diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index cd8c3051c0c..8d03a576769 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -23,6 +23,7 @@ /packages/cef @elastic/security-external-integrations /packages/checkpoint @elastic/security-external-integrations /packages/cisco_asa @elastic/security-external-integrations +/packages/cisco_secure_email_gateway @elastic/security-external-integrations /packages/cisco_duo @elastic/security-external-integrations /packages/cisco_ftd @elastic/security-external-integrations /packages/cisco_ios @elastic/security-external-integrations diff --git a/packages/cisco_secure_email_gateway/_dev/build/build.yml b/packages/cisco_secure_email_gateway/_dev/build/build.yml new file mode 100644 index 00000000000..d61527283ec --- /dev/null +++ b/packages/cisco_secure_email_gateway/_dev/build/build.yml @@ -0,0 +1,3 @@ +dependencies: + ecs: + reference: git@8.2 diff --git a/packages/cisco_secure_email_gateway/_dev/build/docs/README.md b/packages/cisco_secure_email_gateway/_dev/build/docs/README.md new file mode 100644 index 00000000000..d705c70b44a --- /dev/null +++ b/packages/cisco_secure_email_gateway/_dev/build/docs/README.md 
@@ -0,0 +1,201 @@ +# Cisco Secure Email Gateway + +The [Cisco Email Security Appliance](https://www.cisco.com/c/en/us/products/security/email-security/index.html) integration collects and parses data from Cisco Secure Email Gateway using TCP/UDP and logfile. + +## Compatibility + +This module has been tested against **Cisco Secure Email Gateway server version 14.0.0 Virtual Gateway C100V with the below given logs pattern**. + +## Configurations + +- Sign-in to Cisco Secure Email Gateway Portal and follow the below steps for configurations: + 1. In Cisco Secure Email Gateway Administrator Portal, go to **System Administration** > **Log Subscriptions**. + 2. Click **Add Log Subscription**. + 3. Enter all the **Required Details**. + 4. Set **Log Name** as below for the respective category: + - AMP Engine Logs -> amp + - Anti-Spam Logs -> antispam + - Authentication Logs -> authentication + - Bounce Logs -> bounces + - Consolidated Event Logs -> consolidated_event + - Content Scanner Logs -> content_scanner + - HTTP Logs -> gui_logs + - IronPort Text Mail Logs -> error_logs + - Text Mail Logs -> mail_logs + - Status Logs -> status + - System Logs -> system + 5. Select **Log Level** as Information. + 6. Select **Retrieval Method**. + 7. Click **Submit** and commit the Changes. 
+ +## Note + +- **Retrieval Method** Supported: + - **FTP Push to Remote Server** for the below categories: + AMP Engine Logs, Anti-Spam Logs, Anti-Spam Logs, Authentication Logs, Bounce Logs, Consolidated Event Logs, Content Scanner Logs, HTTP Logs, IronPort Text Mail Logs, Text Mail Logs, Status Logs, System Logs + - **Syslog Push** for the below categories: + AMP Engine Logs, Anti-Spam Logs, Anti-Spam Logs, Consolidated Event Logs, Content Scanner Logs, HTTP Logs, IronPort Text Mail Logs, Text Mail Logs, Status Logs, System Logs + +## [Sample Logs](https://www.cisco.com/c/en/us/td/docs/security/ces/user_guide/esa_user_guide_14-0/b_ESA_Admin_Guide_ces_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html) +Below are the samples logs of respective category: + +## AMP Engine Logs: +``` +File reputation query initiating. File Name = 'mod-6.exe', MID = 5, File Size = 1673216 bytes, File Type = application/x-dosexec + +Response received for file reputation query from Cloud. FileName = 'mod-6.exe', MID = 5, Disposition = MALICIOUS, Malware = W32.061DEF69B5-100.SBX.TG,Reputation Score = 73, sha256 =061def69b5c100e9979610fa5675bd19258b19a7ff538b5c2d230b467c312f19, upload_action = 2 + +File Analysis complete. SHA256: 16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc, Submit Timestamp: 1475825466, Update Timestamp: 1475825953, Disposition: 3 Score: 100, run_id: 194926004 Details: Analysis is completed for the File SHA256[16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc] Spyname:[W32.16454AFF50-100.SBX.TG] + +File not uploaded for analysis. MID = 0 File SHA256[a5f28f1fed7c2fe88bcdf403710098977fa12c32d13bfbd78bbe27e95b245f82] file mime[text/plain] Reason: No active/dynamic contents exists + +File analysis upload skipped. 
SHA256: b5c7e26491983baa713c9a2910ee868efd891661c6a0553b28f17b8fdc8cc3ef,Timestamp[1454782976] details[File SHA256[b5c7e26491983baa713c9a2910ee868efd891661c6a0553b28f17b8fdc8cc3ef] file mime[application/pdf], upload priority[Low] not uploaded, re-tries[3], backoff[986] discarding ...] + +SHA256: 69e17e213732da0d0cbc48ae7030a4a18e0c1289f510e8b139945787f67692a5,Timestamp[1454959409] details[Server Response HTTP code:[502]] + +Retrospective verdict received. SHA256: 16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc, Timestamp: 1475832815.7, Verdict: MALICIOUS, Reputation Score: 0, Spyname: W32.16454AFF50-100.SBX. +``` +## Anti-Spam Logs +``` +case antispam - engine (72324) : case-daemon: Initializing Child + +case antispam - engine (15703) : case-daemon: all children killed, exitting + +case antispam - engine (15703) : case-daemon: server killed by SIGHUP, shutting down +``` +## Authentication Logs +``` +The user admin successfully logged on from 1.128.3.4 with privilege admin using an HTTPS connection. + +CLI: User admin logged out from 1.128.3.4 because of inactivity timeout + +GUI: User admin logged out from session d0PfzQa02E8NwMiah2jx because of inactivity timeout + +logout:1.128.3.4 user:admin session:wKV0AK29Ggdhztfl4Sal + +User admin logged out of SSH session 1.128.3.4 + +An authentication attempt by the user admin from 1.128.3.4 failed using an HTTPS connection. + +User admin was authenticated successfully. + +User joe failed authentication. +``` +## Bounce Logs +``` +Bounced: DCID 2 MID 15232 From: To: RID 0 - 5.1.0 - Unknown address error ('550', ['5.1.1 The email account that you tried to reach does not exist. Please try', "5.1.1 double-checking the recipient's email address for typos or", '5.1.1 unnecessary spaces. Learn more at', '5.1.1 xxxxx ay44si12078156oib.94 - gsmtp']) + +Bounced: 123:123 
From: To: +``` +## Consolidated Event Logs +``` +CEF:0|Cisco|C100V Email Security Virtual Appliance|14.0.0-657|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=42127C7DDEE76852677B-F80CE8074CD3 ESAMID=1053 ESAICID=134 ESAAMPVerdict=UNKNOWN ESAASVerdict=NEGATIVE ESAAVVerdict=NEGATIVE ESACFVerdict=MATCH endTime=Thu Mar 18 08:04:46 2021 ESADLPVerdict=NOT_EVALUATED dvc=1.128.3.4 ESAAttachmentDetails={'test.txt': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '7f843d263304fb0516d6210e9de4fa7f01f2f623074aab6e3ee7051f7b785cfa'}, 'BodyScanner': {'fsize': 10059}}} ESAFriendlyFrom=example.com ESAGMVerdict=NEGATIVE startTime=Thu Mar 18 08:04:29 2021 deviceInboundInterface=Incomingmail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=example.com cs1Label=MailPolicy cs1=DEFAULT ESAMFVerdict=NOT_EVALUATED act=QUARANTINED ESAFinalActionDetails=To POLICY cs4Label=ExternalMsgID cs4='' ESAMsgSize=11873 ESAOFVerdict=POSITIVE duser=example.com ESAHeloIP=1.128.3.4 cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=27 years 2 months 15 days cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Weak ESASPFVerdict={'mailfrom': {'result': 'None', 'sender': 'example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster'}, 'pra': {'result': 'None', 'sender': 'example.com'}} sourceHostName=unknown ESASenderGroup=UNKNOWNLIST sourceAddress=1.128.3.4 msg='Testing' +``` +## Content Scanner Logs +``` +PF: Starting multi-threaded Perceptive server (pid=17729) + +PF: Restarting content_scanner service. +``` +## IronPort Text Mail Logs +``` +Quarantine: Failed to connect to quarantine + +Internal SMTP giving up on message to example.com with subject 'Warning example.com: Your "IronPort Email Encryption" key will expire in under 60...': Unrecoverable error. + +Error while sending alert: Unable to send System/Warning alert to example.com with subject "Warning example.com: Your "IronPort Email Encryption" key will expire in under 60...". 
+ +Internal SMTP system attempting to send a message to example.com with subject 'Critical example.com: Log Error: Subscription error_logs: Failed to connect to 10....' (attempt #0). +``` +## HTTP Logs +``` +req:1.128.3.4 user:admin id:2v10z5fEuDsvhdbVE6Ck 200 GET xxx.png HTTP/1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 + +req:1.128.3.4 user:- id:2v10z5fEuDsvhdbVE6Ck 200 GET xxx.png HTTP/1.1 - + +Action: User admin logged out from session 5GPz0QDlfxUYQ0Y3PgYN beacuse of inactivity timeout + +Session fRK3TSjzhHhoI9CV5Kvt user:admin expired + +Session fRK3TSjzhHhoI9CV5Kvt from 1.128.3.4 not found Destination:/mail_policies/email_security_manager/incoming_mail_policies + +SourceIP:1.128.3.4 Destination:/login Username:admin Privilege:admin session:5GPz0QDlfxUYQ0Y3PgYN Action: The HTTPS session has been established successfully. + +PERIODIC REPORTS: No root directory for Periodic Reports Archive. Probably, running first time... + +Could not fetch current Virus Threat Level: OS error opening URL 'http://example.com/xxxxx/xxxxx.txt' + +SSL error with client 1.128.3.4:000 - (336151574, 'error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown') + +Error in https connection from host 1.128.3.4 port 000 - [Errno 54] Connection reset by peer + +Passphrase has been changed for user admin +``` +## Text Mail Logs +``` +MID 111 DLP violation. Severity: LOW (Risk Factor: 15). DLP policy match: 'PCI-DSS (Payment Card Industry Data Security Standard)'. + +graymail [CONFIG] Starting graymail configuration handler + +URL_REP_CLIENT: Configuration changed. Triggering restart of URL Reputation client service. + +A System/Warning alert was sent to example.com with subject "Warning cisco.esa: URL category definitions have changed.; Added new category '...". 
+ +New SMTP ICID 5 interface Management (1.128.3.4) address 1.128.3.4 reverse dns host example.com verified yes + +Start MID 6 ICID 5 + +MID 6 ICID 5 
From: + +MID 6 ICID 5 RID 0 To: + +MID 6 ready 100 bytes from + +ICID 5 close + +New SMTP DCID 8 interface 1.128.3.4 address 1.128.3.4 + +Delivery start DCID 8 MID 6 to RID [0] + +Message done DCID 8 MID 6 to RID [0] + +DCID 8 close + +URL category definitions have changed. Please check and update your filters to use the new definitions + +Error while sending alert: Unable to send System/Warning alert to example.com with subject "Warning example.com: Your "IronPort Email Encryption" key will expire in under 60...". + +Your "IronPort Anti-Spam" key will expire in under 60 day(s). Please contact your authorized Cisco sales representative. + +Internal SMTP system successfully sent a message to example.com with subject 'Warning cisco.esa: Your "Sophos Anti-Virus" key will expire in under 60 day(s)....'. + +Internal SMTP giving up on message to example.com with subject 'Warning example.com: Your "IronPort Email Encryption" key will expire in under 60...': Unrecoverable error. + +Internal SMTP Error: Failed to send message to host 1.128.3.4:000 for recipient example: Unexpected SMTP response "553", expecting code starting with "2", response was ['#5.1.8 Domain of sender address does not exist']. 
+``` +## Status Logs +``` +Status: CPULd 0 DskIO 0 RAMUtil 1 QKUsd 0 QKFre 8388608 CrtMID 0 CrtICID 0 CrtDCID 1 InjMsg 0 InjRcp 0 GenBncRcp 0 RejRcp 0 DrpMsg 0 SftBncEvnt 0 CmpRcp 0 HrdBncRcp 0 DnsHrdBnc 0 5XXHrdBnc 0 FltrHrdBnc 0 ExpHrdBnc 0 OtrHrdBnc 0 DlvRcp 0 DelRcp 0 GlbUnsbHt 0 ActvRcp 0 UnatmptRcp 0 AtmptRcp 0 CrtCncIn 0 CrtCncOut 0 DnsReq 0 NetReq 0 CchHit 0 CchMis 0 CchEct 0 CchExp 0 CPUTTm 91 CPUETm 32182 MaxIO 487 RAMUsd 125195690 MMLen 0 DstInMem 3 ResCon 0 WorkQ 0 QuarMsgs 0 QuarQKUsd 0 LogUsd 5 SophLd 99 BMLd 0 CASELd 0 TotalLd 47 LogAvail 148G EuQ 0 EuqRls 0 CmrkLd 0 McafLd 0 SwIn 338 SwOut 681 SwPgIn 2123 SwPgOut 7156 SwapUsage 0% RptLd 0 QtnLd 0 EncrQ 0 InjBytes 0 +``` +## System Logs +``` +PID 1237: User admin commit changes: Added a second CLI log for examples + +lame DNS referral: qname:example.net ns_name:example.net zone:example.net ref_zone:example.net referrals:[(524666183436709L, 0, 'insecure', 'example.net'), (524666183436709L, 0, 'insecure', 'example.net')] + +Failed to bootstrap the DNS resolver. Unable to contact root servers. + +DNS query network error '[Errno 51] Network is unreachable' to 'dummy_ip' looking up ' ' + +Received an invalid DNS Response: '' to IP dummy_ip looking up example.de +``` + +## Logs + +### log + +This is the `log` dataset. + +{{event "log"}} + +{{fields "log"}} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/_dev/deploy/docker/docker-compose.yml b/packages/cisco_secure_email_gateway/_dev/deploy/docker/docker-compose.yml new file mode 100644 index 00000000000..17578fcdc11 --- /dev/null +++ b/packages/cisco_secure_email_gateway/_dev/deploy/docker/docker-compose.yml 
@@ -0,0 +1,20 @@ +version: '2.3' +services: + cisco_secure_email_gateway-logfile: + image: alpine + volumes: + - ./sample_logs:/sample_logs:ro + - ${SERVICE_LOGS_DIR}:/var/log + command: /bin/sh -c "cp /sample_logs/*.s /var/log/" + cisco_secure_email_gateway-log-tcp: + image: docker.elastic.co/observability/stream:v0.7.0 + volumes: + - ./sample_logs:/sample_logs:ro + entrypoint: /bin/bash + command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9519 -p=tcp /sample_logs/log.log" + cisco_secure_email_gateway-log-udp: + image: docker.elastic.co/observability/stream:v0.7.0 + volumes: + - ./sample_logs:/sample_logs:ro + entrypoint: /bin/bash + command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9520 -p=udp /sample_logs/log.log" diff --git a/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/amp.@123456789.s b/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/amp.@123456789.s new file mode 100644 index 00000000000..f998921ab1d --- /dev/null +++ b/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/amp.@123456789.s 
@@ -0,0 +1,7 @@ +Fri Mar 25 20:50:10 2022 Info: File reputation query initiating. File Name = 'mod-6.exe', MID = 5, File Size = 1673216 bytes, File Type = application/x-dosexec +Fri Mar 25 20:50:10 2022 Info: Response received for file reputation query from Cloud. FileName = 'mod-6.exe', MID = 5, Disposition = MALICIOUS, Malware = W32.061DEF69B5-100.SBX.TG,Reputation Score = 73, sha256 =061def69b5c100e9979610fa5675bd19258b19a7ff538b5c2d230b467c312f19, upload_action = 2 +Fri Mar 25 20:50:10 2022 Info: File Analysis complete. SHA256: 16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc, Submit Timestamp: 1475825466, Update Timestamp: 1475825953, Disposition: 3 Score: 100, run_id: 194926004 Details: Analysis is completed for the File SHA256[16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc] Spyname:[W32.16454AFF50-100.SBX.TG] +Fri Mar 25 20:50:10 2022 Info: File not uploaded for analysis. MID = 0 File SHA256[a5f28f1fed7c2fe88bcdf403710098977fa12c32d13bfbd78bbe27e95b245f82] file mime[text/plain] Reason: No active/dynamic contents exists +Fri Mar 25 20:50:10 2022 Info: File analysis upload skipped. SHA256: b5c7e26491983baa713c9a2910ee868efd891661c6a0553b28f17b8fdc8cc3ef,Timestamp[1454782976] details[File SHA256[b5c7e26491983baa713c9a2910ee868efd891661c6a0553b28f17b8fdc8cc3ef] file mime[application/pdf], upload priority[Low] not uploaded, re-tries[3], backoff[986] discarding ...] +Fri Mar 25 20:50:10 2022 Info: SHA256: 69e17e213732da0d0cbc48ae7030a4a18e0c1289f510e8b139945787f67692a5,Timestamp[1454959409] details[Server Response HTTP code:[502]] +Fri Mar 25 20:50:10 2022 Info: Retrospective verdict received. SHA256: 16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc, Timestamp: 1475832815.7, Verdict: MALICIOUS, Reputation Score: 0, Spyname: W32.16454AFF50-100.SBX. 
diff --git a/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/antispam.@123456789.s b/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/antispam.@123456789.s new file mode 100644 index 00000000000..7100c140edd --- /dev/null +++ b/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/antispam.@123456789.s @@ -0,0 +1,3 @@ +Fri Mar 25 20:50:10 2022 Info: case antispam - engine (72324) : case-daemon: Initializing Child +Fri Mar 25 20:50:10 2022 Info: case antispam - engine (15703) : case-daemon: all children killed, exitting +Fri Mar 25 20:50:10 2022 Info: case antispam - engine (15703) : case-daemon: server killed by SIGHUP, shutting down diff --git a/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/authentication.@123456789.s b/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/authentication.@123456789.s new file mode 100644 index 00000000000..7b290abf588 --- /dev/null +++ b/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/authentication.@123456789.s @@ -0,0 +1,8 @@ +Fri Apr 1 07:06:22 2022 Info: The user admin successfully logged on from 1.128.3.4 with privilege admin using an HTTPS connection. +Fri Mar 25 20:50:10 2022 Info: CLI: User admin logged out from 1.128.3.4 because of inactivity timeout +Mon Mar 28 05:41:57 2022 Info: GUI: User admin logged out from session d0PfzQa02E8NwMiah2jx because of inactivity timeout +Fri Mar 25 20:50:10 2022 Info: logout:1.128.3.4 user:admin session:wKV0AK29Ggdhztfl4Sal +Fri Mar 25 20:50:10 2022 Info: User admin logged out of SSH session 1.128.3.4 +Fri Mar 25 20:50:10 2022 Info: An authentication attempt by the user admin from 1.128.3.4 failed using an HTTPS connection. +Fri Mar 25 20:50:10 2022 Info: User admin was authenticated successfully. +Fri Mar 25 20:50:10 2022 Info: User joe failed authentication. 
diff --git a/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/bounces.@123456789.s b/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/bounces.@123456789.s new file mode 100644 index 00000000000..40abcf2c6b1 --- /dev/null +++ b/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/bounces.@123456789.s @@ -0,0 +1,2 @@ +Wed Jan 29 00:06:30 2003 Info: Bounced: DCID 2 MID 15232 From: To: RID 0 - 5.1.0 - Unknown address error ('550', ['5.1.1 The email account that you tried to reach does not exist. Please try', "5.1.1 double-checking the recipient's email address for typos or", '5.1.1 unnecessary spaces. Learn more at', '5.1.1 xxxxx ay44si12078156oib.94 - gsmtp']) +Wed Jan 29 00:06:30 2003 Info: Bounced: 123:123 From: To: diff --git a/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/consolidated_event.@123456789.s b/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/consolidated_event.@123456789.s new file mode 100644 index 00000000000..80b311af868 --- /dev/null +++ b/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/consolidated_event.@123456789.s 
@@ -0,0 +1 @@ +Fri Mar 25 20:50:10 2022 CEF:0|Cisco|C100V Email Security Virtual Appliance|14.0.0-657|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=42127C7DDEE76852677B-F80CE8074CD3 ESAMID=1053 ESAICID=134 ESAAMPVerdict=UNKNOWN ESAASVerdict=NEGATIVE ESAAVVerdict=NEGATIVE ESACFVerdict=MATCH endTime=Thu Mar 18 08:04:46 2021 ESADLPVerdict=NOT_EVALUATED dvc=1.128.3.4 ESAAttachmentDetails={'test.txt': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '7f843d263304fb0516d6210e9de4fa7f01f2f623074aab6e3ee7051f7b785cfa'}, 'BodyScanner': {'fsize': 10059}}} ESAFriendlyFrom=example.com ESAGMVerdict=NEGATIVE startTime=Thu Mar 18 08:04:29 2021 deviceInboundInterface=Incomingmail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=example.com cs1Label=MailPolicy cs1=DEFAULT ESAMFVerdict=NOT_EVALUATED act=QUARANTINED ESAFinalActionDetails=To POLICY cs4Label=ExternalMsgID cs4='' ESAMsgSize=11873 ESAOFVerdict=POSITIVE duser=example.com ESAHeloIP=1.128.3.4 cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=27 years 2 months 15 days cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Weak ESASPFVerdict={'mailfrom': {'result': 'None', 'sender': 'example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster'}, 'pra': {'result': 'None', 'sender': 'example.com'}} sourceHostName=unknown ESASenderGroup=UNKNOWNLIST sourceAddress=1.128.3.4 msg='Testing' diff --git a/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/content_scanner.@123456789.s b/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/content_scanner.@123456789.s new file mode 100644 index 00000000000..0220cdd4c40 --- /dev/null +++ b/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/content_scanner.@123456789.s @@ -0,0 +1,2 @@ +Fri Mar 25 20:50:10 2022 Info: PF: Starting multi-threaded Perceptive server (pid=17729) +Fri Mar 25 20:50:10 2022 Info: PF: Restarting content_scanner service. 
diff --git a/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/error_logs.@123456789.s b/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/error_logs.@123456789.s new file mode 100644 index 00000000000..ac599ba8c89 --- /dev/null +++ b/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/error_logs.@123456789.s @@ -0,0 +1,4 @@ +Fri Mar 25 20:50:10 2022 Info: Quarantine: Failed to connect to quarantine +Fri Mar 25 20:50:10 2022 Info: Internal SMTP giving up on message to example.com with subject 'Warning example.com: Your "IronPort Email Encryption" key will expire in under 60...': Unrecoverable error. +Fri Mar 25 20:50:10 2022 Critical: Error while sending alert: Unable to send System/Warning alert to example.com with subject "Warning example.com: Your "IronPort Email Encryption" key will expire in under 60...". +Fri Mar 25 20:50:10 2022 Info: Internal SMTP system attempting to send a message to example.com with subject 'Critical example.com: Log Error: Subscription error_logs: Failed to connect to 10....' (attempt #0). diff --git a/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/gui_logs.@123456789.s b/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/gui_logs.@123456789.s new file mode 100644 index 00000000000..12f564ac3e6 --- /dev/null +++ b/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/gui_logs.@123456789.s 
@@ -0,0 +1,11 @@ +Fri Mar 25 20:50:10 2022 Info: req:1.128.3.4 user:admin id:2v10z5fEuDsvhdbVE6Ck 200 GET xxx.png HTTP/1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 +Fri Mar 25 20:50:10 2022 Info: req:1.128.3.4 user:- id:2v10z5fEuDsvhdbVE6Ck 200 GET xxx.png HTTP/1.1 - +Fri Mar 25 20:50:10 2022 Info: Action: User admin logged out from session 5GPz0QDlfxUYQ0Y3PgYN beacuse of inactivity timeout +Fri Mar 25 20:50:10 2022 Info: Session fRK3TSjzhHhoI9CV5Kvt user:admin expired +Fri Mar 25 20:50:10 2022 Info: Session fRK3TSjzhHhoI9CV5Kvt from 1.128.3.4 not found Destination:/mail_policies/email_security_manager/incoming_mail_policies +Fri Mar 25 20:50:10 2022 Info: SourceIP:1.128.3.4 Destination:/login Username:admin Privilege:admin session:5GPz0QDlfxUYQ0Y3PgYN Action: The HTTPS session has been established successfully. +Fri Mar 25 20:50:10 2022 Info: PERIODIC REPORTS: No root directory for Periodic Reports Archive. Probably, running first time... +Fri Mar 25 20:50:10 2022 Warning: Could not fetch current Virus Threat Level: OS error opening URL 'http://example.com/xxxxx/xxxxx.txt' +Fri Mar 25 20:50:10 2022 Warning: SSL error with client 1.128.3.4:000 - (336151574, 'error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown') +Fri Mar 25 20:50:10 2022 Info: Error in https connection from host 1.128.3.4 port 000 - [Errno 54] Connection reset by peer +Fri Mar 25 20:50:10 2022 Info: Passphrase has been changed for user admin diff --git a/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/log.log b/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/log.log new file mode 100644 index 00000000000..49913a70731 --- /dev/null +++ b/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/log.log 
@@ -0,0 +1,54 @@ +<166>Mar 17 18:24:37 amp: Info: File reputation query initiating. File Name = 'mod-6.exe', MID = 5, File Size = 1673216 bytes, File Type = application/x-dosexec +<166>Mar 17 18:24:37 amp: Info: Response received for file reputation query from Cloud. FileName = 'mod-6.exe', MID = 5, Disposition = MALICIOUS, Malware = W32.061DEF69B5-100.SBX.TG,Reputation Score = 73, sha256 =061def69b5c100e9979610fa5675bd19258b19a7ff538b5c2d230b467c312f19, upload_action = 2 +<166>Mar 17 18:24:37 amp: Info: File Analysis complete. SHA256: 16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc, Submit Timestamp: 1475825466, Update Timestamp: 1475825953, Disposition: 3 Score: 100, run_id: 194926004 Details: Analysis is completed for the File SHA256[16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc] Spyname:[W32.16454AFF50-100.SBX.TG] +<166>Mar 17 18:24:37 amp: Info: File not uploaded for analysis. MID = 0 File SHA256[a5f28f1fed7c2fe88bcdf403710098977fa12c32d13bfbd78bbe27e95b245f82] file mime[text/plain] Reason: No active/dynamic contents exists +<166>Mar 17 18:24:37 amp: Info: File analysis upload skipped. SHA256: b5c7e26491983baa713c9a2910ee868efd891661c6a0553b28f17b8fdc8cc3ef,Timestamp[1454782976] details[File SHA256[b5c7e26491983baa713c9a2910ee868efd891661c6a0553b28f17b8fdc8cc3ef] file mime[application/pdf], upload priority[Low] not uploaded, re-tries[3], backoff[986] discarding ...] +<166>Mar 17 18:24:37 amp: Info: SHA256: 69e17e213732da0d0cbc48ae7030a4a18e0c1289f510e8b139945787f67692a5,Timestamp[1454959409] details[Server Response HTTP code:[502]] +<166>Mar 17 18:24:37 amp: Info: Retrospective verdict received. SHA256: 16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc, Timestamp: 1475832815.7, Verdict: MALICIOUS, Reputation Score: 0, Spyname: W32.16454AFF50-100.SBX. 
+<166>Mar 17 18:24:37 antispam: Info: case antispam - engine (72324) : case-daemon: Initializing Child +<166>Mar 17 18:24:37 antispam: Info: case antispam - engine (15703) : case-daemon: all children killed, exitting +<166>Mar 17 18:24:37 antispam: Info: case antispam - engine (15703) : case-daemon: server killed by SIGHUP, shutting down +<166>Mar 17 18:24:37 consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance|14.0.0-657|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=42127C7DDEE76852677B-F80CE8074CD3 ESAMID=1053 ESAICID=134 ESAAMPVerdict=UNKNOWN ESAASVerdict=NEGATIVE ESAAVVerdict=NEGATIVE ESACFVerdict=MATCH endTime=Thu Mar 18 08:04:46 2021 ESADLPVerdict=NOT_EVALUATED dvc=1.128.3.4 ESAAttachmentDetails={'test.txt': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '7f843d263304fb0516d6210e9de4fa7f01f2f623074aab6e3ee7051f7b785cfa'}, 'BodyScanner': {'fsize': 10059}}} ESAFriendlyFrom=example.com ESAGMVerdict=NEGATIVE startTime=Thu Mar 18 08:04:29 2021 deviceInboundInterface=Incomingmail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=example.com cs1Label=MailPolicy cs1=DEFAULT ESAMFVerdict=NOT_EVALUATED act=QUARANTINED ESAFinalActionDetails=To POLICY cs4Label=ExternalMsgID cs4='' ESAMsgSize=11873 ESAOFVerdict=POSITIVE duser=example.com ESAHeloIP=1.128.3.4 cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=27 years 2 months 15 days cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Weak ESASPFVerdict={'mailfrom': {'result': 'None', 'sender': 'example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster'}, 'pra': {'result': 'None', 'sender': 'example.com'}} sourceHostName=unknown ESASenderGroup=UNKNOWNLIST sourceAddress=1.128.3.4 msg='Testing' +<166>Mar 17 18:31:14 content_scanner: Info: PF: Starting multi-threaded Perceptive server (pid=17729) +<166>Mar 17 18:31:14 content_scanner: Info: PF: Restarting content_scanner service. 
+<166>Mar 17 18:31:14 error_logs: Info: Quarantine: Failed to connect to quarantine +<166>Mar 17 18:31:14 error_logs: Info: Internal SMTP giving up on message to example.com with subject 'Warning example.com: Your "IronPort Email Encryption" key will expire in under 60...': Unrecoverable error. +<166>Mar 17 18:31:14 error_logs: Critical: Error while sending alert: Unable to send System/Warning alert to example.com with subject "Warning example.com: Your "IronPort Email Encryption" key will expire in under 60...". +<166>Mar 17 18:31:14 error_logs: Info: Internal SMTP system attempting to send a message to example.com with subject 'Critical example.com: Log Error: Subscription error_logs: Failed to connect to 10....' (attempt #0). +<166>Mar 17 18:31:14 gui_logs: Info: req:1.128.3.4 user:admin id:2v10z5fEuDsvhdbVE6Ck 200 GET xxx.png HTTP/1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 +<166>Mar 17 18:31:14 gui_logs: Info: req:1.128.3.4 user:- id:2v10z5fEuDsvhdbVE6Ck 200 GET xxx.png HTTP/1.1 - +<166>Mar 17 18:31:14 gui_logs: Info: Action: User admin logged out from session 5GPz0QDlfxUYQ0Y3PgYN beacuse of inactivity timeout +<166>Mar 17 18:31:14 gui_logs: Info: Session fRK3TSjzhHhoI9CV5Kvt user:admin expired +<166>Mar 17 18:31:14 gui_logs: Info: Session fRK3TSjzhHhoI9CV5Kvt from 1.128.3.4 not found Destination:/mail_policies/email_security_manager/incoming_mail_policies +<166>Mar 17 18:31:14 gui_logs: Info: SourceIP:1.128.3.4 Destination:/login Username:admin Privilege:admin session:5GPz0QDlfxUYQ0Y3PgYN Action: The HTTPS session has been established successfully. +<166>Mar 17 18:31:14 gui_logs: Info: PERIODIC REPORTS: No root directory for Periodic Reports Archive. Probably, running first time... 
+<166>Mar 17 18:31:14 gui_logs: Warning: Could not fetch current Virus Threat Level: OS error opening URL 'http://example.com/vtl/xxx.txt' +<166>Mar 17 18:31:14 gui_logs: Warning: SSL error with client 0.0.0.0:000 - (336151574, 'error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown') +<166>Mar 17 18:31:14 gui_logs: Info: Error in https connection from host 0.0.0.0 port 000 - [Errno 54] Connection reset by peer +<166>Mar 17 18:31:14 gui_logs: Info: Passphrase has been changed for user admin +<182>Mar 30 15:12:26 status: Info: Status: CPULd 0 DskIO 0 RAMUtil 1 QKUsd 0 QKFre 8388608 CrtMID 0 CrtICID 0 CrtDCID 1 InjMsg 0 InjRcp 0 GenBncRcp 0 RejRcp 0 DrpMsg 0 SftBncEvnt 0 CmpRcp 0 HrdBncRcp 0 DnsHrdBnc 0 5XXHrdBnc 0 FltrHrdBnc 0 ExpHrdBnc 0 OtrHrdBnc 0 DlvRcp 0 DelRcp 0 GlbUnsbHt 0 ActvRcp 0 UnatmptRcp 0 AtmptRcp 0 CrtCncIn 0 CrtCncOut 0 DnsReq 0 NetReq 0 CchHit 0 CchMis 0 CchEct 0 CchExp 0 CPUTTm 91 CPUETm 32182 MaxIO 487 RAMUsd 125195690 MMLen 0 DstInMem 3 ResCon 0 WorkQ 0 QuarMsgs 0 QuarQKUsd 0 LogUsd 5 SophLd 99 BMLd 0 CASELd 0 TotalLd 47 LogAvail 148G EuQ 0 EuqRls 0 CmrkLd 0 McafLd 0 SwIn 338 SwOut 681 SwPgIn 2123 SwPgOut 7156 SwapUsage 0% RptLd 0 QtnLd 0 EncrQ 0 InjBytes 0 +<166>Mar 17 18:31:14 system: Info: PID 1237: User admin commit changes: Added a second CLI log for examples +<166>Mar 17 18:31:14 system: Info: lame DNS referral: qname:example.net ns_name:example.net zone:example.net ref_zone:example.net referrals:[(524666183436709L, 0, 'insecure', 'example.net'), (524666183436709L, 0, 'insecure', 'example.net')] +<166>Mar 17 18:31:14 system: Warning: Failed to bootstrap the DNS resolver. Unable to contact root servers. +<166>Mar 17 18:31:14 system: Warning: DNS query network error '[Errno 51] Network is unreachable' to 'dummy_ip' looking up ' ' +<166>Mar 17 18:31:14 system: Warning: Received an invalid DNS Response: '' to IP dummy_ip looking up example.de +<166>Mar 17 18:24:37 mail_logs: Info: MID 111 DLP violation. 
Severity: LOW (Risk Factor: 15). DLP policy match: 'PCI-DSS (Payment Card Industry Data Security Standard)'. +<166>Mar 17 18:24:37 mail_logs: Info: graymail [CONFIG] Starting graymail configuration handler +<166>Mar 17 18:24:37 mail_logs: Info: URL_REP_CLIENT: Configuration changed. Triggering restart of URL Reputation client service. +<166>Mar 17 18:24:37 mail_logs: Info: A System/Warning alert was sent to example.com with subject "Warning cisco.esa: URL category definitions have changed.; Added new category '...". +<166>Mar 17 18:24:37 mail_logs: Info: New SMTP ICID 5 interface Management (1.128.3.4) address 1.128.3.4 reverse dns host xxx.com verified yes +<166>Mar 17 18:24:37 mail_logs: Info: Start MID 6 ICID 5 +<166>Mar 17 18:24:37 mail_logs: Info: MID 6 ICID 5 
From: +<166>Mar 17 18:24:37 mail_logs: Info: MID 6 ICID 5 RID 0 To: +<166>Mar 17 18:24:37 mail_logs: Info: MID 6 ready 100 bytes from +<166>Mar 17 18:24:37 mail_logs: Info: ICID 5 close +<166>Mar 17 18:24:37 mail_logs: Info: New SMTP DCID 8 interface 1.128.3.4 address 1.128.3.4 +<166>Mar 17 18:24:37 mail_logs: Info: Delivery start DCID 8 MID 6 to RID [0] +<166>Mar 17 18:24:37 mail_logs: Info: Message done DCID 8 MID 6 to RID [0] +<166>Mar 17 18:24:37 mail_logs: Info: DCID 8 close +<166>Mar 17 18:24:37 mail_logs: Warning: URL category definitions have changed. Please check and update your filters to use the new definitions +<166>Mar 17 18:24:37 mail_logs: Critical: Error while sending alert: Unable to send System/Warning alert to example.com with subject "Warning example.com: Your "IronPort Email Encryption" key will expire in under 60...". +<166>Mar 17 18:24:37 mail_logs: Warning: Your "IronPort Anti-Spam" key will expire in under 60 day(s). Please contact your authorized Cisco sales representative. +<166>Mar 17 18:24:37 mail_logs: Info: Internal SMTP system successfully sent a message to example.com with subject 'Warning cisco.esa: Your "Sophos Anti-Virus" key will expire in under 60 day(s)....'. +<166>Mar 17 18:24:37 mail_logs: Critical: Internal SMTP giving up on message to example.com with subject 'Warning example.com: Your "IronPort Email Encryption" key will expire in under 60...': Unrecoverable error. +<166>Mar 17 18:24:37 mail_logs: Warning: Internal SMTP Error: Failed to send message to host 0.0.0.0:000 for recipient example.com: Unexpected SMTP response "553", expecting code starting with "2", response was ['#5.1.8 Domain of sender address does not exist']. diff --git a/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/mail_logs.@123456789.s b/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/mail_logs.@123456789.s new file mode 100644 index 00000000000..5f05fa2cd2a --- /dev/null 
+++ b/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/mail_logs.@123456789.s @@ -0,0 +1,20 @@ +Fri Mar 25 20:50:10 2022 Info: MID 111 DLP violation. Severity: LOW (Risk Factor: 15). DLP policy match: 'PCI-DSS (Payment Card Industry Data Security Standard)'. +Fri Mar 25 20:50:10 2022 Info: graymail [CONFIG] Starting graymail configuration handler +Fri Mar 25 20:50:10 2022 Info: URL_REP_CLIENT: Configuration changed. Triggering restart of URL Reputation client service. +Fri Mar 25 20:50:10 2022 Info: A System/Warning alert was sent to example.com with subject "Warning cisco.esa: URL category definitions have changed.; Added new category '...". +Fri Mar 25 20:50:10 2022 Info: New SMTP ICID 5 interface Management (1.128.3.4) address 1.128.3.4 reverse dns host example.com verified yes +Fri Mar 25 20:50:10 2022 Info: Start MID 6 ICID 5 +Fri Mar 25 20:50:10 2022 Info: MID 6 ICID 5 
From: +Fri Mar 25 20:50:10 2022 Info: MID 6 ICID 5 RID 0 To: +Fri Mar 25 20:50:10 2022 Info: MID 6 ready 100 bytes from +Fri Mar 25 20:50:10 2022 Info: ICID 5 close +Fri Mar 25 20:50:10 2022 Info: New SMTP DCID 8 interface 1.128.3.4 address 1.128.3.4 +Fri Mar 25 20:50:10 2022 Info: Delivery start DCID 8 MID 6 to RID [0] +Fri Mar 25 20:50:10 2022 Info: Message done DCID 8 MID 6 to RID [0] +Fri Mar 25 20:50:10 2022 Info: DCID 8 close +Fri Mar 25 20:50:10 2022 Warning: URL category definitions have changed. Please check and update your filters to use the new definitions +Fri Mar 25 20:50:10 2022 Critical: Error while sending alert: Unable to send System/Warning alert to example.com with subject "Warning example.com: Your "IronPort Email Encryption" key will expire in under 60...". +Fri Mar 25 20:50:10 2022 Warning: Your "IronPort Anti-Spam" key will expire in under 60 day(s). Please contact your authorized Cisco sales representative. +Fri Mar 25 20:50:10 2022 Info: Internal SMTP system successfully sent a message to example.com with subject 'Warning cisco.esa: Your "Sophos Anti-Virus" key will expire in under 60 day(s)....'. +Fri Mar 25 20:50:10 2022 Critical: Internal SMTP giving up on message to example.com with subject 'Warning example.com: Your "IronPort Email Encryption" key will expire in under 60...': Unrecoverable error. +Fri Mar 25 20:50:10 2022 Warning: Internal SMTP Error: Failed to send message to host 1.128.3.4:000 for recipient example: Unexpected SMTP response "553", expecting code starting with "2", response was ['#5.1.8 Domain of sender address does not exist']. diff --git a/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/status.@123456789.s b/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/status.@123456789.s new file mode 100644 index 00000000000..df023879178 --- /dev/null +++ b/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/status.@123456789.s 
@@ -0,0 +1 @@ +Fri Mar 25 20:50:10 2022 Info: Status: CPULd 0 DskIO 0 RAMUtil 1 QKUsd 0 QKFre 8388608 CrtMID 0 CrtICID 0 CrtDCID 1 InjMsg 0 InjRcp 0 GenBncRcp 0 RejRcp 0 DrpMsg 0 SftBncEvnt 0 CmpRcp 0 HrdBncRcp 0 DnsHrdBnc 0 5XXHrdBnc 0 FltrHrdBnc 0 ExpHrdBnc 0 OtrHrdBnc 0 DlvRcp 0 DelRcp 0 GlbUnsbHt 0 ActvRcp 0 UnatmptRcp 0 AtmptRcp 0 CrtCncIn 0 CrtCncOut 0 DnsReq 0 NetReq 0 CchHit 0 CchMis 0 CchEct 0 CchExp 0 CPUTTm 91 CPUETm 32182 MaxIO 487 RAMUsd 125195690 MMLen 0 DstInMem 3 ResCon 0 WorkQ 0 QuarMsgs 0 QuarQKUsd 0 LogUsd 5 SophLd 99 BMLd 0 CASELd 0 TotalLd 47 LogAvail 148G EuQ 0 EuqRls 0 CmrkLd 0 McafLd 0 SwIn 338 SwOut 681 SwPgIn 2123 SwPgOut 7156 SwapUsage 0% RptLd 0 QtnLd 0 EncrQ 0 InjBytes 0 diff --git a/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/system.@123456789.s b/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/system.@123456789.s new file mode 100644 index 00000000000..904c67068d1 --- /dev/null +++ b/packages/cisco_secure_email_gateway/_dev/deploy/docker/sample_logs/system.@123456789.s @@ -0,0 +1,5 @@ +Fri Mar 25 20:50:10 2022 Info: PID 1237: User admin commit changes: Added a second CLI log for examples +Fri Mar 25 20:50:10 2022 Info: lame DNS referral: qname:example.net ns_name:example.net zone:example.net ref_zone:example.net referrals:[(524666183436709L, 0, 'insecure', 'example.net'), (524666183436709L, 0, 'insecure', 'example.net')] +Fri Mar 25 20:50:10 2022 Warning: Failed to bootstrap the DNS resolver. Unable to contact root servers. +Fri Mar 25 20:50:10 2022 Warning: DNS query network error '[Errno 51] Network is unreachable' to 'dummy_ip' looking up ' ' +Fri Mar 25 20:50:10 2022 Warning: Received an invalid DNS Response: '' to IP dummy_ip looking up example.de diff --git a/packages/cisco_secure_email_gateway/changelog.yml b/packages/cisco_secure_email_gateway/changelog.yml new file mode 100644 index 00000000000..2647aa64d82 --- /dev/null +++ b/packages/cisco_secure_email_gateway/changelog.yml 
@@ -0,0 +1,6 @@ +# newer versions go on top +- version: "0.1.0" + changes: + - description: Initial draft of the package + type: enhancement + link: https://github.com/elastic/integrations/pull/3040 diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-amp.log b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-amp.log new file mode 100644 index 00000000000..ec0e0389796 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-amp.log 
@@ -0,0 +1,7 @@ +<166>Mar 17 18:24:37 amp: Info: File reputation query initiating. File Name = 'mod-6.exe', MID = 5, File Size = 1673216 bytes, File Type = application/x-dosexec +<166>Mar 17 18:24:37 amp: Info: Response received for file reputation query from Cloud. FileName = 'mod-6.exe', MID = 5, Disposition = MALICIOUS, Malware = W32.061DEF69B5-100.SBX.TG,Reputation Score = 73, sha256 =061def69b5c100e9979610fa5675bd19258b19a7ff538b5c2d230b467c312f19, upload_action = 2 +<166>Mar 17 18:24:37 amp: Info: File Analysis complete. SHA256: 16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc, Submit Timestamp: 1475825466, Update Timestamp: 1475825953, Disposition: 3 Score: 100, run_id: 194926004 Details: Analysis is completed for the File SHA256[16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc] Spyname:[W32.16454AFF50-100.SBX.TG] +<166>Mar 17 18:24:37 amp: Info: File not uploaded for analysis. MID = 0 File SHA256[a5f28f1fed7c2fe88bcdf403710098977fa12c32d13bfbd78bbe27e95b245f82] file mime[text/plain] Reason: No active/dynamic contents exists +<166>Mar 17 18:24:37 amp: Info: File analysis upload skipped. SHA256: b5c7e26491983baa713c9a2910ee868efd891661c6a0553b28f17b8fdc8cc3ef,Timestamp[1454782976] details[File SHA256[b5c7e26491983baa713c9a2910ee868efd891661c6a0553b28f17b8fdc8cc3ef] file mime[application/pdf], upload priority[Low] not uploaded, re-tries[3], backoff[986] discarding ...] +<166>Mar 17 18:24:37 amp: Info: SHA256: 69e17e213732da0d0cbc48ae7030a4a18e0c1289f510e8b139945787f67692a5,Timestamp[1454959409] details[Server Response HTTP code:[502]] +<166>Mar 17 18:24:37 amp: Info: Retrospective verdict received. SHA256: 16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc, Timestamp: 1475832815.7, Verdict: MALICIOUS, Reputation Score: 0, Spyname: W32.16454AFF50-100.SBX. 
diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-amp.log-expected.json b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-amp.log-expected.json new file mode 100644 index 00000000000..5665deb4382 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-amp.log-expected.json 
@@ -0,0 +1,329 @@ +{ + "expected": [ + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "amp" + }, + "message": "File reputation query initiating. File Name = 'mod-6.exe', MID = 5, File Size = 1673216 bytes, File Type = application/x-dosexec" + } + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "attachments": { + "file": { + "name": "mod-6.exe", + "size": 1673216 + } + }, + "content_type": "application/x-dosexec", + "message_id": "5" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 amp: Info: File reputation query initiating. File Name = 'mod-6.exe', MID = 5, File Size = 1673216 bytes, File Type = application/x-dosexec" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "amp" + }, + "disposition": "MALICIOUS", + "malware": "W32.061DEF69B5-100.SBX.TG", + "message": "Response received for file reputation query from Cloud. FileName = 'mod-6.exe', MID = 5, Disposition = MALICIOUS, Malware = W32.061DEF69B5-100.SBX.TG,Reputation Score = 73, sha256 =061def69b5c100e9979610fa5675bd19258b19a7ff538b5c2d230b467c312f19, upload_action = 2", + "reputation_score": "73", + "upload": { + "action": "2" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "attachments": { + "file": { + "hash": { + "sha256": "061def69b5c100e9979610fa5675bd19258b19a7ff538b5c2d230b467c312f19" + }, + "name": "mod-6.exe" + } + }, + "message_id": "5" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 amp: Info: Response received for file reputation query from Cloud. 
FileName = 'mod-6.exe', MID = 5, Disposition = MALICIOUS, Malware = W32.061DEF69B5-100.SBX.TG,Reputation Score = 73, sha256 =061def69b5c100e9979610fa5675bd19258b19a7ff538b5c2d230b467c312f19, upload_action = 2" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "related": { + "hash": [ + "061def69b5c100e9979610fa5675bd19258b19a7ff538b5c2d230b467c312f19" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "amp" + }, + "details": "Analysis is completed for the File SHA256[16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc]", + "disposition": "3", + "message": "File Analysis complete. SHA256: 16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc, Submit Timestamp: 1475825466, Update Timestamp: 1475825953, Disposition: 3 Score: 100, run_id: 194926004 Details: Analysis is completed for the File SHA256[16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc] Spyname:[W32.16454AFF50-100.SBX.TG]", + "run_id": "194926004", + "score": 100, + "spy_name": "W32.16454AFF50-100.SBX.TG", + "submit": { + "timestamp": "2016-10-07T07:31:06.000Z" + }, + "update": { + "timestamp": "2016-10-07T07:39:13.000Z" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "attachments": { + "file": { + "hash": { + "sha256": "16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc" + } + } + } + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 amp: Info: File Analysis complete. 
SHA256: 16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc, Submit Timestamp: 1475825466, Update Timestamp: 1475825953, Disposition: 3 Score: 100, run_id: 194926004 Details: Analysis is completed for the File SHA256[16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc] Spyname:[W32.16454AFF50-100.SBX.TG]" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "related": { + "hash": [ + "16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "amp" + }, + "message": "File not uploaded for analysis. MID = 0 File SHA256[a5f28f1fed7c2fe88bcdf403710098977fa12c32d13bfbd78bbe27e95b245f82] file mime[text/plain] Reason: No active/dynamic contents exists" + } + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "attachments": { + "file": { + "hash": { + "sha256": "a5f28f1fed7c2fe88bcdf403710098977fa12c32d13bfbd78bbe27e95b245f82" + }, + "mime_type": "text/plain" + } + }, + "message_id": "0" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 amp: Info: File not uploaded for analysis. MID = 0 File SHA256[a5f28f1fed7c2fe88bcdf403710098977fa12c32d13bfbd78bbe27e95b245f82] file mime[text/plain] Reason: No active/dynamic contents exists", + "reason": "No active/dynamic contents exists" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "related": { + "hash": [ + "a5f28f1fed7c2fe88bcdf403710098977fa12c32d13bfbd78bbe27e95b245f82" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "backoff": 986, + "category": { + "name": "amp" + }, + "details": "discarding ...", + "message": "File analysis upload skipped. 
SHA256: b5c7e26491983baa713c9a2910ee868efd891661c6a0553b28f17b8fdc8cc3ef,Timestamp[1454782976] details[File SHA256[b5c7e26491983baa713c9a2910ee868efd891661c6a0553b28f17b8fdc8cc3ef] file mime[application/pdf], upload priority[Low] not uploaded, re-tries[3], backoff[986] discarding ...]", + "retries": 3, + "submit": { + "timestamp": "2016-02-06T18:22:56.000Z" + }, + "upload": { + "priority": "Low" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "attachments": { + "file": { + "hash": { + "sha256": "b5c7e26491983baa713c9a2910ee868efd891661c6a0553b28f17b8fdc8cc3ef" + }, + "mime_type": "application/pdf" + } + } + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 amp: Info: File analysis upload skipped. SHA256: b5c7e26491983baa713c9a2910ee868efd891661c6a0553b28f17b8fdc8cc3ef,Timestamp[1454782976] details[File SHA256[b5c7e26491983baa713c9a2910ee868efd891661c6a0553b28f17b8fdc8cc3ef] file mime[application/pdf], upload priority[Low] not uploaded, re-tries[3], backoff[986] discarding ...]" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "related": { + "hash": [ + "b5c7e26491983baa713c9a2910ee868efd891661c6a0553b28f17b8fdc8cc3ef" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "amp" + }, + "message": "SHA256: 69e17e213732da0d0cbc48ae7030a4a18e0c1289f510e8b139945787f67692a5,Timestamp[1454959409] details[Server Response HTTP code:[502]]", + "server_error_details": "Server Response HTTP code:[502]", + "submit": { + "timestamp": "2016-02-08T19:23:29.000Z" + } + } + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "attachments": { + "file": { + "hash": { + "sha256": "69e17e213732da0d0cbc48ae7030a4a18e0c1289f510e8b139945787f67692a5" + } + } + } + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 amp: Info: SHA256: 
69e17e213732da0d0cbc48ae7030a4a18e0c1289f510e8b139945787f67692a5,Timestamp[1454959409] details[Server Response HTTP code:[502]]" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "related": { + "hash": [ + "69e17e213732da0d0cbc48ae7030a4a18e0c1289f510e8b139945787f67692a5" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "amp" + }, + "message": "Retrospective verdict received. SHA256: 16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc, Timestamp: 1475832815.7, Verdict: MALICIOUS, Reputation Score: 0, Spyname: W32.16454AFF50-100.SBX.", + "reputation_score": "0", + "spy_name": "W32.16454AFF50-100.SBX.", + "submit": { + "timestamp": "2016-10-07T09:33:35.700Z" + }, + "verdict": "MALICIOUS" + } + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "attachments": { + "file": { + "hash": { + "sha256": "16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc" + } + } + } + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 amp: Info: Retrospective verdict received. SHA256: 16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc, Timestamp: 1475832815.7, Verdict: MALICIOUS, Reputation Score: 0, Spyname: W32.16454AFF50-100.SBX." + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "related": { + "hash": [ + "16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc" + ] + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-anti-spam.log b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-anti-spam.log new file mode 100644 index 00000000000..d6ee8bede76 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-anti-spam.log 
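Review bot: the AMP expected output maps the appliance's internal MID (`MID = 5`, `MID = 0`) to `email.message_id`, which in ECS is the RFC 5322 Message-ID header value; an injection counter stored there will collide with real Message-IDs from other mail sources, so keep the MID under a package field such as `cisco_secure_email_gateway.log.mid` and leave `email.message_id` for the header. In the same file the numeric values are typed inconsistently: `reputation_score` is the string `"73"` / `"0"`, `disposition` is `"3"` and `upload.action` is `"2"`, while `score`, `backoff` and `retries` are numbers; convert the scores to numbers so range queries and visualisations work on them. The `Timestamp[1454959409]` on the HTTP 502 line and the `Timestamp: 1475832815.7` on the retrospective-verdict line are both written to `submit.timestamp`, but neither is a submission time, so a neutral name (`timestamp`) avoids misreading them. Finally, every AMP event carries only `event.kind: event` with no `event.category` or `event.type`, which makes a `Disposition = MALICIOUS` reputation response indistinguishable from an informational "upload skipped" line in the default security views; consider setting `event.category: ["malware"]` and `event.type: ["info"]` when the disposition or verdict is MALICIOUS.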
@@ -0,0 +1,3 @@ +<166>Mar 17 18:24:37 antispam: Info: case antispam - engine (72324) : case-daemon: Initializing Child +<166>Mar 17 18:24:37 antispam: Info: case antispam - engine (15703) : case-daemon: all children killed, exitting +<166>Mar 17 18:24:37 antispam: Info: case antispam - engine (15703) : case-daemon: server killed by SIGHUP, shutting down diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-anti-spam.log-expected.json b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-anti-spam.log-expected.json new file mode 100644 index 00000000000..181055ec034 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-anti-spam.log-expected.json 
@@ -0,0 +1,97 @@ +{ + "expected": [ + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "case_id": "72324", + "category": { + "name": "antispam" + }, + "message": "case antispam - engine (72324) : case-daemon: Initializing Child", + "object_category": "antispam - engine", + "result": "Initializing Child" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 antispam: Info: case antispam - engine (72324) : case-daemon: Initializing Child" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "case_id": "15703", + "category": { + "name": "antispam" + }, + "message": "case antispam - engine (15703) : case-daemon: all children killed, exitting", + "object": "children", + "object_category": "antispam - engine", + "result": "exitting" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 antispam: Info: case antispam - engine (15703) : case-daemon: all children killed, exitting" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "case_id": "15703", + "category": { + "name": "antispam" + }, + "command": "SIGHUP", + "message": "case antispam - engine (15703) : case-daemon: server killed by SIGHUP, shutting down", + "object": "server", + "object_category": "antispam - engine", + "result": "shutting down" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 antispam: Info: case antispam - engine (15703) : case-daemon: server killed by SIGHUP, shutting down" + }, + "log": { + "level": "info", + 
"syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-config.yml b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..4da22641654 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_original_event diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-consolidated-event.log b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-consolidated-event.log new file mode 100644 index 00000000000..48303452f88 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-consolidated-event.log 
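Review bot: `case_id` in the anti-spam expected output is the parenthesised number from `case antispam - engine (72324) : case-daemon: ...`, but that number reads as the engine's process id rather than a case identifier (the content-scanner sample in this same change writes the equivalent value as `pid=17729`), so `process.pid` or a `cisco_secure_email_gateway.log.pid` field would be a more accurate home. `object` and `result` are derived from the English phrasing of the message (`all children killed, exitting`, `server killed by SIGHUP, shutting down`), and `command` holds a signal name rather than a command; document the message grammar the pattern expects, and make sure a line that does not match it still indexes with `message` set rather than silently losing fields.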
@@ -0,0 +1,2 @@ +<166>Mar 17 18:24:37 consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance|14.0.0-657|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=42127C7DDEE76852677B-F80CE8074CD3 ESAMID=1053 ESAICID=134 ESAAMPVerdict=UNKNOWN ESAASVerdict=NEGATIVE ESAAVVerdict=NEGATIVE ESACFVerdict=MATCH endTime=Thu Mar 18 08:04:46 2021 ESADLPVerdict=NOT_EVALUATED dvc=1.128.3.4 ESAAttachmentDetails={'test.txt': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '7f843d263304fb0516d6210e9de4fa7f01f2f623074aab6e3ee7051f7b785cfa'}, 'BodyScanner': {'fsize': 10059}}} ESAFriendlyFrom=example.com ESAGMVerdict=NEGATIVE startTime=Thu Mar 18 08:04:29 2021 deviceInboundInterface=Incomingmail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=example.com cs1Label=MailPolicy cs1=DEFAULT ESAMFVerdict=NOT_EVALUATED act=QUARANTINED ESAFinalActionDetails=To POLICY cs4Label=ExternalMsgID cs4='' ESAMsgSize=11873 ESAOFVerdict=POSITIVE duser=example.com ESAHeloIP=1.128.3.4 cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=27 years 2 months 15 days cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Weak ESASPFVerdict={'mailfrom': {'result': 'None', 'sender': 'example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster'}, 'pra': {'result': 'None', 'sender': 'example.com'}} sourceHostName=unknown ESASenderGroup=UNKNOWNLIST sourceAddress=1.128.3.4 msg='Testing' +<166>Mar 17 18:24:37 consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance|14.0.0-657|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=42127C7DDEE76852677B-F80CE8074CD3 ESAMID=1053 ESAICID=134 ESAAMPVerdict=UNKNOWN ESAASVerdict=NEGATIVE ESAAVVerdict=NEGATIVE ESACFVerdict=MATCH endTime=Thu Mar 18 08:04:46 2021 ESADLPVerdict=NOT_EVALUATED dvc=1.128.3.4 ESAAttachmentDetails={'test.txt': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '7f843d263304fb0516d6210e9de4fa7f01f2f623074aab6e3ee7051f7b785cfa'}, 'BodyScanner': {'fsize': 10059}}} ESAFriendlyFrom=example.com 
ESAGMVerdict=NEGATIVE startTime=Thu Mar 18 08:04:29 2021 deviceInboundInterface=Incomingmail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=example.com cs1Label=MailPolicy cs1=DEFAULT ESAMFVerdict=NOT_EVALUATED act=QUARANTINED ESAFinalActionDetails=To POLICY cs4Label=ExternalMsgID cs4='' ESAMsgSize=11873 ESAOFVerdict=POSITIVE duser=example.com ESAHeloIP=1.128.3.4 cfp1Label=SBRSScore cfp1=95.2 ESASDRDomainAge=27 years 2 months 15 days cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Weak ESASPFVerdict={'mailfrom': {'result': 'None', 'sender': 'example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster'}, 'pra': {'result': 'None', 'sender': 'example.com'}} sourceHostName=unknown ESASenderGroup=UNKNOWNLIST sourceAddress=1.128.3.4 msg='Testing' diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-consolidated-event.log-expected.json b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-consolidated-event.log-expected.json new file mode 100644 index 00000000000..fa88359cf96 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-consolidated-event.log-expected.json 
@@ -0,0 +1,207 @@ +{ + "expected": [ + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "act": "QUARANTINED", + "appliance": { + "product": "C100V Email Security Virtual Appliance", + "vendor": "Cisco", + "version": "14.0.0-657" + }, + "category": { + "name": "consolidated_event" + }, + "cef_format_version": "0", + "cfp1_label": "SBRSScore", + "cs1": "DEFAULT", + "cs1_label": "MailPolicy", + "cs3": "N/A", + "cs3_label": "SDRThreatCategory", + "cs4": "example.com", + "cs4_label": "ExternalMsgID", + "cs6": "Weak", + "cs6_label": "SDRRepScore", + "data": { + "ip": "1.128.3.4" + }, + "device_direction": "incoming", + "esa": { + "amp_verdict": "UNKNOWN", + "as_verdict": "NEGATIVE", + "attachment_details": "'test.txt': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '7f843d263304fb0516d6210e9de4fa7f01f2f623074aab6e3ee7051f7b785cfa'}, 'BodyScanner': {'fsize': 10059}}", + "av_verdict": "NEGATIVE", + "content_filter_verdict": "MATCH", + "dlp_verdict": "NOT_EVALUATED", + "final_action_details": "To POLICY", + "friendly_from": "example.com", + "graymail_verdict": "NEGATIVE", + "helo": { + "ip": "1.128.3.4" + }, + "injection_connection_id": "134", + "mail_flow_policy": "ACCEPT", + "mf_verdict": "NOT_EVALUATED", + "msg_size": 11873, + "outbreak_filter_verdict": "POSITIVE", + "sdr_consolidated_domain_age": "27 years 2 months 15 days", + "sender_group": "UNKNOWNLIST", + "spf_verdict": "{'mailfrom': {'result': 'None', 'sender': 'example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster'}, 'pra': {'result': 'None', 'sender': 'example.com'}}" + }, + "event": { + "name": "Consolidated Log Event" + }, + "event_class_id": "ESA_CONSOLIDATED_LOG_EVENT", + "listener": { + "name": "Incomingmail" + }, + "message": "CEF:0|Cisco|C100V Email Security Virtual Appliance|14.0.0-657|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=42127C7DDEE76852677B-F80CE8074CD3 ESAMID=1053 ESAICID=134 ESAAMPVerdict=UNKNOWN 
ESAASVerdict=NEGATIVE ESAAVVerdict=NEGATIVE ESACFVerdict=MATCH endTime=Thu Mar 18 08:04:46 2021 ESADLPVerdict=NOT_EVALUATED dvc=1.128.3.4 ESAAttachmentDetails={'test.txt': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '7f843d263304fb0516d6210e9de4fa7f01f2f623074aab6e3ee7051f7b785cfa'}, 'BodyScanner': {'fsize': 10059}}} ESAFriendlyFrom=example.com ESAGMVerdict=NEGATIVE startTime=Thu Mar 18 08:04:29 2021 deviceInboundInterface=Incomingmail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=example.com cs1Label=MailPolicy cs1=DEFAULT ESAMFVerdict=NOT_EVALUATED act=QUARANTINED ESAFinalActionDetails=To POLICY cs4Label=ExternalMsgID cs4='\u003cexample.com\u003e' ESAMsgSize=11873 ESAOFVerdict=POSITIVE duser=example.com ESAHeloIP=1.128.3.4 cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=27 years 2 months 15 days cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Weak ESASPFVerdict={'mailfrom': {'result': 'None', 'sender': 'example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster'}, 'pra': {'result': 'None', 'sender': 'example.com'}} sourceHostName=unknown ESASenderGroup=UNKNOWNLIST sourceAddress=1.128.3.4 msg='Testing'" + } + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "direction": "inbound", + "from": { + "address": "example.com" + }, + "message_id": "1053", + "subject": "Testing", + "to": { + "address": "example.com" + } + }, + "event": { + "end": "Thu Mar 18 08:04:46 2021", + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance|14.0.0-657|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=42127C7DDEE76852677B-F80CE8074CD3 ESAMID=1053 ESAICID=134 ESAAMPVerdict=UNKNOWN ESAASVerdict=NEGATIVE ESAAVVerdict=NEGATIVE ESACFVerdict=MATCH endTime=Thu Mar 18 08:04:46 2021 ESADLPVerdict=NOT_EVALUATED dvc=1.128.3.4 ESAAttachmentDetails={'test.txt': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': 
'7f843d263304fb0516d6210e9de4fa7f01f2f623074aab6e3ee7051f7b785cfa'}, 'BodyScanner': {'fsize': 10059}}} ESAFriendlyFrom=example.com ESAGMVerdict=NEGATIVE startTime=Thu Mar 18 08:04:29 2021 deviceInboundInterface=Incomingmail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=example.com cs1Label=MailPolicy cs1=DEFAULT ESAMFVerdict=NOT_EVALUATED act=QUARANTINED ESAFinalActionDetails=To POLICY cs4Label=ExternalMsgID cs4='\u003cexample.com\u003e' ESAMsgSize=11873 ESAOFVerdict=POSITIVE duser=example.com ESAHeloIP=1.128.3.4 cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=27 years 2 months 15 days cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Weak ESASPFVerdict={'mailfrom': {'result': 'None', 'sender': 'example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster'}, 'pra': {'result': 'None', 'sender': 'example.com'}} sourceHostName=unknown ESASenderGroup=UNKNOWNLIST sourceAddress=1.128.3.4 msg='Testing'", + "severity": "5", + "start": "Thu Mar 18 08:04:29 2021" + }, + "host": { + "id": "42127C7DDEE76852677B-F80CE8074CD3" + }, + "log": { + "syslog": { + "priority": 166 + } + }, + "related": { + "ip": [ + "1.128.3.4" + ] + }, + "source": { + "domain": "unknown", + "ip": "1.128.3.4" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "act": "QUARANTINED", + "appliance": { + "product": "C100V Email Security Virtual Appliance", + "vendor": "Cisco", + "version": "14.0.0-657" + }, + "category": { + "name": "consolidated_event" + }, + "cef_format_version": "0", + "cfp1": 95.2, + "cfp1_label": "SBRSScore", + "cs1": "DEFAULT", + "cs1_label": "MailPolicy", + "cs3": "N/A", + "cs3_label": "SDRThreatCategory", + "cs4": "example.com", + "cs4_label": "ExternalMsgID", + "cs6": "Weak", + "cs6_label": "SDRRepScore", + "data": { + "ip": "1.128.3.4" + }, + "device_direction": "incoming", + "esa": { + "amp_verdict": "UNKNOWN", + "as_verdict": "NEGATIVE", + "attachment_details": 
"'test.txt': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '7f843d263304fb0516d6210e9de4fa7f01f2f623074aab6e3ee7051f7b785cfa'}, 'BodyScanner': {'fsize': 10059}}", + "av_verdict": "NEGATIVE", + "content_filter_verdict": "MATCH", + "dlp_verdict": "NOT_EVALUATED", + "final_action_details": "To POLICY", + "friendly_from": "example.com", + "graymail_verdict": "NEGATIVE", + "helo": { + "ip": "1.128.3.4" + }, + "injection_connection_id": "134", + "mail_flow_policy": "ACCEPT", + "mf_verdict": "NOT_EVALUATED", + "msg_size": 11873, + "outbreak_filter_verdict": "POSITIVE", + "sdr_consolidated_domain_age": "27 years 2 months 15 days", + "sender_group": "UNKNOWNLIST", + "spf_verdict": "{'mailfrom': {'result': 'None', 'sender': 'example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster'}, 'pra': {'result': 'None', 'sender': 'example.com'}}" + }, + "event": { + "name": "Consolidated Log Event" + }, + "event_class_id": "ESA_CONSOLIDATED_LOG_EVENT", + "listener": { + "name": "Incomingmail" + }, + "message": "CEF:0|Cisco|C100V Email Security Virtual Appliance|14.0.0-657|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=42127C7DDEE76852677B-F80CE8074CD3 ESAMID=1053 ESAICID=134 ESAAMPVerdict=UNKNOWN ESAASVerdict=NEGATIVE ESAAVVerdict=NEGATIVE ESACFVerdict=MATCH endTime=Thu Mar 18 08:04:46 2021 ESADLPVerdict=NOT_EVALUATED dvc=1.128.3.4 ESAAttachmentDetails={'test.txt': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '7f843d263304fb0516d6210e9de4fa7f01f2f623074aab6e3ee7051f7b785cfa'}, 'BodyScanner': {'fsize': 10059}}} ESAFriendlyFrom=example.com ESAGMVerdict=NEGATIVE startTime=Thu Mar 18 08:04:29 2021 deviceInboundInterface=Incomingmail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=example.com cs1Label=MailPolicy cs1=DEFAULT ESAMFVerdict=NOT_EVALUATED act=QUARANTINED ESAFinalActionDetails=To POLICY cs4Label=ExternalMsgID cs4='\u003cexample.com\u003e' ESAMsgSize=11873 ESAOFVerdict=POSITIVE duser=example.com ESAHeloIP=1.128.3.4 cfp1Label=SBRSScore cfp1=95.2 
ESASDRDomainAge=27 years 2 months 15 days cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Weak ESASPFVerdict={'mailfrom': {'result': 'None', 'sender': 'example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster'}, 'pra': {'result': 'None', 'sender': 'example.com'}} sourceHostName=unknown ESASenderGroup=UNKNOWNLIST sourceAddress=1.128.3.4 msg='Testing'" + } + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "direction": "inbound", + "from": { + "address": "example.com" + }, + "message_id": "1053", + "subject": "Testing", + "to": { + "address": "example.com" + } + }, + "event": { + "end": "Thu Mar 18 08:04:46 2021", + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 consolidated_event: CEF:0|Cisco|C100V Email Security Virtual Appliance|14.0.0-657|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=42127C7DDEE76852677B-F80CE8074CD3 ESAMID=1053 ESAICID=134 ESAAMPVerdict=UNKNOWN ESAASVerdict=NEGATIVE ESAAVVerdict=NEGATIVE ESACFVerdict=MATCH endTime=Thu Mar 18 08:04:46 2021 ESADLPVerdict=NOT_EVALUATED dvc=1.128.3.4 ESAAttachmentDetails={'test.txt': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '7f843d263304fb0516d6210e9de4fa7f01f2f623074aab6e3ee7051f7b785cfa'}, 'BodyScanner': {'fsize': 10059}}} ESAFriendlyFrom=example.com ESAGMVerdict=NEGATIVE startTime=Thu Mar 18 08:04:29 2021 deviceInboundInterface=Incomingmail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=example.com cs1Label=MailPolicy cs1=DEFAULT ESAMFVerdict=NOT_EVALUATED act=QUARANTINED ESAFinalActionDetails=To POLICY cs4Label=ExternalMsgID cs4='\u003cexample.com\u003e' ESAMsgSize=11873 ESAOFVerdict=POSITIVE duser=example.com ESAHeloIP=1.128.3.4 cfp1Label=SBRSScore cfp1=95.2 ESASDRDomainAge=27 years 2 months 15 days cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Weak ESASPFVerdict={'mailfrom': {'result': 'None', 'sender': 'example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster'}, 'pra': {'result': 'None', 'sender': 'example.com'}} 
sourceHostName=unknown ESASenderGroup=UNKNOWNLIST sourceAddress=1.128.3.4 msg='Testing'", + "severity": "5", + "start": "Thu Mar 18 08:04:29 2021" + }, + "host": { + "id": "42127C7DDEE76852677B-F80CE8074CD3" + }, + "log": { + "syslog": { + "priority": 166 + } + }, + "related": { + "ip": [ + "1.128.3.4" + ] + }, + "source": { + "domain": "unknown", + "ip": "1.128.3.4" + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-content-scanner.log b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-content-scanner.log new file mode 100644 index 00000000000..2e6a8025daa --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-content-scanner.log @@ -0,0 +1,2 @@ +<166>Mar 17 18:31:14 content_scanner: Info: PF: Starting multi-threaded Perceptive server (pid=17729) +<166>Mar 17 18:31:14 content_scanner: Info: PF: Restarting content_scanner service. diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-content-scanner.log-expected.json b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-content-scanner.log-expected.json new file mode 100644 index 00000000000..ed64ac1a326 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-content-scanner.log-expected.json 
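Review bot: In test-common-consolidated-event.log-expected.json, event.start and event.end are kept as the raw strings "Thu Mar 18 08:04:29 2021" / "Thu Mar 18 08:04:46 2021", but ECS defines both as date fields, so either run startTime/endTime through a date processor (a pattern such as "EEE MMM dd HH:mm:ss yyyy") or leave them under cisco_secure_email_gateway.log.* as text. Two mapping points in the same hunk: email.message_id is filled from ESAMID ("1053"), the appliance's internal message counter, while cs4/ExternalMsgID carries the real Message-ID, so email.message_id should come from cs4 and ESAMID stay in the vendor namespace; and source.domain "unknown" is just the literal sourceHostName=unknown, which should be dropped rather than indexed. Finally, ESAAttachmentDetails is stored as an opaque string, which hides the SHA-256 fileHash and the AMP verdict from search; extracting the hash into related.hash (and file.hash.sha256) would let analysts pivot on it.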
@@ -0,0 +1,66 @@ +{ + "expected": [ + { + "@timestamp": "2022-03-17T18:31:14.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "content_scanner" + }, + "message": "PF: Starting multi-threaded Perceptive server (pid=17729)", + "object_category": "multi-threaded Perceptive server", + "vendor_action": "Starting" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:31:14 content_scanner: Info: PF: Starting multi-threaded Perceptive server (pid=17729)" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "process": { + "pid": 17729 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:31:14.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "content_scanner" + }, + "message": "PF: Restarting content_scanner service.", + "object": "content_scanner", + "object_category": "service.", + "vendor_action": "Restarting" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:31:14 content_scanner: Info: PF: Restarting content_scanner service." + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-error.log b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-error.log new file mode 100644 index 00000000000..aa2cc75147f --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-error.log 
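Review bot: In test-common-content-scanner.log-expected.json the second event has "object_category": "service." with the trailing period captured, and the two messages are split inconsistently: the first yields only object_category "multi-threaded Perceptive server" (no object), the second yields object "content_scanner" plus object_category. The pattern should exclude trailing punctuation from the capture (match an optional final "." outside the field) and split object/object_category the same way for both "Starting ..." and "Restarting ..." messages, or else drop object_category where it is not reliably derivable.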
@@ -0,0 +1,4 @@ +<166>Mar 17 18:31:14 error_logs: Info: Quarantine: Failed to connect to quarantine +<166>Mar 17 18:31:14 error_logs: Info: Internal SMTP giving up on message to example.com with subject 'Warning example.com: Your "IronPort Email Encryption" key will expire in under 60...': Unrecoverable error. +<166>Mar 17 18:31:14 error_logs: Critical: Error while sending alert: Unable to send System/Warning alert to example.com with subject "Warning example.com: Your "IronPort Email Encryption" key will expire in under 60...". +<166>Mar 17 18:31:14 error_logs: Info: Internal SMTP system attempting to send a message to example.com with subject 'Critical example.com: Log Error: Subscription error_logs: Failed to connect to 10....' (attempt #0). diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-error.log-expected.json b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-error.log-expected.json new file mode 100644 index 00000000000..152f21d31d8 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-error.log-expected.json 
@@ -0,0 +1,151 @@ +{ + "expected": [ + { + "@timestamp": "2022-03-17T18:31:14.000Z", + "cisco_secure_email_gateway": { + "log": { + "alert_category": "Quarantine", + "category": { + "name": "error_logs" + }, + "description": "Failed to connect to quarantine", + "message": "Quarantine: Failed to connect to quarantine" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:31:14 error_logs: Info: Quarantine: Failed to connect to quarantine", + "type": [ + "error" + ] + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:31:14.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "error_logs" + }, + "message": "Internal SMTP giving up on message to example.com with subject 'Warning \u003cSystem\u003e example.com: Your \"IronPort Email Encryption\" key will expire in under 60...': Unrecoverable error." 
+ } + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "subject": "'Warning \u003cSystem\u003e example.com: Your \"IronPort Email Encryption\" key will expire in under 60...': Unrecoverable error", + "to": { + "address": "example.com" + } + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:31:14 error_logs: Info: Internal SMTP giving up on message to example.com with subject 'Warning \u003cSystem\u003e example.com: Your \"IronPort Email Encryption\" key will expire in under 60...': Unrecoverable error.", + "type": [ + "error" + ] + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "network": { + "protocol": "smtp" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:31:14.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "error_logs" + }, + "description": "Error while sending alert", + "message": "Error while sending alert: Unable to send System/Warning alert to example.com with subject \"Warning \u003cSystem\u003e example.com: Your \"IronPort Email Encryption\" key will expire in under 60...\"." 
+ } + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "subject": "Warning \u003cSystem\u003e example.com: Your \"IronPort Email Encryption\" key will expire in under 60...", + "to": { + "address": "example.com" + } + }, + "event": { + "kind": "alert", + "original": "\u003c166\u003eMar 17 18:31:14 error_logs: Critical: Error while sending alert: Unable to send System/Warning alert to example.com with subject \"Warning \u003cSystem\u003e example.com: Your \"IronPort Email Encryption\" key will expire in under 60...\".", + "type": [ + "error" + ] + }, + "log": { + "level": "critical", + "syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:31:14.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "error_logs" + }, + "message": "Internal SMTP system attempting to send a message to example.com with subject 'Critical \u003cSystem\u003e example.com: Log Error: Subscription error_logs: Failed to connect to 10....' (attempt #0)." + } + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "subject": "'Critical \u003cSystem\u003e example.com: Log Error: Subscription error_logs: Failed to connect to 10....' (attempt #0)", + "to": { + "address": "example.com" + } + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:31:14 error_logs: Info: Internal SMTP system attempting to send a message to example.com with subject 'Critical \u003cSystem\u003e example.com: Log Error: Subscription error_logs: Failed to connect to 10....' (attempt #0).", + "type": [ + "error" + ] + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "network": { + "protocol": "smtp" + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file 
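Review bot: In test-common-error.log-expected.json, email.subject for the "Internal SMTP giving up" and "attempting to send" events includes the surrounding single quotes and the trailing ": Unrecoverable error" / " (attempt #0)" text, which belongs to the message, not the subject; capture only the text between the quotes, as the third event already does. Also, event.type ["error"] is set on all four events without an event.category, and ECS pairs event.type with event.category, so a category should be set alongside it. One thing to double-check: the .log fixture as rendered here reads "Warning example.com:" while event.original in the expected file reads "Warning <System> example.com:"; if that is not just rendering loss of the angle-bracketed token, the fixture and expectation will not match.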
diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-gui-log.log b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-gui-log.log new file mode 100644 index 00000000000..cc2f6d8f5a4 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-gui-log.log @@ -0,0 +1,11 @@ +<166>Mar 17 18:31:14 gui_logs: Info: req:1.128.3.4 user:admin id:2v10z5fEuDsvhdbVE6Ck 200 GET xxx.png HTTP/1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 +<166>Mar 17 18:31:14 gui_logs: Info: req:1.128.3.4 user:- id:2v10z5fEuDsvhdbVE6Ck 200 GET xxx.png HTTP/1.1 - +<166>Mar 17 18:31:14 gui_logs: Info: Action: User admin logged out from session 5GPz0QDlfxUYQ0Y3PgYN beacuse of inactivity timeout +<166>Mar 17 18:31:14 gui_logs: Info: Session fRK3TSjzhHhoI9CV5Kvt user:admin expired +<166>Mar 17 18:31:14 gui_logs: Info: Session fRK3TSjzhHhoI9CV5Kvt from 1.128.3.4 not found Destination:/mail_policies/email_security_manager/incoming_mail_policies +<166>Mar 17 18:31:14 gui_logs: Info: SourceIP:1.128.3.4 Destination:/login Username:admin Privilege:admin session:5GPz0QDlfxUYQ0Y3PgYN Action: The HTTPS session has been established successfully. +<166>Mar 17 18:31:14 gui_logs: Info: PERIODIC REPORTS: No root directory for Periodic Reports Archive. Probably, running first time... +<166>Mar 17 18:31:14 gui_logs: Warning: Could not fetch current Virus Threat Level: OS error opening URL 'http://example.com/xxxxx/xxxxx.txt' +<166>Mar 17 18:31:14 gui_logs: Warning: SSL error with client 1.128.3.4:000 - (336151574, 'error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown') +<166>Mar 17 18:31:14 gui_logs: Info: Error in https connection from host 1.128.3.4 port 000 - [Errno 54] Connection reset by peer +<166>Mar 17 18:31:14 gui_logs: Info: Passphrase has been changed for user admin 
diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-gui-log.log-expected.json b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-gui-log.log-expected.json new file mode 100644 index 00000000000..a20c4814031 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-gui-log.log-expected.json 
@@ -0,0 +1,470 @@ +{ + "expected": [ + { + "@timestamp": "2022-03-17T18:31:14.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "gui_logs" + }, + "message": "req:1.128.3.4 user:admin id:2v10z5fEuDsvhdbVE6Ck 200 GET xxx.png HTTP/1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36" + } + }, + "client": { + "ip": "1.128.3.4" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "category": [ + "web" + ], + "id": "2v10z5fEuDsvhdbVE6Ck", + "kind": "event", + "original": "\u003c166\u003eMar 17 18:31:14 gui_logs: Info: req:1.128.3.4 user:admin id:2v10z5fEuDsvhdbVE6Ck 200 GET xxx.png HTTP/1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36", + "type": [ + "access" + ] + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 200 + }, + "version": "1.1" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "related": { + "ip": [ + "1.128.3.4" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "path": "xxx.png" + }, + "user": { + "name": "admin" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36", + "os": { + "full": "Windows 10", + "name": "Windows", + "version": "10" + }, + "version": "99.0.4844.51" + } + }, + { + "@timestamp": "2022-03-17T18:31:14.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "gui_logs" + }, + "message": "req:1.128.3.4 user:- id:2v10z5fEuDsvhdbVE6Ck 200 GET xxx.png HTTP/1.1 -" + } + }, + "client": { + "ip": "1.128.3.4" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "category": [ + "web" + ], + "id": "2v10z5fEuDsvhdbVE6Ck", + "kind": "event", + "original": "\u003c166\u003eMar 17 18:31:14 gui_logs: 
Info: req:1.128.3.4 user:- id:2v10z5fEuDsvhdbVE6Ck 200 GET xxx.png HTTP/1.1 -", + "type": [ + "access" + ] + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "status_code": 200 + }, + "version": "1.1" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "related": { + "ip": [ + "1.128.3.4" + ] + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "path": "xxx.png" + } + }, + { + "@timestamp": "2022-03-17T18:31:14.000Z", + "cisco_secure_email_gateway": { + "log": { + "action": "logged out", + "category": { + "name": "gui_logs" + }, + "message": "Action: User admin logged out from session 5GPz0QDlfxUYQ0Y3PgYN beacuse of inactivity timeout", + "session": "5GPz0QDlfxUYQ0Y3PgYN" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "category": [ + "session" + ], + "kind": "event", + "original": "\u003c166\u003eMar 17 18:31:14 gui_logs: Info: Action: User admin logged out from session 5GPz0QDlfxUYQ0Y3PgYN beacuse of inactivity timeout", + "type": [ + "end" + ] + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "related": { + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-03-17T18:31:14.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "gui_logs" + }, + "message": "Session fRK3TSjzhHhoI9CV5Kvt user:admin expired", + "result": "expired", + "session": "fRK3TSjzhHhoI9CV5Kvt" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "category": [ + "session" + ], + "kind": "event", + "original": "\u003c166\u003eMar 17 18:31:14 gui_logs: Info: Session fRK3TSjzhHhoI9CV5Kvt user:admin expired", + "type": [ + "end" + ] + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "related": { + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-03-17T18:31:14.000Z", + 
"cisco_secure_email_gateway": { + "log": { + "category": { + "name": "gui_logs" + }, + "destination": "/mail_policies/email_security_manager/incoming_mail_policies", + "message": "Session fRK3TSjzhHhoI9CV5Kvt from 1.128.3.4 not found Destination:/mail_policies/email_security_manager/incoming_mail_policies", + "session": "fRK3TSjzhHhoI9CV5Kvt" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:31:14 gui_logs: Info: Session fRK3TSjzhHhoI9CV5Kvt from 1.128.3.4 not found Destination:/mail_policies/email_security_manager/incoming_mail_policies" + }, + "host": { + "ip": "1.128.3.4" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "related": { + "ip": [ + "1.128.3.4" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:31:14.000Z", + "cisco_secure_email_gateway": { + "log": { + "action": "The HTTPS session has been established successfully.", + "category": { + "name": "gui_logs" + }, + "destination": "/login", + "message": "SourceIP:1.128.3.4 Destination:/login Username:admin Privilege:admin session:5GPz0QDlfxUYQ0Y3PgYN Action: The HTTPS session has been established successfully.", + "privilege": "admin", + "session": "5GPz0QDlfxUYQ0Y3PgYN" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:31:14 gui_logs: Info: SourceIP:1.128.3.4 Destination:/login Username:admin Privilege:admin session:5GPz0QDlfxUYQ0Y3PgYN Action: The HTTPS session has been established successfully." 
+ }, + "host": { + "ip": "1.128.3.4" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "related": { + "ip": [ + "1.128.3.4" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-03-17T18:31:14.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "gui_logs" + }, + "description": "No root directory for Periodic Reports Archive. Probably, running first time...", + "message": "PERIODIC REPORTS: No root directory for Periodic Reports Archive. Probably, running first time...", + "subject": "PERIODIC REPORTS" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:31:14 gui_logs: Info: PERIODIC REPORTS: No root directory for Periodic Reports Archive. Probably, running first time..." + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:31:14.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "gui_logs" + }, + "description": "OS error opening URL 'http://example.com/xxxxx/xxxxx.txt'", + "message": "Could not fetch current Virus Threat Level: OS error opening URL 'http://example.com/xxxxx/xxxxx.txt'", + "subject": "Could not fetch current Virus Threat Level" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:31:14 gui_logs: Warning: Could not fetch current Virus Threat Level: OS error opening URL 'http://example.com/xxxxx/xxxxx.txt'" + }, + "log": { + "level": "warning", + "syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:31:14.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "gui_logs" + }, + "description": "336151574, 'error:14094416:SSL routines:ssl3_read_bytes:sslv3 
alert certificate unknown'", + "message": "SSL error with client 1.128.3.4:000 - (336151574, 'error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown')", + "subject": "SSL error with client" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:31:14 gui_logs: Warning: SSL error with client 1.128.3.4:000 - (336151574, 'error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown')" + }, + "log": { + "level": "warning", + "syslog": { + "priority": 166 + } + }, + "related": { + "ip": [ + "1.128.3.4" + ] + }, + "source": { + "ip": "1.128.3.4", + "port": 0 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:31:14.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "gui_logs" + }, + "description": "[Errno 54] Connection reset by peer", + "message": "Error in https connection from host 1.128.3.4 port 000 - [Errno 54] Connection reset by peer", + "subject": "Error in https connection from host" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:31:14 gui_logs: Info: Error in https connection from host 1.128.3.4 port 000 - [Errno 54] Connection reset by peer" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "related": { + "ip": [ + "1.128.3.4" + ] + }, + "source": { + "ip": "1.128.3.4", + "port": 0 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:31:14.000Z", + "cisco_secure_email_gateway": { + "log": { + "action": "changed", + "category": { + "name": "gui_logs" + }, + "message": "Passphrase has been changed for user admin", + "object": "Passphrase" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:31:14 gui_logs: Info: Passphrase has been changed for user admin" + }, + "log": { + "level": "info", + "syslog": { + 
"priority": 166 + } + }, + "related": { + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + } + ] +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-status.log b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-status.log new file mode 100644 index 00000000000..ec6b6dbe354 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-status.log @@ -0,0 +1 @@ +<182>Mar 30 15:12:26 status: Info: Status: CPULd 0 DskIO 0 RAMUtil 1 QKUsd 0 QKFre 8388608 CrtMID 0 CrtICID 0 CrtDCID 1 InjMsg 0 InjRcp 0 GenBncRcp 0 RejRcp 0 DrpMsg 0 SftBncEvnt 0 CmpRcp 0 HrdBncRcp 0 DnsHrdBnc 0 5XXHrdBnc 0 FltrHrdBnc 0 ExpHrdBnc 0 OtrHrdBnc 0 DlvRcp 0 DelRcp 0 GlbUnsbHt 0 ActvRcp 0 UnatmptRcp 0 AtmptRcp 0 CrtCncIn 0 CrtCncOut 0 DnsReq 0 NetReq 0 CchHit 0 CchMis 0 CchEct 0 CchExp 0 CPUTTm 91 CPUETm 32182 MaxIO 487 RAMUsd 125195690 MMLen 0 DstInMem 3 ResCon 0 WorkQ 0 QuarMsgs 0 QuarQKUsd 0 LogUsd 5 SophLd 99 BMLd 0 CASELd 0 TotalLd 47 LogAvail 148G EuQ 0 EuqRls 0 CmrkLd 0 McafLd 0 SwIn 338 SwOut 681 SwPgIn 2123 SwPgOut 7156 SwapUsage 0% RptLd 0 QtnLd 0 EncrQ 0 InjBytes 0 diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-status.log-expected.json b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-status.log-expected.json new file mode 100644 index 00000000000..6bc283a8263 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-status.log-expected.json 
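Review bot: In test-common-gui-log.log-expected.json, host.ip is set to 1.128.3.4 for the "Session ... from 1.128.3.4 not found" and "SourceIP:1.128.3.4 Destination:/login" events; that address is the remote client, not the appliance that produced the log, so it belongs in source.ip (or client.ip, as the req: lines already use), since host.* describes the host generating the event. The categorization is also uneven: logout and session expiry get event.category ["session"] / type ["end"], but the successful HTTPS login (Username:admin Privilege:admin) and "Passphrase has been changed for user admin" carry no event.category or event.type at all; the login should get category "authentication" (type "start" or "info") and the passphrase change category "iam" with type "change", since both are exactly the events a SOC wants to alert on. Privilege:admin could additionally populate user.roles.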
@@ -0,0 +1,119 @@ +{ + "expected": [ + { + "@timestamp": "2022-03-30T15:12:26.000Z", + "cisco_secure_email_gateway": { + "log": { + "5xx_hard_bounces": 0, + "active_recipients": 0, + "attempted_recipients": 0, + "bmld": 0, + "cache": { + "exceptions": 0, + "expired": 0, + "hits": 0, + "misses": 0 + }, + "case_ld": 0, + "category": { + "name": "status" + }, + "cmrkld": 0, + "completed_recipients": 0, + "cpu": { + "elapsed_time": 32182, + "total_time": 91, + "utilization": 0 + }, + "crt": { + "delivery_connection_id": "1", + "injection_connection_id": "0" + }, + "current": { + "inbound_connections": 0, + "outbound_connections": 0 + }, + "deleted_recipients": 0, + "delivered_recipients": 0, + "destination_memory": 3, + "disk_io": 0, + "dns": { + "hard_bounces": 0, + "requests": 0 + }, + "dropped_messages": 0, + "encryption_queue": 0, + "estimated": { + "quarantine": 0, + "quarantine_release_queue": 0 + }, + "expired_hard_bounces": 0, + "filter_hard_bounces": 0, + "generated_bounce_recipients": 0, + "global_unsubscribe_hits": 0, + "hard_bounce_recipients": 0, + "injected": { + "bytes": 0, + "messages": 0, + "recipients": 0 + }, + "log_available": "148G", + "log_used": 5, + "max_io": 487, + "mcafee_ld": 0, + "message": "Status: CPULd 0 DskIO 0 RAMUtil 1 QKUsd 0 QKFre 8388608 CrtMID 0 CrtICID 0 CrtDCID 1 InjMsg 0 InjRcp 0 GenBncRcp 0 RejRcp 0 DrpMsg 0 SftBncEvnt 0 CmpRcp 0 HrdBncRcp 0 DnsHrdBnc 0 5XXHrdBnc 0 FltrHrdBnc 0 ExpHrdBnc 0 OtrHrdBnc 0 DlvRcp 0 DelRcp 0 GlbUnsbHt 0 ActvRcp 0 UnatmptRcp 0 AtmptRcp 0 CrtCncIn 0 CrtCncOut 0 DnsReq 0 NetReq 0 CchHit 0 CchMis 0 CchEct 0 CchExp 0 CPUTTm 91 CPUETm 32182 MaxIO 487 RAMUsd 125195690 MMLen 0 DstInMem 3 ResCon 0 WorkQ 0 QuarMsgs 0 QuarQKUsd 0 LogUsd 5 SophLd 99 BMLd 0 CASELd 0 TotalLd 47 LogAvail 148G EuQ 0 EuqRls 0 CmrkLd 0 McafLd 0 SwIn 338 SwOut 681 SwPgIn 2123 SwPgOut 7156 SwapUsage 0% RptLd 0 QtnLd 0 EncrQ 0 InjBytes 0", + "messages_length": 0, + "network_requests": 0, + "other_hard_bounces": 0, + "quarantine": { + 
"load": 0, + "messages": 0, + "queue_kilobytes_used": 0 + }, + "queue_kilobytes_free": 8388608, + "queue_kilobytes_usd": 0, + "ram": { + "used": 125195690, + "utilization": 1 + }, + "rejected_recipients": 0, + "reporting_load": 0, + "resource_conservation": 0, + "soft_bounced_events": 0, + "sophos_ld": 99, + "swap_usage": "0%", + "swapped": { + "in": 338, + "out": 681, + "page": { + "in": 2123, + "out": 7156 + } + }, + "total_ld": 47, + "unattempted_recipients": 0, + "work_queue": 0 + } + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "message_id": "0" + }, + "event": { + "kind": "event", + "original": "\u003c182\u003eMar 30 15:12:26 status: Info: Status: CPULd 0 DskIO 0 RAMUtil 1 QKUsd 0 QKFre 8388608 CrtMID 0 CrtICID 0 CrtDCID 1 InjMsg 0 InjRcp 0 GenBncRcp 0 RejRcp 0 DrpMsg 0 SftBncEvnt 0 CmpRcp 0 HrdBncRcp 0 DnsHrdBnc 0 5XXHrdBnc 0 FltrHrdBnc 0 ExpHrdBnc 0 OtrHrdBnc 0 DlvRcp 0 DelRcp 0 GlbUnsbHt 0 ActvRcp 0 UnatmptRcp 0 AtmptRcp 0 CrtCncIn 0 CrtCncOut 0 DnsReq 0 NetReq 0 CchHit 0 CchMis 0 CchEct 0 CchExp 0 CPUTTm 91 CPUETm 32182 MaxIO 487 RAMUsd 125195690 MMLen 0 DstInMem 3 ResCon 0 WorkQ 0 QuarMsgs 0 QuarQKUsd 0 LogUsd 5 SophLd 99 BMLd 0 CASELd 0 TotalLd 47 LogAvail 148G EuQ 0 EuqRls 0 CmrkLd 0 McafLd 0 SwIn 338 SwOut 681 SwPgIn 2123 SwPgOut 7156 SwapUsage 0% RptLd 0 QtnLd 0 EncrQ 0 InjBytes 0" + }, + "log": { + "level": "info", + "syslog": { + "priority": 182 + } + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-system.log b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-system.log new file mode 100644 index 00000000000..6cf8f68122a --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-system.log 
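Review bot: In test-common-status.log-expected.json, email.message_id is set to "0" from CrtMID, which on a status heartbeat is a running counter of the last message ID rather than a Message-ID, so every status line will pollute email.* with a meaningless value; keep it in the vendor namespace. Field naming in the same hunk is inconsistent: QKUsd becomes queue_kilobytes_usd while QuarQKUsd becomes quarantine.queue_kilobytes_used, and bmld / cmrkld sit beside case_ld / sophos_ld / mcafee_ld / total_ld; crt.delivery_connection_id and crt.injection_connection_id are strings ("1", "0") while the neighbouring counters are numbers. log_available "148G" is also kept as a unit-suffixed string; if it is meant for capacity alerting it should be converted to bytes.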
@@ -0,0 +1,5 @@ +<166>Mar 17 18:31:14 system: Info: PID 1237: User admin commit changes: Added a second CLI log for examples +<166>Mar 17 18:31:14 system: Info: lame DNS referral: qname:example.net ns_name:example.net zone:example.net ref_zone:example.net referrals:[(524666183436709L, 0, 'insecure', 'example.net'), (524666183436709L, 0, 'insecure', 'example.net')] +<166>Mar 17 18:31:14 system: Warning: Failed to bootstrap the DNS resolver. Unable to contact root servers. +<166>Mar 17 18:31:14 system: Warning: DNS query network error '[Errno 51] Network is unreachable' to 'dummy_ip' looking up ' ' +<166>Mar 17 18:31:14 system: Warning: Received an invalid DNS Response: '' to IP dummy_ip looking up example.de diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-system.log-expected.json b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-system.log-expected.json new file mode 100644 index 00000000000..47e7f10c1e0 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-system.log-expected.json 
@@ -0,0 +1,163 @@ +{ + "expected": [ + { + "@timestamp": "2022-03-17T18:31:14.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "system" + }, + "commit_changes": " Added a second CLI log for examples", + "message": "PID 1237: User admin commit changes: Added a second CLI log for examples" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:31:14 system: Info: PID 1237: User admin commit changes: Added a second CLI log for examples" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "process": { + "pid": 1237 + }, + "related": { + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-03-17T18:31:14.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "system" + }, + "message": "lame DNS referral: qname:example.net ns_name:example.net zone:example.net ref_zone:example.net referrals:[(524666183436709L, 0, 'insecure', 'example.net'), (524666183436709L, 0, 'insecure', 'example.net')]", + "name": "lame DNS referral", + "ns_name": "example.net", + "qname": "example.net", + "ref_zone": "example.net", + "referrals": "[(524666183436709L, 0, 'insecure', 'example.net'), (524666183436709L, 0, 'insecure', 'example.net')]", + "zone": "example.net" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:31:14 system: Info: lame DNS referral: qname:example.net ns_name:example.net zone:example.net ref_zone:example.net referrals:[(524666183436709L, 0, 'insecure', 'example.net'), (524666183436709L, 0, 'insecure', 'example.net')]" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:31:14.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "system" + }, + 
"description": "Unable to contact root servers.", + "message": "Failed to bootstrap the DNS resolver. Unable to contact root servers.", + "subject": "Failed to bootstrap the DNS resolver" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:31:14 system: Warning: Failed to bootstrap the DNS resolver. Unable to contact root servers." + }, + "log": { + "level": "warning", + "syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:31:14.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "system" + }, + "description": "dummy_ip' looking up", + "message": "DNS query network error '[Errno 51] Network is unreachable' to 'dummy_ip' looking up ' '", + "subject": "DNS query network error '[Errno 51] Network is unreachable'" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:31:14 system: Warning: DNS query network error '[Errno 51] Network is unreachable' to 'dummy_ip' looking up ' '" + }, + "log": { + "level": "warning", + "syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:31:14.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "system" + }, + "description": "'' to IP dummy_ip looking up example.de", + "message": "Received an invalid DNS Response: '' to IP dummy_ip looking up example.de", + "subject": "Received an invalid DNS Response" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:31:14 system: Warning: Received an invalid DNS Response: '' to IP dummy_ip looking up example.de" + }, + "log": { + "level": "warning", + "syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file 
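Review bot: In test-common-system.log-expected.json, commit_changes keeps a leading space (" Added a second CLI log for examples"); the capture should start after "commit changes: " or be trimmed. The "DNS query network error" event is split incorrectly: subject ends up as "DNS query network error '[Errno 51] Network is unreachable'" and description as "dummy_ip' looking up", because the split lands on the first quote inside the error text. That message shape (error, target server, lookup name) needs its own pattern capturing the three parts separately, or at minimum description should hold the whole remainder after the error rather than a fragment.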
diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-text-mail.log b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-text-mail.log new file mode 100644 index 00000000000..e5386664db1 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-text-mail.log @@ -0,0 +1,20 @@ +<166>Mar 17 18:24:37 mail_logs: Info: MID 111 DLP violation. Severity: LOW (Risk Factor: 15). DLP policy match: 'PCI-DSS (Payment Card Industry Data Security Standard)'. +<166>Mar 17 18:24:37 mail_logs: Info: graymail [CONFIG] Starting graymail configuration handler +<166>Mar 17 18:24:37 mail_logs: Info: URL_REP_CLIENT: Configuration changed. Triggering restart of URL Reputation client service. +<166>Mar 17 18:24:37 mail_logs: Info: A System/Warning alert was sent to example.com with subject "Warning cisco.esa: URL category definitions have changed.; Added new category '...". +<166>Mar 17 18:24:37 mail_logs: Info: New SMTP ICID 5 interface Management (1.128.3.4) address 1.128.3.4 reverse dns host http://example.com/example/example.txt.com verified yes +<166>Mar 17 18:24:37 mail_logs: Info: Start MID 6 ICID 5 +<166>Mar 17 18:24:37 mail_logs: Info: MID 6 ICID 5 
From: +<166>Mar 17 18:24:37 mail_logs: Info: MID 6 ICID 5 RID 0 To: +<166>Mar 17 18:24:37 mail_logs: Info: MID 6 ready 100 bytes from +<166>Mar 17 18:24:37 mail_logs: Info: ICID 5 close +<166>Mar 17 18:24:37 mail_logs: Info: New SMTP DCID 8 interface 1.128.3.4 address 1.128.3.4 +<166>Mar 17 18:24:37 mail_logs: Info: Delivery start DCID 8 MID 6 to RID [0] +<166>Mar 17 18:24:37 mail_logs: Info: Message done DCID 8 MID 6 to RID [0] +<166>Mar 17 18:24:37 mail_logs: Info: DCID 8 close +<166>Mar 17 18:24:37 mail_logs: Warning: URL category definitions have changed. Please check and update your filters to use the new definitions +<166>Mar 17 18:24:37 mail_logs: Critical: Error while sending alert: Unable to send System/Warning alert to example.com with subject "Warning example.com: Your "IronPort Email Encryption" key will expire in under 60...". +<166>Mar 17 18:24:37 mail_logs: Warning: Your "IronPort Anti-Spam" key will expire in under 60 day(s). Please contact your authorized Cisco sales representative. +<166>Mar 17 18:24:37 mail_logs: Info: Internal SMTP system successfully sent a message to example.com with subject 'Warning cisco.esa: Your "Sophos Anti-Virus" key will expire in under 60 day(s)....'. +<166>Mar 17 18:24:37 mail_logs: Critical: Internal SMTP giving up on message to example.com with subject 'Warning example.com: Your "IronPort Email Encryption" key will expire in under 60...': Unrecoverable error. +<166>Mar 17 18:24:37 mail_logs: Warning: Internal SMTP Error: Failed to send message to host 1.128.3.4:000 for recipient example: Unexpected SMTP response "553", expecting code starting with "2", response was ['#5.1.8 Domain of sender address does not exist']. diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-text-mail.log-expected.json b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-text-mail.log-expected.json new file mode 100644 index 00000000000..144dcc61c20 --- /dev/null 
+++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/pipeline/test-common-text-mail.log-expected.json 
@@ -0,0 +1,685 @@ +{ + "expected": [ + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "mail_logs" + }, + "description": "DLP policy match: 'PCI-DSS (Payment Card Industry Data Security Standard)'.", + "message": "MID 111 DLP violation. Severity: LOW (Risk Factor: 15). DLP policy match: 'PCI-DSS (Payment Card Industry Data Security Standard)'.", + "risk_factor": 15, + "severity": "LOW", + "subject": "DLP violation" + } + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "message_id": "111" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 mail_logs: Info: MID 111 DLP violation. Severity: LOW (Risk Factor: 15). DLP policy match: 'PCI-DSS (Payment Card Industry Data Security Standard)'." + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "mail_logs" + }, + "message": "graymail [CONFIG] Starting graymail configuration handler", + "object": "graymail configuration handler", + "vendor_action": "Starting" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 mail_logs: Info: graymail [CONFIG] Starting graymail configuration handler" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "mail_logs" + }, + "message": "URL_REP_CLIENT: Configuration changed. 
Triggering restart of URL Reputation client service.", + "object": "URL Reputation client service", + "object_attr": "Configuration", + "type": "changed", + "vendor_action": "restart" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 mail_logs: Info: URL_REP_CLIENT: Configuration changed. Triggering restart of URL Reputation client service.", + "type": "change" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "mail_logs" + }, + "message": "A System/Warning alert was sent to example.com with subject \"Warning \u003cSystem\u003e cisco.esa: URL category definitions have changed.; Added new category '...\"." + } + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "subject": "\"Warning \u003cSystem\u003e cisco.esa: URL category definitions have changed.; Added new category '...\"", + "to": { + "address": "example.com" + } + }, + "event": { + "kind": "alert", + "original": "\u003c166\u003eMar 17 18:24:37 mail_logs: Info: A System/Warning alert was sent to example.com with subject \"Warning \u003cSystem\u003e cisco.esa: URL category definitions have changed.; Added new category '...\"." 
+ }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "address": "1.128.3.4", + "category": { + "name": "mail_logs" + }, + "connection_status": "New", + "injection_connection_id": "5", + "interface": "1.128.3.4", + "message": "New SMTP ICID 5 interface Management (1.128.3.4) address 1.128.3.4 reverse dns host http://example.com/example/example.txt.com verified yes", + "verified": "yes" + } + }, + "dns": { + "question": { + "name": "http://example.com/example/example.txt.com" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 mail_logs: Info: New SMTP ICID 5 interface Management (1.128.3.4) address 1.128.3.4 reverse dns host http://example.com/example/example.txt.com verified yes" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "ip": [ + "1.128.3.4" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "mail_logs" + }, + "connection_status": "Start", + "injection_connection_id": "5", + "message": "Start MID 6 ICID 5" + } + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "message_id": "6" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 mail_logs: Info: Start MID 6 ICID 5" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "mail_logs" + }, + "injection_connection_id": "5", + "message": "MID 6 ICID 5 
From: \u003cexample.com\u003e" + } + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "from": { + "address": "example.com" + }, + "message_id": "6" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 mail_logs: Info: MID 6 ICID 5 
From: \u003cexample.com\u003e" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "mail_logs" + }, + "injection_connection_id": "5", + "message": "MID 6 ICID 5 RID 0 To: \u003cexample.com\u003e", + "recipient_id": "0" + } + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "message_id": "6", + "to": { + "address": "example.com" + } + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 mail_logs: Info: MID 6 ICID 5 RID 0 To: \u003cexample.com\u003e" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "mail_logs" + }, + "message": "MID 6 ready 100 bytes from \u003cexample.com\u003e", + "read_bytes": 100 + } + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "from": { + "address": "example.com" + }, + "message_id": "6" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 mail_logs: Info: MID 6 ready 100 bytes from \u003cexample.com\u003e" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "mail_logs" + }, + "connection_status": "close", + "injection_connection_id": "5", + "message": "ICID 5 close" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 mail_logs: Info: ICID 5 close" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + 
"cisco_secure_email_gateway": { + "log": { + "address": "1.128.3.4", + "category": { + "name": "mail_logs" + }, + "delivery_connection_id": "8", + "interface": "1.128.3.4", + "message": "New SMTP DCID 8 interface 1.128.3.4 address 1.128.3.4", + "message_status": "New" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 mail_logs: Info: New SMTP DCID 8 interface 1.128.3.4 address 1.128.3.4" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "ip": [ + "1.128.3.4" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "mail_logs" + }, + "delivery_connection_id": "8", + "message": "Delivery start DCID 8 MID 6 to RID [0]", + "message_status": "Delivery start", + "recipient_id": "0" + } + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "message_id": "6" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 mail_logs: Info: Delivery start DCID 8 MID 6 to RID [0]" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "mail_logs" + }, + "delivery_connection_id": "8", + "message": "Message done DCID 8 MID 6 to RID [0]", + "message_status": "Message done", + "recipient_id": "0" + } + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "message_id": "6" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 mail_logs: Info: Message done DCID 8 MID 6 to RID [0]" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + 
"cisco_secure_email_gateway": { + "log": { + "category": { + "name": "mail_logs" + }, + "connection_status": "close", + "delivery_connection_id": "8", + "message": "DCID 8 close" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 mail_logs: Info: DCID 8 close" + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "mail_logs" + }, + "description": "Please check and update your filters to use the new definitions", + "message": "URL category definitions have changed. Please check and update your filters to use the new definitions", + "subject": "URL category definitions have changed" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 mail_logs: Warning: URL category definitions have changed. Please check and update your filters to use the new definitions" + }, + "log": { + "level": "warning", + "syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "mail_logs" + }, + "description": "Error while sending alert", + "message": "Error while sending alert: Unable to send System/Warning alert to example.com with subject \"Warning \u003cSystem\u003e example.com: Your \"IronPort Email Encryption\" key will expire in under 60...\"." 
+ } + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "subject": "Warning \u003cSystem\u003e example.com: Your \"IronPort Email Encryption\" key will expire in under 60...", + "to": { + "address": "example.com" + } + }, + "event": { + "kind": "alert", + "original": "\u003c166\u003eMar 17 18:24:37 mail_logs: Critical: Error while sending alert: Unable to send System/Warning alert to example.com with subject \"Warning \u003cSystem\u003e example.com: Your \"IronPort Email Encryption\" key will expire in under 60...\"." + }, + "log": { + "level": "critical", + "syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "mail_logs" + }, + "description": "Please contact your authorized Cisco sales representative.", + "message": "Your \"IronPort Anti-Spam\" key will expire in under 60 day(s). Please contact your authorized Cisco sales representative.", + "subject": "Your \"IronPort Anti-Spam\" key will expire in under 60 day(s)" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 mail_logs: Warning: Your \"IronPort Anti-Spam\" key will expire in under 60 day(s). Please contact your authorized Cisco sales representative." + }, + "log": { + "level": "warning", + "syslog": { + "priority": 166 + } + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "mail_logs" + }, + "message": "Internal SMTP system successfully sent a message to example.com with subject 'Warning \u003cSystem\u003e cisco.esa: Your \"Sophos Anti-Virus\" key will expire in under 60 day(s)....'." 
+ } + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "subject": "'Warning \u003cSystem\u003e cisco.esa: Your \"Sophos Anti-Virus\" key will expire in under 60 day(s)....'", + "to": { + "address": "example.com" + } + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 mail_logs: Info: Internal SMTP system successfully sent a message to example.com with subject 'Warning \u003cSystem\u003e cisco.esa: Your \"Sophos Anti-Virus\" key will expire in under 60 day(s)....'." + }, + "log": { + "level": "info", + "syslog": { + "priority": 166 + } + }, + "network": { + "protocol": "smtp" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "mail_logs" + }, + "message": "Internal SMTP giving up on message to example.com with subject 'Warning \u003cSystem\u003e example.com: Your \"IronPort Email Encryption\" key will expire in under 60...': Unrecoverable error." + } + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "subject": "'Warning \u003cSystem\u003e example.com: Your \"IronPort Email Encryption\" key will expire in under 60...': Unrecoverable error", + "to": { + "address": "example.com" + } + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 mail_logs: Critical: Internal SMTP giving up on message to example.com with subject 'Warning \u003cSystem\u003e example.com: Your \"IronPort Email Encryption\" key will expire in under 60...': Unrecoverable error." 
+ }, + "log": { + "level": "critical", + "syslog": { + "priority": 166 + } + }, + "network": { + "protocol": "smtp" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-17T18:24:37.000Z", + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "mail_logs" + }, + "description": "Failed to send message", + "message": "Internal SMTP Error: Failed to send message to host 1.128.3.4:000 for recipient example: Unexpected SMTP response \"553\", expecting code starting with \"2\", response was ['#5.1.8 Domain of sender address \u003cexample.com\u003e does not exist'].", + "subject": "Unexpected SMTP response \"553\", expecting code starting with \"2\", response was ['#5.1.8 Domain of sender address \u003cexample.com\u003e does not exist']." + } + }, + "destination": { + "ip": "1.128.3.4", + "port": 0 + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "to": { + "address": "example" + } + }, + "event": { + "kind": "event", + "original": "\u003c166\u003eMar 17 18:24:37 mail_logs: Warning: Internal SMTP Error: Failed to send message to host 1.128.3.4:000 for recipient example: Unexpected SMTP response \"553\", expecting code starting with \"2\", response was ['#5.1.8 Domain of sender address \u003cexample.com\u003e does not exist']." + }, + "log": { + "level": "warning", + "syslog": { + "priority": 166 + } + }, + "network": { + "protocol": "smtp" + }, + "related": { + "ip": [ + "1.128.3.4" + ] + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/system/test-logfile-config.yml b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/system/test-logfile-config.yml new file mode 100644 index 00000000000..acb2bef5512 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/system/test-logfile-config.yml 
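Review bot: `email.message_id` is populated from the gateway's MID (`"email": { "message_id": "111" }`), but in ECS that field is defined as the value of the RFC 5322 `Message-ID` header; the MID is an appliance-internal message identifier, so it belongs in a vendor field under `cisco_secure_email_gateway.log.*` or at least needs a comment in the field definitions explaining the reuse. Also, `email.subject` is extracted inconsistently across the alert events in this fixture: for "Error while sending alert" the surrounding quotes are stripped, for "A System/Warning alert was sent" and the "Internal SMTP system successfully sent" events the quotes are kept, and for "Internal SMTP giving up on message" the subject even includes the trailing `: Unrecoverable error`, which is the failure reason rather than part of the subject. Anchoring those patterns on the closing quote and writing the reason to `event.reason` (already used by `pipeline_amp`) would make the three consistent.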
@@ -0,0 +1,7 @@ +service: cisco_secure_email_gateway-logfile +input: logfile +vars: ~ +data_stream: + vars: + paths: + - "{{SERVICE_LOGS_DIR}}/*.s" diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/system/test-tcp-config.yml b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/system/test-tcp-config.yml new file mode 100644 index 00000000000..00026c924c6 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/system/test-tcp-config.yml @@ -0,0 +1,8 @@ +service: cisco_secure_email_gateway-log-tcp +service_notify_signal: SIGHUP +input: tcp +vars: ~ +data_stream: + vars: + listen_address: 0.0.0.0 + listen_port: 9519 diff --git a/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/system/test-udp-config.yml b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/system/test-udp-config.yml new file mode 100644 index 00000000000..5cc0200bc60 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/_dev/test/system/test-udp-config.yml @@ -0,0 +1,8 @@ +service: cisco_secure_email_gateway-log-udp +service_notify_signal: SIGHUP +input: udp +vars: ~ +data_stream: + vars: + listen_address: 0.0.0.0 + listen_port: 9520 diff --git a/packages/cisco_secure_email_gateway/data_stream/log/agent/stream/stream.yml.hbs b/packages/cisco_secure_email_gateway/data_stream/log/agent/stream/stream.yml.hbs new file mode 100644 index 00000000000..37e98f82cb9 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/agent/stream/stream.yml.hbs @@ -0,0 +1,19 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +exclude_files: [".gz$"] +{{#if processors}} +processors: +{{processors}} +{{/if}} \ No newline at end of file 
diff --git a/packages/cisco_secure_email_gateway/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_secure_email_gateway/data_stream/log/agent/stream/tcp.yml.hbs new file mode 100644 index 00000000000..e360ae57b7f --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/agent/stream/tcp.yml.hbs @@ -0,0 +1,19 @@ +host: "{{listen_address}}:{{listen_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if ssl}} +ssl: {{ssl}} +{{/if}} +{{#if processors}} +processors: +{{processors}} +{{/if}} + \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_secure_email_gateway/data_stream/log/agent/stream/udp.yml.hbs new file mode 100644 index 00000000000..cf261dfa7c4 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/agent/stream/udp.yml.hbs @@ -0,0 +1,16 @@ +host: "{{listen_address}}:{{listen_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} + \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..8565b78f99c --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,103 @@ +--- +description: Pipeline for Cisco Secure Email Gateway logs +processors: + - set: + field: ecs.version + value: "8.2.0" + - set: + field: _tmp.filepath + value: "{{{log.file.path}}}" + if: ctx?.log?.file?.path != null + - grok: + field: _tmp.filepath + if: ctx?.log?.file?.path != null + patterns: + - "^%{DATA}/%{WORD:cisco_secure_email_gateway.log.category.name}.@%{GREEDYDATA}.s" + - rename: + field: message + target_field: event.original + ignore_missing: true + - grok: + field: event.original + patterns: + - "^<%{NUMBER:log.syslog.priority:long}>%{SYSLOGTIMESTAMP:_tmp.timestamp} %{DATA:cisco_secure_email_gateway.log.category.name}: %{WORD:log.level}: %{GREEDYDATA:cisco_secure_email_gateway.log.message}" + - "^<%{NUMBER:log.syslog.priority:long}>%{SYSLOGTIMESTAMP:_tmp.timestamp} %{DATA:cisco_secure_email_gateway.log.category.name}: %{GREEDYDATA:cisco_secure_email_gateway.log.message}" + - "^%{DATA:_tmp.timestamp} %{WORD:log.level}: %{GREEDYDATA:cisco_secure_email_gateway.log.message}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message}" + - lowercase: + field: log.level + ignore_failure: true + - date: + field: _tmp.timestamp + target_field: "@timestamp" + formats: + - E MMM dd HH:mm:ss yyyy + - E MMM d HH:mm:ss yyyy + - E MMM d HH:mm:ss yyyy + - MMM d HH:mm:ss + - MMM dd HH:mm:ss + - MMM d HH:mm:ss + ignore_failure: true + - pipeline: + name: '{{ IngestPipeline "pipeline_authentication" }}' + if: ctx?.cisco_secure_email_gateway?.log?.category?.name == "authentication" + - pipeline: + name: '{{ IngestPipeline "pipeline_gui_logs" }}' + if: ctx?.cisco_secure_email_gateway?.log?.category?.name == "gui_logs" + - pipeline: + name: '{{ IngestPipeline "pipeline_anti_spam" }}' + if: ctx?.cisco_secure_email_gateway?.log?.category?.name == "antispam" + - pipeline: + name: '{{ IngestPipeline "pipeline_error_logs" }}' + if: ctx?.cisco_secure_email_gateway?.log?.category?.name == "error_logs" + - pipeline: + name: '{{ IngestPipeline 
"pipeline_text_mail_logs" }}' + if: ctx?.cisco_secure_email_gateway?.log?.category?.name == "mail_logs" + - pipeline: + name: '{{ IngestPipeline "pipeline_content_scanner" }}' + if: ctx?.cisco_secure_email_gateway?.log?.category?.name == "content_scanner" + - pipeline: + name: '{{ IngestPipeline "pipeline_system" }}' + if: ctx?.cisco_secure_email_gateway?.log?.category?.name == "system" + - pipeline: + name: '{{ IngestPipeline "pipeline_bounce" }}' + if: ctx?.cisco_secure_email_gateway?.log?.category?.name == "bounces" + - pipeline: + name: '{{ IngestPipeline "pipeline_status" }}' + if: ctx?.cisco_secure_email_gateway?.log?.category?.name == "status" + - pipeline: + name: '{{ IngestPipeline "pipeline_amp" }}' + if: ctx?.cisco_secure_email_gateway?.log?.category?.name == "amp" + - pipeline: + name: '{{ IngestPipeline "pipeline_consolidated_event" }}' + if: ctx?.cisco_secure_email_gateway?.log?.category?.name == "consolidated_event" + - remove: + field: + - _tmp + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - script: + lang: painless + source: + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +on_failure: +- set: + field: error.message + value: "{{{ _ingest.on_failure_message }}}" + \ No newline at end of file 
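Review bot: the `date` processor's `formats` list contains duplicates (`E MMM d HH:mm:ss yyyy` and `MMM d HH:mm:ss` each appear twice); the processor tries formats in order, so the repeats only add failed parse attempts per document and should be dropped. The year-less syslog formats (`MMM d HH:mm:ss`) take the year from ingest time, and the processor has no `timezone` option, so appliance timestamps are interpreted as UTC; a gateway logging in local time will be offset unless a timezone variable is exposed to the user, which is worth documenting at minimum. Minor: in the filepath grok, `%{WORD:cisco_secure_email_gateway.log.category.name}.@%{GREEDYDATA}.s` leaves both dots unescaped, so `.` matches any character; `\\.@` and `\\.s$` state the intent.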
diff --git a/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_amp.yml b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_amp.yml new file mode 100644 index 00000000000..2c47b645131 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_amp.yml 
@@ -0,0 +1,122 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: cisco_secure_email_gateway.log.message + patterns: + - "^File reputation query initiating. %{GREEDYDATA:_tmp.new_message}" + - "^Response received for file reputation query from Cloud. %{GREEDYDATA:_tmp.new_message}" + - "^File Analysis complete. SHA256: %{GREEDYDATA:email.attachments.file.hash.sha256}, Submit Timestamp: %{GREEDYDATA:_tmp.submit.timestamp}, Update Timestamp: %{GREEDYDATA:_tmp.update.timestamp}, Disposition: %{DATA:cisco_secure_email_gateway.log.disposition} Score: %{NUMBER:cisco_secure_email_gateway.log.score:long}, run_id: %{NUMBER:cisco_secure_email_gateway.log.run_id} Details: %{DATA:cisco_secure_email_gateway.log.details} Spyname:\\[%{GREEDYDATA:cisco_secure_email_gateway.log.spy_name}\\]" + - "^File not uploaded for analysis. MID = %{NUMBER:email.message_id} File SHA256\\[%{GREEDYDATA:email.attachments.file.hash.sha256}\\] file mime\\[%{GREEDYDATA:email.attachments.file.mime_type}\\] Reason: %{GREEDYDATA:event.reason}" + - "^File analysis upload skipped. SHA256: %{GREEDYDATA:email.attachments.file.hash.sha256},Timestamp\\[%{GREEDYDATA:_tmp.submit.timestamp}\\] details\\[%{GREEDYDATA:_tmp.cisco_secure_email_gateway.log.remaining_details}]" + - "^SHA256: %{GREEDYDATA:email.attachments.file.hash.sha256},Timestamp\\[%{GREEDYDATA:_tmp.submit.timestamp}\\] details\\[%{GREEDYDATA:cisco_secure_email_gateway.log.server_error_details}\\]" + - "^Retrospective verdict received. 
%{GREEDYDATA:_tmp.new_message}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message}" + - kv: + field: _tmp.new_message + if: ctx._tmp.new_message != null + field_split: ", |," + value_split: " = | =|: " + - grok: + field: _tmp.cisco_secure_email_gateway.log.remaining_details + if: ctx?._tmp?.cisco_secure_email_gateway?.log?.remaining_details != null + patterns: + - "^File SHA256\\[%{GREEDYDATA:email.attachments.file.hash.sha256}\\] file mime\\[%{GREEDYDATA:email.attachments.file.mime_type}\\], upload priority\\[%{GREEDYDATA:cisco_secure_email_gateway.log.upload.priority}\\] not uploaded, re-tries\\[%{GREEDYDATA:cisco_secure_email_gateway.log.retries:long}\\], backoff\\[%{GREEDYDATA:cisco_secure_email_gateway.log.backoff:long}\\] %{GREEDYDATA:cisco_secure_email_gateway.log.details}" + - rename: + field: "Timestamp" + target_field: _tmp.submit.timestamp + ignore_missing: true + - date: + field: _tmp.submit.timestamp + target_field: cisco_secure_email_gateway.log.submit.timestamp + if: ctx?.cisco_secure_email_gateway?.log?._tmp?.submit?.timestamp != "0" + ignore_failure: true + formats: + - UNIX + - date: + field: _tmp.update.timestamp + target_field: cisco_secure_email_gateway.log.update.timestamp + if: ctx?.cisco_secure_email_gateway?.log?._tmp?.update?.timestamp != "0" + ignore_failure: true + formats: + - UNIX + - rename: + field: "File Name" + target_field: email.attachments.file.name + ignore_missing: true + - rename: + field: "MID" + target_field: email.message_id + ignore_missing: true + - gsub: + field: "File Size" + pattern: "\ bytes" + replacement: "" + ignore_failure: true + - convert: + field: "File Size" + target_field: email.attachments.file.size + type: long + ignore_missing: true + - rename: + field: "File Type" + target_field: email.content_type + ignore_missing: true + - rename: + field: "FileName" + target_field: email.attachments.file.name + ignore_missing: true + - rename: + field: "Malware" + target_field: 
cisco_secure_email_gateway.log.malware + ignore_missing: true + - rename: + field: "Disposition" + target_field: cisco_secure_email_gateway.log.disposition + ignore_missing: true + - rename: + field: "Reputation Score" + target_field: cisco_secure_email_gateway.log.reputation_score + ignore_missing: true + - rename: + field: "sha256" + target_field: email.attachments.file.hash.sha256 + ignore_missing: true + - rename: + field: "upload_action" + target_field: cisco_secure_email_gateway.log.upload.action + ignore_missing: true + - rename: + field: "Reputation Score" + target_field: cisco_secure_email_gateway.log.reputation_score + ignore_missing: true + - rename: + field: "SHA256" + target_field: email.attachments.file.hash.sha256 + ignore_missing: true + - rename: + field: "Spyname" + target_field: cisco_secure_email_gateway.log.spy_name + ignore_missing: true + - rename: + field: "Verdict" + target_field: cisco_secure_email_gateway.log.verdict + ignore_missing: true + - gsub: + field: email.attachments.file.name + pattern: \' + replacement: "" + ignore_failure: true + - append: + field: related.hash + value: "{{{email.attachments.file.hash.sha256}}}" + if: ctx?.email?.attachments?.file?.hash?.sha256 != null + allow_duplicates: false + ignore_failure: true + - remove: + field: + - _tmp + - "File Size" + ignore_missing: true diff --git a/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_anti_spam.yml b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_anti_spam.yml new file mode 100644 index 00000000000..d00bdb71a12 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_anti_spam.yml 
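Review bot: the `if` conditions on the two `date` processors test the wrong path: they read `ctx?.cisco_secure_email_gateway?.log?._tmp?.submit?.timestamp` (and `..._tmp?.update?.timestamp`), but the values were written to top-level `_tmp.submit.timestamp` / `_tmp.update.timestamp` by the grok and the `Timestamp` rename, so each condition evaluates `null != "0"`, which is always true, and a `0` timestamp is converted to `1970-01-01T00:00:00Z` instead of being skipped. The check should be `if: ctx?._tmp?.submit?.timestamp != null && ctx._tmp.submit.timestamp != "0"` (likewise for `update`). Smaller points in the same hunk: the `kv` condition `ctx._tmp.new_message != null` is not null-safe, unlike the `ctx?._tmp?...` form used two processors later, and will throw (tripping the default pipeline's `on_failure`) if `_tmp` is absent; the `rename` of `Reputation Score` to `cisco_secure_email_gateway.log.reputation_score` is listed twice, the second being a no-op; and the `gsub` pattern `"\ bytes"` relies on YAML's escaped-space form, where `" bytes$"` says the same thing more plainly.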
@@ -0,0 +1,12 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: cisco_secure_email_gateway.log.message + patterns: + - "^case %{GREEDYDATA:cisco_secure_email_gateway.log.object_category} \\(%{NUMBER:cisco_secure_email_gateway.log.case_id}\\) : case-daemon: all %{DATA:cisco_secure_email_gateway.log.object} killed, %{GREEDYDATA:cisco_secure_email_gateway.log.result}" + - "^case %{GREEDYDATA:cisco_secure_email_gateway.log.object_category} \\(%{NUMBER:cisco_secure_email_gateway.log.case_id}\\) : case-daemon: %{DATA:cisco_secure_email_gateway.log.object} killed by %{DATA:cisco_secure_email_gateway.log.command}, %{GREEDYDATA:cisco_secure_email_gateway.log.result}" + - "^case %{GREEDYDATA:cisco_secure_email_gateway.log.object_category} \\(%{NUMBER:cisco_secure_email_gateway.log.case_id}\\) : case-daemon: %{GREEDYDATA:cisco_secure_email_gateway.log.result}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message}" diff --git a/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_authentication.yml b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_authentication.yml new file mode 100644 index 00000000000..58b672d1dbc --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_authentication.yml 
@@ -0,0 +1,51 @@ +--- +processors: + - set: + field: event.kind + value: event + - set: + field: event.category + value: [authentication] + - grok: + field: cisco_secure_email_gateway.log.message + patterns: + - "^GUI: User %{USERNAME:user.name} %{GREEDYDATA:cisco_secure_email_gateway.log.action} from session %{GREEDYDATA:cisco_secure_email_gateway.log.session} because of inactivity timeout" + - "^CLI: User %{USERNAME:user.name} %{GREEDYDATA:cisco_secure_email_gateway.log.action} from %{GREEDYDATA:cisco_secure_email_gateway.log.session} because of inactivity timeout" + - "^%{WORD:cisco_secure_email_gateway.log.action}:%{IP:host.ip} user:%{USERNAME:user.name} session:%{WORD:cisco_secure_email_gateway.log.session}" + - "^User %{USERNAME:user.name} %{GREEDYDATA:cisco_secure_email_gateway.log.action} of %{WORD:network.protocol} session %{IP:host.ip}" + - "^An authentication attempt by the user %{USERNAME:user.name} from %{IP:host.ip} %{WORD:cisco_secure_email_gateway.log.outcome} using an %{WORD:network.protocol} connection." + - "^The user %{USERNAME:user.name} %{WORD:cisco_secure_email_gateway.log.outcome} %{GREEDYDATA:cisco_secure_email_gateway.log.action} from %{IP:host.ip} with privilege %{DATA:cisco_secure_email_gateway.log.privilege} using an %{WORD:network.protocol} connection." + - "^User %{USERNAME:user.name} was %{WORD:cisco_secure_email_gateway.log.action} %{WORD:cisco_secure_email_gateway.log.outcome}." 
+ - "^User %{USERNAME:user.name} %{WORD:cisco_secure_email_gateway.log.outcome} %{WORD:cisco_secure_email_gateway.log.action}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message}" + - lowercase: + field: network.protocol + ignore_failure: true + - set: + field: event.outcome + if: ctx?.cisco_secure_email_gateway?.log?.outcome == "failed" + value: failure + - set: + field: event.outcome + if: ctx?.cisco_secure_email_gateway?.log?.outcome == "successfully" + value: success + - set: + field: event.type + if: ctx?.cisco_secure_email_gateway?.log?.action == "logged on" || ctx?.cisco_secure_email_gateway?.log?.action == 'authenticated' + value: [start] + - set: + field: event.type + if: ctx?.cisco_secure_email_gateway?.log?.action == 'logged out' || ctx?.cisco_secure_email_gateway?.log?.action == 'logout' + value: [end] + - append: + field: related.user + value: "{{{user.name}}}" + if: ctx?.user?.name != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.ip + value: "{{{host.ip}}}" + if: ctx?.host?.ip != null + allow_duplicates: false + ignore_failure: true diff --git a/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_bounce.yml b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_bounce.yml new file mode 100644 index 00000000000..698efbb307d --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_bounce.yml 
@@ -0,0 +1,11 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: cisco_secure_email_gateway.log.message + patterns: + - "^%{WORD:cisco_secure_email_gateway.log.bounce_type}: DCID %{NUMBER:cisco_secure_email_gateway.log.delivery_connection_id} MID %{NUMBER:email.message_id} From:<%{GREEDYDATA:email.from.address}> To:<%{GREEDYDATA:email.to.address}> RID %{NUMBER:cisco_secure_email_gateway.log.recipient_id} - %{DATA:cisco_secure_email_gateway.log.error_code} - %{GREEDYDATA:event.reason} \\(%{GREEDYDATA:cisco_secure_email_gateway.log.response}\\)" + - "^%{WORD:cisco_secure_email_gateway.log.bounce_type}: %{NUMBER:email.message_id}:%{NUMBER:cisco_secure_email_gateway.log.recipient_id} From:<%{GREEDYDATA:email.from.address}> To:<%{GREEDYDATA:email.to.address}>" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message}" diff --git a/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_consolidated_event.yml b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_consolidated_event.yml new file mode 100644 index 00000000000..a3d4d38808c --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_consolidated_event.yml 
@@ -0,0 +1,110 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: cisco_secure_email_gateway.log.message + patterns: + - "^CEF:%{NUMBER:cisco_secure_email_gateway.log.cef_format_version}\\|%{WORD:cisco_secure_email_gateway.log.appliance.vendor}\\|%{DATA:cisco_secure_email_gateway.log.appliance.product}\\|%{DATA:cisco_secure_email_gateway.log.appliance.version}\\|%{DATA:cisco_secure_email_gateway.log.event_class_id}\\|%{DATA:cisco_secure_email_gateway.log.event.name}\\|%{WORD:event.severity}\\|%{GREEDYDATA:_tmp.details} endTime=%{DATA:event.end} ESADLPVerdict=%{WORD:cisco_secure_email_gateway.log.esa.dlp_verdict} dvc=%{IP:cisco_secure_email_gateway.log.data.ip} ESAAttachmentDetails=\\{%{GREEDYDATA:cisco_secure_email_gateway.log.esa.attachment_details}\\} ESAFriendlyFrom=%{GREEDYDATA:cisco_secure_email_gateway.log.esa.friendly_from} ESAGMVerdict=%{WORD:cisco_secure_email_gateway.log.esa.graymail_verdict} startTime=%{DATA:event.start} (deviceInboundInterface||deviceOutboundInterface)=%{WORD:cisco_secure_email_gateway.log.listener.name} deviceDirection=%{DATA:cisco_secure_email_gateway.log.device_direction} ESAMailFlowPolicy=%{WORD:cisco_secure_email_gateway.log.esa.mail_flow_policy} suser=%{DATA:email.from.address} cs1Label=%{WORD:cisco_secure_email_gateway.log.cs1_label} cs1=%{WORD:cisco_secure_email_gateway.log.cs1} ESAMFVerdict=%{WORD:cisco_secure_email_gateway.log.esa.mf_verdict} act=%{WORD:cisco_secure_email_gateway.log.act} ESAFinalActionDetails=%{DATA:cisco_secure_email_gateway.log.esa.final_action_details} cs4Label=%{GREEDYDATA:cisco_secure_email_gateway.log.cs4_label} cs4='<%{DATA:cisco_secure_email_gateway.log.cs4}>' ESAMsgSize=%{NUMBER:cisco_secure_email_gateway.log.esa.msg_size:long} ESAOFVerdict=%{WORD:cisco_secure_email_gateway.log.esa.outbreak_filter_verdict} duser=%{DATA:email.to.address} ESAHeloIP=%{IP:cisco_secure_email_gateway.log.esa.helo.ip} cfp1Label=%{WORD:cisco_secure_email_gateway.log.cfp1_label} 
cfp1=%{DATA:_tmp.cfp1} ESASDRDomainAge=%{DATA:cisco_secure_email_gateway.log.esa.sdr_consolidated_domain_age} cs3Label=%{WORD:cisco_secure_email_gateway.log.cs3_label} cs3=%{DATA:cisco_secure_email_gateway.log.cs3} cs6Label=%{DATA:cisco_secure_email_gateway.log.cs6_label} cs6=%{DATA:cisco_secure_email_gateway.log.cs6} ESASPFVerdict=%{DATA:cisco_secure_email_gateway.log.esa.spf_verdict} sourceHostName=%{DATA:source.domain} ESASenderGroup=%{DATA:cisco_secure_email_gateway.log.esa.sender_group} sourceAddress=%{IP:source.ip} msg=%{GREEDYDATA:email.subject}" + - "^%{DATA:_tmp.timestamp} CEF:%{NUMBER:cisco_secure_email_gateway.log.cef_format_version}\\|%{WORD:cisco_secure_email_gateway.log.appliance.vendor}\\|%{DATA:cisco_secure_email_gateway.log.appliance.product}\\|%{DATA:cisco_secure_email_gateway.log.appliance.version}\\|%{DATA:cisco_secure_email_gateway.log.event_class_id}\\|%{DATA:cisco_secure_email_gateway.log.event.name}\\|%{WORD:event.severity}\\|%{GREEDYDATA:_tmp.details} endTime=%{DATA:event.end} ESADLPVerdict=%{WORD:cisco_secure_email_gateway.log.esa.dlp_verdict} dvc=%{IP:cisco_secure_email_gateway.log.data.ip} ESAAttachmentDetails=\\{%{GREEDYDATA:cisco_secure_email_gateway.log.esa.attachment_details}\\} ESAFriendlyFrom=%{GREEDYDATA:cisco_secure_email_gateway.log.esa.friendly_from} ESAGMVerdict=%{WORD:cisco_secure_email_gateway.log.esa.graymail_verdict} startTime=%{DATA:event.start} (deviceInboundInterface||deviceOutboundInterface)=%{WORD:cisco_secure_email_gateway.log.listener.name} deviceDirection=%{DATA:cisco_secure_email_gateway.log.device_direction} ESAMailFlowPolicy=%{WORD:cisco_secure_email_gateway.log.esa.mail_flow_policy} suser=%{DATA:email.from.address} cs1Label=%{WORD:cisco_secure_email_gateway.log.cs1_label} cs1=%{WORD:cisco_secure_email_gateway.log.cs1} ESAMFVerdict=%{WORD:cisco_secure_email_gateway.log.esa.mf_verdict} act=%{WORD:cisco_secure_email_gateway.log.act} 
ESAFinalActionDetails=%{DATA:cisco_secure_email_gateway.log.esa.final_action_details} cs4Label=%{GREEDYDATA:cisco_secure_email_gateway.log.cs4_label} cs4='<%{DATA:cisco_secure_email_gateway.log.cs4}>' ESAMsgSize=%{NUMBER:cisco_secure_email_gateway.log.esa.msg_size:long} ESAOFVerdict=%{WORD:cisco_secure_email_gateway.log.esa.outbreak_filter_verdict} duser=%{DATA:email.to.address} ESAHeloIP=%{IP:cisco_secure_email_gateway.log.esa.helo.ip} cfp1Label=%{WORD:cisco_secure_email_gateway.log.cfp1_label} cfp1=%{DATA:_tmp.cfp1} ESASDRDomainAge=%{DATA:cisco_secure_email_gateway.log.esa.sdr_consolidated_domain_age} cs3Label=%{WORD:cisco_secure_email_gateway.log.cs3_label} cs3=%{DATA:cisco_secure_email_gateway.log.cs3} cs6Label=%{DATA:cisco_secure_email_gateway.log.cs6_label} cs6=%{DATA:cisco_secure_email_gateway.log.cs6} ESASPFVerdict=%{DATA:cisco_secure_email_gateway.log.esa.spf_verdict} sourceHostName=%{DATA:source.domain} ESASenderGroup=%{DATA:cisco_secure_email_gateway.log.esa.sender_group} sourceAddress=%{IP:source.ip} msg=%{GREEDYDATA:email.subject}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message}" + - kv: + field: _tmp.details + if: ctx?._tmp?.details != null + field_split: " | " + value_split: "=" + ignore_failure: true + ignore_missing: true + - append: + field: related.ip + value: "{{{cisco_secure_email_gateway.log.esa.helo.ip}}}" + if: ctx?.cisco_secure_email_gateway?.log?.esa?.helo?.ip != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.ip + value: "{{{cisco_secure_email_gateway.log.data.ip}}}" + if: ctx?.cisco_secure_email_gateway?.log?.data?.ip != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.ip + value: "{{{source.ip}}}" + if: ctx?.source?.ip != null + allow_duplicates: false + ignore_failure: true + - set: + field: email.direction + value: inbound + if: ctx?.cisco_secure_email_gateway?.log?.listener?.name == "Incomingmail" + ignore_failure: true + - set: + field: email.direction + 
value: outbound + if: ctx?.cisco_secure_email_gateway?.log?.listener?.name == "Outcomingmail" + ignore_failure: true + - set: + field: cisco_secure_email_gateway.log.device_direction + value: incoming + if: ctx?.cisco_secure_email_gateway?.log?.device_direction == "0" + ignore_failure: true + - set: + field: cisco_secure_email_gateway.log.device_direction + value: outgoing + if: ctx?.cisco_secure_email_gateway?.log?.device_direction == "1" + ignore_failure: true + - rename: + field: deviceExternalId + target_field: host.id + ignore_missing: true + - rename: + field: ESAMID + target_field: email.message_id + ignore_missing: true + ignore_failure: true + - rename: + field: ESAICID + target_field: cisco_secure_email_gateway.log.esa.injection_connection_id + ignore_missing: true + - rename: + field: ESAAMPVerdict + target_field: cisco_secure_email_gateway.log.esa.amp_verdict + ignore_missing: true + - rename: + field: ESAASVerdict + target_field: cisco_secure_email_gateway.log.esa.as_verdict + ignore_missing: true + - rename: + field: ESAAVVerdict + target_field: cisco_secure_email_gateway.log.esa.av_verdict + ignore_missing: true + - rename: + field: ESACFVerdict + target_field: cisco_secure_email_gateway.log.esa.content_filter_verdict + ignore_missing: true + - gsub: + field: email.subject + pattern: \' + replacement: "" + ignore_failure: true + - convert: + field: _tmp.cfp1 + target_field: cisco_secure_email_gateway.log.cfp1 + type: double + if: ctx?._tmp?.cfp1 != 'None' + ignore_missing: true + ignore_failure: true + - date: + field: _tmp.timestamp + target_field: "@timestamp" + formats: + - E MMM dd HH:mm:ss yyyy + - E MMM d HH:mm:ss yyyy + - E MMM d HH:mm:ss yyyy + ignore_failure: true + - remove: + field: + - _tmp + ignore_failure: true + ignore_missing: true 
diff --git a/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_content_scanner.yml b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_content_scanner.yml new file mode 100644 index 00000000000..fdb18793699 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_content_scanner.yml @@ -0,0 +1,11 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: cisco_secure_email_gateway.log.message + patterns: + - "^PF: %{WORD:cisco_secure_email_gateway.log.vendor_action} %{WORD:cisco_secure_email_gateway.log.object} %{GREEDYDATA:cisco_secure_email_gateway.log.object_category}" + - "^PF: %{WORD:cisco_secure_email_gateway.log.vendor_action} %{GREEDYDATA:cisco_secure_email_gateway.log.object_category} \\(pid=%{NUMBER:process.pid:long}\\)" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message}" diff --git a/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_error_logs.yml b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_error_logs.yml new file mode 100644 index 00000000000..00c83cbb842 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_error_logs.yml 
@@ -0,0 +1,20 @@ +--- +processors: + - set: + field: event.kind + value: event + - set: + field: event.type + value: [error] + - grok: + field: cisco_secure_email_gateway.log.message + patterns: + - "^Internal %{DATA:network.protocol} giving up on message to %{DATA:email.to.address} with subject %{GREEDYDATA:email.subject}." + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.description}: Unable to send System/Warning %{DATA:event.kind} to %{DATA:email.to.address} with subject \"%{GREEDYDATA:email.subject}\"." + - "^%{WORD:cisco_secure_email_gateway.log.alert_category}: %{GREEDYDATA:cisco_secure_email_gateway.log.description}" + - "^Internal %{DATA:network.protocol} system attempting to send a message to %{DATA:email.to.address} with subject %{GREEDYDATA:email.subject}." + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message}" + ignore_failure: true + - lowercase: + field: network.protocol + ignore_failure: true diff --git a/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_gui_logs.yml b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_gui_logs.yml new file mode 100644 index 00000000000..f157537a537 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_gui_logs.yml 
@@ -0,0 +1,70 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: cisco_secure_email_gateway.log.message + patterns: + - "^req:%{DATA:client.ip:IP} user:%{DATA:user.name} id:%{DATA:event.id} %{NUMBER:http.response.status_code:long} %{WORD:http.request.method} %{DATA:url.path} HTTP/%{NUMBER:http.version} %{GREEDYDATA:user_agent.original}" + - "^Action: User %{USERNAME:user.name} %{GREEDYDATA:cisco_secure_email_gateway.log.action} from session %{GREEDYDATA:cisco_secure_email_gateway.log.session} beacuse of inactivity timeout" + - "^Session %{DATA:cisco_secure_email_gateway.log.session} user:%{USERNAME:user.name} %{WORD:cisco_secure_email_gateway.log.result}" + - "^Session %{DATA:cisco_secure_email_gateway.log.session} from %{IP:host.ip} not found Destination:%{GREEDYDATA:cisco_secure_email_gateway.log.destination}" + - "^SourceIP:%{IP:host.ip} Destination:%{GREEDYDATA:cisco_secure_email_gateway.log.destination} Username:%{USERNAME:user.name} Privilege:%{DATA:cisco_secure_email_gateway.log.privilege} session:%{DATA:cisco_secure_email_gateway.log.session} Action: %{GREEDYDATA:cisco_secure_email_gateway.log.action}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.subject}: %{GREEDYDATA:cisco_secure_email_gateway.log.description}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.subject} %{IP:source.ip}:%{NUMBER:source.port:long} - \\(%{GREEDYDATA:cisco_secure_email_gateway.log.description}\\)" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.subject} %{IP:source.ip} port %{NUMBER:source.port:long} - %{GREEDYDATA:cisco_secure_email_gateway.log.description}" + - "^%{DATA:cisco_secure_email_gateway.log.object} has been %{DATA:cisco_secure_email_gateway.log.action} for user %{USERNAME:user.name}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message}" + - user_agent: + field: user_agent.original + if: ctx?.user_agent?.original != '-' + ignore_failure: true + - set: + field: event.category + value: [web] + if: 
ctx?.http?.request?.method != null + - set: + field: event.type + value: [access] + if: ctx?.http?.request?.method != null + - set: + field: event.category + value: [session] + if: ctx?.cisco_secure_email_gateway?.log?.result == 'expired' || ctx?.cisco_secure_email_gateway?.log?.action == 'logged out' + - set: + field: event.type + value: [end] + if: ctx?.cisco_secure_email_gateway?.log?.result == 'expired' || ctx?.cisco_secure_email_gateway?.log?.action == 'logged out' + - remove: + field: user.name + if: ctx?.user?.name == '-' + ignore_failure: true + - remove: + field: user_agent.original + if: ctx?.user_agent?.original == '-' + ignore_failure: true + - append: + field: related.ip + value: "{{{client.ip}}}" + if: ctx?.client?.ip != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.ip + value: "{{{host.ip}}}" + if: ctx?.host?.ip != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.ip + value: "{{{source.ip}}}" + if: ctx?.source?.ip != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.user + value: "{{{user.name}}}" + if: ctx?.user?.name != null && ctx?.user?.name != '-' + allow_duplicates: false + ignore_failure: true diff --git a/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_status.yml b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_status.yml new file mode 100644 index 00000000000..b460fae1cfb --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_status.yml 
@@ -0,0 +1,10 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: cisco_secure_email_gateway.log.message + patterns: + - "^Status: CPULd %{NUMBER:cisco_secure_email_gateway.log.cpu.utilization:long} DskIO %{NUMBER:cisco_secure_email_gateway.log.disk_io:long} RAMUtil %{NUMBER:cisco_secure_email_gateway.log.ram.utilization:long} QKUsd %{NUMBER:cisco_secure_email_gateway.log.queue_kilobytes_usd:long} QKFre %{NUMBER:cisco_secure_email_gateway.log.queue_kilobytes_free:long} CrtMID %{NUMBER:email.message_id} CrtICID %{NUMBER:cisco_secure_email_gateway.log.crt.injection_connection_id} CrtDCID %{NUMBER:cisco_secure_email_gateway.log.crt.delivery_connection_id} InjMsg %{NUMBER:cisco_secure_email_gateway.log.injected.messages:long} InjRcp %{NUMBER:cisco_secure_email_gateway.log.injected.recipients:long} GenBncRcp %{NUMBER:cisco_secure_email_gateway.log.generated_bounce_recipients:long} RejRcp %{NUMBER:cisco_secure_email_gateway.log.rejected_recipients:long} DrpMsg %{NUMBER:cisco_secure_email_gateway.log.dropped_messages:long} SftBncEvnt %{NUMBER:cisco_secure_email_gateway.log.soft_bounced_events:long} CmpRcp %{NUMBER:cisco_secure_email_gateway.log.completed_recipients:long} HrdBncRcp %{NUMBER:cisco_secure_email_gateway.log.hard_bounce_recipients:long} DnsHrdBnc %{NUMBER:cisco_secure_email_gateway.log.dns.hard_bounces:long} 5XXHrdBnc %{NUMBER:cisco_secure_email_gateway.log.5xx_hard_bounces:long} FltrHrdBnc %{NUMBER:cisco_secure_email_gateway.log.filter_hard_bounces:long} ExpHrdBnc %{NUMBER:cisco_secure_email_gateway.log.expired_hard_bounces:long} OtrHrdBnc %{NUMBER:cisco_secure_email_gateway.log.other_hard_bounces:long} DlvRcp %{NUMBER:cisco_secure_email_gateway.log.delivered_recipients:long} DelRcp %{NUMBER:cisco_secure_email_gateway.log.deleted_recipients:long} GlbUnsbHt %{NUMBER:cisco_secure_email_gateway.log.global_unsubscribe_hits:long} ActvRcp %{NUMBER:cisco_secure_email_gateway.log.active_recipients:long} UnatmptRcp 
%{NUMBER:cisco_secure_email_gateway.log.unattempted_recipients:long} AtmptRcp %{NUMBER:cisco_secure_email_gateway.log.attempted_recipients:long} CrtCncIn %{NUMBER:cisco_secure_email_gateway.log.current.inbound_connections:long} CrtCncOut %{NUMBER:cisco_secure_email_gateway.log.current.outbound_connections:long} DnsReq %{NUMBER:cisco_secure_email_gateway.log.dns.requests:long} NetReq %{NUMBER:cisco_secure_email_gateway.log.network_requests:long} CchHit %{NUMBER:cisco_secure_email_gateway.log.cache.hits:long} CchMis %{NUMBER:cisco_secure_email_gateway.log.cache.misses:long} CchEct %{NUMBER:cisco_secure_email_gateway.log.cache.exceptions:long} CchExp %{NUMBER:cisco_secure_email_gateway.log.cache.expired:long} CPUTTm %{NUMBER:cisco_secure_email_gateway.log.cpu.total_time:long} CPUETm %{NUMBER:cisco_secure_email_gateway.log.cpu.elapsed_time:long} MaxIO %{NUMBER:cisco_secure_email_gateway.log.max_io:long} RAMUsd %{NUMBER:cisco_secure_email_gateway.log.ram.used:long} MMLen %{NUMBER:cisco_secure_email_gateway.log.messages_length:long} DstInMem %{NUMBER:cisco_secure_email_gateway.log.destination_memory:long} ResCon %{NUMBER:cisco_secure_email_gateway.log.resource_conservation:long} WorkQ %{NUMBER:cisco_secure_email_gateway.log.work_queue:long} QuarMsgs %{NUMBER:cisco_secure_email_gateway.log.quarantine.messages:long} QuarQKUsd %{NUMBER:cisco_secure_email_gateway.log.quarantine.queue_kilobytes_used:long} LogUsd %{NUMBER:cisco_secure_email_gateway.log.log_used:long} SophLd %{NUMBER:cisco_secure_email_gateway.log.sophos_ld:long} BMLd %{NUMBER:cisco_secure_email_gateway.log.bmld:long} CASELd %{NUMBER:cisco_secure_email_gateway.log.case_ld:long} TotalLd %{NUMBER:cisco_secure_email_gateway.log.total_ld:long} LogAvail %{DATA:cisco_secure_email_gateway.log.log_available} EuQ %{NUMBER:cisco_secure_email_gateway.log.estimated.quarantine:long} EuqRls %{NUMBER:cisco_secure_email_gateway.log.estimated.quarantine_release_queue:long} CmrkLd 
%{NUMBER:cisco_secure_email_gateway.log.cmrkld:long} McafLd %{NUMBER:cisco_secure_email_gateway.log.mcafee_ld:long} SwIn %{NUMBER:cisco_secure_email_gateway.log.swapped.in:long} SwOut %{NUMBER:cisco_secure_email_gateway.log.swapped.out:long} SwPgIn %{NUMBER:cisco_secure_email_gateway.log.swapped.page.in:long} SwPgOut %{NUMBER:cisco_secure_email_gateway.log.swapped.page.out:long} SwapUsage %{DATA:cisco_secure_email_gateway.log.swap_usage} RptLd %{NUMBER:cisco_secure_email_gateway.log.reporting_load:long} QtnLd %{NUMBER:cisco_secure_email_gateway.log.quarantine.load:long} EncrQ %{NUMBER:cisco_secure_email_gateway.log.encryption_queue:long} InjBytes %{NUMBER:cisco_secure_email_gateway.log.injected.bytes:long}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message}" diff --git a/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_system.yml b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_system.yml new file mode 100644 index 00000000000..2a3a50fdb28 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_system.yml 
@@ -0,0 +1,20 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: cisco_secure_email_gateway.log.message + patterns: + - "^PID %{NUMBER:process.pid:long}: User %{USERNAME:user.name} commit changes:%{GREEDYDATA:cisco_secure_email_gateway.log.commit_changes}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.name}: qname:%{DATA:cisco_secure_email_gateway.log.qname} ns_name:%{DATA:cisco_secure_email_gateway.log.ns_name} zone:%{DATA:cisco_secure_email_gateway.log.zone} ref_zone:%{DATA:cisco_secure_email_gateway.log.ref_zone} referrals:%{GREEDYDATA:cisco_secure_email_gateway.log.referrals}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.subject}\\. %{GREEDYDATA:cisco_secure_email_gateway.log.description}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.subject} to '%{GREEDYDATA:cisco_secure_email_gateway.log.description} ' '" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.subject}: %{GREEDYDATA:cisco_secure_email_gateway.log.description}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message}" + - append: + field: related.user + value: "{{{user.name}}}" + if: ctx?.user?.name != null + allow_duplicates: false + ignore_failure: true diff --git a/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_text_mail_logs.yml b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_text_mail_logs.yml new file mode 100644 index 00000000000..5d350fd5f87 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/elasticsearch/ingest_pipeline/pipeline_text_mail_logs.yml 
@@ -0,0 +1,53 @@ +--- +processors: + - set: + field: event.kind + value: event + - grok: + field: cisco_secure_email_gateway.log.message + patterns: + - "^graymail \\[CONFIG\\] %{WORD:cisco_secure_email_gateway.log.vendor_action} %{GREEDYDATA:cisco_secure_email_gateway.log.object}" + - "^URL_REP_CLIENT: %{WORD:cisco_secure_email_gateway.log.object_attr} %{DATA:cisco_secure_email_gateway.log.type}. Triggering %{WORD:cisco_secure_email_gateway.log.vendor_action} of %{GREEDYDATA:cisco_secure_email_gateway.log.object}." + - "^MID %{NUMBER:email.message_id} %{GREEDYDATA:cisco_secure_email_gateway.log.subject}. Severity: %{WORD:cisco_secure_email_gateway.log.severity} \\(Risk Factor: %{NUMBER:cisco_secure_email_gateway.log.risk_factor:long}\\). %{GREEDYDATA:cisco_secure_email_gateway.log.description}" + - "^A System/Warning %{DATA:event.kind} was sent to %{DATA:email.to.address} with subject %{GREEDYDATA:email.subject}." + - "^%{WORD:cisco_secure_email_gateway.log.connection_status} %{WORD:network.protocol} ICID %{NUMBER:cisco_secure_email_gateway.log.injection_connection_id} interface Management \\(%{IP:cisco_secure_email_gateway.log.interface}\\) address %{IP:cisco_secure_email_gateway.log.address} reverse dns host %{DATA:dns.question.name} verified %{WORD:cisco_secure_email_gateway.log.verified}" + - "^%{WORD:cisco_secure_email_gateway.log.connection_status} MID %{NUMBER:email.message_id} ICID %{NUMBER:cisco_secure_email_gateway.log.injection_connection_id}" + - "^MID %{NUMBER:email.message_id} ICID %{NUMBER:cisco_secure_email_gateway.log.injection_connection_id} 
From: <%{DATA:email.from.address}>" + - "^MID %{NUMBER:email.message_id} ICID %{NUMBER:cisco_secure_email_gateway.log.injection_connection_id} RID %{DATA:cisco_secure_email_gateway.log.recipient_id} To: <%{DATA:email.to.address}>" + - "^MID %{NUMBER:email.message_id} ready %{NUMBER:cisco_secure_email_gateway.log.read_bytes:long} bytes from <%{DATA:email.from.address}>" + - "^ICID %{NUMBER:cisco_secure_email_gateway.log.injection_connection_id} %{WORD:cisco_secure_email_gateway.log.connection_status}" + - "^%{DATA:cisco_secure_email_gateway.log.message_status} %{WORD:network.protocol} DCID %{NUMBER:cisco_secure_email_gateway.log.delivery_connection_id} interface %{IP:cisco_secure_email_gateway.log.interface} address %{IP:cisco_secure_email_gateway.log.address}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message_status} DCID %{NUMBER:cisco_secure_email_gateway.log.delivery_connection_id} MID %{NUMBER:email.message_id} to RID \\[%{DATA:cisco_secure_email_gateway.log.recipient_id}\\]" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message_status} DCID %{NUMBER:cisco_secure_email_gateway.log.delivery_connection_id} MID %{NUMBER:email.message_id} to RID \\[%{DATA:cisco_secure_email_gateway.log.recipient_id}\\]" + - "^DCID %{NUMBER:cisco_secure_email_gateway.log.delivery_connection_id} %{WORD:cisco_secure_email_gateway.log.connection_status}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.subject}\\. %{GREEDYDATA:cisco_secure_email_gateway.log.description}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.description}: Unable to send System/Warning %{DATA:event.kind} to %{DATA:email.to.address} with subject \"%{GREEDYDATA:email.subject}\"." + - "^Internal %{DATA:network.protocol} system successfully sent a message to %{DATA:email.to.address} with subject %{GREEDYDATA:email.subject}." + - "^Internal %{DATA:network.protocol} giving up on message to %{DATA:email.to.address} with subject %{GREEDYDATA:email.subject}." 
+ - "^Internal %{DATA:network.protocol} Error: %{GREEDYDATA:cisco_secure_email_gateway.log.description} to host %{IP:destination.ip}:%{NUMBER:destination.port:long} for recipient %{DATA:email.to.address}: %{GREEDYDATA:cisco_secure_email_gateway.log.subject}" + - "^%{GREEDYDATA:cisco_secure_email_gateway.log.message}" + - lowercase: + field: network.protocol + ignore_failure: true + - set: + field: event.type + if: ctx?.cisco_secure_email_gateway?.log?.type == "changed" + value: change + - append: + field: related.ip + value: "{{{cisco_secure_email_gateway.log.interface}}}" + if: ctx?.cisco_secure_email_gateway?.log?.interface != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.ip + value: "{{{cisco_secure_email_gateway.log.address}}}" + if: ctx?.cisco_secure_email_gateway?.log?.address != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.ip + value: "{{{destination.ip}}}" + if: ctx?.destination?.ip != null + allow_duplicates: false + ignore_failure: true diff --git a/packages/cisco_secure_email_gateway/data_stream/log/fields/agent.yml b/packages/cisco_secure_email_gateway/data_stream/log/fields/agent.yml new file mode 100644 index 00000000000..6e1bac042bc --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/fields/agent.yml 
@@ -0,0 +1,186 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset 
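Review bot: `input.type` is declared at the end of this `agent.yml` hunk (`- name: input.type`, `type: keyword`, `description: Input type`) and declared a second time at the bottom of `data_stream/log/fields/fields.yml` in the same PR (`- name: input.type` with no description); keep only one definition, preferably the documented one here, and drop the copy in `fields.yml` so the two files cannot drift apart.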
diff --git a/packages/cisco_secure_email_gateway/data_stream/log/fields/base-fields.yml b/packages/cisco_secure_email_gateway/data_stream/log/fields/base-fields.yml new file mode 100644 index 00000000000..728f08ea5a8 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cisco_secure_email_gateway.log +- name: event.module + type: constant_keyword + description: Event module + value: cisco_secure_email_gateway +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/cisco_secure_email_gateway/data_stream/log/fields/ecs.yml b/packages/cisco_secure_email_gateway/data_stream/log/fields/ecs.yml new file mode 100644 index 00000000000..1db4c1304db --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/fields/ecs.yml 
@@ -0,0 +1,82 @@ +- external: ecs + name: client.ip +- external: ecs + name: destination.ip +- external: ecs + name: destination.port +- external: ecs + name: dns.question.name +- external: ecs + name: ecs.version +- external: ecs + name: email.attachments.file.hash.sha256 +- external: ecs + name: email.attachments.file.mime_type +- external: ecs + name: email.attachments.file.name +- external: ecs + name: email.attachments.file.size +- external: ecs + name: email.content_type +- external: ecs + name: email.direction +- external: ecs + name: email.from.address +- external: ecs + name: email.message_id +- external: ecs + name: email.subject +- external: ecs + name: email.to.address +- external: ecs + name: event.id +- external: ecs + name: event.outcome +- external: ecs + name: event.reason +- external: ecs + name: http.request.method +- external: ecs + name: http.response.status_code +- external: ecs + name: http.version +- external: ecs + name: log.level +- external: ecs + name: log.syslog.priority +- external: ecs + name: network.protocol +- external: ecs + name: process.pid +- external: ecs + name: related.hash +- external: ecs + name: related.ip +- external: ecs + name: related.user +- external: ecs + name: source.domain +- external: ecs + name: source.ip +- external: ecs + name: source.port +- external: ecs + name: tags +- external: ecs + name: url.path +- external: ecs + name: user.name +- external: ecs + name: user_agent.device.name +- external: ecs + name: user_agent.name +- external: ecs + name: user_agent.original +- external: ecs + name: user_agent.os.full +- external: ecs + name: user_agent.os.name +- external: ecs + name: user_agent.os.version +- external: ecs + name: user_agent.version diff --git a/packages/cisco_secure_email_gateway/data_stream/log/fields/fields.yml b/packages/cisco_secure_email_gateway/data_stream/log/fields/fields.yml new file mode 100644 index 00000000000..0b6fbd185e1 --- /dev/null 
+++ b/packages/cisco_secure_email_gateway/data_stream/log/fields/fields.yml 
@@ -0,0 +1,506 @@ +- name: cisco_secure_email_gateway.log + type: group + fields: + - name: 5xx_hard_bounces + type: long + description: 5XX Hard Bounces. + - name: act + type: keyword + - name: action + type: keyword + - name: active_recipients + type: long + description: Active Recipients. + - name: address + type: ip + - name: alert_category + type: keyword + - name: appliance + type: group + fields: + - name: product + type: keyword + - name: vendor + type: keyword + - name: version + type: keyword + - name: attempted_recipients + type: long + description: Attempted Recipients. + - name: backoff + type: long + description: The number of (x) seconds before the email gateway needs to wait before it makes an attempt to upload the file to the file analysis server. This occurs when the email gateway reaches the daily upload limit. + - name: bmld + type: long + - name: bounce_type + type: keyword + description: Bounced or delayed (for example, hard or soft-bounce). + - name: cache + type: group + fields: + - name: exceptions + type: long + description: Cache Exceptions. + - name: expired + type: long + description: Cache Expired. + - name: hits + type: long + description: Cache Hits. + - name: misses + type: long + description: Cache Misses. + - name: case_id + type: keyword + - name: case_ld + type: long + description: Percent CPU used by CASE scanning. + - name: category + type: group + fields: + - name: name + type: keyword + - name: cef_format_version + type: keyword + - name: cfp1 + type: double + - name: cfp1_label + type: keyword + - name: cmrkld + type: long + - name: command + type: text + - name: commit_changes + type: text + - name: completed_recipients + type: long + description: Completed Recipients. + - name: connection + type: keyword + - name: connection_status + type: keyword + - name: cpu + type: group + fields: + - name: elapsed_time + type: long + description: Elapsed time since the application started. 
+ - name: total_time + type: long + description: Total CPU time used by the application. + - name: utilization + type: long + description: CPU Utilization. + - name: crt + type: group + fields: + - name: delivery_connection_id + type: keyword + description: Delivery Connection ID (DCID). + - name: injection_connection_id + type: keyword + description: Injection Connection ID (ICID). + - name: cs1 + type: keyword + - name: cs1_label + type: keyword + - name: cs2 + type: keyword + - name: cs2_label + type: keyword + - name: cs3 + type: keyword + - name: cs3_label + type: keyword + - name: cs4 + type: keyword + - name: cs4_label + type: keyword + - name: cs5 + type: keyword + - name: cs5_label + type: keyword + - name: cs6 + type: keyword + - name: cs6_label + type: keyword + - name: current + type: group + fields: + - name: inbound_connections + type: long + description: Current Inbound Connections. + - name: outbound_connections + type: long + description: Current Outbound Connections. + - name: data + type: group + fields: + - name: ip + type: ip + - name: deleted_recipients + type: long + description: Deleted Recipients. + - name: delivered_recipients + type: long + description: Delivered Recipients. + - name: delivery_connection_id + type: keyword + description: Delivery Connection ID. This is a numerical identifier for an individual SMTP connection to another server, for delivery of 1 to thousands of messages, each with some or all of their RIDs being delivered in a single message transmission. + - name: description + type: text + - name: destination + type: text + - name: destination_memory + type: long + description: Number of destination objects in memory. + - name: details + type: text + description: Additional information. + - name: device_direction + type: keyword + - name: disk_io + type: long + description: Disk I/O Utilization. 
+ - name: disposition + type: keyword + description: "" + The file reputation disposition values are: MALICIOUS CLEAN FILE UNKNOWN - When the reputation score is zero. VERDICT UNKNOWN - When the disposition is FILE UNKNOWN and score is non-zero. LOW RISK - When no dynamic content is found in a file after file analysis, the verdict is Low Risk. The file is not sent for file analysis, and the message continues through the email pipeline. + - name: dns + type: group + fields: + - name: hard_bounces + type: long + description: DNS Hard Bounces. + - name: requests + type: long + description: DNS Requests. + - name: dropped_messages + type: long + description: Dropped Messages. + - name: encryption_queue + type: long + description: Messages in the Encryption Queue. + - name: error_code + type: keyword + - name: esa + type: group + fields: + - name: amp_verdict + type: keyword + - name: as_verdict + type: keyword + - name: attachment_details + type: text + - name: av_verdict + type: keyword + - name: content_filter_verdict + type: keyword + - name: delivery_connection_id + type: keyword + - name: dha_source + type: keyword + - name: dkim_verdict + type: keyword + - name: dlp_verdict + type: keyword + - name: dmarc_verdict + type: keyword + - name: final_action_details + type: text + - name: friendly_from + type: keyword + - name: graymail_verdict + type: keyword + - name: helo + type: group + fields: + - name: ip + type: ip + - name: injection_connection_id + type: keyword + - name: mail_auto_remediation_action + type: text + - name: mail_flow_policy + type: keyword + - name: mf_verdict + type: keyword + - name: msg_size + type: long + - name: msg_too_big_from_sender + type: boolean + - name: outbreak_filter_verdict + type: keyword + - name: rate_limited_ip + type: keyword + - name: reply_to + type: keyword + - name: sdr_consolidated_domain_age + type: text + - name: sender_group + type: keyword + - name: spf_verdict + type: keyword + - name: url_details + type: text + - 
name: estimated + type: group + fields: + - name: quarantine + type: long + description: Estimated number of messages in the Spam quarantine. + - name: quarantine_release_queue + type: long + description: Estimated number of messages in the Spam quarantine release queue. + - name: event + type: group + fields: + - name: name + type: keyword + - name: event_class_id + type: keyword + - name: expired_hard_bounces + type: long + description: Expired Hard Bounces. + - name: filter_hard_bounces + type: long + description: Filter Hard Bounces. + - name: generated_bounce_recipients + type: long + description: Generated Bounce Recipients. + - name: global_unsubscribe_hits + type: long + description: Global Unsubscribe Hits. + - name: hard_bounce_recipients + type: long + description: Hard Bounced Recipients. + - name: injected + type: group + fields: + - name: bytes + type: long + description: Total Injected Message Size in Bytes. + - name: messages + type: long + description: Injected Messages. + - name: recipients + type: long + description: Injected Recipients. + - name: injection_connection_id + type: keyword + description: Injection Connection ID. This is a numerical identifier for an individual SMTP connection to the system, over which 1 to thousands of individual messages may be sent. + - name: interface + type: keyword + - name: listener + type: group + fields: + - name: name + type: keyword + - name: log_available + type: keyword + description: Amount of disk space available for log files. + - name: log_used + type: long + description: Percent of log partition used. + - name: malware + type: keyword + description: The name of the malware threat. + - name: max_io + type: long + description: Maximum disk I/O operations per second for the mail process. + - name: mcafee_ld + type: long + description: Percent CPU used by McAfee anti-virus scanning. 
+ - name: message + type: text + - name: message_filters_verdict + type: keyword + - name: messages_length + type: long + description: Total number of messages in the system. + - name: message_status + type: keyword + - name: name + type: keyword + - name: ns_name + type: keyword + - name: network_requests + type: long + description: Network Requests. + - name: object + type: keyword + - name: object_attr + type: keyword + - name: object_category + type: keyword + - name: other_hard_bounces + type: long + description: Other Hard Bounces. + - name: outcome + type: keyword + - name: privilege + type: keyword + - name: qname + type: keyword + - name: quarantine + type: group + fields: + - name: load + type: long + description: CPU load during the Quarantine process. + - name: messages + type: long + description: Number of individual messages in policy, virus, or outbreak quarantine (messages present in multiple quarantines are counted only once). + - name: queue_kilobytes_used + type: long + description: KBytes used by policy, virus, and outbreak quarantine messages. + - name: queue_kilobytes_free + type: long + description: Queue Kilobytes Free. + - name: queue_kilobytes_usd + type: long + description: Queue Kilobytes Used. + - name: ram + type: group + fields: + - name: used + type: long + description: Allocated memory in bytes. + - name: utilization + type: long + description: RAM Utilization. + - name: read_bytes + type: long + - name: recepients + type: keyword + - name: ref_zone + type: keyword + - name: referrals + type: text + - name: rejected_recipients + type: long + description: Rejected Recipients. + - name: reporting_load + type: long + description: CPU load during the Reporting process. + - name: reputation_score + type: keyword + description: The reputation score assigned to the file by the file reputation server. + - name: resource_conservation + type: long + description: Resource conservation tarpit value. 
Acceptance of incoming mail is delayed by this number of seconds due to heavy system load. + - name: response + type: text + description: SMTP response code and message from recipient host. + - name: result + type: text + - name: recipient_id + type: keyword + description: Recipient ID. + - name: retries + type: long + description: The number of upload attempts performed on a given file. + - name: risk_factor + type: long + - name: run_id + type: keyword + description: The numeric value (ID) assigned to the file by the file analysis server for a particular file analysis. + - name: score + type: long + description: The analysis score assigned to the file by the file analysis server. + - name: server_error_details + type: text + - name: session + type: keyword + - name: severity + type: keyword + - name: soft_bounced_events + type: long + description: Soft Bounced Events. + - name: sophos_ld + type: long + description: Percent CPU used by Sophos anti-virus scanning. + - name: spy_name + type: keyword + description: The name of the threat, if a malware is found in the file during file analysis. + - name: start_time + type: keyword + - name: subject + type: text + - name: submit + type: group + fields: + - name: timestamp + type: date + description: The date and time at which the file is uploaded to the file analysis server by the email gateway. + - name: swap_usage + type: keyword + - name: swapped + type: group + fields: + - name: in + type: long + description: Memory swapped in. + - name: out + type: long + description: Memory swapped out. + - name: page + type: group + fields: + - name: in + type: long + description: Memory paged in. + - name: out + type: long + description: Memory paged out. + - name: total_ld + type: long + description: Total CPU consumption. + - name: type + type: keyword + - name: unattempted_recipients + type: long + description: Unattempted Recipients. 
+ - name: update + type: group + fields: + - name: timestamp + type: date + description: The date and time at which the file analysis for the file is complete. + - name: upload + type: group + fields: + - name: action + type: keyword + description: > + The upload action value recommended by the file reputation server to take on the given file 0 - Need not send for upload. 1 - Send file for upload. Note The email gateway uploads the file when the upload action value is ‘1.’. 2 - Do not send file for upload. 3 - Send only metadata for upload. + + - name: priority + type: keyword + description: "" + Upload priority values are: High - For all selected file types, except PDF file type. Low - For only PDF file types. + - name: verified + type: keyword + - name: vendor_action + type: keyword + - name: verdict + type: keyword + description: The file retrospective verdict value is malicious or clean. + - name: work_queue + type: long + description: This is the number of messages currently in the work queue. + - name: zone + type: keyword +- name: filepath + type: keyword +- name: log.file.path + type: keyword + description: File path from which the log event was read / sent from. +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. +- name: type + type: keyword + description: Input type. +- name: input.type + type: keyword diff --git a/packages/cisco_secure_email_gateway/data_stream/log/manifest.yml b/packages/cisco_secure_email_gateway/data_stream/log/manifest.yml new file mode 100644 index 00000000000..7f0496ae7e0 --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/manifest.yml 
@@ -0,0 +1,160 @@ +title: Cisco Secure Email Gateway logs +type: logs +streams: + - input: tcp + template_path: tcp.yml.hbs + title: Cisco Secure Email Gateway logs + description: Collect Cisco Secure Email Gateway logs via TCP input. + vars: + - name: listen_address + type: text + title: Listen Address + description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: listen_port + type: integer + title: Listen Port + description: The TCP port number to listen on. + multi: false + required: true + show_user: true + default: 514 + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. certificate_authorities, supported_protocols, verification_mode etc. + multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # 
yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - cisco_secure_email_gateway-log + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: udp + template_path: udp.yml.hbs + title: Cisco Secure Email Gateway logs + description: Collect Cisco Secure Email Gateway logs via UDP input. + vars: + - name: listen_address + type: text + title: Listen Address + description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: listen_port + type: integer + title: Listen Port + description: The UDP port number to listen on. + multi: false + required: true + show_user: true + default: 514 + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - cisco_secure_email_gateway-log + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. 
+ type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: logfile + template_path: stream.yml.hbs + title: Cisco Secure Email Gateway logs + description: Collect Cisco Secure Email Gateway logs via logfile. + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - cisco_secure_email_gateway-log + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cisco_secure_email_gateway/data_stream/log/sample_event.json b/packages/cisco_secure_email_gateway/data_stream/log/sample_event.json new file mode 100644 index 00000000000..b5de2a8143c --- /dev/null +++ b/packages/cisco_secure_email_gateway/data_stream/log/sample_event.json 
@@ -0,0 +1,64 @@ +{ + "@timestamp": "2022-03-17T18:24:37.000Z", + "agent": { + "ephemeral_id": "76b54e2f-6051-4831-a042-28f1eabce453", + "hostname": "docker-fleet-agent", + "id": "4ab79874-377f-4d22-87e0-fc0522d5a90a", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "amp" + }, + "message": "File reputation query initiating. File Name = 'mod-6.exe', MID = 5, File Size = 1673216 bytes, File Type = application/x-dosexec" + } + }, + "data_stream": { + "dataset": "cisco_secure_email_gateway.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "4ab79874-377f-4d22-87e0-fc0522d5a90a", + "snapshot": false, + "version": "7.17.0" + }, + "email": { + "attachments": { + "file": { + "name": "mod-6.exe", + "size": 1673216 + } + }, + "content_type": "application/x-dosexec", + "message_id": "5" + }, + "event": { + "agent_id_status": "verified", + "dataset": "cisco_secure_email_gateway.log", + "ingested": "2022-04-27T07:21:12Z", + "kind": "event" + }, + "input": { + "type": "udp" + }, + "log": { + "level": "info", + "source": { + "address": "172.19.0.1:52733" + }, + "syslog": { + "priority": 166 + } + }, + "tags": [ + "forwarded", + "cisco_secure_email_gateway-log" + ] +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/docs/README.md b/packages/cisco_secure_email_gateway/docs/README.md new file mode 100644 index 00000000000..31559fa4eec --- /dev/null +++ b/packages/cisco_secure_email_gateway/docs/README.md 
@@ -0,0 +1,531 @@ +# Cisco Secure Email Gateway + +The [Cisco Email Security Appliance](https://www.cisco.com/c/en/us/products/security/email-security/index.html) integration collects and parses data from Cisco Secure Email Gateway using TCP/UDP and logfile. + +## Compatibility + +This module has been tested against **Cisco Secure Email Gateway server version 14.0.0 Virtual Gateway C100V with the below given logs pattern**. + +## Configurations + +- Sign-in to Cisco Secure Email Gateway Portal and follow the below steps for configurations: + 1. In Cisco Secure Email Gateway Administrator Portal, go to **System Administration** > **Log Subscriptions**. + 2. Click **Add Log Subscription**. + 3. Enter all the **Required Details**. + 4. Set **Log Name** as below for the respective category: + - AMP Engine Logs -> amp + - Anti-Spam Logs -> antispam + - Authentication Logs -> authentication + - Bounce Logs -> bounces + - Consolidated Event Logs -> consolidated_event + - Content Scanner Logs -> content_scanner + - HTTP Logs -> gui_logs + - IronPort Text Mail Logs -> error_logs + - Text Mail Logs -> mail_logs + - Status Logs -> status + - System Logs -> system + 5. Select **Log Level** as Information. + 6. Select **Retrieval Method**. + 7. Click **Submit** and commit the Changes. 
+ +## Note + +- **Retrieval Method** Supported: + - **FTP Push to Remote Server** for the below categories: + AMP Engine Logs, Anti-Spam Logs, Anti-Spam Logs, Authentication Logs, Bounce Logs, Consolidated Event Logs, Content Scanner Logs, HTTP Logs, IronPort Text Mail Logs, Text Mail Logs, Status Logs, System Logs + - **Syslog Push** for the below categories: + AMP Engine Logs, Anti-Spam Logs, Anti-Spam Logs, Consolidated Event Logs, Content Scanner Logs, HTTP Logs, IronPort Text Mail Logs, Text Mail Logs, Status Logs, System Logs + +## [Sample Logs](https://www.cisco.com/c/en/us/td/docs/security/ces/user_guide/esa_user_guide_14-0/b_ESA_Admin_Guide_ces_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html) +Below are the samples logs of respective category: + +## AMP Engine Logs: +``` +File reputation query initiating. File Name = 'mod-6.exe', MID = 5, File Size = 1673216 bytes, File Type = application/x-dosexec + +Response received for file reputation query from Cloud. FileName = 'mod-6.exe', MID = 5, Disposition = MALICIOUS, Malware = W32.061DEF69B5-100.SBX.TG,Reputation Score = 73, sha256 =061def69b5c100e9979610fa5675bd19258b19a7ff538b5c2d230b467c312f19, upload_action = 2 + +File Analysis complete. SHA256: 16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc, Submit Timestamp: 1475825466, Update Timestamp: 1475825953, Disposition: 3 Score: 100, run_id: 194926004 Details: Analysis is completed for the File SHA256[16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc] Spyname:[W32.16454AFF50-100.SBX.TG] + +File not uploaded for analysis. MID = 0 File SHA256[a5f28f1fed7c2fe88bcdf403710098977fa12c32d13bfbd78bbe27e95b245f82] file mime[text/plain] Reason: No active/dynamic contents exists + +File analysis upload skipped. 
SHA256: b5c7e26491983baa713c9a2910ee868efd891661c6a0553b28f17b8fdc8cc3ef,Timestamp[1454782976] details[File SHA256[b5c7e26491983baa713c9a2910ee868efd891661c6a0553b28f17b8fdc8cc3ef] file mime[application/pdf], upload priority[Low] not uploaded, re-tries[3], backoff[986] discarding ...] + +SHA256: 69e17e213732da0d0cbc48ae7030a4a18e0c1289f510e8b139945787f67692a5,Timestamp[1454959409] details[Server Response HTTP code:[502]] + +Retrospective verdict received. SHA256: 16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc, Timestamp: 1475832815.7, Verdict: MALICIOUS, Reputation Score: 0, Spyname: W32.16454AFF50-100.SBX. +``` +## Anti-Spam Logs +``` +case antispam - engine (72324) : case-daemon: Initializing Child + +case antispam - engine (15703) : case-daemon: all children killed, exitting + +case antispam - engine (15703) : case-daemon: server killed by SIGHUP, shutting down +``` +## Authentication Logs +``` +The user admin successfully logged on from 1.128.3.4 with privilege admin using an HTTPS connection. + +CLI: User admin logged out from 1.128.3.4 because of inactivity timeout + +GUI: User admin logged out from session d0PfzQa02E8NwMiah2jx because of inactivity timeout + +logout:1.128.3.4 user:admin session:wKV0AK29Ggdhztfl4Sal + +User admin logged out of SSH session 1.128.3.4 + +An authentication attempt by the user admin from 1.128.3.4 failed using an HTTPS connection. + +User admin was authenticated successfully. + +User joe failed authentication. +``` +## Bounce Logs +``` +Bounced: DCID 2 MID 15232 From: To: RID 0 - 5.1.0 - Unknown address error ('550', ['5.1.1 The email account that you tried to reach does not exist. Please try', "5.1.1 double-checking the recipient's email address for typos or", '5.1.1 unnecessary spaces. Learn more at', '5.1.1 xxxxx ay44si12078156oib.94 - gsmtp']) + +Bounced: 123:123 
From: To: +``` +## Consolidated Event Logs +``` +CEF:0|Cisco|C100V Email Security Virtual Appliance|14.0.0-657|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=42127C7DDEE76852677B-F80CE8074CD3 ESAMID=1053 ESAICID=134 ESAAMPVerdict=UNKNOWN ESAASVerdict=NEGATIVE ESAAVVerdict=NEGATIVE ESACFVerdict=MATCH endTime=Thu Mar 18 08:04:46 2021 ESADLPVerdict=NOT_EVALUATED dvc=1.128.3.4 ESAAttachmentDetails={'test.txt': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '7f843d263304fb0516d6210e9de4fa7f01f2f623074aab6e3ee7051f7b785cfa'}, 'BodyScanner': {'fsize': 10059}}} ESAFriendlyFrom=example.com ESAGMVerdict=NEGATIVE startTime=Thu Mar 18 08:04:29 2021 deviceInboundInterface=Incomingmail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=example.com cs1Label=MailPolicy cs1=DEFAULT ESAMFVerdict=NOT_EVALUATED act=QUARANTINED ESAFinalActionDetails=To POLICY cs4Label=ExternalMsgID cs4='' ESAMsgSize=11873 ESAOFVerdict=POSITIVE duser=example.com ESAHeloIP=1.128.3.4 cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=27 years 2 months 15 days cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Weak ESASPFVerdict={'mailfrom': {'result': 'None', 'sender': 'example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster'}, 'pra': {'result': 'None', 'sender': 'example.com'}} sourceHostName=unknown ESASenderGroup=UNKNOWNLIST sourceAddress=1.128.3.4 msg='Testing' +``` +## Content Scanner Logs +``` +PF: Starting multi-threaded Perceptive server (pid=17729) + +PF: Restarting content_scanner service. +``` +## IronPort Text Mail Logs +``` +Quarantine: Failed to connect to quarantine + +Internal SMTP giving up on message to example.com with subject 'Warning example.com: Your "IronPort Email Encryption" key will expire in under 60...': Unrecoverable error. + +Error while sending alert: Unable to send System/Warning alert to example.com with subject "Warning example.com: Your "IronPort Email Encryption" key will expire in under 60...". 
+ +Internal SMTP system attempting to send a message to example.com with subject 'Critical example.com: Log Error: Subscription error_logs: Failed to connect to 10....' (attempt #0). +``` +## HTTP Logs +``` +req:1.128.3.4 user:admin id:2v10z5fEuDsvhdbVE6Ck 200 GET xxx.png HTTP/1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 + +req:1.128.3.4 user:- id:2v10z5fEuDsvhdbVE6Ck 200 GET xxx.png HTTP/1.1 - + +Action: User admin logged out from session 5GPz0QDlfxUYQ0Y3PgYN beacuse of inactivity timeout + +Session fRK3TSjzhHhoI9CV5Kvt user:admin expired + +Session fRK3TSjzhHhoI9CV5Kvt from 1.128.3.4 not found Destination:/mail_policies/email_security_manager/incoming_mail_policies + +SourceIP:1.128.3.4 Destination:/login Username:admin Privilege:admin session:5GPz0QDlfxUYQ0Y3PgYN Action: The HTTPS session has been established successfully. + +PERIODIC REPORTS: No root directory for Periodic Reports Archive. Probably, running first time... + +Could not fetch current Virus Threat Level: OS error opening URL 'http://example.com/xxxxx/xxxxx.txt' + +SSL error with client 1.128.3.4:000 - (336151574, 'error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown') + +Error in https connection from host 1.128.3.4 port 000 - [Errno 54] Connection reset by peer + +Passphrase has been changed for user admin +``` +## Text Mail Logs +``` +MID 111 DLP violation. Severity: LOW (Risk Factor: 15). DLP policy match: 'PCI-DSS (Payment Card Industry Data Security Standard)'. + +graymail [CONFIG] Starting graymail configuration handler + +URL_REP_CLIENT: Configuration changed. Triggering restart of URL Reputation client service. + +A System/Warning alert was sent to example.com with subject "Warning cisco.esa: URL category definitions have changed.; Added new category '...". 
+ +New SMTP ICID 5 interface Management (1.128.3.4) address 1.128.3.4 reverse dns host example.com verified yes + +Start MID 6 ICID 5 + +MID 6 ICID 5 
From: + +MID 6 ICID 5 RID 0 To: + +MID 6 ready 100 bytes from + +ICID 5 close + +New SMTP DCID 8 interface 1.128.3.4 address 1.128.3.4 + +Delivery start DCID 8 MID 6 to RID [0] + +Message done DCID 8 MID 6 to RID [0] + +DCID 8 close + +URL category definitions have changed. Please check and update your filters to use the new definitions + +Error while sending alert: Unable to send System/Warning alert to example.com with subject "Warning example.com: Your "IronPort Email Encryption" key will expire in under 60...". + +Your "IronPort Anti-Spam" key will expire in under 60 day(s). Please contact your authorized Cisco sales representative. + +Internal SMTP system successfully sent a message to example.com with subject 'Warning cisco.esa: Your "Sophos Anti-Virus" key will expire in under 60 day(s)....'. + +Internal SMTP giving up on message to example.com with subject 'Warning example.com: Your "IronPort Email Encryption" key will expire in under 60...': Unrecoverable error. + +Internal SMTP Error: Failed to send message to host 1.128.3.4:000 for recipient example: Unexpected SMTP response "553", expecting code starting with "2", response was ['#5.1.8 Domain of sender address does not exist']. 
+``` +## Status Logs +``` +Status: CPULd 0 DskIO 0 RAMUtil 1 QKUsd 0 QKFre 8388608 CrtMID 0 CrtICID 0 CrtDCID 1 InjMsg 0 InjRcp 0 GenBncRcp 0 RejRcp 0 DrpMsg 0 SftBncEvnt 0 CmpRcp 0 HrdBncRcp 0 DnsHrdBnc 0 5XXHrdBnc 0 FltrHrdBnc 0 ExpHrdBnc 0 OtrHrdBnc 0 DlvRcp 0 DelRcp 0 GlbUnsbHt 0 ActvRcp 0 UnatmptRcp 0 AtmptRcp 0 CrtCncIn 0 CrtCncOut 0 DnsReq 0 NetReq 0 CchHit 0 CchMis 0 CchEct 0 CchExp 0 CPUTTm 91 CPUETm 32182 MaxIO 487 RAMUsd 125195690 MMLen 0 DstInMem 3 ResCon 0 WorkQ 0 QuarMsgs 0 QuarQKUsd 0 LogUsd 5 SophLd 99 BMLd 0 CASELd 0 TotalLd 47 LogAvail 148G EuQ 0 EuqRls 0 CmrkLd 0 McafLd 0 SwIn 338 SwOut 681 SwPgIn 2123 SwPgOut 7156 SwapUsage 0% RptLd 0 QtnLd 0 EncrQ 0 InjBytes 0 +``` +## System Logs +``` +PID 1237: User admin commit changes: Added a second CLI log for examples + +lame DNS referral: qname:example.net ns_name:example.net zone:example.net ref_zone:example.net referrals:[(524666183436709L, 0, 'insecure', 'example.net'), (524666183436709L, 0, 'insecure', 'example.net')] + +Failed to bootstrap the DNS resolver. Unable to contact root servers. + +DNS query network error '[Errno 51] Network is unreachable' to 'dummy_ip' looking up ' ' + +Received an invalid DNS Response: '' to IP dummy_ip looking up example.de +``` + +## Logs + +### log + +This is the `log` dataset. + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2022-03-17T18:24:37.000Z", + "agent": { + "ephemeral_id": "76b54e2f-6051-4831-a042-28f1eabce453", + "hostname": "docker-fleet-agent", + "id": "4ab79874-377f-4d22-87e0-fc0522d5a90a", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "cisco_secure_email_gateway": { + "log": { + "category": { + "name": "amp" + }, + "message": "File reputation query initiating. 
File Name = 'mod-6.exe', MID = 5, File Size = 1673216 bytes, File Type = application/x-dosexec" + } + }, + "data_stream": { + "dataset": "cisco_secure_email_gateway.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "4ab79874-377f-4d22-87e0-fc0522d5a90a", + "snapshot": false, + "version": "7.17.0" + }, + "email": { + "attachments": { + "file": { + "name": "mod-6.exe", + "size": 1673216 + } + }, + "content_type": "application/x-dosexec", + "message_id": "5" + }, + "event": { + "agent_id_status": "verified", + "dataset": "cisco_secure_email_gateway.log", + "ingested": "2022-04-27T07:21:12Z", + "kind": "event" + }, + "input": { + "type": "udp" + }, + "log": { + "level": "info", + "source": { + "address": "172.19.0.1:52733" + }, + "syslog": { + "priority": 166 + } + }, + "tags": [ + "forwarded", + "cisco_secure_email_gateway-log" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cisco_secure_email_gateway.log.5xx_hard_bounces | 5XX Hard Bounces. | long | +| cisco_secure_email_gateway.log.act | | keyword | +| cisco_secure_email_gateway.log.action | | keyword | +| cisco_secure_email_gateway.log.active_recipients | Active Recipients. | long | +| cisco_secure_email_gateway.log.address | | ip | +| cisco_secure_email_gateway.log.alert_category | | keyword | +| cisco_secure_email_gateway.log.appliance.product | | keyword | +| cisco_secure_email_gateway.log.appliance.vendor | | keyword | +| cisco_secure_email_gateway.log.appliance.version | | keyword | +| cisco_secure_email_gateway.log.attempted_recipients | Attempted Recipients. | long | +| cisco_secure_email_gateway.log.backoff | The number of (x) seconds before the email gateway needs to wait before it makes an attempt to upload the file to the file analysis server. This occurs when the email gateway reaches the daily upload limit. 
| long | +| cisco_secure_email_gateway.log.bmld | | long | +| cisco_secure_email_gateway.log.bounce_type | Bounced or delayed (for example, hard or soft-bounce). | keyword | +| cisco_secure_email_gateway.log.cache.exceptions | Cache Exceptions. | long | +| cisco_secure_email_gateway.log.cache.expired | Cache Expired. | long | +| cisco_secure_email_gateway.log.cache.hits | Cache Hits. | long | +| cisco_secure_email_gateway.log.cache.misses | Cache Misses. | long | +| cisco_secure_email_gateway.log.case_id | | keyword | +| cisco_secure_email_gateway.log.case_ld | Percent CPU used by CASE scanning. | long | +| cisco_secure_email_gateway.log.category.name | | keyword | +| cisco_secure_email_gateway.log.cef_format_version | | keyword | +| cisco_secure_email_gateway.log.cfp1 | | double | +| cisco_secure_email_gateway.log.cfp1_label | | keyword | +| cisco_secure_email_gateway.log.cmrkld | | long | +| cisco_secure_email_gateway.log.command | | text | +| cisco_secure_email_gateway.log.commit_changes | | text | +| cisco_secure_email_gateway.log.completed_recipients | Completed Recipients. | long | +| cisco_secure_email_gateway.log.connection | | keyword | +| cisco_secure_email_gateway.log.connection_status | | keyword | +| cisco_secure_email_gateway.log.cpu.elapsed_time | Elapsed time since the application started. | long | +| cisco_secure_email_gateway.log.cpu.total_time | Total CPU time used by the application. | long | +| cisco_secure_email_gateway.log.cpu.utilization | CPU Utilization. | long | +| cisco_secure_email_gateway.log.crt.delivery_connection_id | Delivery Connection ID (DCID). | keyword | +| cisco_secure_email_gateway.log.crt.injection_connection_id | Injection Connection ID (ICID). 
| keyword | +| cisco_secure_email_gateway.log.cs1 | | keyword | +| cisco_secure_email_gateway.log.cs1_label | | keyword | +| cisco_secure_email_gateway.log.cs2 | | keyword | +| cisco_secure_email_gateway.log.cs2_label | | keyword | +| cisco_secure_email_gateway.log.cs3 | | keyword | +| cisco_secure_email_gateway.log.cs3_label | | keyword | +| cisco_secure_email_gateway.log.cs4 | | keyword | +| cisco_secure_email_gateway.log.cs4_label | | keyword | +| cisco_secure_email_gateway.log.cs5 | | keyword | +| cisco_secure_email_gateway.log.cs5_label | | keyword | +| cisco_secure_email_gateway.log.cs6 | | keyword | +| cisco_secure_email_gateway.log.cs6_label | | keyword | +| cisco_secure_email_gateway.log.current.inbound_connections | Current Inbound Connections. | long | +| cisco_secure_email_gateway.log.current.outbound_connections | Current Outbound Connections. | long | +| cisco_secure_email_gateway.log.data.ip | | ip | +| cisco_secure_email_gateway.log.deleted_recipients | Deleted Recipients. | long | +| cisco_secure_email_gateway.log.delivered_recipients | Delivered Recipients. | long | +| cisco_secure_email_gateway.log.delivery_connection_id | Delivery Connection ID. This is a numerical identifier for an individual SMTP connection to another server, for delivery of 1 to thousands of messages, each with some or all of their RIDs being delivered in a single message transmission. | keyword | +| cisco_secure_email_gateway.log.description | | text | +| cisco_secure_email_gateway.log.destination | | text | +| cisco_secure_email_gateway.log.destination_memory | Number of destination objects in memory. | long | +| cisco_secure_email_gateway.log.details | Additional information. | text | +| cisco_secure_email_gateway.log.device_direction | | keyword | +| cisco_secure_email_gateway.log.disk_io | Disk I/O Utilization. | long | +| cisco_secure_email_gateway.log.disposition | | keyword | +| cisco_secure_email_gateway.log.dns.hard_bounces | DNS Hard Bounces. 
| long | +| cisco_secure_email_gateway.log.dns.requests | DNS Requests. | long | +| cisco_secure_email_gateway.log.dropped_messages | Dropped Messages. | long | +| cisco_secure_email_gateway.log.encryption_queue | Messages in the Encryption Queue. | long | +| cisco_secure_email_gateway.log.error_code | | keyword | +| cisco_secure_email_gateway.log.esa.amp_verdict | | keyword | +| cisco_secure_email_gateway.log.esa.as_verdict | | keyword | +| cisco_secure_email_gateway.log.esa.attachment_details | | text | +| cisco_secure_email_gateway.log.esa.av_verdict | | keyword | +| cisco_secure_email_gateway.log.esa.content_filter_verdict | | keyword | +| cisco_secure_email_gateway.log.esa.delivery_connection_id | | keyword | +| cisco_secure_email_gateway.log.esa.dha_source | | keyword | +| cisco_secure_email_gateway.log.esa.dkim_verdict | | keyword | +| cisco_secure_email_gateway.log.esa.dlp_verdict | | keyword | +| cisco_secure_email_gateway.log.esa.dmarc_verdict | | keyword | +| cisco_secure_email_gateway.log.esa.final_action_details | | text | +| cisco_secure_email_gateway.log.esa.friendly_from | | keyword | +| cisco_secure_email_gateway.log.esa.graymail_verdict | | keyword | +| cisco_secure_email_gateway.log.esa.helo.ip | | ip | +| cisco_secure_email_gateway.log.esa.injection_connection_id | | keyword | +| cisco_secure_email_gateway.log.esa.mail_auto_remediation_action | | text | +| cisco_secure_email_gateway.log.esa.mail_flow_policy | | keyword | +| cisco_secure_email_gateway.log.esa.mf_verdict | | keyword | +| cisco_secure_email_gateway.log.esa.msg_size | | long | +| cisco_secure_email_gateway.log.esa.msg_too_big_from_sender | | boolean | +| cisco_secure_email_gateway.log.esa.outbreak_filter_verdict | | keyword | +| cisco_secure_email_gateway.log.esa.rate_limited_ip | | keyword | +| cisco_secure_email_gateway.log.esa.reply_to | | keyword | +| cisco_secure_email_gateway.log.esa.sdr_consolidated_domain_age | | text | +| cisco_secure_email_gateway.log.esa.sender_group | | 
keyword | +| cisco_secure_email_gateway.log.esa.spf_verdict | | keyword | +| cisco_secure_email_gateway.log.esa.url_details | | text | +| cisco_secure_email_gateway.log.estimated.quarantine | Estimated number of messages in the Spam quarantine. | long | +| cisco_secure_email_gateway.log.estimated.quarantine_release_queue | Estimated number of messages in the Spam quarantine release queue. | long | +| cisco_secure_email_gateway.log.event.name | | keyword | +| cisco_secure_email_gateway.log.event_class_id | | keyword | +| cisco_secure_email_gateway.log.expired_hard_bounces | Expired Hard Bounces. | long | +| cisco_secure_email_gateway.log.filter_hard_bounces | Filter Hard Bounces. | long | +| cisco_secure_email_gateway.log.generated_bounce_recipients | Generated Bounce Recipients. | long | +| cisco_secure_email_gateway.log.global_unsubscribe_hits | Global Unsubscribe Hits. | long | +| cisco_secure_email_gateway.log.hard_bounce_recipients | Hard Bounced Recipients. | long | +| cisco_secure_email_gateway.log.injected.bytes | Total Injected Message Size in Bytes. | long | +| cisco_secure_email_gateway.log.injected.messages | Injected Messages. | long | +| cisco_secure_email_gateway.log.injected.recipients | Injected Recipients. | long | +| cisco_secure_email_gateway.log.injection_connection_id | Injection Connection ID. This is a numerical identifier for an individual SMTP connection to the system, over which 1 to thousands of individual messages may be sent. | keyword | +| cisco_secure_email_gateway.log.interface | | keyword | +| cisco_secure_email_gateway.log.listener.name | | keyword | +| cisco_secure_email_gateway.log.log_available | Amount of disk space available for log files. | keyword | +| cisco_secure_email_gateway.log.log_used | Percent of log partition used. | long | +| cisco_secure_email_gateway.log.malware | The name of the malware threat. | keyword | +| cisco_secure_email_gateway.log.max_io | Maximum disk I/O operations per second for the mail process. 
| long | +| cisco_secure_email_gateway.log.mcafee_ld | Percent CPU used by McAfee anti-virus scanning. | long | +| cisco_secure_email_gateway.log.message | | text | +| cisco_secure_email_gateway.log.message_filters_verdict | | keyword | +| cisco_secure_email_gateway.log.message_status | | keyword | +| cisco_secure_email_gateway.log.messages_length | Total number of messages in the system. | long | +| cisco_secure_email_gateway.log.name | | keyword | +| cisco_secure_email_gateway.log.network_requests | Network Requests. | long | +| cisco_secure_email_gateway.log.ns_name | | keyword | +| cisco_secure_email_gateway.log.object | | keyword | +| cisco_secure_email_gateway.log.object_attr | | keyword | +| cisco_secure_email_gateway.log.object_category | | keyword | +| cisco_secure_email_gateway.log.other_hard_bounces | Other Hard Bounces. | long | +| cisco_secure_email_gateway.log.outcome | | keyword | +| cisco_secure_email_gateway.log.privilege | | keyword | +| cisco_secure_email_gateway.log.qname | | keyword | +| cisco_secure_email_gateway.log.quarantine.load | CPU load during the Quarantine process. | long | +| cisco_secure_email_gateway.log.quarantine.messages | Number of individual messages in policy, virus, or outbreak quarantine (messages present in multiple quarantines are counted only once). | long | +| cisco_secure_email_gateway.log.quarantine.queue_kilobytes_used | KBytes used by policy, virus, and outbreak quarantine messages. | long | +| cisco_secure_email_gateway.log.queue_kilobytes_free | Queue Kilobytes Free. | long | +| cisco_secure_email_gateway.log.queue_kilobytes_usd | Queue Kilobytes Used. | long | +| cisco_secure_email_gateway.log.ram.used | Allocated memory in bytes. | long | +| cisco_secure_email_gateway.log.ram.utilization | RAM Utilization. | long | +| cisco_secure_email_gateway.log.read_bytes | | long | +| cisco_secure_email_gateway.log.recepients | | keyword | +| cisco_secure_email_gateway.log.recipient_id | Recipient ID. 
| keyword | +| cisco_secure_email_gateway.log.ref_zone | | keyword | +| cisco_secure_email_gateway.log.referrals | | text | +| cisco_secure_email_gateway.log.rejected_recipients | Rejected Recipients. | long | +| cisco_secure_email_gateway.log.reporting_load | CPU load during the Reporting process. | long | +| cisco_secure_email_gateway.log.reputation_score | The reputation score assigned to the file by the file reputation server. | keyword | +| cisco_secure_email_gateway.log.resource_conservation | Resource conservation tarpit value. Acceptance of incoming mail is delayed by this number of seconds due to heavy system load. | long | +| cisco_secure_email_gateway.log.response | SMTP response code and message from recipient host. | text | +| cisco_secure_email_gateway.log.result | | text | +| cisco_secure_email_gateway.log.retries | The number of upload attempts performed on a given file. | long | +| cisco_secure_email_gateway.log.risk_factor | | long | +| cisco_secure_email_gateway.log.run_id | The numeric value (ID) assigned to the file by the file analysis server for a particular file analysis. | keyword | +| cisco_secure_email_gateway.log.score | The analysis score assigned to the file by the file analysis server. | long | +| cisco_secure_email_gateway.log.server_error_details | | text | +| cisco_secure_email_gateway.log.session | | keyword | +| cisco_secure_email_gateway.log.severity | | keyword | +| cisco_secure_email_gateway.log.soft_bounced_events | Soft Bounced Events. | long | +| cisco_secure_email_gateway.log.sophos_ld | Percent CPU used by Sophos anti-virus scanning. | long | +| cisco_secure_email_gateway.log.spy_name | The name of the threat, if a malware is found in the file during file analysis. 
| keyword | +| cisco_secure_email_gateway.log.start_time | | keyword | +| cisco_secure_email_gateway.log.subject | | text | +| cisco_secure_email_gateway.log.submit.timestamp | The date and time at which the file is uploaded to the file analysis server by the email gateway. | date | +| cisco_secure_email_gateway.log.swap_usage | | keyword | +| cisco_secure_email_gateway.log.swapped.in | Memory swapped in. | long | +| cisco_secure_email_gateway.log.swapped.out | Memory swapped out. | long | +| cisco_secure_email_gateway.log.swapped.page.in | Memory paged in. | long | +| cisco_secure_email_gateway.log.swapped.page.out | Memory paged out. | long | +| cisco_secure_email_gateway.log.total_ld | Total CPU consumption. | long | +| cisco_secure_email_gateway.log.type | | keyword | +| cisco_secure_email_gateway.log.unattempted_recipients | Unattempted Recipients. | long | +| cisco_secure_email_gateway.log.update.timestamp | The date and time at which the file analysis for the file is complete. | date | +| cisco_secure_email_gateway.log.upload.action | The upload action value recommended by the file reputation server to take on the given file 0 - Need not send for upload. 1 - Send file for upload. Note The email gateway uploads the file when the upload action value is ‘1.’. 2 - Do not send file for upload. 3 - Send only metadata for upload. | keyword | +| cisco_secure_email_gateway.log.upload.priority | | keyword | +| cisco_secure_email_gateway.log.vendor_action | | keyword | +| cisco_secure_email_gateway.log.verdict | The file retrospective verdict value is malicious or clean. | keyword | +| cisco_secure_email_gateway.log.verified | | keyword | +| cisco_secure_email_gateway.log.work_queue | This is the number of messages currently in the work queue. | long | +| cisco_secure_email_gateway.log.zone | | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). 
| ip | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| email.attachments.file.hash.sha256 | SHA256 hash. | keyword | +| email.attachments.file.mime_type | The MIME media type of the attachment. This value will typically be extracted from the `Content-Type` MIME header field. | keyword | +| email.attachments.file.name | Name of the attachment file including the file extension. | keyword | +| email.attachments.file.size | Attachment file size in bytes. | long | +| email.content_type | Information about how the message is to be displayed. Typically a MIME type. | keyword | +| email.direction | The direction of the message based on the sending and receiving domains. | keyword | +| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | +| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard | +| email.subject | A brief summary of the topic of the message. | keyword | +| email.subject.text | Multi-field of `email.subject`. | match_only_text | +| email.to.address | The email address of recipient | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.module | Event module | constant_keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| filepath | | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. 
| keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.response.status_code | HTTP response status code. | long | +| http.version | HTTP version. | keyword | +| input.type | | keyword | +| log.file.path | File path from which the log event was read / sent from. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Log offset | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. 
The field value must be normalized to lowercase for querying. | keyword | +| process.pid | Process id. | long | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| type | Input type. | keyword | +| url.path | Path of the request, such as "/search". | wildcard | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user_agent.device.name | Name of the device. | keyword | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | +| user_agent.os.full | Operating system name, including the version or code name. | keyword | +| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | +| user_agent.os.name | Operating system name, without the version. | keyword | +| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | +| user_agent.os.version | Operating system version as a raw string. | keyword | +| user_agent.version | Version of the user agent. | keyword | 
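Review bot: the field table types `cisco_secure_email_gateway.log.cfp1` as `double`, but the Consolidated Event Logs sample carries `cfp1=None` (SBRSScore unavailable); unless the pipeline drops or converts that sentinel before indexing, the event will be rejected with a mapping error, so add a test event containing `cfp1=None` and handle it explicitly. Likewise `reputation_score` is typed `keyword` while the AMP samples show numeric values (`Reputation Score = 73`, `Reputation Score: 0`); typing it `long`, as the neighbouring `score` field is, would allow range queries on it. Smaller points in the same hunk: `Anti-Spam Logs` is listed twice in both the FTP Push and Syslog Push category lists under `## Note`; `Below are the samples logs` should read `Below are the sample logs`; the `## AMP Engine Logs:` heading carries a trailing colon the other category headings lack; `beacuse of inactivity timeout` in the HTTP Logs sample is a typo unless it is the verbatim appliance text; the field names `queue_kilobytes_usd` (beside `queue_kilobytes_free`) and `recepients` look like typos that will be painful to rename once users build searches on them; `bmld` and `cmrkld` have no description although the sibling `case_ld`, `sophos_ld` and `mcafee_ld` do; and the Bounce and Text Mail samples show `From:` / `To:` with no addresses, so they do not exercise the `email.from.address` / `email.to.address` mappings listed in the table.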
diff --git a/packages/cisco_secure_email_gateway/img/cisco-logo.svg b/packages/cisco_secure_email_gateway/img/cisco-logo.svg new file mode 100644 index 00000000000..43f57cb7fee --- /dev/null +++ b/packages/cisco_secure_email_gateway/img/cisco-logo.svg @@ -0,0 +1,41 @@ + + + + + + + + + + + + + + + + diff --git a/packages/cisco_secure_email_gateway/img/cisco-secure-email-gateway-screenshot.png b/packages/cisco_secure_email_gateway/img/cisco-secure-email-gateway-screenshot.png new file mode 100644 index 00000000000..35e15bd5e83 Binary files /dev/null and b/packages/cisco_secure_email_gateway/img/cisco-secure-email-gateway-screenshot.png differ diff --git a/packages/cisco_secure_email_gateway/kibana/dashboard/cisco_secure_email_gateway-3e3a4de0-b00b-11ec-8a45-8d83ac55242a.json b/packages/cisco_secure_email_gateway/kibana/dashboard/cisco_secure_email_gateway-3e3a4de0-b00b-11ec-8a45-8d83ac55242a.json new file mode 100644 index 00000000000..2700ac411ab --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/dashboard/cisco_secure_email_gateway-3e3a4de0-b00b-11ec-8a45-8d83ac55242a.json 
@@ -0,0 +1,244 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "cisco_secure_email_gateway.log.category.name", + "negate": false, + "params": { + "query": "status" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "cisco_secure_email_gateway.log.category.name": "status" + } + } + } + ], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": "95a6ae87-13d5-4ada-bd77-bec597a81714", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "95a6ae87-13d5-4ada-bd77-bec597a81714", + "panelRefName": "panel_0", + "title": "CPU Utilization Over Time [Logs Cisco Secure Email Gateway]", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 14, + "i": "fac9251f-8b75-46fa-94ff-2a004fd15099", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "fac9251f-8b75-46fa-94ff-2a004fd15099", + "panelRefName": "panel_1", + "title": "Disk I/O Utilization Over Time [Logs Cisco Secure Email Gateway]", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "de2943f1-1708-4fd3-bb0d-99903395cc32", + "w": 24, + "x": 0, + "y": 14 + }, + "panelIndex": "de2943f1-1708-4fd3-bb0d-99903395cc32", + "panelRefName": "panel_2", + "title": "RAM Utilization Over Time [Logs Cisco Secure Email Gateway]", + "type": "visualization", + 
"version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "3ff28fc7-0158-4901-baf2-797e2686c180", + "w": 24, + "x": 24, + "y": 14 + }, + "panelIndex": "3ff28fc7-0158-4901-baf2-797e2686c180", + "panelRefName": "panel_3", + "title": "Sophos Anti-Virus Scanning Over Time [Logs Cisco Secure Email Gateway]", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "01d7f54a-0bfd-444a-99ca-ea799c11d342", + "w": 24, + "x": 0, + "y": 29 + }, + "panelIndex": "01d7f54a-0bfd-444a-99ca-ea799c11d342", + "panelRefName": "panel_4", + "title": "McAfee Anti-Virus Scanning Over Time [Logs Cisco Secure Email Gateway]", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "cc5ddff9-fb90-4f24-a98c-3a2b3957f8c6", + "w": 24, + "x": 24, + "y": 29 + }, + "panelIndex": "cc5ddff9-fb90-4f24-a98c-3a2b3957f8c6", + "panelRefName": "panel_5", + "title": "CASE Scanning Over Time [Logs Cisco Secure Email Gateway]", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "0ef7de46-c487-40c7-856a-3bbd89bbcf7b", + "w": 24, + "x": 0, + "y": 44 + }, + "panelIndex": "0ef7de46-c487-40c7-856a-3bbd89bbcf7b", + "panelRefName": "panel_6", + "title": "Reporting Process Over Time [Logs Cisco Secure Email Gateway]", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "7ce2069e-5789-451a-8980-5c1efa0ea8b9", + "w": 24, + "x": 24, + "y": 44 + }, + "panelIndex": "7ce2069e-5789-451a-8980-5c1efa0ea8b9", + "panelRefName": "panel_7", + "title": "Quarantine Process Over Time [Logs Cisco 
Secure Email Gateway]", + "type": "visualization", + "version": "7.17.0" + } + ], + "timeRestore": false, + "title": "[Logs Cisco Secure Email Gateway] Status", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-3e3a4de0-b00b-11ec-8a45-8d83ac55242a", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_secure_email_gateway-239adcd0-aff6-11ec-8a45-8d83ac55242a", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "cisco_secure_email_gateway-607f8060-b000-11ec-8a45-8d83ac55242a", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "cisco_secure_email_gateway-8f476740-b001-11ec-8a45-8d83ac55242a", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "cisco_secure_email_gateway-e5d96bd0-b001-11ec-8a45-8d83ac55242a", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "cisco_secure_email_gateway-a6ccb720-b002-11ec-8a45-8d83ac55242a", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "cisco_secure_email_gateway-18e16930-b00a-11ec-8a45-8d83ac55242a", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "cisco_secure_email_gateway-8e557710-b00a-11ec-8a45-8d83ac55242a", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "cisco_secure_email_gateway-0007c200-b00b-11ec-8a45-8d83ac55242a", + "name": "panel_7", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/dashboard/cisco_secure_email_gateway-6a11cbc0-b513-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/dashboard/cisco_secure_email_gateway-6a11cbc0-b513-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..349f2f21e36 --- /dev/null 
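Review bot: in the Status dashboard (`[Logs Cisco Secure Email Gateway] Status`), all eight panels are legacy `"type": "visualization"` saved objects, whereas every other dashboard in this PR is built from Lens panels; unless these time-series charts need something Lens cannot draw, rebuilding them as Lens keeps the package consistent and avoids carrying two visualization types with different migration paths. The dashboard also ships with `"description": ""`; a one-line description of what the status panels cover (CPU, disk I/O, RAM, Sophos/McAfee/CASE scanning, reporting and quarantine processes) would help users in the dashboard listing.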
+++ b/packages/cisco_secure_email_gateway/kibana/dashboard/cisco_secure_email_gateway-6a11cbc0-b513-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,266 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "cisco_secure_email_gateway.log.category.name", + "negate": false, + "params": { + "query": "amp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "cisco_secure_email_gateway.log.category.name": "amp" + } + } + } + ], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "42e2b65e-cb47-40bb-9c1b-57ffe421f4dc": { + "columnOrder": [ + "cfaa9bc5-46c5-4cf4-968f-419ea5d8e285", + "40ee8622-c392-4ec5-bc21-d912f381c282" + ], + "columns": { + "40ee8622-c392-4ec5-bc21-d912f381c282": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "cfaa9bc5-46c5-4cf4-968f-419ea5d8e285": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "File Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "40ee8622-c392-4ec5-bc21-d912f381c282", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "email.content_type" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + 
"cfaa9bc5-46c5-4cf4-968f-419ea5d8e285" + ], + "layerId": "42e2b65e-cb47-40bb-9c1b-57ffe421f4dc", + "layerType": "data", + "legendDisplay": "default", + "metric": "40ee8622-c392-4ec5-bc21-d912f381c282", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 13, + "i": "9dee5b6f-f892-4227-9472-22fb7d514271", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "9dee5b6f-f892-4227-9472-22fb7d514271", + "panelRefName": "panel_0", + "title": "Distribution of AMP Engine Events by File Type [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 13, + "i": "dc47e71b-52ce-41ad-bbba-60c0b7205f20", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "dc47e71b-52ce-41ad-bbba-60c0b7205f20", + "panelRefName": "panel_1", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 13, + "i": "ca17fa14-0065-4dc5-87e2-3166254da30a", + "w": 24, + "x": 0, + "y": 13 + }, + "panelIndex": "ca17fa14-0065-4dc5-87e2-3166254da30a", + "panelRefName": "panel_2", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 13, + "i": "5878a629-052a-4cb5-95bf-8e0fc6ec5ec1", + "w": 24, + "x": 24, + "y": 13 + }, + "panelIndex": "5878a629-052a-4cb5-95bf-8e0fc6ec5ec1", + "panelRefName": "panel_3", + "title": "Distribution of AMP Engine Events by File MIME Type [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 13, + "i": "38a471f6-9731-4071-9d91-b3ec1564349b", + "w": 24, + "x": 0, + "y": 26 + }, + "panelIndex": 
"38a471f6-9731-4071-9d91-b3ec1564349b", + "panelRefName": "panel_4", + "title": "Distribution of AMP Engine Events by Upload Action [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 13, + "i": "aa7dfa01-c596-466e-8296-1608d666cd1e", + "w": 24, + "x": 24, + "y": 26 + }, + "panelIndex": "aa7dfa01-c596-466e-8296-1608d666cd1e", + "panelRefName": "panel_5", + "title": "Distribution of AMP Engine Events by Verdict [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + } + ], + "timeRestore": false, + "title": "[Logs Cisco Secure Email Gateway] AMP Engine", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-6a11cbc0-b513-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_secure_email_gateway-567de1b0-b50f-11ec-aa3c-afc0e710666b", + "name": "panel_0", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-39138ed0-b510-11ec-aa3c-afc0e710666b", + "name": "panel_1", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-80cc7570-b510-11ec-aa3c-afc0e710666b", + "name": "panel_2", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-5f08da90-b511-11ec-aa3c-afc0e710666b", + "name": "panel_3", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-dd1c3e90-b511-11ec-aa3c-afc0e710666b", + "name": "panel_4", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-76438ce0-b512-11ec-aa3c-afc0e710666b", + "name": "panel_5", + "type": "lens" + } + ], + "type": "dashboard" +} \ No newline at end of file 
diff --git a/packages/cisco_secure_email_gateway/kibana/dashboard/cisco_secure_email_gateway-97ab0d40-b63e-11ec-b665-f79f0daaad54.json b/packages/cisco_secure_email_gateway/kibana/dashboard/cisco_secure_email_gateway-97ab0d40-b63e-11ec-b665-f79f0daaad54.json new file mode 100644 index 00000000000..d8cbc7b2ad3 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/dashboard/cisco_secure_email_gateway-97ab0d40-b63e-11ec-b665-f79f0daaad54.json 
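Review bot: panel_0 of the AMP Engine dashboard is defined twice: `embeddableConfig.attributes` carries an inline by-value Lens state (a pie over `"sourceField": "email.content_type"` with `"references": []`), while the same panel also sets `"panelRefName": "panel_0"`, which `references` resolves to the saved Lens object `cisco_secure_email_gateway-567de1b0-b50f-11ec-aa3c-afc0e710666b`. Keep one form, preferably dropping the inline `attributes` so the panel is by-reference like the other five and the two copies cannot drift apart. Separately, panel_1 and panel_2 have no `title` while the other four do; give them the `... [Logs Cisco Secure Email Gateway]` title form used elsewhere.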
@@ -0,0 +1,128 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "7cc45c02-44e8-438c-aa38-a007d252b940", + "w": 23, + "x": 0, + "y": 0 + }, + "panelIndex": "7cc45c02-44e8-438c-aa38-a007d252b940", + "panelRefName": "panel_0", + "title": "Distribution of Anti-Spam Events by Object [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "f8fe013f-8aa5-4f0e-84ff-45ec811766a3", + "w": 25, + "x": 23, + "y": 0 + }, + "panelIndex": "f8fe013f-8aa5-4f0e-84ff-45ec811766a3", + "panelRefName": "panel_1", + "title": "Distribution of Anti-Spam Events by Object Category [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "d14a4980-fa97-483e-ad10-ad6ff134dd23", + "w": 23, + "x": 0, + "y": 15 + }, + "panelIndex": "d14a4980-fa97-483e-ad10-ad6ff134dd23", + "panelRefName": "panel_2", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "1db1d475-764a-431d-abb5-9ab291f69e33", + "w": 25, + "x": 23, + "y": 15 + }, + "panelIndex": "1db1d475-764a-431d-abb5-9ab291f69e33", + "panelRefName": "panel_3", + "title": "Distribution of Authentication Events by Outcome [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + } + ], + "timeRestore": false, + "title": "[Logs Cisco Secure Email Gateway] 
Anti-Spam and Authentication", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-97ab0d40-b63e-11ec-b665-f79f0daaad54", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_secure_email_gateway-2bfd5260-b517-11ec-aa3c-afc0e710666b", + "name": "panel_0", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-1c1ef970-b517-11ec-aa3c-afc0e710666b", + "name": "panel_1", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-50401f90-b63e-11ec-b665-f79f0daaad54", + "name": "panel_2", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-60df7e90-b63e-11ec-b665-f79f0daaad54", + "name": "panel_3", + "type": "lens" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/dashboard/cisco_secure_email_gateway-a1060e90-b025-11ec-8a45-8d83ac55242a.json b/packages/cisco_secure_email_gateway/kibana/dashboard/cisco_secure_email_gateway-a1060e90-b025-11ec-8a45-8d83ac55242a.json new file mode 100644 index 00000000000..cf7577704f1 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/dashboard/cisco_secure_email_gateway-a1060e90-b025-11ec-8a45-8d83ac55242a.json 
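Review bot: the Anti-Spam and Authentication dashboard has `"filter": []`, yet its `references` still carries an index-pattern entry named `kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index`, a reference with no `filter[0]` to resolve to. Either drop that reference or add the category filter the other dashboards use (`cisco_secure_email_gateway.log.category.name` restricted to the `antispam` and `authentication` log names); as written, the dashboard-level query only scopes to `data_stream.dataset : "cisco_secure_email_gateway.log"`, so each Lens panel must carry its own category filter. panel_2 also has no `title` while the other three do.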
@@ -0,0 +1,196 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "cisco_secure_email_gateway.log.category.name", + "negate": false, + "params": { + "query": "gui_logs" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "cisco_secure_email_gateway.log.category.name": "gui_logs" + } + } + } + ], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "1dd36832-31f8-43d2-a00c-49d24108eaa4", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "1dd36832-31f8-43d2-a00c-49d24108eaa4", + "panelRefName": "panel_0", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "17df4ae4-3f35-46d2-9516-26dfdfe5f3b5", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "17df4ae4-3f35-46d2-9516-26dfdfe5f3b5", + "panelRefName": "panel_1", + "title": "Distribution of GUI Events by Request [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "ac4a3508-065d-4610-8358-684e5d9e82c2", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "ac4a3508-065d-4610-8358-684e5d9e82c2", + "panelRefName": "panel_2", + "title": "Distribution of GUI Events by Response Status Code [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false 
+ }, + "gridData": { + "h": 15, + "i": "e028cf94-3b68-4e0e-bff8-3e2d32e049fe", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "e028cf94-3b68-4e0e-bff8-3e2d32e049fe", + "panelRefName": "panel_3", + "title": "Distribution of GUI Events by User Agent [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "b6700711-d823-4afa-9ce0-b119917ed1b8", + "w": 24, + "x": 0, + "y": 30 + }, + "panelIndex": "b6700711-d823-4afa-9ce0-b119917ed1b8", + "panelRefName": "panel_4", + "title": "Top 10 User Name [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "79ad4619-4274-4344-925b-281f6c35df63", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "79ad4619-4274-4344-925b-281f6c35df63", + "panelRefName": "panel_5", + "title": "Distribution of GUI Events by OS, OS Version [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + } + ], + "timeRestore": false, + "title": "[Logs Cisco Secure Email Gateway] GUI", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-a1060e90-b025-11ec-8a45-8d83ac55242a", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_secure_email_gateway-40ba5f40-b580-11ec-b665-f79f0daaad54", + "name": "panel_0", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-c6ecc5d0-b580-11ec-b665-f79f0daaad54", + "name": "panel_1", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-8309a9e0-b581-11ec-b665-f79f0daaad54", + "name": "panel_2", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-6e7a9920-b58c-11ec-b665-f79f0daaad54", + 
"name": "panel_3", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-69897df0-b58c-11ec-b665-f79f0daaad54", + "name": "panel_4", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-72f24920-b58d-11ec-b665-f79f0daaad54", + "name": "panel_5", + "type": "lens" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/dashboard/cisco_secure_email_gateway-b9591cf0-b640-11ec-b665-f79f0daaad54.json b/packages/cisco_secure_email_gateway/kibana/dashboard/cisco_secure_email_gateway-b9591cf0-b640-11ec-b665-f79f0daaad54.json new file mode 100644 index 00000000000..61c2aa811be --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/dashboard/cisco_secure_email_gateway-b9591cf0-b640-11ec-b665-f79f0daaad54.json 
@@ -0,0 +1,147 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "945d4b9c-86fa-42cd-b512-1a1bd70b6d97", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "945d4b9c-86fa-42cd-b512-1a1bd70b6d97", + "panelRefName": "panel_0", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "103fbc3c-7c0e-48cd-bd68-b67a615aad7b", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "103fbc3c-7c0e-48cd-bd68-b67a615aad7b", + "panelRefName": "panel_1", + "title": "Top 10 User Name [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 16, + "i": "f4b68a6e-421b-42b1-866c-100f504735d4", + "w": 16, + "x": 0, + "y": 15 + }, + "panelIndex": "f4b68a6e-421b-42b1-866c-100f504735d4", + "panelRefName": "panel_2", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 16, + "i": "8d6507ea-1c20-4fcc-bbb9-daadecd72f46", + "w": 15, + "x": 16, + "y": 15 + }, + "panelIndex": "8d6507ea-1c20-4fcc-bbb9-daadecd72f46", + "panelRefName": "panel_3", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": "ca178e69-d36c-47fe-bea1-3f4aeb07c33e", + "w": 17, + "x": 31, + "y": 15 + }, + "panelIndex": "ca178e69-d36c-47fe-bea1-3f4aeb07c33e", + "panelRefName": "panel_4", + "title": "Distribution of Error Events by Alert Category [Logs Cisco Secure 
Email Gateway]", + "type": "lens", + "version": "7.17.0" + } + ], + "timeRestore": false, + "title": "[Logs Cisco Secure Email Gateway] Error, Content Scanner and System", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-b9591cf0-b640-11ec-b665-f79f0daaad54", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_secure_email_gateway-4312b680-b525-11ec-aa3c-afc0e710666b", + "name": "panel_0", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-5a647440-b51b-11ec-aa3c-afc0e710666b", + "name": "panel_1", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-d4a2bdf0-b527-11ec-aa3c-afc0e710666b", + "name": "panel_2", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-23bc6030-b528-11ec-aa3c-afc0e710666b", + "name": "panel_3", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-955c42b0-b577-11ec-aa3c-afc0e710666b", + "name": "panel_4", + "type": "lens" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/dashboard/cisco_secure_email_gateway-be7e9c00-b055-11ec-8a45-8d83ac55242a.json b/packages/cisco_secure_email_gateway/kibana/dashboard/cisco_secure_email_gateway-be7e9c00-b055-11ec-8a45-8d83ac55242a.json new file mode 100644 index 00000000000..bef665766b9 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/dashboard/cisco_secure_email_gateway-be7e9c00-b055-11ec-8a45-8d83ac55242a.json 
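Review bot: same dangling reference as in the Anti-Spam and Authentication dashboard: `"filter": []` but `references` keeps the `kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index` entry. Since the title promises Error, Content Scanner and System logs, either add a category filter restricted to the `error_logs`, `content_scanner` and `system` log names from the README, or remove the unused reference and make sure each of the five Lens panels filters on its own category; otherwise the dashboard-level query only scopes to the dataset and the three categories are indistinguishable. Three of the five panels (panel_0, panel_2, panel_3) also ship without a `title`.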
@@ -0,0 +1,332 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "cisco_secure_email_gateway.log.category.name", + "negate": false, + "params": { + "query": "consolidated_event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "cisco_secure_email_gateway.log.category.name": "consolidated_event" + } + } + } + ], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "b11261c4-5064-4f70-9297-35e354c35e59", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "b11261c4-5064-4f70-9297-35e354c35e59", + "panelRefName": "panel_0", + "title": "Distribution of Consolidated Events by Listener Name [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "eaaaa9e9-fc9b-448c-88a6-9404e44b45ad", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "eaaaa9e9-fc9b-448c-88a6-9404e44b45ad", + "panelRefName": "panel_1", + "title": "Distribution of Consolidated Events by Outbreak Filters Verdict [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "14f54d7b-75bc-44eb-a15f-c79876f5edb4", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "14f54d7b-75bc-44eb-a15f-c79876f5edb4", + "panelRefName": "panel_2", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { 
+ "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "bb7a6391-3a3a-40c2-b32d-9b7bc3b5916f", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "bb7a6391-3a3a-40c2-b32d-9b7bc3b5916f", + "panelRefName": "panel_3", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "507ca4af-c48a-43e3-9aa2-79ff68ba7eaf", + "w": 24, + "x": 0, + "y": 30 + }, + "panelIndex": "507ca4af-c48a-43e3-9aa2-79ff68ba7eaf", + "panelRefName": "panel_4", + "title": "Distribution of Consolidated Events by Graymail Verdict [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "fc2be34f-5ce2-48cc-a36d-8102d13f888f", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "fc2be34f-5ce2-48cc-a36d-8102d13f888f", + "panelRefName": "panel_5", + "title": "Distribution of Consolidated Events by AMP Verdict [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "a0228300-da78-48a7-9d70-cc93670887b5", + "w": 24, + "x": 0, + "y": 45 + }, + "panelIndex": "a0228300-da78-48a7-9d70-cc93670887b5", + "panelRefName": "panel_6", + "title": "Distribution of Consolidated Events by AS Verdict [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "0e21c3d8-a107-4c45-bb9e-c91763054347", + "w": 24, + "x": 24, + "y": 45 + }, + "panelIndex": "0e21c3d8-a107-4c45-bb9e-c91763054347", + "panelRefName": "panel_7", + "title": "Distribution of Consolidated Events by AV Verdict [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + 
"enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "466b3df7-c128-470a-b24e-c83257b58e86", + "w": 24, + "x": 0, + "y": 60 + }, + "panelIndex": "466b3df7-c128-470a-b24e-c83257b58e86", + "panelRefName": "panel_8", + "title": "Distribution of Consolidated Events by DLP Verdict [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "dca786a1-5cf1-432b-b645-65378e3c4249", + "w": 24, + "x": 24, + "y": 60 + }, + "panelIndex": "dca786a1-5cf1-432b-b645-65378e3c4249", + "panelRefName": "panel_9", + "title": "Distribution of Consolidated Events by Content Filters Verdict [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "d895fb3d-f0c0-42b3-81c9-b41e0de21b8f", + "w": 24, + "x": 0, + "y": 75 + }, + "panelIndex": "d895fb3d-f0c0-42b3-81c9-b41e0de21b8f", + "panelRefName": "panel_10", + "title": "Top 10 Appliance Vendor [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "ab44d98a-a6f9-46db-93b5-8d982bb8164d", + "w": 24, + "x": 24, + "y": 75 + }, + "panelIndex": "ab44d98a-a6f9-46db-93b5-8d982bb8164d", + "panelRefName": "panel_11", + "title": "Distribution of Consolidated Events by Message Final Action [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + } + ], + "timeRestore": false, + "title": "[Logs Cisco Secure Email Gateway] Consolidated Event", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-be7e9c00-b055-11ec-8a45-8d83ac55242a", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_secure_email_gateway-2ada7910-b51e-11ec-aa3c-afc0e710666b", + "name": "panel_0", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-fdc9a620-b51e-11ec-aa3c-afc0e710666b", + "name": "panel_1", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-8944e4d0-b51f-11ec-aa3c-afc0e710666b", + "name": "panel_2", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-bab80b00-b51f-11ec-aa3c-afc0e710666b", + "name": "panel_3", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-17219320-b520-11ec-aa3c-afc0e710666b", + "name": "panel_4", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-7b61ca30-b520-11ec-aa3c-afc0e710666b", + "name": "panel_5", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-bd88e8d0-b520-11ec-aa3c-afc0e710666b", + "name": "panel_6", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-5eabfa40-b521-11ec-aa3c-afc0e710666b", + "name": "panel_7", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-4079ce10-b523-11ec-aa3c-afc0e710666b", + "name": "panel_8", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-e4b913a0-b523-11ec-aa3c-afc0e710666b", + "name": "panel_9", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-272885e0-b524-11ec-aa3c-afc0e710666b", + "name": "panel_10", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-b15a0680-b524-11ec-aa3c-afc0e710666b", + "name": "panel_11", + "type": "lens" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/dashboard/cisco_secure_email_gateway-c19f7c50-b05b-11ec-8a45-8d83ac55242a.json b/packages/cisco_secure_email_gateway/kibana/dashboard/cisco_secure_email_gateway-c19f7c50-b05b-11ec-8a45-8d83ac55242a.json new file mode 100644 index 00000000000..d1904128305 --- /dev/null 
+++ b/packages/cisco_secure_email_gateway/kibana/dashboard/cisco_secure_email_gateway-c19f7c50-b05b-11ec-8a45-8d83ac55242a.json 
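Review bot: in the Consolidated Event dashboard, panel_2 and panel_3 have no `title` while the other ten do; give them the `Distribution of Consolidated Events by ... [Logs Cisco Secure Email Gateway]` form so the dashboard reads uniformly, and change the panel_10 title `Top 10 Appliance Vendor` to `Top 10 Appliance Vendors`. The verdict panels (Outbreak Filters, Graymail, AMP, AS, AV, DLP, Content Filters) and `Message Final Action` are the views an analyst will reach for first, yet `Message Final Action` (panel_11) sits last at `"y": 75`; consider moving it to the top row next to Listener Name.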
@@ -0,0 +1,261 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "cisco_secure_email_gateway.log.category.name", + "negate": false, + "params": { + "query": "mail_logs" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "cisco_secure_email_gateway.log.category.name": "mail_logs" + } + } + } + ], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "964bf5b0-a59e-4378-856a-850bdfbad7bc", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "964bf5b0-a59e-4378-856a-850bdfbad7bc", + "panelRefName": "panel_0", + "title": "Distribution of Text Mail Events by Severity [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "a86df19f-3670-4f11-8c65-6f2a15ce360e", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "a86df19f-3670-4f11-8c65-6f2a15ce360e", + "panelRefName": "panel_1", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "61bc30e5-ddc7-4603-ae82-1b9da098f1be", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "61bc30e5-ddc7-4603-ae82-1b9da098f1be", + "panelRefName": "panel_2", + "title": "Distribution of Text Mail Events by Object Attribute [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + 
"hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "836dd851-3cec-4eb5-8995-651105e410f9", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "836dd851-3cec-4eb5-8995-651105e410f9", + "panelRefName": "panel_3", + "title": "Distribution of Text Mail Events by Vendor Action [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": "941b0a19-c57b-4888-bfc5-766bc30fe2fb", + "w": 17, + "x": 0, + "y": 30 + }, + "panelIndex": "941b0a19-c57b-4888-bfc5-766bc30fe2fb", + "panelRefName": "panel_4", + "title": "Distribution of Text Mail Events by Connection Status [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": "c550d9bb-f49b-420d-a583-96785a91f1d4", + "w": 15, + "x": 17, + "y": 30 + }, + "panelIndex": "c550d9bb-f49b-420d-a583-96785a91f1d4", + "panelRefName": "panel_5", + "title": "Distribution of Text Mail Events by Message Status [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 16, + "i": "9421e841-9470-45c7-a3d4-7d4130a5c758", + "w": 16, + "x": 32, + "y": 30 + }, + "panelIndex": "9421e841-9470-45c7-a3d4-7d4130a5c758", + "panelRefName": "panel_6", + "title": "Distribution of Text Mail Events by Network Protocol [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "acadb1ad-19bb-41e8-9c5e-7d62b4cf8f6c", + "w": 24, + "x": 0, + "y": 46 + }, + "panelIndex": "acadb1ad-19bb-41e8-9c5e-7d62b4cf8f6c", + "panelRefName": "panel_7", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + 
"gridData": { + "h": 15, + "i": "48a59710-7086-459f-abef-72604a666d20", + "w": 24, + "x": 24, + "y": 46 + }, + "panelIndex": "48a59710-7086-459f-abef-72604a666d20", + "panelRefName": "panel_8", + "type": "lens", + "version": "7.17.0" + } + ], + "timeRestore": false, + "title": "[Logs Cisco Secure Email Gateway] Text Mail", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-c19f7c50-b05b-11ec-8a45-8d83ac55242a", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_secure_email_gateway-9c04dc70-b578-11ec-aa3c-afc0e710666b", + "name": "panel_0", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-dabd1310-b578-11ec-aa3c-afc0e710666b", + "name": "panel_1", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-159f1460-b579-11ec-aa3c-afc0e710666b", + "name": "panel_2", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-6b544d80-b579-11ec-aa3c-afc0e710666b", + "name": "panel_3", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-d26c0e90-b579-11ec-aa3c-afc0e710666b", + "name": "panel_4", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-fdee0eb0-b579-11ec-aa3c-afc0e710666b", + "name": "panel_5", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-e36fdf40-b57a-11ec-aa3c-afc0e710666b", + "name": "panel_6", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-3e387e10-b57a-11ec-aa3c-afc0e710666b", + "name": "panel_7", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-973c1ee0-b57a-11ec-aa3c-afc0e710666b", + "name": "panel_8", + "type": "lens" + } + ], + "type": "dashboard" +} \ No newline at end of file 
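Review bot: panel_1, panel_7 and panel_8 in this dashboard carry no `title`, so they fall back to whatever the referenced Lens object is called, while the other six panels get an explicit `… [Logs Cisco Secure Email Gateway]` override. Give all nine panels a title so the layout is consistent and a later rename of a Lens object does not silently change this dashboard; the same applies to panel_1 through panel_3 of the c94a00a0 Bounce dashboard further down.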
diff --git a/packages/cisco_secure_email_gateway/kibana/dashboard/cisco_secure_email_gateway-c94a00a0-b0a7-11ec-8a45-8d83ac55242a.json b/packages/cisco_secure_email_gateway/kibana/dashboard/cisco_secure_email_gateway-c94a00a0-b0a7-11ec-8a45-8d83ac55242a.json new file mode 100644 index 00000000000..f91652e3358 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/dashboard/cisco_secure_email_gateway-c94a00a0-b0a7-11ec-8a45-8d83ac55242a.json 
@@ -0,0 +1,146 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "cisco_secure_email_gateway.log.category.name", + "negate": false, + "params": { + "query": "bounces" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "cisco_secure_email_gateway.log.category.name": "bounces" + } + } + } + ], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "639d7ded-5352-4627-beb3-eb311f3318d8", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "639d7ded-5352-4627-beb3-eb311f3318d8", + "panelRefName": "panel_0", + "title": "Distribution of Bounce Events by Bounce Type [Logs Cisco Secure Email Gateway]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "85d72fcb-35a5-469f-b27d-1fb5e82ca891", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "85d72fcb-35a5-469f-b27d-1fb5e82ca891", + "panelRefName": "panel_1", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "645dd140-f2d1-4fe1-974e-d45f57bfb3a3", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "645dd140-f2d1-4fe1-974e-d45f57bfb3a3", + "panelRefName": "panel_2", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "78094ff3-8433-4298-9b15-cde20f055619", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": 
"78094ff3-8433-4298-9b15-cde20f055619", + "panelRefName": "panel_3", + "type": "lens", + "version": "7.17.0" + } + ], + "timeRestore": false, + "title": "[Logs Cisco Secure Email Gateway] Bounce", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-c94a00a0-b0a7-11ec-8a45-8d83ac55242a", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "cisco_secure_email_gateway-31a12320-b514-11ec-aa3c-afc0e710666b", + "name": "panel_0", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-69210db0-b514-11ec-aa3c-afc0e710666b", + "name": "panel_1", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-ac56b620-b514-11ec-aa3c-afc0e710666b", + "name": "panel_2", + "type": "lens" + }, + { + "id": "cisco_secure_email_gateway-d2d9b860-b514-11ec-aa3c-afc0e710666b", + "name": "panel_3", + "type": "lens" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-159f1460-b579-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-159f1460-b579-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..e460db3f3ad --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-159f1460-b579-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,123 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "dc14a7c6-0c0a-4d2d-9d1a-3ab5f9b79791": { + "columnOrder": [ + "775a45ba-8734-4350-9286-e0de448cbae2", + "e60ae8dd-f8ee-4d28-9051-64158ea09998" + ], + "columns": { + "775a45ba-8734-4350-9286-e0de448cbae2": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Object Attribute", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "e60ae8dd-f8ee-4d28-9051-64158ea09998", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.object_attr" + }, + "e60ae8dd-f8ee-4d28-9051-64158ea09998": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "e60ae8dd-f8ee-4d28-9051-64158ea09998" + ], + "layerId": "dc14a7c6-0c0a-4d2d-9d1a-3ab5f9b79791", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "775a45ba-8734-4350-9286-e0de448cbae2" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + 
"yRightExtent": { + "mode": "full" + } + } + }, + "title": "Distribution of Text Mail Events by Object Attribute [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsXY" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-159f1460-b579-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-dc14a7c6-0c0a-4d2d-9d1a-3ab5f9b79791", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-17219320-b520-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-17219320-b520-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..7db2c4a09db --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-17219320-b520-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "ef2e966e-52e1-4aa5-97d4-4f415bd80272": { + "columnOrder": [ + "c60a5e2f-a5aa-47b7-964f-ade43eae9d5a", + "f4642514-e457-4c19-a2f4-802311e3a3fa" + ], + "columns": { + "c60a5e2f-a5aa-47b7-964f-ade43eae9d5a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Graymail Verdict", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "f4642514-e457-4c19-a2f4-802311e3a3fa", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.esa.graymail_verdict" + }, + "f4642514-e457-4c19-a2f4-802311e3a3fa": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "c60a5e2f-a5aa-47b7-964f-ade43eae9d5a" + ], + "layerId": "ef2e966e-52e1-4aa5-97d4-4f415bd80272", + "layerType": "data", + "legendDisplay": "default", + "metric": "f4642514-e457-4c19-a2f4-802311e3a3fa", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Consolidated Events by Graymail Verdict [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-17219320-b520-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-ef2e966e-52e1-4aa5-97d4-4f415bd80272", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-1c1ef970-b517-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-1c1ef970-b517-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..d620f86431e --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-1c1ef970-b517-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "d11b7b35-4452-4d96-aedb-cfa76248e087": { + "columnOrder": [ + "8ea28f8c-d6b1-4857-9581-6f6a2fd9a885", + "9d948240-967b-4c51-828f-3b950b5beca5" + ], + "columns": { + "8ea28f8c-d6b1-4857-9581-6f6a2fd9a885": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Object Category", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "9d948240-967b-4c51-828f-3b950b5beca5", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.object_category" + }, + "9d948240-967b-4c51-828f-3b950b5beca5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\" and cisco_secure_email_gateway.log.category.name : \"antispam\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "8ea28f8c-d6b1-4857-9581-6f6a2fd9a885" + ], + "layerId": "d11b7b35-4452-4d96-aedb-cfa76248e087", + "layerType": "data", + "legendDisplay": "default", + "metric": "9d948240-967b-4c51-828f-3b950b5beca5", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Anti-Spam Events by Object Category [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-1c1ef970-b517-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d11b7b35-4452-4d96-aedb-cfa76248e087", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-23bc6030-b528-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-23bc6030-b528-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..47197b71a2c --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-23bc6030-b528-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "8cc04732-d3e2-4b65-aeac-fee7492adee6": { + "columnOrder": [ + "64ec49a9-78fd-4cb4-8c2b-e183f50b0526", + "4b3854d5-8b24-4472-a3b3-e2484749d658" + ], + "columns": { + "4b3854d5-8b24-4472-a3b3-e2484749d658": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "64ec49a9-78fd-4cb4-8c2b-e183f50b0526": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Object Category", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "4b3854d5-8b24-4472-a3b3-e2484749d658", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.object_category" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\" and cisco_secure_email_gateway.log.category.name : \"content_scanner\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "64ec49a9-78fd-4cb4-8c2b-e183f50b0526" + ], + "layerId": "8cc04732-d3e2-4b65-aeac-fee7492adee6", + "layerType": "data", + "legendDisplay": "default", + "metric": "4b3854d5-8b24-4472-a3b3-e2484749d658", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Content Scanner Events by Object Category [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-23bc6030-b528-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", 
+ "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8cc04732-d3e2-4b65-aeac-fee7492adee6", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-272885e0-b524-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-272885e0-b524-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..3539373e347 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-272885e0-b524-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "1f0830ca-67f7-48e3-8356-4495026c941d": { + "columnOrder": [ + "350b5032-a217-4f5b-afe2-13d5ed62a26e", + "6769baa6-3cdd-4ba5-a406-b5b10ae1a427" + ], + "columns": { + "350b5032-a217-4f5b-afe2-13d5ed62a26e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Appliance vendor", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "6769baa6-3cdd-4ba5-a406-b5b10ae1a427", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.appliance.vendor" + }, + "6769baa6-3cdd-4ba5-a406-b5b10ae1a427": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "columns": [ + { + "columnId": "350b5032-a217-4f5b-afe2-13d5ed62a26e", + "isTransposed": false + }, + { + "columnId": "6769baa6-3cdd-4ba5-a406-b5b10ae1a427", + "isTransposed": false + } + ], + "layerId": "1f0830ca-67f7-48e3-8356-4495026c941d", + "layerType": "data" + } + }, + "title": "Top 10 Appliance vendor [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-272885e0-b524-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-1f0830ca-67f7-48e3-8356-4495026c941d", + "type": "index-pattern" + } + ], + 
"type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-2ada7910-b51e-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-2ada7910-b51e-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..f1b80ae6e0a --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-2ada7910-b51e-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "0fcbd198-453c-4d42-9e5d-4920321e8cbb": { + "columnOrder": [ + "da5e80d9-05f2-4ffe-a208-fb3cb59702c7", + "63a10371-dab3-4bcc-8c94-9deb9ad801db" + ], + "columns": { + "63a10371-dab3-4bcc-8c94-9deb9ad801db": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "da5e80d9-05f2-4ffe-a208-fb3cb59702c7": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Listener Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "63a10371-dab3-4bcc-8c94-9deb9ad801db", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "email.direction" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "da5e80d9-05f2-4ffe-a208-fb3cb59702c7" + ], + "layerId": "0fcbd198-453c-4d42-9e5d-4920321e8cbb", + "layerType": "data", + "legendDisplay": "default", + "metric": "63a10371-dab3-4bcc-8c94-9deb9ad801db", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Consolidated Events by Listener Name [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-2ada7910-b51e-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-0fcbd198-453c-4d42-9e5d-4920321e8cbb", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-2bfd5260-b517-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-2bfd5260-b517-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..4deaa68b802 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-2bfd5260-b517-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "6a329d99-3de7-4396-9481-07cff7118b75": { + "columnOrder": [ + "94df3128-28b6-4f27-897f-bcb44d3c7196", + "2eeef2a5-4721-49f0-bdf3-e39e05c95999" + ], + "columns": { + "2eeef2a5-4721-49f0-bdf3-e39e05c95999": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "94df3128-28b6-4f27-897f-bcb44d3c7196": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Object", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "2eeef2a5-4721-49f0-bdf3-e39e05c95999", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.object" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\" and cisco_secure_email_gateway.log.category.name : \"antispam\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "94df3128-28b6-4f27-897f-bcb44d3c7196" + ], + "layerId": "6a329d99-3de7-4396-9481-07cff7118b75", + "layerType": "data", + "legendDisplay": "default", + "metric": "2eeef2a5-4721-49f0-bdf3-e39e05c95999", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Anti-Spam Events by Object [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-2bfd5260-b517-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + 
"id": "logs-*", + "name": "indexpattern-datasource-layer-6a329d99-3de7-4396-9481-07cff7118b75", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-31a12320-b514-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-31a12320-b514-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..d79d70e84e2 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-31a12320-b514-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "f59bf14d-1826-4672-a636-96713e17bf3d": { + "columnOrder": [ + "c5045d93-c903-4f4f-a653-1ee275ee5f1f", + "5d32e55d-1a69-4e1c-a42e-e3cc5302a77c" + ], + "columns": { + "5d32e55d-1a69-4e1c-a42e-e3cc5302a77c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "c5045d93-c903-4f4f-a653-1ee275ee5f1f": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Bounce Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "5d32e55d-1a69-4e1c-a42e-e3cc5302a77c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.bounce_type" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "c5045d93-c903-4f4f-a653-1ee275ee5f1f" + ], + "layerId": "f59bf14d-1826-4672-a636-96713e17bf3d", + "layerType": "data", + "legendDisplay": "default", + "metric": "5d32e55d-1a69-4e1c-a42e-e3cc5302a77c", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Bounce Events by Bounce type [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-31a12320-b514-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-f59bf14d-1826-4672-a636-96713e17bf3d", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-39138ed0-b510-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-39138ed0-b510-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..90b214a5879 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-39138ed0-b510-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "da50ed80-3cbc-4559-bef0-e3db5de2fb16": { + "columnOrder": [ + "2782b4e2-ba8c-4aaf-8747-8d7297b3ec41", + "722a910a-7f85-47f2-9eea-8a13c4faaed5" + ], + "columns": { + "2782b4e2-ba8c-4aaf-8747-8d7297b3ec41": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Malware Threat", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "722a910a-7f85-47f2-9eea-8a13c4faaed5", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.malware" + }, + "722a910a-7f85-47f2-9eea-8a13c4faaed5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "columns": [ + { + "columnId": "2782b4e2-ba8c-4aaf-8747-8d7297b3ec41", + "isTransposed": false + }, + { + "columnId": "722a910a-7f85-47f2-9eea-8a13c4faaed5", + "isTransposed": false + } + ], + "layerId": "da50ed80-3cbc-4559-bef0-e3db5de2fb16", + "layerType": "data" + } + }, + "title": "Top 10 Malware Threat [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-39138ed0-b510-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-da50ed80-3cbc-4559-bef0-e3db5de2fb16", + "type": "index-pattern" + } + ], + "type": "lens" +} \ 
No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-3e387e10-b57a-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-3e387e10-b57a-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..7b640de955d --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-3e387e10-b57a-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "78976d98-602b-49ed-9fad-c111e8dd5d9c": { + "columnOrder": [ + "1246cdaf-b072-4a40-9ecc-4f0a83910265", + "a46515d5-4b24-47ee-bb4e-673b0c46d4db" + ], + "columns": { + "1246cdaf-b072-4a40-9ecc-4f0a83910265": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "DNS Host", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "a46515d5-4b24-47ee-bb4e-673b0c46d4db", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "dns.question.name" + }, + "a46515d5-4b24-47ee-bb4e-673b0c46d4db": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "columns": [ + { + "columnId": "1246cdaf-b072-4a40-9ecc-4f0a83910265", + "isTransposed": false + }, + { + "columnId": "a46515d5-4b24-47ee-bb4e-673b0c46d4db", + "isTransposed": false + } + ], + "layerId": "78976d98-602b-49ed-9fad-c111e8dd5d9c", + "layerType": "data" + } + }, + "title": "Top 10 DNS Host [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-3e387e10-b57a-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-78976d98-602b-49ed-9fad-c111e8dd5d9c", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file 
diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-4079ce10-b523-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-4079ce10-b523-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..c71cee27f98 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-4079ce10-b523-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "17b5a5b0-ab60-4ac9-918d-1471b17fc36a": { + "columnOrder": [ + "84b418b7-2bd5-473f-a0a9-6a15c5864123", + "1f0c2ff3-8fb0-4767-8b5c-1289cc7c461d" + ], + "columns": { + "1f0c2ff3-8fb0-4767-8b5c-1289cc7c461d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "84b418b7-2bd5-473f-a0a9-6a15c5864123": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "DLP Verdict", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "1f0c2ff3-8fb0-4767-8b5c-1289cc7c461d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.esa.dlp_verdict" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "84b418b7-2bd5-473f-a0a9-6a15c5864123" + ], + "layerId": "17b5a5b0-ab60-4ac9-918d-1471b17fc36a", + "layerType": "data", + "legendDisplay": "default", + "metric": "1f0c2ff3-8fb0-4767-8b5c-1289cc7c461d", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Consolidated Events by DLP Verdict [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-4079ce10-b523-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-17b5a5b0-ab60-4ac9-918d-1471b17fc36a", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-40ba5f40-b580-11ec-b665-f79f0daaad54.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-40ba5f40-b580-11ec-b665-f79f0daaad54.json new file mode 100644 index 00000000000..9d226eafa05 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-40ba5f40-b580-11ec-b665-f79f0daaad54.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "deefc302-2a9c-4c62-8b64-db0656a1e201": { + "columnOrder": [ + "1a75a065-b075-4708-974f-e4460b593062", + "47d341a9-66d9-478c-83ed-faf1b8e6142f" + ], + "columns": { + "1a75a065-b075-4708-974f-e4460b593062": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Host IP", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "47d341a9-66d9-478c-83ed-faf1b8e6142f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.ip" + }, + "47d341a9-66d9-478c-83ed-faf1b8e6142f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "columns": [ + { + "columnId": "1a75a065-b075-4708-974f-e4460b593062", + "isTransposed": false + }, + { + "columnId": "47d341a9-66d9-478c-83ed-faf1b8e6142f", + "isTransposed": false + } + ], + "layerId": "deefc302-2a9c-4c62-8b64-db0656a1e201", + "layerType": "data" + } + }, + "title": "Top 10 Host IP [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-40ba5f40-b580-11ec-b665-f79f0daaad54", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-deefc302-2a9c-4c62-8b64-db0656a1e201", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file 
diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-4312b680-b525-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-4312b680-b525-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..8889eb385a7 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-4312b680-b525-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "818edf56-0abd-4454-a40a-9c48a9ccb60b": { + "columnOrder": [ + "30d4769c-2c7b-492d-bd13-dbd0be6331ae", + "4b2b840d-b0c8-4b5d-838a-6419d2679e57" + ], + "columns": { + "30d4769c-2c7b-492d-bd13-dbd0be6331ae": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Recipient", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "4b2b840d-b0c8-4b5d-838a-6419d2679e57", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "email.to.address" + }, + "4b2b840d-b0c8-4b5d-838a-6419d2679e57": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\" and cisco_secure_email_gateway.log.category.name : \"error_logs\"" + }, + "visualization": { + "columns": [ + { + "columnId": "30d4769c-2c7b-492d-bd13-dbd0be6331ae", + "isTransposed": false + }, + { + "columnId": "4b2b840d-b0c8-4b5d-838a-6419d2679e57", + "isTransposed": false + } + ], + "layerId": "818edf56-0abd-4454-a40a-9c48a9ccb60b", + "layerType": "data" + } + }, + "title": "Top 10 Recipients [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-4312b680-b525-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-818edf56-0abd-4454-a40a-9c48a9ccb60b", + "type": 
"index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-50401f90-b63e-11ec-b665-f79f0daaad54.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-50401f90-b63e-11ec-b665-f79f0daaad54.json new file mode 100644 index 00000000000..36086672f1e --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-50401f90-b63e-11ec-b665-f79f0daaad54.json 
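Review bot: the "Top 10 Recipients [Logs Cisco Secure Email Gateway]" object (cisco_secure_email_gateway-4312b680-b525-11ec-aa3c-afc0e710666b) in the hunk above restricts its query to `and cisco_secure_email_gateway.log.category.name : "error_logs"`, so the table counts `email.to.address` only for events from that one log category while the title reads as if it covered all mail. Either name the category in the title, as the "Distribution of ... Events by ..." objects in this patch do, or drop the category clause if recipients across every category are intended; as written a dashboard reader cannot tell which was meant.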
@@ -0,0 +1,89 @@ +{ + "attributes": { + "description": null, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "3580df6b-ad09-48fd-a1a5-82f760b16cdd": { + "columnOrder": [ + "eeafffce-6abd-40c9-9615-6707e18801b6", + "31ca0397-55c6-4109-a00c-b79e85754ffa" + ], + "columns": { + "31ca0397-55c6-4109-a00c-b79e85754ffa": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "eeafffce-6abd-40c9-9615-6707e18801b6": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Username", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "31ca0397-55c6-4109-a00c-b79e85754ffa", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "user.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\" and cisco_secure_email_gateway.log.category.name : \"authentication\"" + }, + "visualization": { + "columns": [ + { + "columnId": "eeafffce-6abd-40c9-9615-6707e18801b6", + "isTransposed": false + }, + { + "columnId": "31ca0397-55c6-4109-a00c-b79e85754ffa", + "isTransposed": false + } + ], + "layerId": "3580df6b-ad09-48fd-a1a5-82f760b16cdd", + "layerType": "data" + } + }, + "title": "Top 10 User Name [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-50401f90-b63e-11ec-b665-f79f0daaad54", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-3580df6b-ad09-48fd-a1a5-82f760b16cdd", + "type": 
"index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-567de1b0-b50f-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-567de1b0-b50f-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..bc54edcab98 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-567de1b0-b50f-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "42e2b65e-cb47-40bb-9c1b-57ffe421f4dc": { + "columnOrder": [ + "cfaa9bc5-46c5-4cf4-968f-419ea5d8e285", + "40ee8622-c392-4ec5-bc21-d912f381c282" + ], + "columns": { + "40ee8622-c392-4ec5-bc21-d912f381c282": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "cfaa9bc5-46c5-4cf4-968f-419ea5d8e285": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "File Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "40ee8622-c392-4ec5-bc21-d912f381c282", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "email.content_type" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "cfaa9bc5-46c5-4cf4-968f-419ea5d8e285" + ], + "layerId": "42e2b65e-cb47-40bb-9c1b-57ffe421f4dc", + "layerType": "data", + "legendDisplay": "default", + "metric": "40ee8622-c392-4ec5-bc21-d912f381c282", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of AMP Engine Events by File Type [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-567de1b0-b50f-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-42e2b65e-cb47-40bb-9c1b-57ffe421f4dc", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-5a647440-b51b-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-5a647440-b51b-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..e9393c183d8 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-5a647440-b51b-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "b6923de3-cac2-47e3-b36f-2bd1f4821098": { + "columnOrder": [ + "2002d5eb-0345-4f25-88e9-cac1c904bc99", + "d61dcbdd-2a90-4b16-85f1-070dc0ba109d" + ], + "columns": { + "2002d5eb-0345-4f25-88e9-cac1c904bc99": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Username", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "d61dcbdd-2a90-4b16-85f1-070dc0ba109d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "user.name" + }, + "d61dcbdd-2a90-4b16-85f1-070dc0ba109d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\" and cisco_secure_email_gateway.log.category.name : \"system\"" + }, + "visualization": { + "columns": [ + { + "columnId": "2002d5eb-0345-4f25-88e9-cac1c904bc99", + "isTransposed": false + }, + { + "columnId": "d61dcbdd-2a90-4b16-85f1-070dc0ba109d", + "isTransposed": false + } + ], + "layerId": "b6923de3-cac2-47e3-b36f-2bd1f4821098", + "layerType": "data" + } + }, + "title": "Top 10 User Name [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-5a647440-b51b-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b6923de3-cac2-47e3-b36f-2bd1f4821098", + "type": "index-pattern" + } + ], 
+ "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-5eabfa40-b521-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-5eabfa40-b521-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..69fc6693fbc --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-5eabfa40-b521-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "11172da2-6f42-47a4-b1f4-cdbf8afdedd0": { + "columnOrder": [ + "567678aa-a7e3-4e65-93eb-68015622fc6a", + "4ce98a9d-67cd-44cc-96b8-b3d08f750b84" + ], + "columns": { + "4ce98a9d-67cd-44cc-96b8-b3d08f750b84": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "567678aa-a7e3-4e65-93eb-68015622fc6a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "AV Verdict", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "4ce98a9d-67cd-44cc-96b8-b3d08f750b84", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.esa.av_verdict" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "567678aa-a7e3-4e65-93eb-68015622fc6a" + ], + "layerId": "11172da2-6f42-47a4-b1f4-cdbf8afdedd0", + "layerType": "data", + "legendDisplay": "default", + "metric": "4ce98a9d-67cd-44cc-96b8-b3d08f750b84", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Consolidated Events by AV Verdict [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-5eabfa40-b521-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-11172da2-6f42-47a4-b1f4-cdbf8afdedd0", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-5f08da90-b511-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-5f08da90-b511-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..4db14e271ec --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-5f08da90-b511-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "8b6d5f6d-b1c9-4860-917a-ecac06f34b10": { + "columnOrder": [ + "a3111dae-5b02-4296-88ff-61197bd0f3f9", + "c3597c7d-4468-4194-8f2d-a453ced98438" + ], + "columns": { + "a3111dae-5b02-4296-88ff-61197bd0f3f9": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "File Mime Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "c3597c7d-4468-4194-8f2d-a453ced98438", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "email.attachments.file.mime_type" + }, + "c3597c7d-4468-4194-8f2d-a453ced98438": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "a3111dae-5b02-4296-88ff-61197bd0f3f9" + ], + "layerId": "8b6d5f6d-b1c9-4860-917a-ecac06f34b10", + "layerType": "data", + "legendDisplay": "default", + "metric": "c3597c7d-4468-4194-8f2d-a453ced98438", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of AMP Engine Events by File MIME Type [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-5f08da90-b511-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-8b6d5f6d-b1c9-4860-917a-ecac06f34b10", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-60df7e90-b63e-11ec-b665-f79f0daaad54.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-60df7e90-b63e-11ec-b665-f79f0daaad54.json new file mode 100644 index 00000000000..1ddc45965a9 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-60df7e90-b63e-11ec-b665-f79f0daaad54.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": null, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "0c19b962-3c1b-47bd-b455-08fe74f0d713": { + "columnOrder": [ + "5633dc67-ee99-44e0-9fc9-1eeb069871a7", + "df66b654-83dc-4985-830d-a241adefbc2c" + ], + "columns": { + "5633dc67-ee99-44e0-9fc9-1eeb069871a7": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Outcome", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "df66b654-83dc-4985-830d-a241adefbc2c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "event.outcome" + }, + "df66b654-83dc-4985-830d-a241adefbc2c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\" and cisco_secure_email_gateway.log.category.name : \"authentication\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "5633dc67-ee99-44e0-9fc9-1eeb069871a7" + ], + "layerId": "0c19b962-3c1b-47bd-b455-08fe74f0d713", + "layerType": "data", + "legendDisplay": "default", + "metric": "df66b654-83dc-4985-830d-a241adefbc2c", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Authentication Events by Outcome [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-60df7e90-b63e-11ec-b665-f79f0daaad54", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": 
"logs-*", + "name": "indexpattern-datasource-layer-0c19b962-3c1b-47bd-b455-08fe74f0d713", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-69210db0-b514-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-69210db0-b514-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..0e6fb078df8 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-69210db0-b514-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "5283a6c5-2dfa-4758-99c0-567b3c5b187c": { + "columnOrder": [ + "c606b455-7a81-4667-9520-2ae212768375", + "f4dacf24-f68a-4415-b82a-a2a6e3a1b3fe" + ], + "columns": { + "c606b455-7a81-4667-9520-2ae212768375": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Sender", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "f4dacf24-f68a-4415-b82a-a2a6e3a1b3fe", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "email.from.address" + }, + "f4dacf24-f68a-4415-b82a-a2a6e3a1b3fe": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "columns": [ + { + "columnId": "c606b455-7a81-4667-9520-2ae212768375", + "isTransposed": false + }, + { + "columnId": "f4dacf24-f68a-4415-b82a-a2a6e3a1b3fe", + "isTransposed": false + } + ], + "layerId": "5283a6c5-2dfa-4758-99c0-567b3c5b187c", + "layerType": "data" + } + }, + "title": "Top 10 Sender [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-69210db0-b514-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5283a6c5-2dfa-4758-99c0-567b3c5b187c", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file 
diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-69897df0-b58c-11ec-b665-f79f0daaad54.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-69897df0-b58c-11ec-b665-f79f0daaad54.json new file mode 100644 index 00000000000..d5a2aa2d81e --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-69897df0-b58c-11ec-b665-f79f0daaad54.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "description": null, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "57751ffc-a4b1-4c64-88ce-1e692814b206": { + "columnOrder": [ + "23017c0a-ce72-475c-a40c-9f98f6036ea5", + "43da0051-67fe-4cab-9dcd-acd44e8eede1" + ], + "columns": { + "23017c0a-ce72-475c-a40c-9f98f6036ea5": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "User Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "43da0051-67fe-4cab-9dcd-acd44e8eede1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "user.name" + }, + "43da0051-67fe-4cab-9dcd-acd44e8eede1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "columns": [ + { + "columnId": "23017c0a-ce72-475c-a40c-9f98f6036ea5", + "isTransposed": false + }, + { + "columnId": "43da0051-67fe-4cab-9dcd-acd44e8eede1", + "isTransposed": false + } + ], + "layerId": "57751ffc-a4b1-4c64-88ce-1e692814b206", + "layerType": "data" + } + }, + "title": "Top 10 User Name [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-69897df0-b58c-11ec-b665-f79f0daaad54", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-57751ffc-a4b1-4c64-88ce-1e692814b206", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file 
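Review bot: this hunk is the third Lens object in the patch titled "Top 10 User Name [Logs Cisco Secure Email Gateway]"; the two earlier ones (cisco_secure_email_gateway-50401f90-b63e-11ec-b665-f79f0daaad54 and -5a647440-b51b-11ec-aa3c-afc0e710666b) filter on `category.name : "authentication"` and `"system"` respectively, whereas this one (-69897df0-b58c-11ec-b665-f79f0daaad54) has no category clause and therefore overlaps both. The title is what Kibana shows in the saved-objects list and in dashboard panel pickers, so give each a distinct title that states its scope, e.g. "Top 10 User Name (Authentication)", "Top 10 User Name (System)" and "Top 10 User Name (All Logs)". Minor: this object and the 50401f90 one use `"description": null` while the rest of the patch uses `"description": ""`; pick one form for all exported objects.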
diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-6b544d80-b579-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-6b544d80-b579-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..cab94ac252e --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-6b544d80-b579-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "28922e0d-d6e4-4a94-95f2-102ec6f181ac": { + "columnOrder": [ + "8a344e0b-f642-4c42-b815-60433dfbfbb9", + "c229ce5c-eb61-4540-853d-6cc2098ca1d2" + ], + "columns": { + "8a344e0b-f642-4c42-b815-60433dfbfbb9": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Vendor Action", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "c229ce5c-eb61-4540-853d-6cc2098ca1d2", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.vendor_action" + }, + "c229ce5c-eb61-4540-853d-6cc2098ca1d2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\" and cisco_secure_email_gateway.log.category.name : \"mail_logs\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "8a344e0b-f642-4c42-b815-60433dfbfbb9" + ], + "layerId": "28922e0d-d6e4-4a94-95f2-102ec6f181ac", + "layerType": "data", + "legendDisplay": "default", + "metric": "c229ce5c-eb61-4540-853d-6cc2098ca1d2", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Text Mail Events by Vendor Action [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-6b544d80-b579-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-28922e0d-d6e4-4a94-95f2-102ec6f181ac", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-6e7a9920-b58c-11ec-b665-f79f0daaad54.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-6e7a9920-b58c-11ec-b665-f79f0daaad54.json new file mode 100644 index 00000000000..0cfe5a5b8d2 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-6e7a9920-b58c-11ec-b665-f79f0daaad54.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": null, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "0c3a1ff3-eb26-42fd-8196-49c12251bd49": { + "columnOrder": [ + "cebc1213-bb3f-4000-b747-5f0b0c608b4b", + "e1416011-657e-40b0-9af8-ff3bcbdf0617" + ], + "columns": { + "cebc1213-bb3f-4000-b747-5f0b0c608b4b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "User Agent Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "e1416011-657e-40b0-9af8-ff3bcbdf0617", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user_agent.name" + }, + "e1416011-657e-40b0-9af8-ff3bcbdf0617": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "cebc1213-bb3f-4000-b747-5f0b0c608b4b" + ], + "layerId": "0c3a1ff3-eb26-42fd-8196-49c12251bd49", + "layerType": "data", + "legendDisplay": "default", + "metric": "e1416011-657e-40b0-9af8-ff3bcbdf0617", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of GUI Events by User Agent Name [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-6e7a9920-b58c-11ec-b665-f79f0daaad54", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-0c3a1ff3-eb26-42fd-8196-49c12251bd49", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-72f24920-b58d-11ec-b665-f79f0daaad54.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-72f24920-b58d-11ec-b665-f79f0daaad54.json new file mode 100644 index 00000000000..d665143dc6a --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-72f24920-b58d-11ec-b665-f79f0daaad54.json 
@@ -0,0 +1,113 @@ +{ + "attributes": { + "description": null, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "58c79990-e129-4e1d-a7c5-2f663c86109f": { + "columnOrder": [ + "7e1dc911-a513-41bd-9e56-5366699d06e0", + "9a441fcb-5153-497e-85dc-6d3efb3b54cc", + "1abb990c-1e38-4ba3-b160-b0cea323aefc" + ], + "columns": { + "1abb990c-1e38-4ba3-b160-b0cea323aefc": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "7e1dc911-a513-41bd-9e56-5366699d06e0": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "OS Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "1abb990c-1e38-4ba3-b160-b0cea323aefc", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user_agent.os.name" + }, + "9a441fcb-5153-497e-85dc-6d3efb3b54cc": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "OS Version", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "1abb990c-1e38-4ba3-b160-b0cea323aefc", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user_agent.os.version" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "7e1dc911-a513-41bd-9e56-5366699d06e0", + "9a441fcb-5153-497e-85dc-6d3efb3b54cc" + ], + "layerId": "58c79990-e129-4e1d-a7c5-2f663c86109f", + "layerType": "data", + "legendDisplay": "default", + "metric": "1abb990c-1e38-4ba3-b160-b0cea323aefc", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": 
"pie" + } + }, + "title": "Distribution of GUI Events by OS, OS Version [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-72f24920-b58d-11ec-b665-f79f0daaad54", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-58c79990-e129-4e1d-a7c5-2f663c86109f", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-76438ce0-b512-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-76438ce0-b512-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..f630fb93480 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-76438ce0-b512-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "52251872-020b-4855-9c01-fbebd4df0064": { + "columnOrder": [ + "585842e9-697b-43a6-99cb-e905245ce2e2", + "1c89cec4-799f-407c-a53c-d4f2332d7966" + ], + "columns": { + "1c89cec4-799f-407c-a53c-d4f2332d7966": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "585842e9-697b-43a6-99cb-e905245ce2e2": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Verdict", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "1c89cec4-799f-407c-a53c-d4f2332d7966", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.verdict" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "585842e9-697b-43a6-99cb-e905245ce2e2" + ], + "layerId": "52251872-020b-4855-9c01-fbebd4df0064", + "layerType": "data", + "legendDisplay": "default", + "metric": "1c89cec4-799f-407c-a53c-d4f2332d7966", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of AMP Engine Events by Verdict [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-76438ce0-b512-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-52251872-020b-4855-9c01-fbebd4df0064", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-7b61ca30-b520-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-7b61ca30-b520-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..c40fe6807a0 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-7b61ca30-b520-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "9d0f1c67-8726-4c33-8c99-5c6616fd273c": { + "columnOrder": [ + "1e49a823-db00-4ed1-bdfd-63c58746120c", + "22dbf62a-c96a-4237-b7aa-7a85dbbb56f0" + ], + "columns": { + "1e49a823-db00-4ed1-bdfd-63c58746120c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "AMP Verdict", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "22dbf62a-c96a-4237-b7aa-7a85dbbb56f0", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.esa.amp_verdict" + }, + "22dbf62a-c96a-4237-b7aa-7a85dbbb56f0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "1e49a823-db00-4ed1-bdfd-63c58746120c" + ], + "layerId": "9d0f1c67-8726-4c33-8c99-5c6616fd273c", + "layerType": "data", + "legendDisplay": "default", + "metric": "22dbf62a-c96a-4237-b7aa-7a85dbbb56f0", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Consolidated Events by AMP Verdict [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-7b61ca30-b520-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-9d0f1c67-8726-4c33-8c99-5c6616fd273c", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-80cc7570-b510-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-80cc7570-b510-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..939c91d10c0 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-80cc7570-b510-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "cc97ded6-1926-428a-a6d3-d13b3b47b8ba": { + "columnOrder": [ + "50f68a81-af9c-4a46-8f31-49957891f03e", + "536e9932-8f25-4096-a1f1-cc40da5e099b" + ], + "columns": { + "50f68a81-af9c-4a46-8f31-49957891f03e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Spy Name ", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "536e9932-8f25-4096-a1f1-cc40da5e099b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.spy_name" + }, + "536e9932-8f25-4096-a1f1-cc40da5e099b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "columns": [ + { + "columnId": "50f68a81-af9c-4a46-8f31-49957891f03e", + "isTransposed": false + }, + { + "columnId": "536e9932-8f25-4096-a1f1-cc40da5e099b", + "isTransposed": false + } + ], + "layerId": "cc97ded6-1926-428a-a6d3-d13b3b47b8ba", + "layerType": "data" + } + }, + "title": "Top 10 Spy Name [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-80cc7570-b510-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-cc97ded6-1926-428a-a6d3-d13b3b47b8ba", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No 
newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-8309a9e0-b581-11ec-b665-f79f0daaad54.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-8309a9e0-b581-11ec-b665-f79f0daaad54.json new file mode 100644 index 00000000000..216d5229783 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-8309a9e0-b581-11ec-b665-f79f0daaad54.json 
@@ -0,0 +1,123 @@ +{ + "attributes": { + "description": null, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "316330ba-0c74-48a8-a005-a83d62b22825": { + "columnOrder": [ + "49ecc95f-4e3e-4886-b6a9-f877f37aa93d", + "190364eb-0f7a-4409-b39e-761d5f9bd865" + ], + "columns": { + "190364eb-0f7a-4409-b39e-761d5f9bd865": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "49ecc95f-4e3e-4886-b6a9-f877f37aa93d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Response Status Code", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "190364eb-0f7a-4409-b39e-761d5f9bd865", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "http.response.status_code" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "190364eb-0f7a-4409-b39e-761d5f9bd865" + ], + "layerId": "316330ba-0c74-48a8-a005-a83d62b22825", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "49ecc95f-4e3e-4886-b6a9-f877f37aa93d" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + 
"yRightExtent": { + "mode": "full" + } + } + }, + "title": "Distribution of GUI Events by Response Status Code [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsXY" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-8309a9e0-b581-11ec-b665-f79f0daaad54", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-316330ba-0c74-48a8-a005-a83d62b22825", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-8944e4d0-b51f-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-8944e4d0-b51f-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..6f032319d4c --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-8944e4d0-b51f-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,87 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "fe14132b-14b3-40e4-9b9e-7c4b3d3d2b77": { + "columnOrder": [ + "764bb009-19ef-4869-aa16-a7eb988b2fa5", + "ab96a3d6-1f5f-472e-8ad7-ea84cde4d565" + ], + "columns": { + "764bb009-19ef-4869-aa16-a7eb988b2fa5": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Mail Flow Policy Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "ab96a3d6-1f5f-472e-8ad7-ea84cde4d565", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.esa.mail_flow_policy" + }, + "ab96a3d6-1f5f-472e-8ad7-ea84cde4d565": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "columns": [ + { + "columnId": "764bb009-19ef-4869-aa16-a7eb988b2fa5" + }, + { + "columnId": "ab96a3d6-1f5f-472e-8ad7-ea84cde4d565" + } + ], + "layerId": "fe14132b-14b3-40e4-9b9e-7c4b3d3d2b77", + "layerType": "data" + } + }, + "title": "Top 10 Mail Flow Policy Name [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-8944e4d0-b51f-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-fe14132b-14b3-40e4-9b9e-7c4b3d3d2b77", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of 
file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-955c42b0-b577-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-955c42b0-b577-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..02cd38abc38 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-955c42b0-b577-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,123 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "d10ac2c6-458d-45cf-95cd-b75b40a3cc6b": { + "columnOrder": [ + "c6d33863-6a91-474c-891b-0a0930325222", + "08f66015-bfdb-489f-aea0-65ba4323e2f0" + ], + "columns": { + "08f66015-bfdb-489f-aea0-65ba4323e2f0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "c6d33863-6a91-474c-891b-0a0930325222": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Alert Category", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "08f66015-bfdb-489f-aea0-65ba4323e2f0", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.alert_category" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\" and cisco_secure_email_gateway.log.category.name : \"error_logs\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "08f66015-bfdb-489f-aea0-65ba4323e2f0" + ], + "layerId": "d10ac2c6-458d-45cf-95cd-b75b40a3cc6b", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "c6d33863-6a91-474c-891b-0a0930325222" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + 
"valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "Distribution of Error Events by Alert Category [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsXY" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-955c42b0-b577-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d10ac2c6-458d-45cf-95cd-b75b40a3cc6b", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-973c1ee0-b57a-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-973c1ee0-b57a-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..00dc67a9a37 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-973c1ee0-b57a-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,87 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "e1b7b06d-61e8-4cfa-801f-e3bc0b1fa441": { + "columnOrder": [ + "79fb3bd8-2d7a-461e-8c28-0f8bec664fd8", + "9e9261cd-f646-4a17-acf9-b6fb69bf03e2" + ], + "columns": { + "79fb3bd8-2d7a-461e-8c28-0f8bec664fd8": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Object", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "9e9261cd-f646-4a17-acf9-b6fb69bf03e2", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.object" + }, + "9e9261cd-f646-4a17-acf9-b6fb69bf03e2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\" and cisco_secure_email_gateway.log.category.name : \"mail_logs\"" + }, + "visualization": { + "columns": [ + { + "columnId": "79fb3bd8-2d7a-461e-8c28-0f8bec664fd8" + }, + { + "columnId": "9e9261cd-f646-4a17-acf9-b6fb69bf03e2" + } + ], + "layerId": "e1b7b06d-61e8-4cfa-801f-e3bc0b1fa441", + "layerType": "data" + } + }, + "title": "Top 10 Object [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-973c1ee0-b57a-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e1b7b06d-61e8-4cfa-801f-e3bc0b1fa441", + "type": "index-pattern" + } + ], + "type": "lens" +} \ 
No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-9c04dc70-b578-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-9c04dc70-b578-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..5f27776ac44 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-9c04dc70-b578-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "779692f9-3e0c-4c4b-833f-ab67b6d44a95": { + "columnOrder": [ + "011d4b64-1db3-447f-896e-a198dd74186c", + "ae49f917-e61b-4cd6-b8fc-998b0802347d" + ], + "columns": { + "011d4b64-1db3-447f-896e-a198dd74186c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Severity", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "ae49f917-e61b-4cd6-b8fc-998b0802347d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.severity" + }, + "ae49f917-e61b-4cd6-b8fc-998b0802347d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "011d4b64-1db3-447f-896e-a198dd74186c" + ], + "layerId": "779692f9-3e0c-4c4b-833f-ab67b6d44a95", + "layerType": "data", + "legendDisplay": "default", + "metric": "ae49f917-e61b-4cd6-b8fc-998b0802347d", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Text Mail Events by Severity [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-9c04dc70-b578-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-779692f9-3e0c-4c4b-833f-ab67b6d44a95", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-ac56b620-b514-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-ac56b620-b514-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..b973ea612cc --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-ac56b620-b514-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "1aef4ea3-e481-42a1-b355-8c667e236324": { + "columnOrder": [ + "50a245e4-241d-429f-b5c4-c7144eb4f76c", + "0ec405bd-21bc-49e3-a131-7e54edae86db" + ], + "columns": { + "0ec405bd-21bc-49e3-a131-7e54edae86db": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "50a245e4-241d-429f-b5c4-c7144eb4f76c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Receiver", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "0ec405bd-21bc-49e3-a131-7e54edae86db", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "email.to.address" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "columns": [ + { + "columnId": "50a245e4-241d-429f-b5c4-c7144eb4f76c", + "isTransposed": false + }, + { + "columnId": "0ec405bd-21bc-49e3-a131-7e54edae86db", + "isTransposed": false + } + ], + "layerId": "1aef4ea3-e481-42a1-b355-8c667e236324", + "layerType": "data" + } + }, + "title": "Top 10 Receiver [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-ac56b620-b514-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-1aef4ea3-e481-42a1-b355-8c667e236324", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file 
diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-b15a0680-b524-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-b15a0680-b524-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..c13396de233 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-b15a0680-b524-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,123 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "4315e942-ba49-474d-af76-6710ec550ad6": { + "columnOrder": [ + "e083e8f2-9f3a-4a86-9da1-5d14ac1653db", + "08e67d54-9697-4721-9ddc-ac4846ab92e6" + ], + "columns": { + "08e67d54-9697-4721-9ddc-ac4846ab92e6": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "e083e8f2-9f3a-4a86-9da1-5d14ac1653db": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Message Final Action", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "08e67d54-9697-4721-9ddc-ac4846ab92e6", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.act" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "08e67d54-9697-4721-9ddc-ac4846ab92e6" + ], + "layerId": "4315e942-ba49-474d-af76-6710ec550ad6", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "e083e8f2-9f3a-4a86-9da1-5d14ac1653db" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + 
"yRightExtent": { + "mode": "full" + } + } + }, + "title": "Distribution of Consolidated Events by Message Final Action [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsXY" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-b15a0680-b524-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4315e942-ba49-474d-af76-6710ec550ad6", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-bab80b00-b51f-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-bab80b00-b51f-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..c98712fcfbc --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-bab80b00-b51f-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "266b7fe0-231d-4c2a-973a-fc88a87f6b0e": { + "columnOrder": [ + "65aa90e8-5709-41df-aa29-56880e3b66a3", + "a2f6bdea-fd70-4b8d-9452-416c7b5840c7" + ], + "columns": { + "65aa90e8-5709-41df-aa29-56880e3b66a3": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Helo Domain IP", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "a2f6bdea-fd70-4b8d-9452-416c7b5840c7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.esa.helo.ip" + }, + "a2f6bdea-fd70-4b8d-9452-416c7b5840c7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "columns": [ + { + "columnId": "65aa90e8-5709-41df-aa29-56880e3b66a3", + "isTransposed": false + }, + { + "columnId": "a2f6bdea-fd70-4b8d-9452-416c7b5840c7", + "isTransposed": false + } + ], + "layerId": "266b7fe0-231d-4c2a-973a-fc88a87f6b0e", + "layerType": "data" + } + }, + "title": "Top 10 Helo Domain IP [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-bab80b00-b51f-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-266b7fe0-231d-4c2a-973a-fc88a87f6b0e", + "type": "index-pattern" + } + ], + "type": "lens" 
+} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-bd88e8d0-b520-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-bd88e8d0-b520-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..7170eb2ef86 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-bd88e8d0-b520-11ec-aa3c-afc0e710666b.json 
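Review bot: in cisco_secure_email_gateway-bab80b00 the column label "Helo Domain IP" does not match its source field, `cisco_secure_email_gateway.log.esa.helo.ip`, which holds only the HELO IP; either rename the label to "HELO IP" or, if the pipeline also exposes a HELO domain field, add it as a second bucket column so the title is accurate. The `description` is empty; a one-liner noting that the HELO identity is whatever the connecting client announced, not a verified origin, would stop analysts treating this top-10 as a source-address ranking.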
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "aba8c8ac-6e7f-4be4-8ea7-adb3c00a711f": { + "columnOrder": [ + "d67f2de8-71ad-40c1-97da-732f12742c77", + "7599b0e8-574e-48da-8274-d0c65d2ee992" + ], + "columns": { + "7599b0e8-574e-48da-8274-d0c65d2ee992": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "d67f2de8-71ad-40c1-97da-732f12742c77": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "AS Verdict", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "7599b0e8-574e-48da-8274-d0c65d2ee992", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.esa.as_verdict" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "d67f2de8-71ad-40c1-97da-732f12742c77" + ], + "layerId": "aba8c8ac-6e7f-4be4-8ea7-adb3c00a711f", + "layerType": "data", + "legendDisplay": "default", + "metric": "7599b0e8-574e-48da-8274-d0c65d2ee992", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Consolidated Events by AS Verdict [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-bd88e8d0-b520-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-aba8c8ac-6e7f-4be4-8ea7-adb3c00a711f", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-c6ecc5d0-b580-11ec-b665-f79f0daaad54.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-c6ecc5d0-b580-11ec-b665-f79f0daaad54.json new file mode 100644 index 00000000000..2e0fc32ada9 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-c6ecc5d0-b580-11ec-b665-f79f0daaad54.json 
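Review bot: cisco_secure_email_gateway-bd88e8d0 is titled "Consolidated Events by AS Verdict" yet carries no category filter, only the dataset clause; `cisco_secure_email_gateway.log.esa.as_verdict` may well be populated only by consolidated event lines today, but the panel should state that scope in its query rather than rely on it, matching the `and cisco_secure_email_gateway.log.category.name : "..."` pattern used by the content_scanner pie later in this PR.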
@@ -0,0 +1,121 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "92246eb5-8cb8-441e-b9fe-ff56c6ff0997": { + "columnOrder": [ + "172c29b9-e8bc-48f2-aa9c-796d076a7895", + "5ea232ac-12df-4c6e-af79-0d1b41d3e34c" + ], + "columns": { + "172c29b9-e8bc-48f2-aa9c-796d076a7895": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Request", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "5ea232ac-12df-4c6e-af79-0d1b41d3e34c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "http.request.method" + }, + "5ea232ac-12df-4c6e-af79-0d1b41d3e34c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "5ea232ac-12df-4c6e-af79-0d1b41d3e34c" + ], + "layerId": "92246eb5-8cb8-441e-b9fe-ff56c6ff0997", + "layerType": "data", + "seriesType": "bar_stacked", + "xAccessor": "172c29b9-e8bc-48f2-aa9c-796d076a7895" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "Distribution of GUI 
Events by Request [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsXY" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-c6ecc5d0-b580-11ec-b665-f79f0daaad54", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-92246eb5-8cb8-441e-b9fe-ff56c6ff0997", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-d26c0e90-b579-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-d26c0e90-b579-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..758185c2e5c --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-d26c0e90-b579-11ec-aa3c-afc0e710666b.json 
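Review bot: cisco_secure_email_gateway-c6ecc5d0 buckets on the generic ECS field `http.request.method` with no category clause, so any category whose lines the pipeline maps into `http.request.*` will be counted under "GUI Events"; scope the query to the GUI log category. Separately, this XY layer omits the `"position": "top"` and `"showGridlines": false` keys that the other two stacked-bar panels (b15a0680, dd1c3e90) set; align them so the three charts render the same way.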
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": null, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "103310a0-a5d9-4d8c-b1da-a8c57e13a563": { + "columnOrder": [ + "76d8af3a-1ff0-49d6-91a8-0b1cc16ce6fa", + "1a58cfa2-a182-4a3f-8636-14e9474aa0ea" + ], + "columns": { + "1a58cfa2-a182-4a3f-8636-14e9474aa0ea": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "76d8af3a-1ff0-49d6-91a8-0b1cc16ce6fa": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Connection Status", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "1a58cfa2-a182-4a3f-8636-14e9474aa0ea", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.connection_status" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "76d8af3a-1ff0-49d6-91a8-0b1cc16ce6fa" + ], + "layerId": "103310a0-a5d9-4d8c-b1da-a8c57e13a563", + "layerType": "data", + "legendDisplay": "default", + "metric": "1a58cfa2-a182-4a3f-8636-14e9474aa0ea", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Text Mail Events by Connection Status [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-d26c0e90-b579-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-103310a0-a5d9-4d8c-b1da-a8c57e13a563", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-d2d9b860-b514-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-d2d9b860-b514-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..030aac998a5 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-d2d9b860-b514-11ec-aa3c-afc0e710666b.json 
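Review bot: cisco_secure_email_gateway-d26c0e90 sets `"description": null` while every other saved object in this PR uses `"description": ""`; make it the empty string for a uniform export. The panel is also titled "Text Mail Events" but, unlike the Network Protocol pie (e36fdf40) that adds `and cisco_secure_email_gateway.log.category.name : "mail_logs"`, it filters on the dataset alone; add the same mail_logs clause so `connection_status` is not aggregated across unrelated categories.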
@@ -0,0 +1,87 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "d9f68bb4-618e-4b30-814c-201e302ee9c9": { + "columnOrder": [ + "869adebc-36ff-411a-b8c0-b324b1faa097", + "e91fac87-d093-46e6-8ca9-65ed84915897" + ], + "columns": { + "869adebc-36ff-411a-b8c0-b324b1faa097": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Reason", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "e91fac87-d093-46e6-8ca9-65ed84915897", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "event.reason" + }, + "e91fac87-d093-46e6-8ca9-65ed84915897": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "columns": [ + { + "columnId": "869adebc-36ff-411a-b8c0-b324b1faa097" + }, + { + "columnId": "e91fac87-d093-46e6-8ca9-65ed84915897" + } + ], + "layerId": "d9f68bb4-618e-4b30-814c-201e302ee9c9", + "layerType": "data" + } + }, + "title": "Top 10 Reason [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-d2d9b860-b514-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d9f68bb4-618e-4b30-814c-201e302ee9c9", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file 
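Review bot: "Top 10 Reason" in cisco_secure_email_gateway-d2d9b860 aggregates the ECS field `event.reason` with no category clause, so it will merge reason strings from every category the pipeline fills that field for and the top 10 loses meaning; either scope it to one category or rename the title to say it is cross-category. The two `columns` entries here also lack the `"isTransposed": false` key that the other datatables (bab80b00, dabd1310) carry; add it for consistency.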
diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-d4a2bdf0-b527-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-d4a2bdf0-b527-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..7314563472a --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-d4a2bdf0-b527-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "29be06db-aa85-4914-8578-266c2829069c": { + "columnOrder": [ + "4b6916be-5bf4-49da-80ec-16fab2491238", + "d135bce7-6aed-4a4b-9550-6d1bcfa5b134" + ], + "columns": { + "4b6916be-5bf4-49da-80ec-16fab2491238": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Vendor Action", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "d135bce7-6aed-4a4b-9550-6d1bcfa5b134", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.vendor_action" + }, + "d135bce7-6aed-4a4b-9550-6d1bcfa5b134": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\" and cisco_secure_email_gateway.log.category.name : \"content_scanner\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "4b6916be-5bf4-49da-80ec-16fab2491238" + ], + "layerId": "29be06db-aa85-4914-8578-266c2829069c", + "layerType": "data", + "legendDisplay": "default", + "metric": "d135bce7-6aed-4a4b-9550-6d1bcfa5b134", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Content Scanner Events by Vendor Action [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-d4a2bdf0-b527-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + 
"type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-29be06db-aa85-4914-8578-266c2829069c", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-dabd1310-b578-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-dabd1310-b578-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..d4bc745225e --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-dabd1310-b578-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,88 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "28af0ace-bcd2-4e99-89aa-b01cac4be65f": { + "columnOrder": [ + "a5bedf0e-5e8a-4fb3-9be5-0980e2e39cca", + "02da5f04-8364-4341-b24b-4e381bde6404" + ], + "columns": { + "02da5f04-8364-4341-b24b-4e381bde6404": { + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "a5bedf0e-5e8a-4fb3-9be5-0980e2e39cca": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Receiver", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "02da5f04-8364-4341-b24b-4e381bde6404", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "email.to.address" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\" and cisco_secure_email_gateway.log.category.name : \"mail_logs\"" + }, + "visualization": { + "columns": [ + { + "columnId": "a5bedf0e-5e8a-4fb3-9be5-0980e2e39cca", + "isTransposed": false + }, + { + "columnId": "02da5f04-8364-4341-b24b-4e381bde6404", + "isTransposed": false + } + ], + "layerId": "28af0ace-bcd2-4e99-89aa-b01cac4be65f", + "layerType": "data" + } + }, + "title": "Top 10 Receivers [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-dabd1310-b578-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-28af0ace-bcd2-4e99-89aa-b01cac4be65f", + "type": "index-pattern" + } + ], + "type": 
"lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-dd1c3e90-b511-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-dd1c3e90-b511-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..3eacd714411 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-dd1c3e90-b511-11ec-aa3c-afc0e710666b.json 
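Review bot: in cisco_secure_email_gateway-dabd1310 the terms bucket is on `email.to.address`, which is multi-valued when a message has several recipients; a terms aggregation credits every recipient separately, so the "Count" column is recipient occurrences, not messages, and the title or description should say so. Minor: the Count column here is the only one in the PR without `"customLabel": true`, which is harmless but inconsistent with the sibling panels.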
@@ -0,0 +1,123 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "209d92c9-a130-4ba9-8e21-35662ea8c98e": { + "columnOrder": [ + "1a4f6e44-23c6-4726-988a-6706f595eda1", + "6fa0fc6c-efc2-42b1-96a1-78623735199e" + ], + "columns": { + "1a4f6e44-23c6-4726-988a-6706f595eda1": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Upload Action", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "6fa0fc6c-efc2-42b1-96a1-78623735199e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.upload.action" + }, + "6fa0fc6c-efc2-42b1-96a1-78623735199e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "6fa0fc6c-efc2-42b1-96a1-78623735199e" + ], + "layerId": "209d92c9-a130-4ba9-8e21-35662ea8c98e", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "1a4f6e44-23c6-4726-988a-6706f595eda1" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + 
"yRightExtent": { + "mode": "full" + } + } + }, + "title": "Distribution of AMP Engine Events by Upload Action [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsXY" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-dd1c3e90-b511-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-209d92c9-a130-4ba9-8e21-35662ea8c98e", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-e36fdf40-b57a-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-e36fdf40-b57a-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..44aa491de9c --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-e36fdf40-b57a-11ec-aa3c-afc0e710666b.json 
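Review bot: cisco_secure_email_gateway-dd1c3e90 is labelled "AMP Engine Events by Upload Action" but its query is the bare dataset clause; add the `cisco_secure_email_gateway.log.category.name : "..."` filter for the AMP log category so `cisco_secure_email_gateway.log.upload.action` is only counted from AMP lines and the title stays true if another category ever populates the same field.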
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "cd41a4ab-14cf-4d2d-b6b1-d02e3d1ee5a4": { + "columnOrder": [ + "90afc0e9-dee1-46ee-8e96-31602ed929cb", + "f0096080-5bb8-4acd-b43d-a5d459fbae24" + ], + "columns": { + "90afc0e9-dee1-46ee-8e96-31602ed929cb": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Network Protocol", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "f0096080-5bb8-4acd-b43d-a5d459fbae24", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "network.protocol" + }, + "f0096080-5bb8-4acd-b43d-a5d459fbae24": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\" and cisco_secure_email_gateway.log.category.name : \"mail_logs\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "90afc0e9-dee1-46ee-8e96-31602ed929cb" + ], + "layerId": "cd41a4ab-14cf-4d2d-b6b1-d02e3d1ee5a4", + "layerType": "data", + "legendDisplay": "default", + "metric": "f0096080-5bb8-4acd-b43d-a5d459fbae24", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Text Mail Events by Network Protocol [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-e36fdf40-b57a-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + 
"id": "logs-*", + "name": "indexpattern-datasource-layer-cd41a4ab-14cf-4d2d-b6b1-d02e3d1ee5a4", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-e4b913a0-b523-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-e4b913a0-b523-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..3a0a7570ec7 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-e4b913a0-b523-11ec-aa3c-afc0e710666b.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "cd9e61a8-35d1-4605-b150-d09bf82d3f00": { + "columnOrder": [ + "11d65fa4-175f-4cf6-8886-d85e8a9ed8f5", + "31cee9bf-5352-45fa-8574-6cec1a2790c3" + ], + "columns": { + "11d65fa4-175f-4cf6-8886-d85e8a9ed8f5": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Content Filters Verdict", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "31cee9bf-5352-45fa-8574-6cec1a2790c3", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.esa.content_filter_verdict" + }, + "31cee9bf-5352-45fa-8574-6cec1a2790c3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "11d65fa4-175f-4cf6-8886-d85e8a9ed8f5" + ], + "layerId": "cd9e61a8-35d1-4605-b150-d09bf82d3f00", + "layerType": "data", + "legendDisplay": "default", + "metric": "31cee9bf-5352-45fa-8574-6cec1a2790c3", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Consolidated Events by Content Filters Verdict [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-e4b913a0-b523-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": 
"logs-*", + "name": "indexpattern-datasource-layer-cd9e61a8-35d1-4605-b150-d09bf82d3f00", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-fdc9a620-b51e-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-fdc9a620-b51e-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..622bfe4ae29 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-fdc9a620-b51e-11ec-aa3c-afc0e710666b.json 
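Review bot: cisco_secure_email_gateway-e4b913a0 has the same gap as the other "Consolidated Events" panels: the query stops at `data_stream.dataset : "cisco_secure_email_gateway.log"` and never restricts `cisco_secure_email_gateway.log.esa.content_filter_verdict` to the consolidated event category. Add the category clause so the pie and its title agree.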
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "5534c705-73de-4482-818b-4b48acea0af1": { + "columnOrder": [ + "11a0d6ef-3389-4d51-9658-7ae3d39462a8", + "50ecfbc3-6f73-409e-8445-c8254e49b032" + ], + "columns": { + "11a0d6ef-3389-4d51-9658-7ae3d39462a8": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Outbreak Filters Verdict", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "50ecfbc3-6f73-409e-8445-c8254e49b032", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.esa.outbreak_filter_verdict" + }, + "50ecfbc3-6f73-409e-8445-c8254e49b032": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "11a0d6ef-3389-4d51-9658-7ae3d39462a8" + ], + "layerId": "5534c705-73de-4482-818b-4b48acea0af1", + "layerType": "data", + "legendDisplay": "default", + "metric": "50ecfbc3-6f73-409e-8445-c8254e49b032", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Consolidated Events by Outbreak Filters Verdict [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-fdc9a620-b51e-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": 
"logs-*", + "name": "indexpattern-datasource-layer-5534c705-73de-4482-818b-4b48acea0af1", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-fdee0eb0-b579-11ec-aa3c-afc0e710666b.json b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-fdee0eb0-b579-11ec-aa3c-afc0e710666b.json new file mode 100644 index 00000000000..b59e622a5b3 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/lens/cisco_secure_email_gateway-fdee0eb0-b579-11ec-aa3c-afc0e710666b.json 
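Review bot: cisco_secure_email_gateway-fdc9a620 needs the consolidated event category in its KQL as well; as written, `cisco_secure_email_gateway.log.esa.outbreak_filter_verdict` is aggregated across the whole dataset, which contradicts the "Consolidated Events" title and makes this panel behave differently from the category-scoped content_scanner and mail_logs ones.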
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "71b0750f-93db-4016-9294-b408f583b750": { + "columnOrder": [ + "13a1a6db-99d0-4b3d-a4cb-81539ecc9e0b", + "45bb21c7-aa5f-4d67-a537-c878b32f0f23" + ], + "columns": { + "13a1a6db-99d0-4b3d-a4cb-81539ecc9e0b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Message Status", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "45bb21c7-aa5f-4d67-a537-c878b32f0f23", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_secure_email_gateway.log.message_status" + }, + "45bb21c7-aa5f-4d67-a537-c878b32f0f23": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "13a1a6db-99d0-4b3d-a4cb-81539ecc9e0b" + ], + "layerId": "71b0750f-93db-4016-9294-b408f583b750", + "layerType": "data", + "legendDisplay": "default", + "metric": "45bb21c7-aa5f-4d67-a537-c878b32f0f23", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Text Mail Events by Message Status [Logs Cisco Secure Email Gateway]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-fdee0eb0-b579-11ec-aa3c-afc0e710666b", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-71b0750f-93db-4016-9294-b408f583b750", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/cisco_secure_email_gateway/kibana/visualization/cisco_secure_email_gateway-0007c200-b00b-11ec-8a45-8d83ac55242a.json b/packages/cisco_secure_email_gateway/kibana/visualization/cisco_secure_email_gateway-0007c200-b00b-11ec-8a45-8d83ac55242a.json new file mode 100644 index 00000000000..a212152ac55 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/visualization/cisco_secure_email_gateway-0007c200-b00b-11ec-8a45-8d83ac55242a.json 
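Review bot: cisco_secure_email_gateway-fdee0eb0 is titled "Text Mail Events by Message Status" but, unlike the Network Protocol pie for the same log type, it does not append `and cisco_secure_email_gateway.log.category.name : "mail_logs"` to the query; add it so `cisco_secure_email_gateway.log.message_status` is only drawn from text mail lines.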
@@ -0,0 +1,78 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + } + } + }, + "title": "Quarantine Process Over Time [Logs Cisco Secure Email Gateway]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 0, + "id": "867a9950-5f15-460a-98b4-9bb0eeec0d8d", + "index_pattern": "logs-*", + "interval": "", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "default", + "id": "e6a4bd49-6b02-49dc-8204-b4e4cee693b0", + "label": "Count", + "line_width": 1, + "metrics": [ + { + "field": "cisco_secure_email_gateway.log.quarantine.load", + "id": "ad8aab01-a047-4608-9587-73f25a02c850", + "type": "avg" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "timeseries", + "use_kibana_indexes": false + }, + "title": "Quarantine Process Over Time [Logs Cisco Secure Email Gateway]", + "type": "metrics" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-0007c200-b00b-11ec-8a45-8d83ac55242a", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file 
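Review bot: in cisco_secure_email_gateway-0007c200 the series is labelled "Count" but its metric is `"type": "avg"` over `cisco_secure_email_gateway.log.quarantine.load`, so the legend misdescribes the line; label it as an average quarantine load (and set `formatter` to "number" as the CASE panel does rather than "default"). The panel also uses `"use_kibana_indexes": false` with a raw `"index_pattern": "logs-*"`, an empty `time_field` and `"references": []`, so it is not bound to the package data view the Lens panels reference; either set `time_field` explicitly or switch to `use_kibana_indexes: true` with an index-pattern reference so the time field is taken from the data view.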
diff --git a/packages/cisco_secure_email_gateway/kibana/visualization/cisco_secure_email_gateway-18e16930-b00a-11ec-8a45-8d83ac55242a.json b/packages/cisco_secure_email_gateway/kibana/visualization/cisco_secure_email_gateway-18e16930-b00a-11ec-8a45-8d83ac55242a.json new file mode 100644 index 00000000000..94498a7210d --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/visualization/cisco_secure_email_gateway-18e16930-b00a-11ec-8a45-8d83ac55242a.json 
@@ -0,0 +1,78 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + } + } + }, + "title": "CASE Scanning Over Time [Logs Cisco Secure Email Gateway]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 0, + "id": "1ca757e4-9986-4109-82f8-a18e8f68cd35", + "index_pattern": "logs-*", + "interval": "", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "c9ea79ff-857a-4c19-8864-dd32d5ecb80d", + "label": "Count", + "line_width": 1, + "metrics": [ + { + "field": "cisco_secure_email_gateway.log.case_ld", + "id": "633c2888-96a2-4c24-a93b-e647ced942ed", + "type": "avg" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "timeseries", + "use_kibana_indexes": false + }, + "title": "CASE Scanning Over Time [Logs Cisco Secure Email Gateway]", + "type": "metrics" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-18e16930-b00a-11ec-8a45-8d83ac55242a", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file 
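Review bot: the field name `cisco_secure_email_gateway.log.case_ld` (and `mcafee_ld` and `sophos_ld` in the sibling anti-virus visualizations) uses an abbreviated `_ld` suffix, while the other charts in this PR read `quarantine.load`, `reporting_load`, `cpu.utilization`, `ram.utilization` and `disk_io`. If these are all load values of the same kind, a single convention (for example `case.load`, `mcafee.load`, `sophos.load`, `reporting.load`) would make the fields discoverable in Discover and in the data stream's field definitions; whichever naming is chosen, the visualizations and the fields mapping need to agree.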
diff --git a/packages/cisco_secure_email_gateway/kibana/visualization/cisco_secure_email_gateway-239adcd0-aff6-11ec-8a45-8d83ac55242a.json b/packages/cisco_secure_email_gateway/kibana/visualization/cisco_secure_email_gateway-239adcd0-aff6-11ec-8a45-8d83ac55242a.json new file mode 100644 index 00000000000..0890100cee7 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/visualization/cisco_secure_email_gateway-239adcd0-aff6-11ec-8a45-8d83ac55242a.json 
@@ -0,0 +1,80 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + } + } + }, + "title": "CPU Utilization Over Time [Logs Cisco Secure Email Gateway]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 0, + "id": "1af71592-86d8-4efb-b424-d6ecf7944ace", + "index_pattern": "logs-*", + "interval": "", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "b509ab9e-7f7b-44f2-8ee6-258b88e17dfa", + "label": "Count", + "line_width": 1, + "metrics": [ + { + "field": "cisco_secure_email_gateway.log.cpu.utilization", + "id": "4deb212e-daed-4c60-b947-aa33baeaa2a9", + "type": "avg" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_mode": "everything", + "stacked": "none", + "terms_field": "cisco_secure_email_gateway.log.cpu.utilization", + "terms_order_by": "_count", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "timeseries", + "use_kibana_indexes": false + }, + "title": "CPU Utilization Over Time [Logs Cisco Secure Email Gateway]", + "type": "metrics" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-239adcd0-aff6-11ec-8a45-8d83ac55242a", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file 
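Review bot: `terms_field` and `terms_order_by` in the series are dead configuration here, because `split_mode` is "everything" (no terms split), and neither key appears in the other seven visualizations. Drop the two keys so this saved object matches its siblings; if a per-appliance split was intended, set `split_mode` to "terms" on a host or observer field rather than on `cisco_secure_email_gateway.log.cpu.utilization`, which is the metric being averaged and would produce one series per distinct utilization value.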
diff --git a/packages/cisco_secure_email_gateway/kibana/visualization/cisco_secure_email_gateway-607f8060-b000-11ec-8a45-8d83ac55242a.json b/packages/cisco_secure_email_gateway/kibana/visualization/cisco_secure_email_gateway-607f8060-b000-11ec-8a45-8d83ac55242a.json new file mode 100644 index 00000000000..767336a5ebe --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/visualization/cisco_secure_email_gateway-607f8060-b000-11ec-8a45-8d83ac55242a.json 
@@ -0,0 +1,78 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + } + } + }, + "title": "Disk I/O Utilization Over Time [Logs Cisco Secure Email Gateway]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 0, + "id": "ba00a756-2315-4580-8c44-8daa6a4fe42c", + "index_pattern": "logs-*", + "interval": "", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "a579bc05-7302-4698-a465-cc9c33326c93", + "label": "Count", + "line_width": 1, + "metrics": [ + { + "field": "cisco_secure_email_gateway.log.disk_io", + "id": "bfc3259d-32c5-4aea-9581-14ae6945e2b0", + "type": "avg" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "timeseries", + "use_kibana_indexes": false + }, + "title": "Disk I/O Utilization Over Time [Logs Cisco Secure Email Gateway]", + "type": "metrics" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-607f8060-b000-11ec-8a45-8d83ac55242a", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_secure_email_gateway/kibana/visualization/cisco_secure_email_gateway-8e557710-b00a-11ec-8a45-8d83ac55242a.json b/packages/cisco_secure_email_gateway/kibana/visualization/cisco_secure_email_gateway-8e557710-b00a-11ec-8a45-8d83ac55242a.json new file mode 100644 index 00000000000..dc1dcfd5314 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/visualization/cisco_secure_email_gateway-8e557710-b00a-11ec-8a45-8d83ac55242a.json 
@@ -0,0 +1,78 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + } + } + }, + "title": "Reporting Process Over Time [Cisco Secure Email Gateway]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 0, + "id": "706b3574-bdb3-4b5e-b60c-535ecba9d3ea", + "index_pattern": "logs-*", + "interval": "", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "default", + "id": "6a5040fa-12e2-4a8f-a1da-51c6a6dcf2cb", + "label": "Count", + "line_width": 1, + "metrics": [ + { + "field": "cisco_secure_email_gateway.log.reporting_load", + "id": "4c616f23-37ef-433f-9642-8bf6502b479a", + "type": "avg" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "timeseries", + "use_kibana_indexes": false + }, + "title": "Reporting Process Over Time [Cisco Secure Email Gateway]", + "type": "metrics" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-8e557710-b00a-11ec-8a45-8d83ac55242a", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file 
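Review bot: the title "Reporting Process Over Time [Cisco Secure Email Gateway]" (used in both `attributes.title` and `visState.title`) drops the "Logs " prefix that the other visualizations carry in their suffix ("[Logs Cisco Secure Email Gateway]"); the Sophos Anti-Virus visualization has the same omission. Align the suffix across all eight panels so they sort and read consistently in the saved objects list and on the dashboard.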
diff --git a/packages/cisco_secure_email_gateway/kibana/visualization/cisco_secure_email_gateway-8f476740-b001-11ec-8a45-8d83ac55242a.json b/packages/cisco_secure_email_gateway/kibana/visualization/cisco_secure_email_gateway-8f476740-b001-11ec-8a45-8d83ac55242a.json new file mode 100644 index 00000000000..a97766cdff0 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/visualization/cisco_secure_email_gateway-8f476740-b001-11ec-8a45-8d83ac55242a.json 
@@ -0,0 +1,78 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + } + } + }, + "title": "Ram Utilization Over Time [Logs Cisco Secure Email Gateway]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 0, + "id": "f3f0956a-14bb-45c8-b03d-9bae49240821", + "index_pattern": "logs-*", + "interval": "", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "default", + "id": "cbb2c4b6-0c49-4fc3-814e-68a7c117ad7b", + "label": "Count", + "line_width": 1, + "metrics": [ + { + "field": "cisco_secure_email_gateway.log.ram.utilization", + "id": "d665c81d-8a7d-48fd-9ff4-697bbd4dbceb", + "type": "avg" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "timeseries", + "use_kibana_indexes": false + }, + "title": "Ram Utilization Over Time [Logs Cisco Secure Email Gateway]", + "type": "metrics" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-8f476740-b001-11ec-8a45-8d83ac55242a", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file 
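Review bot: "Ram Utilization" in both `title` fields should be "RAM Utilization"; the sibling visualizations already capitalize their acronyms ("CPU Utilization", "Disk I/O Utilization").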
diff --git a/packages/cisco_secure_email_gateway/kibana/visualization/cisco_secure_email_gateway-a6ccb720-b002-11ec-8a45-8d83ac55242a.json b/packages/cisco_secure_email_gateway/kibana/visualization/cisco_secure_email_gateway-a6ccb720-b002-11ec-8a45-8d83ac55242a.json new file mode 100644 index 00000000000..f6427c09620 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/visualization/cisco_secure_email_gateway-a6ccb720-b002-11ec-8a45-8d83ac55242a.json 
@@ -0,0 +1,78 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + } + } + }, + "title": "McAfee Anti-Virus Scanning Over Time [Logs Cisco Secure Email Gateway]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 0, + "id": "0f2aec48-9a36-4fe0-a4ad-5922a129b4c3", + "index_pattern": "logs-*", + "interval": "", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "2c4e6b49-e60c-4d4d-b2c4-c443928f93d7", + "label": "Count", + "line_width": 1, + "metrics": [ + { + "field": "cisco_secure_email_gateway.log.mcafee_ld", + "id": "4a343f0d-2f6d-437d-a702-9707ee05de91", + "type": "avg" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "timeseries", + "use_kibana_indexes": false + }, + "title": "McAfee Anti-Virus Scanning Over Time [Logs Cisco Secure Email Gateway]", + "type": "metrics" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-a6ccb720-b002-11ec-8a45-8d83ac55242a", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_secure_email_gateway/kibana/visualization/cisco_secure_email_gateway-e5d96bd0-b001-11ec-8a45-8d83ac55242a.json b/packages/cisco_secure_email_gateway/kibana/visualization/cisco_secure_email_gateway-e5d96bd0-b001-11ec-8a45-8d83ac55242a.json new file mode 100644 index 00000000000..4f1e326c670 --- /dev/null +++ b/packages/cisco_secure_email_gateway/kibana/visualization/cisco_secure_email_gateway-e5d96bd0-b001-11ec-8a45-8d83ac55242a.json 
@@ -0,0 +1,78 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"cisco_secure_email_gateway.log\"" + } + } + }, + "title": "Sophos Anti-Virus Scanning Over Time [Cisco Secure Email Gateway]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 0, + "id": "e8547150-1b72-456e-abb0-1f63a4c82e4a", + "index_pattern": "logs-*", + "interval": "", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "default", + "id": "4e1b5734-d731-4efe-85f7-cb7a6812819b", + "label": "Count", + "line_width": 1, + "metrics": [ + { + "field": "cisco_secure_email_gateway.log.sophos_ld", + "id": "5b85a7fb-52f0-4f23-a808-07a23ae8157d", + "type": "avg" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_mode": "everything", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 1, + "type": "timeseries", + "use_kibana_indexes": false + }, + "title": "Sophos Anti-Virus Scanning Over Time [Cisco Secure Email Gateway]", + "type": "metrics" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "cisco_secure_email_gateway-e5d96bd0-b001-11ec-8a45-8d83ac55242a", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_secure_email_gateway/manifest.yml b/packages/cisco_secure_email_gateway/manifest.yml new file mode 100644 index 00000000000..613e1e10bc4 --- /dev/null +++ b/packages/cisco_secure_email_gateway/manifest.yml @@ -0,0 +1,38 @@ +format_version: 1.0.0 +name: cisco_secure_email_gateway +title: Cisco Secure Email Gateway +version: 0.1.0 +license: basic +description: Collect logs from Cisco Secure Email Gateway with Elastic Agent. +type: integration +categories: + - security +release: beta +conditions: + kibana.version: ^7.17.0 || ^8.0.0 +screenshots: + - src: /img/cisco-secure-email-gateway-screenshot.png + title: Cisco Secure Email Gateway dashboard screenshot + size: 600x600 + type: image/png +icons: + - src: /img/cisco-logo.svg + title: Cisco logo + size: 32x32 + type: image/svg+xml +policy_templates: + - name: Cisco Secure Email Gateway + title: Cisco Secure Email Gateway logs + description: Collect Cisco Secure Email Gateway logs. + inputs: + - type: logfile + title: Collect logs from Cisco Secure Email Gateway instances + description: Collecting Cisco Secure Email Gateway logs. + - type: tcp + title: Collect Cisco Secure Email Gateway logs via TCP input + description: Collecting Cisco Secure Email Gateway logs via TCP input. + - type: udp + title: Collect Cisco Secure Email Gateway logs via UDP input + description: Collecting Cisco Secure Email Gateway logs via UDP input. +owner: + github: elastic/security-external-integrations
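Review bot: `policy_templates[0].name` is set to the display string "Cisco Secure Email Gateway" (with spaces), but `name` is the identifier Fleet uses for the template while `title` is the human-readable label; use an identifier-style value such as the package name `cisco_secure_email_gateway` and keep the prose in `title`. Separately, the `tcp` and `udp` input descriptions say only "Collecting Cisco Secure Email Gateway logs via TCP input." / "... via UDP input."; since syslog received on these inputs is unauthenticated and, for UDP, cannot be encrypted, the descriptions (or the package README) should state that the tcp input's TLS (`ssl.*`) settings are the recommended configuration where the gateway supports it and that udp carries the logs in plaintext, so operators choosing between the three inputs see the trade-off.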