\":\"\u003c28ad4be3-2d3a-491d-9aa7-a5a907123da1@ind1s01mta1115.xt.local\u003e\"}" }, "mimecast": { - "userOverride": "None", "action": "allow", + "actions": "Allow", "adminOverride": "N/A", - "scanResult": "clean", "category": "Fashion \u0026 Beauty", - "actions": "Allow", "creationMethod": "User Click", "emailPartsDescription": [ "Body" + ], + "scanResult": "clean", + "userOverride": "None" + }, + "related": { + "ip": [ + "67.43.156.15" + ], + "user": [ + "johndoe", + "johndoe@example.com" ] + }, + "rule": { + "name": "Inbound URL 'Aggressive'" + }, + "source": { + "ip": "67.43.156.15" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "original": 
"https://www.nflshop.com/how-can-i-contact-customer-service/ch-2244"
+            },
+            "user": {
+                "domain": "example.com",
+                "email": "johndoe@example.com",
+                "name": "johndoe"
             }
         }
     ]
diff --git a/packages/mimecast/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml
index 2d8a3e4dde0..a8685b2d7f5 100644
--- a/packages/mimecast/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/mimecast/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml
@@ -2,9 +2,6 @@
 description: Pipeline for processing sample logs
 processors:
   # Generic event/ecs fields we always want to populated
-  - set:
-      field: event.ingested
-      value: "{{ _ingest.timestamp }}"
   - set:
       field: ecs.version
       value: "1.12.0"
diff --git a/packages/mimecast/manifest.yml b/packages/mimecast/manifest.yml
index 957d4fa8ced..c6e27eef374 100644
--- a/packages/mimecast/manifest.yml
+++ b/packages/mimecast/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: mimecast
 title: "Mimecast"
-version: 0.0.4
+version: 0.0.5
 license: basic
 description: "Fetching logs from Mimecast API and ingest into Elasticsearch"
 type: integration
@@ -9,7 +9,7 @@ categories:
   - security
 release: beta
 conditions:
-  kibana.version: "^7.16.0"
+  kibana.version: "^7.17.0 || ^8.0.0"
 screenshots:
   - src: /img/mimecast.png
     title: Sample screenshot
@@ -29,4 +29,4 @@ policy_templates:
     title: Mimecast API
     description: Collect logs from Mimecast API
 owner:
-  github: elastic/external-security-integrations
+  github: elastic/security-external-integrations
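Review bot: The `kibana.version` constraint in the manifest changes from `"^7.16.0"` to `"^7.17.0 || ^8.0.0"`, which quietly drops 7.16 from the supported range rather than only adding 8.0, so 7.16 stacks will no longer be offered 0.0.5 even though the commit message only mentions adding 8.0.0 compatibility. If raising the floor is intended (for instance because the Fleet final-pipeline behaviour this release now relies on for `event.ingested` is only guaranteed from 7.17), the changelog entry should state it explicitly; if it is not, `kibana.version: "^7.16.0 || ^8.0.0"` keeps the previous floor while still admitting 8.x. The `version` bump and the `owner.github` rename in the other two hunks are routine.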