diff --git a/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log b/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log
index 7778657771d..c81de2326d4 100644
--- a/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log
+++ b/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log
@@ -20,7 +20,7 @@
 {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:27Z","query_name":"amazonlinux-2-repos-us-east-1.s3.us-east-1.amazonaws.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"s3-r-w.us-east-1.amazonaws.com.","Type":"CNAME","Class":"IN"},{"Rdata":"67.43.156.12","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"44474","transport":"UDP","srcids":{}}
 {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:39Z","query_name":"156.20.160.89.in-addr.arpa.","query_type":"PTR","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"172.31.86.160","srcport":"59464","transport":"UDP","srcids":{}}
 {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"1.amazon.pool.ntp.org.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR","answers":[],"srcaddr":"172.31.86.159","srcport":"46159","transport":"UDP","srcids":{}}
-{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"2.amazon.pool.ntp.org.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","Type":"AAAA","Class":"IN"},{"Rdata":"2a02:cf40:f1::1","Type":"AAAA","Class":"IN"},{"Rdata":"2a02:cf40:3803:1::6","Type":"AAAA","Class":"IN"},{"Rdata":"2a02:cf40:1560:8003::c7","Type":"AAAA","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"49167","transport":"UDP","srcids":{}} |
+{"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"2.amazon.pool.ntp.org.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6","Type":"AAAA","Class":"IN"},{"Rdata":"2a02:cf40:f1::1","Type":"AAAA","Class":"IN"},{"Rdata":"2a02:cf40:3803:1::6","Type":"AAAA","Class":"IN"},{"Rdata":"2a02:cf40:1560:8003::c7","Type":"AAAA","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"49167","transport":"UDP","srcids":{}}
 {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"0.amazon.pool.ntp.org.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR","answers":[],"srcaddr":"172.31.86.159","srcport":"51725","transport":"UDP","srcids":{}}
 {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"0.amazon.pool.ntp.org.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"81.2.69.143","Type":"A","Class":"IN"},{"Rdata":"67.43.156.13","Type":"A","Class":"IN"},{"Rdata":"216.160.83.57","Type":"A","Class":"IN"},{"Rdata":"216.160.83.61","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"51725","transport":"UDP","srcids":{}}
 {"version":"1.100000","account_id":"626345947581","region":"us-east-1","vpc_id":"vpc-01e31a7c","query_timestamp":"2021-12-11T22:46:49Z","query_name":"1.amazon.pool.ntp.org.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"175.16.199.1","Type":"A","Class":"IN"},{"Rdata":"81.2.69.143","Type":"A","Class":"IN"},{"Rdata":"67.43.156.12","Type":"A","Class":"IN"},{"Rdata":"175.16.199.1","Type":"A","Class":"IN"}],"srcaddr":"172.31.86.159","srcport":"46159","transport":"UDP","srcids":{}}
diff --git a/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log-expected.json b/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log-expected.json
index ac43f06237e..e727e701d42 100644
--- a/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log-expected.json
+++ b/packages/aws/data_stream/route53_resolver_logs/_dev/test/pipeline/test-route53.log-expected.json
@@ -1437,7 +1437,7 @@
 "network"
 ],
 "kind": "event",
- "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:49Z\",\"query_name\":\"2.amazon.pool.ntp.org.\",\"query_type\":\"AAAA\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"Type\":\"AAAA\",\"Class\":\"IN\"},{\"Rdata\":\"2a02:cf40:f1::1\",\"Type\":\"AAAA\",\"Class\":\"IN\"},{\"Rdata\":\"2a02:cf40:3803:1::6\",\"Type\":\"AAAA\",\"Class\":\"IN\"},{\"Rdata\":\"2a02:cf40:1560:8003::c7\",\"Type\":\"AAAA\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"49167\",\"transport\":\"UDP\",\"srcids\":{}} |",
+ "original": "{\"version\":\"1.100000\",\"account_id\":\"626345947581\",\"region\":\"us-east-1\",\"vpc_id\":\"vpc-01e31a7c\",\"query_timestamp\":\"2021-12-11T22:46:49Z\",\"query_name\":\"2.amazon.pool.ntp.org.\",\"query_type\":\"AAAA\",\"query_class\":\"IN\",\"rcode\":\"NOERROR\",\"answers\":[{\"Rdata\":\"2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\",\"Type\":\"AAAA\",\"Class\":\"IN\"},{\"Rdata\":\"2a02:cf40:f1::1\",\"Type\":\"AAAA\",\"Class\":\"IN\"},{\"Rdata\":\"2a02:cf40:3803:1::6\",\"Type\":\"AAAA\",\"Class\":\"IN\"},{\"Rdata\":\"2a02:cf40:1560:8003::c7\",\"Type\":\"AAAA\",\"Class\":\"IN\"}],\"srcaddr\":\"172.31.86.159\",\"srcport\":\"49167\",\"transport\":\"UDP\",\"srcids\":{}}",
 "outcome": "success",
 "type": [
 "protocol"
diff --git a/packages/ceph/data_stream/cluster_status/_dev/test/pipeline/test-cluster-status-metrics-nautilus.log b/packages/ceph/data_stream/cluster_status/_dev/test/pipeline/test-cluster-status-metrics-nautilus.log
index 1a5b17296c3..c50437e2e36 100644
--- a/packages/ceph/data_stream/cluster_status/_dev/test/pipeline/test-cluster-status-metrics-nautilus.log
+++ b/packages/ceph/data_stream/cluster_status/_dev/test/pipeline/test-cluster-status-metrics-nautilus.log
@@ -1 +1 @@ -{ "command": "status format=json", "outb": {"fsid":"71bb7c52-360c-410a-9847-717e1483a05f","health":{"checks":{"OSD_DOWN":{"severity":"HEALTH_WARN","summary":{"message":"1 osds down"}},"OSD_HOST_DOWN":{"severity":"HEALTH_WARN","summary":{"message":"1 host (1 osds) down"}},"PG_DEGRADED":{"severity":"HEALTH_WARN","summary":{"message":"Degraded data redundancy: 148/222 objects degraded (66.667%), 33 pgs degraded, 328 pgs undersized"}},"POOL_TOO_FEW_PGS":{"severity":"HEALTH_WARN","summary":{"message":"1 pools have too few placement groups"}},"POOL_TOO_MANY_PGS":{"severity":"HEALTH_WARN","summary":{"message":"2 pools have too many placement groups"}}},"status":"HEALTH_WARN"},"election_epoch":19,"quorum":[0],"quorum_names":["master"],"quorum_age":184768,"monmap":{"epoch":2,"min_mon_release_name":"14","num_mons":1},"osdmap":{"osdmap":{"epoch":114,"num_osds":4,"num_up_osds":1,"num_in_osds":2,"num_remapped_pgs":0}},"pgmap":{"pgs_by_state":[{"state_name":"active+undersized","count":295},{"state_name":"active+undersized+degraded","count":33}],"num_pgs":328,"num_pools":5,"num_objects":74,"data_bytes":145064680,"bytes_used":1239285760,"bytes_avail":20231356416,"bytes_total":21470642176,"degraded_objects":148,"degraded_total":222,"degraded_ratio":0.66666666666666652,"read_bytes_sec":1738015,"write_bytes_sec":2543437,"read_op_per_sec":3,"write_op_per_sec":4},"fsmap":{"epoch":1,"by_rank":[],"up:standby":0},"services":{"dashboard":"https://master.29053.local:8443/","restful":"https://master.29053.local:8003/"},"always_on_modules":{"nautilus":["balancer","crash","devicehealth","orchestrator_cli","progress","rbd_support","status","volumes"]}},"servicemap":{"epoch":6072,"modified":"2023-02-08 16:02:26.086357","services":{}},"progress_events":{}}, "outs": "" } \ No newline at end of file +{ "command": "status format=json", "outb": {"fsid":"71bb7c52-360c-410a-9847-717e1483a05f","health":{"checks":{"OSD_DOWN":{"severity":"HEALTH_WARN","summary":{"message":"1 osds 
down"}},"OSD_HOST_DOWN":{"severity":"HEALTH_WARN","summary":{"message":"1 host (1 osds) down"}},"PG_DEGRADED":{"severity":"HEALTH_WARN","summary":{"message":"Degraded data redundancy: 148/222 objects degraded (66.667%), 33 pgs degraded, 328 pgs undersized"}},"POOL_TOO_FEW_PGS":{"severity":"HEALTH_WARN","summary":{"message":"1 pools have too few placement groups"}},"POOL_TOO_MANY_PGS":{"severity":"HEALTH_WARN","summary":{"message":"2 pools have too many placement groups"}}},"status":"HEALTH_WARN"},"election_epoch":19,"quorum":[0],"quorum_names":["master"],"quorum_age":184768,"monmap":{"epoch":2,"min_mon_release_name":"14","num_mons":1},"osdmap":{"osdmap":{"epoch":114,"num_osds":4,"num_up_osds":1,"num_in_osds":2,"num_remapped_pgs":0}},"pgmap":{"pgs_by_state":[{"state_name":"active+undersized","count":295},{"state_name":"active+undersized+degraded","count":33}],"num_pgs":328,"num_pools":5,"num_objects":74,"data_bytes":145064680,"bytes_used":1239285760,"bytes_avail":20231356416,"bytes_total":21470642176,"degraded_objects":148,"degraded_total":222,"degraded_ratio":0.66666666666666652,"read_bytes_sec":1738015,"write_bytes_sec":2543437,"read_op_per_sec":3,"write_op_per_sec":4},"fsmap":{"epoch":1,"by_rank":[],"up:standby":0},"services":{"dashboard":"https://master.29053.local:8443/","restful":"https://master.29053.local:8003/"},"always_on_modules":{"nautilus":["balancer","crash","devicehealth","orchestrator_cli","progress","rbd_support","status","volumes"]}},"servicemap":{"epoch":6072,"modified":"2023-02-08 16:02:26.086357","services":{}},"progress_events":{}, "outs": "" } \ No newline at end of file diff --git a/packages/ceph/data_stream/cluster_status/_dev/test/pipeline/test-cluster-status-metrics-nautilus.log-expected.json b/packages/ceph/data_stream/cluster_status/_dev/test/pipeline/test-cluster-status-metrics-nautilus.log-expected.json index 73590ecbd9c..cb404904647 100644 
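Review bot: The brace removed at the end of the new line is not the surplus one: counting the nesting, the `}}` after `"volumes"]` already closes `outb`, so on the new side `servicemap` and `progress_events` become top-level siblings of `command` and `outs` instead of part of the status document (in `ceph status -f json` output they sit next to `health` and `pgmap`). The line now parses, which is why the test passes, but if the pipeline or a later field mapping ever reads `servicemap` or `progress_events` from `outb`, this fixture will not exercise it. The smaller change is to drop one `}` after `"volumes"]` and keep the `}` before `, "outs"`, then regenerate the expected file; the octopus fixture hunk below has the same shape, with `"restful":"https://127.0.0.1:8003/"}}` closing `outb` early. It looks as though a `mgrmap` wrapper was stripped from the fixture and its closing brace left behind, though that is inferred from the key layout rather than visible in the diff.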
--- a/packages/ceph/data_stream/cluster_status/_dev/test/pipeline/test-cluster-status-metrics-nautilus.log-expected.json
+++ b/packages/ceph/data_stream/cluster_status/_dev/test/pipeline/test-cluster-status-metrics-nautilus.log-expected.json
@@ -83,7 +83,7 @@ "event": { "kind": "metric", "module": "ceph", - "original": "{ \"command\": \"status format=json\", \"outb\": {\"fsid\":\"71bb7c52-360c-410a-9847-717e1483a05f\",\"health\":{\"checks\":{\"OSD_DOWN\":{\"severity\":\"HEALTH_WARN\",\"summary\":{\"message\":\"1 osds down\"}},\"OSD_HOST_DOWN\":{\"severity\":\"HEALTH_WARN\",\"summary\":{\"message\":\"1 host (1 osds) down\"}},\"PG_DEGRADED\":{\"severity\":\"HEALTH_WARN\",\"summary\":{\"message\":\"Degraded data redundancy: 148/222 objects degraded (66.667%), 33 pgs degraded, 328 pgs undersized\"}},\"POOL_TOO_FEW_PGS\":{\"severity\":\"HEALTH_WARN\",\"summary\":{\"message\":\"1 pools have too few placement groups\"}},\"POOL_TOO_MANY_PGS\":{\"severity\":\"HEALTH_WARN\",\"summary\":{\"message\":\"2 pools have too many placement groups\"}}},\"status\":\"HEALTH_WARN\"},\"election_epoch\":19,\"quorum\":[0],\"quorum_names\":[\"master\"],\"quorum_age\":184768,\"monmap\":{\"epoch\":2,\"min_mon_release_name\":\"14\",\"num_mons\":1},\"osdmap\":{\"osdmap\":{\"epoch\":114,\"num_osds\":4,\"num_up_osds\":1,\"num_in_osds\":2,\"num_remapped_pgs\":0}},\"pgmap\":{\"pgs_by_state\":[{\"state_name\":\"active+undersized\",\"count\":295},{\"state_name\":\"active+undersized+degraded\",\"count\":33}],\"num_pgs\":328,\"num_pools\":5,\"num_objects\":74,\"data_bytes\":145064680,\"bytes_used\":1239285760,\"bytes_avail\":20231356416,\"bytes_total\":21470642176,\"degraded_objects\":148,\"degraded_total\":222,\"degraded_ratio\":0.66666666666666652,\"read_bytes_sec\":1738015,\"write_bytes_sec\":2543437,\"read_op_per_sec\":3,\"write_op_per_sec\":4},\"fsmap\":{\"epoch\":1,\"by_rank\":[],\"up:standby\":0},\"services\":{\"dashboard\":\"https://master.29053.local:8443/\",\"restful\":\"https://master.29053.local:8003/\"},\"always_on_modules\":{\"nautilus\":[\"balancer\",\"crash\",\"devicehealth\",\"orchestrator_cli\",\"progress\",\"rbd_support\",\"status\",\"volumes\"]}},\"servicemap\":{\"epoch\":6072,\"modified\":\"2023-02-08 
16:02:26.086357\",\"services\":{}},\"progress_events\":{}}, \"outs\": \"\" }", + "original": "{ \"command\": \"status format=json\", \"outb\": {\"fsid\":\"71bb7c52-360c-410a-9847-717e1483a05f\",\"health\":{\"checks\":{\"OSD_DOWN\":{\"severity\":\"HEALTH_WARN\",\"summary\":{\"message\":\"1 osds down\"}},\"OSD_HOST_DOWN\":{\"severity\":\"HEALTH_WARN\",\"summary\":{\"message\":\"1 host (1 osds) down\"}},\"PG_DEGRADED\":{\"severity\":\"HEALTH_WARN\",\"summary\":{\"message\":\"Degraded data redundancy: 148/222 objects degraded (66.667%), 33 pgs degraded, 328 pgs undersized\"}},\"POOL_TOO_FEW_PGS\":{\"severity\":\"HEALTH_WARN\",\"summary\":{\"message\":\"1 pools have too few placement groups\"}},\"POOL_TOO_MANY_PGS\":{\"severity\":\"HEALTH_WARN\",\"summary\":{\"message\":\"2 pools have too many placement groups\"}}},\"status\":\"HEALTH_WARN\"},\"election_epoch\":19,\"quorum\":[0],\"quorum_names\":[\"master\"],\"quorum_age\":184768,\"monmap\":{\"epoch\":2,\"min_mon_release_name\":\"14\",\"num_mons\":1},\"osdmap\":{\"osdmap\":{\"epoch\":114,\"num_osds\":4,\"num_up_osds\":1,\"num_in_osds\":2,\"num_remapped_pgs\":0}},\"pgmap\":{\"pgs_by_state\":[{\"state_name\":\"active+undersized\",\"count\":295},{\"state_name\":\"active+undersized+degraded\",\"count\":33}],\"num_pgs\":328,\"num_pools\":5,\"num_objects\":74,\"data_bytes\":145064680,\"bytes_used\":1239285760,\"bytes_avail\":20231356416,\"bytes_total\":21470642176,\"degraded_objects\":148,\"degraded_total\":222,\"degraded_ratio\":0.66666666666666652,\"read_bytes_sec\":1738015,\"write_bytes_sec\":2543437,\"read_op_per_sec\":3,\"write_op_per_sec\":4},\"fsmap\":{\"epoch\":1,\"by_rank\":[],\"up:standby\":0},\"services\":{\"dashboard\":\"https://master.29053.local:8443/\",\"restful\":\"https://master.29053.local:8003/\"},\"always_on_modules\":{\"nautilus\":[\"balancer\",\"crash\",\"devicehealth\",\"orchestrator_cli\",\"progress\",\"rbd_support\",\"status\",\"volumes\"]}},\"servicemap\":{\"epoch\":6072,\"modified\":\"2023-02-08 
16:02:26.086357\",\"services\":{}},\"progress_events\":{}, \"outs\": \"\" }", "type": [ "info" ] diff --git a/packages/ceph/data_stream/cluster_status/_dev/test/pipeline/test-cluster-status-metrics-octopus.log b/packages/ceph/data_stream/cluster_status/_dev/test/pipeline/test-cluster-status-metrics-octopus.log index 3aff0c61165..1d7da9816a3 100644 --- a/packages/ceph/data_stream/cluster_status/_dev/test/pipeline/test-cluster-status-metrics-octopus.log +++ b/packages/ceph/data_stream/cluster_status/_dev/test/pipeline/test-cluster-status-metrics-octopus.log 
@@ -1 +1 @@ -{ "command": "status format=json", "outb": {"fsid":"72840c24-3a82-4e28-be87-cf9f905918fb","health":{"status":"HEALTH_WARN","checks":{"OSD_DOWN":{"severity":"HEALTH_WARN","summary":{"message":"1 osds down","count":1},"muted":false},"OSD_HOST_DOWN":{"severity":"HEALTH_WARN","summary":{"message":"1 host (1 osds) down","count":1},"muted":false},"PG_DEGRADED":{"severity":"HEALTH_WARN","summary":{"message":"Degraded data redundancy: 7/30 objects degraded (23.333%), 7 pgs degraded, 65 pgs undersized","count":72},"muted":false},"POOL_APP_NOT_ENABLED":{"severity":"HEALTH_WARN","summary":{"message":"1 pool(s) do not have an application enabled","count":1},"muted":false}},"mutes":[]},"election_epoch":9,"quorum":[0],"quorum_names":["node01"],"quorum_age":1879106,"monmap":{"epoch":2,"min_mon_release_name":"octopus","num_mons":1},"osdmap":{"epoch":900,"num_osds":6,"num_up_osds":3,"osd_up_since":1674808261,"num_in_osds":4,"osd_in_since":1672393287,"num_remapped_pgs":0},"pgmap":{"pgs_by_state":[{"state_name":"active+undersized","count":58},{"state_name":"active+clean","count":31},{"state_name":"active+undersized+degraded","count":7}],"num_pgs":96,"num_pools":3,"num_objects":10,"data_bytes":518577,"bytes_used":4643487744,"bytes_avail":81239080960,"bytes_total":85882568704,"degraded_objects":7,"degraded_total":30,"degraded_ratio":0.23333333333333331,"read_bytes_sec":0,"write_bytes_sec":317149,"read_op_per_sec":1,"write_op_per_sec":4},"fsmap":{"epoch":1,"by_rank":[],"up:standby":0},"services":{"dashboard":"https://node01.cheftest.local:8443/","prometheus":"http://node01.cheftest.local:9283/","restful":"https://127.0.0.1:8003/"}},"servicemap":{"epoch":9045,"modified":"2023-01-31T07:02:01.047615+0000","services":{}},"progress_events":{}}, "outs": "" } \ No newline at end of file +{ "command": "status format=json", "outb": {"fsid":"72840c24-3a82-4e28-be87-cf9f905918fb","health":{"status":"HEALTH_WARN","checks":{"OSD_DOWN":{"severity":"HEALTH_WARN","summary":{"message":"1 
osds down","count":1},"muted":false},"OSD_HOST_DOWN":{"severity":"HEALTH_WARN","summary":{"message":"1 host (1 osds) down","count":1},"muted":false},"PG_DEGRADED":{"severity":"HEALTH_WARN","summary":{"message":"Degraded data redundancy: 7/30 objects degraded (23.333%), 7 pgs degraded, 65 pgs undersized","count":72},"muted":false},"POOL_APP_NOT_ENABLED":{"severity":"HEALTH_WARN","summary":{"message":"1 pool(s) do not have an application enabled","count":1},"muted":false}},"mutes":[]},"election_epoch":9,"quorum":[0],"quorum_names":["node01"],"quorum_age":1879106,"monmap":{"epoch":2,"min_mon_release_name":"octopus","num_mons":1},"osdmap":{"epoch":900,"num_osds":6,"num_up_osds":3,"osd_up_since":1674808261,"num_in_osds":4,"osd_in_since":1672393287,"num_remapped_pgs":0},"pgmap":{"pgs_by_state":[{"state_name":"active+undersized","count":58},{"state_name":"active+clean","count":31},{"state_name":"active+undersized+degraded","count":7}],"num_pgs":96,"num_pools":3,"num_objects":10,"data_bytes":518577,"bytes_used":4643487744,"bytes_avail":81239080960,"bytes_total":85882568704,"degraded_objects":7,"degraded_total":30,"degraded_ratio":0.23333333333333331,"read_bytes_sec":0,"write_bytes_sec":317149,"read_op_per_sec":1,"write_op_per_sec":4},"fsmap":{"epoch":1,"by_rank":[],"up:standby":0},"services":{"dashboard":"https://node01.cheftest.local:8443/","prometheus":"http://node01.cheftest.local:9283/","restful":"https://127.0.0.1:8003/"}},"servicemap":{"epoch":9045,"modified":"2023-01-31T07:02:01.047615+0000","services":{}},"progress_events":{}, "outs": "" } \ No newline at end of file diff --git a/packages/ceph/data_stream/cluster_status/_dev/test/pipeline/test-cluster-status-metrics-octopus.log-expected.json b/packages/ceph/data_stream/cluster_status/_dev/test/pipeline/test-cluster-status-metrics-octopus.log-expected.json index ebf1a86f96f..6bda956e50e 100644 --- a/packages/ceph/data_stream/cluster_status/_dev/test/pipeline/test-cluster-status-metrics-octopus.log-expected.json 
+++ b/packages/ceph/data_stream/cluster_status/_dev/test/pipeline/test-cluster-status-metrics-octopus.log-expected.json 
@@ -87,7 +87,7 @@ "event": { "kind": "metric", "module": "ceph", - "original": "{ \"command\": \"status format=json\", \"outb\": {\"fsid\":\"72840c24-3a82-4e28-be87-cf9f905918fb\",\"health\":{\"status\":\"HEALTH_WARN\",\"checks\":{\"OSD_DOWN\":{\"severity\":\"HEALTH_WARN\",\"summary\":{\"message\":\"1 osds down\",\"count\":1},\"muted\":false},\"OSD_HOST_DOWN\":{\"severity\":\"HEALTH_WARN\",\"summary\":{\"message\":\"1 host (1 osds) down\",\"count\":1},\"muted\":false},\"PG_DEGRADED\":{\"severity\":\"HEALTH_WARN\",\"summary\":{\"message\":\"Degraded data redundancy: 7/30 objects degraded (23.333%), 7 pgs degraded, 65 pgs undersized\",\"count\":72},\"muted\":false},\"POOL_APP_NOT_ENABLED\":{\"severity\":\"HEALTH_WARN\",\"summary\":{\"message\":\"1 pool(s) do not have an application enabled\",\"count\":1},\"muted\":false}},\"mutes\":[]},\"election_epoch\":9,\"quorum\":[0],\"quorum_names\":[\"node01\"],\"quorum_age\":1879106,\"monmap\":{\"epoch\":2,\"min_mon_release_name\":\"octopus\",\"num_mons\":1},\"osdmap\":{\"epoch\":900,\"num_osds\":6,\"num_up_osds\":3,\"osd_up_since\":1674808261,\"num_in_osds\":4,\"osd_in_since\":1672393287,\"num_remapped_pgs\":0},\"pgmap\":{\"pgs_by_state\":[{\"state_name\":\"active+undersized\",\"count\":58},{\"state_name\":\"active+clean\",\"count\":31},{\"state_name\":\"active+undersized+degraded\",\"count\":7}],\"num_pgs\":96,\"num_pools\":3,\"num_objects\":10,\"data_bytes\":518577,\"bytes_used\":4643487744,\"bytes_avail\":81239080960,\"bytes_total\":85882568704,\"degraded_objects\":7,\"degraded_total\":30,\"degraded_ratio\":0.23333333333333331,\"read_bytes_sec\":0,\"write_bytes_sec\":317149,\"read_op_per_sec\":1,\"write_op_per_sec\":4},\"fsmap\":{\"epoch\":1,\"by_rank\":[],\"up:standby\":0},\"services\":{\"dashboard\":\"https://node01.cheftest.local:8443/\",\"prometheus\":\"http://node01.cheftest.local:9283/\",\"restful\":\"https://127.0.0.1:8003/\"}},\"servicemap\":{\"epoch\":9045,\"modified\":\"2023-01-31T07:02:01.047615+0000\",\"services
\":{}},\"progress_events\":{}}, \"outs\": \"\" }", + "original": "{ \"command\": \"status format=json\", \"outb\": {\"fsid\":\"72840c24-3a82-4e28-be87-cf9f905918fb\",\"health\":{\"status\":\"HEALTH_WARN\",\"checks\":{\"OSD_DOWN\":{\"severity\":\"HEALTH_WARN\",\"summary\":{\"message\":\"1 osds down\",\"count\":1},\"muted\":false},\"OSD_HOST_DOWN\":{\"severity\":\"HEALTH_WARN\",\"summary\":{\"message\":\"1 host (1 osds) down\",\"count\":1},\"muted\":false},\"PG_DEGRADED\":{\"severity\":\"HEALTH_WARN\",\"summary\":{\"message\":\"Degraded data redundancy: 7/30 objects degraded (23.333%), 7 pgs degraded, 65 pgs undersized\",\"count\":72},\"muted\":false},\"POOL_APP_NOT_ENABLED\":{\"severity\":\"HEALTH_WARN\",\"summary\":{\"message\":\"1 pool(s) do not have an application enabled\",\"count\":1},\"muted\":false}},\"mutes\":[]},\"election_epoch\":9,\"quorum\":[0],\"quorum_names\":[\"node01\"],\"quorum_age\":1879106,\"monmap\":{\"epoch\":2,\"min_mon_release_name\":\"octopus\",\"num_mons\":1},\"osdmap\":{\"epoch\":900,\"num_osds\":6,\"num_up_osds\":3,\"osd_up_since\":1674808261,\"num_in_osds\":4,\"osd_in_since\":1672393287,\"num_remapped_pgs\":0},\"pgmap\":{\"pgs_by_state\":[{\"state_name\":\"active+undersized\",\"count\":58},{\"state_name\":\"active+clean\",\"count\":31},{\"state_name\":\"active+undersized+degraded\",\"count\":7}],\"num_pgs\":96,\"num_pools\":3,\"num_objects\":10,\"data_bytes\":518577,\"bytes_used\":4643487744,\"bytes_avail\":81239080960,\"bytes_total\":85882568704,\"degraded_objects\":7,\"degraded_total\":30,\"degraded_ratio\":0.23333333333333331,\"read_bytes_sec\":0,\"write_bytes_sec\":317149,\"read_op_per_sec\":1,\"write_op_per_sec\":4},\"fsmap\":{\"epoch\":1,\"by_rank\":[],\"up:standby\":0},\"services\":{\"dashboard\":\"https://node01.cheftest.local:8443/\",\"prometheus\":\"http://node01.cheftest.local:9283/\",\"restful\":\"https://127.0.0.1:8003/\"}},\"servicemap\":{\"epoch\":9045,\"modified\":\"2023-01-31T07:02:01.047615+0000\",\"services\":{}},\"progr
ess_events\":{}, \"outs\": \"\" }",
 "type": [
 "info"
 ]
diff --git a/packages/citrix_adc/changelog.yml b/packages/citrix_adc/changelog.yml
index ad93188e7e4..0e510dad303 100644
--- a/packages/citrix_adc/changelog.yml
+++ b/packages/citrix_adc/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.5.2"
+ changes:
+ - description: Fix all mapping of type float to double
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/5910
 - version: "0.5.1"
 changes:
 - description: Added categories and/or subcategories.
diff --git a/packages/citrix_adc/data_stream/interface/_dev/test/pipeline/test-interface-metrics.log-expected.json b/packages/citrix_adc/data_stream/interface/_dev/test/pipeline/test-interface-metrics.log-expected.json
index fb7c8f647b1..00aa529c3c6 100644
--- a/packages/citrix_adc/data_stream/interface/_dev/test/pipeline/test-interface-metrics.log-expected.json
+++ b/packages/citrix_adc/data_stream/interface/_dev/test/pipeline/test-interface-metrics.log-expected.json
@@ -83,7 +83,7 @@
 "received": {
 "bytes": {
 "rate": 3868,
- "value": 1.40800896E9
+ "value": 1.408008939E9
 }
 },
 "stalled": {
@@ -93,7 +93,7 @@
 "transmitted": {
 "bytes": {
 "rate": 2016,
- "value": 9.1656115E8
+ "value": 9.16561177E8
 }
 }
 }
diff --git a/packages/citrix_adc/data_stream/interface/elasticsearch/ingest_pipeline/default.yml b/packages/citrix_adc/data_stream/interface/elasticsearch/ingest_pipeline/default.yml
index e8aa453b4fb..337dc8f6039 100644
--- a/packages/citrix_adc/data_stream/interface/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/citrix_adc/data_stream/interface/elasticsearch/ingest_pipeline/default.yml
@@ -140,113 +140,113 @@ processors: if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" ignore_missing: true ignore_failure: true - # Renaming and converting fields to float + # Renaming and converting fields to double - convert: field: json.nicerrdisables target_field: citrix_adc.interface.disabled.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.nicrxstalls target_field: citrix_adc.interface.stalled.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.totrxbytes target_field: citrix_adc.interface.received.bytes.value - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.tottxbytes target_field: citrix_adc.interface.transmitted.bytes.value - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.totrxpkts target_field: citrix_adc.interface.packets.received.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.jumbopktsreceived target_field: citrix_adc.interface.packets.received.jumbo.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.trunkpktsreceived target_field: citrix_adc.interface.packets.received.tagged.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.nictotmulticastpkts target_field: citrix_adc.interface.packets.received.multicast.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.errdroppedtxpkts target_field: citrix_adc.interface.packets.transmission.dropped.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.tottxpkts target_field: citrix_adc.interface.packets.transmitted.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.jumbopktstransmitted target_field: 
citrix_adc.interface.packets.transmitted.jumbo.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.trunkpktstransmitted target_field: citrix_adc.interface.packets.transmitted.tagged.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.errdroppedrxpkts target_field: citrix_adc.interface.packets.inbound.dropped.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.errifindiscards target_field: citrix_adc.interface.packets.inbound.error_free.discarded.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.errpktrx target_field: citrix_adc.interface.packets.inbound.dropped_by_hardware.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.errpkttx target_field: citrix_adc.interface.packets.outbound.dropped_by_hardware.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.nicerrifoutdiscards target_field: citrix_adc.interface.packets.outbound.error_free.discarded.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.totmacmoved target_field: citrix_adc.interface.mac.moved.count - type: float + type: double ignore_missing: true ignore_failure: true - script: diff --git a/packages/citrix_adc/data_stream/interface/fields/fields.yml b/packages/citrix_adc/data_stream/interface/fields/fields.yml index be87ffdc303..7c13069daf6 100644 --- a/packages/citrix_adc/data_stream/interface/fields/fields.yml +++ b/packages/citrix_adc/data_stream/interface/fields/fields.yml @@ -5,7 +5,7 @@ type: group fields: - name: disabled.count - type: float + type: double description: Number of times the specified interface is disabled by the NetScaler. metric_type: counter - name: link 
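Review bot: `double` does repair the precision that `float` was losing (the expected output in this PR moves `1.40800896E9` to `1.408008939E9`), but every target in this hunk is an integral counter — `json.totrxbytes`, `json.tottxpkts`, `json.nicerrdisables` and the other `.count`/`.value` fields that fields.yml describes as numbers of bytes or packets since start — for which `type: long` would index the exact integer with no rounding at all, whereas `double` still becomes inexact beyond 2^53; only the rate fields declared in fields.yml plausibly need a floating type. If the Citrix API delivers these as numeric strings, the `convert` processor handles them the same way with `type: long`. The fields.yml hunks that follow apply the same float→double replacement and would have to agree with whichever type is chosen; the enclosing `processors:` list starts and ends outside the hunk. Separately, each convert keeps `ignore_failure: true`, so a value that cannot be converted silently leaves the target unset — worth a one-line comment such as `# non-numeric values are dropped rather than failing the document` if that is deliberate.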
@@ -24,11 +24,11 @@ type: group fields: - name: count - type: float + type: double description: Number of MAC moves between ports. metric_type: counter - name: rate - type: float + type: double description: Rate (/s) counter for totmacmoved. metric_type: gauge - name: packets @@ -41,22 +41,22 @@ type: group fields: - name: count - type: float + type: double description: Number of inbound packets dropped by the hardware on a specified interface once the NetScaler appliance starts or the interface statistics are cleared. metric_type: counter - name: rate - type: float + type: double description: Rate (/s) counter for errpktrx. metric_type: gauge - name: dropped type: group fields: - name: count - type: float + type: double description: Number of inbound packets dropped by the specified interface. metric_type: counter - name: rate - type: float + type: double description: Rate (/s) counter for errdroppedrxpkts. metric_type: gauge - name: error_free @@ -66,11 +66,11 @@ type: group fields: - name: count - type: float + type: double description: Number of error-free inbound packets discarded by the specified interface due to a lack of resources. metric_type: counter - name: rate - type: float + type: double description: Rate (/s) counter for errifindiscards. metric_type: gauge - name: outbound @@ -80,11 +80,11 @@ type: group fields: - name: count - type: float + type: double description: Number of outbound packets dropped by the hardware on a specified interface since the NetScaler appliance was started or the interface statistics were cleared. metric_type: counter - name: rate - type: float + type: double description: Rate (/s) counter for errpkttx. metric_type: gauge - name: error_free 
@@ -94,55 +94,55 @@ type: group fields: - name: count - type: float + type: double description: Number of error-free outbound packets discarded by the specified interface due to a lack of resources. metric_type: counter - name: rate - type: float + type: double description: Rate (/s) counter for nicerrifoutdiscards. metric_type: gauge - name: received type: group fields: - name: count - type: float + type: double description: Number of packets received by an interface since the NetScaler appliance was started or the interface statistics were cleared. metric_type: counter - name: jumbo type: group fields: - name: count - type: float + type: double description: Number of Jumbo Packets received on specified interface. metric_type: counter - name: rate - type: float + type: double description: Rate (/s) counter for jumbopktsreceived. metric_type: gauge - name: multicast type: group fields: - name: count - type: float + type: double description: Number of multicast packets received by the specified interface since the NetScaler appliance was started or the interface statistics were cleared. metric_type: counter - name: rate - type: float + type: double description: Rate (/s) counter for nictotmulticastpkts. metric_type: gauge - name: rate - type: float + type: double description: Rate (/s) counter for totrxpkts. metric_type: gauge - name: tagged type: group fields: - name: count - type: float + type: double description: Number of Tagged Packets received on specified Trunk interface through Allowed VLan List. metric_type: counter - name: rate - type: float + type: double description: Rate (/s) counter for trunkpktsreceived. metric_type: gauge - name: transmission 
@@ -152,42 +152,42 @@ type: group fields: - name: count - type: float + type: double description: Number of packets dropped in transmission by the specified interface due to one of the following reasons. (1) VLAN mismatch. (2) Oversized packets. (3) Interface congestion. (4) Loopback packets sent on non loopback interface. - name: rate - type: float + type: double description: Rate (/s) counter for errdroppedtxpkts. - name: transmitted type: group fields: - name: count - type: float + type: double description: Number of packets transmitted by an interface since the NetScaler appliance was started or the interface statistics were cleared. metric_type: counter - name: jumbo type: group fields: - name: count - type: float + type: double description: Number of Jumbo packets transmitted on specified interface by upper layer, with TSO enabled actual trasmission size could be non Jumbo. metric_type: counter - name: rate - type: float + type: double description: Rate (/s) counter for jumbopktstransmitted. metric_type: gauge - name: rate - type: float + type: double description: Rate (/s) counter for tottxpkts. metric_type: gauge - name: tagged type: group fields: - name: count - type: float + type: double description: Number of Tagged Packets transmitted on specified Trunk interface through Allowed VLan List. metric_type: counter - name: rate - type: float + type: double description: Rate (/s) counter for trunkpktstransmitted. metric_type: gauge - name: received 
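Review bot: The first `count` and `rate` fields in this hunk (packets dropped in transmission, `errdroppedtxpkts`) carry no `metric_type`, unlike every sibling group, so the counter/gauge annotation that the metrics tooling relies on is missing for exactly these two. Since the lines are being retyped anyway, adding `metric_type: counter` after the dropped-packets description and `metric_type: gauge` after the `errdroppedtxpkts` rate description would bring them in line with the rest of the file.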
@@ -197,16 +197,16 @@ type: group fields: - name: rate - type: float + type: double description: Rate (/s) counter for totrxbytes. metric_type: gauge - name: value - type: float + type: double description: Number of bytes received by an interface since the NetScaler appliance was started or the interface statistics were cleared. metric_type: counter unit: byte - name: stalled.count - type: float + type: double description: Number of times the interface stalled, when receiving packets, since the NetScaler appliance was started or the interface statistics were cleared. metric_type: counter - name: state @@ -219,11 +219,11 @@ type: group fields: - name: rate - type: float + type: double description: Rate (/s) counter for tottxbytes. metric_type: gauge - name: value - type: float + type: double description: Number of bytes transmitted by an interface since the NetScaler appliance was started or the interface statistics were cleared. metric_type: counter unit: byte diff --git a/packages/citrix_adc/data_stream/lbvserver/_dev/test/pipeline/test-lbvserver-metrics.log b/packages/citrix_adc/data_stream/lbvserver/_dev/test/pipeline/test-lbvserver-metrics.log index 85c9d8c9e42..2dcb6c3d715 100644 --- a/packages/citrix_adc/data_stream/lbvserver/_dev/test/pipeline/test-lbvserver-metrics.log +++ b/packages/citrix_adc/data_stream/lbvserver/_dev/test/pipeline/test-lbvserver-metrics.log 
@@ -1 +1,2 @@ -{"name":"cpx_default_dns_vserver","avgcltttlb":"4","cltresponsetimeapdex":1,"vsvrsurgecount":"4","establishedconn":"4","inactsvcs":"1","vslbhealth":"67","primaryipaddress":"0.0.0.0","primaryport":0,"type":"DNS","state":"UP","actsvcs":"2","cpuusagepm":"10","tothits":"10","hitsrate":10,"totalrequests":"10","requestsrate":10,"totalresponses":"2","responsesrate":2,"totalrequestbytes":"2","requestbytesrate":2,"totalresponsebytes":"6","responsebytesrate":6,"totalh2requests":"6","h2requestsrate":6,"totalh2responses":"7","h2responsesrate":7,"totalpktsrecvd":"7","pktsrecvdrate":7,"totalpktssent":"8","pktssentrate":8,"curclntconnections":"8","cursrvrconnections":"8","curpersistencesessions":"9","curbackuppersistencesessions":"9","surgecount":"9","svcsurgecount":"9","sothreshold":"11","totspillovers":"11","labelledconn":"11","pushlabel":"11","deferredreq":"1","deferredreqrate":1,"invalidrequestresponse":"1","invalidrequestresponsedropped":"0","totvserverdownbackuphits":"0","curmptcpsessions":"0","cursubflowconn":"0","totalconnreassemblyqueue75":"0","totalconnreassemblyqueueflush":"0","totalsvrbusyerr":"0","svrbusyerrrate":0,"reqretrycount":"0","reqretrycountexceeded":"0","httpmaxhdrszpkts":"0","tcpmaxooopkts":"0","totcltttlbtransactions":"0","cltttlbtransactionsrate":0,"toleratingttlbtransactions":"0","toleratingttlbtransactionsrate":0,"frustratingttlbtransactions":"0","frustratingttlbtransactionsrate":0},{"name":"cpx_default_dns_tcp_vserver","avgcltttlb":"0","cltresponsetimeapdex":1,"vsvrsurgecount":"0","establishedconn":"0","inactsvcs":"1","vslbhealth":"67","primaryipaddress":"0.0.0.0","primaryport":0,"type":"DNS_TCP","state":"UP","actsvcs":"2","cpuusagepm":"0","tothits":"0","hitsrate":0,"totalrequests":"0","requestsrate":0,"totalresponses":"0","responsesrate":0,"totalrequestbytes":"0","requestbytesrate":0,"totalresponsebytes":"0","responsebytesrate":0,"totalh2requests":"0","h2requestsrate":0,"totalh2responses":"0","h2responsesrate":0,"totalpktsrecvd":"0","pkt
srecvdrate":0,"totalpktssent":"0","pktssentrate":0,"curclntconnections":"0","cursrvrconnections":"0","curpersistencesessions":"0","curbackuppersistencesessions":"0","surgecount":"0","svcsurgecount":"0","sothreshold":"0","totspillovers":"0","labelledconn":"0","pushlabel":"0","deferredreq":"0","deferredreqrate":0,"invalidrequestresponse":"0","invalidrequestresponsedropped":"0","totvserverdownbackuphits":"0","curmptcpsessions":"0","cursubflowconn":"0","totalconnreassemblyqueue75":"0","totalconnreassemblyqueueflush":"0","totalsvrbusyerr":"0","svrbusyerrrate":0,"reqretrycount":"0","reqretrycountexceeded":"0","httpmaxhdrszpkts":"0","tcpmaxooopkts":"0","totcltttlbtransactions":"0","cltttlbtransactionsrate":0,"toleratingttlbtransactions":"0","toleratingttlbtransactionsrate":0,"frustratingttlbtransactions":"0","frustratingttlbtransactionsrate":0} \ No newline at end of file +{"name":"cpx_default_dns_vserver","avgcltttlb":"4","cltresponsetimeapdex":1,"vsvrsurgecount":"4","establishedconn":"4","inactsvcs":"1","vslbhealth":"67","primaryipaddress":"0.0.0.0","primaryport":0,"type":"DNS","state":"UP","actsvcs":"2","cpuusagepm":"10","tothits":"10","hitsrate":10,"totalrequests":"10","requestsrate":10,"totalresponses":"2","responsesrate":2,"totalrequestbytes":"2","requestbytesrate":2,"totalresponsebytes":"6","responsebytesrate":6,"totalh2requests":"6","h2requestsrate":6,"totalh2responses":"7","h2responsesrate":7,"totalpktsrecvd":"7","pktsrecvdrate":7,"totalpktssent":"8","pktssentrate":8,"curclntconnections":"8","cursrvrconnections":"8","curpersistencesessions":"9","curbackuppersistencesessions":"9","surgecount":"9","svcsurgecount":"9","sothreshold":"11","totspillovers":"11","labelledconn":"11","pushlabel":"11","deferredreq":"1","deferredreqrate":1,"invalidrequestresponse":"1","invalidrequestresponsedropped":"0","totvserverdownbackuphits":"0","curmptcpsessions":"0","cursubflowconn":"0","totalconnreassemblyqueue75":"0","totalconnreassemblyqueueflush":"0","totalsvrbusyerr":"0","svrbusye
rrrate":0,"reqretrycount":"0","reqretrycountexceeded":"0","httpmaxhdrszpkts":"0","tcpmaxooopkts":"0","totcltttlbtransactions":"0","cltttlbtransactionsrate":0,"toleratingttlbtransactions":"0","toleratingttlbtransactionsrate":0,"frustratingttlbtransactions":"0","frustratingttlbtransactionsrate":0} +{"name":"cpx_default_dns_tcp_vserver","avgcltttlb":"0","cltresponsetimeapdex":1,"vsvrsurgecount":"0","establishedconn":"0","inactsvcs":"1","vslbhealth":"67","primaryipaddress":"0.0.0.0","primaryport":0,"type":"DNS_TCP","state":"UP","actsvcs":"2","cpuusagepm":"0","tothits":"0","hitsrate":0,"totalrequests":"0","requestsrate":0,"totalresponses":"0","responsesrate":0,"totalrequestbytes":"0","requestbytesrate":0,"totalresponsebytes":"0","responsebytesrate":0,"totalh2requests":"0","h2requestsrate":0,"totalh2responses":"0","h2responsesrate":0,"totalpktsrecvd":"0","pktsrecvdrate":0,"totalpktssent":"0","pktssentrate":0,"curclntconnections":"0","cursrvrconnections":"0","curpersistencesessions":"0","curbackuppersistencesessions":"0","surgecount":"0","svcsurgecount":"0","sothreshold":"0","totspillovers":"0","labelledconn":"0","pushlabel":"0","deferredreq":"0","deferredreqrate":0,"invalidrequestresponse":"0","invalidrequestresponsedropped":"0","totvserverdownbackuphits":"0","curmptcpsessions":"0","cursubflowconn":"0","totalconnreassemblyqueue75":"0","totalconnreassemblyqueueflush":"0","totalsvrbusyerr":"0","svrbusyerrrate":0,"reqretrycount":"0","reqretrycountexceeded":"0","httpmaxhdrszpkts":"0","tcpmaxooopkts":"0","totcltttlbtransactions":"0","cltttlbtransactionsrate":0,"toleratingttlbtransactions":"0","toleratingttlbtransactionsrate":0,"frustratingttlbtransactions":"0","frustratingttlbtransactionsrate":0} \ No newline at end of file diff --git a/packages/citrix_adc/data_stream/lbvserver/_dev/test/pipeline/test-lbvserver-metrics.log-expected.json b/packages/citrix_adc/data_stream/lbvserver/_dev/test/pipeline/test-lbvserver-metrics.log-expected.json index 4cf8b84b92b..738138d426f 100644 
--- a/packages/citrix_adc/data_stream/lbvserver/_dev/test/pipeline/test-lbvserver-metrics.log-expected.json
+++ b/packages/citrix_adc/data_stream/lbvserver/_dev/test/pipeline/test-lbvserver-metrics.log-expected.json
@@ -117,7 +117,142 @@ ], "kind": "event", "module": "citrix_adc", - "original": "{\"name\":\"cpx_default_dns_vserver\",\"avgcltttlb\":\"4\",\"cltresponsetimeapdex\":1,\"vsvrsurgecount\":\"4\",\"establishedconn\":\"4\",\"inactsvcs\":\"1\",\"vslbhealth\":\"67\",\"primaryipaddress\":\"0.0.0.0\",\"primaryport\":0,\"type\":\"DNS\",\"state\":\"UP\",\"actsvcs\":\"2\",\"cpuusagepm\":\"10\",\"tothits\":\"10\",\"hitsrate\":10,\"totalrequests\":\"10\",\"requestsrate\":10,\"totalresponses\":\"2\",\"responsesrate\":2,\"totalrequestbytes\":\"2\",\"requestbytesrate\":2,\"totalresponsebytes\":\"6\",\"responsebytesrate\":6,\"totalh2requests\":\"6\",\"h2requestsrate\":6,\"totalh2responses\":\"7\",\"h2responsesrate\":7,\"totalpktsrecvd\":\"7\",\"pktsrecvdrate\":7,\"totalpktssent\":\"8\",\"pktssentrate\":8,\"curclntconnections\":\"8\",\"cursrvrconnections\":\"8\",\"curpersistencesessions\":\"9\",\"curbackuppersistencesessions\":\"9\",\"surgecount\":\"9\",\"svcsurgecount\":\"9\",\"sothreshold\":\"11\",\"totspillovers\":\"11\",\"labelledconn\":\"11\",\"pushlabel\":\"11\",\"deferredreq\":\"1\",\"deferredreqrate\":1,\"invalidrequestresponse\":\"1\",\"invalidrequestresponsedropped\":\"0\",\"totvserverdownbackuphits\":\"0\",\"curmptcpsessions\":\"0\",\"cursubflowconn\":\"0\",\"totalconnreassemblyqueue75\":\"0\",\"totalconnreassemblyqueueflush\":\"0\",\"totalsvrbusyerr\":\"0\",\"svrbusyerrrate\":0,\"reqretrycount\":\"0\",\"reqretrycountexceeded\":\"0\",\"httpmaxhdrszpkts\":\"0\",\"tcpmaxooopkts\":\"0\",\"totcltttlbtransactions\":\"0\",\"cltttlbtransactionsrate\":0,\"toleratingttlbtransactions\":\"0\",\"toleratingttlbtransactionsrate\":0,\"frustratingttlbtransactions\":\"0\",\"frustratingttlbtransactionsrate\":0},{\"name\":\"cpx_default_dns_tcp_vserver\",\"avgcltttlb\":\"0\",\"cltresponsetimeapdex\":1,\"vsvrsurgecount\":\"0\",\"establishedconn\":\"0\",\"inactsvcs\":\"1\",\"vslbhealth\":\"67\",\"primaryipaddress\":\"0.0.0.0\",\"primaryport\":0,\"type\":\"DNS_TCP\",\"state\":\"UP\",\"actsvcs\":\
"2\",\"cpuusagepm\":\"0\",\"tothits\":\"0\",\"hitsrate\":0,\"totalrequests\":\"0\",\"requestsrate\":0,\"totalresponses\":\"0\",\"responsesrate\":0,\"totalrequestbytes\":\"0\",\"requestbytesrate\":0,\"totalresponsebytes\":\"0\",\"responsebytesrate\":0,\"totalh2requests\":\"0\",\"h2requestsrate\":0,\"totalh2responses\":\"0\",\"h2responsesrate\":0,\"totalpktsrecvd\":\"0\",\"pktsrecvdrate\":0,\"totalpktssent\":\"0\",\"pktssentrate\":0,\"curclntconnections\":\"0\",\"cursrvrconnections\":\"0\",\"curpersistencesessions\":\"0\",\"curbackuppersistencesessions\":\"0\",\"surgecount\":\"0\",\"svcsurgecount\":\"0\",\"sothreshold\":\"0\",\"totspillovers\":\"0\",\"labelledconn\":\"0\",\"pushlabel\":\"0\",\"deferredreq\":\"0\",\"deferredreqrate\":0,\"invalidrequestresponse\":\"0\",\"invalidrequestresponsedropped\":\"0\",\"totvserverdownbackuphits\":\"0\",\"curmptcpsessions\":\"0\",\"cursubflowconn\":\"0\",\"totalconnreassemblyqueue75\":\"0\",\"totalconnreassemblyqueueflush\":\"0\",\"totalsvrbusyerr\":\"0\",\"svrbusyerrrate\":0,\"reqretrycount\":\"0\",\"reqretrycountexceeded\":\"0\",\"httpmaxhdrszpkts\":\"0\",\"tcpmaxooopkts\":\"0\",\"totcltttlbtransactions\":\"0\",\"cltttlbtransactionsrate\":0,\"toleratingttlbtransactions\":\"0\",\"toleratingttlbtransactionsrate\":0,\"frustratingttlbtransactions\":\"0\",\"frustratingttlbtransactionsrate\":0}", + "original": 
"{\"name\":\"cpx_default_dns_vserver\",\"avgcltttlb\":\"4\",\"cltresponsetimeapdex\":1,\"vsvrsurgecount\":\"4\",\"establishedconn\":\"4\",\"inactsvcs\":\"1\",\"vslbhealth\":\"67\",\"primaryipaddress\":\"0.0.0.0\",\"primaryport\":0,\"type\":\"DNS\",\"state\":\"UP\",\"actsvcs\":\"2\",\"cpuusagepm\":\"10\",\"tothits\":\"10\",\"hitsrate\":10,\"totalrequests\":\"10\",\"requestsrate\":10,\"totalresponses\":\"2\",\"responsesrate\":2,\"totalrequestbytes\":\"2\",\"requestbytesrate\":2,\"totalresponsebytes\":\"6\",\"responsebytesrate\":6,\"totalh2requests\":\"6\",\"h2requestsrate\":6,\"totalh2responses\":\"7\",\"h2responsesrate\":7,\"totalpktsrecvd\":\"7\",\"pktsrecvdrate\":7,\"totalpktssent\":\"8\",\"pktssentrate\":8,\"curclntconnections\":\"8\",\"cursrvrconnections\":\"8\",\"curpersistencesessions\":\"9\",\"curbackuppersistencesessions\":\"9\",\"surgecount\":\"9\",\"svcsurgecount\":\"9\",\"sothreshold\":\"11\",\"totspillovers\":\"11\",\"labelledconn\":\"11\",\"pushlabel\":\"11\",\"deferredreq\":\"1\",\"deferredreqrate\":1,\"invalidrequestresponse\":\"1\",\"invalidrequestresponsedropped\":\"0\",\"totvserverdownbackuphits\":\"0\",\"curmptcpsessions\":\"0\",\"cursubflowconn\":\"0\",\"totalconnreassemblyqueue75\":\"0\",\"totalconnreassemblyqueueflush\":\"0\",\"totalsvrbusyerr\":\"0\",\"svrbusyerrrate\":0,\"reqretrycount\":\"0\",\"reqretrycountexceeded\":\"0\",\"httpmaxhdrszpkts\":\"0\",\"tcpmaxooopkts\":\"0\",\"totcltttlbtransactions\":\"0\",\"cltttlbtransactionsrate\":0,\"toleratingttlbtransactions\":\"0\",\"toleratingttlbtransactionsrate\":0,\"frustratingttlbtransactions\":\"0\",\"frustratingttlbtransactionsrate\":0}", + "type": [ + "info" + ] + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "server": { + "ip": "0.0.0.0", + "port": 0 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "citrix_adc": { + "lbvserver": { + "client": { + "connections": { + "current": { + "count": 0.0 + }, + "established": { + "count": 0.0 + } + }, + "response_time": { + 
"application_performance_index": 1 + } + }, + "connections": { + "actual": { + "count": 0.0 + } + }, + "down": { + "backup": { + "hits": 0.0 + } + }, + "health": 67.0, + "hit": { + "count": 0.0, + "rate": 0 + }, + "name": "cpx_default_dns_tcp_vserver", + "packets": { + "received": { + "count": 0.0 + }, + "sent": { + "count": 0.0, + "rate": 0 + } + }, + "protocol": "DNS_TCP", + "request": { + "deferred": { + "count": 0.0, + "rate": 0 + }, + "received": { + "bytes": { + "rate": 0, + "value": 0.0 + }, + "count": 0.0, + "rate": 0 + }, + "surge_queue": { + "count": 0.0 + }, + "waiting": { + "count": 0.0 + } + }, + "requests_responses": { + "dropped": { + "count": 0.0 + }, + "invalid": { + "count": 0.0 + } + }, + "response": { + "received": { + "bytes": { + "rate": 0, + "value": 0.0 + }, + "count": 0.0, + "rate": 0 + } + }, + "service": { + "active": { + "count": 2.0 + }, + "inactive": { + "count": 1.0 + } + }, + "spillover": { + "count": 0.0 + }, + "state": "UP", + "threshold": { + "spillover": 0.0 + }, + "time_to_last_byte": { + "avg": 0.0 + }, + "transaction": { + "frustrating": { + "count": 0.0 + }, + "tolerable": { + "count": 0.0 + } + } + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": [ + "web" + ], + "kind": "event", + "module": "citrix_adc", + "original": 
"{\"name\":\"cpx_default_dns_tcp_vserver\",\"avgcltttlb\":\"0\",\"cltresponsetimeapdex\":1,\"vsvrsurgecount\":\"0\",\"establishedconn\":\"0\",\"inactsvcs\":\"1\",\"vslbhealth\":\"67\",\"primaryipaddress\":\"0.0.0.0\",\"primaryport\":0,\"type\":\"DNS_TCP\",\"state\":\"UP\",\"actsvcs\":\"2\",\"cpuusagepm\":\"0\",\"tothits\":\"0\",\"hitsrate\":0,\"totalrequests\":\"0\",\"requestsrate\":0,\"totalresponses\":\"0\",\"responsesrate\":0,\"totalrequestbytes\":\"0\",\"requestbytesrate\":0,\"totalresponsebytes\":\"0\",\"responsebytesrate\":0,\"totalh2requests\":\"0\",\"h2requestsrate\":0,\"totalh2responses\":\"0\",\"h2responsesrate\":0,\"totalpktsrecvd\":\"0\",\"pktsrecvdrate\":0,\"totalpktssent\":\"0\",\"pktssentrate\":0,\"curclntconnections\":\"0\",\"cursrvrconnections\":\"0\",\"curpersistencesessions\":\"0\",\"curbackuppersistencesessions\":\"0\",\"surgecount\":\"0\",\"svcsurgecount\":\"0\",\"sothreshold\":\"0\",\"totspillovers\":\"0\",\"labelledconn\":\"0\",\"pushlabel\":\"0\",\"deferredreq\":\"0\",\"deferredreqrate\":0,\"invalidrequestresponse\":\"0\",\"invalidrequestresponsedropped\":\"0\",\"totvserverdownbackuphits\":\"0\",\"curmptcpsessions\":\"0\",\"cursubflowconn\":\"0\",\"totalconnreassemblyqueue75\":\"0\",\"totalconnreassemblyqueueflush\":\"0\",\"totalsvrbusyerr\":\"0\",\"svrbusyerrrate\":0,\"reqretrycount\":\"0\",\"reqretrycountexceeded\":\"0\",\"httpmaxhdrszpkts\":\"0\",\"tcpmaxooopkts\":\"0\",\"totcltttlbtransactions\":\"0\",\"cltttlbtransactionsrate\":0,\"toleratingttlbtransactions\":\"0\",\"toleratingttlbtransactionsrate\":0,\"frustratingttlbtransactions\":\"0\",\"frustratingttlbtransactionsrate\":0}", "type": [ "info" ] diff --git a/packages/citrix_adc/data_stream/lbvserver/elasticsearch/ingest_pipeline/default.yml b/packages/citrix_adc/data_stream/lbvserver/elasticsearch/ingest_pipeline/default.yml index cdf9d348d9a..9f8d7125b6d 100644 --- a/packages/citrix_adc/data_stream/lbvserver/elasticsearch/ingest_pipeline/default.yml 
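Review bot: The new second event pairs `"count": 0.0` with `"rate": 0` throughout (`hit`, `packets.sent`, `request.deferred`, `request.received`, `response.received`), which shows the `*rate` source fields reaching the document with whatever type the appliance emitted while the counts pass through `convert`. The fields.yml hunks declare the rates `double`, so index-time coercion is doing the typing; a rate ever emitted as a quoted string, the way the appliance already quotes its tallies (`"tothits":"10"`), would then depend on coercion being left enabled on the mapping. Explicit `convert` processors with `type: double` for the rate fields would make the document type independent of the source encoding. I cannot see whether such a convert exists outside the visible pipeline hunk.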
+++ b/packages/citrix_adc/data_stream/lbvserver/elasticsearch/ingest_pipeline/default.yml 
@@ -108,149 +108,149 @@ processors: if: ctx.server?.ip != null allow_duplicates: false ignore_failure: true - # Renaming and converting fields to float + # Renaming and converting fields to double - convert: field: json.actsvcs target_field: citrix_adc.lbvserver.service.active.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.avgcltttlb target_field: citrix_adc.lbvserver.time_to_last_byte.avg - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.curclntconnections target_field: citrix_adc.lbvserver.client.connections.current.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.cursrvrconnections target_field: citrix_adc.lbvserver.connections.actual.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.deferredreq target_field: citrix_adc.lbvserver.request.deferred.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.establishedconn target_field: citrix_adc.lbvserver.client.connections.established.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.frustratingttlbtransactions target_field: citrix_adc.lbvserver.transaction.frustrating.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.inactsvcs target_field: citrix_adc.lbvserver.service.inactive.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.invalidrequestresponse target_field: citrix_adc.lbvserver.requests_responses.invalid.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.invalidrequestresponsedropped target_field: citrix_adc.lbvserver.requests_responses.dropped.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.sothreshold target_field: 
citrix_adc.lbvserver.threshold.spillover - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.surgecount target_field: citrix_adc.lbvserver.request.surge_queue.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.toleratingttlbtransactions target_field: citrix_adc.lbvserver.transaction.tolerable.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.totalpktsrecvd target_field: citrix_adc.lbvserver.packets.received.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.totalpktssent target_field: citrix_adc.lbvserver.packets.sent.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.totalrequestbytes target_field: citrix_adc.lbvserver.request.received.bytes.value - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.totalrequests target_field: citrix_adc.lbvserver.request.received.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.totalresponsebytes target_field: citrix_adc.lbvserver.response.received.bytes.value - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.totalresponses target_field: citrix_adc.lbvserver.response.received.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.tothits target_field: citrix_adc.lbvserver.hit.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.totspillovers target_field: citrix_adc.lbvserver.spillover.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.totvserverdownbackuphits target_field: citrix_adc.lbvserver.down.backup.hits - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.vslbhealth 
target_field: citrix_adc.lbvserver.health - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.vsvrsurgecount target_field: citrix_adc.lbvserver.request.waiting.count - type: float + type: double ignore_missing: true ignore_failure: true - script: diff --git a/packages/citrix_adc/data_stream/lbvserver/fields/fields.yml b/packages/citrix_adc/data_stream/lbvserver/fields/fields.yml index a45b413044e..43e7679e0e1 100644 --- a/packages/citrix_adc/data_stream/lbvserver/fields/fields.yml +++ b/packages/citrix_adc/data_stream/lbvserver/fields/fields.yml @@ -11,36 +11,36 @@ type: group fields: - name: current.count - type: float + type: double description: Number of current client connections. metric_type: gauge - name: established.count - type: float + type: double description: Number of client connections in ESTABLISHED state. metric_type: gauge - name: response_time.application_performance_index - type: float + type: double description: Vserver APDEX (Application Performance Index) index based on client response times. - name: connections.actual.count - type: float + type: double description: Number of current connections to the actual servers behind the virtual server. metric_type: gauge - name: down.backup.hits - type: float + type: double description: Number of times traffic was diverted to the backup vserver since the primary vserver was DOWN. metric_type: counter - name: health - type: float + type: double description: Health of the vserver. This gives percentage of UP services bound to the vserver. - name: hit type: group fields: - name: count - type: float + type: double description: Total vserver hits. metric_type: counter - name: rate - type: float + type: double description: Rate (/s) counter for tothits. metric_type: gauge - name: name 
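Review bot: Each rewritten `convert` keeps `ignore_failure: true`, so a value the appliance emits that does not parse as a number leaves `json.<field>` in place and the `citrix_adc.lbvserver.*` target absent, with nothing on the event recording that a metric was dropped; the service pipeline hunk has the same shape. If the pipeline defines an `on_failure` handler (the processors list starts and ends outside this hunk, so I cannot see it), removing `ignore_failure: true` from these processors would route such events there and tag them rather than silently thinning the metrics. The condition `if: ctx.server?.ip != null` in the context at the top of the hunk also admits the `0.0.0.0` placeholder that the new expected output shows in `server.ip` and `related.ip`; `if: ctx.server?.ip != null && ctx.server.ip != '0.0.0.0'` would keep `related.ip`, the field analysts pivot on, limited to addresses that identify something.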
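Review bot: `health` ("percentage of UP services bound to the vserver") and `client.response_time.application_performance_index` are retyped here without a `metric_type`, while every neighbouring numeric field declares one. `health` would read as `metric_type: gauge` with `unit: percent`, and the APDEX index as `metric_type: gauge`; both are gauges by the descriptions already on the lines.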
@@ -50,18 +50,18 @@ type: group fields: - name: received.count - type: float + type: double description: Total number of packets received by the service or virtual server. metric_type: counter - name: sent type: group fields: - name: count - type: float + type: double description: Total number of packets sent. metric_type: counter - name: rate - type: float + type: double description: Rate (/s) counter for totalpktssent. metric_type: gauge - name: protocol @@ -74,11 +74,11 @@ type: group fields: - name: count - type: float + type: double description: Number of deferred requests on specific vserver. metric_type: counter - name: rate - type: float + type: double description: Rate (/s) counter for deferredreq. metric_type: gauge - name: received @@ -88,39 +88,39 @@ type: group fields: - name: rate - type: float + type: double description: Rate (/s) counter for totalrequestbytes. metric_type: gauge - name: value - type: float + type: double description: Total number of request bytes received on the service or virtual server. metric_type: counter unit: byte - name: count - type: float + type: double description: Total number of requests received on the service or virtual server. metric_type: counter - name: rate - type: float + type: double description: Rate (/s) counter for totalrequests. metric_type: gauge - name: surge_queue.count - type: float + type: double description: Number of requests in the surge queue. metric_type: gauge - name: waiting.count - type: float + type: double description: Number of requests waiting on specific vserver. metric_type: gauge - name: requests_responses type: group fields: - name: dropped.count - type: float + type: double description: Number invalid requests/responses dropped on the vserver. metric_type: counter - name: invalid.count - type: float + type: double description: Number invalid requests/responses on the vserver. metric_type: counter - name: response 
@@ -133,56 +133,56 @@ type: group fields: - name: rate - type: float + type: double description: Rate (/s) counter for totalresponsebytes. metric_type: gauge - name: value - type: float + type: double description: Number of response bytes received by the service or virtual server. metric_type: counter unit: byte - name: count - type: float + type: double description: Number of responses received on the service or virtual server. metric_type: counter - name: rate - type: float + type: double description: Rate (/s) counter for totalresponses. metric_type: gauge - name: service type: group fields: - name: active.count - type: float + type: double description: Number of ACTIVE services bound to a vserver. metric_type: gauge - name: inactive.count - type: float + type: double description: Number of INACTIVE services bound to a vserver. metric_type: gauge - name: spillover.count - type: float + type: double description: Number of times vserver experienced spill over. metric_type: counter - name: state type: keyword description: Current state of the server. - name: threshold.spillover - type: float + type: double description: Spill Over Threshold set on the vserver. metric_type: gauge - name: time_to_last_byte.avg - type: float + type: double description: Average TTLB (Time To Last Byte) between the client and the server. metric_type: gauge - name: transaction type: group fields: - name: frustrating.count - type: float + type: double description: Frustrating transactions based on APDEX (Application Performance Index) threshold. metric_type: gauge - name: tolerable.count - type: float + type: double description: Tolerable transactions based on APDEX (Application Performance Index) threshold. metric_type: gauge diff --git a/packages/citrix_adc/data_stream/service/_dev/test/pipeline/test-service-metrics.log-expected.json b/packages/citrix_adc/data_stream/service/_dev/test/pipeline/test-service-metrics.log-expected.json index 9fed4ef8ea9..046bfd4f540 100644 
--- a/packages/citrix_adc/data_stream/service/_dev/test/pipeline/test-service-metrics.log-expected.json
+++ b/packages/citrix_adc/data_stream/service/_dev/test/pipeline/test-service-metrics.log-expected.json
@@ -21,7 +21,7 @@
 "response": {
 "bytes": {
 "rate": 151,
- "value": 2.368862E7
+ "value": 2.3688619E7
 },
 "count": 12578.0,
 "rate": 0
diff --git a/packages/citrix_adc/data_stream/service/elasticsearch/ingest_pipeline/default.yml b/packages/citrix_adc/data_stream/service/elasticsearch/ingest_pipeline/default.yml
index f3a754ceb75..5ca194957a3 100644
--- a/packages/citrix_adc/data_stream/service/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/citrix_adc/data_stream/service/elasticsearch/ingest_pipeline/default.yml
@@ -85,95 +85,95 @@ processors: if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) ignore_missing: true ignore_failure: true - # Renaming and converting fields to float + # Renaming and converting fields to double - convert: field: json.curclntconnections target_field: citrix_adc.service.client_connection.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.totalrequestbytes target_field: citrix_adc.service.request.bytes.value - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.totalrequests target_field: citrix_adc.service.request.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.totalresponsebytes target_field: citrix_adc.service.response.bytes.value - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.totalresponses target_field: citrix_adc.service.response.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.curreusepool target_field: citrix_adc.service.reuse_pool - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.cursrvrconnections target_field: citrix_adc.service.server.connection.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.svrestablishedconn target_field: citrix_adc.service.server.connection.established.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.avgsvrttfb target_field: citrix_adc.service.server.time_to_first_byte.avg - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.surgecount target_field: citrix_adc.service.surge_queue.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.throughput target_field: citrix_adc.service.throughput.value - type: float + type: double 
ignore_missing: true ignore_failure: true - convert: field: json.activetransactions target_field: citrix_adc.service.transaction.active.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.frustratingttlbtransactions target_field: citrix_adc.service.transaction.frustrating.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.totsvrttlbtransactions target_field: citrix_adc.service.transaction.time_to_last_byte.count - type: float + type: double ignore_missing: true ignore_failure: true - convert: field: json.toleratingttlbtransactions target_field: citrix_adc.service.transaction.tolerable.count - type: float + type: double ignore_missing: true ignore_failure: true # Renaming and converting field to ip diff --git a/packages/citrix_adc/data_stream/service/fields/fields.yml b/packages/citrix_adc/data_stream/service/fields/fields.yml index 8908125926b..3903dd9c1fc 100644 --- a/packages/citrix_adc/data_stream/service/fields/fields.yml +++ b/packages/citrix_adc/data_stream/service/fields/fields.yml @@ -5,7 +5,7 @@ type: group fields: - name: client_connection.count - type: float + type: double description: Number of current client connections. metric_type: counter - name: primary 
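Review bot: `client_connection.count` is described as "Number of current client connections" but annotated `metric_type: counter`; a current count is a gauge, and the lbvserver stream declares its equivalent `client.connections.current.count` as `metric_type: gauge` in its hunk above, so the two data streams now disagree on the same quantity. The `@@ -67,48` hunk of this file repeats the pattern: `server.count` ("Number of current connections"), `surge_queue.count` ("Number of requests in the surge queue") and `transaction.active.count` are `counter` here but the corresponding lbvserver fields are `gauge`, `transaction.tolerable.count` is `counter` while its sibling `frustrating.count` is `gauge`, and `throughput.value` is a `counter` whose own description ("Number of bytes ... (Mbps)") names a rate. Changing those to `metric_type: gauge`, and rewording the throughput description to say which of bytes or Mbps it carries, would make the annotations match the descriptions; `reuse_pool` in the `@@ -21,44` hunk has no `metric_type` at all.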
@@ -21,44 +21,44 @@ type: group fields: - name: bytes.rate - type: float + type: double description: Rate (/s) counter for totalrequestbytes. metric_type: gauge - name: bytes.value - type: float + type: double description: Total number of request bytes received on specific service or virtual server. metric_type: counter unit: byte - name: count - type: float + type: double description: Total number of requests received on specific service or virtual server. metric_type: counter - name: rate - type: float + type: double description: Rate (/s) counter for totalrequests. metric_type: gauge - name: response type: group fields: - name: bytes.rate - type: float + type: double description: Rate (/s) counter for totalresponsebytes. metric_type: gauge - name: bytes.value - type: float + type: double description: Number of response bytes received by specific service or virtual server. metric_type: counter unit: byte - name: count - type: float + type: double description: Number of responses received on specific service or virtual server. metric_type: counter - name: rate - type: float + type: double description: Rate (/s) counter for totalresponses. metric_type: gauge - name: reuse_pool - type: float + type: double description: Number of requests in the idle queue/reuse pool. - name: server type: group 
@@ -67,48 +67,48 @@
type: group
fields:
- name: count
- type: float
+ type: double
description: Number of current connections to the actual servers behind the virtual server.
metric_type: counter
- name: established.count
- type: float
+ type: double
description: Number of server connections in ESTABLISHED state.
metric_type: counter
- name: time_to_first_byte.avg
- type: float
+ type: double
description: Average TTFB (Time To First Byte) between the NetScaler appliance and the server.
metric_type: gauge
- name: surge_queue.count
- type: float
+ type: double
description: Number of requests in the surge queue.
metric_type: counter
- name: throughput
type: group
fields:
- name: rate
- type: float
+ type: double
description: Rate (/s) counter for throughput.
metric_type: gauge
- name: value
- type: float
+ type: double
description: Number of bytes received or sent by specific service (Mbps).
metric_type: counter
- name: transaction
type: group
fields:
- name: active.count
- type: float
+ type: double
description: Number of active transactions handled by specific service.
metric_type: counter
- name: frustrating.count
- type: float
+ type: double
description: Frustrating transactions based on APDEX (Application Performance Index) threshold (>4T).
metric_type: gauge
- name: time_to_last_byte.count
- type: float
+ type: double
description: Total transactions where server TTLB (Time To Last Byte) is calculated.
metric_type: counter
- name: tolerable.count
- type: float
+ type: double
description: Tolerable transactions based on APDEX (Application Performance Index) threshold (>T ;; <4T).
metric_type: counter
diff --git a/packages/citrix_adc/data_stream/system/_dev/test/pipeline/test-system-metrics.log-expected.json b/packages/citrix_adc/data_stream/system/_dev/test/pipeline/test-system-metrics.log-expected.json
index 98e805c1358..4f776591828 100644
--- a/packages/citrix_adc/data_stream/system/_dev/test/pipeline/test-system-metrics.log-expected.json
+++ b/packages/citrix_adc/data_stream/system/_dev/test/pipeline/test-system-metrics.log-expected.json
@@ -10,20 +10,20 @@
"pct": 0.0
},
"avg": {
- "pct": 4.2949673E9
+ "pct": 4.294967295E9
},
"management": {
"pct": 0.9
},
"master": {
- "pct": 4.2949673E9
+ "pct": 4.294967295E9
},
"packets": {
"pct": 0.9
},
"pct": 0.9,
"slave": {
- "pct": 4.2949673E9
+ "pct": 4.294967295E9
}
}
},
@@ -81,20 +81,20 @@
"pct": 0
},
"avg": {
- "pct": 4.2949673E9
+ "pct": 4.294967295E9
},
"management": {
"pct": 0
},
"master": {
- "pct": 4.2949673E9
+ "pct": 4.294967295E9
},
"packets": {
"pct": 0.6
},
"pct": 0.6,
"slave": {
- "pct": 4.2949673E9
+ "pct": 4.294967295E9
}
}
},
diff --git a/packages/citrix_adc/data_stream/system/elasticsearch/ingest_pipeline/default.yml b/packages/citrix_adc/data_stream/system/elasticsearch/ingest_pipeline/default.yml
index 109c908f323..e5188e0bb79 100644
--- a/packages/citrix_adc/data_stream/system/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/citrix_adc/data_stream/system/elasticsearch/ingest_pipeline/default.yml
@@ -70,41 +70,41 @@ processors:
target_field: citrix_adc.system.memory.utilization.pct
ignore_missing: true
ignore_failure: true
- # Renaming and converting fields to float
+ # Renaming and converting fields to double
- convert:
field: json.system.numcpus
target_field: citrix_adc.system.cpu.count
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- convert:
field: json.system.rescpuusage
target_field: citrix_adc.system.cpu.utilization.avg.pct
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- convert:
field: json.system.mastercpuusage
target_field: citrix_adc.system.cpu.utilization.master.pct
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- convert:
field: json.system.slavecpuusage
target_field: citrix_adc.system.cpu.utilization.slave.pct
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- convert:
field: json.system.memsizemb
target_field: citrix_adc.system.memory.size.value
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- convert:
field: json.system.memuseinmb
target_field: citrix_adc.system.memory.usage.value
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- date:
diff --git a/packages/citrix_adc/data_stream/system/fields/fields.yml b/packages/citrix_adc/data_stream/system/fields/fields.yml
index 30dc5f11068..76cc8b7b31c 100644
--- a/packages/citrix_adc/data_stream/system/fields/fields.yml
+++ b/packages/citrix_adc/data_stream/system/fields/fields.yml
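Review bot: The two memory converts copy `json.system.memsizemb` and `json.system.memuseinmb` unchanged into `memory.size.value` and `memory.usage.value`, yet the field definitions later in this diff (the `@@ -66,17` hunk of system/fields/fields.yml) describe both as "in bytes" with `unit: byte`; the source names strongly suggest megabytes, so either the value needs scaling after the convert or the mapping and description should say megabytes — the fixture would settle which, but it is not in this chunk. Separately, the expected output this commit updates shows `avg.pct`, `master.pct` and `slave.pct` as `4.294967295E9`, i.e. 2^32-1, which looks like a "not available" sentinel rather than a percentage; the move to `double` now preserves it exactly, so the percent gauge will carry that value into dashboards and alerts. Dropping it after the convert, for example `- remove: { field: citrix_adc.system.cpu.utilization.avg.pct, if: "ctx.citrix_adc?.system?.cpu?.utilization?.avg?.pct == 4294967295L", ignore_missing: true }` and the same for master and slave, would keep the gauge honest.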
@@ -8,44 +8,44 @@
type: group
fields:
- name: count
- type: float
+ type: double
description: The number of CPUs on the NetScaler appliance.
metric_type: gauge
- name: utilization
type: group
fields:
- name: additional_management.pct
- type: float
+ type: double
description: Additional Management CPU utilization percentage.
metric_type: gauge
unit: percent
- name: avg.pct
- type: float
+ type: double
description: Shows average CPU utilization percentage if more than 1 CPU is present.
metric_type: gauge
unit: percent
- name: management.pct
- type: float
+ type: double
description: Average Management CPU utilization percentage.
metric_type: gauge
unit: percent
- name: master.pct
- type: float
+ type: double
description: CPU 0 (currently the master CPU) utilization, as percentage of capacity.
metric_type: gauge
unit: percent
- name: packets.pct
- type: float
+ type: double
description: Average CPU utilization percentage for all packet engines excluding management PE.
metric_type: gauge
unit: percent
- name: pct
- type: float
+ type: double
description: CPU utilization percentage.
metric_type: gauge
unit: percent
- name: slave.pct
- type: float
+ type: double
description: CPU 1 (currently the slave CPU) utilization, as percentage of capacity.
metric_type: gauge
unit: percent
@@ -53,12 +53,12 @@
type: group
fields:
- name: flash_partition.pct
- type: float
+ type: double
description: Used space in /flash partition of the disk, as a percentage.
metric_type: gauge
unit: percent
- name: var_partition.pct
- type: float
+ type: double
description: Used space in /var partition of the disk, as a percentage.
metric_type: gauge
unit: percent
@@ -66,17 +66,17 @@
type: group
fields:
- name: size.value
- type: float
+ type: double
description: Total amount of system memory, in bytes.
metric_type: gauge
unit: byte
- name: usage.value
- type: float
+ type: double
description: Main memory currently in use, in bytes.
metric_type: gauge
unit: byte
- name: utilization.pct
- type: float
+ type: double
description: Percentage of memory utilization on NetScaler.
metric_type: gauge
unit: percent
diff --git a/packages/citrix_adc/data_stream/vpn/elasticsearch/ingest_pipeline/default.yml b/packages/citrix_adc/data_stream/vpn/elasticsearch/ingest_pipeline/default.yml
index 9a27e10cd46..ca0d6fd4b0d 100644
--- a/packages/citrix_adc/data_stream/vpn/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/citrix_adc/data_stream/vpn/elasticsearch/ingest_pipeline/default.yml
@@ -135,137 +135,137 @@ processors:
target_field: citrix_adc.vpn.sta.response.received.rate
ignore_missing: true
ignore_failure: true
- # Renaming and converting fields to float
+ # Renaming and converting fields to double
- convert:
field: json.vpn.cfghtmlserved
target_field: citrix_adc.vpn.configuration_request_served.count
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- convert:
field: json.vpn.cpsconnfailure
target_field: citrix_adc.vpn.cps.failure.count
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- convert:
field: json.vpn.cpsconnsuccess
target_field: citrix_adc.vpn.cps.success.count
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- convert:
field: json.vpn.csrequesthit
target_field: citrix_adc.vpn.client_server.request.hit.count
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- convert:
field: json.vpn.totalfsrequest
target_field: citrix_adc.vpn.file_system.request.received.count
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- convert:
field: json.vpn.icalicensefailure
target_field: citrix_adc.vpn.ica.license_failure.count
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- convert:
field: json.vpn.indexhtmlhit
target_field: citrix_adc.vpn.login_page.hits
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- convert:
field: json.vpn.vpnlicensefail
target_field: citrix_adc.vpn.login_failed.license_unavailable.count
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- convert:
field: json.vpn.socksclienterror
target_field: citrix_adc.vpn.socks.client_error.count
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- convert:
field: json.vpn.socksconnreqrcvd
target_field: citrix_adc.vpn.socks.connection.request.received.count
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- convert:
field: json.vpn.socksconnreqsent
target_field: citrix_adc.vpn.socks.connection.request.sent.count
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- convert:
field: json.vpn.socksconnresprcvd
target_field: citrix_adc.vpn.socks.connection.response.received.count
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- convert:
field: json.vpn.socksconnrespsent
target_field: citrix_adc.vpn.socks.connection.response.sent.count
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- convert:
field: json.vpn.socksmethreqrcvd
target_field: citrix_adc.vpn.socks.method.request.received.count
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- convert:
field: json.vpn.socksmethreqsent
target_field: citrix_adc.vpn.socks.method.request.sent.count
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- convert:
field: json.vpn.socksmethresprcvd
target_field: citrix_adc.vpn.socks.method.response.received.count
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- convert:
field: json.vpn.socksmethrespsent
target_field: citrix_adc.vpn.socks.method.response.sent.count
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- convert:
field: json.vpn.socksservererror
target_field: citrix_adc.vpn.socks.server_error.count
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- convert:
field: json.vpn.staconnfailure
target_field: citrix_adc.vpn.sta.connection.failure.count
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- convert:
field: json.vpn.staconnsuccess
target_field: citrix_adc.vpn.sta.connection.success.count
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- convert:
field: json.vpn.starequestsent
target_field: citrix_adc.vpn.sta.request.sent.count
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- convert:
field: json.vpn.staresponserecvd
target_field: citrix_adc.vpn.sta.response.received.count
- type: float
+ type: double
ignore_missing: true
ignore_failure: true
- script:
diff --git a/packages/citrix_adc/data_stream/vpn/fields/fields.yml b/packages/citrix_adc/data_stream/vpn/fields/fields.yml
index b4fd013e27f..bf93636f730 100644
--- a/packages/citrix_adc/data_stream/vpn/fields/fields.yml
+++ b/packages/citrix_adc/data_stream/vpn/fields/fields.yml
@@ -14,22 +14,22 @@
type: group
fields:
- name: count
- type: float
+ type: double
description: Number of SSL VPN tunnels formed between VPN server and client.
metric_type: gauge
- name: rate
- type: float
+ type: double
description: Rate (/s) counter for cpsconnsuccess.
metric_type: gauge
- name: configuration_request_served
type: group
fields:
- name: count
- type: float
+ type: double
description: Number of client configuration requests received by VPN server.
metric_type: gauge
- name: rate
- type: float
+ type: double
description: Rate (/s) counter for cfghtmlserved.
metric_type: gauge
- name: cps
@@ -39,22 +39,22 @@
type: group
fields:
- name: count
- type: float
+ type: double
description: Number of CPS connection failures.
metric_type: counter
- name: rate
- type: float
+ type: double
description: Rate (/s) counter for cpsconnfailure.
metric_type: gauge
- name: success
type: group
fields:
- name: count
- type: float
+ type: double
description: Number of CPS connection success.
metric_type: counter
- name: rate
- type: float
+ type: double
description: Rate (/s) counter for cpsconnsuccess.
metric_type: gauge
- name: file_system
@@ -67,11 +67,11 @@
type: group
fields:
- name: count
- type: float
+ type: double
description: Number of file system requests received by VPN server.
metric_type: counter
- name: rate
- type: float
+ type: double
description: Rate (/s) counter for totalfsrequest.
metric_type: gauge
- name: ica
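Review bot: Every convert in this hunk keeps `ignore_failure: true`, so a value the appliance returns that does not parse as a number is silently skipped and the metric simply disappears from the event, with nothing to alert on; if the pipeline's top-level `on_failure` (outside this hunk) records `error.message`, dropping `ignore_failure: true` from these processors would surface such values instead. Also, `double` is exact only up to 2^53; the fields here are monotonic request/connection counters that are presumably 64-bit on the appliance, so `type: long` would keep them exact — unless the source can deliver non-integer strings, which I cannot tell from this chunk. The same two points apply to the service and system pipeline hunks earlier in this diff.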
@@ -81,19 +81,19 @@
type: group
fields:
- name: count
- type: float
+ type: double
description: Number of ICA (Independent Computing Architecture) license failures.
metric_type: counter
- name: rate
- type: float
+ type: double
description: Rate (/s) counter for icalicensefailure.
metric_type: gauge
- name: login_failed.license_unavailable.count
- type: float
+ type: double
description: Number of users not able to login because of license unavailability.
metric_type: counter
- name: login_page.hits
- type: float
+ type: double
description: Number of requests for VPN login page.
metric_type: counter
- name: socks
@@ -103,11 +103,11 @@
type: group
fields:
- name: count
- type: float
+ type: double
description: Number of SOCKS client errors.
metric_type: counter
- name: rate
- type: float
+ type: double
description: Rate (/s) counter for socksclienterror.
metric_type: gauge
- name: connection
@@ -120,22 +120,22 @@
type: group
fields:
- name: count
- type: float
+ type: double
description: Number of received SOCKS connect requests.
metric_type: counter
- name: rate
- type: float
+ type: double
description: Rate (/s) counter for socksconnreqrcvd.
metric_type: gauge
- name: sent
type: group
fields:
- name: count
- type: float
+ type: double
description: Number of sent SOCKS connect requests.
metric_type: counter
- name: rate
- type: float
+ type: double
description: Rate (/s) counter for socksconnreqsent.
metric_type: gauge
- name: response
@@ -145,22 +145,22 @@
type: group
fields:
- name: count
- type: float
+ type: double
description: Number of received SOCKS connect responses.
metric_type: counter
- name: rate
- type: float
+ type: double
description: Rate (/s) counter for socksconnresprcvd.
metric_type: gauge
- name: sent
type: group
fields:
- name: count
- type: float
+ type: double
description: Number of sent SOCKS connect responses.
metric_type: counter
- name: rate
- type: float
+ type: double
description: Rate (/s) counter for socksconnrespsent.
metric_type: gauge
- name: method
@@ -173,22 +173,22 @@
type: group
fields:
- name: count
- type: float
+ type: double
description: Number of received SOCKS method requests.
metric_type: counter
- name: rate
- type: float
+ type: double
description: Rate (/s) counter for socksmethreqrcvd.
metric_type: gauge
- name: sent
type: group
fields:
- name: count
- type: float
+ type: double
description: Number of sent SOCKS method requests.
metric_type: counter
- name: rate
- type: float
+ type: double
description: Rate (/s) counter for socksmethreqsent.
metric_type: gauge
- name: response
@@ -198,33 +198,33 @@
type: group
fields:
- name: count
- type: float
+ type: double
description: Number of received SOCKS method responses.
metric_type: counter
- name: rate
- type: float
+ type: double
description: Rate (/s) counter for socksmethresprcvd.
metric_type: gauge
- name: sent
type: group
fields:
- name: count
- type: float
+ type: double
description: Number of sent SOCKS method responses.
metric_type: counter
- name: rate
- type: float
+ type: double
description: Rate (/s) counter for socksmethrespsent.
metric_type: gauge
- name: server_error
type: group
fields:
- name: count
- type: float
+ type: double
description: Number of SOCKS server errors.
metric_type: counter
- name: rate
- type: float
+ type: double
description: Rate (/s) counter for socksservererror.
metric_type: gauge
- name: sta
@@ -237,22 +237,22 @@
type: group
fields:
- name: count
- type: float
+ type: double
description: Number of STA (Secure Ticket Authority) connection failures.
metric_type: counter
- name: rate
- type: float
+ type: double
description: Rate (/s) counter for staconnfailure.
metric_type: gauge
- name: success
type: group
fields:
- name: count
- type: float
+ type: double
description: Number of STA (Secure Ticket Authority) connection success.
metric_type: counter
- name: rate
- type: float
+ type: double
description: Rate (/s) counter for staconnsuccess.
metric_type: gauge
- name: request
@@ -262,11 +262,11 @@
type: group
fields:
- name: count
- type: float
+ type: double
description: Number of STA (Secure Ticket Authority) requests sent.
metric_type: counter
- name: rate
- type: float
+ type: double
description: Rate (/s) counter for starequestsent.
metric_type: gauge
- name: response
@@ -276,10 +276,10 @@
type: group
fields:
- name: count
- type: float
+ type: double
description: Number of STA (Secure Ticket Authority) responses received.
metric_type: counter
- name: rate
- type: float
+ type: double
description: Rate (/s) counter for staresponserecvd.
metric_type: gauge
diff --git a/packages/citrix_adc/docs/README.md b/packages/citrix_adc/docs/README.md
index 6e539df5293..c0206fec4af 100644
--- a/packages/citrix_adc/docs/README.md
+++ b/packages/citrix_adc/docs/README.md
@@ -209,43 +209,43 @@ An example event for `interface` looks as following:
| Field | Description | Type | Unit | Metric Type |
|---|---|---|---|---|
| @timestamp | Event timestamp. | date | | |
-| citrix_adc.interface.disabled.count | Number of times the specified interface is disabled by the NetScaler. | float | | counter |
+| citrix_adc.interface.disabled.count | Number of times the specified interface is disabled by the NetScaler. | double | | counter |
| citrix_adc.interface.link.down_time | Duration for which the link is DOWN. | keyword | | |
| citrix_adc.interface.link.up_time | Duration for which the link is UP. | keyword | | |
-| citrix_adc.interface.mac.moved.count | Number of MAC moves between ports. | float | | counter |
-| citrix_adc.interface.mac.moved.rate | Rate (/s) counter for totmacmoved. | float | | gauge |
-| citrix_adc.interface.packets.inbound.dropped.count | Number of inbound packets dropped by the specified interface. | float | | counter |
-| citrix_adc.interface.packets.inbound.dropped.rate | Rate (/s) counter for errdroppedrxpkts. | float | | gauge |
-| citrix_adc.interface.packets.inbound.dropped_by_hardware.count | Number of inbound packets dropped by the hardware on a specified interface once the NetScaler appliance starts or the interface statistics are cleared. | float | | counter |
-| citrix_adc.interface.packets.inbound.dropped_by_hardware.rate | Rate (/s) counter for errpktrx. | float | | gauge |
-| citrix_adc.interface.packets.inbound.error_free.discarded.count | Number of error-free inbound packets discarded by the specified interface due to a lack of resources. | float | | counter |
-| citrix_adc.interface.packets.inbound.error_free.discarded.rate | Rate (/s) counter for errifindiscards. | float | | gauge |
-| citrix_adc.interface.packets.outbound.dropped_by_hardware.count | Number of outbound packets dropped by the hardware on a specified interface since the NetScaler appliance was started or the interface statistics were cleared. | float | | counter |
-| citrix_adc.interface.packets.outbound.dropped_by_hardware.rate | Rate (/s) counter for errpkttx. | float | | gauge |
-| citrix_adc.interface.packets.outbound.error_free.discarded.count | Number of error-free outbound packets discarded by the specified interface due to a lack of resources. | float | | counter |
-| citrix_adc.interface.packets.outbound.error_free.discarded.rate | Rate (/s) counter for nicerrifoutdiscards. | float | | gauge |
-| citrix_adc.interface.packets.received.count | Number of packets received by an interface since the NetScaler appliance was started or the interface statistics were cleared. | float | | counter |
-| citrix_adc.interface.packets.received.jumbo.count | Number of Jumbo Packets received on specified interface. | float | | counter |
-| citrix_adc.interface.packets.received.jumbo.rate | Rate (/s) counter for jumbopktsreceived. | float | | gauge |
-| citrix_adc.interface.packets.received.multicast.count | Number of multicast packets received by the specified interface since the NetScaler appliance was started or the interface statistics were cleared. | float | | counter |
-| citrix_adc.interface.packets.received.multicast.rate | Rate (/s) counter for nictotmulticastpkts. | float | | gauge |
-| citrix_adc.interface.packets.received.rate | Rate (/s) counter for totrxpkts. | float | | gauge |
-| citrix_adc.interface.packets.received.tagged.count | Number of Tagged Packets received on specified Trunk interface through Allowed VLan List. | float | | counter |
-| citrix_adc.interface.packets.received.tagged.rate | Rate (/s) counter for trunkpktsreceived. | float | | gauge |
-| citrix_adc.interface.packets.transmission.dropped.count | Number of packets dropped in transmission by the specified interface due to one of the following reasons. (1) VLAN mismatch. (2) Oversized packets. (3) Interface congestion. (4) Loopback packets sent on non loopback interface. | float | | |
-| citrix_adc.interface.packets.transmission.dropped.rate | Rate (/s) counter for errdroppedtxpkts. | float | | |
-| citrix_adc.interface.packets.transmitted.count | Number of packets transmitted by an interface since the NetScaler appliance was started or the interface statistics were cleared. | float | | counter |
-| citrix_adc.interface.packets.transmitted.jumbo.count | Number of Jumbo packets transmitted on specified interface by upper layer, with TSO enabled actual trasmission size could be non Jumbo. | float | | counter |
-| citrix_adc.interface.packets.transmitted.jumbo.rate | Rate (/s) counter for jumbopktstransmitted. | float | | gauge |
-| citrix_adc.interface.packets.transmitted.rate | Rate (/s) counter for tottxpkts. | float | | gauge |
-| citrix_adc.interface.packets.transmitted.tagged.count | Number of Tagged Packets transmitted on specified Trunk interface through Allowed VLan List. | float | | counter |
-| citrix_adc.interface.packets.transmitted.tagged.rate | Rate (/s) counter for trunkpktstransmitted. | float | | gauge |
-| citrix_adc.interface.received.bytes.rate | Rate (/s) counter for totrxbytes. | float | | gauge |
-| citrix_adc.interface.received.bytes.value | Number of bytes received by an interface since the NetScaler appliance was started or the interface statistics were cleared. | float | byte | counter |
-| citrix_adc.interface.stalled.count | Number of times the interface stalled, when receiving packets, since the NetScaler appliance was started or the interface statistics were cleared. | float | | counter |
+| citrix_adc.interface.mac.moved.count | Number of MAC moves between ports. | double | | counter |
+| citrix_adc.interface.mac.moved.rate | Rate (/s) counter for totmacmoved. | double | | gauge |
+| citrix_adc.interface.packets.inbound.dropped.count | Number of inbound packets dropped by the specified interface. | double | | counter |
+| citrix_adc.interface.packets.inbound.dropped.rate | Rate (/s) counter for errdroppedrxpkts. | double | | gauge |
+| citrix_adc.interface.packets.inbound.dropped_by_hardware.count | Number of inbound packets dropped by the hardware on a specified interface once the NetScaler appliance starts or the interface statistics are cleared. | double | | counter |
+| citrix_adc.interface.packets.inbound.dropped_by_hardware.rate | Rate (/s) counter for errpktrx. | double | | gauge |
+| citrix_adc.interface.packets.inbound.error_free.discarded.count | Number of error-free inbound packets discarded by the specified interface due to a lack of resources. | double | | counter |
+| citrix_adc.interface.packets.inbound.error_free.discarded.rate | Rate (/s) counter for errifindiscards. | double | | gauge |
+| citrix_adc.interface.packets.outbound.dropped_by_hardware.count | Number of outbound packets dropped by the hardware on a specified interface since the NetScaler appliance was started or the interface statistics were cleared. | double | | counter |
+| citrix_adc.interface.packets.outbound.dropped_by_hardware.rate | Rate (/s) counter for errpkttx. | double | | gauge |
+| citrix_adc.interface.packets.outbound.error_free.discarded.count | Number of error-free outbound packets discarded by the specified interface due to a lack of resources. | double | | counter |
+| citrix_adc.interface.packets.outbound.error_free.discarded.rate | Rate (/s) counter for nicerrifoutdiscards. | double | | gauge |
+| citrix_adc.interface.packets.received.count | Number of packets received by an interface since the NetScaler appliance was started or the interface statistics were cleared. | double | | counter |
+| citrix_adc.interface.packets.received.jumbo.count | Number of Jumbo Packets received on specified interface. | double | | counter |
+| citrix_adc.interface.packets.received.jumbo.rate | Rate (/s) counter for jumbopktsreceived. | double | | gauge |
+| citrix_adc.interface.packets.received.multicast.count | Number of multicast packets received by the specified interface since the NetScaler appliance was started or the interface statistics were cleared. | double | | counter |
+| citrix_adc.interface.packets.received.multicast.rate | Rate (/s) counter for nictotmulticastpkts. | double | | gauge |
+| citrix_adc.interface.packets.received.rate | Rate (/s) counter for totrxpkts. | double | | gauge |
+| citrix_adc.interface.packets.received.tagged.count | Number of Tagged Packets received on specified Trunk interface through Allowed VLan List. | double | | counter |
+| citrix_adc.interface.packets.received.tagged.rate | Rate (/s) counter for trunkpktsreceived. | double | | gauge |
+| citrix_adc.interface.packets.transmission.dropped.count | Number of packets dropped in transmission by the specified interface due to one of the following reasons. (1) VLAN mismatch. (2) Oversized packets. (3) Interface congestion. (4) Loopback packets sent on non loopback interface. | double | | |
+| citrix_adc.interface.packets.transmission.dropped.rate | Rate (/s) counter for errdroppedtxpkts. | double | | |
+| citrix_adc.interface.packets.transmitted.count | Number of packets transmitted by an interface since the NetScaler appliance was started or the interface statistics were cleared. | double | | counter |
+| citrix_adc.interface.packets.transmitted.jumbo.count | Number of Jumbo packets transmitted on specified interface by upper layer, with TSO enabled actual trasmission size could be non Jumbo. | double | | counter |
+| citrix_adc.interface.packets.transmitted.jumbo.rate | Rate (/s) counter for jumbopktstransmitted. | double | | gauge |
+| citrix_adc.interface.packets.transmitted.rate | Rate (/s) counter for tottxpkts. | double | | gauge |
+| citrix_adc.interface.packets.transmitted.tagged.count | Number of Tagged Packets transmitted on specified Trunk interface through Allowed VLan List. | double | | counter |
+| citrix_adc.interface.packets.transmitted.tagged.rate | Rate (/s) counter for trunkpktstransmitted. | double | | gauge |
+| citrix_adc.interface.received.bytes.rate | Rate (/s) counter for totrxbytes. | double | | gauge |
+| citrix_adc.interface.received.bytes.value | Number of bytes received by an interface since the NetScaler appliance was started or the interface statistics were cleared. | double | byte | counter |
+| citrix_adc.interface.stalled.count | Number of times the interface stalled, when receiving packets, since the NetScaler appliance was started or the interface statistics were cleared. | double | | counter |
| citrix_adc.interface.state | Current state of the specified interface. | keyword | | |
-| citrix_adc.interface.transmitted.bytes.rate | Rate (/s) counter for tottxbytes. | float | | gauge |
-| citrix_adc.interface.transmitted.bytes.value | Number of bytes transmitted by an interface since the NetScaler appliance was started or the interface statistics were cleared. | float | byte | counter |
+| citrix_adc.interface.transmitted.bytes.rate | Rate (/s) counter for tottxbytes. | double | | gauge |
+| citrix_adc.interface.transmitted.bytes.value | Number of bytes transmitted by an interface since the NetScaler appliance was started or the interface statistics were cleared. | double | byte | counter |
| data_stream.dataset | Data stream dataset. | constant_keyword | | |
| data_stream.namespace | Data stream namespace. | constant_keyword | | |
| data_stream.type | Data stream type. | constant_keyword | | |
@@ -438,41 +438,41 @@ An example event for `lbvserver` looks as following:
 | Field | Description | Type | Unit | Metric Type |
 |---|---|---|---|---|
 | @timestamp | Event timestamp. | date | | |
-| citrix_adc.lbvserver.client.connections.current.count | Number of current client connections. | float | | gauge |
-| citrix_adc.lbvserver.client.connections.established.count | Number of client connections in ESTABLISHED state. | float | | gauge |
-| citrix_adc.lbvserver.client.response_time.application_performance_index | Vserver APDEX (Application Performance Index) index based on client response times. | float | | |
-| citrix_adc.lbvserver.connections.actual.count | Number of current connections to the actual servers behind the virtual server. | float | | gauge |
-| citrix_adc.lbvserver.down.backup.hits | Number of times traffic was diverted to the backup vserver since the primary vserver was DOWN. | float | | counter |
-| citrix_adc.lbvserver.health | Health of the vserver. This gives percentage of UP services bound to the vserver. | float | | |
-| citrix_adc.lbvserver.hit.count | Total vserver hits. | float | | counter |
-| citrix_adc.lbvserver.hit.rate | Rate (/s) counter for tothits. | float | | gauge |
+| citrix_adc.lbvserver.client.connections.current.count | Number of current client connections. | double | | gauge |
+| citrix_adc.lbvserver.client.connections.established.count | Number of client connections in ESTABLISHED state. | double | | gauge |
+| citrix_adc.lbvserver.client.response_time.application_performance_index | Vserver APDEX (Application Performance Index) index based on client response times. | double | | |
+| citrix_adc.lbvserver.connections.actual.count | Number of current connections to the actual servers behind the virtual server. | double | | gauge |
+| citrix_adc.lbvserver.down.backup.hits | Number of times traffic was diverted to the backup vserver since the primary vserver was DOWN. 
| double | | counter |
+| citrix_adc.lbvserver.health | Health of the vserver. This gives percentage of UP services bound to the vserver. | double | | |
+| citrix_adc.lbvserver.hit.count | Total vserver hits. | double | | counter |
+| citrix_adc.lbvserver.hit.rate | Rate (/s) counter for tothits. | double | | gauge |
 | citrix_adc.lbvserver.name | Name of the virtual server. | keyword | | |
-| citrix_adc.lbvserver.packets.received.count | Total number of packets received by the service or virtual server. | float | | counter |
-| citrix_adc.lbvserver.packets.sent.count | Total number of packets sent. | float | | counter |
-| citrix_adc.lbvserver.packets.sent.rate | Rate (/s) counter for totalpktssent. | float | | gauge |
+| citrix_adc.lbvserver.packets.received.count | Total number of packets received by the service or virtual server. | double | | counter |
+| citrix_adc.lbvserver.packets.sent.count | Total number of packets sent. | double | | counter |
+| citrix_adc.lbvserver.packets.sent.rate | Rate (/s) counter for totalpktssent. | double | | gauge |
 | citrix_adc.lbvserver.protocol | Protocol associated with the vserver. | keyword | | |
-| citrix_adc.lbvserver.request.deferred.count | Number of deferred requests on specific vserver. | float | | counter |
-| citrix_adc.lbvserver.request.deferred.rate | Rate (/s) counter for deferredreq. | float | | gauge |
-| citrix_adc.lbvserver.request.received.bytes.rate | Rate (/s) counter for totalrequestbytes. | float | | gauge |
-| citrix_adc.lbvserver.request.received.bytes.value | Total number of request bytes received on the service or virtual server. | float | byte | counter |
-| citrix_adc.lbvserver.request.received.count | Total number of requests received on the service or virtual server. | float | | counter |
-| citrix_adc.lbvserver.request.received.rate | Rate (/s) counter for totalrequests. | float | | gauge |
-| citrix_adc.lbvserver.request.surge_queue.count | Number of requests in the surge queue. 
| float | | gauge |
-| citrix_adc.lbvserver.request.waiting.count | Number of requests waiting on specific vserver. | float | | gauge |
-| citrix_adc.lbvserver.requests_responses.dropped.count | Number invalid requests/responses dropped on the vserver. | float | | counter |
-| citrix_adc.lbvserver.requests_responses.invalid.count | Number invalid requests/responses on the vserver. | float | | counter |
-| citrix_adc.lbvserver.response.received.bytes.rate | Rate (/s) counter for totalresponsebytes. | float | | gauge |
-| citrix_adc.lbvserver.response.received.bytes.value | Number of response bytes received by the service or virtual server. | float | byte | counter |
-| citrix_adc.lbvserver.response.received.count | Number of responses received on the service or virtual server. | float | | counter |
-| citrix_adc.lbvserver.response.received.rate | Rate (/s) counter for totalresponses. | float | | gauge |
-| citrix_adc.lbvserver.service.active.count | Number of ACTIVE services bound to a vserver. | float | | gauge |
-| citrix_adc.lbvserver.service.inactive.count | Number of INACTIVE services bound to a vserver. | float | | gauge |
-| citrix_adc.lbvserver.spillover.count | Number of times vserver experienced spill over. | float | | counter |
+| citrix_adc.lbvserver.request.deferred.count | Number of deferred requests on specific vserver. | double | | counter |
+| citrix_adc.lbvserver.request.deferred.rate | Rate (/s) counter for deferredreq. | double | | gauge |
+| citrix_adc.lbvserver.request.received.bytes.rate | Rate (/s) counter for totalrequestbytes. | double | | gauge |
+| citrix_adc.lbvserver.request.received.bytes.value | Total number of request bytes received on the service or virtual server. | double | byte | counter |
+| citrix_adc.lbvserver.request.received.count | Total number of requests received on the service or virtual server. | double | | counter |
+| citrix_adc.lbvserver.request.received.rate | Rate (/s) counter for totalrequests. 
| double | | gauge |
+| citrix_adc.lbvserver.request.surge_queue.count | Number of requests in the surge queue. | double | | gauge |
+| citrix_adc.lbvserver.request.waiting.count | Number of requests waiting on specific vserver. | double | | gauge |
+| citrix_adc.lbvserver.requests_responses.dropped.count | Number invalid requests/responses dropped on the vserver. | double | | counter |
+| citrix_adc.lbvserver.requests_responses.invalid.count | Number invalid requests/responses on the vserver. | double | | counter |
+| citrix_adc.lbvserver.response.received.bytes.rate | Rate (/s) counter for totalresponsebytes. | double | | gauge |
+| citrix_adc.lbvserver.response.received.bytes.value | Number of response bytes received by the service or virtual server. | double | byte | counter |
+| citrix_adc.lbvserver.response.received.count | Number of responses received on the service or virtual server. | double | | counter |
+| citrix_adc.lbvserver.response.received.rate | Rate (/s) counter for totalresponses. | double | | gauge |
+| citrix_adc.lbvserver.service.active.count | Number of ACTIVE services bound to a vserver. | double | | gauge |
+| citrix_adc.lbvserver.service.inactive.count | Number of INACTIVE services bound to a vserver. | double | | gauge |
+| citrix_adc.lbvserver.spillover.count | Number of times vserver experienced spill over. | double | | counter |
 | citrix_adc.lbvserver.state | Current state of the server. | keyword | | |
-| citrix_adc.lbvserver.threshold.spillover | Spill Over Threshold set on the vserver. | float | | gauge |
-| citrix_adc.lbvserver.time_to_last_byte.avg | Average TTLB (Time To Last Byte) between the client and the server. | float | | gauge |
-| citrix_adc.lbvserver.transaction.frustrating.count | Frustrating transactions based on APDEX (Application Performance Index) threshold. | float | | gauge |
-| citrix_adc.lbvserver.transaction.tolerable.count | Tolerable transactions based on APDEX (Application Performance Index) threshold. 
| float | | gauge |
+| citrix_adc.lbvserver.threshold.spillover | Spill Over Threshold set on the vserver. | double | | gauge |
+| citrix_adc.lbvserver.time_to_last_byte.avg | Average TTLB (Time To Last Byte) between the client and the server. | double | | gauge |
+| citrix_adc.lbvserver.transaction.frustrating.count | Frustrating transactions based on APDEX (Application Performance Index) threshold. | double | | gauge |
+| citrix_adc.lbvserver.transaction.tolerable.count | Tolerable transactions based on APDEX (Application Performance Index) threshold. | double | | gauge |
 | data_stream.dataset | Data stream dataset. | constant_keyword | | |
 | data_stream.namespace | Data stream namespace. | constant_keyword | | |
 | data_stream.type | Data stream type. | constant_keyword | | | 
@@ -621,28 +621,28 @@ An example event for `service` looks as following:
 | Field | Description | Type | Unit | Metric Type |
 |---|---|---|---|---|
 | @timestamp | Event timestamp. | date | | |
-| citrix_adc.service.client_connection.count | Number of current client connections. | float | | counter |
+| citrix_adc.service.client_connection.count | Number of current client connections. | double | | counter |
 | citrix_adc.service.primary.ip_address | The IP address on which specific service is running. | ip | | |
 | citrix_adc.service.primary.port | The port on which the service is running. | long | | |
-| citrix_adc.service.request.bytes.rate | Rate (/s) counter for totalrequestbytes. | float | | gauge |
-| citrix_adc.service.request.bytes.value | Total number of request bytes received on specific service or virtual server. | float | byte | counter |
-| citrix_adc.service.request.count | Total number of requests received on specific service or virtual server. | float | | counter |
-| citrix_adc.service.request.rate | Rate (/s) counter for totalrequests. | float | | gauge |
-| citrix_adc.service.response.bytes.rate | Rate (/s) counter for totalresponsebytes. | float | | gauge |
-| citrix_adc.service.response.bytes.value | Number of response bytes received by specific service or virtual server. | float | byte | counter |
-| citrix_adc.service.response.count | Number of responses received on specific service or virtual server. | float | | counter |
-| citrix_adc.service.response.rate | Rate (/s) counter for totalresponses. | float | | gauge |
-| citrix_adc.service.reuse_pool | Number of requests in the idle queue/reuse pool. | float | | |
-| citrix_adc.service.server.connection.count | Number of current connections to the actual servers behind the virtual server. | float | | counter |
-| citrix_adc.service.server.connection.established.count | Number of server connections in ESTABLISHED state. 
| float | | counter |
-| citrix_adc.service.server.time_to_first_byte.avg | Average TTFB (Time To First Byte) between the NetScaler appliance and the server. | float | | gauge |
-| citrix_adc.service.surge_queue.count | Number of requests in the surge queue. | float | | counter |
-| citrix_adc.service.throughput.rate | Rate (/s) counter for throughput. | float | | gauge |
-| citrix_adc.service.throughput.value | Number of bytes received or sent by specific service (Mbps). | float | | counter |
-| citrix_adc.service.transaction.active.count | Number of active transactions handled by specific service. | float | | counter |
-| citrix_adc.service.transaction.frustrating.count | Frustrating transactions based on APDEX (Application Performance Index) threshold (\>4T). | float | | gauge |
-| citrix_adc.service.transaction.time_to_last_byte.count | Total transactions where server TTLB (Time To Last Byte) is calculated. | float | | counter |
-| citrix_adc.service.transaction.tolerable.count | Tolerable transactions based on APDEX (Application Performance Index) threshold (\>T ;; \<4T). | float | | counter |
+| citrix_adc.service.request.bytes.rate | Rate (/s) counter for totalrequestbytes. | double | | gauge |
+| citrix_adc.service.request.bytes.value | Total number of request bytes received on specific service or virtual server. | double | byte | counter |
+| citrix_adc.service.request.count | Total number of requests received on specific service or virtual server. | double | | counter |
+| citrix_adc.service.request.rate | Rate (/s) counter for totalrequests. | double | | gauge |
+| citrix_adc.service.response.bytes.rate | Rate (/s) counter for totalresponsebytes. | double | | gauge |
+| citrix_adc.service.response.bytes.value | Number of response bytes received by specific service or virtual server. | double | byte | counter |
+| citrix_adc.service.response.count | Number of responses received on specific service or virtual server. 
| double | | counter |
+| citrix_adc.service.response.rate | Rate (/s) counter for totalresponses. | double | | gauge |
+| citrix_adc.service.reuse_pool | Number of requests in the idle queue/reuse pool. | double | | |
+| citrix_adc.service.server.connection.count | Number of current connections to the actual servers behind the virtual server. | double | | counter |
+| citrix_adc.service.server.connection.established.count | Number of server connections in ESTABLISHED state. | double | | counter |
+| citrix_adc.service.server.time_to_first_byte.avg | Average TTFB (Time To First Byte) between the NetScaler appliance and the server. | double | | gauge |
+| citrix_adc.service.surge_queue.count | Number of requests in the surge queue. | double | | counter |
+| citrix_adc.service.throughput.rate | Rate (/s) counter for throughput. | double | | gauge |
+| citrix_adc.service.throughput.value | Number of bytes received or sent by specific service (Mbps). | double | | counter |
+| citrix_adc.service.transaction.active.count | Number of active transactions handled by specific service. | double | | counter |
+| citrix_adc.service.transaction.frustrating.count | Frustrating transactions based on APDEX (Application Performance Index) threshold (\>4T). | double | | gauge |
+| citrix_adc.service.transaction.time_to_last_byte.count | Total transactions where server TTLB (Time To Last Byte) is calculated. | double | | counter |
+| citrix_adc.service.transaction.tolerable.count | Tolerable transactions based on APDEX (Application Performance Index) threshold (\>T ;; \<4T). | double | | counter |
 | data_stream.dataset | Data stream dataset. | constant_keyword | | |
 | data_stream.namespace | Data stream namespace. | constant_keyword | | |
 | data_stream.type | Data stream type. | constant_keyword | | | 
@@ -774,19 +774,19 @@ An example event for `system` looks as following:
 | Field | Description | Type | Unit | Metric Type |
 |---|---|---|---|---|
 | @timestamp | Event timestamp. | date | | |
-| citrix_adc.system.cpu.count | The number of CPUs on the NetScaler appliance. | float | | gauge |
-| citrix_adc.system.cpu.utilization.additional_management.pct | Additional Management CPU utilization percentage. | float | percent | gauge |
-| citrix_adc.system.cpu.utilization.avg.pct | Shows average CPU utilization percentage if more than 1 CPU is present. | float | percent | gauge |
-| citrix_adc.system.cpu.utilization.management.pct | Average Management CPU utilization percentage. | float | percent | gauge |
-| citrix_adc.system.cpu.utilization.master.pct | CPU 0 (currently the master CPU) utilization, as percentage of capacity. | float | percent | gauge |
-| citrix_adc.system.cpu.utilization.packets.pct | Average CPU utilization percentage for all packet engines excluding management PE. | float | percent | gauge |
-| citrix_adc.system.cpu.utilization.pct | CPU utilization percentage. | float | percent | gauge |
-| citrix_adc.system.cpu.utilization.slave.pct | CPU 1 (currently the slave CPU) utilization, as percentage of capacity. | float | percent | gauge |
-| citrix_adc.system.disk.usage.flash_partition.pct | Used space in /flash partition of the disk, as a percentage. | float | percent | gauge |
-| citrix_adc.system.disk.usage.var_partition.pct | Used space in /var partition of the disk, as a percentage. | float | percent | gauge |
-| citrix_adc.system.memory.size.value | Total amount of system memory, in bytes. | float | byte | gauge |
-| citrix_adc.system.memory.usage.value | Main memory currently in use, in bytes. | float | byte | gauge |
-| citrix_adc.system.memory.utilization.pct | Percentage of memory utilization on NetScaler. | float | percent | gauge |
+| citrix_adc.system.cpu.count | The number of CPUs on the NetScaler appliance. 
| double | | gauge |
+| citrix_adc.system.cpu.utilization.additional_management.pct | Additional Management CPU utilization percentage. | double | percent | gauge |
+| citrix_adc.system.cpu.utilization.avg.pct | Shows average CPU utilization percentage if more than 1 CPU is present. | double | percent | gauge |
+| citrix_adc.system.cpu.utilization.management.pct | Average Management CPU utilization percentage. | double | percent | gauge |
+| citrix_adc.system.cpu.utilization.master.pct | CPU 0 (currently the master CPU) utilization, as percentage of capacity. | double | percent | gauge |
+| citrix_adc.system.cpu.utilization.packets.pct | Average CPU utilization percentage for all packet engines excluding management PE. | double | percent | gauge |
+| citrix_adc.system.cpu.utilization.pct | CPU utilization percentage. | double | percent | gauge |
+| citrix_adc.system.cpu.utilization.slave.pct | CPU 1 (currently the slave CPU) utilization, as percentage of capacity. | double | percent | gauge |
+| citrix_adc.system.disk.usage.flash_partition.pct | Used space in /flash partition of the disk, as a percentage. | double | percent | gauge |
+| citrix_adc.system.disk.usage.var_partition.pct | Used space in /var partition of the disk, as a percentage. | double | percent | gauge |
+| citrix_adc.system.memory.size.value | Total amount of system memory, in bytes. | double | byte | gauge |
+| citrix_adc.system.memory.usage.value | Main memory currently in use, in bytes. | double | byte | gauge |
+| citrix_adc.system.memory.utilization.pct | Percentage of memory utilization on NetScaler. | double | percent | gauge |
 | citrix_adc.system.start.time | Time when the NetScaler appliance was last started. | date | | |
 | data_stream.dataset | Data stream dataset. | constant_keyword | | |
 | data_stream.namespace | Data stream namespace. | constant_keyword | | | 
@@ -989,48 +989,48 @@ An example event for `vpn` looks as following:
 | Field | Description | Type | Metric Type |
 |---|---|---|---|
 | @timestamp | Event timestamp. | date | |
-| citrix_adc.vpn.client_server.request.hit.count | Number of SSL VPN tunnels formed between VPN server and client. | float | gauge |
-| citrix_adc.vpn.client_server.request.hit.rate | Rate (/s) counter for cpsconnsuccess. | float | gauge |
-| citrix_adc.vpn.configuration_request_served.count | Number of client configuration requests received by VPN server. | float | gauge |
-| citrix_adc.vpn.configuration_request_served.rate | Rate (/s) counter for cfghtmlserved. | float | gauge |
-| citrix_adc.vpn.cps.failure.count | Number of CPS connection failures. | float | counter |
-| citrix_adc.vpn.cps.failure.rate | Rate (/s) counter for cpsconnfailure. | float | gauge |
-| citrix_adc.vpn.cps.success.count | Number of CPS connection success. | float | counter |
-| citrix_adc.vpn.cps.success.rate | Rate (/s) counter for cpsconnsuccess. | float | gauge |
-| citrix_adc.vpn.file_system.request.received.count | Number of file system requests received by VPN server. | float | counter |
-| citrix_adc.vpn.file_system.request.received.rate | Rate (/s) counter for totalfsrequest. | float | gauge |
-| citrix_adc.vpn.ica.license_failure.count | Number of ICA (Independent Computing Architecture) license failures. | float | counter |
-| citrix_adc.vpn.ica.license_failure.rate | Rate (/s) counter for icalicensefailure. | float | gauge |
-| citrix_adc.vpn.login_failed.license_unavailable.count | Number of users not able to login because of license unavailability. | float | counter |
-| citrix_adc.vpn.login_page.hits | Number of requests for VPN login page. | float | counter |
-| citrix_adc.vpn.socks.client_error.count | Number of SOCKS client errors. | float | counter |
-| citrix_adc.vpn.socks.client_error.rate | Rate (/s) counter for socksclienterror. 
| float | gauge |
-| citrix_adc.vpn.socks.connection.request.received.count | Number of received SOCKS connect requests. | float | counter |
-| citrix_adc.vpn.socks.connection.request.received.rate | Rate (/s) counter for socksconnreqrcvd. | float | gauge |
-| citrix_adc.vpn.socks.connection.request.sent.count | Number of sent SOCKS connect requests. | float | counter |
-| citrix_adc.vpn.socks.connection.request.sent.rate | Rate (/s) counter for socksconnreqsent. | float | gauge |
-| citrix_adc.vpn.socks.connection.response.received.count | Number of received SOCKS connect responses. | float | counter |
-| citrix_adc.vpn.socks.connection.response.received.rate | Rate (/s) counter for socksconnresprcvd. | float | gauge |
-| citrix_adc.vpn.socks.connection.response.sent.count | Number of sent SOCKS connect responses. | float | counter |
-| citrix_adc.vpn.socks.connection.response.sent.rate | Rate (/s) counter for socksconnrespsent. | float | gauge |
-| citrix_adc.vpn.socks.method.request.received.count | Number of received SOCKS method requests. | float | counter |
-| citrix_adc.vpn.socks.method.request.received.rate | Rate (/s) counter for socksmethreqrcvd. | float | gauge |
-| citrix_adc.vpn.socks.method.request.sent.count | Number of sent SOCKS method requests. | float | counter |
-| citrix_adc.vpn.socks.method.request.sent.rate | Rate (/s) counter for socksmethreqsent. | float | gauge |
-| citrix_adc.vpn.socks.method.response.received.count | Number of received SOCKS method responses. | float | counter |
-| citrix_adc.vpn.socks.method.response.received.rate | Rate (/s) counter for socksmethresprcvd. | float | gauge |
-| citrix_adc.vpn.socks.method.response.sent.count | Number of sent SOCKS method responses. | float | counter |
-| citrix_adc.vpn.socks.method.response.sent.rate | Rate (/s) counter for socksmethrespsent. | float | gauge |
-| citrix_adc.vpn.socks.server_error.count | Number of SOCKS server errors. 
| float | counter |
-| citrix_adc.vpn.socks.server_error.rate | Rate (/s) counter for socksservererror. | float | gauge |
-| citrix_adc.vpn.sta.connection.failure.count | Number of STA (Secure Ticket Authority) connection failures. | float | counter |
-| citrix_adc.vpn.sta.connection.failure.rate | Rate (/s) counter for staconnfailure. | float | gauge |
-| citrix_adc.vpn.sta.connection.success.count | Number of STA (Secure Ticket Authority) connection success. | float | counter |
-| citrix_adc.vpn.sta.connection.success.rate | Rate (/s) counter for staconnsuccess. | float | gauge |
-| citrix_adc.vpn.sta.request.sent.count | Number of STA (Secure Ticket Authority) requests sent. | float | counter |
-| citrix_adc.vpn.sta.request.sent.rate | Rate (/s) counter for starequestsent. | float | gauge |
-| citrix_adc.vpn.sta.response.received.count | Number of STA (Secure Ticket Authority) responses received. | float | counter |
-| citrix_adc.vpn.sta.response.received.rate | Rate (/s) counter for staresponserecvd. | float | gauge |
+| citrix_adc.vpn.client_server.request.hit.count | Number of SSL VPN tunnels formed between VPN server and client. | double | gauge |
+| citrix_adc.vpn.client_server.request.hit.rate | Rate (/s) counter for cpsconnsuccess. | double | gauge |
+| citrix_adc.vpn.configuration_request_served.count | Number of client configuration requests received by VPN server. | double | gauge |
+| citrix_adc.vpn.configuration_request_served.rate | Rate (/s) counter for cfghtmlserved. | double | gauge |
+| citrix_adc.vpn.cps.failure.count | Number of CPS connection failures. | double | counter |
+| citrix_adc.vpn.cps.failure.rate | Rate (/s) counter for cpsconnfailure. | double | gauge |
+| citrix_adc.vpn.cps.success.count | Number of CPS connection success. | double | counter |
+| citrix_adc.vpn.cps.success.rate | Rate (/s) counter for cpsconnsuccess. 
| double | gauge |
+| citrix_adc.vpn.file_system.request.received.count | Number of file system requests received by VPN server. | double | counter |
+| citrix_adc.vpn.file_system.request.received.rate | Rate (/s) counter for totalfsrequest. | double | gauge |
+| citrix_adc.vpn.ica.license_failure.count | Number of ICA (Independent Computing Architecture) license failures. | double | counter |
+| citrix_adc.vpn.ica.license_failure.rate | Rate (/s) counter for icalicensefailure. | double | gauge |
+| citrix_adc.vpn.login_failed.license_unavailable.count | Number of users not able to login because of license unavailability. | double | counter |
+| citrix_adc.vpn.login_page.hits | Number of requests for VPN login page. | double | counter |
+| citrix_adc.vpn.socks.client_error.count | Number of SOCKS client errors. | double | counter |
+| citrix_adc.vpn.socks.client_error.rate | Rate (/s) counter for socksclienterror. | double | gauge |
+| citrix_adc.vpn.socks.connection.request.received.count | Number of received SOCKS connect requests. | double | counter |
+| citrix_adc.vpn.socks.connection.request.received.rate | Rate (/s) counter for socksconnreqrcvd. | double | gauge |
+| citrix_adc.vpn.socks.connection.request.sent.count | Number of sent SOCKS connect requests. | double | counter |
+| citrix_adc.vpn.socks.connection.request.sent.rate | Rate (/s) counter for socksconnreqsent. | double | gauge |
+| citrix_adc.vpn.socks.connection.response.received.count | Number of received SOCKS connect responses. | double | counter |
+| citrix_adc.vpn.socks.connection.response.received.rate | Rate (/s) counter for socksconnresprcvd. | double | gauge |
+| citrix_adc.vpn.socks.connection.response.sent.count | Number of sent SOCKS connect responses. | double | counter |
+| citrix_adc.vpn.socks.connection.response.sent.rate | Rate (/s) counter for socksconnrespsent. | double | gauge |
+| citrix_adc.vpn.socks.method.request.received.count | Number of received SOCKS method requests. 
| double | counter |
+| citrix_adc.vpn.socks.method.request.received.rate | Rate (/s) counter for socksmethreqrcvd. | double | gauge |
+| citrix_adc.vpn.socks.method.request.sent.count | Number of sent SOCKS method requests. | double | counter |
+| citrix_adc.vpn.socks.method.request.sent.rate | Rate (/s) counter for socksmethreqsent. | double | gauge |
+| citrix_adc.vpn.socks.method.response.received.count | Number of received SOCKS method responses. | double | counter |
+| citrix_adc.vpn.socks.method.response.received.rate | Rate (/s) counter for socksmethresprcvd. | double | gauge |
+| citrix_adc.vpn.socks.method.response.sent.count | Number of sent SOCKS method responses. | double | counter |
+| citrix_adc.vpn.socks.method.response.sent.rate | Rate (/s) counter for socksmethrespsent. | double | gauge |
+| citrix_adc.vpn.socks.server_error.count | Number of SOCKS server errors. | double | counter |
+| citrix_adc.vpn.socks.server_error.rate | Rate (/s) counter for socksservererror. | double | gauge |
+| citrix_adc.vpn.sta.connection.failure.count | Number of STA (Secure Ticket Authority) connection failures. | double | counter |
+| citrix_adc.vpn.sta.connection.failure.rate | Rate (/s) counter for staconnfailure. | double | gauge |
+| citrix_adc.vpn.sta.connection.success.count | Number of STA (Secure Ticket Authority) connection success. | double | counter |
+| citrix_adc.vpn.sta.connection.success.rate | Rate (/s) counter for staconnsuccess. | double | gauge |
+| citrix_adc.vpn.sta.request.sent.count | Number of STA (Secure Ticket Authority) requests sent. | double | counter |
+| citrix_adc.vpn.sta.request.sent.rate | Rate (/s) counter for starequestsent. | double | gauge |
+| citrix_adc.vpn.sta.response.received.count | Number of STA (Secure Ticket Authority) responses received. | double | counter |
+| citrix_adc.vpn.sta.response.received.rate | Rate (/s) counter for staresponserecvd. | double | gauge |
 | data_stream.dataset | Data stream dataset. 
| constant_keyword | |
 | data_stream.namespace | Data stream namespace. | constant_keyword | |
 | data_stream.type | Data stream type. | constant_keyword | |
diff --git a/packages/citrix_adc/manifest.yml b/packages/citrix_adc/manifest.yml
index 6356a184537..fecbdf01eaf 100644
--- a/packages/citrix_adc/manifest.yml
+++ b/packages/citrix_adc/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 2.0.0
 name: citrix_adc
 title: Citrix ADC
-version: 0.5.1
+version: 0.5.2
 description: This Elastic integration collects metrics from Citrix ADC product.
 type: integration
 categories:
diff --git a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log
index 52e3a5d625e..0f3ae4095cb 100644
--- a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log
+++ b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log
@@ -1,7 +1,8 @@ {"Act":"Hld","AttCnt":0,"AttNames":null,"AttSize":0,"Content-Disposition":"attachment; filename=\"process_20211018093329655.json\"","Hld":"Spm","MsgId":"\u003cINX.164dae0719be95da77068c7d264.3e915.e7719.c78c.17c926a3231ace@newsletter.77onlineshop.eu\u003e","MsgSize":157436,"Sender":"bounce_9244+cdaahhimyaaaaagaad5ekqaaaaaaaaeribenpq@newsletter.77onlineshop.eu","Subject":"Hi Sandra! Neue Styles eingetroffen! – Finde deinen Lieblings-Look!","aCode":"HhuwRf_AOcuJZINE2ZgcKw","acc":"ABC123","datetime":"2021-10-18T09:02:43+0100"} {"acc":"ABC123","Delivered":false,"IP":"67.43.156.15","RejType":"Recipient email address is possibly incorrect","RejCode":"550","AttCnt":0,"Dir":"Inbound","ReceiptAck":null,"MsgId":null,"Subject":null,"Latency":505,"Sender":"<>","datetime":"2021-10-19T07:06:40+0100","Rcpt":"johndoe@example.com","AttSize":0,"Attempt":1,"RejInfo":"5.4.1 Recipient address rejected: Access denied. AS(201806281) [LO2GBR01FT037.eop-gbr01.prod.protection.outlook.com]","TlsVer":"TLSv1.2","Cphr":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","Snt":125,"aCode":"29be076e-44cd-354d-a7c2-083d4a312371","UseTls":"Yes","Route":"Office365","Content-Disposition":"attachment; filename=\"delivery_20211018093329655.json\""} {"acc":"ABC123","Sender":"postmaster@twotoeight.com","datetime":"2021-10-19T07:04:55+0100","AttSize":0,"Content-Disposition":"attachment; filename=\"process_20211018093329655.json\"","Act":"Acc","aCode":"61dfe7da-4c6d-34e1-9667-69b04f0d564f","AttCnt":0,"AttNames":null,"MsgSize":49025,"MsgId":"<137188507-1634623494888@uk-mta-151.uk.mimecast.lan>","Subject":"You have new held messages"} -{"acc":"ABC123","Delivered":true,"IP":"67.43.156.15","AttCnt":0,"Dir":"Internal","ReceiptAck":"250 SmtpInternalThread-19194240-1634623495703@uk-mta-151.uk.mimecast.lan Received OK 
[61dfe7da-4c6d-34e1-9667-69b04f0d564f.uk151]","MsgId":"<137188507-1634623494888@uk-mta-151.uk.mimecast.lan>","Subject":null,"Latency":1090,"Sender":"johndoe@example.com","datetime":"2021-10-19T07:04:55+0100","Rcpt":"johndoejr@example.com","AttSize":0,"Attempt":1,"Snt":51666,"aCode":"61dfe7da-4c6d-34e1-9667-69b04f0d564f","UseTls":"No", "Content-Disposition":"attachment; filename=\"delivery_20211018093329655.json\""},{"acc":"ABC123","Delivered":false,"IP":"67.43.156.15","RejType":"Recipient email address is possibly incorrect","RejCode":"550","AttCnt":0,"Dir":"Internal","ReceiptAck":null,"MsgId":"<137188507-1634623494888@uk-mta-151.uk.mimecast.lan>","Subject":"You have new held messages","Latency":1534,"Sender":"johndoe@example.com","datetime":"2021-10-19T07:04:56+0100","Rcpt":"johndoejr@example.com","AttSize":0,"Attempt":1,"RejInfo":"5.4.1 Recipient address rejected: Access denied. AS(201806281) [CWLGBR01FT010.eop-gbr01.prod.protection.outlook.com]","TlsVer":"TLSv1.2","Cphr":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","Snt":147,"aCode":"61dfe7da-4c6d-34e1-9667-69b04f0d564f","UseTls":"Yes","Route":"Office365","Content-Disposition":"attachment; filename=\"delivery_20211018093329655.json\""} +{"acc":"ABC123","Delivered":true,"IP":"67.43.156.15","AttCnt":0,"Dir":"Internal","ReceiptAck":"250 SmtpInternalThread-19194240-1634623495703@uk-mta-151.uk.mimecast.lan Received OK [61dfe7da-4c6d-34e1-9667-69b04f0d564f.uk151]","MsgId":"<137188507-1634623494888@uk-mta-151.uk.mimecast.lan>","Subject":null,"Latency":1090,"Sender":"johndoe@example.com","datetime":"2021-10-19T07:04:55+0100","Rcpt":"johndoejr@example.com","AttSize":0,"Attempt":1,"Snt":51666,"aCode":"61dfe7da-4c6d-34e1-9667-69b04f0d564f","UseTls":"No", "Content-Disposition":"attachment; filename=\"delivery_20211018093329655.json\""} +{"acc":"ABC123","Delivered":false,"IP":"67.43.156.15","RejType":"Recipient email address is possibly 
incorrect","RejCode":"550","AttCnt":0,"Dir":"Internal","ReceiptAck":null,"MsgId":"<137188507-1634623494888@uk-mta-151.uk.mimecast.lan>","Subject":"You have new held messages","Latency":1534,"Sender":"johndoe@example.com","datetime":"2021-10-19T07:04:56+0100","Rcpt":"johndoejr@example.com","AttSize":0,"Attempt":1,"RejInfo":"5.4.1 Recipient address rejected: Access denied. AS(201806281) [CWLGBR01FT010.eop-gbr01.prod.protection.outlook.com]","TlsVer":"TLSv1.2","Cphr":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","Snt":147,"aCode":"61dfe7da-4c6d-34e1-9667-69b04f0d564f","UseTls":"Yes","Route":"Office365","Content-Disposition":"attachment; filename=\"delivery_20211018093329655.json\""} {"acc":"C46A75","Sender":"johndoe@example.com","datetime":"2021-11-08T12:09:18+0000","Rcpt":"o365_service_account@example.com","RcptActType":"Jnl","aCode":"CYSuuaBUMjOpk3k1Xhvy_Q","Dir":"Internal","RcptHdrType":"Unknown", "Content-Disposition":"attachment; filename=\"jrnl_20211018093329655.json\""} {"acc":"C46A75","Sender":"johndoe@example.com","datetime":"2021-11-08T12:10:19+0000","Rcpt":"johndoejr@example.com","Act":"Acc","IP":"67.43.156.15","aCode":"3dbe9918-f91f-3043-b61f-d3164badfe50","Dir":"Internal","Subject":"You have new held messages","MsgId":"<140943948-1636373419265@uk-mta-286.uk.mimecast.lan>","headerFrom":"johndoe@example.com", "Content-Disposition":"attachment; filename=\"receipt_20211018093329655.json\""} {"acc":"C46A75","reason":"malicious","subject":"DocuSign- Contract #45576744333","msgid":null,"url":"http:\/\/docusign.swrodgods.x10.mx\/Docun\/Docu\/index2.php","datetime":"2021-11-29T15:13:58+0000","route":"inbound","sourceIp":"67.43.156.15","sender":"docusign-services@zenz.us","recipient":"aorchard@twotoeight.com","action":"Block","urlCategory":"Phishing & Fraud","credentialTheft":null,"senderDomain":"zenz.us", "Content-Disposition":"attachment; filename=\"ttp_url_20211129153015541.json\""} 
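Review bot: The fixture now has no record that is not a single JSON object, so the pipeline's behaviour on a malformed line is no longer exercised; the removed line joined two records with `},{`, and the previously expected output for it (the `@@ -163,7` hunk of the expected file) shows a `success` event carrying both objects in `event.original` rather than an error, i.e. the trailing data was apparently accepted silently. Splitting the line into two records is the right fix for the happy path, but a deliberate negative case — one fixture line with trailing data after the object — would pin whether the json processor rejects it and populates `error.message`, so that a change in parsing strictness cannot pass the pipeline test unnoticed. Worth confirming against the pipeline's json processor settings rather than against this old expectation alone.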
diff --git a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json
index b437546f0de..5aa4f8bf15e 100644
--- a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json
+++ b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json
@@ -163,7 +163,7 @@
 },
 "event": {
 "created": "2021-10-19T07:04:55+0100",
- "original": "{\"acc\":\"ABC123\",\"Delivered\":true,\"IP\":\"67.43.156.15\",\"AttCnt\":0,\"Dir\":\"Internal\",\"ReceiptAck\":\"250 SmtpInternalThread-19194240-1634623495703@uk-mta-151.uk.mimecast.lan Received OK [61dfe7da-4c6d-34e1-9667-69b04f0d564f.uk151]\",\"MsgId\":\"\u003c137188507-1634623494888@uk-mta-151.uk.mimecast.lan\u003e\",\"Subject\":null,\"Latency\":1090,\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-10-19T07:04:55+0100\",\"Rcpt\":\"johndoejr@example.com\",\"AttSize\":0,\"Attempt\":1,\"Snt\":51666,\"aCode\":\"61dfe7da-4c6d-34e1-9667-69b04f0d564f\",\"UseTls\":\"No\", \"Content-Disposition\":\"attachment; filename=\\\"delivery_20211018093329655.json\\\"\"},{\"acc\":\"ABC123\",\"Delivered\":false,\"IP\":\"67.43.156.15\",\"RejType\":\"Recipient email address is possibly incorrect\",\"RejCode\":\"550\",\"AttCnt\":0,\"Dir\":\"Internal\",\"ReceiptAck\":null,\"MsgId\":\"\u003c137188507-1634623494888@uk-mta-151.uk.mimecast.lan\u003e\",\"Subject\":\"You have new held messages\",\"Latency\":1534,\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-10-19T07:04:56+0100\",\"Rcpt\":\"johndoejr@example.com\",\"AttSize\":0,\"Attempt\":1,\"RejInfo\":\"5.4.1 Recipient address rejected: Access denied. 
AS(201806281) [CWLGBR01FT010.eop-gbr01.prod.protection.outlook.com]\",\"TlsVer\":\"TLSv1.2\",\"Cphr\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"Snt\":147,\"aCode\":\"61dfe7da-4c6d-34e1-9667-69b04f0d564f\",\"UseTls\":\"Yes\",\"Route\":\"Office365\",\"Content-Disposition\":\"attachment; filename=\\\"delivery_20211018093329655.json\\\"\"}",
+ "original": "{\"acc\":\"ABC123\",\"Delivered\":true,\"IP\":\"67.43.156.15\",\"AttCnt\":0,\"Dir\":\"Internal\",\"ReceiptAck\":\"250 SmtpInternalThread-19194240-1634623495703@uk-mta-151.uk.mimecast.lan Received OK [61dfe7da-4c6d-34e1-9667-69b04f0d564f.uk151]\",\"MsgId\":\"\u003c137188507-1634623494888@uk-mta-151.uk.mimecast.lan\u003e\",\"Subject\":null,\"Latency\":1090,\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-10-19T07:04:55+0100\",\"Rcpt\":\"johndoejr@example.com\",\"AttSize\":0,\"Attempt\":1,\"Snt\":51666,\"aCode\":\"61dfe7da-4c6d-34e1-9667-69b04f0d564f\",\"UseTls\":\"No\", \"Content-Disposition\":\"attachment; filename=\\\"delivery_20211018093329655.json\\\"\"}",
 "outcome": "success"
 },
 "mimecast": {
@@ -197,6 +197,73 @@
 "established": false
 }
 },
+ {
+ "@timestamp": "2021-10-19T06:04:56.000Z",
+ "ecs": {
+ "version": "8.7.0"
+ },
+ "email": {
+ "attachments": {
+ "file": {
+ "size": 0
+ }
+ },
+ "direction": "internal",
+ "from": {
+ "address": [
+ "johndoe@example.com"
+ ]
+ },
+ "local_id": "61dfe7da-4c6d-34e1-9667-69b04f0d564f",
+ "message_id": "\u003c137188507-1634623494888@uk-mta-151.uk.mimecast.lan\u003e",
+ "subject": "You have new held messages",
+ "to": {
+ "address": "johndoejr@example.com"
+ }
+ },
+ "error": {
+ "code": "550",
+ "type": "Recipient email address is possibly incorrect"
+ },
+ "event": {
+ "created": "2021-10-19T07:04:56+0100",
+ "original": "{\"acc\":\"ABC123\",\"Delivered\":false,\"IP\":\"67.43.156.15\",\"RejType\":\"Recipient email address is possibly incorrect\",\"RejCode\":\"550\",\"AttCnt\":0,\"Dir\":\"Internal\",\"ReceiptAck\":null,\"MsgId\":\"\u003c137188507-1634623494888@uk-mta-151.uk.mimecast.lan\u003e\",\"Subject\":\"You have new held messages\",\"Latency\":1534,\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-10-19T07:04:56+0100\",\"Rcpt\":\"johndoejr@example.com\",\"AttSize\":0,\"Attempt\":1,\"RejInfo\":\"5.4.1 Recipient address rejected: Access denied. AS(201806281) [CWLGBR01FT010.eop-gbr01.prod.protection.outlook.com]\",\"TlsVer\":\"TLSv1.2\",\"Cphr\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"Snt\":147,\"aCode\":\"61dfe7da-4c6d-34e1-9667-69b04f0d564f\",\"UseTls\":\"Yes\",\"Route\":\"Office365\",\"Content-Disposition\":\"attachment; filename=\\\"delivery_20211018093329655.json\\\"\"}",
+ "outcome": "failure",
+ "reason": "5.4.1 Recipient address rejected: Access denied. 
AS(201806281) [CWLGBR01FT010.eop-gbr01.prod.protection.outlook.com]"
+ },
+ "mimecast": {
+ "AttCnt": 0,
+ "Attempt": 1,
+ "Latency": 1534,
+ "Route": "Office365",
+ "Snt": 147,
+ "acc": "ABC123",
+ "log_type": "delivery"
+ },
+ "source": {
+ "as": {
+ "number": 35908
+ },
+ "geo": {
+ "continent_name": "Asia",
+ "country_iso_code": "BT",
+ "country_name": "Bhutan",
+ "location": {
+ "lat": 27.5,
+ "lon": 90.5
+ }
+ },
+ "ip": "67.43.156.15"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "tls": {
+ "cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "established": true,
+ "version": "TLSv1.2"
+ }
+ },
 {
 "@timestamp": "2021-11-08T12:09:18.000Z",
 "ecs": {
diff --git a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json
deleted file mode 100644
index c4803981126..00000000000
--- a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json
+++ /dev/null
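Review bot: The newly added event pins `email.to.address` as a bare string (`"address": "johndoejr@example.com"`) while `email.from.address` in the same event is an array, and ECS declares both as array-normalised fields; a consumer that iterates `email.to.address` will break on the scalar, and the same key now has two shapes within one document. Since this file is the generated expectation, the fix belongs in the ingest pipeline (emit `Rcpt` as an array the way `Sender` is handled) followed by regenerating this file, not in a hand edit here. Separately, `error.type` carries the free-text `RejType` description; ECS intends `error.type` for a class or category, so that text may fit `error.message` better, with `error.code` keeping `"550"` — worth confirming against how the other delivery events in this file, which lie outside the hunk, are mapped.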
@@ -1,31 +0,0 @@ -{ - "events": [ - { - "message": "{\"actor\":{\"alternateId\":\"username@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}" - }, - { - "message": "{\"actor\":{\"alternateId\":\"someusername@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from 
Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to 
Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in 
ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}" - }, - { - "message": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 
Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 
Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 
Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}" - }, - { - "message": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"null\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"null\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"null\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}"
- },
- {
- "message": 
"{\"actor\":{\"alternateId\":\"test@test.com\",\"detailEntry\":null,\"displayName\":\"test@test.com\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"xxxxxx\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Unknown\",\"geographicalContext\":{\"city\":\"Ashburn\",\"country\":\"United States\",\"geolocation\":{\"lat\":39.1469,\"lon\":-77.5903},\"postalCode\":\"20149\",\"state\":\"Virginia\"},\"id\":null,\"ipAddress\":\"81.2.69.144\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Unknown\",\"rawUserAgent\":\"blah\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"logOnlySecurityData\":\"{\\\"risk\\\":{\\\"reasons\\\":\\\"Anomalous Location, Anomalous Device\\\",\\\"level\\\":\\\"HIGH\\\"},\\\"behaviors\\\":{\\\"New Geo-Location\\\":\\\"POSITIVE\\\",\\\"New Device\\\":\\\"BAD_REQUEST\\\",\\\"New IP\\\":\\\"POSITIVE\\\",\\\"New State\\\":\\\"POSITIVE\\\",\\\"New Country\\\":\\\"POSITIVE\\\",\\\"Velocity\\\":\\\"NEGATIVE\\\",\\\"New City\\\":\\\"POSITIVE\\\"}}\",\"originalPrincipal\":{\"alternateId\":\"test@test.com\",\"detailEntry\":null,\"displayName\":\"Test\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"device\":null,\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2022-05-11T09:25:18.716Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Ashburn\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":39.1469,\"lon\":-77.5903},\"postalCode\":\"20149\",\"state\":\"Virginia\"},\"ip\":\"81.2.69.144\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":14618,\"asOrg\":\"amazon data services nova\",\"domain\":\"amazonaws.com\",\"isProxy\":false,\"isp\":\"amazon.com inc.\"},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{\"requestApiTokenId\":\"MDU0ZTEyM2QwYjc2N2FiZDI2YzViZDRiODVkNGNhZDFkZjg4YjU2ZiAgLQo=\"},\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}"
- },
- {
- "message": "{\"actor\":{\"alternateId\":\"test1@test.com\",\"detailEntry\":null,\"displayName\":\"None\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Mobile\",\"geographicalContext\":{\"city\":\"Purcellville\",\"country\":\"United States\",\"geolocation\":{\"lat\":39.64,\"lon\":-77.8346},\"postalCode\":\"20132\",\"state\":\"Virginia\"},\"id\":null,\"ipAddress\":\"67.43.156.14\",\"userAgent\":{\"browser\":\"SAFARI\",\"os\":\"Mac OS X (iPhone)\",\"rawUserAgent\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 15_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Safari\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"behaviors\":\"{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, New 
City=NEGATIVE}\",\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify\",\"risk\":\"{level=LOW}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify?autoPush=false\u0026rememberDevice=false\"}},\"device\":null,\"displayMessage\":\"Verify user identity\",\"eventType\":\"user.authentication.verify\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2022-05-11T09:27:08.708Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Purcellville\",\"country\":\"United States\",\"geolocation\":{\"lat\":39.64,\"lon\":-77.8346},\"postalCode\":\"20132\",\"state\":\"Virginia\"},\"ip\":\"67.43.156.14\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":7922,\"asOrg\":\"comcast\",\"domain\":\"comcast.net\",\"isProxy\":false,\"isp\":\"comcast\"},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}"
- },
- {
- "message": "{\"actor\":{\"alternateId\":\"Snipped_User@domain.com\",\"detailEntry\":null,\"displayName\":\"Last_name, 
First_Name\",\"id\":\"user_id\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102qmxOh1EdTHqn1_86CB9fzA\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"unknown\",\"geographicalContext\":{\"city\":\"City\",\"country\":\"Country\",\"geolocation\":{\"lat\":0.00,\"lon\":0.00},\"postalCode\":\"00000\",\"state\":\"State\"},\"id\":null,\"ipAddress\":\"81.2.69.144\",\"userAgent\":{\"browser\":\"unknown\",\"os\":\"unknown\",\"rawUserAgent\":\"unknown\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"Y5elHFMngoYoVKvakwnp2wAAAKo\",\"behaviors\":\"{New Geo-Location=NEGATIVE, New Device=POSITIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, Velocity=POSITIVE, New City=NEGATIVE}\",\"dtHash\":\"751b157a5a24ed83129433243e8d42307434b047120c32d7a7f5a5d2d91726fa\",\"requestId\":\"Y5elHFMngoYoVKvakwnp2wAAAKo\",\"requestUri\":\"/api/v1/authn\",\"risk\":\"{reasons=Anomalous Device, Anomalous Location, level=HIGH}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"device\":null,\"displayMessage\":\"Verify user identity\",\"eventType\":\"user.authentication.verify\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2022-12-12T22:03:08.791Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"City\",\"country\":\"Country\",\"geolocation\":{\"lat\":0.00,\"lon\":0.00},\"postalCode\":\"00000\",\"state\":\"State\"},\"ip\":\"81.2.69.144\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":1828,\"asOrg\":\"org\",\"domain\":\"domain.com\",\"isProxy\":false,\"isp\":\"isp\"},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"Y5elHFMngoYoVKvakwnp2wAAAKo\",\"type\":\"WEB\"},\"uuid\":\"c32ae8ec-7a68-11ed-b8a7-9134a086ef85\",\"version\":\"0\"}"
- },
- {
- "message": 
"{\"actor\":{\"alternateId\":\"user@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":\"FACTOR_PROVIDER\",\"authenticationStep\":0,\"credentialProvider\":\"OKTA_CREDENTIAL_PROVIDER\",\"credentialType\":null,\"externalSessionId\":\"uuid\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Mobile\",\"geographicalContext\":{\"city\":\"Lucerne\",\"country\":\"Switzerland\",\"geolocation\":{\"lat\":47.0511,\"lon\":8.3056},\"postalCode\":\"6007\",\"state\":\"Lucerne\"},\"id\":null,\"ipAddress\":\"127.0.0.1\",\"userAgent\":{\"browser\":\"UNKNOWN\",\"os\":\"Unknown mobile\",\"rawUserAgent\":\"B7FdsdB65BN.com.okta.mobile/7.12.0 OktaVerify/7.12.0 iOS/16.1.2 Apple/iPhone14,2 6C743C36-ewew-400D-8FB9-A5F049A745CF\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"uuid\",\"behaviors\":\"{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New State=NEGATIVE, Velocity Behavior=NEGATIVE, New Country=NEGATIVE, New City=NEGATIVE}\",\"factor\":\"OKTA_VERIFY_PUSH\",\"requestId\":\"uuid\",\"requestUri\":\"/api/v1/authn/factors/id/transactions/id/verify\",\"risk\":\"{level=LOW}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn/factors/id/transactions/id/verify?\"}},\"device\":null,\"displayMessage\":\"Authentication of user via MFA\",\"eventType\":\"user.authentication.auth_via_mfa\",\"legacyEventType\":\"core.user.factor.attempt_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-02-06T08:56:36.909Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Lucerne\",\"country\":\"Switzerland\",\"geolocation\":{\"lat\":47.0511,\"lon\":8.3056},\"postalCode\":\"6007\",\"state\":\"Lucerne\"},\"ip\":\"127.0.0.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":3303,\"asOrg\":\"bluewin is an lir and isp in 
switzerland.\",\"domain\":\"swisscom.ch\",\"isProxy\":false,\"isp\":\"swisscom (schweiz) ag\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"user@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"}],\"transaction\":{\"detail\":{},\"id\":\"uuid\",\"type\":\"WEB\"},\"uuid\":\"uuid\",\"version\":\"0\"}"
- },
- {
- "message": "{\"actor\":{\"alternateId\":\"name@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":\"FACTOR_PROVIDER\",\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"id\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Bredstedt\",\"country\":\"Germany\",\"geolocation\":{\"lat\":54.6208,\"lon\":8.9631},\"postalCode\":\"25821\",\"state\":\"Schleswig-Holstein\"},\"id\":null,\"ipAddress\":\"127.0.0.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Linux\",\"rawUserAgent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"id\",\"behaviors\":\"{New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=NEGATIVE, Velocity Behavior=NEGATIVE, New Country=NEGATIVE, New City=POSITIVE}\",\"deviceFingerprint\":\"id\",\"dtHash\":\"hash\",\"factor\":\"FIDO_WEBAUTHN\",\"promptingPolicyTypes\":\"[OKTA_SIGN_ON]\",\"requestId\":\"id\",\"requestUri\":\"/api/v1/authn/factors/webauthn/verify\",\"risk\":\"{level=LOW}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn/factors/webauthn/verify?rememberDevice=false\"}},\"device\":null,\"displayMessage\":\"Authentication of user via 
MFA\",\"eventType\":\"user.authentication.auth_via_mfa\",\"legacyEventType\":\"core.user.factor.attempt_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2023-02-06T08:58:37.110Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Bredstedt\",\"country\":\"Germany\",\"geolocation\":{\"lat\":54.6208,\"lon\":8.9631},\"postalCode\":\"25821\",\"state\":\"Schleswig-Holstein\"},\"ip\":\"127.0.0.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":62336,\"asOrg\":\"customer access\",\"domain\":\"german-local.net\",\"isProxy\":false,\"isp\":\"purtel.com gmbh\"},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"name@domain.com\",\"detailEntry\":null,\"displayName\":\"first last\",\"id\":\"id\",\"type\":\"User\"}],\"transaction\":{\"detail\":{},\"id\":\"id\",\"type\":\"WEB\"},\"uuid\":\"uuid\",\"version\":\"0\"}"
- }
- ]
-}
\ No newline at end of file
diff --git a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.log b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.log
new file mode 100644
index 00000000000..5f0de357003
--- /dev/null
+++ b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.log
@@ -0,0 +1,17 @@
+{"actor":{"alternateId":"username@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102nZHzd6OHSfGG51vsoc22gw","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"175.16.199.1","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestId":"XkccyyMli2Uay2I93ZgRzQAAB0c","requestUri":"/login/signout","threatSuspected":"false","url":"/login/signout?message=login_page_messages.session_has_expired"}},"displayMessage":"User logout from Okta","eventType":"user.session.end","legacyEventType":"core.user_auth.logout_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T22:18:51.843Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkccyyMli2Uay2I93ZgRzQAAB0c","type":"WEB"},"uuid":"faf7398a-4f77-11ea-97fb-5925e98228bd","version":"0"}
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"175.16.199.1","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T20:18:57.718Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3aeede38-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"175.16.199.1","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"Evaluation of sign-on policy","eventType":"policy.evaluate_sign_on","legacyEventType":null,"outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"published":"2020-02-14T20:18:57.762Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":[{"alternateId":"unknown","detailEntry":{"policyType":"OktaSignOn"},"displayName":"Default Policy","id":"00p1abvweGGDW10Ur4x6","type":"PolicyEntity"},{"alternateId":"00p1abvweGGDW10Ur4x6","detailEntry":null,"displayName":"Default Rule","id":"0pr1abvwfqGFI4n064x6","type":"PolicyRule"}],"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3af594f9-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
+{"actor":{"alternateId":"someusername@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102nZHzd6OHSfGG51vsoc22gw","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"175.16.199.1","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestId":"XkccyyMli2Uay2I93ZgRzQAAB0c","requestUri":"/login/signout","threatSuspected":"false","url":"/login/signout?message=login_page_messages.session_has_expired"}},"displayMessage":"User logout from Okta","eventType":"user.session.end","legacyEventType":"core.user_auth.logout_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T22:18:51.843Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkccyyMli2Uay2I93ZgRzQAAB0c","type":"WEB"},"uuid":"faf7398a-4f77-11ea-97fb-5925e98228bd","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"175.16.199.1","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T20:18:57.718Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3aeede38-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"175.16.199.1","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"Evaluation of sign-on policy","eventType":"policy.evaluate_sign_on","legacyEventType":null,"outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"published":"2020-02-14T20:18:57.762Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":[{"alternateId":"unknown","detailEntry":{"policyType":"OktaSignOn"},"displayName":"Default Policy","id":"00p1abvweGGDW10Ur4x6","type":"PolicyEntity"},{"alternateId":"00p1abvweGGDW10Ur4x6","detailEntry":null,"displayName":"Default Rule","id":"0pr1abvwfqGFI4n064x6","type":"PolicyRule"}],"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3af594f9-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102nZHzd6OHSfGG51vsoc22gw","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"175.16.199.1","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestId":"XkccyyMli2Uay2I93ZgRzQAAB0c","requestUri":"/login/signout","threatSuspected":"false","url":"/login/signout?message=login_page_messages.session_has_expired"}},"displayMessage":"User logout from Okta","eventType":"user.session.end","legacyEventType":"core.user_auth.logout_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T22:18:51.843Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkccyyMli2Uay2I93ZgRzQAAB0c","type":"WEB"},"uuid":"faf7398a-4f77-11ea-97fb-5925e98228bd","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"175.16.199.1","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T20:18:57.718Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3aeede38-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"175.16.199.1","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"Evaluation of sign-on policy","eventType":"policy.evaluate_sign_on","legacyEventType":null,"outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"published":"2020-02-14T20:18:57.762Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":[{"alternateId":"unknown","detailEntry":{"policyType":"OktaSignOn"},"displayName":"Default Policy","id":"00p1abvweGGDW10Ur4x6","type":"PolicyEntity"},{"alternateId":"00p1abvweGGDW10Ur4x6","detailEntry":null,"displayName":"Default Rule","id":"0pr1abvwfqGFI4n064x6","type":"PolicyRule"}],"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3af594f9-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102nZHzd6OHSfGG51vsoc22gw","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"null","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestId":"XkccyyMli2Uay2I93ZgRzQAAB0c","requestUri":"/login/signout","threatSuspected":"false","url":"/login/signout?message=login_page_messages.session_has_expired"}},"displayMessage":"User logout from Okta","eventType":"user.session.end","legacyEventType":"core.user_auth.logout_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T22:18:51.843Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkccyyMli2Uay2I93ZgRzQAAB0c","type":"WEB"},"uuid":"faf7398a-4f77-11ea-97fb-5925e98228bd","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"null","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T20:18:57.718Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3aeede38-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"null","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"Evaluation of sign-on policy","eventType":"policy.evaluate_sign_on","legacyEventType":null,"outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"published":"2020-02-14T20:18:57.762Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"175.16.199.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":[{"alternateId":"unknown","detailEntry":{"policyType":"OktaSignOn"},"displayName":"Default Policy","id":"00p1abvweGGDW10Ur4x6","type":"PolicyEntity"},{"alternateId":"00p1abvweGGDW10Ur4x6","detailEntry":null,"displayName":"Default Rule","id":"0pr1abvwfqGFI4n064x6","type":"PolicyRule"}],"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3af594f9-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
+{"actor":{"alternateId":"test@test.com","detailEntry":null,"displayName":"test@test.com","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"xxxxxx","interface":null,"issuer":null},"client":{"device":"Unknown","geographicalContext":{"city":"Ashburn","country":"United States","geolocation":{"lat":39.1469,"lon":-77.5903},"postalCode":"20149","state":"Virginia"},"id":null,"ipAddress":"81.2.69.144","userAgent":{"browser":"UNKNOWN","os":"Unknown","rawUserAgent":"blah"},"zone":"null"},"debugContext":{"debugData":{"logOnlySecurityData":"{\"risk\":{\"reasons\":\"Anomalous Location, Anomalous Device\",\"level\":\"HIGH\"},\"behaviors\":{\"New Geo-Location\":\"POSITIVE\",\"New Device\":\"BAD_REQUEST\",\"New IP\":\"POSITIVE\",\"New State\":\"POSITIVE\",\"New Country\":\"POSITIVE\",\"Velocity\":\"NEGATIVE\",\"New City\":\"POSITIVE\"}}","originalPrincipal":{"alternateId":"test@test.com","detailEntry":null,"displayName":"Test","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"requestId":"XkccyyMli2Uay2I93ZgRzQAAB0c","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"device":null,"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2022-05-11T09:25:18.716Z","request":{"ipChain":[{"geographicalContext":{"city":"Ashburn","country":"United States","geolocation":{"lat":39.1469,"lon":-77.5903},"postalCode":"20149","state":"Virginia"},"ip":"81.2.69.144","source":null,"version":"V4"}]},"securityContext":{"asNumber":14618,"asOrg":"amazon data services nova","domain":"amazonaws.com","isProxy":false,"isp":"amazon.com 
inc."},"severity":"INFO","target":null,"transaction":{"detail":{"requestApiTokenId":"MDU0ZTEyM2QwYjc2N2FiZDI2YzViZDRiODVkNGNhZDFkZjg4YjU2ZiAgLQo="},"id":"00u1abvz4pYqdM8ms4x6","type":"WEB"},"uuid":"faf7398a-4f77-11ea-97fb-5925e98228bd","version":"0"} +{"actor":{"alternateId":"test1@test.com","detailEntry":null,"displayName":"None","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102nZHzd6OHSfGG51vsoc22gw","interface":null,"issuer":null},"client":{"device":"Mobile","geographicalContext":{"city":"Purcellville","country":"United States","geolocation":{"lat":39.64,"lon":-77.8346},"postalCode":"20132","state":"Virginia"},"id":null,"ipAddress":"67.43.156.14","userAgent":{"browser":"SAFARI","os":"Mac OS X (iPhone)","rawUserAgent":"Mozilla/5.0 (iPhone; CPU iPhone OS 15_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Safari"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","behaviors":"{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, New City=NEGATIVE}","deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkccyyMli2Uay2I93ZgRzQAAB0c","requestUri":"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify","risk":"{level=LOW}","threatSuspected":"false","url":"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify?autoPush=false\u0026rememberDevice=false"}},"device":null,"displayMessage":"Verify user identity","eventType":"user.authentication.verify","legacyEventType":null,"outcome":{"reason":null,"result":"SUCCESS"},"published":"2022-05-11T09:27:08.708Z","request":{"ipChain":[{"geographicalContext":{"city":"Purcellville","country":"United 
States","geolocation":{"lat":39.64,"lon":-77.8346},"postalCode":"20132","state":"Virginia"},"ip":"67.43.156.14","source":null,"version":"V4"}]},"securityContext":{"asNumber":7922,"asOrg":"comcast","domain":"comcast.net","isProxy":false,"isp":"comcast"},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"00u1abvz4pYqdM8ms4x6","type":"WEB"},"uuid":"faf7398a-4f77-11ea-97fb-5925e98228bd","version":"0"} +{"actor":{"alternateId":"Snipped_User@domain.com","detailEntry":null,"displayName":"Last_name, First_Name","id":"user_id","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102qmxOh1EdTHqn1_86CB9fzA","interface":null,"issuer":null},"client":{"device":"unknown","geographicalContext":{"city":"City","country":"Country","geolocation":{"lat":0.00,"lon":0.00},"postalCode":"00000","state":"State"},"id":null,"ipAddress":"81.2.69.144","userAgent":{"browser":"unknown","os":"unknown","rawUserAgent":"unknown"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"Y5elHFMngoYoVKvakwnp2wAAAKo","behaviors":"{New Geo-Location=NEGATIVE, New Device=POSITIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, Velocity=POSITIVE, New City=NEGATIVE}","dtHash":"751b157a5a24ed83129433243e8d42307434b047120c32d7a7f5a5d2d91726fa","requestId":"Y5elHFMngoYoVKvakwnp2wAAAKo","requestUri":"/api/v1/authn","risk":"{reasons=Anomalous Device, Anomalous Location, level=HIGH}","threatSuspected":"false","url":"/api/v1/authn?"}},"device":null,"displayMessage":"Verify user 
identity","eventType":"user.authentication.verify","legacyEventType":null,"outcome":{"reason":null,"result":"SUCCESS"},"published":"2022-12-12T22:03:08.791Z","request":{"ipChain":[{"geographicalContext":{"city":"City","country":"Country","geolocation":{"lat":0.00,"lon":0.00},"postalCode":"00000","state":"State"},"ip":"81.2.69.144","source":null,"version":"V4"}]},"securityContext":{"asNumber":1828,"asOrg":"org","domain":"domain.com","isProxy":false,"isp":"isp"},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"Y5elHFMngoYoVKvakwnp2wAAAKo","type":"WEB"},"uuid":"c32ae8ec-7a68-11ed-b8a7-9134a086ef85","version":"0"} +{"actor":{"alternateId":"user@domain.com","detailEntry":null,"displayName":"first last","id":"id","type":"User"},"authenticationContext":{"authenticationProvider":"FACTOR_PROVIDER","authenticationStep":0,"credentialProvider":"OKTA_CREDENTIAL_PROVIDER","credentialType":null,"externalSessionId":"uuid","interface":null,"issuer":null},"client":{"device":"Mobile","geographicalContext":{"city":"Lucerne","country":"Switzerland","geolocation":{"lat":47.0511,"lon":8.3056},"postalCode":"6007","state":"Lucerne"},"id":null,"ipAddress":"127.0.0.1","userAgent":{"browser":"UNKNOWN","os":"Unknown mobile","rawUserAgent":"B7FdsdB65BN.com.okta.mobile/7.12.0 OktaVerify/7.12.0 iOS/16.1.2 Apple/iPhone14,2 6C743C36-ewew-400D-8FB9-A5F049A745CF"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"uuid","behaviors":"{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New State=NEGATIVE, Velocity Behavior=NEGATIVE, New Country=NEGATIVE, New City=NEGATIVE}","factor":"OKTA_VERIFY_PUSH","requestId":"uuid","requestUri":"/api/v1/authn/factors/id/transactions/id/verify","risk":"{level=LOW}","threatSuspected":"false","url":"/api/v1/authn/factors/id/transactions/id/verify?"}},"device":null,"displayMessage":"Authentication of user via 
MFA","eventType":"user.authentication.auth_via_mfa","legacyEventType":"core.user.factor.attempt_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2023-02-06T08:56:36.909Z","request":{"ipChain":[{"geographicalContext":{"city":"Lucerne","country":"Switzerland","geolocation":{"lat":47.0511,"lon":8.3056},"postalCode":"6007","state":"Lucerne"},"ip":"127.0.0.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":3303,"asOrg":"bluewin is an lir and isp in switzerland.","domain":"swisscom.ch","isProxy":false,"isp":"swisscom (schweiz) ag"},"severity":"INFO","target":[{"alternateId":"user@domain.com","detailEntry":null,"displayName":"first last","id":"id","type":"User"}],"transaction":{"detail":{},"id":"uuid","type":"WEB"},"uuid":"uuid","version":"0"} +{"actor":{"alternateId":"name@domain.com","detailEntry":null,"displayName":"first last","id":"id","type":"User"},"authenticationContext":{"authenticationProvider":"FACTOR_PROVIDER","authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"id","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Bredstedt","country":"Germany","geolocation":{"lat":54.6208,"lon":8.9631},"postalCode":"25821","state":"Schleswig-Holstein"},"id":null,"ipAddress":"127.0.0.1","userAgent":{"browser":"FIREFOX","os":"Linux","rawUserAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"id","behaviors":"{New Geo-Location=POSITIVE, New Device=NEGATIVE, New IP=POSITIVE, New State=NEGATIVE, Velocity Behavior=NEGATIVE, New Country=NEGATIVE, New 
City=POSITIVE}","deviceFingerprint":"id","dtHash":"hash","factor":"FIDO_WEBAUTHN","promptingPolicyTypes":"[OKTA_SIGN_ON]","requestId":"id","requestUri":"/api/v1/authn/factors/webauthn/verify","risk":"{level=LOW}","threatSuspected":"false","url":"/api/v1/authn/factors/webauthn/verify?rememberDevice=false"}},"device":null,"displayMessage":"Authentication of user via MFA","eventType":"user.authentication.auth_via_mfa","legacyEventType":"core.user.factor.attempt_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2023-02-06T08:58:37.110Z","request":{"ipChain":[{"geographicalContext":{"city":"Bredstedt","country":"Germany","geolocation":{"lat":54.6208,"lon":8.9631},"postalCode":"25821","state":"Schleswig-Holstein"},"ip":"127.0.0.1","source":null,"version":"V4"}]},"securityContext":{"asNumber":62336,"asOrg":"customer access","domain":"german-local.net","isProxy":false,"isp":"purtel.com gmbh"},"severity":"INFO","target":[{"alternateId":"name@domain.com","detailEntry":null,"displayName":"first last","id":"id","type":"User"}],"transaction":{"detail":{},"id":"id","type":"WEB"},"uuid":"uuid","version":"0"} \ No newline at end of file diff --git a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json-config.yml b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.log-config.yml similarity index 100% rename from packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json-config.yml rename to packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.log-config.yml 
diff --git a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json-expected.json b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.log-expected.json
similarity index 54%
rename from packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json-expected.json
rename to packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.log-expected.json
index fba7bb1b97f..78a2fa24213 100644
--- a/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.json-expected.json
+++ b/packages/okta/data_stream/system/_dev/test/pipeline/test-okta-system-events.log-expected.json
@@ -30,7 +30,7 @@ ], "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", "kind": "event", - "original": "{\"actor\":{\"alternateId\":\"username@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "original": "{\"actor\":{\"alternateId\":\"username@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from 
Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}", "outcome": "success", "type": [ "end", @@ -153,7 +153,7 @@ } }, { - "@timestamp": "2020-02-14T22:18:51.843Z", + "@timestamp": "2020-02-14T20:18:57.718Z", "client": { "geo": { "city_name": "Dublin", 
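Review bot: The new `event.original` for the first document (the `+ "original"` line) keeps `\"alternateId\":\"username@elastic.co\"` and `\"ipAddress\":\"175.16.199.1\"`, while the added log line with the same `uuid` `faf7398a-4f77-11ea-97fb-5925e98228bd` in the earlier hunk carries `xxxxxx@elastic.co` and `\"ipAddress\":\"null\"`; if that log is the input for this expected file, the pipeline test's exact comparison of `event.original` will fail, and if it is a separate fixture the two copies of the event should at least be sanitised the same way. The same uuid is also reused by two further added log events (the `2022-05-11` login and verify records), so those documents will share `event.id` although they are distinct events — giving each fixture event its own uuid keeps any fingerprinting or dedup keyed on `event.id` realistic. The enclosing document of this hunk starts before the hunk.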
@@ -168,37 +168,37 @@ "user": { "full_name": "xxxxxx", "id": "00u1abvz4pYqdM8ms4x6", - "name": "someusername" + "name": "xxxxxx" } }, "ecs": { "version": "8.7.0" }, "event": { - "action": "user.session.end", + "action": "user.session.start", "category": [ "authentication", "session" ], - "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", + "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", "kind": "event", - "original": "{\"actor\":{\"alternateId\":\"someusername@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to 
Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", "outcome": "success", "type": [ - "end", + "start", "user" ] }, "okta": { "actor": { - "alternate_id": "someusername@elastic.co", + "alternate_id": "xxxxxx@elastic.co", "display_name": "xxxxxx", "id": "00u1abvz4pYqdM8ms4x6", "type": "User" }, "authentication_context": { "authentication_step": 0, - "external_session_id": "102nZHzd6OHSfGG51vsoc22gw" + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" }, "client": { "device": "Computer", 
@@ -212,21 +212,22 @@
 },
 "debug_context": {
 "debug_data": {
+ "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0",
 "flattened": {
- "authnRequestId": "XkcAsWb8WjwDP76xh@1v8wAABp0",
- "requestId": "XkccyyMli2Uay2I93ZgRzQAAB0c",
- "requestUri": "/login/signout",
+ "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0",
+ "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0",
+ "requestUri": "/api/v1/authn",
 "threatSuspected": "false",
- "url": "/login/signout?message=login_page_messages.session_has_expired"
+ "url": "/api/v1/authn?"
 },
- "request_id": "XkccyyMli2Uay2I93ZgRzQAAB0c",
- "request_uri": "/login/signout",
+ "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0",
+ "request_uri": "/api/v1/authn",
 "threat_suspected": "false",
- "url": "/login/signout?message=login_page_messages.session_has_expired"
+ "url": "/api/v1/authn?"
 }
 },
- "display_message": "User logout from Okta",
- "event_type": "user.session.end",
+ "display_message": "User login to Okta",
+ "event_type": "user.session.start",
 "outcome": {
 "result": "SUCCESS"
 },
@@ -249,18 +250,17 @@
 ]
 },
 "transaction": {
- "id": "XkccyyMli2Uay2I93ZgRzQAAB0c",
+ "id": "XkcAsWb8WjwDP76xh@1v8wAABp0",
 "type": "WEB"
 },
- "uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd"
+ "uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546"
 },
 "related": {
 "ip": [
 "175.16.199.1"
 ],
 "user": [
- "xxxxxx",
- "someusername"
+ "xxxxxx"
 ]
 },
 "source": {
@@ -280,7 +280,7 @@
 "user": {
 "full_name": "xxxxxx",
 "id": "00u1abvz4pYqdM8ms4x6",
- "name": "someusername"
+ "name": "xxxxxx"
 }
 },
 "tags": [
@@ -288,7 +288,7 @@
 ],
 "user": {
 "full_name": "xxxxxx",
- "name": "someusername"
+ "name": "xxxxxx"
 },
 "user_agent": {
 "device": {
@@ -305,7 +305,7 @@
 }
 },
 {
- "@timestamp": "2020-02-14T22:18:51.843Z",
+ "@timestamp": "2020-02-14T20:18:57.762Z",
 "client": {
 "geo": {
 "city_name": "Dublin",
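Review bot: `threat_suspected` and `flattened.threatSuspected` are pinned as the string `"false"` in the new expected output of the `-212` hunk, so a detection that keys on this field cannot query it as a boolean; if the pipeline does not already do so, a `convert` processor with `type: boolean` (and `ignore_failure: true`) on `okta.debug_context.debug_data.threat_suspected` would fix the type before these fixtures lock the string form in. The `risk` and `behaviors` values in the added log events (for example `"risk":"{level=LOW}"` and `"risk":"{reasons=Anomalous Device, Anomalous Location, level=HIGH}"`) arrive as Java-map-style strings rather than JSON, so unless they are parsed into structured fields the `level=HIGH` and anomaly signals stay unsearchable. The same string-boolean appears again in the `-326` hunk that follows; it is noted only here.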
@@ -326,6 +326,171 @@ "ecs": { "version": "8.7.0" }, + "event": { + "action": "policy.evaluate_sign_on", + "category": [ + "authentication" + ], + "id": "3af594f9-4f67-11ea-abd3-1f5d113f2546", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" + }, + "client": { + "device": "Computer", + "ip": "175.16.199.1", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "flattened": { + "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestUri": "/api/v1/authn", + "threatSuspected": "false", + "url": "/api/v1/authn?" + }, + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", + "threat_suspected": "false", + "url": "/api/v1/authn?" 
+ } + }, + "display_message": "Evaluation of sign-on policy", + "event_type": "policy.evaluate_sign_on", + "outcome": { + "reason": "Sign-on policy evaluation resulted in ALLOW", + "result": "ALLOW" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "target": [ + { + "alternate_id": "unknown", + "display_name": "Default Policy", + "id": "00p1abvweGGDW10Ur4x6", + "type": "PolicyEntity" + }, + { + "alternate_id": "00p1abvweGGDW10Ur4x6", + "display_name": "Default Rule", + "id": "0pr1abvwfqGFI4n064x6", + "type": "PolicyRule" + } + ], + "transaction": { + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "type": "WEB" + }, + "uuid": "3af594f9-4f67-11ea-abd3-1f5d113f2546" + }, + "related": { + "ip": [ + "175.16.199.1" + ], + "user": [ + "xxxxxx" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." 
+ } + }, + { + "@timestamp": "2020-02-14T22:18:51.843Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "someusername" + } + }, + "ecs": { + "version": "8.7.0" + }, "event": { "action": "user.session.end", "category": [ 
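Review bot: The added `policy.evaluate_sign_on` document pins `source.geo` as Changchun/CN while `client.geo`, copied from Okta's `geographicalContext`, says Dublin/California for the same `175.16.199.1`; this is presumably the bundled test GeoIP database disagreeing with the vendor's own lookup, but nothing in the fixture tells a reader that apart from a regression in the `geoip` step. Since a JSON fixture cannot carry a comment, a sentence in the data stream's documentation stating that `source.geo` comes from the test GeoIP database and `client.geo` from the Okta payload would keep the next regeneration from being "corrected" by hand. The same document asserts `user_agent.version` as `72.0.` with a trailing dot for `Firefox/72.0`; if that is the user_agent processor's actual output it is fine to lock in, but it is worth confirming rather than treating as ground truth. The same two values recur in the documents added under `@@ -550,10 +719,1073 @@`, whose end lies outside this chunk.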
@@ -334,7 +499,7 @@ ], "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", "kind": "event", - "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "original": "{\"actor\":{\"alternateId\":\"someusername@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from 
Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}", "outcome": "success", "type": [ "end", @@ -343,7 +508,7 @@ }, "okta": { "actor": { - "alternate_id": "xxxxxx@elastic.co", + "alternate_id": "someusername@elastic.co", "display_name": "xxxxxx", "id": "00u1abvz4pYqdM8ms4x6", "type": "User" @@ -411,7 +576,8 @@ "175.16.199.1" ], "user": [ - "xxxxxx" + "xxxxxx", + "someusername" ] }, "source": { @@ -431,7 +597,7 @@ "user": { "full_name": "xxxxxx", "id": "00u1abvz4pYqdM8ms4x6", - "name": "xxxxxx" + "name": "someusername" } }, "tags": [ @@ -439,7 +605,7 @@ ], "user": { "full_name": "xxxxxx", - "name": "xxxxxx" + "name": "someusername" }, "user_agent": { "device": { @@ -456,7 +622,7 @@ } }, { - "@timestamp": "2020-02-14T22:18:51.843Z", + "@timestamp": "2020-02-14T20:18:57.718Z", "client": { "geo": { "city_name": "Dublin", @@ -467,6 +633,7 @@ }, "region_name": "California" }, + "ip": "175.16.199.1", "user": { "full_name": "xxxxxx", "id": "00u1abvz4pYqdM8ms4x6", 
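Review bot: The removed `event.original` in `@@ -334,7 +499,7 @@` held three Okta documents joined with `\n` (visible at `...\"version\":\"0\"}\n{\"actor\"...`), so the previous expectation was asserting that three input events had been read as one line; the new value holds a single document, which is the correct shape, but nothing in this diff shows the companion input log for this pipeline test was split to one event per line, and if it was not, the next generated run will reintroduce the concatenated string. Please confirm the input file was changed in the same commit, since the fixture alone cannot prove it. The `related.user` change in `@@ -411,7 +576,8 @@` now lists both `xxxxxx` and `someusername` for the logout event, which is consistent with `okta.actor.display_name` and `user.name` differing there; noting it so the reorder is understood as intentional rather than a leftover.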
@@ -477,17 +644,17 @@ "version": "8.7.0" }, "event": { - "action": "user.session.end", + "action": "user.session.start", "category": [ "authentication", "session" ], - "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", + "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", "kind": "event", - "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"null\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"null\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}\n{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"null\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to 
Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", "outcome": "success", "type": [ - "end", + "start", "user" ] }, @@ -500,10 +667,11 @@ }, "authentication_context": { "authentication_step": 0, - "external_session_id": "102nZHzd6OHSfGG51vsoc22gw" + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" }, "client": { "device": "Computer", + "ip": "175.16.199.1", "user_agent": { "browser": "FIREFOX", "os": "Mac OS X", 
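Review bot: The removed `event.original` values in `@@ -477,17 +644,17 @@` carried `\"ipAddress\":\"null\"` (the literal string), and every replacement carries a real address, so after this change no document in the fixture exercises the string-`null` client IP that Okta emits; `@@ -500,10 +667,11 @@` confirms the populated path by adding `+ "ip": "175.16.199.1"` under `okta.client`. If the pipeline copies `client.ipAddress` into an `ip`-typed field, the string `"null"` is exactly the value that would be rejected at index time or needs an explicit drop, and the fixture no longer proves either outcome. Keeping one input event with `ipAddress: "null"` would retain that coverage; `okta.client.zone` still shows the same literal-`"null"` pattern being passed through untouched, which suggests the drop is not done generically.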
@@ -513,21 +681,22 @@ }, "debug_context": { "debug_data": { + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", "flattened": { - "authnRequestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", - "requestId": "XkccyyMli2Uay2I93ZgRzQAAB0c", - "requestUri": "/login/signout", + "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestUri": "/api/v1/authn", "threatSuspected": "false", - "url": "/login/signout?message=login_page_messages.session_has_expired" + "url": "/api/v1/authn?" }, - "request_id": "XkccyyMli2Uay2I93ZgRzQAAB0c", - "request_uri": "/login/signout", + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", "threat_suspected": "false", - "url": "/login/signout?message=login_page_messages.session_has_expired" + "url": "/api/v1/authn?" } }, - "display_message": "User logout from Okta", - "event_type": "user.session.end", + "display_message": "User login to Okta", + "event_type": "user.session.start", "outcome": { "result": "SUCCESS" }, 
@@ -550,10 +719,1073 @@ ] }, "transaction": { - "id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", "type": "WEB" }, - "uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd" + "uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546" + }, + "related": { + "ip": [ + "175.16.199.1" + ], + "user": [ + "xxxxxx" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." 
+ } + }, + { + "@timestamp": "2020-02-14T20:18:57.762Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "ecs": { + "version": "8.7.0" + }, + "event": { + "action": "policy.evaluate_sign_on", + "category": [ + "authentication" + ], + "id": "3af594f9-4f67-11ea-abd3-1f5d113f2546", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" + }, + "client": { + "device": "Computer", + "ip": "175.16.199.1", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "flattened": { + "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestUri": "/api/v1/authn", + "threatSuspected": "false", + "url": "/api/v1/authn?" + }, + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", + "threat_suspected": "false", + "url": "/api/v1/authn?" 
+ } + }, + "display_message": "Evaluation of sign-on policy", + "event_type": "policy.evaluate_sign_on", + "outcome": { + "reason": "Sign-on policy evaluation resulted in ALLOW", + "result": "ALLOW" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "target": [ + { + "alternate_id": "unknown", + "display_name": "Default Policy", + "id": "00p1abvweGGDW10Ur4x6", + "type": "PolicyEntity" + }, + { + "alternate_id": "00p1abvweGGDW10Ur4x6", + "display_name": "Default Rule", + "id": "0pr1abvwfqGFI4n064x6", + "type": "PolicyRule" + } + ], + "transaction": { + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "type": "WEB" + }, + "uuid": "3af594f9-4f67-11ea-abd3-1f5d113f2546" + }, + "related": { + "ip": [ + "175.16.199.1" + ], + "user": [ + "xxxxxx" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." 
+ } + }, + { + "@timestamp": "2020-02-14T22:18:51.843Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "ecs": { + "version": "8.7.0" + }, + "event": { + "action": "user.session.end", + "category": [ + "authentication", + "session" + ], + "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "end", + "user" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102nZHzd6OHSfGG51vsoc22gw" + }, + "client": { + "device": "Computer", + "ip": "175.16.199.1", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "flattened": { + "authnRequestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestId": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "requestUri": "/login/signout", + "threatSuspected": "false", + "url": "/login/signout?message=login_page_messages.session_has_expired" + }, + "request_id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "request_uri": "/login/signout", + "threat_suspected": "false", + "url": "/login/signout?message=login_page_messages.session_has_expired" + } + }, + "display_message": "User logout from Okta", + "event_type": "user.session.end", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "transaction": { + "id": 
"XkccyyMli2Uay2I93ZgRzQAAB0c", + "type": "WEB" + }, + "uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd" + }, + "related": { + "ip": [ + "175.16.199.1" + ], + "user": [ + "xxxxxx" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." + } + }, + { + "@timestamp": "2020-02-14T20:18:57.718Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "ecs": { + "version": "8.7.0" + }, + "event": { + "action": "user.session.start", + "category": [ + "authentication", + "session" + ], + "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "start", + "user" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" + }, + "client": { + "device": "Computer", + "ip": "175.16.199.1", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + 
"device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "flattened": { + "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestUri": "/api/v1/authn", + "threatSuspected": "false", + "url": "/api/v1/authn?" + }, + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", + "threat_suspected": "false", + "url": "/api/v1/authn?" + } + }, + "display_message": "User login to Okta", + "event_type": "user.session.start", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "transaction": { + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "type": "WEB" + }, + "uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546" + }, + "related": { + "ip": [ + "175.16.199.1" + ], + "user": [ + "xxxxxx" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." 
+ } + }, + { + "@timestamp": "2020-02-14T20:18:57.762Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "ecs": { + "version": "8.7.0" + }, + "event": { + "action": "policy.evaluate_sign_on", + "category": [ + "authentication" + ], + "id": "3af594f9-4f67-11ea-abd3-1f5d113f2546", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"175.16.199.1\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" + }, + "client": { + "device": "Computer", + "ip": "175.16.199.1", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "flattened": { + "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestUri": "/api/v1/authn", + "threatSuspected": "false", + "url": "/api/v1/authn?" + }, + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", + "threat_suspected": "false", + "url": "/api/v1/authn?" 
+ } + }, + "display_message": "Evaluation of sign-on policy", + "event_type": "policy.evaluate_sign_on", + "outcome": { + "reason": "Sign-on policy evaluation resulted in ALLOW", + "result": "ALLOW" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "target": [ + { + "alternate_id": "unknown", + "display_name": "Default Policy", + "id": "00p1abvweGGDW10Ur4x6", + "type": "PolicyEntity" + }, + { + "alternate_id": "00p1abvweGGDW10Ur4x6", + "display_name": "Default Rule", + "id": "0pr1abvwfqGFI4n064x6", + "type": "PolicyRule" + } + ], + "transaction": { + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "type": "WEB" + }, + "uuid": "3af594f9-4f67-11ea-abd3-1f5d113f2546" + }, + "related": { + "ip": [ + "175.16.199.1" + ], + "user": [ + "xxxxxx" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." 
+ } + }, + { + "@timestamp": "2020-02-14T22:18:51.843Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "ecs": { + "version": "8.7.0" + }, + "event": { + "action": "user.session.end", + "category": [ + "authentication", + "session" + ], + "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"null\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "end", + "user" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102nZHzd6OHSfGG51vsoc22gw" + }, + "client": { + "device": "Computer", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "flattened": { + "authnRequestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestId": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "requestUri": "/login/signout", + "threatSuspected": "false", + "url": "/login/signout?message=login_page_messages.session_has_expired" + }, + "request_id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "request_uri": "/login/signout", + "threat_suspected": "false", + "url": "/login/signout?message=login_page_messages.session_has_expired" + } + }, + "display_message": "User logout from Okta", + "event_type": "user.session.end", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "transaction": { + "id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "type": 
"WEB" + }, + "uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd" + }, + "related": { + "user": [ + "xxxxxx" + ] + }, + "source": { + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." + } + }, + { + "@timestamp": "2020-02-14T20:18:57.718Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "ecs": { + "version": "8.7.0" + }, + "event": { + "action": "user.session.start", + "category": [ + "authentication", + "session" + ], + "id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"null\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 
Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "start", + "user" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" + }, + "client": { + "device": "Computer", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "flattened": { + "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestUri": "/api/v1/authn", + "threatSuspected": "false", + "url": "/api/v1/authn?" 
+ }, + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", + "threat_suspected": "false", + "url": "/api/v1/authn?" + } + }, + "display_message": "User login to Okta", + "event_type": "user.session.start", + "outcome": { + "result": "SUCCESS" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "transaction": { + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "type": "WEB" + }, + "uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546" + }, + "related": { + "user": [ + "xxxxxx" + ] + }, + "source": { + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "full_name": "xxxxxx", + "name": "xxxxxx" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "72.0." 
+ } + }, + { + "@timestamp": "2020-02-14T20:18:57.762Z", + "client": { + "geo": { + "city_name": "Dublin", + "country_name": "United States", + "location": { + "lat": 37.7201, + "lon": -121.919 + }, + "region_name": "California" + }, + "user": { + "full_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "name": "xxxxxx" + } + }, + "ecs": { + "version": "8.7.0" + }, + "event": { + "action": "policy.evaluate_sign_on", + "category": [ + "authentication" + ], + "id": "3af594f9-4f67-11ea-abd3-1f5d113f2546", + "kind": "event", + "original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"null\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"175.16.199.1\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "outcome": "success", + "type": [ + "info" + ] + }, + "okta": { + "actor": { + "alternate_id": "xxxxxx@elastic.co", + "display_name": "xxxxxx", + "id": "00u1abvz4pYqdM8ms4x6", + "type": "User" + }, + "authentication_context": { + "authentication_step": 0, + "external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ" + }, + "client": { + "device": "Computer", + "user_agent": { + "browser": "FIREFOX", + "os": "Mac OS X", + "raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0" + }, + "zone": "null" + }, + "debug_context": { + "debug_data": { + "device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "flattened": { + "deviceFingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "requestId": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "requestUri": "/api/v1/authn", + "threatSuspected": "false", + "url": "/api/v1/authn?" + }, + "request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "request_uri": "/api/v1/authn", + "threat_suspected": "false", + "url": "/api/v1/authn?" 
+ } + }, + "display_message": "Evaluation of sign-on policy", + "event_type": "policy.evaluate_sign_on", + "outcome": { + "reason": "Sign-on policy evaluation resulted in ALLOW", + "result": "ALLOW" + }, + "request": { + "ip_chain": [ + { + "geographical_context": { + "city": "Dublin", + "country": "United States", + "geolocation": { + "lat": 37.7201, + "lon": -121.919 + }, + "postal_code": "94568", + "state": "California" + }, + "ip": "175.16.199.1", + "version": "V4" + } + ] + }, + "target": [ + { + "alternate_id": "unknown", + "display_name": "Default Policy", + "id": "00p1abvweGGDW10Ur4x6", + "type": "PolicyEntity" + }, + { + "alternate_id": "00p1abvweGGDW10Ur4x6", + "display_name": "Default Rule", + "id": "0pr1abvwfqGFI4n064x6", + "type": "PolicyRule" + } + ], + "transaction": { + "id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "type": "WEB" + }, + "uuid": "3af594f9-4f67-11ea-abd3-1f5d113f2546" }, "related": { "user": [ 
@@ -809,7 +2041,7 @@ "action": "user.authentication.verify", "id": "faf7398a-4f77-11ea-97fb-5925e98228bd", "kind": "event", - "original": "{\"actor\":{\"alternateId\":\"test1@test.com\",\"detailEntry\":null,\"displayName\":\"None\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Mobile\",\"geographicalContext\":{\"city\":\"Purcellville\",\"country\":\"United States\",\"geolocation\":{\"lat\":39.64,\"lon\":-77.8346},\"postalCode\":\"20132\",\"state\":\"Virginia\"},\"id\":null,\"ipAddress\":\"67.43.156.14\",\"userAgent\":{\"browser\":\"SAFARI\",\"os\":\"Mac OS X (iPhone)\",\"rawUserAgent\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 15_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Safari\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"behaviors\":\"{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, New City=NEGATIVE}\",\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify\",\"risk\":\"{level=LOW}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify?autoPush=false\u0026rememberDevice=false\"}},\"device\":null,\"displayMessage\":\"Verify user identity\",\"eventType\":\"user.authentication.verify\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2022-05-11T09:27:08.708Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Purcellville\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":39.64,\"lon\":-77.8346},\"postalCode\":\"20132\",\"state\":\"Virginia\"},\"ip\":\"67.43.156.14\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":7922,\"asOrg\":\"comcast\",\"domain\":\"comcast.net\",\"isProxy\":false,\"isp\":\"comcast\"},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}", + "original": "{\"actor\":{\"alternateId\":\"test1@test.com\",\"detailEntry\":null,\"displayName\":\"None\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Mobile\",\"geographicalContext\":{\"city\":\"Purcellville\",\"country\":\"United States\",\"geolocation\":{\"lat\":39.64,\"lon\":-77.8346},\"postalCode\":\"20132\",\"state\":\"Virginia\"},\"id\":null,\"ipAddress\":\"67.43.156.14\",\"userAgent\":{\"browser\":\"SAFARI\",\"os\":\"Mac OS X (iPhone)\",\"rawUserAgent\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 15_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Safari\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"behaviors\":\"{New Geo-Location=NEGATIVE, New Device=NEGATIVE, New IP=NEGATIVE, New State=NEGATIVE, New Country=NEGATIVE, New City=NEGATIVE}\",\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify\",\"risk\":\"{level=LOW}\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn/factors/ZmZmOTQ3Yjk5MTh/verify?autoPush=false\\u0026rememberDevice=false\"}},\"device\":null,\"displayMessage\":\"Verify user 
identity\",\"eventType\":\"user.authentication.verify\",\"legacyEventType\":null,\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2022-05-11T09:27:08.708Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Purcellville\",\"country\":\"United States\",\"geolocation\":{\"lat\":39.64,\"lon\":-77.8346},\"postalCode\":\"20132\",\"state\":\"Virginia\"},\"ip\":\"67.43.156.14\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":7922,\"asOrg\":\"comcast\",\"domain\":\"comcast.net\",\"isProxy\":false,\"isp\":\"comcast\"},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}", "outcome": "success" }, "okta": { diff --git a/packages/ti_cybersixgill/changelog.yml b/packages/ti_cybersixgill/changelog.yml index f73d5317c21..bc34ce6c482 100644 --- a/packages/ti_cybersixgill/changelog.yml +++ b/packages/ti_cybersixgill/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.10.1" + changes: + - description: Fix ingest pipeline to map threat type correctly + type: bugfix + link: https://github.com/elastic/integrations/pull/5910 - version: "1.10.0" changes: - description: Update package to ECS 8.7.0. diff --git a/packages/ti_cybersixgill/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/ti_cybersixgill/data_stream/threat/elasticsearch/ingest_pipeline/default.yml index c58890e6219..febab029f87 100644 --- a/packages/ti_cybersixgill/data_stream/threat/elasticsearch/ingest_pipeline/default.yml +++ b/packages/ti_cybersixgill/data_stream/threat/elasticsearch/ingest_pipeline/default.yml 
@@ -82,12 +82,29 @@ processors: - "^\\[%{SHA1}\\]" - "^\\[%{SHA1} OR %{SHA256}\\]" - "^\\[%{SHA256}\\]" - - "^\\[%{DATA:threat.indicator.type}:value%{SPACE}=%{SPACE}'%{DATA:_temp_.threatvalue}'\\]" + - "^\\[%{DATA:_temp_.type}:value%{SPACE}=%{SPACE}'%{DATA:_temp_.threatvalue}'\\]" pattern_definitions: - MD5: "%{DATA:threat.indicator.type}:hashes.MD5%{SPACE}=%{SPACE}'%{WORD:threat.indicator.file.hash.md5}'" - SHA1: "%{DATA:threat.indicator.type}:hashes.'SHA-1'%{SPACE}=%{SPACE}'%{WORD:threat.indicator.file.hash.sha1}'" - SHA256: "%{DATA:threat.indicator.type}:hashes.'SHA-256'%{SPACE}=%{SPACE}'%{WORD:threat.indicator.file.hash.sha256}'" + MD5: "%{DATA:_temp_.type}:hashes.MD5%{SPACE}=%{SPACE}'%{WORD:threat.indicator.file.hash.md5}'" + SHA1: "%{DATA:_temp_.type}:hashes.'SHA-1'%{SPACE}=%{SPACE}'%{WORD:threat.indicator.file.hash.sha1}'" + SHA256: "%{DATA:_temp_.type}:hashes.'SHA-256'%{SPACE}=%{SPACE}'%{WORD:threat.indicator.file.hash.sha256}'" if: ctx.cybersixgill?.pattern != null + - set: + field: threat.indicator.type + copy_from: _temp_.type + if: | + ctx?._temp_?.type != null && + ctx?._temp_?.type instanceof String + - foreach: + field: _temp_.type + if: | + ctx?._temp_?.type != null && + ctx?._temp_?.type instanceof List + processor: + set: + field: threat.indicator.type + value: "{{_ingest._value}}" + override: false + ignore_missing: true - rename: field: _temp_.threatvalue target_field: threat.indicator.ip diff --git a/packages/ti_cybersixgill/manifest.yml b/packages/ti_cybersixgill/manifest.yml index d637336c71f..ab5c279f6ed 100644 --- a/packages/ti_cybersixgill/manifest.yml +++ b/packages/ti_cybersixgill/manifest.yml @@ -1,6 +1,6 @@ name: ti_cybersixgill title: Cybersixgill -version: "1.10.0" +version: "1.10.1" release: ga description: Ingest threat intelligence indicators from Cybersixgill with Elastic Agent. type: integration
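Review bot: The `foreach` branch added for the List case uses `override: false`, so only the first element of `_temp_.type` reaches `threat.indicator.type` and any later, differing capture is dropped without a trace; the multi-capture patterns visible in this hunk are all `file:` hash combinations, so the values agree today, but that assumption is not written down. A short comment on the foreach would protect the next change, e.g. `# grok yields a list when several OR-clauses match; all captures are expected to be the same STIX type, so the first one wins`. The `_temp_` object still has to be dropped before indexing; the `remove` that does this is presumably outside the hunk, so confirm it covers `_temp_.type` as well as `_temp_.threatvalue`. The trailing `rename` of `_temp_.threatvalue` to `threat.indicator.ip` is cut off by the hunk boundary; check that its definition carries an `if` on `_temp_.type`, since a `domain-name` or `url` value landing in an `ip`-typed field would reject the document.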