diff --git a/packages/carbon_black_cloud/0.1.0/changelog.yml b/packages/carbon_black_cloud/0.1.0/changelog.yml
new file mode 100755
index 0000000000..01f7b8a94a
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: 0.1.0
+  changes:
+    - description: Initial draft of the package.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2760
diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/alert/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/0.1.0/data_stream/alert/agent/stream/aws-s3.yml.hbs
new file mode 100755
index 0000000000..e02c596614
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/data_stream/alert/agent/stream/aws-s3.yml.hbs
@@ -0,0 +1,24 @@
+bucket_arn: {{bucket_arn}}
+number_of_workers: {{number_of_workers}}
+bucket_list_interval: {{interval}}
+access_key_id: {{access_key_id}}
+secret_access_key: {{secret_access_key}}
+bucket_list_prefix: {{bucket_list_prefix}}
+expand_event_list_from_field: Records
+{{#if proxy_url}}
+proxy_url: {{proxy_url}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/alert/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/0.1.0/data_stream/alert/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..2f738b21a6
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/data_stream/alert/agent/stream/httpjson.yml.hbs
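Review bot: `access_key_id` and `secret_access_key` are rendered unconditionally, so a user who leaves them blank to rely on an instance profile or IAM role still gets `access_key_id:` / `secret_access_key:` lines with empty values instead of the keys being omitted; wrapping each one as `{{#if access_key_id}}access_key_id: {{access_key_id}}{{/if}}` (and likewise for the secret) follows the pattern the `proxy_url` line in this same template already uses. None of `bucket_arn`, `number_of_workers`, `access_key_id`, `secret_access_key` or `proxy_url` are declared in the alert data-stream manifest in this diff, so they presumably come from a package-level manifest that is not shown. `expand_event_list_from_field: Records` hard-wires the S3 object layout to `{"Records": [...]}`; a one-line comment above it stating that this is the layout the Carbon Black Data Forwarder writes would tell the next maintainer why a plain JSON-lines object yields nothing.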
@@ -0,0 +1,52 @@
+config_version: 2
+interval: {{interval}}
+request.timeout: 2m
+request.method: POST
+
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+
+request.url: {{hostname}}/appservices/v6/orgs/{{org_key}}/alerts/_search
+request.transforms:
+  - set:
+      target: header.X-Auth-Token
+      value: {{custom_api_secret_key}}/{{custom_api_id}}
+  - set:
+      target: body.criteria.last_update_time.start
+      value: '[[.cursor.last_update_timestamp]]'
+      default: '[[formatDate ((now (parseDuration "-{{initial_interval}}")).Add (parseDuration "-15m")) "RFC3339"]]'
+  - set:
+      target: body.criteria.last_update_time.end
+      value: '[[formatDate (now (parseDuration "-15m")) "RFC3339"]]'
+  - set:
+      target: body.sort
+      value: '[{ "field": "last_update_time", "order": "ASC"}]'
+      value_type: json
+response.pagination:
+  - set:
+      target: body.criteria.last_update_time.start
+      value: '[[if (ne .last_response.body.num_found .last_response.body.num_available)]][[.last_event.last_update_time]][[else]][[.last_response.terminate_pagination]][[end]]'
+      fail_on_template_error: true
+cursor:
+  last_update_timestamp:
+    value: '[[.last_event.last_update_time]]'
+response.split:
+  target: body.results
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/0.1.0/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..e221f8910f
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
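Review bot: The `X-Auth-Token` transform renders the API secret as an unquoted plain scalar, `value: {{custom_api_secret_key}}/{{custom_api_id}}`; a key containing ` #` or `: `, or starting with a YAML indicator, would truncate or break the rendered input config, so quote it: `value: '{{custom_api_secret_key}}/{{custom_api_id}}'`. The 15-minute lag applied to both `start` and `end`, and the `num_found`/`num_available` pagination test, are undocumented; a comment such as `# query 15m behind now — presumably to let in-flight alert updates settle; confirm against the CBC Alerts API docs` would save the next maintainer a trip. Restarting pagination from `.last_event.last_update_time` likely re-requests the last alert of every page if the API treats `start` as inclusive, which only stays harmless because the ingest pipeline derives `_id` from id/create_time/last_update_time; that cross-file dependency deserves a note here too.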
@@ -0,0 +1,294 @@ +--- +description: Pipeline for parsing Carbon Black Cloud alerts. +processors: + - set: + field: ecs.version + value: "8.0.0" + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + ignore_failure: true + - fingerprint: + fields: + - json.id + - json.create_time + - json.last_update_time + target_field: _id + ignore_missing: true + - date: + field: json.create_time + target_field: "@timestamp" + ignore_failure: true + formats: + - ISO8601 + - set: + field: event.kind + value: alert + - rename: + field: json.id + target_field: event.id + ignore_missing: true + - rename: + field: json.first_event_time + target_field: event.start + ignore_missing: true + - rename: + field: json.last_event_time + target_field: event.end + ignore_missing: true + - rename: + field: json.severity + target_field: event.severity + ignore_missing: true + - urldecode: + field: json.alert_url + target_field: event.url + ignore_missing: true + - rename: + field: json.reason + target_field: event.reason + ignore_missing: true + - convert: + field: json.device_id + target_field: host.id + type: string + ignore_missing: true + - set: + field: host.os.type + value: windows + if: ctx?.json?.device_os == "WINDOWS" + - set: + field: host.os.type + value: linux + if: ctx?.json?.device_os == "LINUX" + - set: + field: host.os.type + value: macos + if: ctx?.json?.device_os == "MAC" + - set: + field: event.kind + value: alert + - rename: + field: json.device_os_version + target_field: host.os.version + ignore_missing: true + - rename: + field: json.device_name + target_field: host.hostname + ignore_missing: true + - append: + field: host.ip + value: "{{{json.device_internal_ip}}}" + if: ctx?.json?.device_internal_ip != null + allow_duplicates: false + ignore_failure: true + - append: + field: host.ip + value: "{{{json.device_external_ip}}}" + if: ctx?.json?.device_external_ip != null + allow_duplicates: 
false + ignore_failure: true + - rename: + field: json.device_username + target_field: user.name + ignore_missing: true + - append: + field: related.ip + value: + - "{{{json.device_internal_ip}}}" + - "{{{json.device_external_ip}}}" + allow_duplicates: false + - append: + field: related.user + value: "{{{user.name}}}" + allow_duplicates: false + - append: + field: related.hosts + value: "{{{host.hostname}}}" + allow_duplicates: false + - append: + field: related.hash + value: + - "{{{json.threat_cause_actor_md5}}}" + - "{{{json.threat_cause_actor_sha256}}}" + allow_duplicates: false + - rename: + field: json.process_name + target_field: process.name + ignore_missing: true + - rename: + field: json.process_path + target_field: process.executable + ignore_missing: true + - rename: + field: json.process_guid + target_field: process.entity_id + ignore_missing: true + - rename: + field: json.vendor_name + target_field: carbon_black_cloud.alert.vendor_name + ignore_missing: true + - rename: + field: json.product_name + target_field: carbon_black_cloud.alert.product_name + ignore_missing: true + - rename: + field: json.serial_number + target_field: carbon_black_cloud.alert.serial_number + ignore_missing: true + - rename: + field: json.policy_id + target_field: carbon_black_cloud.alert.policy.id + ignore_missing: true + - rename: + field: json.policy_name + target_field: carbon_black_cloud.alert.policy.name + ignore_missing: true + - rename: + field: json.threat_id + target_field: carbon_black_cloud.alert.threat_id + ignore_missing: true + - rename: + field: json.policy_applied + target_field: carbon_black_cloud.alert.policy.applied + ignore_missing: true + - rename: + field: json.threat_activity_c2 + target_field: carbon_black_cloud.alert.threat_activity.c2 + ignore_missing: true + - rename: + field: json.threat_activity_dlp + target_field: carbon_black_cloud.alert.threat_activity.dlp + ignore_missing: true + - rename: + field: json.threat_activity_phish + target_field: 
carbon_black_cloud.alert.threat_activity.phish + ignore_missing: true + - rename: + field: json.threat_cause_actor_name + target_field: carbon_black_cloud.alert.threat_cause.actor.name + ignore_missing: true + - rename: + field: json.threat_cause_actor_process_pid + target_field: carbon_black_cloud.alert.threat_cause.actor.process_pid + ignore_missing: true + - rename: + field: json.threat_cause_actor_sha256 + target_field: carbon_black_cloud.alert.threat_cause.actor.sha256 + ignore_missing: true + - rename: + field: json.threat_cause_actor_md5 + target_field: carbon_black_cloud.alert.threat_cause.actor.md5 + ignore_missing: true + - rename: + field: json.threat_cause_cause_event_id + target_field: carbon_black_cloud.alert.threat_cause.cause_event_id + ignore_missing: true + - rename: + field: json.threat_cause_parent_guid + target_field: carbon_black_cloud.alert.threat_cause.process.parent.guid + ignore_missing: true + - rename: + field: json.threat_cause_process_guid + target_field: carbon_black_cloud.alert.threat_cause.process.guid + ignore_missing: true + - rename: + field: json.threat_cause_reputation + target_field: carbon_black_cloud.alert.threat_cause.reputation + ignore_missing: true + - rename: + field: json.threat_cause_threat_category + target_field: carbon_black_cloud.alert.threat_cause.threat_category + ignore_missing: true + - rename: + field: json.threat_cause_vector + target_field: carbon_black_cloud.alert.threat_cause.vector + ignore_missing: true + - rename: + field: json.ioc_field + target_field: carbon_black_cloud.alert.ioc.field + ignore_missing: true + - rename: + field: json.ioc_hit + target_field: carbon_black_cloud.alert.ioc.hit + ignore_missing: true + - rename: + field: json.ioc_id + target_field: carbon_black_cloud.alert.ioc.id + ignore_missing: true + - rename: + field: json.report_id + target_field: carbon_black_cloud.alert.report.id + ignore_missing: true + - rename: + field: json.report_name + target_field: 
carbon_black_cloud.alert.report.name + ignore_missing: true + - rename: + field: json.org_key + target_field: carbon_black_cloud.alert.organization_key + ignore_missing: true + - rename: + field: json.device_location + target_field: carbon_black_cloud.alert.device.location + ignore_missing: true + - rename: + field: json.device_os + target_field: carbon_black_cloud.alert.device.os + ignore_missing: true + - rename: + field: json.device_internal_ip + target_field: carbon_black_cloud.alert.device.internal_ip + ignore_missing: true + - rename: + field: json.device_external_ip + target_field: carbon_black_cloud.alert.device.external_ip + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - lowercase: + field: json.category + ignore_missing: true + - script: + description: Adds all the remaining fields in fields under carbon_black_cloud.alert + lang: painless + if: ctx?.json != null + source: | + for (Map.Entry m : ctx.json.entrySet()) { + ctx.carbon_black_cloud.alert[m.getKey()] = m.getValue(); + } + - remove: + field: + - json + - carbon_black_cloud.alert.create_time + - carbon_black_cloud.alert.device_id + - carbon_black_cloud.alert.alert_url + ignore_missing: true + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +on_failure: + - set: + field: error.message + value: "{{{_ingest.on_failure_message}}}" 
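Review bot: The "Adds all the remaining fields" script dereferences `ctx.carbon_black_cloud.alert`, but that map only exists if at least one of the preceding `rename` processors (all `ignore_missing: true`) actually ran; a document lacking every one of those fields makes the script throw a null-pointer error and the whole event drops to `on_failure`. The script should create the parent maps before the loop, as below. Two smaller points: `event.kind` is set to `alert` twice (once after the `date` processor and again after the `host.os.type` sets), so one of them can go; and because `event.kind: alert` is set before most processors, a document that fails mid-pipeline is still indexed as an alert with only `error.message` to distinguish it, so adding `- set: {field: event.kind, value: pipeline_error}` to `on_failure` would keep half-parsed documents out of detection rules keyed on `event.kind: alert`.

```yaml
  - script:
      description: Adds all the remaining fields in fields under carbon_black_cloud.alert
      lang: painless
      if: ctx?.json != null
      source: |
        if (ctx.carbon_black_cloud == null) {
          ctx.carbon_black_cloud = new HashMap();
        }
        if (ctx.carbon_black_cloud.alert == null) {
          ctx.carbon_black_cloud.alert = new HashMap();
        }
        for (Map.Entry m : ctx.json.entrySet()) {
          ctx.carbon_black_cloud.alert[m.getKey()] = m.getValue();
        }
  # … unchanged: remove of json / create_time / device_id / alert_url, drop-empty script, on_failure …
```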
diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/alert/fields/agent.yml b/packages/carbon_black_cloud/0.1.0/data_stream/alert/fields/agent.yml new file mode 100755 index 0000000000..e313ec8287 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/data_stream/alert/fields/agent.yml 
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/alert/fields/base-fields.yml b/packages/carbon_black_cloud/0.1.0/data_stream/alert/fields/base-fields.yml new file mode 100755 index 0000000000..14fb618ea4 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/data_stream/alert/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module. + value: carbon_black_cloud +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: carbon_black_cloud.alert diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/alert/fields/ecs.yml b/packages/carbon_black_cloud/0.1.0/data_stream/alert/fields/ecs.yml new file mode 100755 index 0000000000..b2ddcd3746 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/data_stream/alert/fields/ecs.yml 
@@ -0,0 +1,107 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + Reason why this event happened, according to the source. + This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. 
For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + name: event.reason + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + URL linking to an external system to continue investigation of this event. + This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + name: event.url + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: |- + Unique host id. + As hostname is not always unique, use values that are meaningful in your environment. + Example: The current usage of `beat.name`. + name: host.id + type: keyword +- description: Host ip addresses. + name: host.ip + type: ip +- description: |- + Use the `os.type` field to categorize the operating system into one of the broad commercial families. + One of these following values should be used (lowercase): linux, macos, unix, windows. + If the OS you're dealing with is not in the list, the field should not be populated. 
Please let us know by opening an issue with ECS, to propose its addition. + name: host.os.type + type: keyword +- description: Operating system version as a raw string. + name: host.os.version + type: keyword +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword 
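Review bot: `error.message` is written by the ingest pipeline's `on_failure` handler but is not declared here (nor in base-fields.yml), so it will be dynamically mapped on first failure rather than under the package's control; add `- description: Error message.`, `  name: error.message`, `  type: match_only_text` alongside the other ECS entries. The `match_only_text` multi-fields on `process.executable`, `process.name` and `user.name` require a stack version that supports that type; the package-level `kibana.version` constraint is not in this diff, so worth confirming it is set high enough.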
diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/alert/fields/fields.yml b/packages/carbon_black_cloud/0.1.0/data_stream/alert/fields/fields.yml new file mode 100755 index 0000000000..3eca3a1515 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/data_stream/alert/fields/fields.yml 
@@ -0,0 +1,218 @@ +- name: carbon_black_cloud.alert + type: group + fields: + - name: blocked_threat_category + type: keyword + description: The category of threat which we were able to take action on. + - name: category + type: keyword + description: The category of the alert. + - name: count + type: long + - name: created_by_event_id + type: keyword + description: Event identifier that initiated the alert. + - name: device + type: group + fields: + - name: location + type: keyword + description: The Location of device. + - name: os + type: keyword + description: OS of the device. + - name: internal_ip + type: ip + description: Internal IP of the device. + - name: external_ip + type: ip + description: External IP of the device. + - name: document_guid + type: keyword + description: Unique ID of document. + - name: ioc + type: group + fields: + - name: field + type: keyword + description: The field the indicator of comprise (IOC) hit contains. + - name: hit + type: keyword + description: IOC field value or IOC query that matches. + - name: id + type: keyword + description: The identifier of the IOC that cause the hit. + - name: kill_chain_status + type: keyword + description: The stage within the Cyber Kill Chain sequence most closely associated with the attributes of the alert. + - name: last_update_time + type: date + description: The last time the alert was updated as an ISO 8601 UTC timestamp. + - name: legacy_alert_id + type: keyword + description: The legacy identifier for the alert. + - name: not_blocked_threat_category + type: keyword + description: Other potentially malicious activity involved in the threat that we weren't able to take action on (either due to policy config, or not having a relevant rule). + - name: notes_present + type: boolean + description: Indicates if notes are associated with the threat_id. + - name: organization_key + type: keyword + description: The unique identifier for the organization associated with the alert. 
+ - name: policy + type: group + fields: + - name: applied + type: keyword + description: Whether a policy was applied. + - name: id + type: long + description: The identifier for the policy associated with the device at the time of the alert. + - name: name + type: keyword + description: The name of the policy associated with the device at the time of the alert. + - name: product_id + type: keyword + description: The hexadecimal id of the USB device's product. + - name: product_name + type: keyword + description: The name of the USB device’s vendor. + - name: reason_code + type: keyword + description: Shorthand enum for the full-text reason. + - name: report + type: group + fields: + - name: id + type: keyword + description: The identifier of the report that contains the IOC. + - name: name + type: keyword + description: The name of the report that contains the IOC. + - name: run_state + type: keyword + description: Whether the threat in the alert ran. + - name: sensor_action + type: keyword + description: The action taken by the sensor, according to the rule of the policy. + - name: serial_number + type: keyword + description: The serial number of the USB device. + - name: status + type: keyword + description: status of alert. + - name: tags + type: keyword + description: Tags associated with the alert. + - name: target_value + type: keyword + description: The priority of the device assigned by the policy. + - name: threat_activity + type: group + fields: + - name: c2 + type: keyword + description: Whether the alert involved a command and control (c2) server. + - name: dlp + type: keyword + description: Whether the alert involved data loss prevention (DLP). + - name: phish + type: keyword + description: Whether the alert involved phishing. + - name: threat_cause + type: group + fields: + - name: actor + type: group + fields: + - name: md5 + type: keyword + description: MD5 of the threat cause actor. 
+ - name: name + type: keyword + description: 'The name can be one of the following: process commandline, process name, or analytic matched threat. Analytic matched threats are Exploit, Malware, PUP, or Trojan.' + - name: process_pid + type: keyword + description: Process identifier (PID) of the actor process. + - name: sha256 + type: keyword + description: SHA256 of the threat cause actor. + - name: cause_event_id + type: keyword + description: ID of the Event that triggered the threat. + - name: process + type: group + fields: + - name: guid + type: keyword + description: The global unique identifier of the process. + - name: parent + type: group + fields: + - name: guid + type: keyword + description: The global unique identifier of the process. + - name: reputation + type: keyword + description: Reputation of the threat cause. + - name: threat_category + type: keyword + description: Category of the threat cause. + - name: vector + type: keyword + description: The source of the threat cause. + - name: threat_id + type: keyword + description: The identifier of a threat which this alert belongs. Threats are comprised of a combination of factors that can be repeated across devices. + - name: threat_indicators + type: group + description: List of the threat indicators that make up the threat. + fields: + - name: process_name + type: keyword + description: Process name associated with threat. + - name: sha256 + type: keyword + description: Sha256 associated with threat. + - name: ttps + type: keyword + description: Tactics, techniques and procedures associated with threat. + - name: type + type: keyword + description: Type of alert. + - name: vendor_id + type: keyword + description: The hexadecimal id of the USB device's vendor. + - name: vendor_name + type: keyword + description: The name of the USB device’s vendor. + - name: watchlists + type: group + description: List of watchlists associated with an alert. 
+ fields: + - name: id + type: keyword + description: The identifier of watchlist. + - name: name + type: keyword + description: The name of the watchlist. + - name: workflow + type: group + description: Tracking system for alerts as they are triaged and resolved. + fields: + - name: changed_by + type: keyword + description: The name of user who changed the workflow. + - name: comment + type: keyword + description: Comment associated with workflow. + - name: last_update_time + type: date + description: The last update time of workflow. + - name: remediation + type: keyword + description: N/A + - name: state + type: keyword + description: The state of workflow. diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/alert/manifest.yml b/packages/carbon_black_cloud/0.1.0/data_stream/alert/manifest.yml new file mode 100755 index 0000000000..477667ce22 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/data_stream/alert/manifest.yml 
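Review bot: The `product_name` description, "The name of the USB device's vendor", is a copy of the `vendor_name` description and should read `description: The name of the USB device's product.`; `workflow.remediation` is described as `N/A` and `count` has no description at all, which is what users see in the field browser. `threat_indicators` and `watchlists` are declared as `group` (mapped as `object`) although their descriptions say "List of …"; if the API returns arrays of objects, Elasticsearch flattens them, so a query for a `process_name` and a `sha256` belonging to the same indicator cannot be expressed — if that matters for hunting, declare them `type: nested` instead.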
@@ -0,0 +1,95 @@
+title: Alert
+type: logs
+streams:
+ - input: httpjson
+ title: Collect alerts from Carbon Black Cloud
+ description: Collect alerts from Carbon Black Cloud.
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval to fetch alerts from Carbon Black Cloud.
+ multi: false
+ required: true
+ show_user: true
+ default: 1m
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ description: How far back to pull the alerts from the Carbon Black Cloud API.
+ default: 24h
+ multi: false
+ required: true
+ show_user: true
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - carbon_black_cloud-alert
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: aws-s3
+ title: Collect alerts from Carbon Black Cloud
+ description: Collect alerts from Carbon Black Cloud.
+ template_path: aws-s3.yml.hbs
+ vars:
+ - name: bucket_list_prefix
+ type: text
+ title: Bucket Prefix
+ description: Prefix to apply for the list request to the S3 bucket.
+ multi: false
+ required: true
+ show_user: true
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval to fetch alerts from AWS S3 bucket.
+ multi: false
+ required: true
+ show_user: true
+ default: 1m
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - carbon_black_cloud-alert
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/alert/sample_event.json b/packages/carbon_black_cloud/0.1.0/data_stream/alert/sample_event.json
new file mode 100755
index 0000000000..0fe469f67e
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/data_stream/alert/sample_event.json
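Review bot: The two `processors` descriptions use different block-scalar styles: the httpjson stream's `description: >` keeps a trailing newline (and is followed by an explicit blank line) while the aws-s3 stream's uses `>-`; for identical text the two should match, and `>-` is the form that yields a clean string. The aws-s3 stream's `interval` is described as "Interval to fetch alerts from AWS S3 bucket" although it is presumably the bucket-listing interval; `description: Interval at which the S3 bucket is listed for new alert objects.` would say what it actually controls. `initial_interval` is passed through as free text with a default of `24h`, so its description should name the accepted format, e.g. `description: How far back to pull alerts on first run, as a duration such as 24h or 30m.`.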
@@ -0,0 +1,113 @@ +{ + "@timestamp": "2020-11-17T22:05:13.000Z", + "agent": { + "ephemeral_id": "3102b667-53be-4efc-b035-9d72bef2853f", + "hostname": "docker-fleet-agent", + "id": "1465e432-24f3-456b-98ab-e79cdc8d86f6", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "carbon_black_cloud": { + "alert": { + "category": "warning", + "device": { + "external_ip": "81.2.69.143", + "internal_ip": "81.2.69.144", + "location": "UNKNOWN", + "os": "WINDOWS" + }, + "last_update_time": "2020-11-17T22:05:13Z", + "legacy_alert_id": "C8EB7306-AF26-4A9A-B677-814B3AF69720", + "organization_key": "ABCD6X3T", + "policy": { + "applied": "APPLIED", + "id": 6997287, + "name": "Standard" + }, + "product_id": "0x5406", + "product_name": "U3 Cruzer Micro", + "reason_code": "6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC", + "run_state": "DID_NOT_RUN", + "sensor_action": "DENY", + "serial_number": "0875920EF7C2A304", + "target_value": "MEDIUM", + "threat_cause": { + "cause_event_id": "FCEE2AF0-D832-4C9F-B988-F11B46028C9E", + "threat_category": "NON_MALWARE", + "vector": "REMOVABLE_MEDIA" + }, + "threat_id": "t5678", + "type": "DEVICE_CONTROL", + "vendor_id": "0x0781", + "vendor_name": "SanDisk", + "workflow": { + "changed_by": "Carbon Black", + "last_update_time": "2020-11-17T22:02:16Z", + "state": "OPEN" + } + } + }, + "data_stream": { + "dataset": "carbon_black_cloud.alert", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "1465e432-24f3-456b-98ab-e79cdc8d86f6", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-04-05T10:25:54.372Z", + "dataset": "carbon_black_cloud.alert", + "end": "2020-11-17T22:02:16Z", + "id": "test1", + "ingested": "2022-04-05T10:25:57Z", + "kind": "alert", + "original": 
"{\"alert_url\":\"https://defense-eap01.conferdeploy.net/alerts?orgId=1889976\",\"category\":\"WARNING\",\"create_time\":\"2020-11-17T22:05:13Z\",\"device_external_ip\":\"81.2.69.143\",\"device_id\":2,\"device_internal_ip\":\"81.2.69.144\",\"device_location\":\"UNKNOWN\",\"device_name\":\"DESKTOP-002\",\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_username\":\"test34@demo.com\",\"first_event_time\":\"2020-11-17T22:02:16Z\",\"id\":\"test1\",\"last_event_time\":\"2020-11-17T22:02:16Z\",\"last_update_time\":\"2020-11-17T22:05:13Z\",\"legacy_alert_id\":\"C8EB7306-AF26-4A9A-B677-814B3AF69720\",\"org_key\":\"ABCD6X3T\",\"policy_applied\":\"APPLIED\",\"policy_id\":6997287,\"policy_name\":\"Standard\",\"product_id\":\"0x5406\",\"product_name\":\"U3 Cruzer Micro\",\"reason\":\"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.\",\"reason_code\":\"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC\",\"run_state\":\"DID_NOT_RUN\",\"sensor_action\":\"DENY\",\"serial_number\":\"0875920EF7C2A304\",\"severity\":3,\"target_value\":\"MEDIUM\",\"threat_cause_cause_event_id\":\"FCEE2AF0-D832-4C9F-B988-F11B46028C9E\",\"threat_cause_threat_category\":\"NON_MALWARE\",\"threat_cause_vector\":\"REMOVABLE_MEDIA\",\"threat_id\":\"t5678\",\"type\":\"DEVICE_CONTROL\",\"vendor_id\":\"0x0781\",\"vendor_name\":\"SanDisk\",\"workflow\":{\"changed_by\":\"Carbon Black\",\"comment\":\"\",\"last_update_time\":\"2020-11-17T22:02:16Z\",\"remediation\":\"\",\"state\":\"OPEN\"}}", + "reason": "Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). 
A Deny Policy Action was applied.", + "severity": 3, + "start": "2020-11-17T22:02:16Z", + "url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1889976" + }, + "host": { + "hostname": "DESKTOP-002", + "id": "2", + "ip": [ + "81.2.69.144", + "81.2.69.143" + ], + "os": { + "type": "windows", + "version": "Windows 10 x64" + } + }, + "input": { + "type": "httpjson" + }, + "related": { + "hosts": [ + "DESKTOP-002" + ], + "ip": [ + "81.2.69.144", + "81.2.69.143" + ], + "user": [ + "test34@demo.com" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-alert" + ], + "user": { + "name": "test34@demo.com" + } +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/0.1.0/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..310b6e05d5 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,45 @@
+config_version: 2
+interval: {{interval}}
+request.method: POST
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.url: {{hostname}}/vulnerability/assessment/api/v1/orgs/{{org_key}}/devices/vulnerabilities/summary/_search
+request.transforms:
+ - set:
+ target: header.X-Auth-Token
+ value: {{custom_api_secret_key}}/{{custom_api_id}}
+ - set:
+ target: body.start
+ value: '0'
+ value_type: int
+ - set:
+ target: body.rows
+ value: '10000'
+ value_type: int
+request.timeout: 2m
+response.pagination:
+ - set:
+ target: body.start
+ value: '[[if (eq (len .last_response.body.results) 0)]][[.last_response.terminate_pagination]][[else]][[mul .last_response.page .body.rows]][[end]]'
+ value_type: int
+ fail_on_template_error: true
+response.split:
+ target: body.results
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/0.1.0/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..94f7482f37
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml
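Review bot: The `response.pagination` template derives the next `body.start` from `mul .last_response.page .body.rows`, which is only correct if `.last_response.page` is 1-based after the first response; if it is 0-based the second request repeats offset 0 and the first page is ingested twice, so this should be confirmed against the httpjson input's documentation and covered by a system test with more than one page of results. `{{#if proxy_url }}` has a stray space before `}}` that none of the sibling templates carry; write `{{#if proxy_url}}`. `request.timeout: 2m` sits between the transforms and the pagination block, whereas the other streams keep it next to `request.method`; grouping the request settings together reads better.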
@@ -0,0 +1,132 @@
+---
+description: Pipeline for parsing Carbon Black Cloud Asset Vulnerability Summary.
+processors:
+- rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+- set:
+ field: ecs.version
+ value: '8.0.0'
+- json:
+ field: event.original
+ target_field: json
+- rename:
+ field: json.host_name
+ target_field: host.hostname
+ ignore_missing: true
+- convert:
+ field: json.device_id
+ type: string
+ target_field: host.id
+ ignore_missing: true
+- rename:
+ field: json.name
+ target_field: host.name
+ ignore_missing: true
+- rename:
+ field: json.os_info.os_name
+ target_field: host.os.name
+ ignore_missing: true
+- set:
+ field: host.os.type
+ value: windows
+ if: ctx?.json?.os_info.os_type == "WINDOWS"
+- set:
+ field: host.os.type
+ value: ubuntu
+ if: ctx?.json?.os_info.os_type == "UBUNTU"
+- set:
+ field: host.os.type
+ value: centos
+ if: ctx?.json?.os_info.os_type == "CENTOS"
+- remove :
+ field: json.os_info.os_type
+ ignore_missing: true
+- remove :
+ field: json.device_id
+ ignore_missing: true
+- rename:
+ field: json.os_info.os_version
+ target_field: host.os.version
+ ignore_missing: true
+- rename:
+ field: json.highest_risk_score
+ target_field: vulnerability.score.base
+ ignore_missing: true
+- rename:
+ field: json.severity
+ target_field: vulnerability.severity
+ ignore_missing: true
+- date:
+ field: json.last_sync_ts
+ formats:
+ - ISO8601
+ target_field: carbon_black_cloud.asset_vulnerability_summary.last_sync.timestamp
+- remove:
+ field: json.last_sync_ts
+ ignore_missing: true
+- rename:
+ field: json.sync_status
+ target_field: carbon_black_cloud.asset_vulnerability_summary.sync.status
+ ignore_missing: true
+- rename:
+ field: json.sync_type
+ target_field: carbon_black_cloud.asset_vulnerability_summary.sync.type
+ ignore_missing: true
+- rename:
+ field: json.type
+ target_field: carbon_black_cloud.asset_vulnerability_summary.type
+ ignore_missing: true
+- rename:
+ field: json.vm_id
+ target_field: 
carbon_black_cloud.asset_vulnerability_summary.vm.id
+ ignore_missing: true
+- rename:
+ field: json.vm_name
+ target_field: carbon_black_cloud.asset_vulnerability_summary.vm.name
+ ignore_missing: true
+- rename:
+ field: json.vuln_count
+ target_field: carbon_black_cloud.asset_vulnerability_summary.vuln_count
+ ignore_missing: true
+- append:
+ field: related.hosts
+ value: "{{{host.hostname}}}"
+ allow_duplicates: false
+- script:
+ description: Adds all the remaining fields in fields under carbon_black_cloud.asset_vulnerability_summary
+ lang: painless
+ if: ctx?.json != null
+ source: |
+ for (Map.Entry m : ctx.json.entrySet()) {
+ ctx.carbon_black_cloud.asset_vulnerability_summary[m.getKey()] = m.getValue();
+ }
+- remove:
+ field: json
+ ignore_missing: true
+- script:
+ description: Drops null/empty values recursively
+ lang: painless
+ source: |
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == "") {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return (((Map) object).size() == 0);
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return (((List) object).length == 0);
+ }
+ return false;
+ }
+ dropEmptyFields(ctx);
+- remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/asset_vulnerability_summary/fields/agent.yml b/packages/carbon_black_cloud/0.1.0/data_stream/asset_vulnerability_summary/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/data_stream/asset_vulnerability_summary/fields/agent.yml
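Review bot: The three `set` conditions for `host.os.type` use `ctx?.json?.os_info.os_type`, which is not null-safe on `os_info`: a document without that object throws a NullPointerException, the pipeline aborts into `on_failure`, and the event is indexed with only `error.message` instead of being mapped; the safe form is `ctx?.json?.os_info?.os_type`. Separately, ECS restricts `host.os.type` to `linux`, `macos`, `unix` and `windows` (this package's own ecs.yml quotes that list), so `ubuntu` and `centos` are invalid values; map both to `linux` and, if the distribution is wanted, carry it in `host.os.platform`, which the data stream's agent.yml already declares. `- remove :` (twice) has a space before the colon while every other processor is written `- remove:`. The `ctx.carbon_black_cloud.asset_vulnerability_summary[...]` assignment in the first script presumes that object already exists; it is created by the earlier `date`/`rename` processors, but since those are `ignore_missing`, a guard such as `if: ctx?.json != null && ctx?.carbon_black_cloud?.asset_vulnerability_summary != null` or an explicit initialisation would make the script robust — please confirm which behaviour is intended.
```yaml
# … unchanged: rename json.os_info.os_name -> host.os.name …
- set:
    field: host.os.type
    value: windows
    if: ctx?.json?.os_info?.os_type == "WINDOWS"
- set:
    field: host.os.type
    value: linux
    if: ctx?.json?.os_info?.os_type == "UBUNTU" || ctx?.json?.os_info?.os_type == "CENTOS"
- set:
    field: host.os.platform
    copy_from: json.os_info.os_type
    if: ctx?.json?.os_info?.os_type == "UBUNTU" || ctx?.json?.os_info?.os_type == "CENTOS"
- remove:
    field: json.os_info.os_type
    ignore_missing: true
# … unchanged: remaining renames, scripts and on_failure …
```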
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/asset_vulnerability_summary/fields/base-fields.yml b/packages/carbon_black_cloud/0.1.0/data_stream/asset_vulnerability_summary/fields/base-fields.yml new file mode 100755 index 0000000000..e6791517a6 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/data_stream/asset_vulnerability_summary/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module + value: carbon_black_cloud +- name: event.dataset + type: constant_keyword + description: Event dataset + value: carbon_black_cloud.asset_vulnerability_summary diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/asset_vulnerability_summary/fields/ecs.yml b/packages/carbon_black_cloud/0.1.0/data_stream/asset_vulnerability_summary/fields/ecs.yml new file mode 100755 index 0000000000..bae6099a14 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/data_stream/asset_vulnerability_summary/fields/ecs.yml 
@@ -0,0 +1,57 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: |- + Unique host id. + As hostname is not always unique, use values that are meaningful in your environment. + Example: The current usage of `beat.name`. + name: host.id + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: host.os.name + type: keyword +- description: |- + Use the `os.type` field to categorize the operating system into one of the broad commercial families. + One of these following values should be used (lowercase): linux, macos, unix, windows. + If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. 
+ name: host.os.type + type: keyword +- description: Operating system version as a raw string. + name: host.os.version + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) + name: vulnerability.score.base + type: float +- description: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) + name: vulnerability.severity + type: keyword diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/asset_vulnerability_summary/fields/fields.yml b/packages/carbon_black_cloud/0.1.0/data_stream/asset_vulnerability_summary/fields/fields.yml new file mode 100755 index 0000000000..a70b2974e8 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/data_stream/asset_vulnerability_summary/fields/fields.yml 
@@ -0,0 +1,39 @@
+- name: carbon_black_cloud.asset_vulnerability_summary
+ type: group
+ fields:
+ - name: os_info
+ type: group
+ fields:
+ - name: os_arch
+ type: keyword
+ description: The identifier is for the Operating system architecture.
+ - name: last_sync
+ type: group
+ fields:
+ - name: timestamp
+ type: date
+ description: The identifier is for the Last sync time.
+ - name: sync
+ type: group
+ fields:
+ - name: status
+ type: keyword
+ description: The identifier is for the Device sync status.
+ - name: type
+ type: keyword
+ description: The identifier is for the Whether a manual sync was triggered for the device, or if it was a scheduled sync.
+ - name: type
+ type: keyword
+ description: The identifier is for the Device type.
+ - name: vm
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: The identifier is for the Virtual Machine ID.
+ - name: name
+ type: keyword
+ description: The identifier is for the Virtual Machine name.
+ - name: vuln_count
+ type: integer
+ description: The identifier is for the Number of vulnerabilities at this level.
diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/asset_vulnerability_summary/manifest.yml b/packages/carbon_black_cloud/0.1.0/data_stream/asset_vulnerability_summary/manifest.yml
new file mode 100755
index 0000000000..b7bf78f84d
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/data_stream/asset_vulnerability_summary/manifest.yml
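Review bot: Every `description` here is prefixed with "The identifier is for the …", which reads as leftover template text and says nothing about the field; for example `description: Operating system architecture of the device.` for `os_arch`, `description: Time of the last vulnerability sync for the device.` for `last_sync.timestamp`, and `description: Number of vulnerabilities found on the device.` for `vuln_count`, and the `sync.type` one should become `description: Whether the sync was triggered manually or ran on schedule.`. The ingest pipeline's script copies every remaining JSON key under `carbon_black_cloud.asset_vulnerability_summary`, so any key the API returns that is not listed here (the sample event's original shows `cve_ids`, null in that example) would be indexed with a dynamic mapping; presumably it should either be declared here with a type or dropped in the pipeline.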
@@ -0,0 +1,42 @@ +title: Asset Vulnerability Summary +type: logs +streams: + - input: httpjson + title: Collect asset vulnerability summary from Carbon Black Cloud + description: Collect asset vulnerability summary from Carbon Black Cloud. + template_path: httpjson.yml.hbs + vars: + - name: interval + type: text + title: Interval + description: Interval to query asset vulnerability summary in Carbon Black Cloud. + multi: false + required: true + show_user: true + default: 1h + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - carbon_black_cloud-asset-vulnerability-summary + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/asset_vulnerability_summary/sample_event.json b/packages/carbon_black_cloud/0.1.0/data_stream/asset_vulnerability_summary/sample_event.json new file mode 100755 index 0000000000..054b5b4ed5 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/data_stream/asset_vulnerability_summary/sample_event.json 
@@ -0,0 +1,76 @@ +{ + "@timestamp": "2022-04-05T12:07:27.035Z", + "agent": { + "ephemeral_id": "90b0b6ec-10f9-41d4-94a5-b47c68f6b376", + "hostname": "docker-fleet-agent", + "id": "1465e432-24f3-456b-98ab-e79cdc8d86f6", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "carbon_black_cloud": { + "asset_vulnerability_summary": { + "last_sync": { + "timestamp": "2022-01-17T08:33:37.384Z" + }, + "os_info": { + "os_arch": "64-bit" + }, + "sync": { + "status": "COMPLETED", + "type": "SCHEDULED" + }, + "type": "ENDPOINT", + "vuln_count": 1770 + } + }, + "data_stream": { + "dataset": "carbon_black_cloud.asset_vulnerability_summary", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "1465e432-24f3-456b-98ab-e79cdc8d86f6", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-04-05T12:07:27.035Z", + "dataset": "carbon_black_cloud.asset_vulnerability_summary", + "ingested": "2022-04-05T12:07:27Z", + "original": "{\"cve_ids\":null,\"device_id\":8,\"highest_risk_score\":10,\"host_name\":\"DESKTOP-008\",\"last_sync_ts\":\"2022-01-17T08:33:37.384932Z\",\"name\":\"DESKTOP-008KK\",\"os_info\":{\"os_arch\":\"64-bit\",\"os_name\":\"Microsoft Windows 10 Education\",\"os_type\":\"WINDOWS\",\"os_version\":\"10.0.17763\"},\"severity\":\"CRITICAL\",\"sync_status\":\"COMPLETED\",\"sync_type\":\"SCHEDULED\",\"type\":\"ENDPOINT\",\"vm_id\":\"\",\"vm_name\":\"\",\"vuln_count\":1770}" + }, + "host": { + "hostname": "DESKTOP-008", + "id": "8", + "name": "DESKTOP-008KK", + "os": { + "name": "Microsoft Windows 10 Education", + "type": "windows", + "version": "10.0.17763" + } + }, + "input": { + "type": "httpjson" + }, + "related": { + "hosts": [ + "DESKTOP-008" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-asset-vulnerability-summary" + ], + "vulnerability": { + "score": { + "base": 10 + }, + "severity": 
"CRITICAL"
+ }
+}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/0.1.0/data_stream/audit/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..2693bd2bbb
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/data_stream/audit/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,32 @@
+config_version: 2
+interval: {{interval}}
+request.method: GET
+
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+
+request.url: {{hostname}}/integrationServices/v3/auditlogs
+request.transforms:
+ - set:
+ target: header.X-Auth-Token
+ value: {{api_secret_key}}/{{api_id}}
+response.split:
+ target: body.notifications
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/0.1.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..09c8373acb
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
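Review bot: This stream sets no `request.timeout`, unlike the other httpjson streams in the package which all set `request.timeout: 2m`; add the same line after `request.method: GET` so a slow audit-log endpoint is bounded consistently. The `X-Auth-Token` here is built from `api_secret_key`/`api_id`, whereas the other streams use `custom_api_secret_key`/`custom_api_id`; if, as the naming suggests, the audit-log endpoint requires a different Carbon Black key type than the alert and vulnerability endpoints, that distinction belongs in the corresponding variable descriptions so operators do not provision the wrong credential. The request keeps no cursor and has no pagination, so de-duplication presumably relies on the auditlogs endpoint returning only events not yet retrieved for this key; that assumption deserves a comment in the template, since it also means the key should not be shared with another consumer that would drain the same queue.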
@@ -0,0 +1,93 @@
+---
+description: Pipeline for parsing Carbon Black Cloud audit logs
+processors:
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ ignore_failure: true
+ - date:
+ field: json.eventTime
+ target_field: "@timestamp"
+ ignore_failure: true
+ formats:
+ - UNIX_MS
+ - set:
+ field: event.kind
+ value: event
+ - set:
+ field: event.outcome
+ value: success
+ - set:
+ field: event.outcome
+ value: failed
+ if: ctx?.json?.flagged == true
+ - rename:
+ field: json.description
+ target_field: event.reason
+ - rename:
+ field: json.clientIp
+ target_field: client.ip
+ ignore_missing: true
+ - rename:
+ field: json.loginName
+ target_field: client.user.id
+ ignore_missing: true
+ - rename:
+ field: json.eventId
+ target_field: event.id
+ ignore_missing: true
+ - rename:
+ field: json.orgName
+ target_field: organization.name
+ ignore_missing: true
+ - urldecode:
+ field: json.requestUrl
+ target_field: url.original
+ ignore_missing: true
+ - rename:
+ field: json.verbose
+ target_field: carbon_black_cloud.audit.verbose
+ ignore_missing: true
+ - rename:
+ field: json.flagged
+ target_field: carbon_black_cloud.audit.flagged
+ ignore_missing: true
+ - append:
+ field: related.ip
+ value: "{{{client.ip}}}"
+ allow_duplicates: false
+ - remove:
+ field: json
+ - script:
+ description: Drops null/empty values recursively
+ lang: painless
+ source: |
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == "") {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return (((Map) object).size() == 0);
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return (((List) object).length == 0);
+ }
+ return false;
+ }
+ dropEmptyFields(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{{_ingest.on_failure_message}}}"
diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/audit/fields/agent.yml b/packages/carbon_black_cloud/0.1.0/data_stream/audit/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/data_stream/audit/fields/agent.yml
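Review bot: `value: failed` for `event.outcome` is not an ECS-allowed value; ECS restricts `event.outcome` to `success`, `failure` and `unknown`, so detection rules and dashboards that filter on `event.outcome: failure` will miss flagged audit entries — use `value: failure`. Separately, the `rename` of `json.description` to `event.reason` is the only rename in this pipeline without `ignore_missing: true`; an audit record with no description fails that processor and short-circuits into `on_failure`, leaving the `json` object and `event.original` in the indexed document. Adding `ignore_missing: true` there brings it in line with the sibling processors. The `append` to `related.ip` also runs unconditionally and pushes an empty string when `client.ip` is absent; the trailing drop-empty script cleans that up, but an `if: ctx?.client?.ip != null` guard states the intent directly.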
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/audit/fields/base-fields.yml b/packages/carbon_black_cloud/0.1.0/data_stream/audit/fields/base-fields.yml new file mode 100755 index 0000000000..a14e71251a --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/data_stream/audit/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module. + value: carbon_black_cloud +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: carbon_black_cloud.audit diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/audit/fields/ecs.yml b/packages/carbon_black_cloud/0.1.0/data_stream/audit/fields/ecs.yml new file mode 100755 index 0000000000..b5cd2cc086 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/data_stream/audit/fields/ecs.yml 
@@ -0,0 +1,55 @@ +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Unique identifier of the user. + name: client.user.id + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Reason why this event happened, according to the source. + This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + name: event.reason + type: keyword +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: organization.name + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/audit/fields/fields.yml b/packages/carbon_black_cloud/0.1.0/data_stream/audit/fields/fields.yml new file mode 100755 index 0000000000..24af5d42b9 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/data_stream/audit/fields/fields.yml @@ -0,0 +1,9 @@ +- name: carbon_black_cloud.audit + type: group + fields: + - name: flagged + type: boolean + description: true if action is failed otherwise false. + - name: verbose + type: boolean + description: true if verbose audit log otherwise false. 
diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/audit/manifest.yml b/packages/carbon_black_cloud/0.1.0/data_stream/audit/manifest.yml
new file mode 100755
index 0000000000..929093a4ef
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/data_stream/audit/manifest.yml
@@ -0,0 +1,42 @@
+title: Audit
+type: logs
+streams:
+ - input: httpjson
+ title: Collect audit logs from Carbon Black Cloud
+ description: Collect audit logs from Carbon Black Cloud.
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval to fetch audit logs from Carbon Black Cloud.
+ multi: false
+ required: true
+ show_user: true
+ default: 1m
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - carbon_black_cloud-audit
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/audit/sample_event.json b/packages/carbon_black_cloud/0.1.0/data_stream/audit/sample_event.json
new file mode 100755
index 0000000000..5c1a9fe549
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/data_stream/audit/sample_event.json
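Review bot: The stream's `vars` declare only `interval`, `tags`, `preserve_original_event` and `processors`, while this stream's `httpjson.yml.hbs` consumes `hostname`, `api_id`, `api_secret_key`, `proxy_url` and `ssl`; unless those are defined as package-level variables in the top-level manifest (not in this chunk), they render empty and the stream sends every request with an `X-Auth-Token` of `/`. If they are package-level, a one-line comment above `vars:`, `# hostname, api_id, api_secret_key, proxy_url and ssl are package-level vars`, spares the next reader the search. Wherever the credential is declared, `api_secret_key` should be `type: password` rather than `type: text` so Fleet masks it in the policy UI and in exported policies.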
@@ -0,0 +1,62 @@ +{ + "@timestamp": "2022-02-10T16:04:30.263Z", + "agent": { + "ephemeral_id": "73949384-44ec-4f97-ad25-de968d945811", + "id": "926269e0-99fc-41d6-aee2-6eed3c276741", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "carbon_black_cloud": { + "audit": { + "flagged": false, + "verbose": false + } + }, + "client": { + "ip": "10.10.10.10", + "user": { + "id": "abc@demo.com" + } + }, + "data_stream": { + "dataset": "carbon_black_cloud.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "926269e0-99fc-41d6-aee2-6eed3c276741", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-03-14T03:11:56.654Z", + "dataset": "carbon_black_cloud.audit", + "id": "2122f8ce8xxxxxxxxxxxxx", + "ingested": "2022-03-14T03:12:00Z", + "kind": "event", + "original": "{\"clientIp\":\"10.10.10.10\",\"description\":\"Logged in successfully\",\"eventId\":\"2122f8ce8xxxxxxxxxxxxx\",\"eventTime\":1644509070263,\"flagged\":false,\"loginName\":\"abc@demo.com\",\"orgName\":\"cb-xxxx-xxxx.com\",\"requestUrl\":null,\"verbose\":false}", + "outcome": "success", + "reason": "Logged in successfully" + }, + "input": { + "type": "httpjson" + }, + "organization": { + "name": "cb-xxxx-xxxx.com" + }, + "related": { + "ip": [ + "10.10.10.10" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-audit" + ] +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/0.1.0/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs new file mode 100755 index 0000000000..e02c596614 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs 
@@ -0,0 +1,24 @@
+bucket_arn: {{bucket_arn}}
+number_of_workers: {{number_of_workers}}
+bucket_list_interval: {{interval}}
+access_key_id: {{access_key_id}}
+secret_access_key: {{secret_access_key}}
+bucket_list_prefix: {{bucket_list_prefix}}
+expand_event_list_from_field: Records
+{{#if proxy_url}}
+proxy_url: {{proxy_url}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/0.1.0/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..ace560f554
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,575 @@
+---
+description: Pipeline for parsing Carbon Black Cloud Endpoint Events.
+processors:
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ ignore_failure: true
+ - date:
+ field: json.create_time
+ target_field: "@timestamp"
+ ignore_failure: true
+ formats:
+ - ISO8601
+ - rename:
+ field: json.action
+ target_field: event.action
+ ignore_missing: true
+ - rename:
+ field: json.event_id
+ target_field: event.id
+ ignore_missing: true
+ - rename:
+ field: json.event_description
+ target_field: event.reason
+ ignore_missing: true
+ - rename:
+ field: json.filemod_name
+ target_field: file.path
+ ignore_missing: true
+ - rename:
+ field: json.modload_name
+ target_field: dll.path
+ ignore_missing: true
+ - set:
+ field: network.transport
+ value: udp
+ if: ctx?.json?.netconn_protocol == "PROTO_UDP"
+ - set:
+ field: network.transport
+ value: tcp
+ if: ctx?.json?.netconn_protocol == "PROTO_TCP"
+ - set:
+ field: network.direction
+ value: inbound
+ if: ctx?.json?.netconn_inbound == true
+ - set:
+ field: network.direction
+ value: outbound
+ if: ctx?.json?.netconn_inbound == false
+ - rename:
+ field: json.remote_port
+ target_field: source.port
+ ignore_missing: true
+ - rename:
+ field: json.remote_ip
+ target_field: source.ip
+ ignore_missing: true
+ - rename:
+ field: json.netconn_domain
+ target_field: source.address
+ ignore_missing: true
+ - rename:
+ field: json.local_port
+ target_field: client.port
+ ignore_missing: true
+ - rename:
+ field: json.local_ip
+ target_field: client.ip
+ ignore_missing: true
+ - convert:
+ field: json.device_id
+ target_field: host.id
+ type: string
+ ignore_missing: true
+ - set:
+ field: host.os.type
+ value: windows
+ if: ctx?.json?.device_os == "WINDOWS"
+ - set:
+ field: host.os.type
+ value: linux
+ if: ctx?.json?.device_os == "LINUX"
+ - set:
+ field: host.os.type
+ value: macos
+ if: ctx?.json?.device_os == "MAC"
+ - rename:
+ field: json.device_name
+ target_field: host.hostname
+ ignore_missing: true
+ - rename:
+ field: json.device_group
+ target_field: host.os.family
+ ignore_missing: true
+ - append:
+ field: host.ip
+ value: "{{{json.device_internal_ip}}}"
+ if: ctx?.json?.device_internal_ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: host.ip
+ value: "{{{json.device_external_ip}}}"
+ if: ctx?.json?.device_external_ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: json.device_group
+ target_field: host.os.family
+ ignore_missing: true
+ - rename:
+ field: json.process_cmdline
+ target_field: process.command_line
+ ignore_missing: true
+ - rename:
+ field: json.process_guid
+ target_field: process.entity_id
+ ignore_missing: true
+ - rename:
+ field: json.process_path
+ target_field: process.executable
+ ignore_missing: true
+ - rename:
+ field: json.process_pid
+ target_field: process.pid
+ ignore_missing: true
+ - rename:
+ field: json.parent_cmdline
+ target_field: process.parent.command_line
+ ignore_missing: true
+ - rename:
+ field: json.parent_guid
+ target_field: process.parent.entity_id
+ ignore_missing: true
+ - rename:
+ field: json.parent_path
+ target_field: process.parent.executable
+ ignore_missing: true
+ - rename:
+ field: json.parent_pid
+ target_field: process.parent.pid
+ ignore_missing: true
+ - rename:
+ field: json.regmod_name
+ target_field: registry.path
+ ignore_missing: true
+ - append:
+ field: related.ip
+ value:
+ - "{{{json.device_internal_ip}}}"
+ - "{{{json.device_external_ip}}}"
+ - "{{{json.netconn_proxy_ip}}}"
+ - "{{{source.ip}}}"
+ - "{{{client.ip}}}"
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value:
+ - "{{{json.process_username}}}"
+ - "{{{json.childproc_username}}}"
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{{host.hostname}}}"
+ allow_duplicates: false
+ - script:
+ description: Dynamically map MD5 and SHA256 hash
+ lang: painless
+ source: |
+ void mapHashField(def ctx, def hashes, def key) {
+ for (hash in hashes) {
+ if (hash.length() == 32) {ctx["json"][key + "_md5"] = hash;}
+ if (hash.length() == 64) {ctx["json"][key + "_sha256"] = hash;}
+ }
+ }
+ if (ctx.json?.process_hash instanceof List) {
+ mapHashField(ctx, ctx.json?.process_hash, "process_hash");
+ }
+ if (ctx.json?.parent_hash instanceof List) {
+ mapHashField(ctx, ctx.json?.parent_hash, "parent_hash");
+ }
+ if (ctx.json?.filemod_hash instanceof List) {
+ mapHashField(ctx, ctx.json?.filemod_hash, "filemod_hash");
+ }
+ if (ctx.json?.childproc_hash instanceof List) {
+ mapHashField(ctx, ctx.json?.childproc_hash, "childproc_hash");
+ }
+ if (ctx.json?.crossproc_hash instanceof List) {
+ mapHashField(ctx, ctx.json?.crossproc_hash, "crossproc_hash");
+ }
+ if (ctx.json?.scriptload_hash instanceof List) {
+ mapHashField(ctx, ctx.json?.scriptload_hash, "scriptload_hash");
+ }
+ - rename:
+ field: json.process_hash_md5
+ target_field: process.hash.md5
+ ignore_missing: true
+ - rename:
+ field: json.process_hash_sha256
+ target_field: process.hash.sha256
+ ignore_missing: true
+ - rename:
+ field: json.parent_hash_md5
+ target_field: process.parent.hash.md5
+ ignore_missing: true
+ - rename:
+ field: json.parent_hash_sha256
+ target_field: process.parent.hash.sha256
+ ignore_missing: true
+ - rename:
+ field: json.backend_timestamp
+ target_field: carbon_black_cloud.endpoint_event.backend.timestamp
+ ignore_missing: true
+ - rename:
+ field: json.device_timestamp
+ target_field: carbon_black_cloud.endpoint_event.device.timestamp
+ ignore_missing: true
+ - rename:
+ field: json.device_os
+ target_field: carbon_black_cloud.endpoint_event.device.os
+ ignore_missing: true
+ - rename:
+ field: json.childproc_name
+ target_field: carbon_black_cloud.endpoint_event.childproc.name
+ ignore_missing: true
+ - rename:
+ field: json.org_key
+ target_field: carbon_black_cloud.endpoint_event.organization_key
+ ignore_missing: true
+ - rename:
+ field: json.process_duration
+ target_field: carbon_black_cloud.endpoint_event.process.duration
+ ignore_missing: true
+ - foreach:
+ field: json.process_publisher
+ processor:
+ split:
+ field: _ingest._value.state
+ separator: " \\| "
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.process_publisher
+ target_field: carbon_black_cloud.endpoint_event.process.publisher
+ ignore_missing: true
+ - rename:
+ field: json.process_reputation
+ target_field: carbon_black_cloud.endpoint_event.process.reputation
+ ignore_missing: true
+ - rename:
+ field: json.process_terminated
+ target_field: carbon_black_cloud.endpoint_event.process.terminated
+ ignore_missing: true
+ - rename:
+ field: json.process_username
+ target_field: carbon_black_cloud.endpoint_event.process.username
+ ignore_missing: true
+ - rename:
+ field: json.parent_reputation
+ target_field: carbon_black_cloud.endpoint_event.process.parent.reputation
+ ignore_missing: true
+ - rename:
+ field: json.target_cmdline
+ target_field: carbon_black_cloud.endpoint_event.target_cmdline
+ ignore_missing: true
+ - rename:
+ field: json.type
+ target_field: carbon_black_cloud.endpoint_event.type
+ ignore_missing: true
+
+# Mapping for endpoint.event.crossproc event type
+
+ - rename:
+ field: json.crossproc_action
+ target_field: carbon_black_cloud.endpoint_event.crossproc.action
+ ignore_missing: true
+ - rename:
+ field: json.crossproc_api
+ target_field: carbon_black_cloud.endpoint_event.crossproc.api
+ ignore_missing: true
+ - rename:
+ field: json.crossproc_guid
+ target_field: carbon_black_cloud.endpoint_event.crossproc.guid
+ ignore_missing: true
+ - rename:
+ field: json.crossproc_name
+ target_field: carbon_black_cloud.endpoint_event.crossproc.name
+ ignore_missing: true
+ - rename:
+ field: json.crossproc_target
+ target_field: carbon_black_cloud.endpoint_event.crossproc.target
+ ignore_missing: true
+ - rename:
+ field: json.crossproc_reputation
+ target_field: carbon_black_cloud.endpoint_event.crossproc.reputation
+ ignore_missing: true
+ - foreach:
+ field: json.crossproc_publisher
+ processor:
+ split:
+ field: _ingest._value.state
+ separator: " \\| "
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.crossproc_publisher
+ target_field: carbon_black_cloud.endpoint_event.crossproc.publisher
+ ignore_missing: true
+ - rename:
+ field: json.crossproc_hash_md5
+ target_field: carbon_black_cloud.endpoint_event.crossproc.hash.md5
+ ignore_missing: true
+ - rename:
+ field: json.crossproc_hash_sha256
+ target_field: carbon_black_cloud.endpoint_event.crossproc.hash.sha256
+ ignore_missing: true
+
+# Mapping for endpoint.event.filemod event type
+
+ - rename:
+ field: json.filemod_hash_md5
+ target_field: file.hash.md5
+ ignore_missing: true
+ - rename:
+ field: json.filemod_hash_sha256
+ target_field: file.hash.sha256
+ ignore_missing: true
+
+# Mapping for endpoint.event.fileless_scriptload event type
+
+ - rename:
+ field: json.fileless_scriptload_cmdline
+ target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline
+ ignore_missing: true
+ - rename:
+ field: json.fileless_scriptload_cmdline_length
+ target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline_length
+ ignore_missing: true
+ - rename:
+ field: json.fileless_scriptload_hash_md5
+ target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.hash.md5
+ ignore_missing: true
+ - rename:
+ field: json.fileless_scriptload_hash_sha256
+ target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.hash.sha256
+ ignore_missing: true
+
+# Mapping for endpoint.event.moduleload event type
+
+ - rename:
+ field: json.modload_md5
+ target_field: dll.hash.md5
+ ignore_missing: true
+ - rename:
+ field: json.modload_sha256
+ target_field: dll.hash.sha256
+ ignore_missing: true
+ - rename:
+ field: json.modload_effective_reputation
+ target_field: carbon_black_cloud.endpoint_event.modload.effective_reputation
+ ignore_missing: true
+ - rename:
+ field: json.modload_count
+ target_field: carbon_black_cloud.endpoint_event.modload.count
+ ignore_missing: true
+ - foreach:
+ field: json.modload_publisher
+ processor:
+ split:
+ field: _ingest._value.state
+ separator: " \\| "
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.modload_publisher
+ target_field: carbon_black_cloud.endpoint_event.modload.publisher
+ ignore_missing: true
+
+# Mapping for endpoint.event.netconn_proxy event type
+
+ - rename:
+ field: json.netconn_proxy_domain
+ target_field: carbon_black_cloud.endpoint_event.netconn.proxy.domain
+ ignore_missing: true
+ - rename:
+ field: json.netconn_proxy_port
+ target_field: carbon_black_cloud.endpoint_event.netconn.proxy.port
+ ignore_missing: true
+ - rename:
+ field: json.netconn_proxy_ip
+ target_field: carbon_black_cloud.endpoint_event.netconn.proxy.ip
+ ignore_missing: true
+
+# Mapping for endpoint.event.procstart event type
+
+ - rename:
+ field: json.childproc_guid
+ target_field: carbon_black_cloud.endpoint_event.childproc.guid
+ ignore_missing: true
+ - rename:
+ field: json.childproc_name
+ target_field: carbon_black_cloud.endpoint_event.childproc.name
+ ignore_missing: true
+ - rename:
+ field: json.childproc_pid
+ target_field: carbon_black_cloud.endpoint_event.childproc.pid
+ ignore_missing: true
+ - foreach:
+ field: json.childproc_publisher
+ processor:
+ split:
+ field: _ingest._value.state
+ separator: " \\| "
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.childproc_publisher
+ target_field: carbon_black_cloud.endpoint_event.childproc.publisher
+ ignore_missing: true
+ - rename:
+ field: json.childproc_reputation
+ target_field: carbon_black_cloud.endpoint_event.childproc.reputation
+ ignore_missing: true
+ - rename:
+ field: json.childproc_username
+ target_field: carbon_black_cloud.endpoint_event.childproc.username
+ ignore_missing: true
+ - rename:
+ field: json.childproc_hash_md5
+ target_field: carbon_black_cloud.endpoint_event.childproc.hash.md5
+ ignore_missing: true
+ - rename:
+ field: json.childproc_hash_sha256
+ target_field: carbon_black_cloud.endpoint_event.childproc.hash.sha256
+ ignore_missing: true
+
+# Mapping for NGAV endpoint.event.scriptload event type
+
+ - rename:
+ field: json.scriptload_name
+ target_field: carbon_black_cloud.endpoint_event.scriptload.name
+ ignore_missing: true
+ - foreach:
+ field: json.scriptload_publisher
+ processor:
+ split:
+ field: _ingest._value.state
+ separator: " \\| "
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.scriptload_publisher
+ target_field: carbon_black_cloud.endpoint_event.scriptload.publisher
+ ignore_missing: true
+ - rename:
+ field: json.scriptload_count
+ target_field: carbon_black_cloud.endpoint_event.scriptload.count
+ ignore_missing: true
+ - rename:
+ field: json.scriptload_hash_md5
+ target_field: carbon_black_cloud.endpoint_event.scriptload.hash.md5
+ ignore_missing: true
+ - rename:
+ field: json.scriptload_hash_sha256
+ target_field: carbon_black_cloud.endpoint_event.scriptload.hash.sha256
+ ignore_missing: true
+ - rename:
+ field: json.scriptload_effective_reputation
+ target_field: carbon_black_cloud.endpoint_event.scriptload.effective_reputation
+ ignore_missing: true
+ - rename:
+ field: json.scriptload_reputation
+ target_field: carbon_black_cloud.endpoint_event.scriptload.reputation
+ ignore_missing: true
+ - rename:
+ field: json.device_internal_ip
+ target_field: carbon_black_cloud.endpoint_event.device.internal_ip
+ ignore_missing: true
+ - rename:
+ field: json.device_external_ip
+ target_field: carbon_black_cloud.endpoint_event.device.external_ip
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ - append:
+ field: related.hash
+ value:
+ - "{{{process.hash.md5}}}"
+ - "{{{process.hash.sha256}}}"
+ - "{{{process.parent.hash.md5}}}"
+ - "{{{process.parent.hash.sha256}}}"
+ - "{{{file.hash.md5}}}"
+ - "{{{file.hash.sha256}}}"
+ - "{{{dll.hash.md5}}}"
+ - "{{{dll.hash.sha256}}}"
+ - "{{{carbon_black_cloud.endpoint_event.childproc.hash.md5}}}"
+ - "{{{carbon_black_cloud.endpoint_event.childproc.hash.sha256}}}"
+ - "{{{carbon_black_cloud.endpoint_event.crossproc.hash.md5}}}"
+ - "{{{carbon_black_cloud.endpoint_event.crossproc.hash.sha256}}}"
+ - "{{{carbon_black_cloud.endpoint_event.fileless_scriptload.hash.md5}}}"
+ - "{{{carbon_black_cloud.endpoint_event.fileless_scriptload.hash.sha256}}}"
+ - "{{{carbon_black_cloud.endpoint_event.scriptload.hash.md5}}}"
+ - "{{{carbon_black_cloud.endpoint_event.scriptload.hash.sha256}}}"
+ allow_duplicates: false
+ - script:
+ description: Adds all the remaining fields in fields under carbon_black_cloud.endpoint_event
+ lang: painless
+ if: ctx?.json != null
+ source: |
+ for (Map.Entry m : ctx.json.entrySet()) {
+ ctx.carbon_black_cloud.endpoint_event[m.getKey()] = m.getValue();
+ }
+ - remove:
+ field:
+ - json
+ - carbon_black_cloud.endpoint_event.create_time
+ - carbon_black_cloud.endpoint_event.device_id
+ - carbon_black_cloud.endpoint_event.process_hash
+ - carbon_black_cloud.endpoint_event.parent_hash
+ - carbon_black_cloud.endpoint_event.crossproc_hash
+ - carbon_black_cloud.endpoint_event.filemod_hash
+ - carbon_black_cloud.endpoint_event.childproc_hash
+ - carbon_black_cloud.endpoint_event.modload_hash
+ - carbon_black_cloud.endpoint_event.scriptload_hash
+ - carbon_black_cloud.endpoint_event.netconn_inbound
+ - carbon_black_cloud.endpoint_event.netconn_protocol
+ ignore_missing: true
+ - script:
+ description: Drops null/empty values recursively
+ lang: painless
+ source: |
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == "") {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return (((Map) object).size() == 0);
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return (((List) object).length == 0);
+ }
+ return false;
+ }
+ dropEmptyFields(ctx);
+ - script:
+ description: Remove duplicate values
+ lang: painless
+ source: |
+ if (ctx?.related?.user != null) {
+ ctx.related.user = new HashSet(ctx.related.user)
+ }
+ if (ctx?.related?.hash != null) {
+ ctx.related.hash = new HashSet(ctx.related.hash)
+ }
+ if (ctx?.related?.ip != null) {
+ ctx.related.ip = new HashSet(ctx.related.ip)
+ }
+on_failure:
+ - set:
+ field: error.message
+ value: "{{{_ingest.on_failure_message}}}"
diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/endpoint_event/fields/agent.yml b/packages/carbon_black_cloud/0.1.0/data_stream/endpoint_event/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/data_stream/endpoint_event/fields/agent.yml
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/endpoint_event/fields/base-fields.yml b/packages/carbon_black_cloud/0.1.0/data_stream/endpoint_event/fields/base-fields.yml
new file mode 100755
index 0000000000..9b3253d2db
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/data_stream/endpoint_event/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: carbon_black_cloud
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: carbon_black_cloud.endpoint_event
diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/endpoint_event/fields/ecs.yml b/packages/carbon_black_cloud/0.1.0/data_stream/endpoint_event/fields/ecs.yml
new file mode 100755
index 0000000000..79da70b595
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/data_stream/endpoint_event/fields/ecs.yml
@@ -0,0 +1,183 @@ +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Port of the client. + name: client.port + type: long +- description: MD5 hash. + name: dll.hash.md5 + type: keyword +- description: SHA256 hash. + name: dll.hash.sha256 + type: keyword +- description: Full file path of the library. + name: dll.path + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + Reason why this event happened, according to the source. + This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. 
`blocked site`). + name: event.reason + type: keyword +- description: MD5 hash. + name: file.hash.md5 + type: keyword +- description: SHA256 hash. + name: file.hash.sha256 + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: |- + Unique host id. + As hostname is not always unique, use values that are meaningful in your environment. + Example: The current usage of `beat.name`. + name: host.id + type: keyword +- description: Host ip addresses. + name: host.ip + type: ip +- description: OS family (such as redhat, debian, freebsd, windows). + name: host.os.family + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: host.os.name + type: keyword +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. 
+ name: network.direction + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.command_line + type: wildcard +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: MD5 hash. + name: process.hash.md5 + type: keyword +- description: SHA256 hash. + name: process.hash.sha256 + type: keyword +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.parent.command_line + type: wildcard +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. 
+ Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.parent.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.parent.executable + type: keyword +- description: MD5 hash. + name: process.parent.hash.md5 + type: keyword +- description: SHA256 hash. + name: process.parent.hash.sha256 + type: keyword +- description: Process id. + name: process.parent.pid + type: long +- description: Process id. + name: process.pid + type: long +- description: Full path, including hive, key and value + name: registry.path + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long +- description: List of keywords used to tag each event. + name: tags + type: keyword 
diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/endpoint_event/fields/fields.yml b/packages/carbon_black_cloud/0.1.0/data_stream/endpoint_event/fields/fields.yml
new file mode 100755
index 0000000000..199988ffb6
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/data_stream/endpoint_event/fields/fields.yml
@@ -0,0 +1,239 @@
+- name: carbon_black_cloud.endpoint_event
+ type: group
+ fields:
+ - name: alert_id
+ type: keyword
+ description: The ID of the Alert this event is associated with.
+ - name: backend
+ type: group
+ fields:
+ - name: timestamp
+ type: keyword
+ description: Time when the backend received the batch of events.
+ - name: childproc
+ type: group
+ fields:
+ - name: guid
+ type: keyword
+ description: Unique ID of the child process.
+ - name: hash
+ type: group
+ fields:
+ - name: md5
+ type: keyword
+ description: Cryptographic MD5 hashes of the executable file backing the child process.
+ - name: sha256
+ type: keyword
+ description: Cryptographic SHA256 hashes of the executable file backing the child process.
+ - name: name
+ type: keyword
+ description: Full path to the target of the crossproc event on the device's local file system.
+ - name: pid
+ type: long
+ description: OS-reported Process ID of the child process.
+ - name: publisher
+ type: group
+ description: Signature entry for the childproc as reported by the endpoint.
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the publisher.
+ - name: state
+ type: keyword
+ description: The state of the publisher.
+ - name: reputation
+ type: keyword
+ description: Carbon Black Cloud Reputation string for the childproc.
+ - name: username
+ type: keyword
+ description: The username associated with the user context that the child process was started under.
+ - name: crossproc
+ type: group
+ fields:
+ - name: action
+ type: keyword
+ description: The action taken on cross-process.
+ - name: api
+ type: keyword
+ description: Name of the operating system API called by the actor process.
+ - name: guid
+ type: keyword
+ description: Unique ID of the cross process.
+ - name: hash
+ type: group
+ fields:
+ - name: md5
+ type: keyword
+ description: Cryptographic MD5 hashes of the target of the crossproc event.
+ - name: sha256
+ type: keyword
+ description: Cryptographic SHA256 hashes of the target of the crossproc event.
+ - name: name
+ type: keyword
+ description: Full path to the target of the crossproc event on the device's local file system.
+ - name: publisher
+ type: group
+ description: Signature entry for the crossproc as reported by the endpoint.
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the publisher.
+ - name: state
+ type: keyword
+ description: The state of the publisher.
+ - name: reputation
+ type: keyword
+ description: Carbon Black Cloud Reputation string for the crossproc.
+ - name: target
+ type: boolean
+ description: True if the process was the target of the cross-process event; false if the process was the actor.
+ - name: device
+ type: group
+ fields:
+ - name: os
+ type: keyword
+ description: Os name.
+ - name: timestamp
+ type: keyword
+ description: Time seen on sensor.
+ - name: internal_ip
+ type: ip
+ description: Internal IP of the device.
+ - name: external_ip
+ type: ip
+ description: External IP of the device.
+ - name: event_origin
+ type: keyword
+ description: Indicates which product the event came from. "EDR" indicates the event originated from Enterprise EDR. "NGAV" indicates the event originated from Endpoint Standard.
+ - name: fileless_scriptload
+ type: group
+ fields:
+ - name: cmdline
+ type: keyword
+ description: Deobfuscated script content run in a fileless context by the process.
+ - name: cmdline_length
+ type: keyword
+ description: Character count of the deobfuscated script content run in a fileless context.
+ - name: hash
+ type: group
+ fields:
+ - name: md5
+ type: keyword
+ description: MD5 hash of the deobfuscated script content run by the process in a fileless context.
+ - name: sha256
+ type: keyword
+ description: SHA-256 hash of the deobfuscated script content run by the process in a fileless context.
+ - name: modload
+ type: group
+ fields:
+ - name: count
+ type: long
+ description: Count of modload events reported by the sensor since last initialization.
+ - name: effective_reputation
+ type: keyword
+ description: Effective reputation(s) of the loaded module(s); applied by the sensor when the event occurred.
+ - name: publisher
+ type: group
+ description: Signature entry for the moduleload as reported by the endpoint.
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the publisher.
+ - name: state
+ type: keyword
+ description: The state of the publisher.
+ - name: netconn
+ type: group
+ fields:
+ - name: proxy
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: DNS name associated with the "proxy" end of this network connection; may be empty if the name cannot be inferred or the connection is made direct to/from a proxy IP address.
+ - name: ip
+ type: keyword
+ description: IPv4 or IPv6 address in string format associated with the "proxy" end of this network connection.
+ - name: port
+ type: keyword
+ description: UDP/TCP port number associated with the "proxy" end of this network connection.
+ - name: organization_key
+ type: keyword
+ description: The organization key associated with the console instance.
+ - name: process
+ type: group
+ fields:
+ - name: duration
+ type: long
+ description: The time difference in seconds between the process start and process terminate event.
+ - name: parent
+ type: group
+ fields:
+ - name: reputation
+ type: keyword
+ description: Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud.
+ - name: publisher
+ type: group
+ description: Signature entry for the process as reported by the endpoint.
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the publisher.
+ - name: state
+ type: keyword
+ description: The state of the publisher.
+ - name: reputation
+ type: keyword
+ description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud.
+ - name: terminated
+ type: boolean
+ description: True if process was terminated elase false.
+ - name: username
+ type: keyword
+ description: The username associated with the user context that this process was started under.
+ - name: schema
+ type: long
+ description: The schema version. The current schema version is "1". This schema version will only be incremented if the field definitions are changed in a backwards-incompatible way.
+ - name: scriptload
+ type: group
+ fields:
+ - name: count
+ type: long
+ description: Count of scriptload events across all processes reported by the sensor since last initialization.
+ - name: effective_reputation
+ type: keyword
+ description: Effective reputation(s) of the script file(s) loaded at process launch; applied by the sensor when the event occurred.
+ - name: hash
+ type: group
+ fields:
+ - name: md5
+ type: keyword
+ description: Cryptographic MD5 hashes of the target of the scriptload event.
+ - name: sha256
+ type: keyword
+ description: Cryptographic SHA256 hashes of the target of the scriptload event.
+ - name: name
+ type: keyword
+ description: Full path to the target of the crossproc event on the device's local file system.
+ - name: publisher
+ type: group
+ description: Signature entry for the scriptload as reported by the endpoint.
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the publisher.
+ - name: state
+ type: keyword
+ description: The state of the publisher.
+ - name: reputation
+ type: keyword
+ description: Carbon Black Cloud Reputation string for the scriptload.
+ - name: sensor_action
+ type: keyword
+ description: The sensor action taken on event.
+ - name: target_cmdline
+ type: keyword
+ description: Process command line associated with the target process.
+ - name: type
+ type: keyword
+ description: The event type.
diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/endpoint_event/manifest.yml b/packages/carbon_black_cloud/0.1.0/data_stream/endpoint_event/manifest.yml
new file mode 100755
index 0000000000..0f52e82022
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/data_stream/endpoint_event/manifest.yml
@@ -0,0 +1,48 @@
+title: Endpoint Event
+type: logs
+streams:
+ - input: aws-s3
+ title: Collect endpoint events from Carbon Black Cloud
+ description: Collect endpoint events from Carbon Black Cloud.
+ template_path: aws-s3.yml.hbs
+ vars:
+ - name: bucket_list_prefix
+ type: text
+ title: Bucket Prefix
+ description: Prefix to apply for the list request to the S3 bucket.
+ multi: false
+ required: true
+ show_user: true
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval to fetch endpoint events from AWS S3 bucket.
+ multi: false
+ required: true
+ show_user: true
+ default: 1m
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - carbon_black_cloud-endpoint-event
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
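Review bot: Two descriptions in fields.yml are copy-pasted from the crossproc group: `childproc.name` and `scriptload.name` both read "Full path to the target of the crossproc event on the device's local file system." although one is the child process path and the other the loaded script path, and `process.terminated` has a typo, for which `description: True if the process was terminated, else false.` would do. `fileless_scriptload.cmdline_length` is a character count but is mapped as `keyword`; `type: long` is the natural mapping and allows range queries, and the same applies to `netconn.proxy.port`. `backend.timestamp` and `device.timestamp` are also `keyword`, so they cannot be sorted or range-filtered as dates; if that is wanted they need `type: date` here plus a date processor in the pipeline, since the sensor format shown in the sample event (`2022-02-10 11:51:35.0684097 +0000 UTC`) is not ISO8601.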
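Review bot: The stream `vars` here declare only `bucket_list_prefix`, `interval`, `tags`, `preserve_original_event` and `processors`, while the template this manifest points to (`template_path: aws-s3.yml.hbs`; the identically named watchlist_hit copy is visible further down) also renders `bucket_arn`, `number_of_workers`, `access_key_id`, `secret_access_key` and `proxy_url`. Presumably those are package-level variables in the top-level manifest, which is outside this chunk, but it is worth confirming each one is defined there, since an undefined Handlebars variable renders as an empty value without any error. The `interval` description could also say what syntax is expected, e.g. `description: Interval between S3 bucket listings, as a duration such as 1m or 5m.`, because the value is passed straight through as the input's `bucket_list_interval`.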
diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/endpoint_event/sample_event.json b/packages/carbon_black_cloud/0.1.0/data_stream/endpoint_event/sample_event.json
new file mode 100755
index 0000000000..958377158a
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/data_stream/endpoint_event/sample_event.json
@@ -0,0 +1,96 @@ +{ + "process": { + "parent": { + "pid": 1684, + "entity_id": "XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62", + "command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\GuestAgent\\WindowsAzureGuestAgent.exe", + "executable": "c:\\windowsazure\\guestagent_2.7.41491.1010_2021-05-11_233023\\guestagent\\windowsazureguestagent.exe", + "hash": { + "sha256": "44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5", + "md5": "03dd698da2671383c9b4f868c9931879" + } + }, + "pid": 4880, + "entity_id": "XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37", + "command_line": "\"route.exe\" print", + "executable": "c:\\windows\\system32\\route.exe", + "hash": { + "sha256": "9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6", + "md5": "2498272dc48446891182747428d02a30" + } + }, + "ecs": { + "version": "8.0.0" + }, + "carbon_black_cloud": { + "endpoint_event": { + "schema": 1, + "event_origin": "EDR", + "process": { + "duration": 2, + "parent": { + "reputation": "REP_RESOLVING" + }, + "publisher": [ + { + "name": "Microsoft Windows", + "state": [ + "FILE_SIGNATURE_STATE_SIGNED", + "FILE_SIGNATURE_STATE_VERIFIED", + "FILE_SIGNATURE_STATE_TRUSTED", + "FILE_SIGNATURE_STATE_OS", + "FILE_SIGNATURE_STATE_CATALOG_SIGNED" + ] + } + ], + "reputation": "REP_RESOLVING", + "terminated": true, + "username": "NT AUTHORITY\\SYSTEM" + }, + "organization_key": "XXXXXXXX", + "backend": { + "timestamp": "2022-02-10 11:52:50 +0000 UTC" + }, + "target_cmdline": "\"route.exe\" print", + "type": "endpoint.event.procend", + "device": { + "os": "WINDOWS", + "timestamp": "2022-02-10 11:51:35.0684097 +0000 UTC", + "external_ip": "67.43.156.12" + }, + "sensor_action": "ACTION_ALLOW" + } + }, + "host": { + "hostname": "client-cb2", + "id": "4034605", + "os": { + "type": "windows" + }, + "ip": [ + "67.43.156.13" + ] + }, + "event": { + "action": "ACTION_PROCESS_TERMINATE", + "orignal": 
"{\"type\":\"endpoint.event.procend\",\"process_guid\":\"XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37\",\"parent_guid\":\"XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62\",\"backend_timestamp\":\"2022-02-10 11:52:50 +0000 UTC\",\"org_key\":\"XXXXXXXX\",\"device_id\":\"4034605\",\"device_name\":\"client-cb2\",\"device_external_ip\":\"67.43.156.13\",\"device_os\":\"WINDOWS\",\"device_group\":\"\",\"action\":\"ACTION_PROCESS_TERMINATE\",\"schema\":1,\"device_timestamp\":\"2022-02-10 11:51:35.0684097 +0000 UTC\",\"process_terminated\":true,\"process_duration\":2,\"process_reputation\":\"REP_RESOLVING\",\"parent_reputation\":\"REP_RESOLVING\",\"process_pid\":4880,\"parent_pid\":1684,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_path\":\"c:\\\\windows\\\\system32\\\\route.exe\",\"parent_path\":\"c:\\\\windowsazure\\\\guestagent_2.7.41491.1010_2021-05-11_233023\\\\guestagent\\\\windowsazureguestagent.exe\",\"process_hash\":[\"2498272dc48446891182747428d02a30\",\"9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6\"],\"parent_hash\":[\"03dd698da2671383c9b4f868c9931879\",\"44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5\"],\"process_cmdline\":\"\\\"route.exe\\\" print\",\"parent_cmdline\":\"C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\\\GuestAgent\\\\WindowsAzureGuestAgent.exe\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"sensor_action\":\"ACTION_ALLOW\",\"event_origin\":\"EDR\",\"target_cmdline\":\"\\\"route.exe\\\" print\"}" + }, + "data_stream": { + "dataset": "carbon_black_cloud.endpoint_event", + "namespace": "ep", + "type": "logs" + }, + "elastic_agent": { + "id": "3b20ea47-9610-412d-97e3-47cd19b7e4d5", + "snapshot": true, + "version": "8.0.0" + }, + "input": { + "type": "aws-s3" + }, + "tags": [ + 
"preserve_original_event",
+ "forwarded",
+ "carbon_black_cloud-endpoint-event"
+ ]
+}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/0.1.0/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs
new file mode 100755
index 0000000000..e02c596614
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs
@@ -0,0 +1,24 @@
+bucket_arn: {{bucket_arn}}
+number_of_workers: {{number_of_workers}}
+bucket_list_interval: {{interval}}
+access_key_id: {{access_key_id}}
+secret_access_key: {{secret_access_key}}
+bucket_list_prefix: {{bucket_list_prefix}}
+expand_event_list_from_field: Records
+{{#if proxy_url}}
+proxy_url: {{proxy_url}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/0.1.0/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..34cfd2b869
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,281 @@
+---
+description: Pipeline for parsing Carbon Black Cloud watchlist hit.
+processors:
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ - set:
+ field: event.kind
+ value: event
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ ignore_failure: true
+ - date:
+ field: json.create_time
+ target_field: "@timestamp"
+ ignore_failure: true
+ formats:
+ - ISO8601
+ - rename:
+ field: json.severity
+ target_field: event.severity
+ ignore_missing: true
+ - convert:
+ field: json.device_id
+ target_field: host.id
+ type: string
+ ignore_missing: true
+ - set:
+ field: host.os.type
+ value: windows
+ if: ctx?.json?.device_os == "WINDOWS"
+ - set:
+ field: host.os.type
+ value: linux
+ if: ctx?.json?.device_os == "LINUX"
+ - set:
+ field: host.os.type
+ value: macos
+ if: ctx?.json?.device_os == "MAC"
+ - rename:
+ field: json.device_os_version
+ target_field: host.os.version
+ ignore_missing: true
+ - rename:
+ field: json.device_name
+ target_field: host.hostname
+ ignore_missing: true
+ - append:
+ field: host.ip
+ value: "{{{json.device_internal_ip}}}"
+ if: ctx?.json?.device_internal_ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: host.ip
+ value: "{{{json.device_external_ip}}}"
+ if: ctx?.json?.device_external_ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: json.process_cmdline
+ target_field: process.command_line
+ ignore_missing: true
+ - rename:
+ field: json.process_guid
+ target_field: process.entity_id
+ ignore_missing: true
+ - rename:
+ field: json.process_path
+ target_field: process.executable
+ ignore_missing: true
+ - rename:
+ field: json.process_pid
+ target_field: process.pid
+ ignore_missing: true
+ - rename:
+ field: json.parent_cmdline
+ target_field: process.parent.command_line
+ ignore_missing: true
+ - rename:
+ field: json.parent_guid
+ target_field: process.parent.entity_id
+
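Review bot: The sample event stores the raw record under `event.orignal` rather than `event.original`, even though `tags` carries `preserve_original_event`; this looks like a misspelled `target_field` in the endpoint_event pipeline's rename of `message` (that part of the pipeline is outside this chunk), and its effect is that the raw JSON is dynamically mapped and indexed instead of landing in the `event.original` field that ecs.yml declares with `index: false` and `doc_values: false`. The sample also carries `host.os.type`, which neither ecs.yml nor agent.yml in this change declares, so it should be added to ecs.yml (`name: host.os.type`, `type: keyword`, with the ECS description) in the same description-first layout as the other entries. The sample's `device.external_ip` (`67.43.156.12`) also disagrees with `device_external_ip` inside the embedded raw JSON (`67.43.156.13`), which suggests the file was hand-edited after generation; once the pipeline and field files are fixed it should be regenerated with the package test tooling rather than edited by hand.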
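Review bot: `access_key_id` and `secret_access_key` are rendered unconditionally, so when a user leaves the key pair empty to rely on the agent's default AWS credential chain the rendered policy still contains `access_key_id:` and `secret_access_key:` with null values, whereas `proxy_url` a few lines below is correctly wrapped in `{{#if}}`. If the aws-s3 input treats a null key like an absent one this is harmless, but the template should not depend on that; guard the two credential values the same way `proxy_url` is guarded. The same template blob is presumably reused by the other data streams in this package, so the change would apply there as well.
```yaml
bucket_list_interval: {{interval}}
{{#if access_key_id}}
access_key_id: {{access_key_id}}
{{/if}}
{{#if secret_access_key}}
secret_access_key: {{secret_access_key}}
{{/if}}
# … unchanged: bucket_list_prefix, expand_event_list_from_field, proxy_url, tags, processors …
```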
ignore_missing: true + - rename: + field: json.parent_path + target_field: process.parent.executable + ignore_missing: true + - rename: + field: json.parent_pid + target_field: process.parent.pid + ignore_missing: true + - append: + field: related.ip + value: + - "{{{json.device_internal_ip}}}" + - "{{{json.device_external_ip}}}" + allow_duplicates: false + - append: + field: related.user + value: + - "{{{json.parent_username}}}" + - "{{{json.process_username}}}" + allow_duplicates: false + - append: + field: related.hosts + value: "{{{host.hostname}}}" + allow_duplicates: false + - script: + description: Dynamically map MD5 and SHA256 hash + lang: painless + source: | + void mapHashField(def ctx, def hashes, def key) { + for (hash in hashes) { + if (hash.length() == 32) {ctx["json"][key + "_md5"] = hash;} + if (hash.length() == 64) {ctx["json"][key + "_sha256"] = hash;} + } + } + if (ctx.json?.process_hash instanceof List) { + mapHashField(ctx, ctx.json?.process_hash, "process_hash"); + } + if (ctx.json?.parent_hash instanceof List) { + mapHashField(ctx, ctx.json?.parent_hash, "parent_hash"); + } + - rename: + field: json.process_hash_md5 + target_field: process.hash.md5 + ignore_missing: true + - rename: + field: json.process_hash_sha256 + target_field: process.hash.sha256 + ignore_missing: true + - rename: + field: json.parent_hash_md5 + target_field: process.parent.hash.md5 + ignore_missing: true + - rename: + field: json.parent_hash_sha256 + target_field: process.parent.hash.sha256 + ignore_missing: true + - append: + field: related.hash + value: + - "{{{process.hash.md5}}}" + - "{{{process.hash.sha256}}}" + - "{{{process.parent.hash.md5}}}" + - "{{{process.parent.hash.sha256}}}" + allow_duplicates: false + - rename: + field: json.device_os + target_field: carbon_black_cloud.watchlist_hit.device.os + ignore_missing: true + - rename: + field: json.device_internal_ip + target_field: carbon_black_cloud.watchlist_hit.device.internal_ip + ignore_missing: true + - 
rename: + field: json.device_external_ip + target_field: carbon_black_cloud.watchlist_hit.device.external_ip + ignore_missing: true + - rename: + field: json.ioc_hit + target_field: carbon_black_cloud.watchlist_hit.ioc.hit + ignore_missing: true + - rename: + field: json.ioc_id + target_field: carbon_black_cloud.watchlist_hit.ioc.id + ignore_missing: true + - rename: + field: json.org_key + target_field: carbon_black_cloud.watchlist_hit.organization_key + ignore_missing: true + - foreach: + field: json.parent_publisher + processor: + split: + field: _ingest._value.state + separator: " \\| " + ignore_missing: true + ignore_missing: true + ignore_failure: true + - rename: + field: json.parent_publisher + target_field: carbon_black_cloud.watchlist_hit.process.parent.publisher + ignore_missing: true + - rename: + field: json.parent_reputation + target_field: carbon_black_cloud.watchlist_hit.process.parent.reputation + ignore_missing: true + - rename: + field: json.parent_username + target_field: carbon_black_cloud.watchlist_hit.process.parent.username + ignore_missing: true + - foreach: + field: json.process_publisher + processor: + split: + field: _ingest._value.state + separator: " \\| " + ignore_missing: true + ignore_missing: true + ignore_failure: true + - rename: + field: json.process_publisher + target_field: carbon_black_cloud.watchlist_hit.process.publisher + ignore_missing: true + - rename: + field: json.process_reputation + target_field: carbon_black_cloud.watchlist_hit.process.reputation + ignore_missing: true + - rename: + field: json.process_username + target_field: carbon_black_cloud.watchlist_hit.process.username + ignore_missing: true + - rename: + field: json.report_id + target_field: carbon_black_cloud.watchlist_hit.report.id + ignore_missing: true + - rename: + field: json.report_name + target_field: carbon_black_cloud.watchlist_hit.report.name + ignore_missing: true + - rename: + field: json.report_tags + target_field: 
carbon_black_cloud.watchlist_hit.report.tags + ignore_missing: true + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + - script: + description: Adds all the remaining fields in fields under carbon_black_cloud.watchlist_hit + lang: painless + if: ctx?.json != null + source: | + for (Map.Entry m : ctx.json.entrySet()) { + ctx.carbon_black_cloud.watchlist_hit[m.getKey()] = m.getValue(); + } + - remove: + field: + - json + - carbon_black_cloud.watchlist_hit.create_time + - carbon_black_cloud.watchlist_hit.device_id + - carbon_black_cloud.watchlist_hit.process_hash + - carbon_black_cloud.watchlist_hit.parent_hash + ignore_missing: true + - script: + description: Remove duplicate values + lang: painless + source: | + if (ctx?.related?.user != null) { + ctx.related.user = new HashSet(ctx.related.user) + } + if (ctx?.related?.hash != null) { + ctx.related.hash = new HashSet(ctx.related.hash) + } +on_failure: + - set: + field: error.message + value: "{{{_ingest.on_failure_message}}}" diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/watchlist_hit/fields/agent.yml b/packages/carbon_black_cloud/0.1.0/data_stream/watchlist_hit/fields/agent.yml new file mode 100755 index 0000000000..e313ec8287 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/data_stream/watchlist_hit/fields/agent.yml 
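Review bot: The `json` processor near the top of the pipeline runs with `ignore_failure: true`, so a message that is not valid JSON is never reported: `json` stays unset, every later `date`/`rename` step is skipped through `ignore_failure`/`ignore_missing`, and the document is indexed with little more than `event.kind`, `ecs.version` and `tags` (and without `event.original` unless `preserve_original_event` is set), leaving no `error.message` to monitor for. Removing the `ignore_failure: true` line from that processor lets the pipeline-level `on_failure` handler at the bottom record the parse error in `error.message` exactly as it does for every other failure. Relatedly, the catch-all script `ctx.carbon_black_cloud.watchlist_hit[m.getKey()] = m.getValue();` assumes an earlier `rename` already created `carbon_black_cloud.watchlist_hit`; on an input carrying none of the renamed keys it throws and lands in `on_failure`, which may be acceptable but deserves a comment such as `# relies on at least one rename above having created carbon_black_cloud.watchlist_hit`. Since a watchlist hit is a detection, `event.kind: alert` arguably fits ECS better than `event.kind: event`, though that is a judgement call for the package owners.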
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/watchlist_hit/fields/base-fields.yml b/packages/carbon_black_cloud/0.1.0/data_stream/watchlist_hit/fields/base-fields.yml new file mode 100755 index 0000000000..89df536282 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/data_stream/watchlist_hit/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module. + value: carbon_black_cloud +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: carbon_black_cloud.watchlist_hit diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/watchlist_hit/fields/ecs.yml b/packages/carbon_black_cloud/0.1.0/data_stream/watchlist_hit/fields/ecs.yml new file mode 100755 index 0000000000..ef721dde49 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/data_stream/watchlist_hit/fields/ecs.yml 
@@ -0,0 +1,117 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). 
If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: |- + Unique host id. + As hostname is not always unique, use values that are meaningful in your environment. + Example: The current usage of `beat.name`. + name: host.id + type: keyword +- description: Host ip addresses. + name: host.ip + type: ip +- description: |- + Use the `os.type` field to categorize the operating system into one of the broad commercial families. + One of these following values should be used (lowercase): linux, macos, unix, windows. + If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + name: host.os.type + type: keyword +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.command_line + type: wildcard +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: MD5 hash. 
+ name: process.hash.md5 + type: keyword +- description: SHA256 hash. + name: process.hash.sha256 + type: keyword +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.parent.command_line + type: wildcard +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.parent.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.parent.executable + type: keyword +- description: MD5 hash. + name: process.parent.hash.md5 + type: keyword +- description: SHA256 hash. + name: process.parent.hash.sha256 + type: keyword +- description: Process id. + name: process.parent.pid + type: long +- description: Process id. + name: process.pid + type: long +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. 
+ name: related.user + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/watchlist_hit/fields/fields.yml b/packages/carbon_black_cloud/0.1.0/data_stream/watchlist_hit/fields/fields.yml new file mode 100755 index 0000000000..25cb25005e --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/data_stream/watchlist_hit/fields/fields.yml 
@@ -0,0 +1,89 @@
+- name: carbon_black_cloud.watchlist_hit
+ type: group
+ fields:
+ - name: device
+ type: group
+ fields:
+ - name: os
+ type: keyword
+ description: OS Type of device (Windows/OSX/Linux).
+ - name: internal_ip
+ type: ip
+ description: Internal IP of the device.
+ - name: external_ip
+ type: ip
+ description: External IP of the device.
+ - name: ioc
+ type: group
+ fields:
+ - name: field
+ type: keyword
+ description: Field the IOC hit contains.
+ - name: hit
+ type: keyword
+ description: IOC field value, or IOC query that matches.
+ - name: id
+ type: keyword
+ description: ID of the IOC that caused the hit.
+ - name: organization_key
+ type: keyword
+ description: The organization key associated with the console instance.
+ - name: process
+ type: group
+ fields:
+ - name: parent
+ type: group
+ fields:
+ - name: publisher
+ type: group
+ description: signature entry for the process as reported by the endpoint.
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the publisher.
+ - name: state
+ type: keyword
+ description: The state of the publisher.
+ - name: reputation
+ type: keyword
+ description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud.
+ - name: username
+ type: keyword
+ description: The username associated with the user context that this process was started under.
+ - name: publisher
+ type: group
+ description: signature entry for the process as reported by the endpoint.
+ - name: reputation
+ type: keyword
+ description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud.
+ - name: username
+ type: keyword
+ description: The username associated with the user context that this process was started under.
+ - name: report
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: ID of the watchlist report(s) that detected a hit on the process.
+ - name: name
+ type: keyword
+ description: Name of the watchlist report(s) that detected a hit on the process.
+ - name: tags
+ type: keyword
+ description: List of tags associated with the report(s) that detected a hit on the process.
+ - name: schema
+ type: long
+ description: Schema version.
+ - name: type
+ type: keyword
+ description: The watchlist hit type.
+ - name: watchlists
+ type: group
+ description: List of watchlists that contain the report of the ioc hit.
+ fields:
+ - name: id
+ type: keyword
+ description: The ID of the watchlists.
+ - name: name
+ type: keyword
+ description: The name of the watchlists.
diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/watchlist_hit/manifest.yml b/packages/carbon_black_cloud/0.1.0/data_stream/watchlist_hit/manifest.yml
new file mode 100755
index 0000000000..7782458210
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/data_stream/watchlist_hit/manifest.yml
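Review bot: The `process.publisher` group (the entry directly after `process.parent.username`) carries only `type: group` and a description but no `fields:`, unlike `process.parent.publisher`, so `carbon_black_cloud.watchlist_hit.process.publisher.name` and `.state`, which the ingest pipeline fills through its catch-all script and the sample event in this commit shows populated, end up without an explicit mapping or documentation entry. Giving that group the same `name`/`state` keyword subfields as the parent publisher keeps the two mappings consistent and makes both values queryable as keywords.
```yaml
    - name: publisher
      type: group
      description: signature entry for the process as reported by the endpoint.
      fields:
        - name: name
          type: keyword
          description: The name of the publisher.
        - name: state
          type: keyword
          description: The state of the publisher.
```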
@@ -0,0 +1,48 @@
+title: Watchlist Hit
+type: logs
+streams:
+ - input: aws-s3
+ title: Collect watchlist hit from Carbon Black Cloud
+ description: Collect watchlist hit from Carbon Black Cloud.
+ template_path: aws-s3.yml.hbs
+ vars:
+ - name: bucket_list_prefix
+ type: text
+ title: Bucket Prefix
+ description: Prefix to apply for the list request to the S3 bucket.
+ multi: false
+ required: true
+ show_user: true
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval to fetch watchlist hit from AWS S3 bucket.
+ multi: false
+ required: true
+ show_user: true
+ default: 1m
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - carbon_black_cloud-watchlist-hit
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/carbon_black_cloud/0.1.0/data_stream/watchlist_hit/sample_event.json b/packages/carbon_black_cloud/0.1.0/data_stream/watchlist_hit/sample_event.json
new file mode 100755
index 0000000000..0a5e6c32fb
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/data_stream/watchlist_hit/sample_event.json
@@ -0,0 +1,130 @@ +{ + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-watchlist-hit" + ], + "input": { + "type": "aws-s3" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "carbon_black_cloud.watchlist_hit" + }, + "agent": { + "id": "e0d5f508-9616-400f-b26b-bb1aa6638b80", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "process": { + "parent": { + "pid": 4076, + "entity_id": "7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1", + "command_line": "C:\\WINDOWS\\system32\\cmd.exe /c \"sc query aella_conf | findstr RUNNING \u003e null\"", + "executable": "c:\\windows\\syswow64\\cmd.exe", + "hash": { + "sha256": "4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22", + "md5": "d0fce3afa6aa1d58ce9fa336cc2b675b" + } + }, + "pid": 7516, + "entity_id": "7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6", + "command_line": "sc query aella_conf ", + "executable": "c:\\windows\\syswow64\\sc.exe", + "hash": { + "sha256": "4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2", + "md5": "d9d7684b8431a0d10d0e76fe9f5ffec8" + } + }, + "carbon_black_cloud": { + "watchlist_hit": { + "schema": 1, + "process": { + "parent": { + "publisher": [ + { + "name": "Microsoft Windows", + "state": [ + "FILE_SIGNATURE_STATE_SIGNED", + "FILE_SIGNATURE_STATE_VERIFIED", + "FILE_SIGNATURE_STATE_TRUSTED", + "FILE_SIGNATURE_STATE_OS", + "FILE_SIGNATURE_STATE_CATALOG_SIGNED" + ] + } + ], + "reputation": "REP_WHITE", + "username": "NT AUTHORITY\\SYSTEM" + }, + "publisher": [ + { + "name": "Microsoft Windows", + "state": [ + "FILE_SIGNATURE_STATE_SIGNED", + "FILE_SIGNATURE_STATE_VERIFIED", + "FILE_SIGNATURE_STATE_TRUSTED", + "FILE_SIGNATURE_STATE_OS", + "FILE_SIGNATURE_STATE_CATALOG_SIGNED" + ] + } + ], + "reputation": "REP_WHITE", + "username": "NT AUTHORITY\\SYSTEM" + }, + "organization_key": "xxxxxxxx", + "report": { + "name": "Discovery - System Service Discovery Detected", + 
"id": "CFnKBKLTv6hUkBGFobRdg-565571", + "tags": [ + "attack", + "attackframework", + "threathunting", + "hunting", + "t1007", + "recon", + "discovery", + "windows" + ] + }, + "watchlists": [ + { + "name": "ATT\u0026CK Framework", + "id": "P5f9AW29TGmTOvBW156Cig" + } + ], + "type": "watchlist.hit", + "ioc": { + "hit": "((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true", + "id": "565571-0" + }, + "device": { + "internal_ip": "10.10.156.12", + "external_ip": "67.43.156.12", + "os": "WINDOWS" + } + } + }, + "host": { + "hostname": "Carbonblack-win1", + "os": { + "type": "windows" + }, + "ip": [ + "10.10.156.12", + "67.43.156.12" + ], + "id": "4467271" + }, + "event": { + "kind": "event", + "severity": 3, + "agent_id_status": "verified", + "ingested": "2022-02-17T07:23:31Z", + "original": "{\"schema\":1,\"create_time\":\"2022-02-10T23:54:32.449Z\",\"device_external_ip\":\"205.234.30.196\",\"device_id\":4467271,\"device_internal_ip\":\"10.33.4.214\",\"device_name\":\"Carbonblack-win1\",\"device_os\":\"WINDOWS\",\"ioc_hit\":\"((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true\",\"ioc_id\":\"565571-0\",\"org_key\":\"7DESJ9GN\",\"parent_cmdline\":\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \\\"sc query aella_conf | findstr RUNNING \\u003e null\\\"\",\"parent_guid\":\"7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1\",\"parent_hash\":[\"d0fce3afa6aa1d58ce9fa336cc2b675b\",\"4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22\"],\"parent_path\":\"c:\\\\windows\\\\syswow64\\\\cmd.exe\",\"parent_pid\":4076,\"parent_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"parent_reputation\":\"REP_WHITE\",\"parent_username\":\"NT AUTHORITY\\\\SYSTEM\",\"process_cmdline\":\"sc query aella_conf 
\",\"process_guid\":\"7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6\",\"process_hash\":[\"d9d7684b8431a0d10d0e76fe9f5ffec8\",\"4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2\"],\"process_path\":\"c:\\\\windows\\\\syswow64\\\\sc.exe\",\"process_pid\":7516,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_reputation\":\"REP_WHITE\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"report_id\":\"CFnKBKLTv6hUkBGFobRdg-565571\",\"report_name\":\"Discovery - System Service Discovery Detected\",\"report_tags\":[\"attack\",\"attackframework\",\"threathunting\",\"hunting\",\"t1007\",\"recon\",\"discovery\",\"windows\"],\"severity\":3,\"type\":\"watchlist.hit\",\"watchlists\":[{\"id\":\"P5f9AW29TGmTOvBW156Cig\",\"name\":\"ATT\\u0026CK Framework\"}]}", + "dataset": "carbon_black_cloud.watchlist_hit" + } +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/docs/README.md b/packages/carbon_black_cloud/0.1.0/docs/README.md new file mode 100755 index 0000000000..da9e5a67df --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/docs/README.md 
@@ -0,0 +1,1037 @@
+# Carbon Black Cloud
+
+The Carbon Black Cloud integration collects and parses data from the Carbon Black Cloud REST APIs and AWS S3 bucket.
+
+## Compatibility
+
+This module has been tested against `Alerts API(v6)`, `Audit Log Events (v3)` and `Vulnerability Assessment (v1)`.
+
+## Requirements
+
+### In order to ingest data from the AWS S3 bucket you must:
+1. Configure the [Data Forwarder](https://docs.vmware.com/en/VMware-Carbon-Black-Cloud/services/carbon-black-cloud-user-guide/GUID-F68F63DD-2271-4088-82C9-71D675CD0535.html) to ingest data into an AWS S3 bucket.
+2. Create an [AWS Access Keys and Secret Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
+
+
+### In order to ingest data from the APIs you must generate API keys and API Secret Keys:
+1. In Carbon Black Cloud, On the left navigation pane, click **Settings > API Access**.
+2. Click Add API Key.
+3. Give the API key a unique name and description.
+ - Select the appropriate access level type. Please check required Access Levels & Permissions for integration in below table.
+ **Note:** To use a custom access level, select Custom from the Access Level type drop-down menu and specify the Custom Access Level.
+ - Optional: Add authorized IP addresses.
+ - You can restrict the use of an API key to a specific set of IP addresses for security reasons.
+ **Note:** Authorized IP addresses are not available with Custom keys.
+4. To apply the changes, click Save.
+
+#### Access Levels & Permissions
+- The following tables indicate which type of API Key access level is required. If the type is Custom then the permission that is required will also be included. 
+ +| Data stream | Access Level and Permissions | +| --------------------------- | ------------------------------------------ | +| Audit | API | +| Alert | Custom orgs.alerts (Read) | +| Asset Vulnerability Summary | Custom vulnerabilityAssessment.data (Read) | + + +## Note + +- The alert data stream has a 15-minute delay to ensure that no occurrences are missed. + +## Logs + +### Audit + +This is the `audit` dataset. + +An example event for `audit` looks as following: + +```json +{ + "@timestamp": "2022-02-10T16:04:30.263Z", + "agent": { + "ephemeral_id": "73949384-44ec-4f97-ad25-de968d945811", + "id": "926269e0-99fc-41d6-aee2-6eed3c276741", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "carbon_black_cloud": { + "audit": { + "flagged": false, + "verbose": false + } + }, + "client": { + "ip": "10.10.10.10", + "user": { + "id": "abc@demo.com" + } + }, + "data_stream": { + "dataset": "carbon_black_cloud.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "926269e0-99fc-41d6-aee2-6eed3c276741", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-03-14T03:11:56.654Z", + "dataset": "carbon_black_cloud.audit", + "id": "2122f8ce8xxxxxxxxxxxxx", + "ingested": "2022-03-14T03:12:00Z", + "kind": "event", + "original": "{\"clientIp\":\"10.10.10.10\",\"description\":\"Logged in successfully\",\"eventId\":\"2122f8ce8xxxxxxxxxxxxx\",\"eventTime\":1644509070263,\"flagged\":false,\"loginName\":\"abc@demo.com\",\"orgName\":\"cb-xxxx-xxxx.com\",\"requestUrl\":null,\"verbose\":false}", + "outcome": "success", + "reason": "Logged in successfully" + }, + "input": { + "type": "httpjson" + }, + "organization": { + "name": "cb-xxxx-xxxx.com" + }, + "related": { + "ip": [ + "10.10.10.10" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-audit" + ] +} +``` + +**Exported fields** + +| Field | 
Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| carbon_black_cloud.audit.flagged | true if action is failed otherwise false. | boolean | +| carbon_black_cloud.audit.verbose | true if verbose audit log otherwise false. | boolean | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.user.id | Unique identifier of the user. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.dataset | Event dataset. 
| constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| host.architecture | Operating system architecture. 
| keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| organization.name | Organization name. | keyword | +| organization.name.text | Multi-field of `organization.name`. | match_only_text | +| related.ip | All of the IPs seen on your event. 
| ip | +| tags | List of keywords used to tag each event. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | + + +### Alert + +This is the `alert` dataset. + +An example event for `alert` looks as following: + +```json +{ + "@timestamp": "2020-11-17T22:05:13.000Z", + "agent": { + "ephemeral_id": "3102b667-53be-4efc-b035-9d72bef2853f", + "hostname": "docker-fleet-agent", + "id": "1465e432-24f3-456b-98ab-e79cdc8d86f6", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "carbon_black_cloud": { + "alert": { + "category": "warning", + "device": { + "external_ip": "81.2.69.143", + "internal_ip": "81.2.69.144", + "location": "UNKNOWN", + "os": "WINDOWS" + }, + "last_update_time": "2020-11-17T22:05:13Z", + "legacy_alert_id": "C8EB7306-AF26-4A9A-B677-814B3AF69720", + "organization_key": "ABCD6X3T", + "policy": { + "applied": "APPLIED", + "id": 6997287, + "name": "Standard" + }, + "product_id": "0x5406", + "product_name": "U3 Cruzer Micro", + "reason_code": "6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC", + "run_state": "DID_NOT_RUN", + "sensor_action": "DENY", + "serial_number": "0875920EF7C2A304", + "target_value": "MEDIUM", + "threat_cause": { + "cause_event_id": "FCEE2AF0-D832-4C9F-B988-F11B46028C9E", + "threat_category": "NON_MALWARE", + "vector": "REMOVABLE_MEDIA" + }, + "threat_id": "t5678", + "type": "DEVICE_CONTROL", + "vendor_id": "0x0781", + "vendor_name": "SanDisk", + "workflow": { + "changed_by": "Carbon Black", + "last_update_time": "2020-11-17T22:02:16Z", + "state": "OPEN" + } + } + }, + "data_stream": { + "dataset": "carbon_black_cloud.alert", + "namespace": "ep", + 
"type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "1465e432-24f3-456b-98ab-e79cdc8d86f6", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-04-05T10:25:54.372Z", + "dataset": "carbon_black_cloud.alert", + "end": "2020-11-17T22:02:16Z", + "id": "test1", + "ingested": "2022-04-05T10:25:57Z", + "kind": "alert", + "original": "{\"alert_url\":\"https://defense-eap01.conferdeploy.net/alerts?orgId=1889976\",\"category\":\"WARNING\",\"create_time\":\"2020-11-17T22:05:13Z\",\"device_external_ip\":\"81.2.69.143\",\"device_id\":2,\"device_internal_ip\":\"81.2.69.144\",\"device_location\":\"UNKNOWN\",\"device_name\":\"DESKTOP-002\",\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_username\":\"test34@demo.com\",\"first_event_time\":\"2020-11-17T22:02:16Z\",\"id\":\"test1\",\"last_event_time\":\"2020-11-17T22:02:16Z\",\"last_update_time\":\"2020-11-17T22:05:13Z\",\"legacy_alert_id\":\"C8EB7306-AF26-4A9A-B677-814B3AF69720\",\"org_key\":\"ABCD6X3T\",\"policy_applied\":\"APPLIED\",\"policy_id\":6997287,\"policy_name\":\"Standard\",\"product_id\":\"0x5406\",\"product_name\":\"U3 Cruzer Micro\",\"reason\":\"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). 
A Deny Policy Action was applied.\",\"reason_code\":\"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC\",\"run_state\":\"DID_NOT_RUN\",\"sensor_action\":\"DENY\",\"serial_number\":\"0875920EF7C2A304\",\"severity\":3,\"target_value\":\"MEDIUM\",\"threat_cause_cause_event_id\":\"FCEE2AF0-D832-4C9F-B988-F11B46028C9E\",\"threat_cause_threat_category\":\"NON_MALWARE\",\"threat_cause_vector\":\"REMOVABLE_MEDIA\",\"threat_id\":\"t5678\",\"type\":\"DEVICE_CONTROL\",\"vendor_id\":\"0x0781\",\"vendor_name\":\"SanDisk\",\"workflow\":{\"changed_by\":\"Carbon Black\",\"comment\":\"\",\"last_update_time\":\"2020-11-17T22:02:16Z\",\"remediation\":\"\",\"state\":\"OPEN\"}}", + "reason": "Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.", + "severity": 3, + "start": "2020-11-17T22:02:16Z", + "url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1889976" + }, + "host": { + "hostname": "DESKTOP-002", + "id": "2", + "ip": [ + "81.2.69.144", + "81.2.69.143" + ], + "os": { + "type": "windows", + "version": "Windows 10 x64" + } + }, + "input": { + "type": "httpjson" + }, + "related": { + "hosts": [ + "DESKTOP-002" + ], + "ip": [ + "81.2.69.144", + "81.2.69.143" + ], + "user": [ + "test34@demo.com" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-alert" + ], + "user": { + "name": "test34@demo.com" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| carbon_black_cloud.alert.blocked_threat_category | The category of threat which we were able to take action on. | keyword | +| carbon_black_cloud.alert.category | The category of the alert. | keyword | +| carbon_black_cloud.alert.count | | long | +| carbon_black_cloud.alert.created_by_event_id | Event identifier that initiated the alert. | keyword | +| carbon_black_cloud.alert.device.external_ip | External IP of the device. 
| ip | +| carbon_black_cloud.alert.device.internal_ip | Internal IP of the device. | ip | +| carbon_black_cloud.alert.device.location | The Location of device. | keyword | +| carbon_black_cloud.alert.device.os | OS of the device. | keyword | +| carbon_black_cloud.alert.document_guid | Unique ID of document. | keyword | +| carbon_black_cloud.alert.ioc.field | The field the indicator of comprise (IOC) hit contains. | keyword | +| carbon_black_cloud.alert.ioc.hit | IOC field value or IOC query that matches. | keyword | +| carbon_black_cloud.alert.ioc.id | The identifier of the IOC that cause the hit. | keyword | +| carbon_black_cloud.alert.kill_chain_status | The stage within the Cyber Kill Chain sequence most closely associated with the attributes of the alert. | keyword | +| carbon_black_cloud.alert.last_update_time | The last time the alert was updated as an ISO 8601 UTC timestamp. | date | +| carbon_black_cloud.alert.legacy_alert_id | The legacy identifier for the alert. | keyword | +| carbon_black_cloud.alert.not_blocked_threat_category | Other potentially malicious activity involved in the threat that we weren't able to take action on (either due to policy config, or not having a relevant rule). | keyword | +| carbon_black_cloud.alert.notes_present | Indicates if notes are associated with the threat_id. | boolean | +| carbon_black_cloud.alert.organization_key | The unique identifier for the organization associated with the alert. | keyword | +| carbon_black_cloud.alert.policy.applied | Whether a policy was applied. | keyword | +| carbon_black_cloud.alert.policy.id | The identifier for the policy associated with the device at the time of the alert. | long | +| carbon_black_cloud.alert.policy.name | The name of the policy associated with the device at the time of the alert. | keyword | +| carbon_black_cloud.alert.product_id | The hexadecimal id of the USB device's product. | keyword | +| carbon_black_cloud.alert.product_name | The name of the USB device’s vendor. 
| keyword | +| carbon_black_cloud.alert.reason_code | Shorthand enum for the full-text reason. | keyword | +| carbon_black_cloud.alert.report.id | The identifier of the report that contains the IOC. | keyword | +| carbon_black_cloud.alert.report.name | The name of the report that contains the IOC. | keyword | +| carbon_black_cloud.alert.run_state | Whether the threat in the alert ran. | keyword | +| carbon_black_cloud.alert.sensor_action | The action taken by the sensor, according to the rule of the policy. | keyword | +| carbon_black_cloud.alert.serial_number | The serial number of the USB device. | keyword | +| carbon_black_cloud.alert.status | status of alert. | keyword | +| carbon_black_cloud.alert.tags | Tags associated with the alert. | keyword | +| carbon_black_cloud.alert.target_value | The priority of the device assigned by the policy. | keyword | +| carbon_black_cloud.alert.threat_activity.c2 | Whether the alert involved a command and control (c2) server. | keyword | +| carbon_black_cloud.alert.threat_activity.dlp | Whether the alert involved data loss prevention (DLP). | keyword | +| carbon_black_cloud.alert.threat_activity.phish | Whether the alert involved phishing. | keyword | +| carbon_black_cloud.alert.threat_cause.actor.md5 | MD5 of the threat cause actor. | keyword | +| carbon_black_cloud.alert.threat_cause.actor.name | The name can be one of the following: process commandline, process name, or analytic matched threat. Analytic matched threats are Exploit, Malware, PUP, or Trojan. | keyword | +| carbon_black_cloud.alert.threat_cause.actor.process_pid | Process identifier (PID) of the actor process. | keyword | +| carbon_black_cloud.alert.threat_cause.actor.sha256 | SHA256 of the threat cause actor. | keyword | +| carbon_black_cloud.alert.threat_cause.cause_event_id | ID of the Event that triggered the threat. | keyword | +| carbon_black_cloud.alert.threat_cause.process.guid | The global unique identifier of the process. 
| keyword | +| carbon_black_cloud.alert.threat_cause.process.parent.guid | The global unique identifier of the process. | keyword | +| carbon_black_cloud.alert.threat_cause.reputation | Reputation of the threat cause. | keyword | +| carbon_black_cloud.alert.threat_cause.threat_category | Category of the threat cause. | keyword | +| carbon_black_cloud.alert.threat_cause.vector | The source of the threat cause. | keyword | +| carbon_black_cloud.alert.threat_id | The identifier of a threat which this alert belongs. Threats are comprised of a combination of factors that can be repeated across devices. | keyword | +| carbon_black_cloud.alert.threat_indicators.process_name | Process name associated with threat. | keyword | +| carbon_black_cloud.alert.threat_indicators.sha256 | Sha256 associated with threat. | keyword | +| carbon_black_cloud.alert.threat_indicators.ttps | Tactics, techniques and procedures associated with threat. | keyword | +| carbon_black_cloud.alert.type | Type of alert. | keyword | +| carbon_black_cloud.alert.vendor_id | The hexadecimal id of the USB device's vendor. | keyword | +| carbon_black_cloud.alert.vendor_name | The name of the USB device’s vendor. | keyword | +| carbon_black_cloud.alert.watchlists.id | The identifier of watchlist. | keyword | +| carbon_black_cloud.alert.watchlists.name | The name of the watchlist. | keyword | +| carbon_black_cloud.alert.workflow.changed_by | The name of user who changed the workflow. | keyword | +| carbon_black_cloud.alert.workflow.comment | Comment associated with workflow. | keyword | +| carbon_black_cloud.alert.workflow.last_update_time | The last update time of workflow. | date | +| carbon_black_cloud.alert.workflow.remediation | N/A | keyword | +| carbon_black_cloud.alert.workflow.state | The state of workflow. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.dataset | Event dataset. | constant_keyword | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.id | Unique ID to describe the event. | keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. 
| date | +| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. 
If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| user.name | Short name or login of the user. 
| keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | + + +### Endpoint Event + +This is the `endpoint_event` dataset. + +An example event for `endpoint_event` looks as following: + +```json +{ + "process": { + "parent": { + "pid": 1684, + "entity_id": "XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62", + "command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\GuestAgent\\WindowsAzureGuestAgent.exe", + "executable": "c:\\windowsazure\\guestagent_2.7.41491.1010_2021-05-11_233023\\guestagent\\windowsazureguestagent.exe", + "hash": { + "sha256": "44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5", + "md5": "03dd698da2671383c9b4f868c9931879" + } + }, + "pid": 4880, + "entity_id": "XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37", + "command_line": "\"route.exe\" print", + "executable": "c:\\windows\\system32\\route.exe", + "hash": { + "sha256": "9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6", + "md5": "2498272dc48446891182747428d02a30" + } + }, + "ecs": { + "version": "8.0.0" + }, + "carbon_black_cloud": { + "endpoint_event": { + "schema": 1, + "event_origin": "EDR", + "process": { + "duration": 2, + "parent": { + "reputation": "REP_RESOLVING" + }, + "publisher": [ + { + "name": "Microsoft Windows", + "state": [ + "FILE_SIGNATURE_STATE_SIGNED", + "FILE_SIGNATURE_STATE_VERIFIED", + "FILE_SIGNATURE_STATE_TRUSTED", + "FILE_SIGNATURE_STATE_OS", + "FILE_SIGNATURE_STATE_CATALOG_SIGNED" + ] + } + ], + "reputation": "REP_RESOLVING", + "terminated": true, + "username": "NT AUTHORITY\\SYSTEM" + }, + "organization_key": "XXXXXXXX", + "backend": { + "timestamp": "2022-02-10 11:52:50 +0000 UTC" + }, + "target_cmdline": "\"route.exe\" print", + "type": "endpoint.event.procend", + "device": { + "os": "WINDOWS", + "timestamp": "2022-02-10 11:51:35.0684097 +0000 UTC", + "external_ip": "67.43.156.12" + }, + "sensor_action": "ACTION_ALLOW" + } + }, + "host": { + "hostname": "client-cb2", + "id": 
"4034605", + "os": { + "type": "windows" + }, + "ip": [ + "67.43.156.13" + ] + }, + "event": { + "action": "ACTION_PROCESS_TERMINATE", + "orignal": "{\"type\":\"endpoint.event.procend\",\"process_guid\":\"XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37\",\"parent_guid\":\"XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62\",\"backend_timestamp\":\"2022-02-10 11:52:50 +0000 UTC\",\"org_key\":\"XXXXXXXX\",\"device_id\":\"4034605\",\"device_name\":\"client-cb2\",\"device_external_ip\":\"67.43.156.13\",\"device_os\":\"WINDOWS\",\"device_group\":\"\",\"action\":\"ACTION_PROCESS_TERMINATE\",\"schema\":1,\"device_timestamp\":\"2022-02-10 11:51:35.0684097 +0000 UTC\",\"process_terminated\":true,\"process_duration\":2,\"process_reputation\":\"REP_RESOLVING\",\"parent_reputation\":\"REP_RESOLVING\",\"process_pid\":4880,\"parent_pid\":1684,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_path\":\"c:\\\\windows\\\\system32\\\\route.exe\",\"parent_path\":\"c:\\\\windowsazure\\\\guestagent_2.7.41491.1010_2021-05-11_233023\\\\guestagent\\\\windowsazureguestagent.exe\",\"process_hash\":[\"2498272dc48446891182747428d02a30\",\"9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6\"],\"parent_hash\":[\"03dd698da2671383c9b4f868c9931879\",\"44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5\"],\"process_cmdline\":\"\\\"route.exe\\\" print\",\"parent_cmdline\":\"C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\\\GuestAgent\\\\WindowsAzureGuestAgent.exe\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"sensor_action\":\"ACTION_ALLOW\",\"event_origin\":\"EDR\",\"target_cmdline\":\"\\\"route.exe\\\" print\"}" + }, + "data_stream": { + "dataset": "carbon_black_cloud.endpoint_event", + "namespace": "ep", + "type": "logs" + }, + "elastic_agent": { + "id": 
"3b20ea47-9610-412d-97e3-47cd19b7e4d5",
+ "snapshot": true,
+ "version": "8.0.0"
+ },
+ "input": {
+ "type": "aws-s3"
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "carbon_black_cloud-endpoint-event"
+ ]
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| carbon_black_cloud.endpoint_event.alert_id | The ID of the Alert this event is associated with. | keyword |
+| carbon_black_cloud.endpoint_event.backend.timestamp | Time when the backend received the batch of events. | keyword |
+| carbon_black_cloud.endpoint_event.childproc.guid | Unique ID of the child process. | keyword |
+| carbon_black_cloud.endpoint_event.childproc.hash.md5 | Cryptographic MD5 hashes of the executable file backing the child process. | keyword |
+| carbon_black_cloud.endpoint_event.childproc.hash.sha256 | Cryptographic SHA256 hashes of the executable file backing the child process. | keyword |
+| carbon_black_cloud.endpoint_event.childproc.name | Full path to the target of the crossproc event on the device's local file system. | keyword |
+| carbon_black_cloud.endpoint_event.childproc.pid | OS-reported Process ID of the child process. | long |
+| carbon_black_cloud.endpoint_event.childproc.publisher.name | The name of the publisher. | keyword |
+| carbon_black_cloud.endpoint_event.childproc.publisher.state | The state of the publisher. | keyword |
+| carbon_black_cloud.endpoint_event.childproc.reputation | Carbon Black Cloud Reputation string for the childproc. | keyword |
+| carbon_black_cloud.endpoint_event.childproc.username | The username associated with the user context that the child process was started under. | keyword |
+| carbon_black_cloud.endpoint_event.crossproc.action | The action taken on cross-process. | keyword |
+| carbon_black_cloud.endpoint_event.crossproc.api | Name of the operating system API called by the actor process. 
| keyword |
+| carbon_black_cloud.endpoint_event.crossproc.guid | Unique ID of the cross process. | keyword |
+| carbon_black_cloud.endpoint_event.crossproc.hash.md5 | Cryptographic MD5 hashes of the target of the crossproc event. | keyword |
+| carbon_black_cloud.endpoint_event.crossproc.hash.sha256 | Cryptographic SHA256 hashes of the target of the crossproc event. | keyword |
+| carbon_black_cloud.endpoint_event.crossproc.name | Full path to the target of the crossproc event on the device's local file system. | keyword |
+| carbon_black_cloud.endpoint_event.crossproc.publisher.name | The name of the publisher. | keyword |
+| carbon_black_cloud.endpoint_event.crossproc.publisher.state | The state of the publisher. | keyword |
+| carbon_black_cloud.endpoint_event.crossproc.reputation | Carbon Black Cloud Reputation string for the crossproc. | keyword |
+| carbon_black_cloud.endpoint_event.crossproc.target | True if the process was the target of the cross-process event; false if the process was the actor. | boolean |
+| carbon_black_cloud.endpoint_event.device.external_ip | External IP of the device. | ip |
+| carbon_black_cloud.endpoint_event.device.internal_ip | Internal IP of the device. | ip |
+| carbon_black_cloud.endpoint_event.device.os | Os name. | keyword |
+| carbon_black_cloud.endpoint_event.device.timestamp | Time seen on sensor. | keyword |
+| carbon_black_cloud.endpoint_event.event_origin | Indicates which product the event came from. "EDR" indicates the event originated from Enterprise EDR. "NGAV" indicates the event originated from Endpoint Standard. | keyword |
+| carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline | Deobfuscated script content run in a fileless context by the process. | keyword |
+| carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline_length | Character count of the deobfuscated script content run in a fileless context. 
| keyword |
+| carbon_black_cloud.endpoint_event.fileless_scriptload.hash.md5 | MD5 hash of the deobfuscated script content run by the process in a fileless context. | keyword |
+| carbon_black_cloud.endpoint_event.fileless_scriptload.hash.sha256 | SHA-256 hash of the deobfuscated script content run by the process in a fileless context. | keyword |
+| carbon_black_cloud.endpoint_event.modload.count | Count of modload events reported by the sensor since last initialization. | long |
+| carbon_black_cloud.endpoint_event.modload.effective_reputation | Effective reputation(s) of the loaded module(s); applied by the sensor when the event occurred. | keyword |
+| carbon_black_cloud.endpoint_event.modload.publisher.name | The name of the publisher. | keyword |
+| carbon_black_cloud.endpoint_event.modload.publisher.state | The state of the publisher. | keyword |
+| carbon_black_cloud.endpoint_event.netconn.proxy.domain | DNS name associated with the "proxy" end of this network connection; may be empty if the name cannot be inferred or the connection is made direct to/from a proxy IP address. | keyword |
+| carbon_black_cloud.endpoint_event.netconn.proxy.ip | IPv4 or IPv6 address in string format associated with the "proxy" end of this network connection. | keyword |
+| carbon_black_cloud.endpoint_event.netconn.proxy.port | UDP/TCP port number associated with the "proxy" end of this network connection. | keyword |
+| carbon_black_cloud.endpoint_event.organization_key | The organization key associated with the console instance. | keyword |
+| carbon_black_cloud.endpoint_event.process.duration | The time difference in seconds between the process start and process terminate event. | long |
+| carbon_black_cloud.endpoint_event.process.parent.reputation | Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. 
| keyword |
+| carbon_black_cloud.endpoint_event.process.publisher.name | The name of the publisher. | keyword |
+| carbon_black_cloud.endpoint_event.process.publisher.state | The state of the publisher. | keyword |
+| carbon_black_cloud.endpoint_event.process.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword |
+| carbon_black_cloud.endpoint_event.process.terminated | True if process was terminated elase false. | boolean |
+| carbon_black_cloud.endpoint_event.process.username | The username associated with the user context that this process was started under. | keyword |
+| carbon_black_cloud.endpoint_event.schema | The schema version. The current schema version is "1". This schema version will only be incremented if the field definitions are changed in a backwards-incompatible way. | long |
+| carbon_black_cloud.endpoint_event.scriptload.count | Count of scriptload events across all processes reported by the sensor since last initialization. | long |
+| carbon_black_cloud.endpoint_event.scriptload.effective_reputation | Effective reputation(s) of the script file(s) loaded at process launch; applied by the sensor when the event occurred. | keyword |
+| carbon_black_cloud.endpoint_event.scriptload.hash.md5 | Cryptographic MD5 hashes of the target of the scriptload event. | keyword |
+| carbon_black_cloud.endpoint_event.scriptload.hash.sha256 | Cryptographic SHA256 hashes of the target of the scriptload event. | keyword |
+| carbon_black_cloud.endpoint_event.scriptload.name | Full path to the target of the crossproc event on the device's local file system. | keyword |
+| carbon_black_cloud.endpoint_event.scriptload.publisher.name | The name of the publisher. | keyword |
+| carbon_black_cloud.endpoint_event.scriptload.publisher.state | The state of the publisher. 
| keyword |
+| carbon_black_cloud.endpoint_event.scriptload.reputation | Carbon Black Cloud Reputation string for the scriptload. | keyword |
+| carbon_black_cloud.endpoint_event.sensor_action | The sensor action taken on event. | keyword |
+| carbon_black_cloud.endpoint_event.target_cmdline | Process command line associated with the target process. | keyword |
+| carbon_black_cloud.endpoint_event.type | The event type. | keyword |
+| client.ip | IP address of the client (IPv4 or IPv6). | ip |
+| client.port | Port of the client. | long |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| dll.hash.md5 | MD5 hash. | keyword |
+| dll.hash.sha256 | SHA256 hash. | keyword |
+| dll.path | Full file path of the library. | keyword |
+| ecs.version | ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.dataset | Event dataset. | constant_keyword |
+| event.id | Unique ID to describe the event. | keyword |
+| event.module | Event module. | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
+| file.hash.md5 | MD5 hash. | keyword |
+| file.hash.sha256 | SHA256 hash. | keyword |
+| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| file.path.text | Multi-field of `file.path`. | match_only_text |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. 
| boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Input type | keyword |
+| log.offset | Log offset | long |
+| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
+| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.executable | Absolute path to the process executable. | keyword |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text |
+| process.hash.md5 | MD5 hash. 
| keyword |
+| process.hash.sha256 | SHA256 hash. | keyword |
+| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
+| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.parent.executable | Absolute path to the process executable. | keyword |
+| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
+| process.parent.hash.md5 | MD5 hash. | keyword |
+| process.parent.hash.sha256 | SHA256 hash. | keyword |
+| process.parent.pid | Process id. | long |
+| process.pid | Process id. | long |
+| registry.path | Full path, including hive, key and value | keyword |
+| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.port | Port of the source. | long |
+| tags | List of keywords used to tag each event. | keyword |
+
+
+### Watchlist Hit
+
+This is the `watchlist_hit` dataset.
+
+An example event for `watchlist_hit` looks as following:
+
+```json
+{
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "carbon_black_cloud-watchlist-hit"
+ ],
+ "input": {
+ "type": "aws-s3"
+ },
+ "data_stream": {
+ "namespace": "default",
+ "type": "logs",
+ "dataset": "carbon_black_cloud.watchlist_hit"
+ },
+ "agent": {
+ "id": "e0d5f508-9616-400f-b26b-bb1aa6638b80",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "process": {
+ "parent": {
+ "pid": 4076,
+ "entity_id": "7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1",
+ "command_line": "C:\\WINDOWS\\system32\\cmd.exe /c \"sc query aella_conf | findstr RUNNING \u003e null\"",
+ "executable": "c:\\windows\\syswow64\\cmd.exe",
+ "hash": {
+ "sha256": "4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22",
+ "md5": "d0fce3afa6aa1d58ce9fa336cc2b675b"
+ }
+ },
+ "pid": 7516,
+ "entity_id": "7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6",
+ "command_line": "sc query aella_conf ",
+ "executable": "c:\\windows\\syswow64\\sc.exe",
+ "hash": {
+ "sha256": "4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2",
+ "md5": "d9d7684b8431a0d10d0e76fe9f5ffec8"
+ }
+ },
+ "carbon_black_cloud": {
+ "watchlist_hit": {
+ "schema": 1,
+ "process": {
+ "parent": {
+ "publisher": [
+ {
+ "name": "Microsoft Windows",
+ "state": [
+ "FILE_SIGNATURE_STATE_SIGNED",
+ "FILE_SIGNATURE_STATE_VERIFIED",
+ "FILE_SIGNATURE_STATE_TRUSTED",
+ "FILE_SIGNATURE_STATE_OS",
+ "FILE_SIGNATURE_STATE_CATALOG_SIGNED"
+ ]
+ }
+ ],
+ "reputation": "REP_WHITE",
+ "username": "NT 
AUTHORITY\\SYSTEM"
+ },
+ "publisher": [
+ {
+ "name": "Microsoft Windows",
+ "state": [
+ "FILE_SIGNATURE_STATE_SIGNED",
+ "FILE_SIGNATURE_STATE_VERIFIED",
+ "FILE_SIGNATURE_STATE_TRUSTED",
+ "FILE_SIGNATURE_STATE_OS",
+ "FILE_SIGNATURE_STATE_CATALOG_SIGNED"
+ ]
+ }
+ ],
+ "reputation": "REP_WHITE",
+ "username": "NT AUTHORITY\\SYSTEM"
+ },
+ "organization_key": "xxxxxxxx",
+ "report": {
+ "name": "Discovery - System Service Discovery Detected",
+ "id": "CFnKBKLTv6hUkBGFobRdg-565571",
+ "tags": [
+ "attack",
+ "attackframework",
+ "threathunting",
+ "hunting",
+ "t1007",
+ "recon",
+ "discovery",
+ "windows"
+ ]
+ },
+ "watchlists": [
+ {
+ "name": "ATT\u0026CK Framework",
+ "id": "P5f9AW29TGmTOvBW156Cig"
+ }
+ ],
+ "type": "watchlist.hit",
+ "ioc": {
+ "hit": "((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true",
+ "id": "565571-0"
+ },
+ "device": {
+ "internal_ip": "10.10.156.12",
+ "external_ip": "67.43.156.12",
+ "os": "WINDOWS"
+ }
+ }
+ },
+ "host": {
+ "hostname": "Carbonblack-win1",
+ "os": {
+ "type": "windows"
+ },
+ "ip": [
+ "10.10.156.12",
+ "67.43.156.12"
+ ],
+ "id": "4467271"
+ },
+ "event": {
+ "kind": "event",
+ "severity": 3,
+ "agent_id_status": "verified",
+ "ingested": "2022-02-17T07:23:31Z",
+ "original": "{\"schema\":1,\"create_time\":\"2022-02-10T23:54:32.449Z\",\"device_external_ip\":\"205.234.30.196\",\"device_id\":4467271,\"device_internal_ip\":\"10.33.4.214\",\"device_name\":\"Carbonblack-win1\",\"device_os\":\"WINDOWS\",\"ioc_hit\":\"((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true\",\"ioc_id\":\"565571-0\",\"org_key\":\"7DESJ9GN\",\"parent_cmdline\":\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \\\"sc query aella_conf | findstr RUNNING \\u003e 
null\\\"\",\"parent_guid\":\"7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1\",\"parent_hash\":[\"d0fce3afa6aa1d58ce9fa336cc2b675b\",\"4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22\"],\"parent_path\":\"c:\\\\windows\\\\syswow64\\\\cmd.exe\",\"parent_pid\":4076,\"parent_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"parent_reputation\":\"REP_WHITE\",\"parent_username\":\"NT AUTHORITY\\\\SYSTEM\",\"process_cmdline\":\"sc query aella_conf \",\"process_guid\":\"7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6\",\"process_hash\":[\"d9d7684b8431a0d10d0e76fe9f5ffec8\",\"4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2\"],\"process_path\":\"c:\\\\windows\\\\syswow64\\\\sc.exe\",\"process_pid\":7516,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_reputation\":\"REP_WHITE\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"report_id\":\"CFnKBKLTv6hUkBGFobRdg-565571\",\"report_name\":\"Discovery - System Service Discovery Detected\",\"report_tags\":[\"attack\",\"attackframework\",\"threathunting\",\"hunting\",\"t1007\",\"recon\",\"discovery\",\"windows\"],\"severity\":3,\"type\":\"watchlist.hit\",\"watchlists\":[{\"id\":\"P5f9AW29TGmTOvBW156Cig\",\"name\":\"ATT\\u0026CK Framework\"}]}",
+ "dataset": "carbon_black_cloud.watchlist_hit"
+ }
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| carbon_black_cloud.watchlist_hit.device.external_ip | External IP of the device. | ip |
+| carbon_black_cloud.watchlist_hit.device.internal_ip | Internal IP of the device. 
| ip |
+| carbon_black_cloud.watchlist_hit.device.os | OS Type of device (Windows/OSX/Linux). | keyword |
+| carbon_black_cloud.watchlist_hit.ioc.field | Field the IOC hit contains. | keyword |
+| carbon_black_cloud.watchlist_hit.ioc.hit | IOC field value, or IOC query that matches. | keyword |
+| carbon_black_cloud.watchlist_hit.ioc.id | ID of the IOC that caused the hit. | keyword |
+| carbon_black_cloud.watchlist_hit.organization_key | The organization key associated with the console instance. | keyword |
+| carbon_black_cloud.watchlist_hit.process.parent.publisher.name | The name of the publisher. | keyword |
+| carbon_black_cloud.watchlist_hit.process.parent.publisher.state | The state of the publisher. | keyword |
+| carbon_black_cloud.watchlist_hit.process.parent.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword |
+| carbon_black_cloud.watchlist_hit.process.parent.username | The username associated with the user context that this process was started under. | keyword |
+| carbon_black_cloud.watchlist_hit.process.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword |
+| carbon_black_cloud.watchlist_hit.process.username | The username associated with the user context that this process was started under. | keyword |
+| carbon_black_cloud.watchlist_hit.report.id | ID of the watchlist report(s) that detected a hit on the process. | keyword |
+| carbon_black_cloud.watchlist_hit.report.name | Name of the watchlist report(s) that detected a hit on the process. | keyword |
+| carbon_black_cloud.watchlist_hit.report.tags | List of tags associated with the report(s) that detected a hit on the process. | keyword |
+| carbon_black_cloud.watchlist_hit.schema | Schema version. | long |
+| carbon_black_cloud.watchlist_hit.type | The watchlist hit type. 
| keyword |
+| carbon_black_cloud.watchlist_hit.watchlists.id | The ID of the watchlists. | keyword |
+| carbon_black_cloud.watchlist_hit.watchlists.name | The name of the watchlists. | keyword |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.dataset | Event dataset. | constant_keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module. | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Input type | keyword |
+| log.offset | Log offset | long |
+| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. 
| wildcard |
+| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
+| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.executable | Absolute path to the process executable. | keyword |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text |
+| process.hash.md5 | MD5 hash. | keyword |
+| process.hash.sha256 | SHA256 hash. | keyword |
+| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
+| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.parent.executable | Absolute path to the process executable. | keyword |
+| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
+| process.parent.hash.md5 | MD5 hash. | keyword |
+| process.parent.hash.sha256 | SHA256 hash. | keyword |
+| process.parent.pid | Process id. | long |
+| process.pid | Process id. 
| long | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| tags | List of keywords used to tag each event. | keyword | + + +### Asset Vulnerability Summary + +This is the `asset_vulnerability_summary` dataset. + +An example event for `asset_vulnerability_summary` looks as following: + +```json +{ + "@timestamp": "2022-04-05T12:07:27.035Z", + "agent": { + "ephemeral_id": "90b0b6ec-10f9-41d4-94a5-b47c68f6b376", + "hostname": "docker-fleet-agent", + "id": "1465e432-24f3-456b-98ab-e79cdc8d86f6", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "carbon_black_cloud": { + "asset_vulnerability_summary": { + "last_sync": { + "timestamp": "2022-01-17T08:33:37.384Z" + }, + "os_info": { + "os_arch": "64-bit" + }, + "sync": { + "status": "COMPLETED", + "type": "SCHEDULED" + }, + "type": "ENDPOINT", + "vuln_count": 1770 + } + }, + "data_stream": { + "dataset": "carbon_black_cloud.asset_vulnerability_summary", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "1465e432-24f3-456b-98ab-e79cdc8d86f6", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-04-05T12:07:27.035Z", + "dataset": "carbon_black_cloud.asset_vulnerability_summary", + "ingested": "2022-04-05T12:07:27Z", + "original": 
"{\"cve_ids\":null,\"device_id\":8,\"highest_risk_score\":10,\"host_name\":\"DESKTOP-008\",\"last_sync_ts\":\"2022-01-17T08:33:37.384932Z\",\"name\":\"DESKTOP-008KK\",\"os_info\":{\"os_arch\":\"64-bit\",\"os_name\":\"Microsoft Windows 10 Education\",\"os_type\":\"WINDOWS\",\"os_version\":\"10.0.17763\"},\"severity\":\"CRITICAL\",\"sync_status\":\"COMPLETED\",\"sync_type\":\"SCHEDULED\",\"type\":\"ENDPOINT\",\"vm_id\":\"\",\"vm_name\":\"\",\"vuln_count\":1770}" + }, + "host": { + "hostname": "DESKTOP-008", + "id": "8", + "name": "DESKTOP-008KK", + "os": { + "name": "Microsoft Windows 10 Education", + "type": "windows", + "version": "10.0.17763" + } + }, + "input": { + "type": "httpjson" + }, + "related": { + "hosts": [ + "DESKTOP-008" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-asset-vulnerability-summary" + ], + "vulnerability": { + "score": { + "base": 10 + }, + "severity": "CRITICAL" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| carbon_black_cloud.asset_vulnerability_summary.last_sync.timestamp | The identifier is for the Last sync time. | date | +| carbon_black_cloud.asset_vulnerability_summary.os_info.os_arch | The identifier is for the Operating system architecture. | keyword | +| carbon_black_cloud.asset_vulnerability_summary.sync.status | The identifier is for the Device sync status. | keyword | +| carbon_black_cloud.asset_vulnerability_summary.sync.type | The identifier is for the Whether a manual sync was triggered for the device, or if it was a scheduled sync. | keyword | +| carbon_black_cloud.asset_vulnerability_summary.type | The identifier is for the Device type. | keyword | +| carbon_black_cloud.asset_vulnerability_summary.vm.id | The identifier is for the Virtual Machine ID. | keyword | +| carbon_black_cloud.asset_vulnerability_summary.vm.name | The identifier is for the Virtual Machine name. 
| keyword | +| carbon_black_cloud.asset_vulnerability_summary.vuln_count | The identifier is for the Number of vulnerabilities at this level. | integer | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. 
One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) | float | +| vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | diff --git a/packages/carbon_black_cloud/0.1.0/img/carbon_black_cloud-logo.svg b/packages/carbon_black_cloud/0.1.0/img/carbon_black_cloud-logo.svg new file mode 100755 index 0000000000..180cc3d212 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/img/carbon_black_cloud-logo.svg @@ -0,0 +1,91 @@ + + + + +Created by potrace 1.16, written by Peter Selinger 2001-2019 + + + + + + + + + + + + + + + + + + + + + 
diff --git a/packages/carbon_black_cloud/0.1.0/img/carbon_black_cloud-screenshot.png b/packages/carbon_black_cloud/0.1.0/img/carbon_black_cloud-screenshot.png new file mode 100755 index 0000000000..6fda3c108d Binary files /dev/null and b/packages/carbon_black_cloud/0.1.0/img/carbon_black_cloud-screenshot.png differ diff --git a/packages/carbon_black_cloud/0.1.0/kibana/dashboard/carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/dashboard/carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..129cd1c62a --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/dashboard/carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,42 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"table\":null,\"vis\":{\"params\":{\"colWidth\":[{\"colIndex\":0,\"width\":831}]}}},\"gridData\":{\"h\":15,\"i\":\"c8d90872-b3b3-447d-a9fc-ada6409efeb2\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"c8d90872-b3b3-447d-a9fc-ada6409efeb2\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"16128cf1-2134-46a9-9fd3-19889a2a6c9e\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"16128cf1-2134-46a9-9fd3-19889a2a6c9e\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"84a10ea8-959c-4fe7-852d-835b3786ed17\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"84a10ea8-959c-4fe7-852d-835b3786ed17\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"cd3e5a79-3640-47ff-95cd-c54debb5ee2d\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"cd3e5a79-3640-47ff-95cd-c54debb5ee2d\",\"panelRefName\":\"panel_3\",\"type\":\"search\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Carbon Black Cloud] Audit Logs", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95", + "name": "panel_0", + "type": "visualization" + }, + { + "id": 
"carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95", + "name": "panel_3", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/dashboard/carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.0/kibana/dashboard/carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..e3f216759c --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/dashboard/carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7.json 
@@ -0,0 +1,97 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"carbon_black_cloud.endpoint_event.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"f19543f7-04f5-42dd-849b-5f2fd8ca15f8\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"f19543f7-04f5-42dd-849b-5f2fd8ca15f8\",\"title\":\"[Carbon Black Cloud] Top 10 Event 
Types\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bee43023-c427-4176-ba31-2c4831cbc44e\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"bee43023-c427-4176-ba31-2c4831cbc44e\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1727b9fb-4ba0-4f78-aa54-0d52db62b624\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"1727b9fb-4ba0-4f78-aa54-0d52db62b624\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10a11498-6416-4b72-adc6-78a5d7937428\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"10a11498-6416-4b72-adc6-78a5d7937428\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"719006b6-32b2-4ed0-aecd-a1a1f37b471b\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"719006b6-32b2-4ed0-aecd-a1a1f37b471b\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"735f366c-91c5-4f33-961f-4db200acc05c\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"735f366c-91c5-4f33-961f-4db200acc05c\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"14a95a5a-61e8-459c-95bc-d1b11eed9054\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"14a95a5a-61e8-459c-95bc-d1b11eed9054\",\"panelRefName\":\"panel_5\",\"title\":\"[Carbon Black Cloud] Top 10 Device External 
IP\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3cc67760-3bba-4282-b91e-db120e8abe4e\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"3cc67760-3bba-4282-b91e-db120e8abe4e\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9df5251e-52af-4509-b30e-d62f8ef9a3a3\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"9df5251e-52af-4509-b30e-d62f8ef9a3a3\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"04d664de-8814-4314-8f6e-2774b11ab572\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"04d664de-8814-4314-8f6e-2774b11ab572\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c80e4ab0-c5b5-4916-9025-d006a37aa7ba\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"c80e4ab0-c5b5-4916-9025-d006a37aa7ba\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f57a7bf6-bc25-433b-8019-6489124907b6\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"f57a7bf6-bc25-433b-8019-6489124907b6\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c9984aec-8f3f-456a-aa80-b1fc314eb681\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"c9984aec-8f3f-456a-aa80-b1fc314eb681\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"3232147b-0914-4432-ba42-0c6c03414e4b\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"3232147b-0914-4432-ba42-0c6c03414e4b\",\"panelRefName\":\"panel_12\",\"title\":\"[Carbon 
Black Cloud] Top 10 Effective Reputation of Loaded Modules\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"391470e2-57a0-46c7-86bd-f66c6eb2ed66\",\"w\":48,\"x\":0,\"y\":105},\"panelIndex\":\"391470e2-57a0-46c7-86bd-f66c6eb2ed66\",\"panelRefName\":\"panel_13\",\"type\":\"search\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Carbon Black Cloud] Endpoint Event", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "f19543f7-04f5-42dd-849b-5f2fd8ca15f8:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7", + "name": 
"panel_9", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7", + "name": "panel_11", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7", + "name": "panel_12", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7", + "name": "panel_13", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/dashboard/carbon_black_cloud-af030950-8d73-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/dashboard/carbon_black_cloud-af030950-8d73-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..4a9c10d677 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/dashboard/carbon_black_cloud-af030950-8d73-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,147 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category\",\"field\":\"carbon_black_cloud.alert.category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":15,\"i\":\"a63e66da-6fdb-432e-8cd3-9beeceb7187e\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"a63e66da-6fdb-432e-8cd3-9beeceb7187e\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":t
rue,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert Type\",\"field\":\"carbon_black_cloud.alert.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":15,\"i\":\"3b39bb5c-6d43-4bac-9551-dd3db3def5da\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"3b39bb5c-6d43-4bac-9551-dd3db3def5da\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5e9e34e5-35be-4f6c-922a-fb15daf002ab\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"5e9e34e5-35be-4f6c-922a-fb15daf002ab\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7cba8aeb-90ad-4db5-8050-6093f8b51f56\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"7cba8aeb-90ad-4db5-8050-6093f8b51f56\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"bb01cff3-1557-42ad-ad1a-0cca9f44b658\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"bb01cff3-1557-42ad-ad1a
-0cca9f44b658\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"fdcee22b-9a7d-4b00-af40-ebe01d7e8b28\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"fdcee22b-9a7d-4b00-af40-ebe01d7e8b28\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3d50fe5a-b808-407c-830e-1badfb14b4b4\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"3d50fe5a-b808-407c-830e-1badfb14b4b4\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"e7610078-a6b5-47e0-9739-ee08f84a39c8\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"e7610078-a6b5-47e0-9739-ee08f84a39c8\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"93081e97-c841-4eb2-bfa3-6d214cb10282\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"93081e97-c841-4eb2-bfa3-6d214cb10282\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"920d0841-19a5-4052-a5c6-4c2bcea8feee\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"920d0841-19a5-4052-a5c6-4c2bcea8feee\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2aab11a6-0445-43ae-b852-de68e72bc9f6\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"2aab11a6-0445-43ae-b852-de68e72bc9f6\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"64eae241-7f78-45c4-9ec8-f2c1195a5fa2\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"64eae241-7f78-45c4-9ec8-f2c1195a5fa2\",\"panelRefName\":\"panel_11\",\"type\":\"
visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8f0964cf-d899-481f-b1e2-138d3e24f67f\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"8f0964cf-d899-481f-b1e2-138d3e24f67f\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"colWidth\":[{\"colIndex\":1,\"width\":494}]}}},\"gridData\":{\"h\":15,\"i\":\"5cf45870-ceae-4231-9fe7-1dc62ff55c16\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"5cf45870-ceae-4231-9fe7-1dc62ff55c16\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"01a42219-92ef-4f03-b8a3-3eb1f498c1f7\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"01a42219-92ef-4f03-b8a3-3eb1f498c1f7\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"2afa241a-c05d-4c21-b993-d00d655e53f6\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"2afa241a-c05d-4c21-b993-d00d655e53f6\",\"panelRefName\":\"panel_15\",\"title\":\"[Carbon Black Cloud] Distribution of Alerts by IOC 
Field\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5ac185d0-99d0-473f-9cf5-4898053b1fa8\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"5ac185d0-99d0-473f-9cf5-4898053b1fa8\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9248238a-0980-423a-a19c-44102fdc173c\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"9248238a-0980-423a-a19c-44102fdc173c\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"48aa679f-815f-4196-bca9-b3d7784aef73\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"48aa679f-815f-4196-bca9-b3d7784aef73\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"669a2361-cb74-4def-a571-4af3ab5082b9\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"669a2361-cb74-4def-a571-4af3ab5082b9\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"83e71096-5c60-41e7-a258-ec2036fcf872\",\"w\":24,\"x\":24,\"y\":150},\"panelIndex\":\"83e71096-5c60-41e7-a258-ec2036fcf872\",\"panelRefName\":\"panel_20\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ab2c450c-e97f-41ba-bffe-3c0672b64320\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"ab2c450c-e97f-41ba-bffe-3c0672b64320\",\"panelRefName\":\"panel_21\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3df6d550-3202-40b6-a2ad-0909b7e5dd6b\",\"w\":24,\"x\":24,\"y\":165},\"panelIndex\":\"3df6d550-3202-40b6-a2ad-0909b7e5dd6b\",\"panelRefName\":\"panel_22\",\"type\":\"visualization\",\"versio
n\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"colWidth\":[{\"colIndex\":0,\"width\":1134}]}}},\"gridData\":{\"h\":15,\"i\":\"bab343d8-bdda-4558-8353-f4530b69a3b9\",\"w\":24,\"x\":0,\"y\":165},\"panelIndex\":\"bab343d8-bdda-4558-8353-f4530b69a3b9\",\"panelRefName\":\"panel_23\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":27,\"i\":\"7a714638-9485-4da1-bc85-38df2ef49e99\",\"w\":48,\"x\":0,\"y\":180},\"panelIndex\":\"7a714638-9485-4da1-bc85-38df2ef49e99\",\"panelRefName\":\"panel_24\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Cause Actor Name\",\"field\":\"carbon_black_cloud.alert.threat_cause.actor.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"\",\"type\":\"table\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"360b92d6-049c-42de-903f-f22ab75c0afc\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"360b92d6-049c-42de-903f-f22ab75c0afc\",\"title\":\"[Carbon Black Cloud] Top 10 Threat Cause Actor Name\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Carbon Black Cloud] Alerts", + "version": 1 + }, + 
"coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-af030950-8d73-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95", + "name": "panel_11", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95", + "name": "panel_12", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95", + "name": "panel_13", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95", + "name": "panel_14", + 
"type": "visualization" + }, + { + "id": "carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95", + "name": "panel_15", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95", + "name": "panel_16", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95", + "name": "panel_17", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95", + "name": "panel_18", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95", + "name": "panel_19", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95", + "name": "panel_20", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95", + "name": "panel_21", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95", + "name": "panel_22", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95", + "name": "panel_23", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95", + "name": "panel_24", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/dashboard/carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.0/kibana/dashboard/carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..ee0df3955b --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/dashboard/carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,67 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"604c7824-2086-4750-bd55-42ffffa9fc11\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"604c7824-2086-4750-bd55-42ffffa9fc11\",\"panelRefName\":\"panel_0\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by OS Type, OS Version\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"bd12665d-43af-45c1-b05e-556ed72556fa\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"bd12665d-43af-45c1-b05e-556ed72556fa\",\"panelRefName\":\"panel_1\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Sync Status\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"fab676af-f870-4fd6-ac5d-3e17a224aaa8\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"fab676af-f870-4fd6-ac5d-3e17a224aaa8\",\"panelRefName\":\"panel_2\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Severity\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"e3d4c200-17e9-4303-9073-b9dc8c95a790\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"e3d4c200-17e9-4303-9073-b9dc8c95a790\",\"panelRefName\":\"panel_3\",\"title\":\"[Carbon Black Cloud] 
Top 10 Hosts with Highest Vulnerability Count\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"624500b9-5f23-4c1c-b84b-83c5f20b72bb\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"624500b9-5f23-4c1c-b84b-83c5f20b72bb\",\"panelRefName\":\"panel_4\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Sync Type\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"0ec67461-93e2-49df-bcd9-3407fabd5832\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"0ec67461-93e2-49df-bcd9-3407fabd5832\",\"panelRefName\":\"panel_5\",\"title\":\"[Carbon Black Cloud] Top 10 Hosts with Highest Risk Score\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"66d4f664-5644-48c9-b179-ddd94e1a3e46\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"66d4f664-5644-48c9-b179-ddd94e1a3e46\",\"panelRefName\":\"panel_6\",\"title\":\"[Carbon Black Cloud] Top 10 OS Names\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":20,\"i\":\"6e5579cc-cd91-4f7b-a221-e9bed77aa2b5\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"6e5579cc-cd91-4f7b-a221-e9bed77aa2b5\",\"panelRefName\":\"panel_7\",\"title\":\"[Carbon Black Cloud] Asset Vulnerability Assessment Essential Details\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"244dc3ee-7810-4f22-b915-bc0a8118fb2a\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"244dc3ee-7810-4f22-b915-bc0a8118fb2a\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": 
"[Carbon Black Cloud] Asset Vulnerability Summary", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf", + "name": "panel_7", + "type": "search" + }, + { + "id": "carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf", + "name": "panel_8", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/dashboard/carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/0.1.0/kibana/dashboard/carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..94761c84e1 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/dashboard/carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826.json 
@@ -0,0 +1,107 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8dc3cf12-046a-4901-b213-c29985291e77\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"8dc3cf12-046a-4901-b213-c29985291e77\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device External IP\",\"field\":\"carbon_black_cloud.watchlist_hit.device.external_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"\",\"type\":\"table\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4f7b5cef-a7e9-44a9-8769-44d5326a8df4\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"4f7b5cef-a7e9-44a9-8769-44d5326a8df4\",\"title\":\"[Carbon Black Cloud] Top 10 Device External 
IPs\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Watchlist Hit Name\",\"field\":\"carbon_black_cloud.watchlist_hit.watchlists.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Watchlist Hit Names\",\"type\":\"table\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"3d454d18-6baa-40de-aa94-4ebfaee9a759\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"3d454d18-6baa-40de-aa94-4ebfaee9a759\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"event.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Severity\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"b0289aae-02bb-472e-8a22-07ff9f5d2372\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"b0289aae-02bb-472e-8a22-07ff9f5d2372\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Reputation\",\"field\":\"carbon_black_cloud.watchlist_hit.process.reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: 
\\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"d29f5a98-736d-4f47-877e-b4552d15f889\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"d29f5a98-736d-4f47-877e-b4552d15f889\",\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Process Reputation\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Reputation\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: 
\\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Process Reputation\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"ae5c96d5-b7d6-45f8-b57b-42cc190f990b\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"ae5c96d5-b7d6-45f8-b57b-42cc190f990b\",\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Parent Process Reputation\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f3ba83bc-4f34-4131-9a0c-bac18ec92ac0\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"f3ba83bc-4f34-4131-9a0c-bac18ec92ac0\",\"panelRefName\":\"panel_1\",\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher 
Names\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5271fb1f-64a6-461e-b2de-4abc76736af6\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"5271fb1f-64a6-461e-b2de-4abc76736af6\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9c2fdcbe-43cb-4070-88ef-03e6e5082636\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"9c2fdcbe-43cb-4070-88ef-03e6e5082636\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"bc0503e7-6c6d-4edf-a76e-17a74f7d0957\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"bc0503e7-6c6d-4edf-a76e-17a74f7d0957\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"d02cda3a-ceef-4766-b25b-456733be2a66\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"d02cda3a-ceef-4766-b25b-456733be2a66\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5b66a72e-ce08-441c-8705-bb632b896745\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"5b66a72e-ce08-441c-8705-bb632b896745\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6bff08c7-8ffb-423e-87de-f7585aa6bc86\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"6bff08c7-8ffb-423e-87de-f7585aa6bc86\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"437c123b-c447-476e-a28b-f3d965a50968\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"437c123b-c447-476e-a28b-f3d965a50968\",\"panelRefName\":\"panel_8\",\"type\":\"visualiz
ation\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"33d80097-0089-4b48-8fd9-5dcda9e58e48\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"33d80097-0089-4b48-8fd9-5dcda9e58e48\",\"panelRefName\":\"panel_9\",\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher States\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"50a006ac-7108-47e5-adef-876c15fc8b44\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"50a006ac-7108-47e5-adef-876c15fc8b44\",\"panelRefName\":\"panel_10\",\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Publisher States\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":31,\"i\":\"cfec84cb-87af-4b98-b855-17372eee70c8\",\"w\":48,\"x\":0,\"y\":120},\"panelIndex\":\"cfec84cb-87af-4b98-b855-17372eee70c8\",\"panelRefName\":\"panel_11\",\"type\":\"search\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Carbon Black Cloud] Watchlist Hit", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "logs-*", + "name": "4f7b5cef-a7e9-44a9-8769-44d5326a8df4:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3d454d18-6baa-40de-aa94-4ebfaee9a759:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b0289aae-02bb-472e-8a22-07ff9f5d2372:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"d29f5a98-736d-4f47-877e-b4552d15f889:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ae5c96d5-b7d6-45f8-b57b-42cc190f990b:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826", + "name": "panel_11", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/search/carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/0.1.0/kibana/search/carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..fde5382f93 --- /dev/null 
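Review bot: The by-value pie panel for `carbon_black_cloud.watchlist_hit.process.parent.reputation` (panelIndex ae5c96d5-…) embeds `savedVis.title` `[Carbon Black Cloud] Distribution of Watchlist Hit by Process Reputation`, which is the sibling panel's title and contradicts both the aggregated field and the panel-level `title` `… by Parent Process Reputation`. Change the embedded title to `\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Parent Process Reputation\"` so the visualization stays correctly labelled if the panel override is dropped or the vis is later saved to the library. The by-value panels are also labelled inconsistently: the severity pie carries its title only inside `savedVis` with no panel `title`, while the two reputation pies rely on the panel `title` and leave or mis-set the embedded one; pick one convention for the whole dashboard. This dashboard is the only one in the hunks mixing by-value panels (with per-panel `logs-*` index-pattern references) and library references, which is worth a sentence in the PR description.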
+++ b/packages/carbon_black_cloud/0.1.0/kibana/search/carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826.json
@@ -0,0 +1,39 @@
+{
+ "attributes": {
+ "columns": [
+ "carbon_black_cloud.watchlist_hit.watchlists.name",
+ "process.command_line",
+ "process.parent.command_line",
+ "process.executable",
+ "process.parent.executable",
+ "carbon_black_cloud.watchlist_hit.ioc.id",
+ "carbon_black_cloud.watchlist_hit.ioc.hit"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}"
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "[Carbon Black Cloud] Watchlist Hit Essential Details"
+ },
+ "coreMigrationVersion": "7.17.0",
+ "id": "carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826",
+ "migrationVersion": {
+ "search": "7.9.3"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/search/carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/search/carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95.json
new file mode 100755
index 0000000000..fdc104f3b2
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/kibana/search/carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95.json
@@ -0,0 +1,36 @@
+{
+ "attributes": {
+ "columns": [
+ "event.id",
+ "client.user.id",
+ "event.reason",
+ "client.ip"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": true,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}"
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "[Carbon Black Cloud] Audit Essential Details"
+ },
+ "coreMigrationVersion": "7.17.0",
+ "id": "carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95",
+ "migrationVersion": {
+ "search": "7.9.3"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/search/carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.0/kibana/search/carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7.json
new file mode 100755
index 0000000000..800a5cb006
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/kibana/search/carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7.json
@@ -0,0 +1,39 @@
+{
+ "attributes": {
+ "columns": [
+ "carbon_black_cloud.endpoint_event.type",
+ "process.command_line",
+ "process.parent.command_line",
+ "dll.path",
+ "carbon_black_cloud.endpoint_event.target_cmdline",
+ "process.executable",
+ "process.parent.executable"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}"
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "[Carbon Black Cloud] Endpoint Events Essential Details"
+ },
+ "coreMigrationVersion": "7.17.0",
+ "id": "carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7",
+ "migrationVersion": {
+ "search": "7.9.3"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/search/carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/search/carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95.json
new file mode 100755
index 0000000000..1a37e59347
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/kibana/search/carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95.json
@@ -0,0 +1,37 @@
+{
+ "attributes": {
+ "columns": [
+ "event.id",
+ "event.reason",
+ "event.url",
+ "carbon_black_cloud.alert.threat_indicators.process_name",
+ "carbon_black_cloud.alert.category"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": true,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}"
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "[Carbon Black Cloud] Alerts Essential Details"
+ },
+ "coreMigrationVersion": "7.17.0",
+ "id": "carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95",
+ "migrationVersion": {
+ "search": "7.9.3"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/search/carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.0/kibana/search/carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf.json
new file mode 100755
index 0000000000..c060c3bd41
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/kibana/search/carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf.json
@@ -0,0 +1,36 @@
+{
+ "attributes": {
+ "columns": [
+ "host.hostname",
+ "vulnerability.severity",
+ "vulnerability.score.base",
+ "carbon_black_cloud.asset_vulnerability_summary.vuln_count"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}"
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "title": "[Carbon Black Cloud] Asset Vulnerability Assessment Essential Details"
+ },
+ "coreMigrationVersion": "7.17.0",
+ "id": "carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf",
+ "migrationVersion": {
+ "search": "7.9.3"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search"
+}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826.json
new file mode 100755
index 0000000000..bf6bf9170c
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826.json
@@ -0,0 +1,25 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}"
+ },
+ "title": "[Carbon Black Cloud] Top 10 Process Publisher State",
+ "uiStateJSON": "{}",
+ "version": 1,
+ "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher State\",\"field\":\"carbon_black_cloud.watchlist_hit.process.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher State\",\"type\":\"table\"}"
+ },
+ "coreMigrationVersion": "7.17.0",
+ "id": "carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826",
+ "migrationVersion": {
+ "visualization": "7.17.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95.json
new file mode 100755
index 0000000000..329118ed72
--- /dev/null
+++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95.json
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by OS, OS version", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS\",\"field\":\"host.os.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OS Version\",\"field\":\"host.os.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":true,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by OS, OS version\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } 
+ ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..fb78529067 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Client IPs", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client IPs\",\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Client IPs\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..edfb4ab922 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Threat Indicators TTPS", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Indicators TTPS\",\"field\":\"carbon_black_cloud.alert.threat_indicators.ttps\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"posit
ion\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Threat Indicators TTPS\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..e058315a1e --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Actions", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Actions\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show
\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Top 10 Actions\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..e9926e3521 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Watchlist Hit by OS", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS\",\"field\":\"carbon_black_cloud.watchlist_hit.device.os\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by OS\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..5c97a8d4eb --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Severity", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"event.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Severity\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..8bb3adabfb --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Parent Process Publisher State", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Publisher State\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Publisher State\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..7bec55f465 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Child Process Username", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Child Process Username\",\"field\":\"carbon_black_cloud.endpoint_event.childproc.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":9},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Child Process Username\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
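Review bot: The terms aggregation inside `visState` for the "[Carbon Black Cloud] Top 10 Child Process Username" table is sized at `\"size\":9`, so the table can show at most nine buckets while the title promises ten. Every sibling "Top 10" table in this commit (process publisher state, client IPs, IOC hits, parent process publisher state) uses `\"size\":10`, so this looks like a typo rather than a deliberate choice. Change it to `\"size\":10` so the visualization matches its title and the other tables.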
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..e4b7fe64f8 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Type", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Type\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Type\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..6b1cb56ea0 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Endpoint Events by Event Origin", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Origin\",\"field\":\"carbon_black_cloud.endpoint_event.event_origin\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{
\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Endpoint Events by Event Origin\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..c59f3f2623 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95.json 
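Review bot: The value axis of the "[Carbon Black Cloud] Distribution of Endpoint Events by Event Origin" horizontal bar has an empty label, `\"title\":{\"text\":\"\"}`, so the count axis renders without a caption. The other horizontal-bar visualizations in this commit (threat indicators TTPS, top 10 actions, category of the threat cause) label the same axis with `\"title\":{\"text\":\"Count\"}`; using the same label here keeps the dashboard consistent.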
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Category of the Threat Cause", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category of the Threat Cause\",\"field\":\"carbon_black_cloud.alert.threat_cause.threat_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"Le
ftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Category of the Threat Cause\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..0a01e78828 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Process Publisher Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher Name\",\"field\":\"carbon_black_cloud.watchlist_hit.process.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher Name\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..682f389163 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Endpoint Events by OS", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device OS\",\"field\":\"carbon_black_cloud.endpoint_event.device.os\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Endpoint Events by OS\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..7af6d5ad55 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 IOC Hits", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IOC Hit\",\"field\":\"carbon_black_cloud.watchlist_hit.ioc.hit\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 IOC Hits\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..1c116157a2 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Category", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category\",\"field\":\"carbon_black_cloud.alert.category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Category\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..3ced47d3fe --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Process Publisher State", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher State\",\"field\":\"carbon_black_cloud.endpoint_event.process.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher State\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..60cf2f819b --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Distribution of Asset Vulnerability Summary by OS Type, OS Version", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OS Type\",\"field\":\"host.os.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Version\",\"field\":\"host.os.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"row\":true,\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by OS Type, OS Version\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + 
], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-5a5dad90-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-5a5dad90-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..411603d6cc --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-5a5dad90-954a-11ec-8b9d-35e42c3f7fcf.json 
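Review bot: The `attributes.title` in this visualization ("Distribution of Asset Vulnerability Summary by OS Type, OS Version") drops the `[Carbon Black Cloud]` prefix that the alert, watchlist_hit and endpoint_event visualizations in this diff all carry, so it will not group with the rest of the package in the Kibana visualize library; the same applies to the asset_vulnerability_summary visualizations in the hunks that follow ("... by Type", "... by OS Type", "... by OS Architecture", "Top 10 OS Names", "Top 10 Hosts with Highest Vulnerability Count", "... by Severity", "Top 10 Hosts with Highest Risk Score"). The title is stored twice per file, once as `"title": "..."` and once inside the escaped `visState` string as `\"title\":\"...\"`, so both copies need the prefix, e.g. `"title": "[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by OS Type, OS Version"`. Since these are Kibana saved-object exports, the safer route is to rename in Kibana and re-export rather than hand-edit the escaped JSON.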
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Distribution of Asset Vulnerability Summary by Type", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"carbon_black_cloud.asset_vulnerability_summary.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":2},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"norm
al\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Distribution of Asset Vulnerability Summary by Type\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-5a5dad90-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..811d8c6112 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Source of the Threat Cause", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source of the Threat Cause\",\"field\":\"carbon_black_cloud.alert.threat_cause.vector\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"
position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Source of the Threat Cause\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..e390c83ecc --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by IOC field", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IOC Field\",\"field\":\"carbon_black_cloud.alert.ioc.field\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"
normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by IOC field\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-5f690780-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-5f690780-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..bdd43d6d65 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-5f690780-954a-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Distribution of Asset Vulnerability Summary by OS Type", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.os.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by OS Type\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-5f690780-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-6496b680-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-6496b680-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..a8622511b3 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-6496b680-954a-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Distribution of Asset Vulnerability Summary by OS Architecture", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.architecture\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by OS Architecture\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-6496b680-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..02160d4bea --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Top 10 OS Names", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Names\",\"field\":\"host.os.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"row\":false,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 OS Names\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..6c64141f00 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Top 10 Hosts with Highest Vulnerability Count", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Vulnerability Count\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.vuln_count\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Hosts with Highest Vulnerability Count\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..630d474e6e --- /dev/null 
+++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Workflow State", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Workflow State\",\"field\":\"carbon_black_cloud.alert.workflow.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Workflow State\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..228daf684c --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Parent Process Publisher Names", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Publisher Name\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Publisher Names\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..1bd12c5d2e --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Distribution of Asset Vulnerability Summary by Severity", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"vulnerability.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by Severity\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..0a3d26dad2 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Report Names", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Report Name\",\"field\":\"carbon_black_cloud.watchlist_hit.report.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Report Names\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..6e873422cb --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Top 10 Hosts with Highest Risk Score", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Risk Score\",\"field\":\"vulnerability.score.base\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Hosts with Highest Risk Score\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..48a0ff614a --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Process Publisher Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher Name\",\"field\":\"carbon_black_cloud.endpoint_event.process.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher Name\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..b549ad14a1 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Distribution of Asset Vulnerability Summary by Sync Type", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sync type\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.sync.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by Sync Type\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..116934a90e --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Child Process Publisher State", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Child Process Publisher State\",\"field\":\"carbon_black_cloud.endpoint_event.childproc.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Child Process Publisher State\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..ebce21d74d --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Distribution of Asset Vulnerability Summary by Sync Status", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sync Status\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.sync.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by Sync Status\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-80778dc0-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-80778dc0-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..8f11ac69cf --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-80778dc0-954a-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Top 10 Hosts with Severity", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Severity\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"2-orderAgg\",\"params\":{\"field\":\"vulnerability.severity\"},\"schema\":\"orderAgg\",\"type\":\"cardinality\"},\"orderBy\":\"custom\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Hosts with Severity\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-80778dc0-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..5d57824451 --- /dev/null 
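Review bot: The metric column of this table is labelled "Severity" but the aggregation behind it is `"type":"count"` with no field, so the column the user sees under that heading is a document count per host, not a severity value; the severity field is only used in the custom `orderAgg` (`cardinality` of `vulnerability.severity`) that orders the buckets. Either the label should say what is shown, e.g. `\"customLabel\":\"Vulnerability Count\"`, or, if the intent is to surface severity, the metric needs to aggregate a severity field the way the "Highest Risk Score" table uses `max` of `vulnerability.score.base`. Ordering hosts by the number of distinct severity values they have is also unlikely to match the "Top 10 Hosts with Severity" title; ordering by the metric (`\"orderBy\":\"1\"`) as the other tables do would be clearer, assuming the count is what is wanted.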
+++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 IOC Hit", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IOC Hit\",\"field\":\"carbon_black_cloud.alert.ioc.hit\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 IOC Hit\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..dd5f86134d --- /dev/null 
+++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Watchlist Hit", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Watchlist Hit\",\"field\":\"carbon_black_cloud.alert.watchlists.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\
":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Watchlist Hit\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..60669ee962 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Threat Cause Reputation", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Cause Reputation\",\"field\":\"carbon_black_cloud.alert.threat_cause.reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"po
sition\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Threat Cause Reputation\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..19ad6bf381 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Threat Indicators Process Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Indicators Process Name\",\"field\":\"carbon_black_cloud.alert.threat_indicators.process_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Threat Indicators Process Name\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..7992c14128 --- /dev/null 
+++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Devices", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Name\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Devices\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..ebcc102bf4 --- /dev/null 
+++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Run State", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Run State\",\"field\":\"carbon_black_cloud.alert.run_state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Run State\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..bf3592d08f --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Blocked Threat Category", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Blocked Threat Category\",\"field\":\"carbon_black_cloud.alert.blocked_threat_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"po
sition\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Blocked Threat Category\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..1025e00226 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Sensor Action", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sensor Action\",\"field\":\"carbon_black_cloud.alert.sensor_action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":
{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Sensor Action\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..c4ce665f33 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Device Username", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Username\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Device Username\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..7db345ec9b --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Audit Logs by Flag Status", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Flagged\",\"field\":\"carbon_black_cloud.audit.flagged\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Audit Logs by Flag Status\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..37864260d1 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Effective reputation of the loaded modules", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Effective Reputation of Loaded Modules\",\"field\":\"carbon_black_cloud.endpoint_event.modload.effective_reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Effective reputation of the loaded modules\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..cf20544145 --- /dev/null 
+++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Child Process Publisher Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Child Process Publisher Name\",\"field\":\"carbon_black_cloud.endpoint_event.childproc.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":8},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Child Process Publisher Name\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..dd2d0ee97a --- /dev/null 
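Review bot: The terms aggregation in this visState is configured with `\"size\":8`, while both the saved-object title and the aggregation's customLabel announce "Top 10 Child Process Publisher Name", so the table will show at most eight publishers. Every other "Top 10" table in this change uses `\"size\":10`, so this looks like a leftover from editing in the Kibana UI rather than an intentional choice. Either change the aggregation to `\"size\":10` to match the title, or retitle the object to reflect eight rows.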
+++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Process Usernames", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Username\",\"field\":\"carbon_black_cloud.watchlist_hit.process.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Usernames\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..bb4fb20b4b --- /dev/null 
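Review bot: The KQL filter in searchSourceJSON is written as `data_stream.dataset: \"carbon_black_cloud.watchlist_hit\"` (no space before the colon), whereas the sibling visualizations in this package use `data_stream.dataset : \"…\"`. The two forms are equivalent in KQL, so this is a style point only, but the inconsistency makes a future grep or scripted rewrite of the dataset filter across the package error-prone. The same variant appears in the "Top 10 Parent Process Usernames" object; aligning both to the spaced form used everywhere else keeps the saved objects uniform.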
+++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Device Names", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Name\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Device Names\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..3a76cb6cae --- /dev/null 
+++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Endpoint Events by Sensor Actions", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sensor Action\",\"field\":\"carbon_black_cloud.endpoint_event.sensor_action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale
\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Endpoint Events by Sensor Actions\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..29d985b4d8 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Watchlist Hit by Report Tags", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Watchlist Hit by Report Tag\",\"field\":\"carbon_black_cloud.watchlist_hit.report.tags\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\
"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Report Tags\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..50933d86cc --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Not Blocked Threat Category", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Not Blocked Threat Category\",\"field\":\"carbon_black_cloud.alert.not_blocked_threat_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftA
xis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Not Blocked Threat Category\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..bf02f82c2e --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Policy Names", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Name\",\"field\":\"carbon_black_cloud.alert.policy.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Policy Names\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..bfebab9f24 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Reason Codes", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Reason Codes\",\"field\":\"carbon_black_cloud.alert.reason_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Reason Codes\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..85bf297c56 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Parent Process Usernames", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Username\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Usernames\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..2ad0964cbb --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Request URLs", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"URL\",\"field\":\"url.original\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Request URLs\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..cb945df49b --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Kill Chain Status", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Kill Chain Status\",\"field\":\"carbon_black_cloud.alert.kill_chain_status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\
",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Kill Chain Status\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..fc1c6812f0 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Process Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Name\",\"field\":\"process.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\
":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Process Name\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..3c04444ca9 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Device External IP", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device External IP\",\"field\":\"carbon_black_cloud.endpoint_event.device.external_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Device External IP\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..a79db35e93 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Alert Type", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert Type\",\"field\":\"carbon_black_cloud.alert.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Alert Type\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-f75eabb0-8d8b-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-f75eabb0-8d8b-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..d3f393c0d5 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-f75eabb0-8d8b-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Threat Cause Actor Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Cause Actor Name\",\"field\":\"carbon_black_cloud.alert.threat_cause.actor.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"po
sition\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Threat Cause Actor Name\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-f75eabb0-8d8b-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..84fedf340e --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Process Username", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Username\",\"field\":\"carbon_black_cloud.endpoint_event.process.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Username\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..1c30c4f320 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Policy Applied", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Applied\",\"field\":\"carbon_black_cloud.alert.policy.applied\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Policy Applied\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..4a17555983 --- /dev/null +++ b/packages/carbon_black_cloud/0.1.0/kibana/visualization/carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Target Value", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target Value\",\"field\":\"carbon_black_cloud.alert.target_value\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Target Value\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/0.1.0/manifest.yml b/packages/carbon_black_cloud/0.1.0/manifest.yml new file mode 100755 index 0000000000..1aa7fd9804 --- /dev/null 
+++ b/packages/carbon_black_cloud/0.1.0/manifest.yml 
@@ -0,0 +1,136 @@
+format_version: 1.0.0
+name: carbon_black_cloud
+title: Carbon Black Cloud
+version: 0.1.0
+license: basic
+description: This Elastic integration collects logs from Carbon Black Cloud
+type: integration
+categories:
+ - security
+release: beta
+conditions:
+ kibana.version: ^7.17.0 || ^8.0.0
+screenshots:
+ - src: /img/carbon_black_cloud-screenshot.png
+ title: Carbon Black Cloud alert dashboard screenshot
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/carbon_black_cloud-logo.svg
+ title: Carbon Black Cloud logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: carbon_black_cloud
+ title: Carbon Black Cloud
+ description: Collect Logs from Carbon Black Cloud
+ inputs:
+ - type: httpjson
+ title: Collect Carbon Black Cloud logs via API
+ description: Collect Carbon Black Cloud logs via API
+ vars:
+ - name: hostname
+ type: text
+ title: Hostname
+ description: Carbon Black Cloud console Hostname. Find hostname in the console dashboard at the beginning of the web address (Add https:// before the hostname).
+ required: true
+ - name: org_key
+ type: text
+ title: Organization Key
+ description: Organization Key.
+ required: true
+ - name: custom_api_id
+ type: text
+ title: Custom API ID
+ description: API ID with Custom Access Level type.
+ required: true
+ - name: custom_api_secret_key
+ type: password
+ title: Custom API Secret Key
+ description: API Secret Key with Custom Access Level type
+ required: true
+ - name: api_id
+ type: text
+ title: API ID
+ description: API ID with API Access Level type.
+ required: true
+ - name: api_secret_key
+ type: password
+ title: API Secret Key
+ description: API Secret Key with API Access Level type
+ required: true
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+ - type: aws-s3
+ title: Collect Carbon Black Cloud logs via AWS S3
+ description: Collect Carbon Black Cloud logs via AWS S3
+ vars:
+ - name: bucket_arn
+ type: text
+ title: Bucket ARN
+ multi: false
+ required: true
+ show_user: true
+ - name: access_key_id
+ type: password
+ title: Access Key ID
+ multi: false
+ required: true
+ show_user: true
+ - name: secret_access_key
+ type: password
+ title: Secret Access Key
+ multi: false
+ required: true
+ show_user: true
+ - name: number_of_workers
+ type: integer
+ title: Number of Workers
+ multi: false
+
required: false
+ show_user: false
+ default: 5
+ description: Number of workers that will process the S3 objects listed.
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/checkpoint/1.3.5/changelog.yml b/packages/checkpoint/1.3.5/changelog.yml
new file mode 100755
index 0000000000..241789fb63
--- /dev/null
+++ b/packages/checkpoint/1.3.5/changelog.yml
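Review bot: The httpjson input declares both credential pairs, `custom_api_id`/`custom_api_secret_key` (Custom Access Level) and `api_id`/`api_secret_key` (API Access Level), as `required: true`, so a user who holds only one key type cannot save the policy; if each pair serves a different endpoint the descriptions should say which data stream needs which, otherwise the pair that is not consumed should become `required: false`. The `proxy_url` description on both the httpjson and aws-s3 inputs reads `http[s]://:@:` with the placeholder names missing; this may be a rendering artifact, but if it is in the file it should read `http[s]://<user>:<password>@<proxy_host>:<proxy_port>`. The `hostname` description asks the user to prepend `https://`, which a plain `text` var cannot enforce, so a sentence such as `A value without the scheme presumably yields an invalid request URL; e.g. https://defense.conferdeploy.net` would save support time.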
@@ -0,0 +1,106 @@
+# newer versions go on top
+- version: "1.3.5"
+ changes:
+ - description: Added link to check point documentation.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2926
+- version: "1.3.4"
+ changes:
+ - description: Change mapping type of checkpoint.source_object to keyword from integer.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2951
+- version: "1.3.3"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.3.2"
+ changes:
+ - description: Fix field mapping conflicts for `checkpoint.icmp_type`, `checkpoint.icmp_code` & `checkpoint.email_recipients_num`
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2895
+- version: "1.3.1"
+ changes:
+ - description: Add Ingest Pipeline script to map IANA Protocol Numbers
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2470
+- version: "1.3.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2387
+- version: "1.2.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "1.2.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.2.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2231
+- version: "1.1.2"
+ changes:
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1951
+- version: "1.1.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1803
+- version: "1.1.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1653
+- version: "1.0.0"
+ changes:
+ - description: make GA
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1605
+- version: "0.8.2"
+ changes:
+ - description: Convert to generated ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1470
+- version: '0.8.1'
+ changes:
+ - description: update to ECS 1.11.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1376
+- version: "0.8.0"
+ changes:
+ - description: Update integration description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1364
+- version: "0.7.0"
+ changes:
+ - description: Set "event.module" and "event.dataset"
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1256
+- version: "0.6.0"
+ changes:
+ - description: update to ECS 1.10.0 and syncing module changes
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1033
+- version: "0.5.2"
+ changes:
+ - description: update to ECS 1.9.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/839
+- version: "0.5.1"
+ changes:
+ - description: Change kibana.version constraint to be more conservative.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/749
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/220
diff --git a/packages/checkpoint/1.3.5/data_stream/firewall/agent/stream/log.yml.hbs b/packages/checkpoint/1.3.5/data_stream/firewall/agent/stream/log.yml.hbs
new file mode 100755
index 0000000000..24ecbba6d7
--- /dev/null
+++ b/packages/checkpoint/1.3.5/data_stream/firewall/agent/stream/log.yml.hbs
@@ -0,0 +1,38 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
+{{#if internal_zones.length}}
+- add_fields:
+ target: _temp_
+ fields:
+ internal_zones:
+ {{#each internal_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
+{{#if external_zones.length}}
+- add_fields:
+ target: _temp_
+ fields:
+ external_zones:
+ {{#each external_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
diff --git a/packages/checkpoint/1.3.5/data_stream/firewall/agent/stream/tcp.yml.hbs b/packages/checkpoint/1.3.5/data_stream/firewall/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..9ccc9d6fc3
--- /dev/null
+++ b/packages/checkpoint/1.3.5/data_stream/firewall/agent/stream/tcp.yml.hbs
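Review bot: Every `#each` block in log.yml.hbs declares an index block-param that is never used (`|path i|`, `|tag i|`, `|zone i|`), which reads as leftover scaffolding; `{{#each paths as |path|}}`, and likewise for `tags`, `internal_zones` and `external_zones`, says what the loop actually consumes. The same unused `i` appears in the `tags` and zone loops of tcp.yml.hbs and udp.yml.hbs. As a point of style, `- add_locale: ~` spells null with the tilde; `- add_locale: null` is the canonical form and reads unambiguously next to the user-supplied `{{processors}}` block that follows it.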
@@ -0,0 +1,34 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
+{{#if internal_zones.length}}
+- add_fields:
+ target: _temp_
+ fields:
+ internal_zones:
+ {{#each internal_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
+{{#if external_zones.length}}
+- add_fields:
+ target: _temp_
+ fields:
+ external_zones:
+ {{#each external_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/checkpoint/1.3.5/data_stream/firewall/agent/stream/udp.yml.hbs b/packages/checkpoint/1.3.5/data_stream/firewall/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..9ccc9d6fc3
--- /dev/null
+++ b/packages/checkpoint/1.3.5/data_stream/firewall/agent/stream/udp.yml.hbs
@@ -0,0 +1,34 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
+{{#if internal_zones.length}}
+- add_fields:
+ target: _temp_
+ fields:
+ internal_zones:
+ {{#each internal_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
+{{#if external_zones.length}}
+- add_fields:
+ target: _temp_
+ fields:
+ external_zones:
+ {{#each external_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/checkpoint/1.3.5/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/checkpoint/1.3.5/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..f50e09ade7
--- /dev/null
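Review bot: The TCP stream template (first hunk on this line) is byte-identical to the UDP one (both at blob 9ccc9d6fc3) and renders only `host`, so there is no way to turn on TLS for the TCP listener: firewall audit records that the pipeline later maps into `source.user.name` and related fields will always travel in clear text between the Check Point log exporter and the agent. If the tcp input's `ssl` settings are meant to be supported, declare an `ssl` var of `type: yaml` in the firewall data stream manifest, as carbon_black_cloud's manifest.yml does earlier in this diff, and render it here with `{{#if ssl}}` / `ssl: {{ssl}}` / `{{/if}}`. If TLS is intentionally out of scope for this release, a one-line comment at the top of the template saying so would stop the next reader from assuming the omission is accidental.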
+++ b/packages/checkpoint/1.3.5/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,795 @@ +--- +description: Pipeline for parsing checkpoint firewall logs +processors: + - set: + field: ecs.version + value: '8.0.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - grok: + field: event.original + patterns: + - '%{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) + +(?:%{IPORHOST:syslog5424_host}|-) +(-|%{SYSLOG5424PRINTASCII:syslog5424_app}) + +(-|%{SYSLOG5424PRINTASCII:syslog5424_proc}) +(?::-|%{SYSLOG5424PRINTASCII:syslog5424_msgid}) + +\[%{GREEDYDATA:syslog5424_sd}\]$' + - kv: + field: syslog5424_sd + field_split: "; " + value_split: ":" + trim_key: " " + trim_value: " " + prefix: checkpoint. + strip_brackets: true + ignore_failure: true + exclude_keys: + - flags + - layer_uuid + - originsicname + - __policy_id_tag + - version + - rounded_bytes + - db_tag + - update_service + - remove: + field: + - syslog5424_sd + - syslog5424_app + - syslog5424_host + - syslog5424_msgid + - syslog5424_pri + - syslog5424_proc + - syslog5424_ver + - host + ignore_missing: true + - rename: + field: "@timestamp" + target_field: "event.created" + ignore_missing: true + - date: + field: "syslog5424_ts" + formats: ["ISO8601", "UNIX"] + if: "ctx.checkpoint?.time == null" + - append: + field: event.category + value: network + if: ctx.checkpoint?.operation != 'Log In' + - set: + field: observer.vendor + value: Checkpoint + - set: + field: observer.type + value: firewall + if: ctx.checkpoint?.type == null + - set: + field: observer.product + value: "{{checkpoint.product}}" + ignore_empty_value: true + - rename: + field: checkpoint.src + target_field: source.ip + ignore_missing: true + - rename: + field: checkpoint.client_ip + target_field: source.ip + ignore_missing: true + if: ctx.source?.ip == null + - rename: + field: checkpoint.xlatesrc + target_field: source.nat.ip + if: "ctx.checkpoint?.xlatesrc != '0.0.0.0'" + ignore_missing: true + - rename: + field: checkpoint.dst + target_field: 
destination.ip
+ ignore_missing: true
+ - rename:
+ field: checkpoint.xlatedst
+ target_field: destination.nat.ip
+ if: "ctx.checkpoint?.xlatedst != '0.0.0.0'"
+ ignore_missing: true
+ - rename:
+ field: checkpoint.uid
+ target_field: source.user.id
+ ignore_missing: true
+ - rename:
+ field: checkpoint.administrator
+ target_field: source.user.name
+ ignore_missing: true
+ - rename:
+ field: checkpoint.source_user_name
+ target_field: source.user.name
+ if: ctx.source?.user?.name == null
+ ignore_missing: true
+ - convert:
+ field: checkpoint.client_outbound_packets
+ target_field: source.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: checkpoint.server_outbound_packets
+ target_field: destination.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: checkpoint.client_outbound_bytes
+ target_field: source.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: checkpoint.sent_byte
+ target_field: source.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx.source?.bytes == null
+ - convert:
+ field: checkpoint.server_outbound_bytes
+ target_field: destination.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: checkpoint.received_bytes
+ target_field: destination.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: ctx.destination?.bytes == null
+ - convert:
+ field: checkpoint.service
+ target_field: destination.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: checkpoint.xlatedport
+ target_field: destination.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.checkpoint?.xlatedport != '0'"
+ - convert:
+ field: checkpoint.s_port
+ target_field: source.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: checkpoint.xlatesport
+ target_field: source.nat.port
+ type: long
+ ignore_failure:
true
+ ignore_missing: true
+ if: "ctx.checkpoint?.xlatesport != '0'"
+ - rename:
+ field: checkpoint.mac_source_address
+ target_field: source.mac
+ ignore_missing: true
+ - rename:
+ field: checkpoint.from
+ target_field: source.user.email
+ ignore_missing: true
+ - rename:
+ field: checkpoint.src_machine_name
+ target_field: source.domain
+ ignore_missing: true
+ - rename:
+ field: checkpoint.destination_dns_hostname
+ target_field: destination.domain
+ ignore_missing: true
+ - rename:
+ field: checkpoint.dst_machine_name
+ target_field: destination.domain
+ if: ctx.server?.domain == null
+ ignore_missing: true
+ - rename:
+ field: checkpoint.src_user_group
+ target_field: source.user.group.name
+ ignore_missing: true
+ - append:
+ field: event.category
+ value: authentication
+ if: ctx.checkpoint?.operation == 'Log In'
+ - set:
+ field: event.kind
+ value: alert
+ if: "['Prevent', 'Detect', 'Quarantine'].contains(ctx.checkpoint?.rule_action)"
+ - set:
+ field: event.kind
+ value: event
+ if: ctx.event?.kind == null
+ - set:
+ field: event.outcome
+ value: success
+ if: "['Accept', 'Allow'].contains(ctx.checkpoint?.rule_action)"
+ - append:
+ field: event.type
+ value:
+ - allowed
+ - connection
+ if: "['Accept', 'Allow'].contains(ctx.checkpoint?.rule_action)"
+ - set:
+ field: event.outcome
+ value: success
+ if: ctx.checkpoint?.audit_status == 'Success'
+ - set:
+ field: event.outcome
+ value: failure
+ if: ctx.checkpoint?.audit_status == 'Failure'
+ - set:
+ field: event.outcome
+ value: success
+ if: "['Drop', 'Reject', 'Block', 'Prevent'].contains(ctx.checkpoint?.rule_action)"
+ - append:
+ field: event.type
+ value:
+ - connection
+ - denied
+ if: "['Drop', 'Reject', 'Block', 'Prevent'].contains(ctx.checkpoint?.rule_action)"
+ - append:
+ field: event.category
+ value: malware
+ if: ctx.checkpoint?.malware_action != null
+ - append:
+ field: event.category
+ value: intrusion_detection
+ if: "['Detect', 'Prevent'].contains(ctx.checkpoint?.rule_action)"
+ -
append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: ctx.source?.ip != null
+ - append:
+ field: related.ip
+ value: "{{source.nat.ip}}"
+ if: ctx.source?.nat?.ip != null
+ - append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: ctx.destination?.ip != null
+ - append:
+ field: related.ip
+ value: "{{destination.nat.ip}}"
+ if: ctx.destination?.nat?.ip != null
+ - append:
+ field: related.hash
+ value: "{{checkpoint.file_md5}}"
+ if: ctx.checkpoint?.file_md5 != null
+ - append:
+ field: related.hash
+ value: "{{checkpoint.file_sha1}}"
+ if: ctx.checkpoint?.file_sha1 != null
+ - append:
+ field: related.hash
+ value: "{{checkpoint.file_sha256}}"
+ if: ctx.checkpoint?.file_sha256 != null
+ - rename:
+ field: checkpoint.to
+ target_field: destination.user.email
+ ignore_missing: true
+ - rename:
+ field: checkpoint.usercheck_incident_uid
+ target_field: destination.user.id
+ ignore_missing: true
+ - rename:
+ field: checkpoint.service_name
+ target_field: destination.service.name
+ ignore_missing: true
+ - rename:
+ field: checkpoint.mac_destination_address
+ target_field: destination.mac
+ ignore_missing: true
+ - rename:
+ field: checkpoint.dns_type
+ target_field: dns.question.type
+ ignore_missing: true
+ - rename:
+ field: checkpoint.domain_name
+ target_field: dns.question.name
+ ignore_missing: true
+ - rename:
+ field: checkpoint.dns_message_type
+ target_field: dns.type
+ ignore_missing: true
+ - rename:
+ field: checkpoint.tid
+ target_field: dns.id
+ ignore_missing: true
+ - rename:
+ field: checkpoint.loguid
+ target_field: event.id
+ ignore_missing: true
+ - convert:
+ field: checkpoint.sequencenum
+ target_field: event.sequence
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: checkpoint.severity
+ target_field: event.severity
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ - rename:
+ field: checkpoint.action
+ target_field: event.action
+ ignore_missing: true
+ - rename:
+ field:
checkpoint.packet_capture + target_field: event.url + ignore_missing: true + - rename: + field: checkpoint.start_time + target_field: event.start + ignore_missing: true + - rename: + field: checkpoint.first_detection + target_field: event.start + ignore_missing: true + if: ctx.event?.start == null + - rename: + field: checkpoint.last_detection + target_field: event.end + ignore_missing: true + - rename: + field: checkpoint.app_risk + target_field: event.risk_score + ignore_missing: true + - rename: + field: checkpoint.file_id + target_field: file.inode + ignore_missing: true + - rename: + field: checkpoint.file_type + target_field: file.type + ignore_missing: true + - rename: + field: checkpoint.file_name + target_field: file.name + ignore_missing: true + - convert: + field: checkpoint.file_size + target_field: file.size + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: checkpoint.file_md5 + target_field: file.hash.md5 + ignore_missing: true + - rename: + field: checkpoint.file_sha1 + target_field: file.hash.sha1 + ignore_missing: true + - rename: + field: checkpoint.file_sha256 + target_field: file.hash.sha256 + ignore_missing: true + - rename: + field: checkpoint.dlp_file_name + target_field: file.name + ignore_missing: true + - rename: + field: checkpoint.user_group + target_field: group.name + ignore_missing: true + - rename: + field: checkpoint.os_version + target_field: host.os.version + ignore_missing: true + - rename: + field: checkpoint.os_name + target_field: host.os.name + ignore_missing: true + - rename: + field: checkpoint.method + target_field: http.request.method + ignore_missing: true + - rename: + field: checkpoint.referrer + target_field: http.request.referrer + ignore_missing: true + - rename: + field: checkpoint.service_id + target_field: network.application + ignore_missing: true + - rename: + field: checkpoint.ifdir + target_field: network.direction + ignore_missing: true + - rename: + field: checkpoint.bytes + 
target_field: network.bytes + ignore_missing: true + - rename: + field: checkpoint.proto + target_field: network.iana_number + ignore_missing: true + - script: + lang: painless + ignore_failure: true + if: ctx?.network?.iana_number != null + source: | + def iana_number = ctx.network.iana_number; + if (iana_number == '0') { + ctx.network.transport = 'hopopt'; + } else if (iana_number == '1') { + ctx.network.transport = 'icmp'; + } else if (iana_number == '2') { + ctx.network.transport = 'igmp'; + } else if (iana_number == '6') { + ctx.network.transport = 'tcp'; + } else if (iana_number == '8') { + ctx.network.transport = 'egp'; + } else if (iana_number == '17') { + ctx.network.transport = 'udp'; + } else if (iana_number == '47') { + ctx.network.transport = 'gre'; + } else if (iana_number == '50') { + ctx.network.transport = 'esp'; + } else if (iana_number == '58') { + ctx.network.transport = 'ipv6-icmp'; + } else if (iana_number == '112') { + ctx.network.transport = 'vrrp'; + } else if (iana_number == '132') { + ctx.network.transport = 'sctp'; + } + - rename: + field: checkpoint.packets + target_field: network.packets + ignore_missing: true + - rename: + field: checkpoint.layer_name + target_field: network.name + ignore_missing: true + - rename: + field: checkpoint.app_name + target_field: network.application + ignore_missing: true + - rename: + field: checkpoint.client_inbound_interface + target_field: observer.ingress.interface.name + ignore_missing: true + - rename: + field: checkpoint.client_outbound_interface + target_field: observer.egress.interface.name + ignore_missing: true + - rename: + field: checkpoint.ifname + target_field: observer.ingress.interface.name + ignore_missing: true + if: ctx.network?.direction == 'inbound' + - rename: + field: checkpoint.ifname + target_field: observer.egress.interface.name + ignore_missing: true + if: ctx.network?.direction == 'outbound' + - rename: + field: checkpoint.type + target_field: observer.type + ignore_missing: 
true + - rename: + field: checkpoint.origin + target_field: observer.name + ignore_missing: true + - rename: + field: checkpoint.origin_ip + target_field: observer.ip + ignore_missing: true + - rename: + field: checkpoint.endpoint_ip + target_field: observer.ip + ignore_missing: true + if: ctx.observer?.ip == null + - rename: + field: checkpoint.outzone + target_field: observer.egress.zone + ignore_missing: true + - rename: + field: checkpoint.inzone + target_field: observer.ingress.zone + ignore_missing: true + - rename: + field: checkpoint.security_outzone + target_field: observer.egress.zone + ignore_missing: true + if: ctx.observer?.egress?.zone == null + - rename: + field: checkpoint.security_inzone + target_field: observer.ingress.zone + ignore_missing: true + if: ctx.observer?.ingress?.zone == null + - rename: + field: checkpoint.update_version + target_field: observer.version + ignore_missing: true + - rename: + field: checkpoint.process_md5 + target_field: process.hash.md5 + ignore_missing: true + - rename: + field: checkpoint.process_name + target_field: process.name + ignore_missing: true + - rename: + field: checkpoint.parent_process_md5 + target_field: process.parent.hash.md5 + ignore_missing: true + - rename: + field: checkpoint.parent_process_name + target_field: process.parent.name + ignore_missing: true + - rename: + field: checkpoint.matched_category + target_field: rule.category + ignore_missing: true + - rename: + field: checkpoint.categories + target_field: rule.category + ignore_missing: true + if: ctx.rule?.category == null + - rename: + field: checkpoint.malware_action + target_field: rule.description + ignore_missing: true + - rename: + field: checkpoint.malware_rule_id + target_field: rule.id + ignore_missing: true + - rename: + field: checkpoint.app_rule_id + target_field: rule.id + ignore_missing: true + if: ctx.rule?.id == null + - rename: + field: checkpoint.objectname + target_field: rule.name + ignore_missing: true + - rename: + 
field: checkpoint.rule_name + target_field: rule.name + ignore_missing: true + if: ctx.rule?.name == null + - rename: + field: checkpoint.malware_rule_name + target_field: rule.name + ignore_missing: true + if: ctx.rule?.name == null + - rename: + field: checkpoint.app_rule_name + target_field: rule.name + ignore_missing: true + if: ctx.rule?.name == null + - rename: + field: checkpoint.dlp_rule_name + target_field: rule.name + ignore_missing: true + if: ctx.rule?.name == null + - rename: + field: checkpoint.smartdefence_profile + target_field: rule.ruleset + ignore_missing: true + - rename: + field: checkpoint.policy + target_field: rule.ruleset + ignore_missing: true + if: ctx.rule?.ruleset == null + - rename: + field: checkpoint.rule_uid + target_field: rule.uuid + ignore_missing: true + - rename: + field: checkpoint.dlp_rule_uid + target_field: rule.uuid + ignore_missing: true + if: ctx.rule?.uuid == null + - rename: + field: checkpoint.url + target_field: url.original + ignore_missing: true + - rename: + field: checkpoint.resource + target_field: url.original + ignore_missing: true + if: ctx.url?.original == null + - rename: + field: checkpoint.http_host + target_field: url.domain + ignore_missing: true + - rename: + field: checkpoint.web_client_type + target_field: user_agent.name + ignore_missing: true + - rename: + field: checkpoint.user_agent + target_field: user_agent.original + ignore_missing: true + - rename: + field: checkpoint.industry_reference + target_field: vulnerability.id + ignore_missing: true + - date: + field: "checkpoint.time" + formats: ["ISO8601", "UNIX"] + if: "ctx.checkpoint?.time != null" + - rename: + field: checkpoint.message + target_field: message + ignore_missing: true + - rename: + field: checkpoint.reason + target_field: message + ignore_missing: true + if: ctx.message == null + - rename: + field: checkpoint.subject + target_field: message + ignore_missing: true + if: ctx.message == null + - gsub: + field: checkpoint.sys_message 
+ pattern: ^:" + replacement: "" + if: ctx.checkpoint?.sys_message != null + - append: + field: related.user + value: "{{source.user.name}}" + if: ctx.source?.user?.name != null + - append: + field: related.user + value: "{{destination.user.name}}" + if: ctx.destination?.user?.name != null + - script: + lang: painless + source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" + if: ctx?.source?.bytes != null && ctx?.destination?.bytes != null && ctx?.network?.bytes == null + ignore_failure: true + - script: + lang: painless + source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" + if: ctx?.source?.packets != null && ctx?.destination?.packets != null && ctx?.network?.packets == null + ignore_failure: true + - rename: + field: checkpoint.action_reason + target_field: checkpoint.action_reason_msg + if: ctx.checkpoint?.action_reason != null && ctx.checkpoint?.action_reason.contains(" ") + ignore_missing: true + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: ctx.source?.geo == null + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: ctx.destination?.geo == null + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + # Handle zone-based network directionality + - 
set: + field: network.direction + value: inbound + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) + - set: + field: network.direction + value: outbound + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: internal + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: external + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: unknown + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ( + ( + !ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + !ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) + ) || + ( + !ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && + !ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + ) + ) + - remove: + field: + - checkpoint.client_outbound_packets 
+ - checkpoint.server_outbound_packets + - checkpoint.client_outbound_bytes + - checkpoint.sent_byte + - checkpoint.server_outbound_bytes + - checkpoint.received_bytes + - checkpoint.service + - checkpoint.xlatedport + - checkpoint.s_port + - checkpoint.xlatesport + - checkpoint.sequencenum + - checkpoint.file_size + - checkpoint.product + - checkpoint.severity + - checkpoint.xlatesrc + - checkpoint.xlatedst + - checkpoint.uid + - checkpoint.time + - syslog5424_ts + - _temp_ + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/checkpoint/1.3.5/data_stream/firewall/fields/agent.yml b/packages/checkpoint/1.3.5/data_stream/firewall/fields/agent.yml new file mode 100755 index 0000000000..79a7a39864 --- /dev/null +++ b/packages/checkpoint/1.3.5/data_stream/firewall/fields/agent.yml 
@@ -0,0 +1,180 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier."
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider."
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine."
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment."
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
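Review bot: The five trailing entries in this hunk — `cloud.project.id`, `cloud.image.id`, `host.containerized`, `host.os.build` and `host.os.codename` — are written in a different shape from the rest of the file: no `level`, and for the keyword ones no `ignore_above: 1024`, which every other keyword mapping in the hunk carries. Without `ignore_above`, an oversized value in those fields is submitted for indexing in full instead of being skipped the way its siblings are, so I would add `ignore_above: 1024` to `project.id`, `image.id`, `os.build` and `os.codename` (`containerized` is boolean and needs none). The `description: >` folded scalars on the last three entries also leave a blank `+` line after each, unlike the one-line plain descriptions used everywhere else; `description: If the host is a container.` and the two equivalents would keep the file uniform. The `such centos` typo in the `os.platform` description looks inherited from the upstream ECS text this file is copied from, so if the file is generated it is better corrected at the source than patched here.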
diff --git a/packages/checkpoint/1.3.5/data_stream/firewall/fields/base-fields.yml b/packages/checkpoint/1.3.5/data_stream/firewall/fields/base-fields.yml
new file mode 100755
index 0000000000..6bdf832a14
--- /dev/null
+++ b/packages/checkpoint/1.3.5/data_stream/firewall/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: checkpoint
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: checkpoint.firewall
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/checkpoint/1.3.5/data_stream/firewall/fields/beats.yml b/packages/checkpoint/1.3.5/data_stream/firewall/fields/beats.yml
new file mode 100755
index 0000000000..e272492dea
--- /dev/null
+++ b/packages/checkpoint/1.3.5/data_stream/firewall/fields/beats.yml
@@ -0,0 +1,15 @@
+- description: Type of Filebeat input.
+ name: input.type
+ type: keyword
+- description: Flags for the log file.
+ name: log.flags
+ type: keyword
+- description: Offset of the entry in the log file.
+ name: log.offset
+ type: long
+- description: Name of the service data is collected from.
+ name: destination.service.name
+ type: keyword
+- description: Source address of logs received over the network.
+ name: log.source.address
+ type: keyword
diff --git a/packages/checkpoint/1.3.5/data_stream/firewall/fields/ecs.yml b/packages/checkpoint/1.3.5/data_stream/firewall/fields/ecs.yml
new file mode 100755
index 0000000000..2ab1a56523
--- /dev/null
+++ b/packages/checkpoint/1.3.5/data_stream/firewall/fields/ecs.yml
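Review bot: In the beats.yml hunk, the `destination.service.name` description `Name of the service data is collected from.` does not describe what this package actually stores there: the firewall ingest pipeline in this same change renames `checkpoint.service_name` into `destination.service.name`, i.e. the service of the connection the firewall logged, not the service the log was collected from. I would reword the mapping to `description: Name of the destination service as reported in the Check Point log (checkpoint.service_name).` so the field documentation matches the pipeline. If `destination.service.name` is not among the ECS fields this package declares in ecs.yml (that hunk is cut off in my view), a short comment marking it as a Check Point-specific extension would also help the next maintainer, since `destination.*` otherwise reads as plain ECS.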
@@ -0,0 +1,493 @@ +- description: Unique container id. + name: container.id + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: destination.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: destination.geo.name + type: keyword +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. 
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Packets sent from the destination to the source. + name: destination.packets + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: User email address. + name: destination.user.email + type: keyword +- description: Unique identifier of the user. + name: destination.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + name: dns.id + type: keyword +- description: |- + The name being queried. + If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + name: dns.question.name + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + The type of DNS event captured, query or answer. + If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. 
+ If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. + name: dns.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
+ doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. + name: event.risk_score + type: float +- description: |- + Sequence number of the event. + The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. + name: event.sequence + type: long +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). 
If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + URL linking to an external system to continue investigation of this event. + This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + name: event.url + type: keyword +- description: MD5 hash. + name: file.hash.md5 + type: keyword +- description: SHA1 hash. + name: file.hash.sha1 + type: keyword +- description: SHA256 hash. + name: file.hash.sha256 + type: keyword +- description: Inode representing the file in the filesystem. + name: file.inode + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". 
+ name: file.size + type: long +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: host.os.name + type: keyword +- description: Operating system version as a raw string. + name: host.os.version + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. 
+ If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + name: network.iana_number + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: Name given by operators to sections of their network. + name: network.name + type: keyword +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: Interface name as reported by the system. 
+ name: observer.egress.interface.name + type: keyword +- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + name: observer.egress.zone + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + name: observer.ingress.zone + type: keyword +- description: IP addresses of the observer. + name: observer.ip + type: ip +- description: |- + Custom name of the observer. + This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. + If no custom name is needed, the field can be left empty. + name: observer.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: MD5 hash. + name: process.hash.md5 + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: MD5 hash. + name: process.parent.hash.md5 + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. 
+ multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: A categorization value keyword used by the entity using the rule for detection of this event. + name: rule.category + type: keyword +- description: The description of the rule generating the event. + name: rule.description + type: keyword +- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. + name: rule.id + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. + name: rule.ruleset + type: keyword +- description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. + name: rule.uuid + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. 
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: source.geo.name + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Packets sent from the source to the destination. 
+ name: source.packets + type: long +- description: Port of the source. + name: source.port + type: long +- description: User email address. + name: source.user.email + type: keyword +- description: Name of the group. + name: source.user.group.name + type: keyword +- description: Unique identifier of the user. + name: source.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Name of the user agent. + name: user_agent.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] + name: vulnerability.id + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. 
It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword diff --git a/packages/checkpoint/1.3.5/data_stream/firewall/fields/fields.yml b/packages/checkpoint/1.3.5/data_stream/firewall/fields/fields.yml new file mode 100755 index 0000000000..a389420a0c --- /dev/null +++ b/packages/checkpoint/1.3.5/data_stream/firewall/fields/fields.yml 
@@ -0,0 +1,1626 @@ +- name: checkpoint + type: group + release: beta + fields: + - name: action_reason + type: integer + description: | + Connection drop reason. + - name: action_reason_msg + type: keyword + overwrite: true + description: | + Connection drop reason message. + - name: additional_info + type: keyword + description: | + ID of original file/mail which are sent by admin. + - name: additional_ip + type: keyword + description: | + DNS host name. + - name: additional_rdata + type: keyword + description: | + List of additional resource records. + - name: alert + type: keyword + description: | + Alert level of matched rule (for connection logs). + - name: allocated_ports + type: integer + description: | + Amount of allocated ports. + - name: analyzed_on + type: keyword + description: | + Check Point ThreatCloud / emulator name. + - name: answer_rdata + type: keyword + description: | + List of answer resource records to the questioned domains. + - name: anti_virus_type + type: keyword + description: | + Anti virus type. + - name: app_desc + type: keyword + description: | + Application description. + - name: app_id + type: integer + description: | + Application ID. + - name: app_package + type: keyword + description: | + Unique identifier of the application on the protected mobile device. + - name: app_properties + type: keyword + description: | + List of all found categories. + - name: app_repackaged + type: keyword + description: | + Indicates whether the original application was repackage not by the official developer. + - name: app_sid_id + type: keyword + description: | + Unique SHA identifier of a mobile application. + - name: app_sig_id + type: keyword + description: | + IOC indicator description. + - name: app_version + type: keyword + description: | + Version of the application downloaded on the protected mobile device. + - name: appi_name + type: keyword + description: | + Name of application downloaded on the protected mobile device. 
+ - name: arrival_time + type: keyword + description: | + Email arrival timestamp. + - name: attachments_num + type: integer + description: | + Number of attachments in the mail. + - name: attack_status + type: keyword + description: | + In case of a malicious event on an endpoint computer, the status of the attack. + - name: audit_status + type: keyword + description: | + Audit Status. Can be Success or Failure. + - name: auth_method + type: keyword + description: | + Password authentication protocol used (PAP or EAP). + - name: authority_rdata + type: keyword + description: | + List of authoritative servers. + - name: authorization + type: keyword + description: | + Authorization HTTP header value. + - name: bcc + type: keyword + description: | + List of BCC addresses. + - name: blade_name + type: keyword + description: | + Blade name. + - name: broker_publisher + type: ip + description: | + IP address of the broker publisher who shared the session information. + - name: browse_time + type: keyword + description: | + Application session browse time. + - name: c_bytes + type: integer + description: | + Boolean value indicates whether bytes sent from the client side are used. + - name: calc_desc + type: keyword + description: | + Log description. + - name: capacity + type: integer + description: | + Capacity of the ports. + - name: capture_uuid + type: keyword + description: | + UUID generated for the capture. Used when enabling the capture when logging. + - name: cc + type: keyword + description: | + The Carbon Copy address of the email. + - name: certificate_resource + type: keyword + description: | + HTTPS resource Possible values: SNI or domain name (DN). + - name: certificate_validation + type: keyword + description: | + Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature. + - name: cgnet + type: keyword + description: | + Describes NAT allocation for specific subscriber. 
+ - name: chunk_type + type: keyword + description: | + Chunck of the sctp stream. + - name: client_name + type: keyword + description: | + Client Application or Software Blade that detected the event. + - name: client_type + type: keyword + description: | + Endpoint Connect. + - name: client_type_os + type: keyword + description: | + Client OS detected in the HTTP request. + - name: client_version + type: keyword + description: | + Build version of SandBlast Agent client installed on the computer. + - name: cluster_info + type: keyword + description: | + Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party. + - name: comment + type: keyword + - name: community + type: keyword + description: | + Community name for the IPSec key and the use of the IKEv. + - name: confidence_level + type: integer + description: | + Confidence level determined by ThreatCloud. + - name: conn_direction + type: keyword + description: Connection direction + - name: connection_uid + type: keyword + description: | + Calculation of md5 of the IP and user name as UID. + - name: connectivity_level + type: keyword + description: | + Log for a new connection in wire mode. + - name: conns_amount + type: integer + description: | + Connections amount of aggregated log info. + - name: content_disposition + type: keyword + description: | + Indicates how the content is expected to be displayed inline in the browser. + - name: content_length + type: keyword + description: | + Indicates the size of the entity-body of the HTTP header. + - name: content_risk + type: integer + description: | + File risk. + - name: content_type + type: keyword + description: | + Mail content type. Possible values: application/msword, text/html, image/gif etc. + - name: context_num + type: integer + description: | + Serial number of the log for a specific connection. + - name: cookieI + type: keyword + description: | + Initiator cookie. 
+ - name: cookieR + type: keyword + description: | + Responder cookie. + - name: cp_message + type: integer + description: | + Used to log a general message. + - name: cvpn_category + type: keyword + description: | + Mobile Access application type. + - name: cvpn_resource + type: keyword + description: | + Mobile Access application. + - name: data_type_name + type: keyword + description: | + Data type in rulebase that was matched. + - name: db_ver + type: keyword + description: Database version + - name: dce-rpc_interface_uuid + type: keyword + description: | + Log for new RPC state - UUID values + - name: delivery_time + type: keyword + description: | + Timestamp of when email was delivered (MTA finished handling the email. + - name: desc + type: keyword + description: | + Override application description. + - name: description + type: keyword + description: | + Additional explanation how the security gateway enforced the connection. + - name: destination_object + type: keyword + description: | + Matched object name on destination column. + - name: detected_on + type: keyword + description: | + System and applications version the file was emulated on. + - name: developer_certificate_name + type: keyword + description: | + Name of the developer's certificate that was used to sign the mobile application. + - name: diameter_app_ID + type: integer + description: | + The ID of diameter application. + - name: diameter_cmd_code + type: integer + description: | + Diameter not allowed application command id. + - name: diameter_msg_type + type: keyword + description: | + Diameter message type. + - name: dlp_action_reason + type: keyword + description: | + Action chosen reason. + - name: dlp_additional_action + type: keyword + description: | + Watermark/None. + - name: dlp_categories + type: keyword + description: | + Data type category. + - name: dlp_data_type_name + type: keyword + description: | + Matched data type. 
+ - name: dlp_data_type_uid + type: keyword + description: | + Unique ID of the matched data type. + - name: dlp_fingerprint_files_number + type: integer + description: | + Number of successfully scanned files in repository. + - name: dlp_fingerprint_long_status + type: keyword + description: | + Scan status - long format. + - name: dlp_fingerprint_short_status + type: keyword + description: | + Scan status - short format. + - name: dlp_incident_uid + type: keyword + description: | + Unique ID of the matched rule. + - name: dlp_recipients + type: keyword + description: | + Mail recipients. + - name: dlp_related_incident_uid + type: keyword + description: | + Other ID related to this one. + - name: dlp_relevant_data_types + type: keyword + description: | + In case of Compound/Group: the inner data types that were matched. + - name: dlp_repository_directories_number + type: integer + description: | + Number of directories in repository. + - name: dlp_repository_files_number + type: integer + description: | + Number of files in repository. + - name: dlp_repository_id + type: keyword + description: | + ID of scanned repository. + - name: dlp_repository_not_scanned_directories_percentage + type: integer + description: | + Percentage of directories the Security Gateway was unable to read. + - name: dlp_repository_reached_directories_number + type: integer + description: | + Number of scanned directories in repository. + - name: dlp_repository_root_path + type: keyword + description: | + Repository path. + - name: dlp_repository_scan_progress + type: integer + description: | + Scan percentage. + - name: dlp_repository_scanned_directories_number + type: integer + description: | + Amount of directories scanned. + - name: dlp_repository_scanned_files_number + type: integer + description: | + Number of scanned files in repository. + - name: dlp_repository_scanned_total_size + type: integer + description: | + Size scanned. 
+ - name: dlp_repository_skipped_files_number + type: integer + description: | + Skipped number of files because of configuration. + - name: dlp_repository_total_size + type: integer + description: | + Repository size. + - name: dlp_repository_unreachable_directories_number + type: integer + description: | + Number of directories the Security Gateway was unable to read. + - name: dlp_rule_name + type: keyword + description: | + Matched rule name. + - name: dlp_subject + type: keyword + description: | + Mail subject. + - name: dlp_template_score + type: keyword + description: | + Template data type match score. + - name: dlp_transint + type: keyword + description: | + HTTP/SMTP/FTP. + - name: dlp_violation_description + type: keyword + description: | + Violation descriptions described in the rulebase. + - name: dlp_watermark_profile + type: keyword + description: | + Watermark which was applied. + - name: dlp_word_list + type: keyword + description: | + Phrases matched by data type. + - name: dns_query + type: keyword + description: | + DNS query. + - name: drop_reason + type: keyword + description: | + Drop reason description. + - name: dropped_file_hash + type: keyword + description: | + List of file hashes dropped from the original file. + - name: dropped_file_name + type: keyword + description: | + List of names dropped from the original file. + - name: dropped_file_type + type: keyword + description: | + List of file types dropped from the original file. + - name: dropped_file_verdict + type: keyword + description: | + List of file verdics dropped from the original file. + - name: dropped_incoming + type: integer + description: | + Number of incoming bytes dropped when using UP-limit feature. + - name: dropped_outgoing + type: integer + description: | + Number of outgoing bytes dropped when using UP-limit feature. + - name: dropped_total + type: integer + description: | + Amount of dropped packets (both incoming and outgoing). 
+ - name: drops_amount + type: integer + description: | + Amount of multicast packets dropped. + - name: dst_country + type: keyword + description: | + Destination country. + - name: dst_phone_number + type: keyword + description: | + Destination IP-Phone. + - name: dst_user_name + type: keyword + description: | + Connected user name on the destination IP. + - name: dstkeyid + type: keyword + description: | + Responder Spi ID. + - name: duplicate + type: keyword + description: | + Log marked as duplicated, when mail is split and the Security Gateway sees it twice. + - name: duration + type: keyword + description: "Scan duration. \n" + - name: elapsed + type: keyword + description: | + Time passed since start time. + - name: email_content + type: keyword + description: | + Mail contents. Possible options: attachments/links & attachments/links/text only. + - name: email_control + type: keyword + description: | + Engine name. + - name: email_control_analysis + type: keyword + description: | + Message classification, received from spam vendor engine. + - name: email_headers + type: keyword + description: | + String containing all the email headers. + - name: email_id + type: keyword + description: | + Email number in smtp connection. + - name: email_message_id + type: keyword + description: | + Email session id (uniqe ID of the mail). + - name: email_queue_id + type: keyword + description: | + Postfix email queue id. + - name: email_queue_name + type: keyword + description: | + Postfix email queue name. + - name: email_recipients_num + type: long + description: | + Amount of recipients whom the mail was sent to. + - name: email_session_id + type: keyword + description: | + Connection uuid. + - name: email_spam_category + type: keyword + description: | + Email categories. Possible values: spam/not spam/phishing. + - name: email_status + type: keyword + description: | + Describes the email's state. 
Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended + - name: email_subject + type: keyword + description: | + Original email subject. + - name: emulated_on + type: keyword + description: | + Images the files were emulated on. + - name: encryption_failure + type: keyword + description: | + Message indicating why the encryption failed. + - name: end_time + type: keyword + description: | + TCP connection end time. + - name: end_user_firewall_type + type: keyword + description: | + End user firewall type. + - name: esod_access_status + type: keyword + description: | + Access denied. + - name: esod_associated_policies + type: keyword + description: | + Associated policies. + - name: esod_noncompliance_reason + type: keyword + description: | + Non-compliance reason. + - name: esod_rule_action + type: keyword + description: | + Unknown rule action. + - name: esod_rule_name + type: keyword + description: | + Unknown rule name. + - name: esod_rule_type + type: keyword + description: | + Unknown rule type. + - name: esod_scan_status + type: keyword + description: | + Scan failed. + - name: event_count + type: long + description: | + Number of events associated with the log. + - name: expire_time + type: keyword + description: | + Connection closing time. + - name: extension_version + type: keyword + description: | + Build version of the SandBlast Agent browser extension. + - name: extracted_file_hash + type: keyword + description: | + Archive hash in case of extracted files. + - name: extracted_file_names + type: keyword + description: | + Names of extracted files in case of an archive. + - name: extracted_file_type + type: keyword + description: | + Types of extracted files in case of an archive. + - name: extracted_file_uid + type: keyword + description: | + UID of extracted files in case of an archive. + - name: extracted_file_verdict + type: keyword + description: | + Verdict of extracted files in case of an archive. 
+ - name: failure_impact + type: keyword + description: | + The impact of update service failure. + - name: failure_reason + type: keyword + description: | + MTA failure description. + - name: file_direction + type: keyword + description: | + File direction. Possible options: upload/download. + - name: file_name + type: keyword + description: | + Malicious file name. + - name: files_names + type: keyword + description: | + List of files requested by FTP. + - name: first_hit_time + type: integer + description: | + First hit time in current interval. + - name: fs-proto + type: keyword + description: | + The file share protocol used in mobile acess file share application. + - name: ftp_user + type: keyword + description: | + FTP username. + - name: fw_message + type: keyword + description: | + Used for various firewall errors. + - name: fw_subproduct + type: keyword + description: | + Can be vpn/non vpn. + - name: hide_ip + type: ip + description: | + Source IP which will be used after CGNAT. + - name: hit + type: integer + description: | + Number of hits on a rule. + - name: host_time + type: keyword + description: | + Local time on the endpoint computer. + - name: http_host + type: keyword + description: | + Domain name of the server that the HTTP request is sent to. + - name: http_location + type: keyword + description: | + Response header, indicates the URL to redirect a page to. + - name: http_server + type: keyword + description: | + Server HTTP header value, contains information about the software used by the origin server, which handles the request. + - name: https_inspection_action + type: keyword + description: | + HTTPS inspection action (Inspect/Bypass/Error). + - name: https_inspection_rule_id + type: keyword + description: | + ID of the matched rule. + - name: https_inspection_rule_name + type: keyword + description: | + Name of the matched rule. 
+ - name: https_validation + type: keyword + description: | + Precise error, describing HTTPS inspection failure. + - name: icap_more_info + type: integer + description: | + Free text for verdict. + - name: icap_server_name + type: keyword + description: | + Server name. + - name: icap_server_service + type: keyword + description: | + Service name, as given in the ICAP URI + - name: icap_service_id + type: integer + description: | + Service ID, can work with multiple servers, treated as services. + - name: icmp + type: keyword + description: | + Number of packets, received by the client. + - name: icmp_code + type: long + description: | + In case a connection is ICMP, code info will be added to the log. + - name: icmp_type + type: long + description: | + In case a connection is ICMP, type info will be added to the log. + - name: id + type: integer + description: | + Override application ID. + - name: ike + type: keyword + description: | + IKEMode (PHASE1, PHASE2, etc..). + - name: ike_ids + type: keyword + description: | + All QM ids. + - name: impacted_files + type: keyword + description: | + In case of an infection on an endpoint computer, the list of files that the malware impacted. + - name: incident_extension + type: keyword + description: | + Matched data type. + - name: indicator_description + type: keyword + description: | + IOC indicator description. + - name: indicator_name + type: keyword + description: | + IOC indicator name. + - name: indicator_reference + type: keyword + description: | + IOC indicator reference. + - name: indicator_uuid + type: keyword + description: | + IOC indicator uuid. + - name: info + type: keyword + description: | + Special log message. + - name: information + type: keyword + description: | + Policy installation status for a specific blade. + - name: inspection_category + type: keyword + description: | + Inspection category: protocol anomaly, signature etc. 
+ - name: inspection_item + type: keyword + description: | + Blade element performed inspection. + - name: inspection_profile + type: keyword + description: | + Profile which the activated protection belongs to. + - name: inspection_settings_log + type: keyword + description: | + Indicats that the log was released by inspection settings. + - name: installed_products + type: keyword + description: | + List of installed Endpoint Software Blades. + - name: int_end + type: integer + description: | + Subscriber end int which will be used for NAT. + - name: int_start + type: integer + description: | + Subscriber start int which will be used for NAT. + - name: interface_name + type: keyword + description: | + Designated interface for mirror And decrypt. + - name: internal_error + type: keyword + description: | + Internal error, for troubleshooting + - name: invalid_file_size + type: integer + description: | + File_size field is valid only if this field is set to 0. + - name: ip_option + type: integer + description: | + IP option that was dropped. + - name: isp_link + type: keyword + description: | + Name of ISP link. + - name: last_hit_time + type: integer + description: | + Last hit time in current interval. + - name: last_rematch_time + type: keyword + description: | + Connection rematched time. + - name: layer_name + type: keyword + description: | + Layer name. + - name: layer_uuid + type: keyword + description: | + Layer UUID. + - name: limit_applied + type: integer + description: | + Indicates whether the session was actually date limited. + - name: limit_requested + type: integer + description: | + Indicates whether data limit was requested for the session. + - name: link_probing_status_update + type: keyword + description: | + IP address response status. + - name: links_num + type: integer + description: | + Number of links in the mail. + - name: log_delay + type: integer + description: | + Time left before deleting template. 
+    - name: log_id
+      type: integer
+      description: |
+        Unique identity for logs.
+    - name: logid
+      type: keyword
+      description: |
+        System messages
+    - name: long_desc
+      type: keyword
+      description: |
+        More information on the process (usually describing error reason in failure).
+    - name: machine
+      type: keyword
+      description: |
+        L2TP machine which triggered the log and the log refers to it.
+    - name: malware_family
+      type: keyword
+      description: |
+        Additional information on protection.
+    - name: match_fk
+      type: integer
+      description: |
+        Rule number.
+    - name: match_id
+      type: integer
+      description: |
+        Private key of the rule
+    - name: matched_file
+      type: keyword
+      description: |
+        Unique ID of the matched data type.
+    - name: matched_file_percentage
+      type: integer
+      description: |
+        Fingerprint: match percentage of the traffic.
+    - name: matched_file_text_segments
+      type: integer
+      description: |
+        Fingerprint: number of text segments matched by this traffic.
+    - name: media_type
+      type: keyword
+      description: |
+        Media used (audio, video, etc.)
+    - name: message
+      type: keyword
+      description: |
+        ISP link has failed.
+    - name: message_info
+      type: keyword
+      description: |
+        Used for information messages, for example:NAT connection has ended.
+    - name: message_size
+      type: integer
+      description: |
+        Mail/post size.
+    - name: method
+      type: keyword
+      description: |
+        HTTP method.
+    - name: methods
+      type: keyword
+      description: |
+        IPSEc methods.
+    - name: mime_from
+      type: keyword
+      description: |
+        Sender's address.
+    - name: mime_to
+      type: keyword
+      description: |
+        List of receiver address.
+    - name: mirror_and_decrypt_type
+      type: keyword
+      description: |
+        Information about decrypt and forward. Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass).
+    - name: mitre_collection
+      type: keyword
+      description: |
+        The adversary is trying to collect data of interest to achieve his goal.
+    - name: mitre_command_and_control
+      type: keyword
+      description: |
+        The adversary is trying to communicate with compromised systems in order to control them.
+    - name: mitre_credential_access
+      type: keyword
+      description: |
+        The adversary is trying to steal account names and passwords.
+    - name: mitre_defense_evasion
+      type: keyword
+      description: |
+        The adversary is trying to avoid being detected.
+    - name: mitre_discovery
+      type: keyword
+      description: |
+        The adversary is trying to expose information about your environment.
+    - name: mitre_execution
+      type: keyword
+      description: |
+        The adversary is trying to run malicious code.
+    - name: mitre_exfiltration
+      type: keyword
+      description: |
+        The adversary is trying to steal data.
+    - name: mitre_impact
+      type: keyword
+      description: |
+        The adversary is trying to manipulate, interrupt, or destroy your systems and data.
+    - name: mitre_initial_access
+      type: keyword
+      description: |
+        The adversary is trying to break into your network.
+    - name: mitre_lateral_movement
+      type: keyword
+      description: |
+        The adversary is trying to explore your environment.
+    - name: mitre_persistence
+      type: keyword
+      description: |
+        The adversary is trying to maintain his foothold.
+    - name: mitre_privilege_escalation
+      type: keyword
+      description: |
+        The adversary is trying to gain higher-level permissions.
+    - name: monitor_reason
+      type: keyword
+      description: |
+        Aggregated logs of monitored packets.
+    - name: msgid
+      type: keyword
+      description: |
+        Message ID.
+    - name: name
+      type: keyword
+      description: |
+        Application name.
+    - name: nat46
+      type: keyword
+      description: |
+        NAT 46 status, in most cases "enabled".
+    - name: nat_addtnl_rulenum
+      type: integer
+      description: |
+        When matching 2 automatic rules , second rule match will be shown otherwise field will be 0.
+    - name: nat_exhausted_pool
+      type: keyword
+      description: |
+        4-tuple of an exhausted pool.
+    - name: nat_rulenum
+      type: integer
+      description: |
+        NAT rulebase first matched rule.
+    - name: needs_browse_time
+      type: integer
+      description: |
+        Browse time required for the connection.
+    - name: next_hop_ip
+      type: keyword
+      description: |
+        Next hop IP address.
+    - name: next_scheduled_scan_date
+      type: keyword
+      description: |
+        Next scan scheduled time according to time object.
+    - name: number_of_errors
+      type: integer
+      description: |
+        Number of files that were not scanned due to an error.
+    - name: objecttable
+      type: keyword
+      description: |
+        Table of affected objects.
+    - name: objecttype
+      type: keyword
+      description: |
+        The type of the affected object.
+    - name: observable_comment
+      type: keyword
+      description: |
+        IOC observable signature description.
+    - name: observable_id
+      type: keyword
+      description: |
+        IOC observable signature id.
+    - name: observable_name
+      type: keyword
+      description: |
+        IOC observable signature name.
+    - name: operation
+      type: keyword
+      description: |
+        Operation made by Threat Extraction.
+    - name: operation_number
+      type: keyword
+      description: |
+        The operation nuber.
+    - name: origin_sic_name
+      type: keyword
+      description: |
+        Machine SIC.
+    - name: original_queue_id
+      type: keyword
+      description: |
+        Original postfix email queue id.
+    - name: outgoing_url
+      type: keyword
+      description: |
+        URL related to this log (for HTTP).
+    - name: packet_amount
+      type: integer
+      description: |
+        Amount of packets dropped.
+    - name: packet_capture_unique_id
+      type: keyword
+      description: |
+        Identifier of the packet capture files.
+    - name: parent_file_hash
+      type: keyword
+      description: |
+        Archive's hash in case of extracted files.
+    - name: parent_file_name
+      type: keyword
+      description: |
+        Archive's name in case of extracted files.
+    - name: parent_file_uid
+      type: keyword
+      description: |
+        Archive's UID in case of extracted files.
+    - name: parent_process_username
+      type: keyword
+      description: |
+        Owner username of the parent process of the process that triggered the attack.
+    - name: parent_rule
+      type: integer
+      description: |
+        Parent rule number, in case of inline layer.
+    - name: peer_gateway
+      type: ip
+      description: |
+        Main IP of the peer Security Gateway.
+    - name: peer_ip
+      type: keyword
+      description: |
+        IP address which the client connects to.
+    - name: peer_ip_probing_status_update
+      type: keyword
+      description: |
+        IP address response status.
+    - name: performance_impact
+      type: integer
+      description: |
+        Protection performance impact.
+    - name: policy_mgmt
+      type: keyword
+      description: |
+        Name of the Management Server that manages this Security Gateway.
+    - name: policy_name
+      type: keyword
+      description: |
+        Name of the last policy that this Security Gateway fetched.
+    - name: ports_usage
+      type: integer
+      description: |
+        Percentage of allocated ports.
+    - name: ppp
+      type: keyword
+      description: |
+        Authentication status.
+    - name: precise_error
+      type: keyword
+      description: |
+        HTTP parser error.
+    - name: process_username
+      type: keyword
+      description: |
+        Owner username of the process that triggered the attack.
+    - name: properties
+      type: keyword
+      description: |
+        Application categories.
+    - name: protection_id
+      type: keyword
+      description: |
+        Protection malware id.
+    - name: protection_name
+      type: keyword
+      description: |
+        Specific signature name of the attack.
+    - name: protection_type
+      type: keyword
+      description: |
+        Type of protection used to detect the attack.
+    - name: protocol
+      type: keyword
+      description: |
+        Protocol detected on the connection.
+    - name: proxy_machine_name
+      type: integer
+      description: |
+        Machine name connected to proxy IP.
+    - name: proxy_src_ip
+      type: ip
+      description: |
+        Sender source IP (even when using proxy).
+    - name: proxy_user_dn
+      type: keyword
+      description: |
+        User distinguished name connected to proxy IP.
+    - name: proxy_user_name
+      type: keyword
+      description: |
+        User name connected to proxy IP.
+    - name: query
+      type: keyword
+      description: |
+        DNS query.
+    - name: question_rdata
+      type: keyword
+      description: |
+        List of question records domains.
+    - name: referrer
+      type: keyword
+      description: |
+        Referrer HTTP request header, previous web page address.
+    - name: referrer_parent_uid
+      type: keyword
+      description: |
+        Log UUID of the referring application.
+    - name: referrer_self_uid
+      type: keyword
+      description: |
+        UUID of the current log.
+    - name: registered_ip-phones
+      type: keyword
+      description: |
+        Registered IP-Phones.
+    - name: reject_category
+      type: keyword
+      description: |
+        Authentication failure reason.
+    - name: reject_id
+      type: keyword
+      description: |
+        A reject ID that corresponds to the one presented in the Mobile Access error page.
+    - name: rematch_info
+      type: keyword
+      description: |
+        Information sent when old connections cannot be matched during policy installation.
+    - name: remediated_files
+      type: keyword
+      description: |
+        In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer.
+    - name: reply_status
+      type: integer
+      description: |
+        ICAP reply status code, e.g. 200 or 204.
+    - name: risk
+      type: keyword
+      description: |
+        Risk level we got from the engine.
+    - name: rpc_prog
+      type: integer
+      description: |
+        Log for new RPC state - prog values.
+    - name: rule
+      type: integer
+      description: |
+        Matched rule number.
+    - name: rule_action
+      type: keyword
+      description: |
+        Action of the matched rule in the access policy.
+    - name: rulebase_id
+      type: integer
+      description: |
+        Layer number.
+    - name: scan_direction
+      type: keyword
+      description: |
+        Scan direction.
+    - name: scan_hosts_day
+      type: integer
+      description: |
+        Number of unique hosts during the last day.
+    - name: scan_hosts_hour
+      type: integer
+      description: |
+        Number of unique hosts during the last hour.
+    - name: scan_hosts_week
+      type: integer
+      description: |
+        Number of unique hosts during the last week.
+    - name: scan_id
+      type: keyword
+      description: |
+        Sequential number of scan.
+    - name: scan_mail
+      type: integer
+      description: |
+        Number of emails that were scanned by "AB malicious activity" engine.
+    - name: scan_results
+      type: keyword
+      description: |
+        "Infected"/description of a failure.
+    - name: scheme
+      type: keyword
+      description: |
+        Describes the scheme used for the log.
+    - name: scope
+      type: keyword
+      description: |
+        IP related to the attack.
+    - name: scrub_activity
+      type: keyword
+      description: |
+        The result of the extraction
+    - name: scrub_download_time
+      type: keyword
+      description: |
+        File download time from resource.
+    - name: scrub_time
+      type: keyword
+      description: |
+        Extraction process duration.
+    - name: scrub_total_time
+      type: keyword
+      description: |
+        Threat extraction total file handling time.
+    - name: scrubbed_content
+      type: keyword
+      description: |
+        Active content that was found.
+    - name: sctp_association_state
+      type: keyword
+      description: |
+        The bad state you were trying to update to.
+    - name: sctp_error
+      type: keyword
+      description: |
+        Error information, what caused sctp to fail on out_of_state.
+    - name: scv_message_info
+      type: keyword
+      description: |
+        Drop reason.
+    - name: scv_user
+      type: keyword
+      description: |
+        Username whose packets are dropped on SCV.
+    - name: securexl_message
+      type: keyword
+      description: |
+        Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop.
+    - name: session_id
+      type: keyword
+      description: |
+        Log uuid.
+    - name: session_uid
+      type: keyword
+      description: |
+        HTTP session-id.
+    - name: short_desc
+      type: keyword
+      description: |
+        Short description of the process that was executed.
+    - name: sig_id
+      type: keyword
+      description: |
+        Application's signature ID which how it was detected by.
+    - name: similar_communication
+      type: keyword
+      description: |
+        Network action found similar to the malicious file.
+    - name: similar_hashes
+      type: keyword
+      description: |
+        Hashes found similar to the malicious file.
+    - name: similar_strings
+      type: keyword
+      description: |
+        Strings found similar to the malicious file.
+    - name: similiar_iocs
+      type: keyword
+      description: |
+        Other IoCs similar to the ones found, related to the malicious file.
+    - name: sip_reason
+      type: keyword
+      description: |
+        Explains why 'source_ip' isn't allowed to redirect (handover).
+    - name: site_name
+      type: keyword
+      description: |
+        Site name.
+    - name: source_interface
+      type: keyword
+      description: |
+        External Interface name for source interface or Null if not found.
+    - name: source_object
+      type: keyword
+      description: |
+        Matched object name on source column.
+    - name: source_os
+      type: keyword
+      description: |
+        OS which generated the attack.
+    - name: special_properties
+      type: integer
+      description: |
+        If this field is set to '1' the log will not be shown (in use for monitoring scan progress).
+    - name: specific_data_type_name
+      type: keyword
+      description: |
+        Compound/Group scenario, data type that was matched.
+    - name: speed
+      type: integer
+      description: |
+        Current scan speed.
+    - name: spyware_name
+      type: keyword
+      description: |
+        Spyware name.
+    - name: spyware_type
+      type: keyword
+      description: |
+        Spyware type.
+    - name: src_country
+      type: keyword
+      description: |
+        Country name, derived from connection source IP address.
+    - name: src_phone_number
+      type: keyword
+      description: |
+        Source IP-Phone.
+    - name: src_user_dn
+      type: keyword
+      description: |
+        User distinguished name connected to source IP.
+    - name: src_user_name
+      type: keyword
+      description: |
+        User name connected to source IP
+    - name: srckeyid
+      type: keyword
+      description: |
+        Initiator Spi ID.
+    - name: status
+      type: keyword
+      description: |
+        Ok/Warning/Error.
+    - name: status_update
+      type: keyword
+      description: |
+        Last time log was updated.
+    - name: sub_policy_name
+      type: keyword
+      description: |
+        Layer name.
+    - name: sub_policy_uid
+      type: keyword
+      description: |
+        Layer uid.
+    - name: subscriber
+      type: ip
+      description: |
+        Source IP before CGNAT.
+    - name: summary
+      type: keyword
+      description: |
+        Summary message of a non-compliant DNS traffic drops or detects.
+    - name: suppressed_logs
+      type: integer
+      description: |
+        Aggregated connections for five minutes on the same source, destination and port.
+    - name: sync
+      type: keyword
+      description: |
+        Sync status and the reason (stable, at risk).
+    - name: sys_message
+      type: keyword
+      description: |
+        System messages
+    - name: tcp_end_reason
+      type: keyword
+      description: |
+        Reason for TCP connection closure.
+    - name: tcp_flags
+      type: keyword
+      description: |
+        TCP packet flags (SYN, ACK, etc.,).
+    - name: tcp_packet_out_of_state
+      type: keyword
+      description: |
+        State violation.
+    - name: tcp_state
+      type: keyword
+      description: |
+        Log reinting a tcp state change.
+    - name: te_verdict_determined_by
+      type: keyword
+      description: |
+        Emulators determined file verdict.
+    - name: ticket_id
+      type: keyword
+      description: |
+        Unique ID per file.
+    - name: tls_server_host_name
+      type: keyword
+      description: |
+        SNI/CN from encrypted TLS connection used by URLF for categorization.
+    - name: top_archive_file_name
+      type: keyword
+      description: |
+        In case of archive file: the file that was sent/received.
+    - name: total_attachments
+      type: integer
+      description: |
+        The number of attachments in an email.
+    - name: triggered_by
+      type: keyword
+      description: |
+        The name of the mechanism that triggered the Software Blade to enforce a protection.
+    - name: trusted_domain
+      type: keyword
+      description: In case of phishing event, the domain, which the attacker was impersonating.
+    - name: unique_detected_day
+      type: integer
+      description: |
+        Detected virus for a specific host during the last day.
+    - name: unique_detected_hour
+      type: integer
+      description: |
+        Detected virus for a specific host during the last hour.
+    - name: unique_detected_week
+      type: integer
+      description: |
+        Detected virus for a specific host during the last week.
+    - name: update_status
+      type: keyword
+      description: Status of database update
+    - name: url
+      type: keyword
+      description: |
+        Translated URL.
+    - name: user
+      type: keyword
+      description: |
+        Source user name.
+    - name: user_agent
+      type: keyword
+      description: |
+        String identifying requesting software user agent.
+    - name: vendor_list
+      type: keyword
+      description: |
+        The vendor name that provided the verdict for a malicious URL.
+    - name: verdict
+      type: keyword
+      description: |
+        TE engine verdict Possible values: Malicious/Benign/Error.
+    - name: via
+      type: keyword
+      description: |
+        Via header is added by proxies for tracking purposes to avoid sending reqests in loop.
+    - name: voip_attach_action_info
+      type: keyword
+      description: |
+        Attachment action Info.
+    - name: voip_attach_sz
+      type: integer
+      description: |
+        Attachment size.
+    - name: voip_call_dir
+      type: keyword
+      description: |
+        Call direction: in/out.
+    - name: voip_call_id
+      type: keyword
+      description: |
+        Call-ID.
+    - name: voip_call_state
+      type: keyword
+      description: |
+        Call state. Possible values: in/out.
+    - name: voip_call_term_time
+      type: keyword
+      description: |
+        Call termination time stamp.
+    - name: voip_config
+      type: keyword
+      description: |
+        Configuration.
+    - name: voip_duration
+      type: keyword
+      description: |
+        Call duration (seconds).
+    - name: voip_est_codec
+      type: keyword
+      description: |
+        Estimated codec.
+    - name: voip_exp
+      type: integer
+      description: |
+        Expiration.
+    - name: voip_from_user_type
+      type: keyword
+      description: |
+        Source IP-Phone type.
+    - name: voip_log_type
+      type: keyword
+      description: |
+        VoIP log types. Possible values: reject, call, registration.
+    - name: voip_media_codec
+      type: keyword
+      description: |
+        Estimated codec.
+    - name: voip_media_ipp
+      type: keyword
+      description: |
+        Media IP protocol.
+    - name: voip_media_port
+      type: keyword
+      description: |
+        Media int.
+    - name: voip_method
+      type: keyword
+      description: |
+        Registration request.
+    - name: voip_reason_info
+      type: keyword
+      description: |
+        Information.
+    - name: voip_reg_int
+      type: integer
+      description: |
+        Registration port.
+    - name: voip_reg_ipp
+      type: integer
+      description: |
+        Registration IP protocol.
+    - name: voip_reg_period
+      type: integer
+      description: |
+        Registration period.
+    - name: voip_reg_server
+      type: ip
+      description: |
+        Registrar server IP address.
+    - name: voip_reg_user_type
+      type: keyword
+      description: |
+        Registered IP-Phone type.
+    - name: voip_reject_reason
+      type: keyword
+      description: |
+        Reject reason.
+    - name: voip_to_user_type
+      type: keyword
+      description: |
+        Destination IP-Phone type.
+    - name: vpn_feature_name
+      type: keyword
+      description: |
+        L2TP /IKE / Link Selection.
+    - name: watermark
+      type: keyword
+      description: |
+        Reports whether watermark is added to the cleaned file.
+    - name: web_server_type
+      type: keyword
+      description: |
+        Web server detected in the HTTP response.
+    - name: word_list
+      type: keyword
+      description: |
+        Words matched by data type.
diff --git a/packages/checkpoint/1.3.5/data_stream/firewall/manifest.yml b/packages/checkpoint/1.3.5/data_stream/firewall/manifest.yml
new file mode 100755
index 0000000000..48cc36a98f
--- /dev/null
+++ b/packages/checkpoint/1.3.5/data_stream/firewall/manifest.yml
@@ -0,0 +1,93 @@
+type: logs
+title: Check Point firewall logs
+streams:
+  - input: udp
+    vars:
+      - name: tags
+        type: text
+        title: Tags
+        multi: true
+        required: true
+        show_user: false
+        default:
+          - forwarded
+      - name: preserve_original_event
+        required: true
+        show_user: true
+        title: Preserve original event
+        description: Preserves a raw copy of the original event, added to the field `event.original`
+        type: bool
+        multi: false
+        default: false
+      - name: processors
+        type: yaml
+        title: Processors
+        multi: false
+        required: false
+        show_user: false
+        description: >
+          Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+    template_path: udp.yml.hbs
+    title: Check Point firewall logs (syslog over UDP)
+    description: Collect Check Point firewall logs using udp input
+  - input: tcp
+    vars:
+      - name: tags
+        type: text
+        title: Tags
+        multi: true
+        required: true
+        show_user: false
+        default:
+          - forwarded
+      - name: preserve_original_event
+        required: true
+        show_user: true
+        title: Preserve original event
+        description: Preserves a raw copy of the original event, added to the field `event.original`
+        type: bool
+        multi: false
+        default: false
+      - name: processors
+        type: yaml
+        title: Processors
+        multi: false
+        required: false
+        show_user: false
+        description: >
+          Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+    template_path: tcp.yml.hbs
+    title: Check Point firewall logs (syslog over TCP)
+    description: Collect Check Point firewall logs using tcp input
+  - input: logfile
+    vars:
+      - name: tags
+        type: text
+        title: Tags
+        multi: true
+        required: true
+        show_user: false
+        default:
+          - forwarded
+      - name: preserve_original_event
+        required: true
+        show_user: true
+        title: Preserve original event
+        description: Preserves a raw copy of the original event, added to the field `event.original`
+        type: bool
+        multi: false
+        default: false
+      - name: processors
+        type: yaml
+        title: Processors
+        multi: false
+        required: false
+        show_user: false
+        description: >
+          Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+    template_path: log.yml.hbs
+    title: Check Point firewall logs (log)
+    description: Collect Check Point firewall logs using log input
diff --git a/packages/checkpoint/1.3.5/data_stream/firewall/sample_event.json b/packages/checkpoint/1.3.5/data_stream/firewall/sample_event.json
new file mode 100755
index 0000000000..bf273392bc
--- /dev/null
+++ b/packages/checkpoint/1.3.5/data_stream/firewall/sample_event.json
@@ -0,0 +1,64 @@
+{
+    "@timestamp": "2020-03-29T13:19:20.000Z",
+    "agent": {
+        "ephemeral_id": "7c0059da-6518-4067-9e8d-0f1b316dfef5",
+        "id": "ba9ee39d-37f1-433a-8800-9d424cb9dd11",
+        "name": "docker-fleet-agent",
+        "type": "filebeat",
+        "version": "8.0.0-beta1"
+    },
+    "checkpoint": {
+        "sys_message": "The eth0 interface is not protected by the anti-spoofing feature. Your network may be at risk"
+    },
+    "data_stream": {
+        "dataset": "checkpoint.firewall",
+        "namespace": "ep",
+        "type": "logs"
+    },
+    "ecs": {
+        "version": "8.0.0"
+    },
+    "elastic_agent": {
+        "id": "ba9ee39d-37f1-433a-8800-9d424cb9dd11",
+        "snapshot": false,
+        "version": "8.0.0-beta1"
+    },
+    "event": {
+        "agent_id_status": "verified",
+        "category": [
+            "network"
+        ],
+        "created": "2021-12-25T09:18:51.178Z",
+        "dataset": "checkpoint.firewall",
+        "id": "{0x5e80a059,0x0,0x6401a8c0,0x3c7878a}",
+        "ingested": "2021-12-25T09:18:52Z",
+        "kind": "event",
+        "sequence": 1,
+        "timezone": "+00:00"
+    },
+    "input": {
+        "type": "udp"
+    },
+    "log": {
+        "source": {
+            "address": "192.168.32.7:52492"
+        }
+    },
+    "network": {
+        "direction": "inbound"
+    },
+    "observer": {
+        "ingress": {
+            "interface": {
+                "name": "daemon"
+            }
+        },
+        "name": "192.168.1.100",
+        "product": "System Monitor",
+        "type": "firewall",
+        "vendor": "Checkpoint"
+    },
+    "tags": [
+        "forwarded"
+    ]
+}
\ No newline at end of file
diff --git a/packages/checkpoint/1.3.5/docs/README.md b/packages/checkpoint/1.3.5/docs/README.md
new file mode 100755
index 0000000000..883b9f0073
--- /dev/null
+++ b/packages/checkpoint/1.3.5/docs/README.md
@@ -0,0 +1,662 @@
+# Check Point Integration
+
+This integration is for [Check Point](https://sc1.checkpoint.com/documents/latest/APIs/#introduction~v1.8%20) products. It includes the
+following datasets for receiving logs:
+
+- `firewall` dataset: consists of log entries from the [Log Exporter](
+  https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323)
+  in the Syslog format.
+
+## Compatibility
+
+This module has been tested against Check Point Log Exporter on R80.X but should also work with R77.30.
+
+## Logs
+
+### Firewall
+
+Consists of log entries from the Log Exporter in the Syslog format.
+
+An example event for `firewall` looks as following:
+
+```json
+{
+    "@timestamp": "2020-03-29T13:19:20.000Z",
+    "agent": {
+        "ephemeral_id": "7c0059da-6518-4067-9e8d-0f1b316dfef5",
+        "id": "ba9ee39d-37f1-433a-8800-9d424cb9dd11",
+        "name": "docker-fleet-agent",
+        "type": "filebeat",
+        "version": "8.0.0-beta1"
+    },
+    "checkpoint": {
+        "sys_message": "The eth0 interface is not protected by the anti-spoofing feature. Your network may be at risk"
+    },
+    "data_stream": {
+        "dataset": "checkpoint.firewall",
+        "namespace": "ep",
+        "type": "logs"
+    },
+    "ecs": {
+        "version": "8.0.0"
+    },
+    "elastic_agent": {
+        "id": "ba9ee39d-37f1-433a-8800-9d424cb9dd11",
+        "snapshot": false,
+        "version": "8.0.0-beta1"
+    },
+    "event": {
+        "agent_id_status": "verified",
+        "category": [
+            "network"
+        ],
+        "created": "2021-12-25T09:18:51.178Z",
+        "dataset": "checkpoint.firewall",
+        "id": "{0x5e80a059,0x0,0x6401a8c0,0x3c7878a}",
+        "ingested": "2021-12-25T09:18:52Z",
+        "kind": "event",
+        "sequence": 1,
+        "timezone": "+00:00"
+    },
+    "input": {
+        "type": "udp"
+    },
+    "log": {
+        "source": {
+            "address": "192.168.32.7:52492"
+        }
+    },
+    "network": {
+        "direction": "inbound"
+    },
+    "observer": {
+        "ingress": {
+            "interface": {
+                "name": "daemon"
+            }
+        },
+        "name": "192.168.1.100",
+        "product": "System Monitor",
+        "type": "firewall",
+        "vendor": "Checkpoint"
+    },
+    "tags": [
+        "forwarded"
+    ]
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| checkpoint.action_reason | Connection drop reason. | integer |
+| checkpoint.action_reason_msg | Connection drop reason message. | keyword |
+| checkpoint.additional_info | ID of original file/mail which are sent by admin. | keyword |
+| checkpoint.additional_ip | DNS host name. | keyword |
+| checkpoint.additional_rdata | List of additional resource records. | keyword |
+| checkpoint.alert | Alert level of matched rule (for connection logs). | keyword |
+| checkpoint.allocated_ports | Amount of allocated ports. | integer |
+| checkpoint.analyzed_on | Check Point ThreatCloud / emulator name. | keyword |
+| checkpoint.answer_rdata | List of answer resource records to the questioned domains. | keyword |
+| checkpoint.anti_virus_type | Anti virus type. | keyword |
+| checkpoint.app_desc | Application description. | keyword |
+| checkpoint.app_id | Application ID. | integer |
+| checkpoint.app_package | Unique identifier of the application on the protected mobile device. | keyword |
+| checkpoint.app_properties | List of all found categories. | keyword |
+| checkpoint.app_repackaged | Indicates whether the original application was repackage not by the official developer. | keyword |
+| checkpoint.app_sid_id | Unique SHA identifier of a mobile application. | keyword |
+| checkpoint.app_sig_id | IOC indicator description. | keyword |
+| checkpoint.app_version | Version of the application downloaded on the protected mobile device. | keyword |
+| checkpoint.appi_name | Name of application downloaded on the protected mobile device. | keyword |
+| checkpoint.arrival_time | Email arrival timestamp. | keyword |
+| checkpoint.attachments_num | Number of attachments in the mail. | integer |
+| checkpoint.attack_status | In case of a malicious event on an endpoint computer, the status of the attack. | keyword |
+| checkpoint.audit_status | Audit Status. Can be Success or Failure. | keyword |
+| checkpoint.auth_method | Password authentication protocol used (PAP or EAP). | keyword |
+| checkpoint.authority_rdata | List of authoritative servers. | keyword |
+| checkpoint.authorization | Authorization HTTP header value. | keyword |
+| checkpoint.bcc | List of BCC addresses. | keyword |
+| checkpoint.blade_name | Blade name. | keyword |
+| checkpoint.broker_publisher | IP address of the broker publisher who shared the session information. | ip |
+| checkpoint.browse_time | Application session browse time. | keyword |
+| checkpoint.c_bytes | Boolean value indicates whether bytes sent from the client side are used. | integer |
+| checkpoint.calc_desc | Log description. | keyword |
+| checkpoint.capacity | Capacity of the ports. | integer |
+| checkpoint.capture_uuid | UUID generated for the capture. Used when enabling the capture when logging. | keyword |
+| checkpoint.cc | The Carbon Copy address of the email. | keyword |
+| checkpoint.certificate_resource | HTTPS resource Possible values: SNI or domain name (DN). | keyword |
+| checkpoint.certificate_validation | Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature. | keyword |
+| checkpoint.cgnet | Describes NAT allocation for specific subscriber. | keyword |
+| checkpoint.chunk_type | Chunck of the sctp stream. | keyword |
+| checkpoint.client_name | Client Application or Software Blade that detected the event. | keyword |
+| checkpoint.client_type | Endpoint Connect. | keyword |
+| checkpoint.client_type_os | Client OS detected in the HTTP request. | keyword |
+| checkpoint.client_version | Build version of SandBlast Agent client installed on the computer. | keyword |
+| checkpoint.cluster_info | Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party. | keyword |
+| checkpoint.comment | | keyword |
+| checkpoint.community | Community name for the IPSec key and the use of the IKEv. | keyword |
+| checkpoint.confidence_level | Confidence level determined by ThreatCloud. | integer |
+| checkpoint.conn_direction | Connection direction | keyword |
+| checkpoint.connection_uid | Calculation of md5 of the IP and user name as UID. | keyword |
+| checkpoint.connectivity_level | Log for a new connection in wire mode. | keyword |
+| checkpoint.conns_amount | Connections amount of aggregated log info. | integer |
+| checkpoint.content_disposition | Indicates how the content is expected to be displayed inline in the browser. | keyword |
+| checkpoint.content_length | Indicates the size of the entity-body of the HTTP header. | keyword |
+| checkpoint.content_risk | File risk. | integer |
+| checkpoint.content_type | Mail content type. Possible values: application/msword, text/html, image/gif etc. | keyword |
+| checkpoint.context_num | Serial number of the log for a specific connection. | integer |
+| checkpoint.cookieI | Initiator cookie. | keyword |
+| checkpoint.cookieR | Responder cookie. | keyword |
+| checkpoint.cp_message | Used to log a general message. | integer |
+| checkpoint.cvpn_category | Mobile Access application type. | keyword |
+| checkpoint.cvpn_resource | Mobile Access application. | keyword |
+| checkpoint.data_type_name | Data type in rulebase that was matched. | keyword |
+| checkpoint.db_ver | Database version | keyword |
+| checkpoint.dce-rpc_interface_uuid | Log for new RPC state - UUID values | keyword |
+| checkpoint.delivery_time | Timestamp of when email was delivered (MTA finished handling the email. | keyword |
+| checkpoint.desc | Override application description. | keyword |
+| checkpoint.description | Additional explanation how the security gateway enforced the connection. | keyword |
+| checkpoint.destination_object | Matched object name on destination column. | keyword |
+| checkpoint.detected_on | System and applications version the file was emulated on. | keyword |
+| checkpoint.developer_certificate_name | Name of the developer's certificate that was used to sign the mobile application. | keyword |
+| checkpoint.diameter_app_ID | The ID of diameter application. | integer |
+| checkpoint.diameter_cmd_code | Diameter not allowed application command id. | integer |
+| checkpoint.diameter_msg_type | Diameter message type. | keyword |
+| checkpoint.dlp_action_reason | Action chosen reason. | keyword |
+| checkpoint.dlp_additional_action | Watermark/None. | keyword |
+| checkpoint.dlp_categories | Data type category. | keyword |
+| checkpoint.dlp_data_type_name | Matched data type. | keyword |
+| checkpoint.dlp_data_type_uid | Unique ID of the matched data type. | keyword |
+| checkpoint.dlp_fingerprint_files_number | Number of successfully scanned files in repository. | integer |
+| checkpoint.dlp_fingerprint_long_status | Scan status - long format. | keyword |
+| checkpoint.dlp_fingerprint_short_status | Scan status - short format. | keyword |
+| checkpoint.dlp_incident_uid | Unique ID of the matched rule. | keyword |
+| checkpoint.dlp_recipients | Mail recipients. | keyword |
+| checkpoint.dlp_related_incident_uid | Other ID related to this one. | keyword |
+| checkpoint.dlp_relevant_data_types | In case of Compound/Group: the inner data types that were matched. | keyword |
+| checkpoint.dlp_repository_directories_number | Number of directories in repository. | integer |
+| checkpoint.dlp_repository_files_number | Number of files in repository. | integer |
+| checkpoint.dlp_repository_id | ID of scanned repository. | keyword |
+| checkpoint.dlp_repository_not_scanned_directories_percentage | Percentage of directories the Security Gateway was unable to read. | integer |
+| checkpoint.dlp_repository_reached_directories_number | Number of scanned directories in repository. | integer |
+| checkpoint.dlp_repository_root_path | Repository path. | keyword |
+| checkpoint.dlp_repository_scan_progress | Scan percentage. | integer |
+| checkpoint.dlp_repository_scanned_directories_number | Amount of directories scanned. | integer |
+| checkpoint.dlp_repository_scanned_files_number | Number of scanned files in repository. | integer |
+| checkpoint.dlp_repository_scanned_total_size | Size scanned. | integer |
+| checkpoint.dlp_repository_skipped_files_number | Skipped number of files because of configuration. | integer |
+| checkpoint.dlp_repository_total_size | Repository size. | integer |
+| checkpoint.dlp_repository_unreachable_directories_number | Number of directories the Security Gateway was unable to read. | integer |
+| checkpoint.dlp_rule_name | Matched rule name. | keyword |
+| checkpoint.dlp_subject | Mail subject. | keyword |
+| checkpoint.dlp_template_score | Template data type match score. | keyword |
+| checkpoint.dlp_transint | HTTP/SMTP/FTP. | keyword |
+| checkpoint.dlp_violation_description | Violation descriptions described in the rulebase. | keyword |
+| checkpoint.dlp_watermark_profile | Watermark which was applied. | keyword |
+| checkpoint.dlp_word_list | Phrases matched by data type. | keyword |
+| checkpoint.dns_query | DNS query. | keyword |
+| checkpoint.drop_reason | Drop reason description. | keyword |
+| checkpoint.dropped_file_hash | List of file hashes dropped from the original file. | keyword |
+| checkpoint.dropped_file_name | List of names dropped from the original file. | keyword |
+| checkpoint.dropped_file_type | List of file types dropped from the original file. | keyword |
+| checkpoint.dropped_file_verdict | List of file verdics dropped from the original file. | keyword |
+| checkpoint.dropped_incoming | Number of incoming bytes dropped when using UP-limit feature. | integer |
+| checkpoint.dropped_outgoing | Number of outgoing bytes dropped when using UP-limit feature. | integer |
+| checkpoint.dropped_total | Amount of dropped packets (both incoming and outgoing). | integer |
+| checkpoint.drops_amount | Amount of multicast packets dropped. | integer |
+| checkpoint.dst_country | Destination country. | keyword |
+| checkpoint.dst_phone_number | Destination IP-Phone. | keyword |
+| checkpoint.dst_user_name | Connected user name on the destination IP. | keyword |
+| checkpoint.dstkeyid | Responder Spi ID. | keyword |
+| checkpoint.duplicate | Log marked as duplicated, when mail is split and the Security Gateway sees it twice. | keyword |
+| checkpoint.duration | Scan duration. | keyword |
+| checkpoint.elapsed | Time passed since start time. | keyword |
+| checkpoint.email_content | Mail contents. Possible options: attachments/links & attachments/links/text only. | keyword |
+| checkpoint.email_control | Engine name. | keyword |
+| checkpoint.email_control_analysis | Message classification, received from spam vendor engine. | keyword |
+| checkpoint.email_headers | String containing all the email headers. | keyword |
+| checkpoint.email_id | Email number in smtp connection. 
| keyword | +| checkpoint.email_message_id | Email session id (uniqe ID of the mail). | keyword | +| checkpoint.email_queue_id | Postfix email queue id. | keyword | +| checkpoint.email_queue_name | Postfix email queue name. | keyword | +| checkpoint.email_recipients_num | Amount of recipients whom the mail was sent to. | long | +| checkpoint.email_session_id | Connection uuid. | keyword | +| checkpoint.email_spam_category | Email categories. Possible values: spam/not spam/phishing. | keyword | +| checkpoint.email_status | Describes the email's state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended | keyword | +| checkpoint.email_subject | Original email subject. | keyword | +| checkpoint.emulated_on | Images the files were emulated on. | keyword | +| checkpoint.encryption_failure | Message indicating why the encryption failed. | keyword | +| checkpoint.end_time | TCP connection end time. | keyword | +| checkpoint.end_user_firewall_type | End user firewall type. | keyword | +| checkpoint.esod_access_status | Access denied. | keyword | +| checkpoint.esod_associated_policies | Associated policies. | keyword | +| checkpoint.esod_noncompliance_reason | Non-compliance reason. | keyword | +| checkpoint.esod_rule_action | Unknown rule action. | keyword | +| checkpoint.esod_rule_name | Unknown rule name. | keyword | +| checkpoint.esod_rule_type | Unknown rule type. | keyword | +| checkpoint.esod_scan_status | Scan failed. | keyword | +| checkpoint.event_count | Number of events associated with the log. | long | +| checkpoint.expire_time | Connection closing time. | keyword | +| checkpoint.extension_version | Build version of the SandBlast Agent browser extension. | keyword | +| checkpoint.extracted_file_hash | Archive hash in case of extracted files. | keyword | +| checkpoint.extracted_file_names | Names of extracted files in case of an archive. 
| keyword | +| checkpoint.extracted_file_type | Types of extracted files in case of an archive. | keyword | +| checkpoint.extracted_file_uid | UID of extracted files in case of an archive. | keyword | +| checkpoint.extracted_file_verdict | Verdict of extracted files in case of an archive. | keyword | +| checkpoint.failure_impact | The impact of update service failure. | keyword | +| checkpoint.failure_reason | MTA failure description. | keyword | +| checkpoint.file_direction | File direction. Possible options: upload/download. | keyword | +| checkpoint.file_name | Malicious file name. | keyword | +| checkpoint.files_names | List of files requested by FTP. | keyword | +| checkpoint.first_hit_time | First hit time in current interval. | integer | +| checkpoint.fs-proto | The file share protocol used in mobile acess file share application. | keyword | +| checkpoint.ftp_user | FTP username. | keyword | +| checkpoint.fw_message | Used for various firewall errors. | keyword | +| checkpoint.fw_subproduct | Can be vpn/non vpn. | keyword | +| checkpoint.hide_ip | Source IP which will be used after CGNAT. | ip | +| checkpoint.hit | Number of hits on a rule. | integer | +| checkpoint.host_time | Local time on the endpoint computer. | keyword | +| checkpoint.http_host | Domain name of the server that the HTTP request is sent to. | keyword | +| checkpoint.http_location | Response header, indicates the URL to redirect a page to. | keyword | +| checkpoint.http_server | Server HTTP header value, contains information about the software used by the origin server, which handles the request. | keyword | +| checkpoint.https_inspection_action | HTTPS inspection action (Inspect/Bypass/Error). | keyword | +| checkpoint.https_inspection_rule_id | ID of the matched rule. | keyword | +| checkpoint.https_inspection_rule_name | Name of the matched rule. | keyword | +| checkpoint.https_validation | Precise error, describing HTTPS inspection failure. 
| keyword | +| checkpoint.icap_more_info | Free text for verdict. | integer | +| checkpoint.icap_server_name | Server name. | keyword | +| checkpoint.icap_server_service | Service name, as given in the ICAP URI | keyword | +| checkpoint.icap_service_id | Service ID, can work with multiple servers, treated as services. | integer | +| checkpoint.icmp | Number of packets, received by the client. | keyword | +| checkpoint.icmp_code | In case a connection is ICMP, code info will be added to the log. | long | +| checkpoint.icmp_type | In case a connection is ICMP, type info will be added to the log. | long | +| checkpoint.id | Override application ID. | integer | +| checkpoint.ike | IKEMode (PHASE1, PHASE2, etc..). | keyword | +| checkpoint.ike_ids | All QM ids. | keyword | +| checkpoint.impacted_files | In case of an infection on an endpoint computer, the list of files that the malware impacted. | keyword | +| checkpoint.incident_extension | Matched data type. | keyword | +| checkpoint.indicator_description | IOC indicator description. | keyword | +| checkpoint.indicator_name | IOC indicator name. | keyword | +| checkpoint.indicator_reference | IOC indicator reference. | keyword | +| checkpoint.indicator_uuid | IOC indicator uuid. | keyword | +| checkpoint.info | Special log message. | keyword | +| checkpoint.information | Policy installation status for a specific blade. | keyword | +| checkpoint.inspection_category | Inspection category: protocol anomaly, signature etc. | keyword | +| checkpoint.inspection_item | Blade element performed inspection. | keyword | +| checkpoint.inspection_profile | Profile which the activated protection belongs to. | keyword | +| checkpoint.inspection_settings_log | Indicats that the log was released by inspection settings. | keyword | +| checkpoint.installed_products | List of installed Endpoint Software Blades. | keyword | +| checkpoint.int_end | Subscriber end int which will be used for NAT. 
| integer | +| checkpoint.int_start | Subscriber start int which will be used for NAT. | integer | +| checkpoint.interface_name | Designated interface for mirror And decrypt. | keyword | +| checkpoint.internal_error | Internal error, for troubleshooting | keyword | +| checkpoint.invalid_file_size | File_size field is valid only if this field is set to 0. | integer | +| checkpoint.ip_option | IP option that was dropped. | integer | +| checkpoint.isp_link | Name of ISP link. | keyword | +| checkpoint.last_hit_time | Last hit time in current interval. | integer | +| checkpoint.last_rematch_time | Connection rematched time. | keyword | +| checkpoint.layer_name | Layer name. | keyword | +| checkpoint.layer_uuid | Layer UUID. | keyword | +| checkpoint.limit_applied | Indicates whether the session was actually date limited. | integer | +| checkpoint.limit_requested | Indicates whether data limit was requested for the session. | integer | +| checkpoint.link_probing_status_update | IP address response status. | keyword | +| checkpoint.links_num | Number of links in the mail. | integer | +| checkpoint.log_delay | Time left before deleting template. | integer | +| checkpoint.log_id | Unique identity for logs. | integer | +| checkpoint.logid | System messages | keyword | +| checkpoint.long_desc | More information on the process (usually describing error reason in failure). | keyword | +| checkpoint.machine | L2TP machine which triggered the log and the log refers to it. | keyword | +| checkpoint.malware_family | Additional information on protection. | keyword | +| checkpoint.match_fk | Rule number. | integer | +| checkpoint.match_id | Private key of the rule | integer | +| checkpoint.matched_file | Unique ID of the matched data type. | keyword | +| checkpoint.matched_file_percentage | Fingerprint: match percentage of the traffic. | integer | +| checkpoint.matched_file_text_segments | Fingerprint: number of text segments matched by this traffic. 
| integer | +| checkpoint.media_type | Media used (audio, video, etc.) | keyword | +| checkpoint.message | ISP link has failed. | keyword | +| checkpoint.message_info | Used for information messages, for example:NAT connection has ended. | keyword | +| checkpoint.message_size | Mail/post size. | integer | +| checkpoint.method | HTTP method. | keyword | +| checkpoint.methods | IPSEc methods. | keyword | +| checkpoint.mime_from | Sender's address. | keyword | +| checkpoint.mime_to | List of receiver address. | keyword | +| checkpoint.mirror_and_decrypt_type | Information about decrypt and forward. Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass). | keyword | +| checkpoint.mitre_collection | The adversary is trying to collect data of interest to achieve his goal. | keyword | +| checkpoint.mitre_command_and_control | The adversary is trying to communicate with compromised systems in order to control them. | keyword | +| checkpoint.mitre_credential_access | The adversary is trying to steal account names and passwords. | keyword | +| checkpoint.mitre_defense_evasion | The adversary is trying to avoid being detected. | keyword | +| checkpoint.mitre_discovery | The adversary is trying to expose information about your environment. | keyword | +| checkpoint.mitre_execution | The adversary is trying to run malicious code. | keyword | +| checkpoint.mitre_exfiltration | The adversary is trying to steal data. | keyword | +| checkpoint.mitre_impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data. | keyword | +| checkpoint.mitre_initial_access | The adversary is trying to break into your network. | keyword | +| checkpoint.mitre_lateral_movement | The adversary is trying to explore your environment. | keyword | +| checkpoint.mitre_persistence | The adversary is trying to maintain his foothold. 
| keyword | +| checkpoint.mitre_privilege_escalation | The adversary is trying to gain higher-level permissions. | keyword | +| checkpoint.monitor_reason | Aggregated logs of monitored packets. | keyword | +| checkpoint.msgid | Message ID. | keyword | +| checkpoint.name | Application name. | keyword | +| checkpoint.nat46 | NAT 46 status, in most cases "enabled". | keyword | +| checkpoint.nat_addtnl_rulenum | When matching 2 automatic rules , second rule match will be shown otherwise field will be 0. | integer | +| checkpoint.nat_exhausted_pool | 4-tuple of an exhausted pool. | keyword | +| checkpoint.nat_rulenum | NAT rulebase first matched rule. | integer | +| checkpoint.needs_browse_time | Browse time required for the connection. | integer | +| checkpoint.next_hop_ip | Next hop IP address. | keyword | +| checkpoint.next_scheduled_scan_date | Next scan scheduled time according to time object. | keyword | +| checkpoint.number_of_errors | Number of files that were not scanned due to an error. | integer | +| checkpoint.objecttable | Table of affected objects. | keyword | +| checkpoint.objecttype | The type of the affected object. | keyword | +| checkpoint.observable_comment | IOC observable signature description. | keyword | +| checkpoint.observable_id | IOC observable signature id. | keyword | +| checkpoint.observable_name | IOC observable signature name. | keyword | +| checkpoint.operation | Operation made by Threat Extraction. | keyword | +| checkpoint.operation_number | The operation nuber. | keyword | +| checkpoint.origin_sic_name | Machine SIC. | keyword | +| checkpoint.original_queue_id | Original postfix email queue id. | keyword | +| checkpoint.outgoing_url | URL related to this log (for HTTP). | keyword | +| checkpoint.packet_amount | Amount of packets dropped. | integer | +| checkpoint.packet_capture_unique_id | Identifier of the packet capture files. | keyword | +| checkpoint.parent_file_hash | Archive's hash in case of extracted files. 
| keyword | +| checkpoint.parent_file_name | Archive's name in case of extracted files. | keyword | +| checkpoint.parent_file_uid | Archive's UID in case of extracted files. | keyword | +| checkpoint.parent_process_username | Owner username of the parent process of the process that triggered the attack. | keyword | +| checkpoint.parent_rule | Parent rule number, in case of inline layer. | integer | +| checkpoint.peer_gateway | Main IP of the peer Security Gateway. | ip | +| checkpoint.peer_ip | IP address which the client connects to. | keyword | +| checkpoint.peer_ip_probing_status_update | IP address response status. | keyword | +| checkpoint.performance_impact | Protection performance impact. | integer | +| checkpoint.policy_mgmt | Name of the Management Server that manages this Security Gateway. | keyword | +| checkpoint.policy_name | Name of the last policy that this Security Gateway fetched. | keyword | +| checkpoint.ports_usage | Percentage of allocated ports. | integer | +| checkpoint.ppp | Authentication status. | keyword | +| checkpoint.precise_error | HTTP parser error. | keyword | +| checkpoint.process_username | Owner username of the process that triggered the attack. | keyword | +| checkpoint.properties | Application categories. | keyword | +| checkpoint.protection_id | Protection malware id. | keyword | +| checkpoint.protection_name | Specific signature name of the attack. | keyword | +| checkpoint.protection_type | Type of protection used to detect the attack. | keyword | +| checkpoint.protocol | Protocol detected on the connection. | keyword | +| checkpoint.proxy_machine_name | Machine name connected to proxy IP. | integer | +| checkpoint.proxy_src_ip | Sender source IP (even when using proxy). | ip | +| checkpoint.proxy_user_dn | User distinguished name connected to proxy IP. | keyword | +| checkpoint.proxy_user_name | User name connected to proxy IP. | keyword | +| checkpoint.query | DNS query. 
| keyword | +| checkpoint.question_rdata | List of question records domains. | keyword | +| checkpoint.referrer | Referrer HTTP request header, previous web page address. | keyword | +| checkpoint.referrer_parent_uid | Log UUID of the referring application. | keyword | +| checkpoint.referrer_self_uid | UUID of the current log. | keyword | +| checkpoint.registered_ip-phones | Registered IP-Phones. | keyword | +| checkpoint.reject_category | Authentication failure reason. | keyword | +| checkpoint.reject_id | A reject ID that corresponds to the one presented in the Mobile Access error page. | keyword | +| checkpoint.rematch_info | Information sent when old connections cannot be matched during policy installation. | keyword | +| checkpoint.remediated_files | In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer. | keyword | +| checkpoint.reply_status | ICAP reply status code, e.g. 200 or 204. | integer | +| checkpoint.risk | Risk level we got from the engine. | keyword | +| checkpoint.rpc_prog | Log for new RPC state - prog values. | integer | +| checkpoint.rule | Matched rule number. | integer | +| checkpoint.rule_action | Action of the matched rule in the access policy. | keyword | +| checkpoint.rulebase_id | Layer number. | integer | +| checkpoint.scan_direction | Scan direction. | keyword | +| checkpoint.scan_hosts_day | Number of unique hosts during the last day. | integer | +| checkpoint.scan_hosts_hour | Number of unique hosts during the last hour. | integer | +| checkpoint.scan_hosts_week | Number of unique hosts during the last week. | integer | +| checkpoint.scan_id | Sequential number of scan. | keyword | +| checkpoint.scan_mail | Number of emails that were scanned by "AB malicious activity" engine. | integer | +| checkpoint.scan_results | "Infected"/description of a failure. | keyword | +| checkpoint.scheme | Describes the scheme used for the log. 
| keyword | +| checkpoint.scope | IP related to the attack. | keyword | +| checkpoint.scrub_activity | The result of the extraction | keyword | +| checkpoint.scrub_download_time | File download time from resource. | keyword | +| checkpoint.scrub_time | Extraction process duration. | keyword | +| checkpoint.scrub_total_time | Threat extraction total file handling time. | keyword | +| checkpoint.scrubbed_content | Active content that was found. | keyword | +| checkpoint.sctp_association_state | The bad state you were trying to update to. | keyword | +| checkpoint.sctp_error | Error information, what caused sctp to fail on out_of_state. | keyword | +| checkpoint.scv_message_info | Drop reason. | keyword | +| checkpoint.scv_user | Username whose packets are dropped on SCV. | keyword | +| checkpoint.securexl_message | Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop. | keyword | +| checkpoint.session_id | Log uuid. | keyword | +| checkpoint.session_uid | HTTP session-id. | keyword | +| checkpoint.short_desc | Short description of the process that was executed. | keyword | +| checkpoint.sig_id | Application's signature ID which how it was detected by. | keyword | +| checkpoint.similar_communication | Network action found similar to the malicious file. | keyword | +| checkpoint.similar_hashes | Hashes found similar to the malicious file. | keyword | +| checkpoint.similar_strings | Strings found similar to the malicious file. | keyword | +| checkpoint.similiar_iocs | Other IoCs similar to the ones found, related to the malicious file. | keyword | +| checkpoint.sip_reason | Explains why 'source_ip' isn't allowed to redirect (handover). | keyword | +| checkpoint.site_name | Site name. | keyword | +| checkpoint.source_interface | External Interface name for source interface or Null if not found. | keyword | +| checkpoint.source_object | Matched object name on source column. 
| keyword | +| checkpoint.source_os | OS which generated the attack. | keyword | +| checkpoint.special_properties | If this field is set to '1' the log will not be shown (in use for monitoring scan progress). | integer | +| checkpoint.specific_data_type_name | Compound/Group scenario, data type that was matched. | keyword | +| checkpoint.speed | Current scan speed. | integer | +| checkpoint.spyware_name | Spyware name. | keyword | +| checkpoint.spyware_type | Spyware type. | keyword | +| checkpoint.src_country | Country name, derived from connection source IP address. | keyword | +| checkpoint.src_phone_number | Source IP-Phone. | keyword | +| checkpoint.src_user_dn | User distinguished name connected to source IP. | keyword | +| checkpoint.src_user_name | User name connected to source IP | keyword | +| checkpoint.srckeyid | Initiator Spi ID. | keyword | +| checkpoint.status | Ok/Warning/Error. | keyword | +| checkpoint.status_update | Last time log was updated. | keyword | +| checkpoint.sub_policy_name | Layer name. | keyword | +| checkpoint.sub_policy_uid | Layer uid. | keyword | +| checkpoint.subscriber | Source IP before CGNAT. | ip | +| checkpoint.summary | Summary message of a non-compliant DNS traffic drops or detects. | keyword | +| checkpoint.suppressed_logs | Aggregated connections for five minutes on the same source, destination and port. | integer | +| checkpoint.sync | Sync status and the reason (stable, at risk). | keyword | +| checkpoint.sys_message | System messages | keyword | +| checkpoint.tcp_end_reason | Reason for TCP connection closure. | keyword | +| checkpoint.tcp_flags | TCP packet flags (SYN, ACK, etc.,). | keyword | +| checkpoint.tcp_packet_out_of_state | State violation. | keyword | +| checkpoint.tcp_state | Log reinting a tcp state change. | keyword | +| checkpoint.te_verdict_determined_by | Emulators determined file verdict. | keyword | +| checkpoint.ticket_id | Unique ID per file. 
| keyword | +| checkpoint.tls_server_host_name | SNI/CN from encrypted TLS connection used by URLF for categorization. | keyword | +| checkpoint.top_archive_file_name | In case of archive file: the file that was sent/received. | keyword | +| checkpoint.total_attachments | The number of attachments in an email. | integer | +| checkpoint.triggered_by | The name of the mechanism that triggered the Software Blade to enforce a protection. | keyword | +| checkpoint.trusted_domain | In case of phishing event, the domain, which the attacker was impersonating. | keyword | +| checkpoint.unique_detected_day | Detected virus for a specific host during the last day. | integer | +| checkpoint.unique_detected_hour | Detected virus for a specific host during the last hour. | integer | +| checkpoint.unique_detected_week | Detected virus for a specific host during the last week. | integer | +| checkpoint.update_status | Status of database update | keyword | +| checkpoint.url | Translated URL. | keyword | +| checkpoint.user | Source user name. | keyword | +| checkpoint.user_agent | String identifying requesting software user agent. | keyword | +| checkpoint.vendor_list | The vendor name that provided the verdict for a malicious URL. | keyword | +| checkpoint.verdict | TE engine verdict Possible values: Malicious/Benign/Error. | keyword | +| checkpoint.via | Via header is added by proxies for tracking purposes to avoid sending reqests in loop. | keyword | +| checkpoint.voip_attach_action_info | Attachment action Info. | keyword | +| checkpoint.voip_attach_sz | Attachment size. | integer | +| checkpoint.voip_call_dir | Call direction: in/out. | keyword | +| checkpoint.voip_call_id | Call-ID. | keyword | +| checkpoint.voip_call_state | Call state. Possible values: in/out. | keyword | +| checkpoint.voip_call_term_time | Call termination time stamp. | keyword | +| checkpoint.voip_config | Configuration. | keyword | +| checkpoint.voip_duration | Call duration (seconds). 
| keyword | +| checkpoint.voip_est_codec | Estimated codec. | keyword | +| checkpoint.voip_exp | Expiration. | integer | +| checkpoint.voip_from_user_type | Source IP-Phone type. | keyword | +| checkpoint.voip_log_type | VoIP log types. Possible values: reject, call, registration. | keyword | +| checkpoint.voip_media_codec | Estimated codec. | keyword | +| checkpoint.voip_media_ipp | Media IP protocol. | keyword | +| checkpoint.voip_media_port | Media int. | keyword | +| checkpoint.voip_method | Registration request. | keyword | +| checkpoint.voip_reason_info | Information. | keyword | +| checkpoint.voip_reg_int | Registration port. | integer | +| checkpoint.voip_reg_ipp | Registration IP protocol. | integer | +| checkpoint.voip_reg_period | Registration period. | integer | +| checkpoint.voip_reg_server | Registrar server IP address. | ip | +| checkpoint.voip_reg_user_type | Registered IP-Phone type. | keyword | +| checkpoint.voip_reject_reason | Reject reason. | keyword | +| checkpoint.voip_to_user_type | Destination IP-Phone type. | keyword | +| checkpoint.vpn_feature_name | L2TP /IKE / Link Selection. | keyword | +| checkpoint.watermark | Reports whether watermark is added to the cleaned file. | keyword | +| checkpoint.web_server_type | Web server detected in the HTTP response. | keyword | +| checkpoint.word_list | Words matched by data type. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. 
| keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. 
| keyword | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.packets | Packets sent from the destination to the source. | long | +| destination.port | Port of the destination. | long | +| destination.service.name | Name of the service data is collected from. | keyword | +| destination.user.email | User email address. | keyword | +| destination.user.id | Unique identifier of the user. | keyword | +| destination.user.name | Short name or login of the user. | keyword | +| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | +| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | +| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| dns.type | The type of DNS event captured, query or answer. 
If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | +| event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. 
| date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | +| file.hash.md5 | MD5 hash. | keyword | +| file.hash.sha1 | SHA1 hash. | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.inode | Inode representing the file in the filesystem. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.flags | Flags for the log file. 
| keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address of logs received over the network. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. 
| keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.name | Name given by operators to sections of their network. | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. 
| keyword | +| observer.version | Observer version. | keyword | +| process.hash.md5 | MD5 hash. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.hash.md5 | MD5 hash. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | +| rule.description | The description of the rule generating the event. | keyword | +| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | +| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. 
| match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. | long | +| source.user.email | User email address. | keyword | +| source.user.group.name | Name of the group. 
| keyword | +| source.user.id | Unique identifier of the user. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | +| vulnerability.id | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] | keyword | + diff --git a/packages/checkpoint/1.3.5/img/checkpoint-logo.svg b/packages/checkpoint/1.3.5/img/checkpoint-logo.svg new file mode 100755 index 0000000000..e71866e78c --- /dev/null +++ b/packages/checkpoint/1.3.5/img/checkpoint-logo.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/checkpoint/1.3.5/manifest.yml b/packages/checkpoint/1.3.5/manifest.yml new file mode 100755 index 0000000000..eda8fa7bec --- /dev/null 
+++ b/packages/checkpoint/1.3.5/manifest.yml 
@@ -0,0 +1,109 @@
+name: checkpoint
+title: Check Point
+version: 1.3.5
+release: ga
+description: Collect logs from Check Point with Elastic Agent.
+type: integration
+format_version: 1.0.0
+license: basic
+categories: [security]
+conditions:
+ kibana.version: "^7.16.0 || ^8.0.0"
+icons:
+ - src: /img/checkpoint-logo.svg
+ title: Check Point
+ size: 216x216
+ type: image/svg+xml
+policy_templates:
+ - name: checkpoint
+ title: Check Point logs
+ description: Collect logs from Check Point instances
+ inputs:
+ - type: logfile
+ title: "Collect Check Point firewall logs (input: logfile)"
+ description: "Collecting firewall logs from Check Point instances (input: logfile)"
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ - name: internal_zones
+ type: text
+ title: Internal Zones
+ multi: true
+ required: false
+ show_user: false
+ default:
+ - trust
+ - name: external_zones
+ type: text
+ title: External Zones
+ multi: true
+ required: false
+ show_user: false
+ default:
+ - untrust
+ - type: tcp
+ vars:
+ - name: syslog_host
+ type: text
+ title: Syslog Host
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Syslog Port
+ multi: false
+ required: true
+ show_user: true
+ default: 9001
+ - name: internal_zones
+ type: text
+ title: Internal Zones
+ multi: true
+ required: false
+ show_user: false
+ - name: external_zones
+ type: text
+ title: External Zones
+ multi: true
+ required: false
+ show_user: false
+ title: "Collect Check Point firewall logs (input: tcp)"
+ description: "Collecting firewall logs from Check Point instances (input: tcp)"
+ - type: udp
+ vars:
+ - name: syslog_host
+ type: text
+ title: Syslog Host
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Syslog Port
+ multi: false
+ required: true
+ show_user: true
+ default: 9001
+ - name: internal_zones
+ type: text
+ title: Internal Zones
+ multi: true
+ required: false
+ show_user: false
+ - name: external_zones
+ type: text
+ title: External Zones
+ multi: true
+ required: false
+ show_user: false
+ title: "Collect Check Point firewall logs (input: udp)"
+ description: "Collecting firewall logs from Check Point instances (input: udp)"
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/cisco_ftd/2.0.3/changelog.yml b/packages/cisco_ftd/2.0.3/changelog.yml
new file mode 100755
index 0000000000..542c1ac491
--- /dev/null
+++ b/packages/cisco_ftd/2.0.3/changelog.yml
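Review bot: The tcp and udp inputs declare `internal_zones` and `external_zones` with no defaults, while the logfile input of the same policy template defaults them to `trust` / `untrust`, so the same Check Point event can be zoned differently depending only on which transport delivered it. If the logfile defaults are intentional, repeat them under both syslog inputs (`default:` followed by `- trust`, and `- untrust` for `external_zones`), or drop them from logfile so all three behave alike. Also worth noting for users: the tcp input exposes only `syslog_host` and `syslog_port` and no TLS-related variable, so unless the stream template (outside this hunk) hard-codes it, changing `syslog_host` from the `localhost` default puts the log listener on a plaintext network port; a `description` on that variable saying so would help. The zone variables presumably feed a direction classification in the ingest pipeline (not visible here); a one-line `description` stating what they affect would let operators decide whether to set them.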
@@ -0,0 +1,61 @@
+# newer versions go on top
+- version: "2.0.3"
+ changes:
+ - description: Make fields agree with ECS
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3018
+- version: "2.0.2"
+ changes:
+ - description: Update observer to ftd and idps to better match this integration.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2551
+- version: "2.0.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "2.0.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2391
+- version: "1.2.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "1.2.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.2.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2258
+- version: "1.1.2"
+ changes:
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1954
+- version: "1.1.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1806
+- version: "1.1.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1783
+- version: "1.0.1"
+ changes:
+ - description: Adding missing ECS fields
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1731
+- version: "1.0.0"
+ changes:
+ - description: Initial version to split Cisco FTD out from the general Cisco package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1586
diff --git a/packages/cisco_ftd/2.0.3/data_stream/log/agent/stream/stream.yml.hbs b/packages/cisco_ftd/2.0.3/data_stream/log/agent/stream/stream.yml.hbs
new file mode 100755
index 0000000000..28ea4aaa98
--- /dev/null
+++ b/packages/cisco_ftd/2.0.3/data_stream/log/agent/stream/stream.yml.hbs
@@ -0,0 +1,20 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/cisco_ftd/2.0.3/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_ftd/2.0.3/data_stream/log/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..e129442a23
--- /dev/null
+++ b/packages/cisco_ftd/2.0.3/data_stream/log/agent/stream/udp.yml.hbs
@@ -0,0 +1,16 @@
+host: "{{udp_host}}:{{udp_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/cisco_ftd/2.0.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ftd/2.0.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..1a9ed3a9a8
--- /dev/null
+++ b/packages/cisco_ftd/2.0.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml
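Review bot: The `processors:` list in stream.yml.hbs is written flush (`- add_locale: ~`) while the `tags:` list above it is indented, and nothing explains that this is deliberate; the user-supplied `{{processors}}` block is spliced at column 0 immediately after `add_locale`, so presumably it must continue the same flush list, and anyone "fixing" the indentation to match `tags:` would silently split the two into a broken document. Add a Handlebars comment above the list such as `{{!-- user processors render at column 0; keep add_locale flush so both form one list --}}`. The same layout (and the missing trailing newline flagged by `\ No newline at end of file`) is repeated in udp.yml.hbs in the next hunk.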
@@ -0,0 +1,1962 @@ +--- +description: "Pipeline for Cisco FTD logs" +processors: + - rename: + field: message + target_field: event.original + ignore_missing: true + - set: + field: ecs.version + value: "8.0.0" + # + # Parse the syslog header + # + # This populates the host.hostname, process.name, timestamp and other fields + # from the header and stores the message contents in _temp_.full_message. + - grok: + field: event.original + patterns: + - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:_temp_.full_message}" + pattern_definitions: + SYSLOG_HEADER: "(?:%{SYSLOGFACILITY}\\s*)?(?:%{FTD_DATE:_temp_.raw_date}:?\\s+)?(?:%{PROCESS_HOST}|%{HOST_PROCESS})(?:{DATA})?%{SYSLOG_END}?" + SYSLOGFACILITY: "<%{NONNEGINT:syslog.facility.code:int}(?:.%{NONNEGINT:syslog.priority:int})?>" + # Beginning with version 6.3, Firepower Threat Defense provides the option to enable timestamp as per RFC 5424. + FTD_DATE: "(?:%{TIMESTAMP_ISO8601}|%{ASA_DATE})" + ASA_DATE: "(?:%{DAY} )?%{MONTH} *%{MONTHDAY}(?: %{YEAR})? %{TIME}(?: %{TZ})?" + PROCESS: "(?:[^%\\s:\\[]+)" + SYSLOG_END: "(?:(:|\\s)\\s+)" + # exactly match the syntax for firepower management logs + PROCESS_HOST: "(?:%{PROCESS:process.name}:\\s%{SYSLOGHOST:host.name})" + HOST_PROCESS: "(?:%{SYSLOGHOST:host.hostname}:?\\s+)?(?:%{PROCESS:process.name}?(?:\\[%{POSINT:process.pid:long}\\])?)?" + + # + # Parse FTD/ASA style message + # + # This parses the header of an EMBLEM-style message for FTD and ASA prefixes. + - grok: + field: _temp_.full_message + patterns: + - "%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}-)?%{NONNEGINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\\s*%{GREEDYDATA:message}" + # Before version 6.3, messages for connection, security intelligence, and intrusion events didn't include an event type ID in the message header. 
+ - "%{GREEDYDATA:message}" + pattern_definitions: + FTD_SUFFIX: "[^0-9-]+" + # Before version 6.3, FTD used ASA prefix in syslog messages + FTD_PREFIX: "%{DATA}%(?:[A-Z]+)" + + # + # Create missing fields when no %FTD label is present + # + # message_id is needed in order for some processors below to work. + - set: + field: _temp_.cisco.message_id + value: "" + if: "ctx?._temp_?.cisco?.message_id == null" + + # + # set default event.severity to 7 (debug): + # + # This value is read from the EMBLEM header and won't be present if this is not + # an emblem message (firewalls can be configured to report other kinds of events) + - set: + field: event.severity + value: 7 + if: "ctx?.event?.severity == null" + + # + # Parse the date included in FTD logs + # + - date: + if: "ctx.event?.timezone == null && ctx._temp_?.raw_date != null" + field: "_temp_.raw_date" + target_field: "@timestamp" + formats: + - "ISO8601" + - "MMM d HH:mm:ss" + - "MMM dd HH:mm:ss" + - "EEE MMM d HH:mm:ss" + - "EEE MMM dd HH:mm:ss" + - "MMM d HH:mm:ss z" + - "MMM dd HH:mm:ss z" + - "EEE MMM d HH:mm:ss z" + - "EEE MMM dd HH:mm:ss z" + - "MMM d yyyy HH:mm:ss" + - "MMM dd yyyy HH:mm:ss" + - "EEE MMM d yyyy HH:mm:ss" + - "EEE MMM dd yyyy HH:mm:ss" + - "MMM d yyyy HH:mm:ss z" + - "MMM dd yyyy HH:mm:ss z" + - "EEE MMM d yyyy HH:mm:ss z" + - "EEE MMM dd yyyy HH:mm:ss z" + on_failure: + [ + { + "append": + { + "field": "error.message", + "value": "{{ _ingest.on_failure_message }}", + }, + }, + ] + - date: + if: "ctx.event?.timezone != null && ctx._temp_?.raw_date != null" + timezone: "{{ event.timezone }}" + field: "_temp_.raw_date" + target_field: "@timestamp" + formats: + - "ISO8601" + - "MMM d HH:mm:ss" + - "MMM dd HH:mm:ss" + - "EEE MMM d HH:mm:ss" + - "EEE MMM dd HH:mm:ss" + - "MMM d HH:mm:ss z" + - "MMM dd HH:mm:ss z" + - "EEE MMM d HH:mm:ss z" + - "EEE MMM dd HH:mm:ss z" + - "MMM d yyyy HH:mm:ss" + - "MMM dd yyyy HH:mm:ss" + - "EEE MMM d yyyy HH:mm:ss" + - "EEE MMM dd yyyy HH:mm:ss" + - "MMM d yyyy 
HH:mm:ss z" + - "MMM dd yyyy HH:mm:ss z" + - "EEE MMM d yyyy HH:mm:ss z" + - "EEE MMM dd yyyy HH:mm:ss z" + on_failure: + [ + { + "append": + { + "field": "error.message", + "value": "{{ _ingest.on_failure_message }}", + }, + }, + ] + + # + # Set log.level + # + - set: + field: "log.level" + if: "ctx.event.severity == 0" + value: unknown + - set: + field: "log.level" + if: "ctx.event.severity == 1" + value: alert + - set: + field: "log.level" + if: "ctx.event.severity == 2" + value: critical + - set: + field: "log.level" + if: "ctx.event.severity == 3" + value: error + - set: + field: "log.level" + if: "ctx.event.severity == 4" + value: warning + - set: + field: "log.level" + if: "ctx.event.severity == 5" + value: notification + - set: + field: "log.level" + if: "ctx.event.severity == 6" + value: informational + - set: + field: "log.level" + if: "ctx.event.severity == 7" + value: debug + + # + # Firewall messages + # + # This set of messages is shared between FTD and ASA. + - set: + if: 'ctx._temp_.cisco.message_id != ""' + field: "event.action" + value: "firewall-rule" + - dissect: + if: "ctx._temp_.cisco.message_id == '106001'" + field: "message" + description: "106001" + pattern: "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106002'" + field: "message" + description: "106002" + pattern: "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106006'" + field: "message" + description: "106006" + pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} on interface %{_temp_.cisco.source_interface}" + - 
dissect:
+ if: "ctx._temp_.cisco.message_id == '106007'"
+ field: "message"
+ description: "106007"
+ pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '106010'"
+ field: "message"
+ description: "106010"
+ patterns:
+ - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{POSINT:source.port} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{POSINT:destination.port}(%{GREEDYDATA})?"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106013'"
+ field: "message"
+ description: "106013"
+ pattern: "Dropping echo request from %{source.address} to PAT address %{destination.address}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '106013'"
+ field: "network.transport"
+ description: "106013"
+ value: icmp
+ - set:
+ if: "ctx._temp_.cisco.message_id == '106013'"
+ field: "network.direction"
+ description: "106013"
+ value: inbound
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '106014'"
+ field: "message"
+ description: "106014"
+ patterns:
+ - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:(?[^ (]*)(%{GREEDYDATA})?"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '106015'"
+ field: "message"
+ description: "106015"
+ patterns:
+ - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106016'"
+ field: "message"
+ pattern: "%{event.outcome} IP spoof from (%{source.address}) to %{destination.address} on interface %{_temp_.cisco.source_interface}"
+ description: "106016"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106017'"
+ field: "message"
+ pattern: "%{event.outcome} IP due to Land Attack from %{source.address} to %{destination.address}"
+ description: "106017"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106018'"
+ field: "message"
+ pattern: "%{network.transport} packet type %{_temp_.cisco.icmp_type} %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}"
+ description: "106018"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106020'"
+ field: "message"
+ pattern: "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.address} to %{destination.address}"
+ description: "106020"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106021'"
+ field: "message"
+ pattern: "%{event.outcome} %{network.transport} reverse path check from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}"
+ description: "106021"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106022'"
+ field: "message"
+ pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}"
+ description: "106022"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '106023'"
+ field: "message"
+ description: "106023"
+ patterns:
+ - ^%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(%{GREEDYDATA:_temp_.cisco.source_username} )?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access.group "%{NOTSPACE:_temp_.cisco.list_id}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106027'"
+ field: "message"
+ description: "106027"
+ pattern: '%{} %{event.outcome} src %{source.address} dst %{destination.address} by access-group "%{_temp_.cisco.list_id}"'
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106100'"
+ field: "message"
+ description: "106100"
+ pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106102' || ctx._temp_.cisco.message_id == '106103'"
+ field: "message"
+ description: "106103"
+ pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{user.name} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '111004'"
+ field: "message"
+ description: "111004"
+ pattern: "%{source.address} end configuration: %{_temp_.cisco.cli_outcome}"
+ - set:
+ field: event.outcome
+ description: "111004"
+ value: "success"
+ if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'OK'"
+ - set:
+ field: event.outcome
+ description: "111004"
+ value: "failure"
+ if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'FAILED'"
+ - remove:
+ field: _temp_.cisco.cli_outcome
+ ignore_missing: true
+ - append:
+ field: event.type
+ description: "111004"
+ value: "change"
+ if: "ctx._temp_.cisco.message_id == '111004'"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '111009'"
+ description: "111009"
+ field: "message"
+ patterns:
+ - "^%{NOTSPACE} '%{NOTSPACE:server.user.name}' executed %{NOTSPACE} %{GREEDYDATA:_temp_.cisco.command_line_arguments}"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '111010'"
+ field: "message"
+ description: "111010"
+ patterns:
+ - "User '%{NOTSPACE:server.user.name}', running %{QUOTEDSTRING} from IP %{IP:source.address}, executed %{QUOTEDSTRING:_temp_.cisco.command_line_arguments}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '113019'"
+ field: "message"
+ description: "113019"
+ pattern: "Group = %{}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. Session Type: %{}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{message}"
+ - grok:
+ if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ description: "302013, 302015"
+ patterns:
+ - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port} \\(%{IP:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\\)(\\(%{NOTSPACE:_temp_.cisco.source_username}\\))? to %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \\(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\\)( \\(%{NOTSPACE:destination.user.name}\\))?%{GREEDYDATA}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '303002'"
+ field: "message"
+ description: "303002"
+ pattern: "%{network.protocol} connection from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, user %{client.user.name} %{} file %{file.path}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '302012'"
+ field: "message"
+ description: "302012"
+ pattern: "Teardown %{} %{network.transport} translation from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms}"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '302020'"
+ field: "message"
+ description: "302020"
+ patterns:
+ - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?"
+ pattern_definitions:
+ NOTCOLON: "[^:]*"
+ ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})"
+ ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})"
+ MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '302022'"
+ field: "message"
+ description: "302022"
+ pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '302023'"
+ field: "message"
+ description: "302023"
+ pattern: "Teardown stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms} forwarded bytes %{network.bytes} %{event.reason}"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '304001'"
+ field: "message"
+ description: "304001"
+ patterns:
+ - "%{IP:source.address} %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '304001'"
+ field: "event.outcome"
+ description: "304001"
+ value: success
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '304002'"
+ field: "message"
+ description: "304002"
+ pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '305011'"
+ field: "message"
+ description: "305011"
+ patterns:
+ - Built %{NOTSPACE} %{NOTSPACE:network.transport} translation from %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port}(\(%{NOTSPACE:source.user.name}\))? to %{NOTSPACE:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port}
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '313001'"
+ field: "message"
+ description: "313001"
+ pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '313004'"
+ field: "message"
+ description: "313004"
+ pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, from%{}addr %{source.address} on interface %{_temp_.cisco.source_interface} to %{destination.address}: no matching session"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '313005'"
+ field: "message"
+ description: "313005"
+ pattern: "No matching connection for %{network.transport} error message: %{} on %{_temp_.cisco.source_interface} interface.%{}riginal IP payload: %{}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '313008'"
+ field: "message"
+ description: "313008"
+ pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '313009'"
+ field: "message"
+ description: "313009"
+ pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code}, for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '322001'"
+ field: "message"
+ description: "322001"
+ pattern: "%{event.outcome} MAC address %{source.mac}, possible spoof attempt on interface %{_temp_.cisco.source_interface}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338001'"
+ field: "message"
+ description: "338001"
+ pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338001'"
+ field: "server.domain"
+ description: "338001"
+ value: "{{source.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338002'"
+ field: "message"
+ description: "338002"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338002'"
+ field: "server.domain"
+ description: "338002"
+ value: "{{destination.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338003'"
+ field: "message"
+ description: "338003"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338004'"
+ field: "message"
+ description: "338004"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338005'"
+ field: "message"
+ description: "338005"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338005'"
+ field: "server.domain"
+ description: "338005"
+ value: "{{source.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338006'"
+ field: "message"
+ description: "338006"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338006'"
+ field: "server.domain"
+ description: "338006"
+ value: "{{destination.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338007'"
+ field: "message"
+ description: "338007"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338008'"
+ field: "message"
+ description: "338008"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338101'"
+ field: "message"
+ description: "338101"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338101'"
+ field: "server.domain"
+ description: "338101"
+ value: "{{source.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338102'"
+ field: "message"
+ description: "338102"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338102'"
+ field: "server.domain"
+ description: "338102"
+ value: "{{destination.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338103'"
+ field: "message"
+ description: "338103"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338104'"
+ field: "message"
+ description: "338104"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338201'"
+ field: "message"
+ description: "338201"
+ pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338201'"
+ field: "server.domain"
+ description: "338201"
+ value: "{{source.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338202'"
+ field: "message"
+ description: "338202"
+ pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338202'"
+ field: "server.domain"
+ description: "338202"
+ value: "{{destination.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338203'"
+ field: "message"
+ description: "338203"
+ pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338203'"
+ field: "server.domain"
+ description: "338203"
+ value: "{{source.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338204'"
+ field: "message"
+ description: "338204"
+ pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338204'"
+ field: "server.domain"
+ description: "338204"
+ value: "{{destination.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338301'"
+ field: "message"
+ description: "338301"
+ pattern: "Intercepted DNS reply for domain %{source.domain} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, matched %{_temp_.cisco.list_id}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338301'"
+ field: "client.address"
+ description: "338301"
+ value: "{{destination.address}}"
+ ignore_empty_value: true
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338301'"
+ field: "client.port"
+ description: "338301"
+ value: "{{destination.port}}"
+ ignore_empty_value: true
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338301'"
+ field: "server.address"
+ description: "338301"
+ value: "{{source.address}}"
+ ignore_empty_value: true
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338301'"
+ field: "server.port"
+ description: "338301"
+ value: "{{source.port}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '502103'"
+ field: "message"
+ description: "502103"
+ pattern: "User priv level changed: Uname: %{server.user.name} From: %{_temp_.cisco.privilege.old} To: %{_temp_.cisco.privilege.new}"
+ - append:
+ if: "ctx._temp_.cisco.message_id == '502103'"
+ field: "event.type"
+ description: "502103"
+ value:
+ - "group"
+ - "change"
+ - append:
+ if: "ctx._temp_.cisco.message_id == '502103'"
+ field: "event.category"
+ description: "502103"
+ value: "iam"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '507003'"
+ field: "message"
+ description: "507003"
+ pattern: "%{network.transport} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} terminated by inspection engine, reason - %{message}"
+ - dissect:
+ if: '["605004", "605005"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ description: "605004, 605005"
+ pattern: 'Login %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{network.protocol} for user "%{source.user.name}"'
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '609001'"
+ field: "message"
+ description: "609001"
+ pattern: "Built local-host %{_temp_.cisco.source_interface}:%{source.address}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '609002'"
+ field: "message"
+ description: "609002"
+ pattern: "Teardown local-host %{_temp_.cisco.source_interface}:%{source.address} duration %{_temp_.duration_hms}"
+ - dissect:
+ if: '["611102", "611101"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ description: "611102, 611101"
+ pattern: "User authentication %{event.outcome}: IP address: %{source.address}, Uname: %{server.user.name}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '710003'"
+ field: "message"
+ description: "710003"
+ pattern: "%{network.transport} access %{event.outcome} by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '710005'"
+ field: "message"
+ description: "710005"
+ pattern: "%{network.transport} request %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '713049'"
+ field: "message"
+ description: "713049"
+ pattern: "Group = %{}, IP = %{source.address}, Security negotiation complete for LAN-to-LAN Group (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '716002'"
+ field: "message"
+ description: "716002"
+ patterns:
+ - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> WebVPN session terminated: %{GREEDYDATA:event.reason}."
+ - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} WebVPN session terminated: %{GREEDYDATA:event.reason}."
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '722051'"
+ field: "message"
+ description: "722051"
+ patterns:
+ - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> IPv4 Address <%{IP:_temp_.cisco.assigned_ip}> %{GREEDYDATA}"
+ - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} IPv4 Address %{IP:_temp_.cisco.assigned_ip} %{GREEDYDATA}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '733100'"
+ field: "message"
+ description: "733100"
+ pattern: "[%{_temp_.cisco.burst.object}] drop %{_temp_.cisco.burst.id} exceeded. Current burst rate is %{_temp_.cisco.burst.current_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_rate}; Current average rate is %{_temp_.cisco.burst.avg_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{_temp_.cisco.burst.cumulative_count}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '734001'"
+ field: "message"
+ description: "734001"
+ pattern: "DAP: User %{user.email}, Addr %{source.address}, Connection %{_temp_.cisco.connection_type}: The following DAP records were selected for this connection: %{_temp_.cisco.dap_records->}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '805001'"
+ field: "message"
+ description: "805001"
+ pattern: "Offloaded %{network.transport} for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '805002'"
+ field: "message"
+ description: "805002"
+ pattern: "%{network.transport} Flow is no longer offloaded for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})"
+ - split:
+ field: "_temp_.cisco.dap_records"
+ separator: ",\\s+"
+ ignore_missing: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '434002'"
+ field: "message"
+ pattern: "SFR requested to %{event.action} %{network.protocol} packet from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '434004'"
+ field: "message"
+ pattern: "SFR requested ASA to %{event.action} further packet redirection and process %{network.protocol} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} locally"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '110002'"
+ field: "message"
+ pattern: "%{event.reason} for %{network.protocol} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{destination.address}/%{destination.port}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '419002'"
+ field: "message"
+ pattern: "%{event.reason}from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{+event.reason}"
+ - dissect:
+ if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ pattern: "%{network.type}: An %{network.direction} %{network.inner} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}."
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '750002'"
+ field: "message"
+ pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '713120'"
+ field: "message"
+ pattern: "Group = %{}, IP = %{source.address}, %{event.reason} (msgid=%{event.id})"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '713202'"
+ field: "message"
+ pattern: "IP = %{source.address}, %{event.reason}. %{} packet."
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '750003'"
+ field: "message"
+ pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason} ERROR:%{+event.reason}"
+ - grok:
+ if: '["713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ patterns:
+ - "^(Group = %{IP}, )?(IP = %{IP:source.address}, )?%{GREEDYDATA:event.reason}$"
+ # Handle ecs action outcome protocol
+ - set:
+ if: '["434002", "434004"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "unknown"
+ - set:
+ if: '["419002"].contains(ctx._temp_.cisco.message_id)'
+ field: "network.protocol"
+ value: "tcp"
+ - set:
+ if: '["110002"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "failure"
+ - set:
+ if: '["713120"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "success"
+ - set:
+ if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "success"
+ - set:
+ if: '["713905", "713904", "713906", "713902", "713901", "710005"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "failure"
+ - set:
+ if: '["750002", "750003"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.action"
+ value: "connection-started"
+ - set:
+ if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.action"
+ value: "error"
+ - append:
+ if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.type"
+ value: "error"
+
+ #
+ # Handle 302xxx messages (Flow expiration a.k.a "Teardown")
+ #
+ - set:
+ if: '["302012", "302014", "302016", "302018", "302020", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.action"
+ value: "flow-expiration"
+ description: "302012, 302014, 302016, 302018, 302020, 302021, 302036, 302304, 302306, 609001, 609002"
+ - grok:
+ field: "message"
+ if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)'
+ description: "302014, 302016, 302018, 302021, 302036, 302304, 302306"
+ patterns:
+ - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{NOTSPACE:_temp_.cisco.termination_user}\)
+ - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator}
+ - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} \(%{NOTSPACE:_temp_.cisco.termination_user}\)
+ - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{NOTSPACE:_temp_.cisco.termination_user}\)
+ - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason}
+ - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes})
+ - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.destination_username}\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?
+ pattern_definitions:
+ NOTCOLON: "[^:]*"
+ ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})"
+ ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})"
+ MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})"
+
+ #
+ # Decode FTD's Security Event Syslog Messages
+ #
+ # 43000x messages are security event syslog messages specific to FTD.
+ # Format is a comma-separated sequence of key: value pairs.
+ #
+ # The result of this decoding is saved as _temp_.orig_security.{Key}: {Value}
+ - kv:
+ if: '["430001", "430002", "430003", "430004", "430005", ""].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ description: "430001, 430002, 430003, 430004, 430005"
+ field_split: ",(?=[A-za-z1-9\\s]+:)"
+ value_split: ":"
+ target_field: "_temp_.orig_security"
+ trim_key: " "
+ trim_value: " "
+ ignore_failure: true
+
+ #
+ # Remove _temp_.full_message.
+ #
+ # The field has been used as temporary buffer while decoding. The full message
+ # is kept under event.original. Processors below can still add a message field, as some
+ # security events contain an explanatory Message field.
+ - remove:
+ field:
+ - message
+ - _temp_.full_message
+ ignore_missing: true
+
+ #
+ # Populate ECS fields from Security Events
+ #
+ # This script uses the key-value pairs from Security Events to populate
+ # the appropriate ECS fields.
+ #
+ # A single key can be mapped to multiple ECS fields, and more than one key can
+ # map to the same ECS field, which results in an array being created.
+ #
+ # This script performs an additional job:
+ #
+ # Before FTD version 6.3, the message_id was not included in Security Events.
+ # As this field encodes the kind of event (intrusion, connection, malware...)
+ # the script below will guess the right message_id from the keys present in + # the event. + # + # The reason for overloading this script with different behaviors is + # that this pipeline is already reaching the limit on script compilations. + # + #******************************************************************************* + # Code generated by go generate. DO NOT EDIT. + #******************************************************************************* + - script: + if: ctx._temp_?.orig_security != null + params: + ACPolicy: + target: ac_policy + id: ["430001", "430002", "430003"] + ecs: [_temp_.cisco.rule_name] + AccessControlRuleAction: + target: access_control_rule_action + id: ["430002", "430003"] + ecs: [event.outcome] + AccessControlRuleName: + target: access_control_rule_name + id: ["430002", "430003"] + ecs: [_temp_.cisco.rule_name] + AccessControlRuleReason: + target: access_control_rule_reason + id: ["430002", "430003"] + ApplicationProtocol: + target: application_protocol + ecs: [network.protocol] + ArchiveDepth: + target: archive_depth + id: ["430004", "430005"] + ArchiveFileName: + target: archive_file_name + id: ["430004", "430005"] + ecs: [file.name] + ArchiveFileStatus: + target: archive_file_status + id: ["430004", "430005"] + ArchiveSHA256: + target: archive_sha256 + id: ["430004", "430005"] + ecs: [file.hash.sha256] + Classification: + target: classification + id: ["430001"] + Client: + target: client + ecs: [network.application] + ClientVersion: + target: client_version + id: ["430002", "430003"] + ConnectionDuration: + target: connection_duration + id: ["430003"] + ecs: [event.duration] + DNS_Sinkhole: + target: dns_sinkhole + id: ["430002", "430003"] + DNS_TTL: + target: dns_ttl + id: ["430002", "430003"] + DNSQuery: + target: dns_query + id: ["430002", "430003"] + ecs: [dns.question.name] + DNSRecordType: + target: dns_record_type + id: ["430002", "430003"] + ecs: [dns.question.type] + DNSResponseType: + target: dns_response_type + id: 
["430002", "430003"] + ecs: [dns.response_code] + DNSSICategory: + target: dnssi_category + id: ["430002", "430003"] + DstIP: + target: dst_ip + ecs: [destination.address] + DstPort: + target: dst_port + ecs: [destination.port] + EgressInterface: + target: egress_interface + id: ["430001", "430002", "430003"] + ecs: [_temp_.cisco.destination_interface] + EgressZone: + target: egress_zone + id: ["430001", "430002", "430003"] + Endpoint Profile: + target: endpoint_profile + id: ["430002", "430003"] + FileAction: + target: file_action + id: ["430004", "430005"] + FileCount: + target: file_count + id: ["430002", "430003"] + FileDirection: + target: file_direction + id: ["430004", "430005"] + FileName: + target: file_name + id: ["430004", "430005"] + ecs: [file.name] + FilePolicy: + target: file_policy + id: ["430004", "430005"] + ecs: [_temp_.cisco.rule_name] + FileSHA256: + target: file_sha256 + id: ["430004", "430005"] + ecs: [file.hash.sha256] + FileSandboxStatus: + target: file_sandbox_status + id: ["430004", "430005"] + FileSize: + target: file_size + id: ["430004", "430005"] + ecs: [file.size] + FileStorageStatus: + target: file_storage_status + id: ["430004", "430005"] + FileType: + target: file_type + id: ["430004", "430005"] + FirstPacketSecond: + target: first_packet_second + id: ["430004", "430005"] + ecs: [event.start] + GID: + target: gid + id: ["430001"] + ecs: [service.id] + HTTPReferer: + target: http_referer + id: ["430002", "430003"] + ecs: [http.request.referrer] + HTTPResponse: + target: http_response + id: ["430001", "430002", "430003"] + ecs: [http.response.status_code] + ICMPCode: + target: icmp_code + id: ["430001", "430002", "430003"] + ICMPType: + target: icmp_type + id: ["430001", "430002", "430003"] + IPReputationSICategory: + target: ip_reputation_si_category + id: ["430002", "430003"] + IPSCount: + target: ips_count + id: ["430002", "430003"] + IngressInterface: + target: ingress_interface + id: ["430001", "430002", "430003"] + ecs: 
[_temp_.cisco.source_interface] + IngressZone: + target: ingress_zone + id: ["430001", "430002", "430003"] + InitiatorBytes: + target: initiator_bytes + id: ["430003"] + ecs: [source.bytes] + InitiatorPackets: + target: initiator_packets + id: ["430003"] + ecs: [source.packets] + InlineResult: + target: inline_result + id: ["430001"] + ecs: [event.outcome] + IntrusionPolicy: + target: intrusion_policy + id: ["430001"] + ecs: [_temp_.cisco.rule_name] + MPLS_Label: + target: mpls_label + id: ["430001"] + Message: + target: message + id: ["430001"] + ecs: [message] + NAPPolicy: + target: nap_policy + id: ["430001", "430002", "430003"] + NetBIOSDomain: + target: net_bios_domain + id: ["430002", "430003"] + ecs: [host.hostname] + NumIOC: + target: num_ioc + id: ["430001"] + Prefilter Policy: + target: prefilter_policy + id: ["430002", "430003"] + Priority: + target: priority + id: ["430001"] + Protocol: + target: protocol + ecs: [network.transport] + ReferencedHost: + target: referenced_host + id: ["430002", "430003"] + ecs: [url.domain] + ResponderBytes: + target: responder_bytes + id: ["430003"] + ecs: [destination.bytes] + ResponderPackets: + target: responder_packets + id: ["430003"] + ecs: [destination.packets] + Revision: + target: revision + id: ["430001"] + SHA_Disposition: + target: sha_disposition + id: ["430004", "430005"] + SID: + target: sid + id: ["430001"] + SSLActualAction: + target: ssl_actual_action + ecs: [event.outcome] + SSLCertificate: + target: ssl_certificate + id: ["430002", "430003", "430004", "430005"] + SSLExpectedAction: + target: ssl_expected_action + id: ["430002", "430003"] + SSLFlowStatus: + target: ssl_flow_status + id: ["430002", "430003", "430004", "430005"] + SSLPolicy: + target: ssl_policy + id: ["430002", "430003"] + SSLRuleName: + target: ssl_rule_name + id: ["430002", "430003"] + SSLServerCertStatus: + target: ssl_server_cert_status + id: ["430002", "430003"] + SSLServerName: + target: ssl_server_name + id: ["430002", "430003"] + 
ecs: [server.domain] + SSLSessionID: + target: ssl_session_id + id: ["430002", "430003"] + SSLTicketID: + target: ssl_ticket_id + id: ["430002", "430003"] + SSLURLCategory: + target: sslurl_category + id: ["430002", "430003"] + SSLVersion: + target: ssl_version + id: ["430002", "430003"] + SSSLCipherSuite: + target: sssl_cipher_suite + id: ["430002", "430003"] + SecIntMatchingIP: + target: sec_int_matching_ip + id: ["430002", "430003"] + Security Group: + target: security_group + id: ["430002", "430003"] + SperoDisposition: + target: spero_disposition + id: ["430004", "430005"] + SrcIP: + target: src_ip + ecs: [source.address] + SrcPort: + target: src_port + ecs: [source.port] + TCPFlags: + target: tcp_flags + id: ["430002", "430003"] + ThreatName: + target: threat_name + id: ["430005"] + ecs: [_temp_.cisco.threat_category] + ThreatScore: + target: threat_score + id: ["430005"] + ecs: [_temp_.cisco.threat_level] + Tunnel or Prefilter Rule: + target: tunnel_or_prefilter_rule + id: ["430002", "430003"] + URI: + target: uri + id: ["430004", "430005"] + ecs: [url.original] + URL: + target: url + id: ["430002", "430003"] + ecs: [url.original] + URLCategory: + target: url_category + id: ["430002", "430003"] + URLReputation: + target: url_reputation + id: ["430002", "430003"] + URLSICategory: + target: urlsi_category + id: ["430002", "430003"] + User: + target: user + ecs: [user.id, user.name] + UserAgent: + target: user_agent + id: ["430002", "430003"] + ecs: [user_agent.original] + VLAN_ID: + target: vlan_id + id: ["430001", "430002", "430003"] + WebApplication: + target: web_application + ecs: [network.application] + originalClientSrcIP: + target: original_client_src_ip + id: ["430002", "430003"] + ecs: [client.address] + lang: painless + source: | + boolean isEmpty(def value) { + return (value instanceof AbstractList? 
value.size() : value.length()) == 0; + } + def appendOrCreate(Map dest, String[] path, def value) { + for (int i=0; i new HashMap()); + } + String key = path[path.length - 1]; + def existing = dest.get(key); + return existing == null? + dest.put(key, value) + : existing instanceof AbstractList? + existing.add(value) + : dest.put(key, new ArrayList([existing, value])); + } + def msg = ctx._temp_.orig_security; + def counters = new HashMap(); + def dest = new HashMap(); + ctx._temp_.cisco['security'] = dest; + for (entry in msg.entrySet()) { + def param = params.get(entry.getKey()); + if (param == null) { + continue; + } + param.getOrDefault('id', []).forEach( id -> counters[id] = 1 + counters.getOrDefault(id, 0) ); + if (!isEmpty(entry.getValue())) { + param.getOrDefault('ecs', []).forEach( field -> appendOrCreate(ctx, field.splitOnToken('.'), entry.getValue()) ); + dest[param.target] = entry.getValue(); + } + } + if (ctx._temp_.cisco.message_id != "") return; + def best; + for (entry in counters.entrySet()) { + if (best == null || best.getValue() < entry.getValue()) best = entry; + } + if (best != null) ctx._temp_.cisco.message_id = best.getKey(); + #******************************************************************************* + # End of generated code. 
+  #*******************************************************************************
+
+  #
+  # Normalize ECS field values
+  #
+  - script:
+      lang: painless
+      params:
+        "ctx._temp_.cisco.message_id":
+          target: event.action
+          map:
+            "430001": intrusion-detected
+            "430002": connection-started
+            "430003": connection-finished
+            "430004": file-detected
+            "430005": malware-detected
+        "dns.question.type":
+          map:
+            "a host address": A
+            "ip6 address": AAAA
+            "text strings": TXT
+            "a domain name pointer": PTR
+            "an authoritative name server": NS
+            "the canonical name for an alias": CNAME
+            "marks the start of a zone of authority": SOA
+            "mail exchange": MX
+            "server selection": SRV
+        "dns.response_code":
+          map:
+            "non-existent domain": NXDOMAIN
+            "server failure": SERVFAIL
+            "query refused": REFUSED
+            "no error": NOERROR
+      source: |
+        def getField(Map src, String[] path) {
+          for (int i=0; i new HashMap());
+          }
+          dest[path[path.length-1]] = value;
+        }
+        for (entry in params.entrySet()) {
+          def srcField = entry.getKey();
+          def param = entry.getValue();
+          String oldVal = getField(ctx, srcField.splitOnToken('.'));
+          if (oldVal == null) continue;
+          def newVal = param.map?.getOrDefault(oldVal.toLowerCase(), null);
+          if (newVal != null) {
+            def dstField = param.getOrDefault('target', srcField);
+            setField(ctx, dstField.splitOnToken('.'), newVal);
+          }
+        }
+  - set:
+      if: "ctx.dns?.question?.type != null && ctx.dns?.response_code == null"
+      field: dns.response_code
+      value: NOERROR
+  - set:
+      if: 'ctx._temp_.cisco.message_id == "430001"'
+      field: event.action
+      value: intrusion-detected
+  - set:
+      if: 'ctx._temp_.cisco.message_id == "430002"'
+      field: event.action
+      value: connection-started
+  - set:
+      if: 'ctx._temp_.cisco.message_id == "430003"'
+      field: event.action
+      value: connection-finished
+  - set:
+      if: 'ctx._temp_.cisco.message_id == "430004"'
+      field: event.action
+      value: file-detected
+  - set:
+      if: 'ctx._temp_.cisco.message_id == "430005"'
+      field: event.action
+      value: 
malware-detected + + # + # Handle event.duration + # + # It can be set from ConnectionDuration FTD field above. This field holds + # seconds as a string. Copy it to _temp_.duration_hms so that the following + # processor converts it to the right value and populates start and end. + - set: + field: "_temp_.duration_hms" + value: "{{event.duration}}" + ignore_empty_value: true + + # + # Process the flow duration "hh:mm:ss" present in some messages + # This will fill event.start, event.end and event.duration + # + - script: + lang: painless + if: "ctx?._temp_?.duration_hms != null" + source: > + long parse_hms(String s) { + long cur = 0, total = 0; + for (char c: s.toCharArray()) { + if (c >= (char)'0' && c <= (char)'9') { + cur = (cur*10) + (long)c - (char)'0'; + } else if (c == (char)':') { + total = (total + cur) * 60; + cur = 0; + } else { + return 0; + } + } + return total + cur; + } + if (ctx?.event == null) { + ctx['event'] = new HashMap(); + } + String end = ctx['@timestamp']; + ctx.event['end'] = end; + long nanos = parse_hms(ctx._temp_.duration_hms) * 1000000000L; + ctx.event['duration'] = nanos; + ctx.event['start'] = ZonedDateTime.ofInstant( + Instant.parse(end).minusNanos(nanos), + ZoneOffset.UTC); + # + # Normalize protocol names + # + - lowercase: + field: "network.transport" + ignore_failure: true + - lowercase: + field: "network.protocol" + ignore_failure: true + - lowercase: + field: "network.application" + ignore_failure: true + - lowercase: + field: "file.type" + ignore_failure: true + - lowercase: + field: "network.direction" + ignore_failure: true + - lowercase: + field: "network.type" + ignore_failure: true + # + # Populate network.iana_number from network.transport. Also does reverse + # mapping in case network.transport contains the iana_number. 
+  #
+  - script:
+      if: "ctx?.network?.transport != null"
+      lang: painless
+      params:
+        icmp: 1
+        igmp: 2
+        ipv4: 4
+        tcp: 6
+        egp: 8
+        igp: 9
+        pup: 12
+        udp: 17
+        rdp: 27
+        irtp: 28
+        dccp: 33
+        idpr: 35
+        ipv6: 41
+        ipv6-route: 43
+        ipv6-frag: 44
+        rsvp: 46
+        gre: 47
+        esp: 50
+        ipv6-icmp: 58
+        ipv6-nonxt: 59
+        ipv6-opts: 60
+      source: >
+        def net = ctx.network;
+        def iana = params[net.transport];
+        if (iana != null) {
+          net['iana_number'] = iana;
+          return;
+        }
+        def reverse = new HashMap();
+        def[] arr = new def[] { null };
+        for (entry in params.entrySet()) {
+          arr[0] = entry.getValue();
+          reverse.put(String.format("%d", arr), entry.getKey());
+        }
+        def trans = reverse[net.transport];
+        if (trans != null) {
+          net['iana_number'] = net.transport;
+          net['transport'] = trans;
+        }
+  #
+  # Normalize event.outcome
+  #
+  - lowercase:
+      field: "event.outcome"
+      ignore_missing: true
+  - set:
+      field: "event.outcome"
+      if: 'ctx.event?.outcome == "est-allowed"'
+      value: success
+  - set:
+      field: "event.outcome"
+      if: 'ctx.event?.outcome == "permitted"'
+      value: success
+  - set:
+      field: "event.outcome"
+      if: 'ctx.event?.outcome == "allow"'
+      value: success
+  - set:
+      field: "event.outcome"
+      if: 'ctx.event?.outcome == "denied"'
+      value: failure
+  - set:
+      field: "event.outcome"
+      if: 'ctx.event?.outcome == "deny"'
+      value: failure
+  - set:
+      field: "event.outcome"
+      if: 'ctx.event?.outcome == "dropped"'
+      value: failure
+  - set:
+      field: "network.transport"
+      if: 'ctx.network?.transport == "icmpv6"'
+      value: "ipv6-icmp"
+  #
+  # Convert numeric fields to integer or long, as output of dissect and kv processors is always a string
+  #
+  - convert:
+      field: source.port
+      type: integer
+      ignore_failure: true
+  - convert:
+      field: destination.port
+      type: integer
+      ignore_failure: true
+  - convert:
+      field: source.bytes
+      type: long
+      ignore_failure: true
+  - convert:
+      field: destination.bytes
+      type: long
+      ignore_failure: true
+  - convert:
+      field: network.bytes
+      type: long
+      ignore_failure: true
+  - convert:
+      field: source.packets
+      type: integer
+      ignore_failure: true
+  - convert:
+      field: destination.packets
+      type: integer
+      ignore_failure: true
+  - convert:
+      field: _temp_.cisco.mapped_source_port
+      type: integer
+      ignore_failure: true
+  - convert:
+      field: _temp_.cisco.mapped_destination_port
+      type: integer
+      ignore_failure: true
+  - convert:
+      field: _temp_.cisco.icmp_code
+      type: integer
+      ignore_failure: true
+  - convert:
+      field: _temp_.cisco.icmp_type
+      type: integer
+      ignore_failure: true
+  - convert:
+      field: http.response.status_code
+      type: integer
+      ignore_failure: true
+  - convert:
+      field: file.size
+      type: integer
+      ignore_failure: true
+  - convert:
+      field: network.iana_number
+      type: string
+      ignore_failure: true
+  #
+  # Assign ECS .ip fields from .address is a valid IP address is found,
+  # otherwise set .domain field.
+  #
+  - grok:
+      field: source.address
+      patterns:
+        - "^(?:%{IP:source.ip}|%{GREEDYDATA:source.domain})$"
+      ignore_failure: true
+  - grok:
+      field: destination.address
+      patterns:
+        - "^(?:%{IP:destination.ip}|%{GREEDYDATA:destination.domain})$"
+      ignore_failure: true
+  - grok:
+      field: client.address
+      patterns:
+        - "^(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})$"
+      ignore_failure: true
+  - grok:
+      field: server.address
+      patterns:
+        - "^(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})$"
+      ignore_failure: true
+  #
+  # Geolocation for source and destination addresses
+  #
+  - geoip:
+      field: "source.ip"
+      target_field: "source.geo"
+      ignore_missing: true
+  - geoip:
+      field: "destination.ip"
+      target_field: "destination.geo"
+      ignore_missing: true
+  #
+  # IP Autonomous System (AS) Lookup
+  #
+  - geoip:
+      database_file: GeoLite2-ASN.mmdb
+      field: source.ip
+      target_field: source.as
+      properties:
+        - asn
+        - organization_name
+      ignore_missing: true
+  - geoip:
+      database_file: GeoLite2-ASN.mmdb
+      field: destination.ip
+      target_field: destination.as
+      properties:
+        - asn
+        - organization_name
+      ignore_missing: true
+  - rename:
+      field: source.as.asn
+      target_field: source.as.number
+      ignore_missing: true
+  - rename:
+      field: source.as.organization_name
+      target_field: source.as.organization.name
+      ignore_missing: true
+  - rename:
+      field: destination.as.asn
+      target_field: destination.as.number
+      ignore_missing: true
+  - rename:
+      field: destination.as.organization_name
+      target_field: destination.as.organization.name
+      ignore_missing: true
+  #
+  # Set mapped_{src|dst}_ip fields only if they consist of a valid IP address.
+  #
+  - grok:
+      field: _temp_.natsrcip
+      patterns:
+        - "^(?:%{IP:_temp_.cisco.mapped_source_ip}|%{GREEDYDATA:_temp_.cisco.mapped_source_host})$"
+      ignore_failure: true
+  - grok:
+      field: _temp_.natdstip
+      patterns:
+        - "^(?:%{IP:_temp_.cisco.mapped_destination_ip}|%{GREEDYDATA:_temp_.cisco.mapped_destination_host})$"
+      ignore_failure: true
+  #
+  # NAT fields
+  #
+  # The firewall always populates mapped ip and port even if there was no NAT.
+  # This populates both nat.ip and nat.port only when some translation is done.
+  # Fills nat.ip and nat.port even when only the ip or port changed.
+  - set:
+      field: source.nat.ip
+      value: "{{_temp_.cisco.mapped_source_ip}}"
+      if: "ctx?._temp_?.cisco?.mapped_source_ip != ctx?.source?.ip"
+      ignore_empty_value: true
+  - convert:
+      field: source.nat.ip
+      type: ip
+      ignore_missing: true
+  - set:
+      field: source.nat.port
+      value: "{{_temp_.cisco.mapped_source_port}}"
+      if: "ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port"
+      ignore_empty_value: true
+  - convert:
+      field: source.nat.port
+      type: long
+      ignore_missing: true
+  - set:
+      field: destination.nat.ip
+      value: "{{_temp_.cisco.mapped_destination_ip}}"
+      if: "ctx?._temp_?.cisco.mapped_destination_ip != ctx?.destination?.ip"
+      ignore_empty_value: true
+  - convert:
+      field: destination.nat.ip
+      type: ip
+      ignore_missing: true
+  - set:
+      field: destination.nat.port
+      value: "{{_temp_.cisco.mapped_destination_port}}"
+      if: "ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port"
+      ignore_empty_value: true
+  - convert:
+      field: destination.nat.port
+      type: long
+      ignore_missing: true
+  #
+  # Zone-based Network Directionality
+  #
+  # If external and internal zones are specified and our ingress/egress zones are
+  # populated, then we can classify traffic directionality based off of our defined
+  # zones rather than the logs.
+  - set:
+      field: network.direction
+      value: inbound
+      if: >
+        ctx?._temp_?.external_zones != null &&
+        ctx?._temp_?.internal_zones != null &&
+        ctx?.observer?.ingress?.zone != null &&
+        ctx?.observer?.egress?.zone != null &&
+        ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
+        ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
+  - set:
+      field: network.direction
+      value: outbound
+      if: >
+        ctx?._temp_?.external_zones != null &&
+        ctx?._temp_?.internal_zones != null &&
+        ctx?.observer?.ingress?.zone != null &&
+        ctx?.observer?.egress?.zone != null &&
+        ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+        ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+  - set:
+      field: network.direction
+      value: internal
+      if: >
+        ctx?._temp_?.external_zones != null &&
+        ctx?._temp_?.internal_zones != null &&
+        ctx?.observer?.ingress?.zone != null &&
+        ctx?.observer?.egress?.zone != null &&
+        ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) &&
+        ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+  - set:
+      field: network.direction
+      value: external
+      if: >
+        ctx?._temp_?.external_zones != null &&
+        ctx?._temp_?.internal_zones != null &&
+        ctx?.observer?.ingress?.zone != null &&
+        ctx?.observer?.egress?.zone != null &&
+        ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+        ctx._temp_.external_zones.contains(ctx.observer.ingress.zone)
+  - set:
+      field: network.direction
+      value: unknown
+      if: >
+        ctx?._temp_?.external_zones != null &&
+        ctx?._temp_?.internal_zones != null &&
+        ctx?.observer?.egress?.zone != null &&
+        ctx?.observer?.ingress?.zone != null &&
+        (
+          (
+            !ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+            !ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
+          ) ||
+          (
+            !ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
+            !ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+          )
+        )
+
+  - set:
+      field: _temp_.url_domain
+      value: "{{url.domain}}"
+      ignore_failure: true
+      if: ctx?.url?.domain != null
+
+  - uri_parts:
+      field: url.original
+      ignore_failure: true
+      if: ctx?.url?.original != null
+  - append:
+      field: url.domain
+      value: "{{_temp_.url_domain}}"
+      ignore_failure: true
+      allow_duplicates: false
+      if: ctx?._temp_?.url_domain != null
+
+  #
+  # Populate ECS event.code
+  #
+  - rename:
+      field: _temp_.cisco.message_id
+      target_field: event.code
+      ignore_failure: true
+  - remove:
+      field:
+        - _temp_.cisco.message_id
+        - event.code
+      if: 'ctx._temp_.cisco.message_id == ""'
+      ignore_failure: true
+  #
+  # Copy _temp_.cisco to its final destination, cisco.asa or cisco.ftd.
+  #
+  - rename:
+      field: _temp_.cisco
+      target_field: "cisco.ftd"
+      ignore_failure: true
+  #
+  # Remove temporary fields
+  #
+  - remove:
+      field: _temp_
+      ignore_missing: true
+  #
+  # Rename some 7.x fields
+  #
+  - rename:
+      field: cisco.ftd.list_id
+      target_field: cisco.ftd.rule_name
+      ignore_missing: true
+  # ECS categorization
+  - script:
+      lang: painless
+      params:
+        connection-finished:
+          kind: event
+          category:
+            - network
+          type:
+            - connection
+            - end
+        connection-started:
+          kind: event
+          category:
+            - network
+          type:
+            - connection
+            - start
+        file-detected:
+          kind: alert
+          category:
+            - malware
+          type:
+            - info
+        firewall-rule:
+          kind: event
+          category:
+            - network
+          type:
+            - info
+        flow-expiration:
+          kind: event
+          category:
+            - network
+          type:
+            - connection
+            - end
+        intrusion-detected:
+          kind: alert
+          category:
+            - intrusion_detection
+          type:
+            - info
+        malware-detected:
+          kind: alert
+          category:
+            - malware
+          type:
+            - info
+        bypass:
+          kind: event
+          category:
+            - network
+          type:
+            - info
+            - change
+        error:
+          kind: event
+          outcome: failure
+          category:
+            - network
+          type:
+            - error
+        deleted:
+          kind: event
+          category:
+            - network
+          type:
+            - info
+            - deletion
+            - user
+        creation:
+          kind: event
+          category:
+            - network
+          type:
+            - info
+            - creation
+            - user
+      source: >-
+        if (ctx?.event?.action == null || !params.containsKey(ctx.event.action)) {
+          return;
+        }
+        ctx.event.kind = params.get(ctx.event.action).get('kind');
+        ctx.event.category = params.get(ctx.event.action).get('category').clone();
+        ctx.event.type = params.get(ctx.event.action).get('type').clone();
+        if (ctx?.event?.outcome == null) {
+          return;
+        }
+        if (ctx.event.category.contains('network') || ctx.event.category.contains('intrusion_detection')) {
+          if (ctx.event.outcome == 'success') {
+            ctx.event.type.add('allowed');
+          }
+          if (ctx.event.outcome == 'failure') {
+            ctx.event.type.add('denied');
+          }
+          if (ctx.event.outcome == 'block') {
+            ctx.event.type.add('denied');
+          }
+        }
+
+  - set:
+      description: copy destination.user.name to user.name if it is not set
+      field: user.name
+      value: "{{destination.user.name}}"
+      ignore_empty_value: true
+      if: ctx?.user?.name == null
+
+  # Configures observer fields with a copy from cisco and host fields. Later on these might replace host.hostname.
+  - set:
+      field: observer.hostname
+      value: "{{ host.hostname }}"
+      ignore_empty_value: true
+  - set:
+      field: observer.vendor
+      value: "Cisco"
+      ignore_empty_value: true
+  - set:
+      field: observer.type
+      value: "idps"
+      ignore_empty_value: true
+  - set:
+      field: observer.product
+      value: "ftd"
+      ignore_empty_value: true
+  - set:
+      field: observer.egress.interface.name
+      value: "{{ cisco.ftd.destination_interface }}"
+      ignore_empty_value: true
+  - set:
+      field: observer.ingress.interface.name
+      value: "{{ cisco.ftd.source_interface }}"
+      ignore_empty_value: true
+  - append:
+      field: related.ip
+      value: "{{source.ip}}"
+      if: "ctx?.source?.ip != null"
+      allow_duplicates: false
+  - append:
+      field: related.ip
+      value: "{{source.nat.ip}}"
+      if: "ctx?.source?.nat?.ip != null"
+      allow_duplicates: false
+  - append:
+      field: related.ip
+      value: "{{destination.ip}}"
+      if: "ctx?.destination?.ip != null"
+      allow_duplicates: false
+  - append:
+      field: related.ip
+      value: "{{destination.nat.ip}}"
+      if: "ctx?.destination?.nat?.ip != null"
+      allow_duplicates: false
+  - append:
+      field: related.user
+      value: "{{user.name}}"
+      if: ctx?.user?.name != null && ctx?.user?.name != ''
+      allow_duplicates: false
+  - append:
+      field: related.user
+      value: "{{server.user.name}}"
+      if: ctx?.server?.user?.name != null && ctx?.server?.user?.name != ''
+      allow_duplicates: false
+  - append:
+      field: related.user
+      value: "{{source.user.name}}"
+      if: ctx?.source?.user?.name != null && ctx?.source?.user?.name != ''
+      allow_duplicates: false
+  - append:
+      field: related.user
+      value: "{{destination.user.name}}"
+      if: ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != ''
+      allow_duplicates: false
+  - append:
+      field: related.hash
+      value: "{{file.hash.sha256}}"
+      if: "ctx?.file?.hash?.sha256 != null"
+      allow_duplicates: false
+  - append:
+      field: related.hosts
+      value: "{{host.hostname}}"
+      if: ctx.host?.hostname != null && ctx.host?.hostname != ''
+      allow_duplicates: false
+  - append:
+      field: related.hosts
+      value: "{{observer.hostname}}"
+      if: ctx.observer?.hostname != null && ctx.observer?.hostname != ''
+      allow_duplicates: false
+  - append:
+      field: related.hosts
+      value: "{{destination.domain}}"
+      if: ctx.destination?.domain != null && ctx.destination?.domain != ''
+      allow_duplicates: false
+  - append:
+      field: related.hosts
+      value: "{{source.domain}}"
+      if: ctx.source?.domain != null && ctx.source?.domain != ''
+      allow_duplicates: false
+  - script:
+      lang: painless
+      description: This script processor iterates over the whole document to remove fields with null values.
+      source: |
+        void handleMap(Map map) {
+          for (def x : map.values()) {
+            if (x instanceof Map) {
+              handleMap(x);
+            } else if (x instanceof List) {
+              handleList(x);
+            }
+          }
+          map.values().removeIf(v -> v == null);
+        }
+        void handleList(List list) {
+          for (def x : list) {
+            if (x instanceof Map) {
+              handleMap(x);
+            } else if (x instanceof List) {
+              handleList(x);
+            }
+          }
+        }
+        handleMap(ctx);
+  - remove:
+      field: event.original
+      if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+      ignore_failure: true
+      ignore_missing: true
+on_failure:
+  # Copy any fields under _temp_.cisco to its final destination. Those can help
+  # with diagnosing the failure.
+  - rename:
+      field: _temp_.cisco
+      target_field: "cisco.ftd"
+      ignore_failure: true
+  # Remove _temp_ to avoid adding a lot of unnecessary fields to the index.
+  - remove:
+      field: _temp_
+      ignore_missing: true
+  - append:
+      field: "error.message"
+      value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/cisco_ftd/2.0.3/data_stream/log/fields/agent.yml b/packages/cisco_ftd/2.0.3/data_stream/log/fields/agent.yml
new file mode 100755
index 0000000000..d38a70bd6b
--- /dev/null
+++ b/packages/cisco_ftd/2.0.3/data_stream/log/fields/agent.yml
@@ -0,0 +1,207 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type. 
+- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. diff --git a/packages/cisco_ftd/2.0.3/data_stream/log/fields/base-fields.yml b/packages/cisco_ftd/2.0.3/data_stream/log/fields/base-fields.yml new file mode 100755 index 0000000000..e02b7e2a25 --- /dev/null +++ b/packages/cisco_ftd/2.0.3/data_stream/log/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: cisco_ftd +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cisco_ftd.log +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/cisco_ftd/2.0.3/data_stream/log/fields/ecs.yml b/packages/cisco_ftd/2.0.3/data_stream/log/fields/ecs.yml new file mode 100755 index 0000000000..e981c336d5 --- /dev/null +++ b/packages/cisco_ftd/2.0.3/data_stream/log/fields/ecs.yml 
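Review bot: `example: 666777888999` under `cloud.account.id` in the first stanza of this hunk is a plain scalar that a YAML loader reads as an integer, while the field's `type` is `keyword` and every other example in the file is a string; quote it, `example: "666777888999"`, so the example round-trips as text. The `description: >` folded blocks for `host.containerized`, `host.os.build` and `host.os.codename` are each followed by a blank line, so their values keep a trailing newline that the other descriptions do not; `description: >-` would make them consistent. If this file is produced by the package's field-generation tooling, the change belongs in that source so the next copy does not reintroduce it.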
@@ -0,0 +1,567 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: client.user.name + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. 
+ level: core + name: destination.geo.location + type: geo_point +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Packets sent from the destination to the source. + name: destination.packets + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: |- + The name being queried. + If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + name: dns.question.name + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: The DNS response code. + name: dns.response_code + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. 
+ name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. + name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
+ name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: |- + Reason why this event happened, according to the source. 
+ This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + name: event.reason + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
+ name: event.type + type: keyword +- description: SHA256 hash. + name: file.hash.sha256 + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: HTTP response status code. + name: http.response.status_code + type: long +- description: |- + Custom key/value pairs. + Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. + Example: `docker` and `k8s` labels. + name: labels + type: object +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. 
+ name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. 
+ name: network.iana_number + type: keyword +- description: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + name: network.inner + type: object +- description: VLAN ID as reported by the observer. + name: network.inner.vlan.id + type: keyword +- description: Optional VLAN name as reported by the observer. + name: network.inner.vlan.name + type: keyword +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + name: observer.egress.zone + type: keyword +- description: Hostname of the observer. + name: observer.hostname + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. 
internal, External, DMZ, HR, Legal, etc. + name: observer.ingress.zone + type: keyword +- description: IP addresses of the observer. + name: observer.ip + type: ip +- description: |- + Custom name of the observer. + This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. + If no custom name is needed, the field can be left empty. + name: observer.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: Process id. + name: process.pid + type: long +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: |- + The domain name of the server system. 
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. + This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. + Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. + name: service.id + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. 
+ name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Packets sent from the source to the destination. + name: source.packets + type: long +- description: Port of the source. + name: source.port + type: long +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". 
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: |- + Portion of the url after the `#`, such as "top". + The `#` is not part of the fragment. + name: url.fragment + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: url.full + type: wildcard +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Password of the request. + name: url.password + type: keyword +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: Port of the request, such as 443. + name: url.port + type: long +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
+ name: url.registered_domain + type: keyword +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: url.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: Username of the request. + name: url.username + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. 
+ name: server.domain + type: keyword +- description: |- + Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: server.address + type: keyword +- description: Port of the server. + name: server.port + type: long +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: server.user.name + type: keyword +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: client.address + type: keyword +- description: Port of the client. + name: client.port + type: long +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip diff --git a/packages/cisco_ftd/2.0.3/data_stream/log/fields/fields.yml b/packages/cisco_ftd/2.0.3/data_stream/log/fields/fields.yml new file mode 100755 index 0000000000..cd3a6b2e3a --- /dev/null +++ b/packages/cisco_ftd/2.0.3/data_stream/log/fields/fields.yml 
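Review bot: `event.created` is defined twice back to back, and `server.domain` is defined twice (once in the alphabetical run before `service.id`, and again after `user_agent.original` at the head of the trailing client/server block). Because the file is a sequence rather than a mapping, YAML does not flag the repeats, but they declare the same field name twice with identical descriptions, which package validation may reject or silently collapse; remove the second copy of each entry. If this list is generated from an ECS field subset, the duplicates should be dropped in that source as well.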
@@ -0,0 +1,155 @@
+- name: cisco.ftd
+ type: group
+ fields:
+ - name: message_id
+ type: keyword
+ description: |
+ The Cisco FTD message identifier.
+ - name: suffix
+ type: keyword
+ description: |
+ Optional suffix after %FTD identifier.
+ - name: source_interface
+ type: keyword
+ description: |
+ Source interface for the flow or event.
+ - name: destination_interface
+ type: keyword
+ description: |
+ Destination interface for the flow or event.
+ - name: rule_name
+ type: keyword
+ description: |
+ Name of the Access Control List rule that matched this event.
+ - name: source_username
+ type: keyword
+ description: |
+ Name of the user that is the source for this event.
+ - name: destination_username
+ type: keyword
+ description: |
+ Name of the user that is the destination for this event.
+ - name: mapped_source_ip
+ type: ip
+ description: |
+ The translated source IP address.
+ - name: mapped_source_port
+ type: long
+ description: |
+ The translated source port.
+ - name: mapped_destination_ip
+ type: ip
+ description: |
+ The translated destination IP address.
+ - name: mapped_destination_port
+ type: long
+ description: |
+ The translated destination port.
+ - name: threat_level
+ type: keyword
+ description: |
+ Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high.
+ - name: threat_category
+ type: keyword
+ description: |
+ Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc.
+ - name: connection_id
+ type: keyword
+ description: |
+ Unique identifier for a flow.
+ - name: icmp_type
+ type: short
+ description: |
+ ICMP type.
+ - name: icmp_code
+ type: short
+ description: |
+ ICMP code.
+ - name: connection_type
+ type: keyword
+ description: |
+ The VPN connection type
+ - name: dap_records
+ type: keyword
+ description: |
+ The assigned DAP records
+ - name: mapped_destination_host
+ type: keyword
+ - name: username
+ type: keyword
+ - name: mapped_source_host
+ type: keyword
+ - name: command_line_arguments
+ default_field: false
+ type: keyword
+ description: |
+ The command line arguments logged by the local audit log
+ - name: assigned_ip
+ default_field: false
+ type: ip
+ description: |
+ The IP address assigned to a VPN client successfully connecting
+ - name: privilege.old
+ default_field: false
+ type: keyword
+ description: |
+ When a users privilege is changed this is the old value
+ - name: privilege.new
+ default_field: false
+ type: keyword
+ description: |
+ When a users privilege is changed this is the new value
+ - name: burst.object
+ default_field: false
+ type: keyword
+ description: |
+ The related object for burst warnings
+ - name: burst.id
+ default_field: false
+ type: keyword
+ description: |
+ The related rate ID for burst warnings
+ - name: burst.current_rate
+ default_field: false
+ type: keyword
+ description: |
+ The current burst rate seen
+ - name: burst.configured_rate
+ default_field: false
+ type: keyword
+ description: |
+ The current configured burst rate
+ - name: burst.avg_rate
+ default_field: false
+ type: keyword
+ description: |
+ The current average burst rate seen
+ - name: burst.configured_avg_rate
+ default_field: false
+ type: keyword
+ description: |
+ The current configured average burst rate allowed
+ - name: burst.cumulative_count
+ default_field: false
+ type: keyword
+ description: |
+ The total count of burst rate hits since the object was created or cleared
+ - name: security
+ type: flattened
+ description: Cisco FTD security event fields.
+ - name: webvpn.group_name
+ type: keyword
+ default_field: false
+ description: |
+ The WebVPN group name the user belongs to
+ - name: termination_user
+ default_field: false
+ type: keyword
+ description: |-
+ AAA name of user requesting termination
+- name: syslog.facility.code
+ type: long
+ description: Syslog numeric facility of the event.
+- name: syslog.priority
+ type: long
+ description: Syslog priority of the event.
diff --git a/packages/cisco_ftd/2.0.3/data_stream/log/manifest.yml b/packages/cisco_ftd/2.0.3/data_stream/log/manifest.yml
new file mode 100755
index 0000000000..4c7fab8f5d
--- /dev/null
+++ b/packages/cisco_ftd/2.0.3/data_stream/log/manifest.yml
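Review bot: `mapped_destination_host`, `username` and `mapped_source_host` are the only entries under `cisco.ftd` without a `description`, so they surface as empty cells in the generated field table and a reader cannot tell `username` apart from `source_username` and `destination_username`. By analogy with the neighbouring `mapped_*_ip` and `mapped_*_port` fields these look like the translated destination/source host names, but confirm against the pipeline that populates them before documenting. Suggested one-liners in the file's `description: |` style: `The translated destination host name.`, `Name of the user associated with the event when no source/destination role applies.`, `The translated source host name.`. For consistency with the earlier entries, the unpunctuated descriptions (`The VPN connection type`, `The assigned DAP records`, the `burst.*` and `privilege.*` entries) could end with a period.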
@@ -0,0 +1,87 @@
+title: Cisco FTD logs
+type: logs
+streams:
+ - input: udp
+ title: Cisco FTD logs
+ description: Collect Cisco FTD logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-ftd
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP Port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9003
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: logfile
+ enabled: false
+ title: Cisco FTD logs
+ description: Collect Cisco FTD logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/cisco-ftd.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-ftd
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/cisco_ftd/2.0.3/data_stream/log/sample_event.json b/packages/cisco_ftd/2.0.3/data_stream/log/sample_event.json
new file mode 100755
index 0000000000..f54ade25af
--- /dev/null
+++ b/packages/cisco_ftd/2.0.3/data_stream/log/sample_event.json
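Review bot: `udp_host` and `udp_port` in the udp stream are the only user-visible vars with a `title` but no `description`, so the UI gives no hint that the `localhost` default only accepts syslog from the agent's own host and has to be changed to a non-loopback interface address before a remote FTD appliance can deliver anything. Because the transport is plain UDP syslog, with no authentication or encryption at this layer, the bind address is also the main control over which network sources can inject events into this data stream, which is worth saying where the operator sets it. Suggested: `description: Address the UDP syslog listener binds to. The default only accepts messages from the local host; use a non-loopback interface address to receive logs from the FTD appliance.` for `udp_host` and `description: UDP port the syslog listener binds to.` for `udp_port`. The hunk also ends with an empty added line after the logfile stream's `processors` description, which can be dropped.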
@@ -0,0 +1,155 @@
+{
+ "@timestamp": "2019-08-16T09:39:03.000Z",
+ "agent": {
+ "ephemeral_id": "fb59da35-f6e4-4052-ae20-539243c9049e",
+ "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "cisco": {
+ "ftd": {
+ "rule_name": "malware-and-file-policy",
+ "security": {
+ "application_protocol": "HTTP",
+ "client": "cURL",
+ "dst_ip": "81.2.69.144",
+ "dst_port": "80",
+ "file_action": "Malware Cloud Lookup",
+ "file_direction": "Download",
+ "file_name": "eicar_com.zip",
+ "file_policy": "malware-and-file-policy",
+ "file_sandbox_status": "File Size Is Too Small",
+ "file_sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad",
+ "file_size": "184",
+ "file_storage_status": "Not Stored (Disposition Was Pending)",
+ "file_type": "ZIP",
+ "first_packet_second": "2019-08-16T09:39:02Z",
+ "protocol": "tcp",
+ "sha_disposition": "Unavailable",
+ "spero_disposition": "Spero detection not performed on file",
+ "src_ip": "10.0.1.20",
+ "src_port": "46004",
+ "threat_name": "Win.Ransomware.Eicar::95.sbx.tg",
+ "uri": "http://www.eicar.org/download/eicar_com.zip",
+ "user": "No Authentication Required"
+ },
+ "threat_category": "Win.Ransomware.Eicar::95.sbx.tg"
+ }
+ },
+ "data_stream": {
+ "dataset": "cisco_ftd.log",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "address": "81.2.69.144",
+ "geo": {
+ "city_name": "London",
+ "continent_name": "Europe",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "location": {
+ "lat": 51.5142,
+ "lon": -0.0931
+ },
+ "region_iso_code": "GB-ENG",
+ "region_name": "England"
+ },
+ "ip": "81.2.69.144",
+ "port": 80
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "action": "malware-detected",
+ "agent_id_status": "verified",
+ "category": [
+ "malware"
+ ],
+ "code": "430005",
+ "dataset": "cisco_ftd.log",
+ "ingested": "2021-12-29T10:08:02Z",
+ "kind": "alert",
+ "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip\n",
+ "severity": 1,
+ "start": "2019-08-16T09:39:02Z",
+ "timezone": "+00:00",
+ "type": [
+ "info"
+ ]
+ },
+ "file": {
+ "hash": {
+ "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad"
+ },
+ "name": "eicar_com.zip",
+ "size": 184
+ },
+ "host": {
+ "hostname": "firepower"
+ },
+ "input": {
+ "type": "udp"
+ },
+ "log": {
+ "level": "alert",
+ "source": {
+ "address": "192.168.128.6:54121"
+ }
+ },
+ "network": {
+ "application": "curl",
+ "iana_number": "6",
+ "protocol": "http",
+ "transport": "tcp"
+ },
+ "observer": {
+ "hostname": "firepower",
+ "product": "asa",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "hash": [
+ "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad"
+ ],
+ "hosts": [
+ "firepower"
+ ],
+ "ip": [
+ "10.0.1.20",
+ "81.2.69.144"
+ ],
+ "user": [
+ "No Authentication Required"
+ ]
+ },
+ "source": {
+ "address": "10.0.1.20",
+ "ip": "10.0.1.20",
+ "port": 46004
+ },
+ "tags": [
+ "preserve_original_event",
+ "cisco-ftd",
+ "forwarded"
+ ],
+ "url": {
+ "domain": "www.eicar.org",
+ "extension": "zip",
+ "original": "http://www.eicar.org/download/eicar_com.zip",
+ "path": "/download/eicar_com.zip",
+ "scheme": "http"
+ },
+ "user": {
+ "id": "No Authentication Required",
+ "name": "No Authentication Required"
+ }
+}
\ No newline at end of file
diff --git a/packages/cisco_ftd/2.0.3/docs/README.md b/packages/cisco_ftd/2.0.3/docs/README.md
new file mode 100755
index 0000000000..8498022b55
--- /dev/null
+++ b/packages/cisco_ftd/2.0.3/docs/README.md
@@ -0,0 +1,390 @@ +# Cisco FTD Integration + +This integration is for Cisco Firepower Threat Defence (FTD) device's logs. It includes the following +datasets for receiving logs over syslog or read from a file: + +- `log` dataset: supports Cisco Firepower Threat Defense (FTD) logs. + +## Logs + +### FTD + +The `log` dataset collects the Cisco Firepower Threat Defense (FTD) logs. + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2019-08-16T09:39:03.000Z", + "agent": { + "ephemeral_id": "fb59da35-f6e4-4052-ae20-539243c9049e", + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "cisco": { + "ftd": { + "rule_name": "malware-and-file-policy", + "security": { + "application_protocol": "HTTP", + "client": "cURL", + "dst_ip": "81.2.69.144", + "dst_port": "80", + "file_action": "Malware Cloud Lookup", + "file_direction": "Download", + "file_name": "eicar_com.zip", + "file_policy": "malware-and-file-policy", + "file_sandbox_status": "File Size Is Too Small", + "file_sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", + "file_size": "184", + "file_storage_status": "Not Stored (Disposition Was Pending)", + "file_type": "ZIP", + "first_packet_second": "2019-08-16T09:39:02Z", + "protocol": "tcp", + "sha_disposition": "Unavailable", + "spero_disposition": "Spero detection not performed on file", + "src_ip": "10.0.1.20", + "src_port": "46004", + "threat_name": "Win.Ransomware.Eicar::95.sbx.tg", + "uri": "http://www.eicar.org/download/eicar_com.zip", + "user": "No Authentication Required" + }, + "threat_category": "Win.Ransomware.Eicar::95.sbx.tg" + } + }, + "data_stream": { + "dataset": "cisco_ftd.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "81.2.69.144", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 
51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "port": 80 + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "7cefd7f8-53e3-4884-ab65-da99d71b166f", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "malware-detected", + "agent_id_status": "verified", + "category": [ + "malware" + ], + "code": "430005", + "dataset": "cisco_ftd.log", + "ingested": "2021-12-29T10:08:02Z", + "kind": "alert", + "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip\n", + "severity": 1, + "start": "2019-08-16T09:39:02Z", + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "file": { + "hash": { + "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + }, + "name": "eicar_com.zip", + "size": 184 + }, + "host": { + "hostname": "firepower" + }, + "input": { + "type": "udp" + }, + "log": { + "level": "alert", + "source": { + "address": "192.168.128.6:54121" + } + }, + "network": { + "application": "curl", + "iana_number": "6", + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "hostname": "firepower", + "product": "asa", + "type": "firewall", + "vendor": "Cisco" + }, + "related": { + "hash": [ + 
"2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + ], + "hosts": [ + "firepower" + ], + "ip": [ + "10.0.1.20", + "81.2.69.144" + ], + "user": [ + "No Authentication Required" + ] + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20", + "port": 46004 + }, + "tags": [ + "preserve_original_event", + "cisco-ftd", + "forwarded" + ], + "url": { + "domain": "www.eicar.org", + "extension": "zip", + "original": "http://www.eicar.org/download/eicar_com.zip", + "path": "/download/eicar_com.zip", + "scheme": "http" + }, + "user": { + "id": "No Authentication Required", + "name": "No Authentication Required" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| cisco.ftd.assigned_ip | The IP address assigned to a VPN client successfully connecting | ip | +| cisco.ftd.burst.avg_rate | The current average burst rate seen | keyword | +| cisco.ftd.burst.configured_avg_rate | The current configured average burst rate allowed | keyword | +| cisco.ftd.burst.configured_rate | The current configured burst rate | keyword | +| cisco.ftd.burst.cumulative_count | The total count of burst rate hits since the object was created or cleared | keyword | +| cisco.ftd.burst.current_rate | The current burst rate seen | keyword | +| cisco.ftd.burst.id | The related rate ID for burst warnings | keyword | +| cisco.ftd.burst.object | The related object for burst warnings | keyword | +| cisco.ftd.command_line_arguments | The command line arguments logged by the local audit log | keyword | +| cisco.ftd.connection_id | Unique identifier for a flow. 
| keyword | +| cisco.ftd.connection_type | The VPN connection type | keyword | +| cisco.ftd.dap_records | The assigned DAP records | keyword | +| cisco.ftd.destination_interface | Destination interface for the flow or event. | keyword | +| cisco.ftd.destination_username | Name of the user that is the destination for this event. | keyword | +| cisco.ftd.icmp_code | ICMP code. | short | +| cisco.ftd.icmp_type | ICMP type. | short | +| cisco.ftd.mapped_destination_host | | keyword | +| cisco.ftd.mapped_destination_ip | The translated destination IP address. | ip | +| cisco.ftd.mapped_destination_port | The translated destination port. | long | +| cisco.ftd.mapped_source_host | | keyword | +| cisco.ftd.mapped_source_ip | The translated source IP address. | ip | +| cisco.ftd.mapped_source_port | The translated source port. | long | +| cisco.ftd.message_id | The Cisco FTD message identifier. | keyword | +| cisco.ftd.privilege.new | When a users privilege is changed this is the new value | keyword | +| cisco.ftd.privilege.old | When a users privilege is changed this is the old value | keyword | +| cisco.ftd.rule_name | Name of the Access Control List rule that matched this event. | keyword | +| cisco.ftd.security | Cisco FTD security event fields. | flattened | +| cisco.ftd.source_interface | Source interface for the flow or event. | keyword | +| cisco.ftd.source_username | Name of the user that is the source for this event. | keyword | +| cisco.ftd.suffix | Optional suffix after %FTD identifier. | keyword | +| cisco.ftd.termination_user | AAA name of user requesting termination | keyword | +| cisco.ftd.threat_category | Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. | keyword | +| cisco.ftd.threat_level | Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. 
| keyword | +| cisco.ftd.username | | keyword | +| cisco.ftd.webvpn.group_name | The WebVPN group name the user belongs to | keyword | +| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.user.name | Short name or login of the user. | keyword | +| client.user.name.text | Multi-field of `client.user.name`. | match_only_text | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. 
| keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. 
Typically used with load balancers, firewalls, or routers. | long | +| destination.packets | Packets sent from the destination to the source. | long | +| destination.port | Port of the destination. | long | +| destination.user.name | Short name or login of the user. | keyword | +| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | +| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| dns.response_code | The DNS response code. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
| keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. 
Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.status_code | HTTP response status code. | long | +| input.type | Input type. | keyword | +| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object | +| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword | +| network.inner.vlan.name | Optional VLAN name as reported by the observer. 
| keyword | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.hostname | Hostname of the observer. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. 
Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.pid | Process id. | long | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.port | Port of the server. | long | +| server.user.name | Short name or login of the user. | keyword | +| server.user.name.text | Multi-field of `server.user.name`. | match_only_text | +| service.id | Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. 
| keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. | long | +| source.user.name | Short name or login of the user. 
| keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| syslog.facility.code | Syslog numeric facility of the event. | long | +| syslog.priority | Syslog priority of the event. | long | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | +| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| url.full.text | Multi-field of `url.full`. | match_only_text | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.password | Password of the request. | keyword | +| url.path | Path of the request, such as "/search". 
| wildcard | +| url.port | Port of the request, such as 443. | long | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| url.username | Username of the request. 
| keyword |
+| user.email | User email address. | keyword |
+| user.id | Unique identifier of the user. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| user_agent.original | Unparsed user_agent string. | keyword |
+| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
+
diff --git a/packages/cisco_ftd/2.0.3/img/cisco.svg b/packages/cisco_ftd/2.0.3/img/cisco.svg
new file mode 100755
index 0000000000..20ebebf197
--- /dev/null
+++ b/packages/cisco_ftd/2.0.3/img/cisco.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/packages/cisco_ftd/2.0.3/manifest.yml b/packages/cisco_ftd/2.0.3/manifest.yml
new file mode 100755
index 0000000000..a8de9f596b
--- /dev/null
+++ b/packages/cisco_ftd/2.0.3/manifest.yml
@@ -0,0 +1,31 @@
+format_version: 1.0.0
+name: cisco_ftd
+title: Cisco FTD
+version: 2.0.3
+license: basic
+description: Collect logs from Cisco FTD with Elastic Agent.
+type: integration
+categories:
+ - network
+ - security
+release: ga
+conditions:
+ kibana.version: "^7.16.0 || ^8.0.0"
+icons:
+ - src: /img/cisco.svg
+ title: cisco
+ size: 216x216
+ type: image/svg+xml
+policy_templates:
+ - name: cisco_ftd
+ title: Cisco FTD logs
+ description: Collect logs from Cisco FTD instances
+ inputs:
+ - type: udp
+ title: Collect logs from Cisco FTD via UDP
+ description: Collecting logs from Cisco FTD via UDP
+ - type: logfile
+ title: Collect logs from Cisco FTD via file
+ description: Collecting logs from Cisco FTD via file
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/ti_abusech/1.2.3/changelog.yml b/packages/ti_abusech/1.2.3/changelog.yml
new file mode 100755
index 0000000000..92b8615399
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/changelog.yml
@@ -0,0 +1,76 @@
+# newer versions go on top
+- version: "1.2.3"
+ changes:
+ - description: Add mapping for event.created
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3042
+- version: "1.2.2"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.2.1"
+ changes:
+ - description: Fix field mapping conflicts in `threat.indicator.file.x509.not_before/not_after`
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2893
+- version: "1.2.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2445
+- version: "1.1.5"
+ changes:
+ - description: Removes extra tag from dashboards
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2544
+- version: "1.1.4"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "1.1.3"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.1.2"
+ changes:
+ - description: Fixing typo in base-fields.yml
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2331
+- version: "1.1.1"
+ changes:
+ - description: Update ECS fields for threat.feed.name
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2293
+- version: "1.1.0"
+ changes:
+ - description: Adding dashboards and adding minor tweaks to pipeline
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2072
+- version: "1.0.4"
+ changes:
+ - description: Bump minimum version in manifest
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2072
+- version: "1.0.3"
+ changes:
+ - description: Bump minimum version
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2063
+- version: "1.0.2"
+ changes:
+ - description: Update title and description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1997
+- version: "1.0.1"
+ changes:
+ - description: Fix invisible package icon
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1939
+- version: "1.0.0"
+ changes:
+ - description: Initial Release
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1866
diff --git a/packages/ti_abusech/1.2.3/data_stream/malware/agent/stream/httpjson.yml.hbs b/packages/ti_abusech/1.2.3/data_stream/malware/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..457acc00d6
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/data_stream/malware/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,38 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "GET"
+
+{{#if url}}
+request.url: {{url}}
+{{/if}}
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+request.transforms:
+- set:
+ target: header.Content-Type
+ value: application/json
+
+response.split:
+ target: body.payloads
+
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/ti_abusech/1.2.3/data_stream/malware/elasticsearch/ingest_pipeline/default.yml b/packages/ti_abusech/1.2.3/data_stream/malware/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..8dcc275ab0
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/data_stream/malware/elasticsearch/ingest_pipeline/default.yml
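Review bot: `request.url: {{url}}` and `request.proxy_url: {{proxy_url}}` render the variables as plain YAML scalars, so a value containing ` #` or beginning with a YAML indicator would be mis-parsed when the agent loads the rendered policy; quoting them, `request.url: "{{url}}"` and `request.proxy_url: "{{proxy_url}}"`, keeps the output well-formed for any input (the `{{#if}}` guards already handle the empty case). `{{#if proxy_url }}` carries a stray space before the closing braces that the other conditionals in this template do not, and `{{#each tags as |tag i|}}` binds an index `i` that the body never uses, so `{{#each tags as |tag|}}` reads cleaner. Both are style points only; the rendered configuration is the same either way.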
@@ -0,0 +1,156 @@
+---
+description: Pipeline for parsing Abuse.ch URL Threat Intel
+processors:
+ ####################
+ # Event ECS fields #
+ ####################
+ - set:
+ field: ecs.version
+ value: "8.0.0"
+ - set:
+ field: event.kind
+ value: enrichment
+ - set:
+ field: event.category
+ value: threat
+ - set:
+ field: event.type
+ value: indicator
+
+ ######################
+ # General ECS fields #
+ ######################
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: abusech.malware
+ - fingerprint:
+ fields:
+ - abusech.malware.md5_hash
+ - abusech.malware.sha256_hash
+ target_field: "_id"
+
+ #####################
+ # Threat ECS Fields #
+ #####################
+ - date:
+ field: abusech.malware.firstseen
+ target_field: threat.indicator.first_seen
+ formats:
+ - "yyyy-MM-dd HH:mm:ss z"
+ - "yyyy-MM-dd HH:mm:ss Z"
+ - "yyyy-MM-dd HH:mm:ss"
+ if: "ctx.abusech?.malware?.firstseen != null"
+ - set:
+ field: threat.indicator.type
+ value: file
+ - rename:
+ field: abusech.malware.file_size
+ target_field: threat.indicator.file.size
+ ignore_missing: true
+ - rename:
+ field: abusech.malware.file_type
+ target_field: threat.indicator.file.type
+ ignore_missing: true
+ # This includes a direct link to malicious files, we do not want them to appear in Kibana
+ # in case they are accidently clicked.
+ - remove:
+ field: abusech.malware.urlhaus_download
+ ignore_missing: true
+ - convert:
+ field: threat.indicator.file.size
+ type: long
+ ignore_missing: true
+ - convert:
+ field: abusech.malware.virustotal.percent
+ type: float
+ ignore_missing: true
+ - rename:
+ field: abusech.malware.md5_hash
+ target_field: threat.indicator.file.hash.md5
+ ignore_missing: true
+ - rename:
+ field: abusech.malware.sha256_hash
+ target_field: threat.indicator.file.hash.sha256
+ ignore_missing: true
+ - rename:
+ field: abusech.malware.imphash
+ target_field: threat.indicator.file.pe.imphash
+ ignore_missing: true
+ - rename:
+ field: abusech.malware.ssdeep
+ target_field: threat.indicator.file.hash.ssdeep
+ ignore_missing: true
+ - rename:
+ field: abusech.malware.tlsh
+ target_field: threat.indicator.file.hash.tlsh
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: "{{{threat.indicator.file.hash.md5}}}"
+ if: ctx?.threat?.indicator?.file?.hash?.md5 != null
+ - append:
+ field: related.hash
+ value: "{{{threat.indicator.file.hash.sha256}}}"
+ if: ctx?.threat?.indicator?.file?.hash?.sha256 != null
+ - append:
+ field: related.hash
+ value: "{{{threat.indicator.file.hash.ssdeep}}}"
+ if: ctx?.threat?.indicator?.file?.hash?.ssdeep != null
+ - append:
+ field: related.hash
+ value: "{{{threat.indicator.file.pe.imphash}}}"
+ if: ctx?.threat?.indicator?.file?.pe?.imphash != null
+ - append:
+ field: related.hash
+ value: "{{{threat.indicator.file.hash.tlsh}}}"
+ if: ctx?.threat?.indicator?.file?.hash?.tlsh != null
+
+ ######################
+ # Cleanup processors #
+ ######################
+ - set:
+ field: threat.indicator.type
+ value: unknown
+ if: ctx?.threat?.indicator?.type == null
+ - script:
+ lang: painless
+ if: ctx?.abusech != null
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null);
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ }
+ handleMap(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+ - remove:
+ field:
+ - abusech.malware.firstseen
+ - message
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/ti_abusech/1.2.3/data_stream/malware/fields/agent.yml b/packages/ti_abusech/1.2.3/data_stream/malware/fields/agent.yml
new file mode 100755
index 0000000000..da4e652c53
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/data_stream/malware/fields/agent.yml
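Review bot: The `on_failure` handler at the end of this hunk only records `error.message`; because `event.kind: enrichment` is set by the very first processor, a document that fails part-way (for example at the `json` or `fingerprint` step) is indexed with the same `event.kind`, `event.category` and `event.type` as a fully parsed indicator and is distinguishable only by the presence of `error.message`. Adding `- set:` / `field: event.kind` / `value: pipeline_error` to `on_failure` makes failed documents easy to query and keeps half-parsed records out of indicator-match logic. Separately, the `fingerprint` processor reads `abusech.malware.md5_hash` and `abusech.malware.sha256_hash` without `ignore_missing`, so a payload lacking both fields aborts the whole document rather than skipping the `_id` derivation; if that is intended as a hard requirement, a comment saying so would help a later reader, otherwise `ignore_missing: true` is the usual choice. The null-stripping Painless script also removes `null` values only from maps, not from lists, which may be fine for this feed but is worth noting in the comment above it.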
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/ti_abusech/1.2.3/data_stream/malware/fields/base-fields.yml b/packages/ti_abusech/1.2.3/data_stream/malware/fields/base-fields.yml
new file mode 100755
index 0000000000..6803389c14
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/data_stream/malware/fields/base-fields.yml
@@ -0,0 +1,28 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: ti_abusech
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: ti_abusech.malware
+- name: threat.feed.name
+ type: constant_keyword
+ description: Display friendly feed name
+ value: AbuseCH Malware
+- name: threat.feed.dashboard_id
+ type: constant_keyword
+ description: Dashboard ID used for Kibana CTI UI
+ value: ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/ti_abusech/1.2.3/data_stream/malware/fields/beats.yml b/packages/ti_abusech/1.2.3/data_stream/malware/fields/beats.yml
new file mode 100755
index 0000000000..cb44bb2944
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/data_stream/malware/fields/beats.yml
@@ -0,0 +1,12 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.flags
+ type: keyword
+ description: Flags for the log file.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
diff --git a/packages/ti_abusech/1.2.3/data_stream/malware/fields/ecs.yml b/packages/ti_abusech/1.2.3/data_stream/malware/fields/ecs.yml
new file mode 100755
index 0000000000..b819e36147
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/data_stream/malware/fields/ecs.yml 
@@ -0,0 +1,111 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: Error message. + name: error.message + type: match_only_text +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. 
It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + Type of indicator as represented by Cyber Observable in STIX 2.0. + Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate + name: threat.indicator.type + type: keyword +- description: The date and time when intelligence source first reported sighting this indicator. + name: threat.indicator.first_seen + type: date +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: threat.indicator.file.size + type: long +- description: File type (file, dir, or symlink). + name: threat.indicator.file.type + type: keyword +- description: MD5 hash. + name: threat.indicator.file.hash.md5 + type: keyword +- description: SHA256 hash. + name: threat.indicator.file.hash.sha256 + type: keyword +- description: |- + A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + name: threat.indicator.file.pe.imphash + type: keyword +- description: SSDEEP hash. + name: threat.indicator.file.hash.ssdeep + type: keyword +- description: The file's import tlsh, if available. 
+ name: threat.indicator.file.hash.tlsh
+ type: keyword
+- description: The name of the indicator's provider.
+ name: threat.indicator.provider
+ type: keyword
diff --git a/packages/ti_abusech/1.2.3/data_stream/malware/fields/fields.yml b/packages/ti_abusech/1.2.3/data_stream/malware/fields/fields.yml
new file mode 100755
index 0000000000..970fa42a04
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/data_stream/malware/fields/fields.yml
@@ -0,0 +1,24 @@
+- name: abusech.malware
+ type: group
+ description: All fields related to AbuseCH URL indicators.
+ fields:
+ - name: signature
+ type: keyword
+ description: >
+ Malware familiy.
+
+ - name: virustotal.result
+ type: keyword
+ description: >
+ AV detection ration.
+
+ - name: virustotal.percent
+ type: float
+ description: >
+ AV detection in percent.
+
+ - name: virustotal.link
+ type: keyword
+ description: >
+ Link to the Virustotal report.
+
diff --git a/packages/ti_abusech/1.2.3/data_stream/malware/manifest.yml b/packages/ti_abusech/1.2.3/data_stream/malware/manifest.yml
new file mode 100755
index 0000000000..9b986685b1
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/data_stream/malware/manifest.yml
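Review bot: The group description `All fields related to AbuseCH URL indicators.` on the `abusech.malware` group describes the wrong data stream; this file defines the malware payload fields, so it should read `All fields related to AbuseCH malware indicators.`. Two spellings in the same hunk should be corrected as well: `Malware familiy.` → `Malware family.` and `AV detection ration.` → `AV detection ratio.`. These descriptions are shown to analysts in the Kibana field browser, so a description naming the URL feed on the malware fields is actively misleading when picking fields for a query.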
@@ -0,0 +1,68 @@
+type: logs
+title: AbuseCH Malware logs
+streams:
+ - input: httpjson
+ vars:
+ - name: url
+ type: text
+ title: AbuseCH Malware API endpoint
+ multi: false
+ required: true
+ show_user: false
+ default: https://urlhaus-api.abuse.ch/v1/payloads/recent/
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ multi: false
+ required: false
+ show_user: false
+ default: 30s
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:
+ - name: interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 10m
+ - name: ssl
+ type: yaml
+ title: SSL
+ multi: false
+ required: false
+ show_user: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - abusech-malware
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: httpjson.yml.hbs
+ title: AbuseCH Malware logs
+ description: Collect AbuseCH Malware logs
diff --git a/packages/ti_abusech/1.2.3/data_stream/malware/sample_event.json b/packages/ti_abusech/1.2.3/data_stream/malware/sample_event.json
new file mode 100755
index 0000000000..5800635b7c
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/data_stream/malware/sample_event.json
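Review bot: The `proxy_url` description reads `URL to proxy connections in the form of http[s]://:@:`, which has lost its placeholders (the intended form is `http[s]://<user>:<password>@<host>:<port>`), unless the angle brackets were dropped only in this rendering of the diff and not in the committed file. Because that value can carry proxy credentials, the description is also the natural place to say the value is stored in the policy, so operators know it is not a secret-store reference. The `ssl` var has neither a description nor a default, so nothing tells the operator which options it accepts; a one-line description such as `SSL options for the HTTP client, e.g. certificate_authorities, supported_protocols, verification_mode.` matches how the other vars are documented.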
@@ -0,0 +1,69 @@
+{
+ "@timestamp": "2022-04-11T08:43:51.252Z",
+ "abusech": {
+ "malware": {}
+ },
+ "agent": {
+ "ephemeral_id": "3c096aaa-3fd9-4560-87fe-375b99890402",
+ "id": "0cd371ed-8f03-437b-909d-8daccf9843fc",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "data_stream": {
+ "dataset": "ti_abusech.malware",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "0cd371ed-8f03-437b-909d-8daccf9843fc",
+ "snapshot": false,
+ "version": "8.0.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": "threat",
+ "created": "2022-04-11T08:43:51.252Z",
+ "dataset": "ti_abusech.malware",
+ "ingested": "2022-04-11T08:43:52Z",
+ "kind": "enrichment",
+ "original": "{\"file_size\":\"1563\",\"file_type\":\"unknown\",\"firstseen\":\"2021-10-05 04:17:02\",\"imphash\":null,\"md5_hash\":\"9cd5a4f0231a47823c4adba7c8ef370f\",\"sha256_hash\":\"7c0852d514df7faf8fdbfa4f358cc235dd1b1a2d843cc65495d03b502e4099f2\",\"signature\":null,\"ssdeep\":\"48:yazkS7neW+mfe4CJjNXcq5Co4Fr1PpsHn:yrmGNt5mbP2n\",\"tlsh\":\"T109314C5E7822CA70B91AD69300C22D8C2F53EAF229E6686C3BDD4C86FA1344208CF1\",\"urlhaus_download\":\"https://urlhaus-api.abuse.ch/v1/download/7c0852d514df7faf8fdbfa4f358cc235dd1b1a2d843cc65495d03b502e4099f2/\",\"virustotal\":null}",
+ "type": "indicator"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "related": {
+ "hash": [
+ "9cd5a4f0231a47823c4adba7c8ef370f",
+ "7c0852d514df7faf8fdbfa4f358cc235dd1b1a2d843cc65495d03b502e4099f2",
+ "48:yazkS7neW+mfe4CJjNXcq5Co4Fr1PpsHn:yrmGNt5mbP2n",
+ "T109314C5E7822CA70B91AD69300C22D8C2F53EAF229E6686C3BDD4C86FA1344208CF1"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "abusech-malware"
+ ],
+ "threat": {
+ "indicator": {
+ "file": {
+ "hash": {
+ "md5": "9cd5a4f0231a47823c4adba7c8ef370f",
+ "sha256": "7c0852d514df7faf8fdbfa4f358cc235dd1b1a2d843cc65495d03b502e4099f2",
+ "ssdeep": "48:yazkS7neW+mfe4CJjNXcq5Co4Fr1PpsHn:yrmGNt5mbP2n",
+ "tlsh": "T109314C5E7822CA70B91AD69300C22D8C2F53EAF229E6686C3BDD4C86FA1344208CF1"
+ },
+ "pe": {},
+ "size": 1563,
+ "type": "unknown"
+ },
+ "first_seen": "2021-10-05T04:17:02.000Z",
+ "type": "file"
+ }
+ }
+}
\ No newline at end of file
diff --git a/packages/ti_abusech/1.2.3/data_stream/malwarebazaar/agent/stream/httpjson.yml.hbs b/packages/ti_abusech/1.2.3/data_stream/malwarebazaar/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..1684323a35
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/data_stream/malwarebazaar/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,44 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "POST"
+
+{{#if url}}
+request.url: {{url}}
+{{/if}}
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+request.transforms:
+- set:
+ target: header.Content-Type
+ value: application/x-www-form-urlencoded
+- set:
+ target: url.params.query
+ value: get_recent
+- set:
+ target: url.params.selector
+ value: time
+
+response.split:
+ target: body.data
+
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/ti_abusech/1.2.3/data_stream/malwarebazaar/elasticsearch/ingest_pipeline/default.yml b/packages/ti_abusech/1.2.3/data_stream/malwarebazaar/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..74ba72f1ed
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/data_stream/malwarebazaar/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,242 @@
+---
+description: Pipeline for parsing Abuse.ch URL Threat Intel
+processors:
+ ####################
+ # Event ECS fields #
+ ####################
+ - set:
+ field: ecs.version
+ value: "8.0.0"
+ - set:
+ field: event.kind
+ value: enrichment
+ - set:
+ field: event.category
+ value: threat
+ - set:
+ field: event.type
+ value: indicator
+
+ ######################
+ # General ECS fields #
+ ######################
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: abusech.malwarebazaar
+ - fingerprint:
+ fields:
+ - abusech.malwarebazaar.md5_hash
+ - abusech.malwarebazaar.sha256_hash
+ target_field: "_id"
+
+ #####################
+ # Threat ECS Fields #
+ #####################
+ - date:
+ field: abusech.malwarebazaar.first_seen
+ target_field: threat.indicator.first_seen
+ formats:
+ - "yyyy-MM-dd HH:mm:ss z"
+ - "yyyy-MM-dd HH:mm:ss Z"
+ - "yyyy-MM-dd HH:mm:ss"
+ if: "ctx.abusech?.malwarebazaar?.first_seen != null"
+ - date:
+ field: abusech.malwarebazaar.last_seen
+ target_field: threat.indicator.last_seen
+ formats:
+ - "yyyy-MM-dd HH:mm:ss z"
+ - "yyyy-MM-dd HH:mm:ss Z"
+ - "yyyy-MM-dd HH:mm:ss"
+ if: "ctx.abusech?.malwarebazaar?.last_seen != null"
+ - set:
+ field: threat.indicator.type
+ value: file
+ - rename:
+ field: abusech.malwarebazaar.file_name
+ target_field: threat.indicator.file.name
+ ignore_missing: true
+ - rename:
+ field: abusech.malwarebazaar.file_type_mime
+ target_field: threat.indicator.file.mime_type
+ ignore_missing: true
+ - rename:
+ field: abusech.malwarebazaar.reporter
+ target_field: threat.indicator.provider
+ ignore_missing: true
+ - rename:
+ field: abusech.malwarebazaar.origin_country
+ target_field: threat.indicator.geo.country_iso_code
+ ignore_missing: true
+ - rename:
+ field: abusech.malwarebazaar.signature
+ target_field: threat.software.alias
+ ignore_missing: true
+ - foreach:
+ field: abusech.malwarebazaar.code_sign
+ ignore_missing: true
+ processor:
+ rename:
+ field: _ingest._value.subject_cn
+ target_field: threat.indicator.file.x509.subject.common_name
+ - foreach:
+ field: abusech.malwarebazaar.code_sign
+ ignore_missing: true
+ processor:
+ rename:
+ field: _ingest._value.issuer_cn
+ target_field: threat.indicator.file.x509.issuer.common_name
+ - foreach:
+ field: abusech.malwarebazaar.code_sign
+ ignore_missing: true
+ processor:
+ rename:
+ field: _ingest._value.algorithm
+ target_field: threat.indicator.file.x509.public_key_algorithm
+ - foreach:
+ field: abusech.malwarebazaar.code_sign
+ ignore_missing: true
+ processor:
+ rename:
+ field: _ingest._value.valid_from
+ target_field: threat.indicator.file.x509.not_before
+ - foreach:
+ field: abusech.malwarebazaar.code_sign
+ ignore_missing: true
+ processor:
+ rename:
+ field: _ingest._value.valid_to
+ target_field: threat.indicator.file.x509.not_after
+ - foreach:
+ field: abusech.malwarebazaar.code_sign
+ ignore_missing: true
+ processor:
+ rename:
+ field: _ingest._value.serial_number
+ target_field: threat.indicator.file.x509.serial_number
+ - rename:
+ field: abusech.malwarebazaar.file_size
+ target_field: threat.indicator.file.size
+ ignore_missing: true
+ - rename:
+ field: abusech.malwarebazaar.file_type
+ target_field: threat.indicator.file.extension
+ ignore_missing: true
+ - rename:
+ field: abusech.malwarebazaar.md5_hash
+ target_field: threat.indicator.file.hash.md5
+ ignore_missing: true
+ - rename:
+ field: abusech.malwarebazaar.sha256_hash
+ target_field: threat.indicator.file.hash.sha256
+ ignore_missing: true
+ - rename:
+ field: abusech.malwarebazaar.sha1_hash
+ target_field: threat.indicator.file.hash.sha1
+ ignore_missing: true
+ - rename:
+ field: abusech.malwarebazaar.sha3_384_hash
+ target_field: threat.indicator.file.hash.sha384
+ ignore_missing: true
+ - rename:
+ field: abusech.malwarebazaar.imphash
+ target_field: threat.indicator.file.pe.imphash
+ ignore_missing: true
+ - rename:
+ field: abusech.malwarebazaar.ssdeep
+ target_field: threat.indicator.file.hash.ssdeep
+ ignore_missing: true
+ - rename:
+ field: abusech.malwarebazaar.tlsh
+ target_field: threat.indicator.file.hash.tlsh
+ ignore_missing: true
+ - rename:
+ field: abusech.malwarebazaar.telfhash
+ target_field: threat.indicator.file.elf.telfhash
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: "{{ threat.indicator.file.hash.md5 }}"
+ if: ctx?.threat?.indicator?.file?.hash?.md5 != null
+ - append:
+ field: related.hash
+ value: "{{ threat.indicator.file.hash.sha256 }}"
+ if: ctx?.threat?.indicator?.file?.hash?.sha256 != null
+ - append:
+ field: related.hash
+ value: "{{ threat.indicator.file.hash.ssdeep }}"
+ if: ctx?.threat?.indicator?.file?.hash?.ssdeep != null
+ - append:
+ field: related.hash
+ value: "{{ threat.indicator.file.pe.imphash }}"
+ if: ctx?.threat?.indicator?.file?.pe?.imphash != null
+ - append:
+ field: related.hash
+ value: "{{ threat.indicator.file.elf.telfhash }}"
+ if: ctx?.threat?.indicator?.file?.elf?.telfhash != null
+ - append:
+ field: related.hash
+ value: "{{ threat.indicator.file.hash.tlsh }}"
+ if: ctx?.threat?.indicator?.file?.hash?.tlsh != null
+ - convert:
+ field: threat.indicator.file.size
+ type: long
+ ignore_missing: true
+ - convert:
+ field: abusech.malwarebazaar.intelligence.downloads
+ type: long
+ ignore_missing: true
+ - convert:
+ field: abusech.malwarebazaar.intelligence.uploads
+ type: long
+ ignore_missing: true
+
+ ######################
+ # Cleanup processors #
+ ######################
+ - set:
+ field: threat.indicator.type
+ value: unknown
+ if: ctx?.threat?.indicator?.type == null
+ - script:
+ lang: painless
+ if: ctx?.abusech != null
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null);
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ }
+ handleMap(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+ - remove:
+ field:
+ - abusech.malwarebazaar.first_seen
+ - abusech.malwarebazaar.last_seen
+ - message
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/ti_abusech/1.2.3/data_stream/malwarebazaar/fields/agent.yml b/packages/ti_abusech/1.2.3/data_stream/malwarebazaar/fields/agent.yml
new file mode 100755
index 0000000000..da4e652c53
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/data_stream/malwarebazaar/fields/agent.yml
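Review bot: The rename in the middle of the hunk moves `abusech.malwarebazaar.sha3_384_hash` into `threat.indicator.file.hash.sha384`, but ECS `hash.sha384` is SHA-384 (SHA-2) while the source field name indicates SHA3-384, so stored values will never equal SHA-384 digests computed by other tools and any correlation on that field silently fails; unless ECS offers a SHA3 field, it is safer to leave the value under the `abusech.malwarebazaar.*` namespace (or a clearly named custom field) than to misfile it. Separately, each `foreach` over `code_sign` renames `_ingest._value.*` into a single scalar target such as `threat.indicator.file.x509.subject.common_name`; if the API returns more than one signature entry, the second `rename` fails because the target already exists, and with no `ignore_failure` the whole document falls through to `on_failure` with only `error.message` set, losing the indicator. Finally, `description: Pipeline for parsing Abuse.ch URL Threat Intel` appears to be copied from the URL pipeline and should read `Pipeline for parsing Abuse.ch MalwareBazaar Threat Intel`.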
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/ti_abusech/1.2.3/data_stream/malwarebazaar/fields/base-fields.yml b/packages/ti_abusech/1.2.3/data_stream/malwarebazaar/fields/base-fields.yml
new file mode 100755
index 0000000000..d71e6e59d4
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/data_stream/malwarebazaar/fields/base-fields.yml
@@ -0,0 +1,28 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: ti_abusech
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: ti_abusech.malwarebazaar
+- name: threat.feed.name
+ type: constant_keyword
+ description: Display friendly feed name
+ value: AbuseCH MalwareBazaar
+- name: threat.feed.dashboard_id
+ type: constant_keyword
+ description: Dashboard ID used for Kibana CTI UI
+ value: ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/ti_abusech/1.2.3/data_stream/malwarebazaar/fields/beats.yml b/packages/ti_abusech/1.2.3/data_stream/malwarebazaar/fields/beats.yml
new file mode 100755
index 0000000000..cb44bb2944
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/data_stream/malwarebazaar/fields/beats.yml
@@ -0,0 +1,12 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.flags
+ type: keyword
+ description: Flags for the log file.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
diff --git a/packages/ti_abusech/1.2.3/data_stream/malwarebazaar/fields/ecs.yml b/packages/ti_abusech/1.2.3/data_stream/malwarebazaar/fields/ecs.yml
new file mode 100755
index 0000000000..685f7565cb
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/data_stream/malwarebazaar/fields/ecs.yml 
@@ -0,0 +1,160 @@
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: Error message.
+ name: error.message
+ type: match_only_text
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
+ name: related.hash
+ type: keyword
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
+ `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
+ This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+ name: event.category
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
+ This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+ name: event.type
+ type: keyword
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ Type of indicator as represented by Cyber Observable in STIX 2.0.
+ Recommended values:
+ * autonomous-system
+ * artifact
+ * directory
+ * domain-name
+ * email-addr
+ * file
+ * ipv4-addr
+ * ipv6-addr
+ * mac-addr
+ * mutex
+ * port
+ * process
+ * software
+ * url
+ * user-account
+ * windows-registry-key
+ * x509-certificate
+ name: threat.indicator.type
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: The date and time when intelligence source first reported sighting this indicator.
+ name: threat.indicator.first_seen
+ type: date
+- description: The date and time when intelligence source last reported sighting this indicator.
+ name: threat.indicator.last_seen
+ type: date
+- description: |-
+ File size in bytes.
+ Only relevant when `file.type` is "file".
+ name: threat.indicator.file.size
+ type: long
+- description: File type (file, dir, or symlink).
+ name: threat.indicator.file.type
+ type: keyword
+- description: Name of the file including the extension, without the directory.
+ name: threat.indicator.file.name
+ type: keyword
+- description: |-
+ File extension, excluding the leading dot.
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+ name: threat.indicator.file.extension
+ type: keyword
+- description: SHA1 hash.
+ name: threat.indicator.file.hash.sha1
+ type: keyword
+- description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used.
+ name: threat.indicator.file.mime_type
+ type: keyword
+- description: |-
+ The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community.
+ While not required, you can use a MITRE ATT&CK® associated software description.
+ name: threat.software.alias
+ type: keyword
+- description: MD5 hash.
+ name: threat.indicator.file.hash.md5
+ type: keyword
+- description: SHA256 hash.
+ name: threat.indicator.file.hash.sha256
+ type: keyword
+- description: SSDEEP hash.
+ name: threat.indicator.file.hash.ssdeep
+ type: keyword
+- description: The file's sha384 hash, if available.
+ name: threat.indicator.file.hash.sha384
+ type: keyword
+- description: The file's import tlsh, if available.
+ name: threat.indicator.file.hash.tlsh
+ type: keyword
+- description: |-
+ A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values.
+ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
+ name: threat.indicator.file.pe.imphash
+ type: keyword
+- description: telfhash symbol hash for ELF file.
+ name: threat.indicator.file.elf.telfhash
+ type: keyword
+- description: List of common names (CN) of subject.
+ name: threat.indicator.file.x509.subject.common_name
+ type: keyword
+- description: List of common name (CN) of issuing certificate authority.
+ name: threat.indicator.file.x509.issuer.common_name
+ type: keyword
+- description: Algorithm used to generate the public key.
+ name: threat.indicator.file.x509.public_key_algorithm
+ type: keyword
+- description: Time at which the certificate is first considered valid.
+ name: threat.indicator.file.x509.not_before
+ type: date
+- description: Time at which the certificate is no longer considered valid.
+ name: threat.indicator.file.x509.not_after
+ type: date
+- description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+ name: threat.indicator.file.x509.serial_number
+ type: keyword
+- description: The name of the indicator's provider.
+ name: threat.indicator.provider
+ type: keyword
+- description: Country ISO code.
+ name: threat.indicator.geo.country_iso_code
+ type: keyword
diff --git a/packages/ti_abusech/1.2.3/data_stream/malwarebazaar/fields/fields.yml b/packages/ti_abusech/1.2.3/data_stream/malwarebazaar/fields/fields.yml
new file mode 100755
index 0000000000..8fab848b82
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/data_stream/malwarebazaar/fields/fields.yml
@@ -0,0 +1,45 @@
+- name: abusech.malwarebazaar
+ type: group
+ description: All fields related to AbuseCH URL indicators.
+ fields:
+ - name: tags
+ type: keyword
+ description: >
+ A list of tags associated with the queried malware sample.
+
+ - name: intelligence
+ type: group
+ fields:
+ - name: downloads
+ type: long
+ description: >
+ Number of downloads from MalwareBazaar.
+
+ - name: uploads
+ type: long
+ description: >
+ Number of uploads from MalwareBazaar.
+
+ - name: mail
+ type: group
+ fields:
+ - name: Generic
+ type: keyword
+ description: >
+ Malware seen in generic spam traffic.
+
+ - name: IT
+ type: keyword
+ description: >
+ Malware seen in IT spam traffic.
+
+ - name: anonymous
+ type: long
+ description: >
+ Identifies if the sample was submitted anonymously.
+
+ - name: code_sign
+ type: keyword
+ description: >
+ Code signing information for the sample.
+
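Review bot: The `description` on the `abusech.malwarebazaar` group reads `All fields related to AbuseCH URL indicators.`, which is the URL data stream's wording carried over; it should read `All fields related to AbuseCH MalwareBazaar indicators.`. The `anonymous` field is typed `long` while its description says it identifies whether the sample was submitted anonymously; the sample event in this commit carries the raw value `0`, so the type may be deliberate, but the description could state that it is a 0/1 flag rather than a boolean. The nested `mail.Generic` and `mail.IT` names are capitalized unlike every other key in the package; if they mirror the upstream JSON keys, a comment saying so would save the next reader a check.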
diff --git a/packages/ti_abusech/1.2.3/data_stream/malwarebazaar/manifest.yml b/packages/ti_abusech/1.2.3/data_stream/malwarebazaar/manifest.yml
new file mode 100755
index 0000000000..61b6d55edc
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/data_stream/malwarebazaar/manifest.yml
@@ -0,0 +1,68 @@
+type: logs
+title: AbuseCH MalwareBazaar logs
+streams:
+ - input: httpjson
+ vars:
+ - name: url
+ type: text
+ title: AbuseCH MalwareBazaar API endpoint
+ multi: false
+ required: true
+ show_user: false
+ default: https://mb-api.abuse.ch/api/v1/
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ multi: false
+ required: false
+ show_user: false
+ default: 30s
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:
+ - name: interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 10m
+ - name: ssl
+ type: yaml
+ title: SSL
+ multi: false
+ required: false
+ show_user: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - abusech-malwarebazaar
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: httpjson.yml.hbs
+ title: AbuseCH MalwareBazaar logs
+ description: Collect AbuseCH MalwareBazaar logs
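Review bot: The `proxy_url` description ends in `http[s]://:@:`, so the placeholder tokens for user, password, host and port appear to have been lost (most likely angle-bracketed and stripped somewhere in rendering), leaving users with no usable example; a form that survives is `description: 'URL to proxy connections, e.g. http[s]://USER:PASSWORD@HOST:PORT'`. The `ssl` var has no `description` at all, unlike every other var in the stream, so the UI shows only the title `SSL`; a one-liner such as `description: SSL options for the HTTP client (verification mode, CA certificates) as a YAML map` would help. The same two gaps are present in `data_stream/url/manifest.yml` in this commit.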
diff --git a/packages/ti_abusech/1.2.3/data_stream/malwarebazaar/sample_event.json b/packages/ti_abusech/1.2.3/data_stream/malwarebazaar/sample_event.json
new file mode 100755
index 0000000000..b17ab22ddc
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/data_stream/malwarebazaar/sample_event.json
@@ -0,0 +1,95 @@ +{ + "@timestamp": "2022-04-11T08:44:21.828Z", + "abusech": { + "malwarebazaar": { + "anonymous": 0, + "code_sign": [], + "intelligence": { + "downloads": 11, + "uploads": 1 + }, + "tags": [ + "exe", + "RedLineStealer" + ] + } + }, + "agent": { + "ephemeral_id": "15657330-8e8b-49be-b82d-529320d9c53c", + "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "ti_abusech.malwarebazaar", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-04-11T08:44:21.828Z", + "dataset": "ti_abusech.malwarebazaar", + "ingested": "2022-04-11T08:44:22Z", + "kind": "enrichment", + "original": "{\"anonymous\":0,\"code_sign\":[],\"dhash_icon\":null,\"file_name\":\"7a6c03013a2f2ab8b9e8e7e5d226ea89e75da72c1519e.exe\",\"file_size\":432640,\"file_type\":\"exe\",\"file_type_mime\":\"application/x-dosexec\",\"first_seen\":\"2021-10-05 14:02:45\",\"imphash\":\"f34d5f2d4577ed6d9ceec516c1f5a744\",\"intelligence\":{\"clamav\":null,\"downloads\":\"11\",\"mail\":null,\"uploads\":\"1\"},\"last_seen\":null,\"md5_hash\":\"1fc1c2997c8f55ac10496b88e23f5320\",\"origin_country\":\"FR\",\"reporter\":\"abuse_ch\",\"sha1_hash\":\"42c7153680d7402e56fe022d1024aab49a9901a0\",\"sha256_hash\":\"7a6c03013a2f2ab8b9e8e7e5d226ea89e75da72c1519e78fd28b2253ea755c28\",\"sha3_384_hash\":\"d63e73b68973bc73ab559549aeee2141a48b8a3724aabc0d81fb14603c163a098a5a10be9f6d33b888602906c0d89955\",\"signature\":\"RedLineStealer\",\"ssdeep\":\"12288:jhhl1Eo+iEXvpb1C7drqAd1uUaJvzXGyO2F5V3bS1jsTacr:7lL\",\"tags\":[\"exe\",\"RedLineStealer\"],\"telfhash\":null,\"tlsh\":\"T13794242864BFC05994E3EEA12DDCA8FBD99A55E3640C743301B4633B8B52B84DE4F479\"}", + "type": "indicator" + }, + "input": { + 
"type": "httpjson" + }, + "related": { + "hash": [ + "1fc1c2997c8f55ac10496b88e23f5320", + "7a6c03013a2f2ab8b9e8e7e5d226ea89e75da72c1519e78fd28b2253ea755c28", + "12288:jhhl1Eo+iEXvpb1C7drqAd1uUaJvzXGyO2F5V3bS1jsTacr:7lL", + "f34d5f2d4577ed6d9ceec516c1f5a744", + "T13794242864BFC05994E3EEA12DDCA8FBD99A55E3640C743301B4633B8B52B84DE4F479" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "abusech-malwarebazaar" + ], + "threat": { + "indicator": { + "file": { + "elf": {}, + "extension": "exe", + "hash": { + "md5": "1fc1c2997c8f55ac10496b88e23f5320", + "sha1": "42c7153680d7402e56fe022d1024aab49a9901a0", + "sha256": "7a6c03013a2f2ab8b9e8e7e5d226ea89e75da72c1519e78fd28b2253ea755c28", + "sha384": "d63e73b68973bc73ab559549aeee2141a48b8a3724aabc0d81fb14603c163a098a5a10be9f6d33b888602906c0d89955", + "ssdeep": "12288:jhhl1Eo+iEXvpb1C7drqAd1uUaJvzXGyO2F5V3bS1jsTacr:7lL", + "tlsh": "T13794242864BFC05994E3EEA12DDCA8FBD99A55E3640C743301B4633B8B52B84DE4F479" + }, + "mime_type": "application/x-dosexec", + "name": "7a6c03013a2f2ab8b9e8e7e5d226ea89e75da72c1519e.exe", + "pe": { + "imphash": "f34d5f2d4577ed6d9ceec516c1f5a744" + }, + "size": 432640 + }, + "first_seen": "2021-10-05T14:02:45.000Z", + "geo": { + "country_iso_code": "FR" + }, + "provider": "abuse_ch", + "type": "file" + }, + "software": { + "alias": "RedLineStealer" + } + } +} \ No newline at end of file diff --git a/packages/ti_abusech/1.2.3/data_stream/url/agent/stream/httpjson.yml.hbs b/packages/ti_abusech/1.2.3/data_stream/url/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..92be22f0b6 --- /dev/null +++ b/packages/ti_abusech/1.2.3/data_stream/url/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,38 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "GET"
+
+{{#if url}}
+request.url: {{url}}
+{{/if}}
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+request.transforms:
+- set:
+ target: header.Content-Type
+ value: application/json
+
+response.split:
+ target: body.urls
+
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/ti_abusech/1.2.3/data_stream/url/elasticsearch/ingest_pipeline/default.yml b/packages/ti_abusech/1.2.3/data_stream/url/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..1765d7608a
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/data_stream/url/elasticsearch/ingest_pipeline/default.yml
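Review bot: The templated scalars `request.url: {{url}}`, `request.proxy_url: {{proxy_url}}` and `request.timeout: {{http_client_timeout}}` are emitted unquoted, so a configured value containing `: `, ` #` or a leading YAML indicator would change the structure of the rendered input config instead of failing cleanly; quoting them as `request.url: "{{url}}"` (and likewise the proxy and timeout lines) costs nothing and matches how `config_version` and `request.method` are already written, while `request.ssl` must stay unquoted because its var is `yaml`-typed. The `{{#each tags as |tag i|}}` block declares an index `i` that is never used; `{{#each tags as |tag|}}` reads cleaner. The MalwareBazaar stream's template is not in this chunk, so I could not check whether it has the same shape.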
@@ -0,0 +1,123 @@
+---
+description: Pipeline for parsing Abuse.ch URL Threat Intel
+processors:
+ ####################
+ # Event ECS fields #
+ ####################
+ - set:
+ field: ecs.version
+ value: "8.0.0"
+ - set:
+ field: event.kind
+ value: enrichment
+ - set:
+ field: event.category
+ value: threat
+ - set:
+ field: event.type
+ value: indicator
+
+ ######################
+ # General ECS fields #
+ ######################
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: abusech.url
+ - fingerprint:
+ fields:
+ - abusech.url.id
+ target_field: "_id"
+
+ #####################
+ # Threat ECS Fields #
+ #####################
+ - set:
+ field: threat.indicator.type
+ value: url
+ - date:
+ field: abusech.url.date_added
+ target_field: threat.indicator.first_seen
+ formats:
+ - "yyyy-MM-dd HH:mm:ss z"
+ - "yyyy-MM-dd HH:mm:ss Z"
+ if: "ctx.abusech?.url?.date_added != null"
+ - uri_parts:
+ field: abusech.url.url
+ target_field: threat.indicator.url
+ keep_original: true
+ remove_if_successful: true
+ - set:
+ field: threat.indicator.url.full
+ value: "{{{threat.indicator.url.original}}}"
+ ignore_empty_value: true
+ - rename:
+ field: abusech.url.urlhaus_reference
+ target_field: threat.indicator.reference
+ ignore_missing: true
+
+ # Host can be both IP addresses and domain names
+ - grok:
+ field: abusech.url.host
+ patterns:
+ - "(?:%{IP:threat.indicator.ip}|%{GREEDYDATA:threat.indicator.url.domain})"
+ ignore_failure: true
+ - rename:
+ field: abusech.url.reporter
+ target_field: threat.indicator.provider
+ ignore_missing: true
+
+ ######################
+ # Cleanup processors #
+ ######################
+ - set:
+ field: threat.indicator.type
+ value: unknown
+ if: ctx?.threat?.indicator?.type == null
+ - convert:
+ field: abusech.url.larted
+ type: boolean
+ ignore_missing: true
+ - script:
+ lang: painless
+ if: ctx?.abusech != null
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null);
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ }
+ handleMap(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+ - remove:
+ field:
+ - abusech.url.date_added
+ - abusech.url.url
+ - abusech.url.host
+ - message
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/ti_abusech/1.2.3/data_stream/url/fields/agent.yml b/packages/ti_abusech/1.2.3/data_stream/url/fields/agent.yml
new file mode 100755
index 0000000000..da4e652c53
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/data_stream/url/fields/agent.yml
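Review bot: The Painless cleanup in the `script` processor removes only `null` values, so empty containers coming from the upstream JSON survive into the indexed document; the MalwareBazaar sample event in this same commit shows `"code_sign": []` and `"elf": {}` getting through, which suggests the sibling pipeline (not in view here) shares the gap. Extending the predicate to `map.values().removeIf(v -> v == null || (v instanceof Map && ((Map) v).isEmpty()) || (v instanceof List && ((List) v).isEmpty()));` and adding the same `removeIf` at the end of `handleList` would catch them, since each level recurses before it prunes. Separately, the cleanup `set` of `threat.indicator.type` to `unknown` can never fire: the earlier `set` in the Threat section assigns `url` unconditionally, so its `if` is always false. The `fingerprint` on `abusech.url.id` has no `ignore_missing`, so a record without `id` aborts the remaining processors and is indexed with `error.message` set and a generated `_id` instead of being deduplicated; `ignore_missing: true` would be the lenient choice if that is acceptable.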
@@ -0,0 +1,198 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
diff --git a/packages/ti_abusech/1.2.3/data_stream/url/fields/base-fields.yml b/packages/ti_abusech/1.2.3/data_stream/url/fields/base-fields.yml
new file mode 100755
index 0000000000..516451aa4c
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/data_stream/url/fields/base-fields.yml
@@ -0,0 +1,28 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: ti_abusech
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: ti_abusech.url
+- name: threat.feed.name
+ type: constant_keyword
+ description: Display friendly feed name
+ value: AbuseCH URL
+- name: threat.feed.dashboard_id
+ type: constant_keyword
+ description: Dashboard ID used for Kibana CTI UI
+ value: ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/ti_abusech/1.2.3/data_stream/url/fields/beats.yml b/packages/ti_abusech/1.2.3/data_stream/url/fields/beats.yml
new file mode 100755
index 0000000000..cb44bb2944
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/data_stream/url/fields/beats.yml
@@ -0,0 +1,12 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.flags
+ type: keyword
+ description: Flags for the log file.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
diff --git a/packages/ti_abusech/1.2.3/data_stream/url/fields/ecs.yml b/packages/ti_abusech/1.2.3/data_stream/url/fields/ecs.yml
new file mode 100755
index 0000000000..40047f4b1f
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/data_stream/url/fields/ecs.yml
@@ -0,0 +1,133 @@
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: Error message.
+ name: error.message
+ type: match_only_text
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
+ `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
+ This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+ name: event.category
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
+ This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+ name: event.type
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. 
It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ Type of indicator as represented by Cyber Observable in STIX 2.0.
+ Recommended values:
+ * autonomous-system
+ * artifact
+ * directory
+ * domain-name
+ * email-addr
+ * file
+ * ipv4-addr
+ * ipv6-addr
+ * mac-addr
+ * mutex
+ * port
+ * process
+ * software
+ * url
+ * user-account
+ * windows-registry-key
+ * x509-certificate
+ name: threat.indicator.type
+ type: keyword
+- description: Reference URL linking to additional information about this indicator.
+ name: threat.indicator.reference
+ type: keyword
+- description: The date and time when intelligence source first reported sighting this indicator.
+ name: threat.indicator.first_seen
+ type: date
+- description: |-
+ Domain of the url, such as "www.elastic.co".
+ In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
+ If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+ name: threat.indicator.url.domain
+ type: keyword
+- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: threat.indicator.url.full
+ type: wildcard
+- description: |-
+ The field contains the file extension from the original request url, excluding the leading dot.
+ The file extension is only set if it exists, as not every url has a file extension.
+ The leading period must not be included. For example, the value must be "png", not ".png".
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+ name: threat.indicator.url.extension
+ type: keyword
+- description: |-
+ Unmodified original url as seen in the event source.
+ Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
+ This field is meant to represent the URL as it was observed, complete or not.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: threat.indicator.url.original
+ type: wildcard
+- description: Path of the request, such as "/search".
+ name: threat.indicator.url.path
+ type: wildcard
+- description: Port of the request, such as 443.
+ name: threat.indicator.url.port
+ type: long
+- description: |-
+ Scheme of the request, such as "https".
+ Note: The `:` is not part of the scheme.
+ name: threat.indicator.url.scheme
+ type: keyword
+- description: |-
+ The query field describes the query string of the request, such as "q=elasticsearch".
+ The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+ name: threat.indicator.url.query
+ type: keyword
+- description: Identifies a threat indicator as an IP address (irrespective of direction).
+ name: threat.indicator.ip
+ type: ip
+- description: The name of the indicator's provider.
+ name: threat.indicator.provider
+ type: keyword
diff --git a/packages/ti_abusech/1.2.3/data_stream/url/fields/fields.yml b/packages/ti_abusech/1.2.3/data_stream/url/fields/fields.yml
new file mode 100755
index 0000000000..63f361d48e
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/data_stream/url/fields/fields.yml
@@ -0,0 +1,49 @@
+- name: abusech.url
+ type: group
+ description: All fields related to AbuseCH URL indicators.
+ fields:
+ - name: id
+ type: keyword
+ description: >
+ The ID of the indicator.
+
+ - name: urlhaus_reference
+ type: keyword
+ description: >
+ Link to URLhaus entry.
+
+ - name: url_status
+ type: keyword
+ description: >
+ The current status of the URL. Possible values are: online, offline and unknown.
+
+ - name: threat
+ type: keyword
+ description: >
+ The threat corresponding to this malware URL.
+
+ - name: reporter
+ type: keyword
+ description: >
+ The Twitter handle of the reporter that has reported this malware URL (or anonymous).
+
+ - name: larted
+ type: boolean
+ description: >
+ Indicates whether the malware URL has been reported to the hosting provider (true or false)
+
+ - name: tags
+ type: keyword
+ description: >
+ A list of tags associated with the queried malware URL
+
+ - name: blacklists.spamhaus_dbl
+ type: keyword
+ description: >
+ If the indicator is listed on the spamhaus blacklist.
+
+ - name: blacklists.surbl
+ type: keyword
+ description: >
+ If the indicator is listed on the surbl blacklist.
+
diff --git a/packages/ti_abusech/1.2.3/data_stream/url/manifest.yml b/packages/ti_abusech/1.2.3/data_stream/url/manifest.yml
new file mode 100755
index 0000000000..d138d7f3ac
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/data_stream/url/manifest.yml
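Review bot: The descriptions of `blacklists.spamhaus_dbl` and `blacklists.surbl` ("If the indicator is listed on the spamhaus blacklist.") read like a yes/no predicate, yet both fields are `keyword` and the sample event in this commit carries the status string `not listed`; wording them as a status, e.g. `description: Listing status of the indicator on the Spamhaus DBL (for example "not listed").`, keeps the documentation consistent with the mapping. All nine descriptions use the folded `>` block, which keeps a trailing newline in the value; `>-` yields the same text without it. The `larted` and `tags` descriptions are also the only ones without the terminal period the others have.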
@@ -0,0 +1,68 @@
+type: logs
+title: AbuseCH URL logs
+streams:
+ - input: httpjson
+ vars:
+ - name: url
+ type: text
+ title: AbuseCH URL API endpoint
+ multi: false
+ required: true
+ show_user: false
+ default: https://urlhaus-api.abuse.ch/v1/urls/recent/
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ multi: false
+ required: false
+ show_user: false
+ default: 30s
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:
+ - name: interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 10m
+ - name: ssl
+ type: yaml
+ title: SSL
+ multi: false
+ required: false
+ show_user: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - abusech-url
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: httpjson.yml.hbs
+ title: AbuseCH URL logs
+ description: Collect AbuseCH URL logs
diff --git a/packages/ti_abusech/1.2.3/data_stream/url/sample_event.json b/packages/ti_abusech/1.2.3/data_stream/url/sample_event.json
new file mode 100755
index 0000000000..2ed40825e3
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/data_stream/url/sample_event.json
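Review bot: The `ssl` var is the only stream variable without a `description`, so the Fleet form offers a bare YAML box with no hint of the accepted keys; a line such as `description: SSL options for the connection to the AbuseCH API (for example certificate_authorities). Leave verification_mode at its default of full.` would close that gap. The `proxy_url` description reads `http[s]://:@:` here; if the placeholders between the separators were lost in the file rather than in this rendering, restore them, e.g. `http[s]://<user>:<password>@<host>:<port>`, and since any credentials embedded there travel as an ordinary `text` var (presumably stored like every other plain policy value), saying so in the description helps operators decide what to put there. The `preserve_original_event` var also lists its keys in a different order (`required`, `show_user`, `title`, `description`, `type`) from every other var in the stream; aligning it with the `name`, `type`, `title`, `multi`, `required`, `show_user` order used elsewhere makes the block easier to scan.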
@@ -0,0 +1,71 @@ +{ + "@timestamp": "2022-04-11T08:44:51.227Z", + "abusech": { + "url": { + "blacklists": { + "spamhaus_dbl": "not listed", + "surbl": "not listed" + }, + "id": "1656008", + "larted": true, + "threat": "malware_download", + "url_status": "online" + } + }, + "agent": { + "ephemeral_id": "7dd3429b-dcc4-46c1-8b32-b3d1452126fd", + "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "ti_abusech.url", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "0cd371ed-8f03-437b-909d-8daccf9843fc", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-04-11T08:44:51.227Z", + "dataset": "ti_abusech.url", + "ingested": "2022-04-11T08:44:52Z", + "kind": "enrichment", + "original": "{\"blacklists\":{\"spamhaus_dbl\":\"not listed\",\"surbl\":\"not listed\"},\"date_added\":\"2021-10-05 13:57:05 UTC\",\"host\":\"120.85.169.98\",\"id\":\"1656008\",\"larted\":\"true\",\"reporter\":\"tammeto\",\"tags\":null,\"threat\":\"malware_download\",\"url\":\"http://120.85.169.98:55871/mozi.m\",\"url_status\":\"online\",\"urlhaus_reference\":\"https://urlhaus.abuse.ch/url/1656008/\"}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "abusech-url" + ], + "threat": { + "indicator": { + "first_seen": "2021-10-05T13:57:05.000Z", + "ip": "120.85.169.98", + "provider": "tammeto", + "reference": "https://urlhaus.abuse.ch/url/1656008/", + "type": "url", + "url": { + "domain": "120.85.169.98", + "extension": "m", + "full": "http://120.85.169.98:55871/mozi.m", + "original": "http://120.85.169.98:55871/mozi.m", + "path": "/mozi.m", + "port": 55871, + "scheme": "http" + } + } + } +} \ No newline at end of file 
diff --git a/packages/ti_abusech/1.2.3/docs/README.md b/packages/ti_abusech/1.2.3/docs/README.md new file mode 100755 index 0000000000..7f0e4de6ec --- /dev/null +++ b/packages/ti_abusech/1.2.3/docs/README.md 
@@ -0,0 +1,262 @@ +# AbuseCH integration + +This integration is for AbuseCH logs. It includes the following datasets for retrieving logs from the AbuseCH API: + +- `url` dataset: Supports URL based indicators from AbuseCH API. +- `malware` dataset: Supports Malware based indicators from AbuseCH API. +- `malwarebazaar` dataset: Supports indicators from the MalwareBazaar from AbuseCH. + +## Logs + +### URL + +The AbuseCH URL data_stream retrieves threat intelligence indicators from the URL API endpoint `https://urlhaus-api.abuse.ch/v1/urls/recent/`. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| abusech.url.blacklists.spamhaus_dbl | If the indicator is listed on the spamhaus blacklist. | keyword | +| abusech.url.blacklists.surbl | If the indicator is listed on the surbl blacklist. | keyword | +| abusech.url.id | The ID of the indicator. | keyword | +| abusech.url.larted | Indicates whether the malware URL has been reported to the hosting provider (true or false) | boolean | +| abusech.url.reporter | The Twitter handle of the reporter that has reported this malware URL (or anonymous). | keyword | +| abusech.url.tags | A list of tags associated with the queried malware URL | keyword | +| abusech.url.threat | The threat corresponding to this malware URL. | keyword | +| abusech.url.url_status | The current status of the URL. Possible values are: online, offline and unknown. | keyword | +| abusech.url.urlhaus_reference | Link to URLhaus entry. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. 
| keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. 
| keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | +| threat.feed.name | Display friendly feed name | constant_keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | +| threat.indicator.provider | The name of the indicator's provider. | keyword | +| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword | +| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | +| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | +| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | +| threat.indicator.url.port | Port of the request, such as 443. | long | +| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. 
| keyword | + + +The AbuseCH malware data_stream retrieves threat intelligence indicators from the payload API endpoint `https://urlhaus-api.abuse.ch/v1/payloads/recent/`. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| abusech.malware.signature | Malware familiy. | keyword | +| abusech.malware.virustotal.link | Link to the Virustotal report. | keyword | +| abusech.malware.virustotal.percent | AV detection in percent. | float | +| abusech.malware.virustotal.result | AV detection ration. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). 
| keyword | +| tags | List of keywords used to tag each event. | keyword | +| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | +| threat.feed.name | Display friendly feed name | constant_keyword | +| threat.indicator.file.hash.md5 | MD5 hash. | keyword | +| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | +| threat.indicator.file.hash.ssdeep | SSDEEP hash. | keyword | +| threat.indicator.file.hash.tlsh | The file's import tlsh, if available. | keyword | +| threat.indicator.file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| threat.indicator.file.type | File type (file, dir, or symlink). | keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.provider | The name of the indicator's provider. | keyword | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword | + + +The AbuseCH malwarebazaar data_stream retrieves threat intelligence indicators from the MalwareBazaar API endpoint `https://mb-api.abuse.ch/api/v1/`. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| abusech.malwarebazaar.anonymous | Identifies if the sample was submitted anonymously. 
| long | +| abusech.malwarebazaar.code_sign | Code signing information for the sample. | keyword | +| abusech.malwarebazaar.intelligence.downloads | Number of downloads from MalwareBazaar. | long | +| abusech.malwarebazaar.intelligence.mail.Generic | Malware seen in generic spam traffic. | keyword | +| abusech.malwarebazaar.intelligence.mail.IT | Malware seen in IT spam traffic. | keyword | +| abusech.malwarebazaar.intelligence.uploads | Number of uploads from MalwareBazaar. | long | +| abusech.malwarebazaar.tags | A list of tags associated with the queried malware sample. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Type of Filebeat input. | keyword |
+| log.file.path | Path to the log file. | keyword |
+| log.flags | Flags for the log file. | keyword |
+| log.offset | Offset of the entry in the log file. | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). 
| keyword |
+| tags | List of keywords used to tag each event. | keyword |
+| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword |
+| threat.feed.name | Display friendly feed name | constant_keyword |
+| threat.indicator.file.elf.telfhash | telfhash symbol hash for ELF file. | keyword |
+| threat.indicator.file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| threat.indicator.file.hash.md5 | MD5 hash. | keyword |
+| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
+| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
+| threat.indicator.file.hash.sha384 | The file's sha384 hash, if available. | keyword |
+| threat.indicator.file.hash.ssdeep | SSDEEP hash. | keyword |
+| threat.indicator.file.hash.tlsh | The file's import tlsh, if available. | keyword |
+| threat.indicator.file.mime_type | MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. | keyword |
+| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword |
+| threat.indicator.file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword |
+| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long |
+| threat.indicator.file.type | File type (file, dir, or symlink). 
| keyword |
+| threat.indicator.file.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
+| threat.indicator.file.x509.not_after | Time at which the certificate is no longer considered valid. | date |
+| threat.indicator.file.x509.not_before | Time at which the certificate is first considered valid. | date |
+| threat.indicator.file.x509.public_key_algorithm | Algorithm used to generate the public key. | keyword |
+| threat.indicator.file.x509.serial_number | Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. | keyword |
+| threat.indicator.file.x509.subject.common_name | List of common names (CN) of subject. | keyword |
+| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
+| threat.indicator.geo.country_iso_code | Country ISO code. | keyword |
+| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
+| threat.indicator.provider | The name of the indicator's provider. | keyword |
+| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword |
+| threat.software.alias | The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® associated software description. | keyword |
diff --git a/packages/ti_abusech/1.2.3/img/abusech2.svg b/packages/ti_abusech/1.2.3/img/abusech2.svg
new file mode 100755
index 0000000000..6a0c76dd2c
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/img/abusech2.svg
@@ -0,0 +1,76 @@
+ + + +
diff --git a/packages/ti_abusech/1.2.3/kibana/dashboard/ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420.json b/packages/ti_abusech/1.2.3/kibana/dashboard/ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420.json
new file mode 100755
index 0000000000..59a4a7e24c
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/kibana/dashboard/ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420.json
@@ -0,0 +1,137 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about URL type indicators from the AbuseCH integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.dataset\",\"negate\":false,\"params\":[\"ti_abusech.malware\",\"ti_abusech.malwarebazaar\",\"ti_abusech.url\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malware\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malwarebazaar\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.url\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"url\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"url\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[AbuseCH Overview](/app/dashboards#/view/ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6) \\n[AbuseCH Files](/app/dashboards#/view/ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6) \\n**[AbuseCH URLs (This Page)](/app/dashboards#/view/ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420)** \\n\\n[Integrations Page](/app/integrations/detail/ti_abusech/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different 
threat intelligence indicators with a **threat.indicator.type: url**. \\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, file extensions, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs AbuseCH]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"88a112e1-6da1-49d3-9177-19f98280c200\":{\"columnOrder\":[\"604f1693-15a6-437d-af69-03588db8e471\"],\"columns\":{\"604f1693-15a6-437d-af69-03588db8e471\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Ports\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"604f1693-15a6-437d-af69-03588db8e471\",\"layerId\":\"88a112e1-6da1-49d3-9177-19f98280c200\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"w\":5,\"x\":7,\"y\":0},\"panelIndex\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"title\":\"Unique Ports [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a6fa56f8-32fa-405d-8771-dade4fe75d62\":{\"columnOrder\":[\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\"],\"columns\":{\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Extensions\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\",\"layerId\":\"a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"w\":6,\"x\":12,\"y\":0},\"panelIndex\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"title\":\"Unique File Extensions [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c94400ee-a135-4a99-9693-5879d29f7aad\":{\"columnOrder\":[\"2934249f-fce5-4637-87ff-d2596d1b6ec5\"],\"columns\":{\"2934249f-fce5-4637-87ff-d2596d1b6ec5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2934249f-fce5-4637-87ff-d2596d1b6ec5\",\"layerId\":\"c94400ee-a135-4a99-9693-5879d29f7aad\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"w\":6,\"x\":18,\"y\":0},\"panelIndex\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"title\":\"Unique Domains [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-72aa700a-49b6-4a2f-b380-24ebe7124ec1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"72aa700a-49b6-4a2f-b380-24ebe7124ec1\":{\"columnOrder\":[\"0389e125-4ae6-412a-a4af-2fa28f18c412\"],\"columns\":{\"0389e125-4ae6-412a-a4af-2fa28f18c412\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"abusech.url.blacklists.spamhaus_dbl: * and not abusech.url.blacklists.spamhaus_dbl:\\\"not listed\\\" \"},\"isBucketed\":false,\"label\":\"Indicators on Spamhaus 
DBL\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"0389e125-4ae6-412a-a4af-2fa28f18c412\",\"layerId\":\"72aa700a-49b6-4a2f-b380-24ebe7124ec1\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"8272f9f8-d835-4e4c-9e63-7cdbfb14d190\",\"w\":6,\"x\":24,\"y\":0},\"panelIndex\":\"8272f9f8-d835-4e4c-9e63-7cdbfb14d190\",\"title\":\"Spamhaus Count [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4fe4b45f-8f52-4794-a386-8e3f6352aa25\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4fe4b45f-8f52-4794-a386-8e3f6352aa25\":{\"columnOrder\":[\"e7b09852-9ec8-4a42-a3c7-faf909c1997a\"],\"columns\":{\"e7b09852-9ec8-4a42-a3c7-faf909c1997a\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"abusech.url.blacklists.surbl: * and not abusech.url.blacklists.surbl:\\\"not listed\\\" \"},\"isBucketed\":false,\"label\":\"Indicators on 
SURBL\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"e7b09852-9ec8-4a42-a3c7-faf909c1997a\",\"layerId\":\"4fe4b45f-8f52-4794-a386-8e3f6352aa25\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"7c8e2070-5b71-4eb5-ae52-e95ef5a17ba6\",\"w\":6,\"x\":30,\"y\":0},\"panelIndex\":\"7c8e2070-5b71-4eb5-ae52-e95ef5a17ba6\",\"title\":\"Surbl Counter [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8f36a8c1-19df-4eba-8fa5-4f259d349375\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8f36a8c1-19df-4eba-8fa5-4f259d349375\":{\"columnOrder\":[\"efd6bc64-ffcd-42fe-8218-0795986addc4\"],\"columns\":{\"efd6bc64-ffcd-42fe-8218-0795986addc4\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"abusech.url.url_status: \\\"online\\\" \"},\"isBucketed\":false,\"label\":\"URL's Online\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"efd6bc64-ffcd-42fe-8218-0795986addc4\",\"layerId\":\"8f36a8c1-19df-4eba-8fa5-4f259d349375\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"a96389e6-d361-457e-afc1-0dbdb35ee7e0\",\"w\":6,\"x\":36,\"y\":0},\"panelIndex\":\"a96389e6-d361-457e-afc1-0dbdb35ee7e0\",\"title\":\"URLs Online 
[Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-471ad94f-c181-4ffb-a640-1666974adb33\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"471ad94f-c181-4ffb-a640-1666974adb33\":{\"columnOrder\":[\"8cd8034f-16bf-4a7a-b816-950498dc1f90\"],\"columns\":{\"8cd8034f-16bf-4a7a-b816-950498dc1f90\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"abusech.url.url_status:\\\"offline\\\" \"},\"isBucketed\":false,\"label\":\"URL's Offline\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"8cd8034f-16bf-4a7a-b816-950498dc1f90\",\"layerId\":\"471ad94f-c181-4ffb-a640-1666974adb33\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"b2904153-3afd-41a7-8f5f-01b76b8346ec\",\"w\":6,\"x\":42,\"y\":0},\"panelIndex\":\"b2904153-3afd-41a7-8f5f-01b76b8346ec\",\"title\":\"URLs Offline [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0f63318a-a857-4d83-89ce-a94e2242b79e\":{\"columnOrder\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\",\"77a48096-02aa-4b7a-8a7b-131fc38988bd\"],\"columns\":{\"77a48096-02aa-4b7a-8a7b-131fc38988bd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"df0791a6-247c-4434-a43a-fdea7577ca34\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.url.scheme\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.scheme\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\"],\"layerId\":\"0f63318a-a857-4d83-89ce-a94e2242b79e\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"w\":18,\"x\":7,\"y\":8},\"panelIndex\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"title\":\"Percentage of URL Schema used [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9fa49c4c-5544-472d-afce-e51d6a5687fe\":{\"columnOrder\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\"],\"columns\":{\"15e2b5ad-2040-4253-89a6-60f085c66f86\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.url.extension\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.extension\"},\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"15e2b5ad-2040-4253-89a6-60f085c66f86\"],\"layerId\":\"9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":31,\"i\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"w\":23,\"x\":25,\"y\":8},\"panelIndex\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"title\":\"Most Popular File Extensions [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"db89074c-e1fe-4091-bdb1-e42a36e82bac\":{\"columnOrder\":[\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\"],\"columns\":{\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"isTransposed\":false},{\"columnId\":\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"isTransposed\":false}],\"layerId\":\"db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"w\":18,\"x\":7,\"y\":23},\"panelIndex\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"title\":\"Most Popular Domains [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs AbuseCH] URLs", + "version": 1 
+ }, + "coreMigrationVersion": "8.0.0", + "id": "ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8272f9f8-d835-4e4c-9e63-7cdbfb14d190:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8272f9f8-d835-4e4c-9e63-7cdbfb14d190:indexpattern-datasource-layer-72aa700a-49b6-4a2f-b380-24ebe7124ec1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7c8e2070-5b71-4eb5-ae52-e95ef5a17ba6:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7c8e2070-5b71-4eb5-ae52-e95ef5a17ba6:indexpattern-datasource-layer-4fe4b45f-8f52-4794-a386-8e3f6352aa25", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "a96389e6-d361-457e-afc1-0dbdb35ee7e0:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a96389e6-d361-457e-afc1-0dbdb35ee7e0:indexpattern-datasource-layer-8f36a8c1-19df-4eba-8fa5-4f259d349375", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b2904153-3afd-41a7-8f5f-01b76b8346ec:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b2904153-3afd-41a7-8f5f-01b76b8346ec:indexpattern-datasource-layer-471ad94f-c181-4ffb-a640-1666974adb33", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", + "type": "index-pattern" + }, + { + "id": "ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6", + "name": "tag-ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file 
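Review bot: The treemap layer for the "Most Popular File Extensions [Logs AbuseCH]" panel lists the same column id twice in its `groups` array (`\"groups\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"15e2b5ad-2040-4253-89a6-60f085c66f86\"]`), which looks like a copy/paste leftover; a single-entry array `\"groups\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\"]` matches the other Lens pie layer in this file and avoids relying on Lens tolerating a duplicate group. The markdown navigation panel on this URL dashboard is titled `Files Navigation Textbox [Logs AbuseCH]` although the dashboard is `[Logs AbuseCH] URLs`; the title is hidden by `hidePanelTitles` but still shows in the saved-object inspector, so `URLs Navigation Textbox [Logs AbuseCH]` would be more accurate. The file is also committed without a trailing newline, which the `\ No newline at end of file` marker records.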
diff --git a/packages/ti_abusech/1.2.3/kibana/dashboard/ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6.json b/packages/ti_abusech/1.2.3/kibana/dashboard/ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6.json
new file mode 100755
index 0000000000..c27db69f53
--- /dev/null
+++ b/packages/ti_abusech/1.2.3/kibana/dashboard/ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6.json
@@ -0,0 +1,147 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about file type indicators from the AbuseCH integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.dataset\",\"negate\":false,\"params\":[\"ti_abusech.malware\",\"ti_abusech.malwarebazaar\",\"ti_abusech.url\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malware\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malwarebazaar\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.url\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"file\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"file\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[AbuseCH Overview](/app/dashboards#/view/ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6) \\n**[AbuseCH Files (This 
Page)](/app/dashboards#/view/ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6)** \\n[AbuseCH URLs](/app/dashboards#/view/ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420) \\n\\n[Integrations Page](/app/integrations/detail/ti_abusech/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: file**.\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like hash type counters, popular domains, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"Files Navigation Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":46,\"i\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-2e2257a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\":{\"columnOrder\":[\"8622e147-406f-4711-8f68-e2425614106e\"],\"columns\":{\"8622e147-406f-4711-8f68-e2425614106e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique File 
types\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"8622e147-406f-4711-8f68-e2425614106e\",\"layerId\":\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"layerType\":\"data\"}},\"title\":\"Unique File Types [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"w\":5,\"x\":7,\"y\":0},\"panelIndex\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"title\":\"Unique File Types [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-d888e3e0-3b38-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b83c382d-fab9-4e60-a632-475e221cc20c\":{\"columnOrder\":[\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\"],\"columns\":{\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique MD5\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.md5\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\",\"layerId\":\"b83c382d-fab9-4e60-a632-475e221cc20c\",\"layerType\":\"data\"}},\"title\":\"Unique MD5 [Logs 
AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"w\":6,\"x\":12,\"y\":0},\"panelIndex\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"title\":\"Unique MD5 [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-28549810-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"85ad73b3-3b76-49f1-ad20-6256b58918f8\":{\"columnOrder\":[\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\"],\"columns\":{\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA1\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha1\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\",\"layerId\":\"85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"layerType\":\"data\"}},\"title\":\"Unique SHA1 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"w\":6,\"x\":18,\"y\":0},\"panelIndex\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"title\":\"Unique SHA1 [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-5d6111a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49b7070a-f1d3-46e1-a980-2f6d6d130167\":{\"columnOrder\":[\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\"],\"columns\":{\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA256\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha256\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\",\"layerId\":\"49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"layerType\":\"data\"}},\"title\":\"Unique SHA256 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"w\":6,\"x\":24,\"y\":0},\"panelIndex\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"title\":\"Unique SHA256 [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-52e62840-3b3a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"12768311-834b-48d5-8aad-d17d139c2ae5\":{\"columnOrder\":[\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\"],\"columns\":{\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique TLSH\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.tlsh\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\",\"layerId\":\"12768311-834b-48d5-8aad-d17d139c2ae5\",\"layerType\":\"data\"}},\"title\":\"Unique TLSH [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"b77edd3f-b171-4e61-b519-169b5aade031\",\"w\":6,\"x\":30,\"y\":0},\"panelIndex\":\"b77edd3f-b171-4e61-b519-169b5aade031\",\"title\":\"Unique TLSH [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9070dc46-c06d-4b64-a2c5-7b6d4056a14d\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-4f8c9d00-3b3a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9070dc46-c06d-4b64-a2c5-7b6d4056a14d\":{\"columnOrder\":[\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\"],\"columns\":{\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Imphash\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.pe.imphash\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\",\"layerId\":\"9070dc46-c06d-4b64-a2c5-7b6d4056a14d\",\"layerType\":\"data\"}},\"title\":\"Unique Imphash [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"f9eb44f8-6174-4b12-a8ca-5c542687006b\",\"w\":6,\"x\":36,\"y\":0},\"panelIndex\":\"f9eb44f8-6174-4b12-a8ca-5c542687006b\",\"title\":\"Unique Imphash [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e27d5a76-ae51-44fa-b17e-e486bbc01b56\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-88ef6dd0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e27d5a76-ae51-44fa-b17e-e486bbc01b56\":{\"columnOrder\":[\"b5cdfd94-1e22-4673-8216-59aca2131761\"],\"columns\":{\"b5cdfd94-1e22-4673-8216-59aca2131761\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SSDEEP\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.ssdeep\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b5cdfd94-1e22-4673-8216-59aca2131761\",\"layerId\":\"e27d5a76-ae51-44fa-b17e-e486bbc01b56\",\"layerType\":\"data\"}},\"title\":\"Unique SSDEEP [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c9d59178-9b19-4255-8098-653cb30f3d09\",\"w\":6,\"x\":42,\"y\":0},\"panelIndex\":\"c9d59178-9b19-4255-8098-653cb30f3d09\",\"title\":\"Unique SSDEEP [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-118b51de-bd55-4ed6-b916-c939ad73b2c3\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"b8c9d8e0-3bb8-11ec-ae8c-7d00429ad420\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"118b51de-bd55-4ed6-b916-c939ad73b2c3\":{\"columnOrder\":[\"1ada77b6-5741-44ff-a00d-4653fca22f84\",\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\"],\"columns\":{\"1ada77b6-5741-44ff-a00d-4653fca22f84\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top Countries\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.geo.country_iso_code\"},\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Countries\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ada77b6-5741-44ff-a00d-4653fca22f84\"],\"layerId\":\"118b51de-bd55-4ed6-b916-c939ad73b2c3\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Top Countries [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"6189e979-9121-4247-9942-fa7a3cc3839c\",\"w\":20,\"x\":7,\"y\":8},\"panelIndex\":\"6189e979-9121-4247-9942-fa7a3cc3839c\",\"title\":\"Top Countries [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-4ee4a490-3b37-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\":{\"columnOrder\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\",\"de0e531b-dda7-461f-9783-3ab9267d202e\"],\"columns\":{\"06b603cb-c9fb-493a-9ca4-e6502ca12054\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.file.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.type\"},\"de0e531b-dda7-461f-9783-3ab9267d202e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\"],\"layerId\":\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"File Types [Logs AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"w\":21,\"x\":27,\"y\":8},\"panelIndex\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"title\":\"File Types [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Based on count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Most seen indicator tags\",\"field\":\"abusech.malwarebazaar.tags\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Most seen indicator tags [Logs 
AbuseCH]\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":19,\"i\":\"d1788a2e-c400-4d7b-9251-a8e5a806b6ef\",\"w\":20,\"x\":7,\"y\":27},\"panelIndex\":\"d1788a2e-c400-4d7b-9251-a8e5a806b6ef\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"2d0c0ec0-3bbf-11ec-ae8c-7d00429ad420\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"06d9ac79-2055-437e-892c-de9ee07fe674\":{\"columnOrder\":[\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"df062557-78a5-4a78-93f1-34583c809bc3\"],\"columns\":{\"35f5321a-27f4-4076-9d1d-d326187f4689\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"File Names\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.name\"},\"df062557-78a5-4a78-93f1-34583c809bc3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"isTransposed\":false},{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"isTransposed\":false}],\"layerId\":\"06d9ac79-2055-437e-892c-de9ee07fe674\",\"layerType\":\"data\"}},\"title\":\"Most popular file names [Logs 
AbuseCH]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"w\":21,\"x\":27,\"y\":27},\"panelIndex\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"title\":\"Most popular file names [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs AbuseCH] Files", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b77edd3f-b171-4e61-b519-169b5aade031:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b77edd3f-b171-4e61-b519-169b5aade031:indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f9eb44f8-6174-4b12-a8ca-5c542687006b:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f9eb44f8-6174-4b12-a8ca-5c542687006b:indexpattern-datasource-layer-9070dc46-c06d-4b64-a2c5-7b6d4056a14d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c9d59178-9b19-4255-8098-653cb30f3d09:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c9d59178-9b19-4255-8098-653cb30f3d09:indexpattern-datasource-layer-e27d5a76-ae51-44fa-b17e-e486bbc01b56", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6189e979-9121-4247-9942-fa7a3cc3839c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6189e979-9121-4247-9942-fa7a3cc3839c:indexpattern-datasource-layer-118b51de-bd55-4ed6-b916-c939ad73b2c3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d1788a2e-c400-4d7b-9251-a8e5a806b6ef:kibanaSavedObjectMeta.searchSourceJSON.index", + 
"type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674", + "type": "index-pattern" + }, + { + "id": "ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6", + "name": "tag-ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ti_abusech/1.2.3/kibana/dashboard/ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6.json b/packages/ti_abusech/1.2.3/kibana/dashboard/ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6.json new file mode 100755 index 0000000000..103067d9d5 --- /dev/null +++ b/packages/ti_abusech/1.2.3/kibana/dashboard/ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6.json 
@@ -0,0 +1,112 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about indicators ingested from the AbuseCH integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.dataset\",\"negate\":false,\"params\":[\"ti_abusech.malware\",\"ti_abusech.malwarebazaar\",\"ti_abusech.url\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malware\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malwarebazaar\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.url\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n**[AbuseCH Overview (This Page)](/app/dashboards#/view/ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6)** \\n[AbuseCH Files](/app/dashboards#/view/ti_abusech-6a90c980-3b32-11ec-ae50-2fdf1e96c6a6) \\n[AbuseCH URLs](/app/dashboards#/view/ti_abusech-2457fb50-3bc3-11ec-ae8c-7d00429ad420) \\n\\n[Integrations Page](/app/integrations/detail/ti_abusech/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a health overview related to the AbuseCH 
integration.\\n\\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from AbuseCH. \\n\\nIt shows how many parts has been enabled (URL, Malware and MalwareBazaar), the ingestion rates (by default it fetches new updates every 10 minutes) and provides a few filters for drilling down to specific indicator types retrieved from AbuseCH.\",\"openLinksInNewTab\":false},\"title\":\"Overview Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.dataset\",\"negate\":false,\"params\":[\"ti_abusech.malware\",\"ti_abusech.malwarebazaar\",\"ti_abusech.url\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malware\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malwarebazaar\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.url\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"event.dataset\",\"id\":\"1635779550157\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern\",\"label\":\"Feed 
Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.provider\",\"id\":\"1635779603363\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern\",\"label\":\"Indicator Provider\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.type\",\"id\":\"1635779625911\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern\",\"label\":\"Indicator Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Feed and Indicator Selector [Logs AbuseCH]\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":7,\"i\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"w\":41,\"x\":7,\"y\":0},\"panelIndex\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-1d376820-3b22-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"070f5dbc-7687-4e97-9a57-5542b401c13f\":{\"columnOrder\":[\"1e352b49-3b83-44a6-98fe-8703d30f2517\"],\"columns\":{\"1e352b49-3b83-44a6-98fe-8703d30f2517\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
Indicators\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"1e352b49-3b83-44a6-98fe-8703d30f2517\",\"layerId\":\"070f5dbc-7687-4e97-9a57-5542b401c13f\",\"layerType\":\"data\"}},\"title\":\"Total Indicators [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"w\":6,\"x\":7,\"y\":7},\"panelIndex\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-49830790-3b27-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"df8e3a91-700b-428a-a763-525076e4d3c8\":{\"columnOrder\":[\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\"],\"columns\":{\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Datastreams\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\",\"layerId\":\"df8e3a91-700b-428a-a763-525076e4d3c8\",\"layerType\":\"data\"}},\"title\":\"Total Datastreams [Logs 
AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"w\":6,\"x\":7,\"y\":15},\"panelIndex\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"title\":\"Total Datastreams [Logs AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1e757dc0-2e6d-4bd2-aa38-7da9133ca960\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-ec1a2c50-3b30-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1e757dc0-2e6d-4bd2-aa38-7da9133ca960\":{\"columnOrder\":[\"66779b74-d127-4249-93e4-b8cd9c39b91f\",\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\"],\"columns\":{\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"66779b74-d127-4249-93e4-b8cd9c39b91f\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.provider\"}}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\"],\"layerId\":\"1e757dc0-2e6d-4bd2-aa38-7da9133ca960\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"66779b74-d127-4249-93e4-b8cd9c39b91f\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"showSingleSeries\":false},\"preferredSeriesType\":\"bar_horizontal\",\"title\":\"Empty XY chart\",\"valueLabels\":\"inside\",\"xTitle\":\"Providers\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Count\"}},\"title\":\"Total Indicators per Provider [Logs AbuseCH]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"86d83606-4176-44b1-b3f3-011d5b5b4b58\",\"w\":23,\"x\":13,\"y\":7},\"panelIndex\":\"86d83606-4176-44b1-b3f3-011d5b5b4b58\",\"title\":\"Total Indicators per Provider [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-682732d8-8691-4c5a-bf89-de8e30d71dfb\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-62801870-3b2a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"682732d8-8691-4c5a-bf89-de8e30d71dfb\":{\"columnOrder\":[\"dd629c44-e7db-438e-8656-340b94fd30d8\",\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\"],\"columns\":{\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"dd629c44-e7db-438e-8656-340b94fd30d8\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Indicators\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"dd629c44-e7db-438e-8656-340b94fd30d8\"],\"layerId\":\"682732d8-8691-4c5a-bf89-de8e30d71dfb\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"legendPosition\":\"right\",\"metric\":\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2,\"truncateLegend\":true}],\"shape\":\"donut\"}},\"title\":\"Total Indicators per Datastream [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"f654c447-12d2-41a4-9091-06169af11ba5\",\"w\":12,\"x\":36,\"y\":7},\"panelIndex\":\"f654c447-12d2-41a4-9091-06169af11ba5\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-8c0613c0-3b25-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\":{\"columnOrder\":[\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\",\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"columns\":{\"0726d151-9edf-41cb-ab52-473ab27cf8b7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"4d7ca99c-8a53-4a7f-96db-409251c0e391\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
event.dataset\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0726d151-9edf-41cb-ab52-473ab27cf8b7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"},\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"30s\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"curveType\":\"CURVE_MONOTONE_X\",\"fittingFunction\":\"Zero\",\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"layerId\":\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"xAccessor\":\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\"}],\"legend\":{\"isInside\":false,\"isVisible\":true,\"position\":\"bottom\",\"shouldTruncate\":false,\"showSingleSeries\":true},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"valuesInLegend\":false,\"xTitle\":\"Date\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Total Indicators\"}},\"title\":\"Indicators ingested per Datastream [Logs AbuseCH]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"w\":41,\"x\":7,\"y\":23},\"panelIndex\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs AbuseCH] Overview", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_abusech-c0d8d1f0-3b20-11ec-ae50-2fdf1e96c6a6", + 
"migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "86d83606-4176-44b1-b3f3-011d5b5b4b58:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"86d83606-4176-44b1-b3f3-011d5b5b4b58:indexpattern-datasource-layer-1e757dc0-2e6d-4bd2-aa38-7da9133ca960", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f654c447-12d2-41a4-9091-06169af11ba5:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f654c447-12d2-41a4-9091-06169af11ba5:indexpattern-datasource-layer-682732d8-8691-4c5a-bf89-de8e30d71dfb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7", + "type": "index-pattern" + }, + { + "id": "ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6", + "name": "tag-ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ti_abusech/1.2.3/kibana/tag/ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6.json b/packages/ti_abusech/1.2.3/kibana/tag/ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6.json new file mode 100755 index 0000000000..7cf7c3514a --- /dev/null +++ b/packages/ti_abusech/1.2.3/kibana/tag/ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6.json @@ -0,0 +1,14 @@ +{ + "attributes": { + "color": "#6092C0", + "description": "", + "name": "AbuseCH" + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_abusech-73511520-3b32-11ec-ae50-2fdf1e96c6a6", + "migrationVersion": { + "tag": "8.0.0" + }, + "references": [], + "type": "tag" +} \ No newline at end of file diff --git a/packages/ti_abusech/1.2.3/manifest.yml b/packages/ti_abusech/1.2.3/manifest.yml new file mode 100755 index 0000000000..8368a0f80b --- /dev/null +++ b/packages/ti_abusech/1.2.3/manifest.yml 
@@ -0,0 +1,26 @@ +name: ti_abusech +title: AbuseCH +version: 1.2.3 +release: ga +description: Collect threat intelligence from AbuseCH API with Elastic Agent. +type: integration +format_version: 1.0.0 +license: basic +categories: [security] +conditions: + kibana.version: ^8.0.0 +icons: + - src: /img/abusech2.svg + title: AbuseCH + size: 512x512 + type: image/svg+xml +policy_templates: + - name: ti_abusech + title: AbuseCH API + description: Collect threat intelligence from the AbuseCH API + inputs: + - type: httpjson + title: "Collect AbuseCH logs via API" + description: "Collect AbuseCH logs via API" +owner: + github: elastic/security-external-integrations diff --git a/packages/ti_anomali/1.2.3/changelog.yml b/packages/ti_anomali/1.2.3/changelog.yml new file mode 100755 index 0000000000..4dc68d72e1 --- /dev/null +++ b/packages/ti_anomali/1.2.3/changelog.yml 
@@ -0,0 +1,56 @@ +# newer versions go on top +- version: "1.2.3" + changes: + - description: Add mapping for event.created + type: enhancement + link: https://github.com/elastic/integrations/pull/3042 +- version: "1.2.2" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "1.2.1" + changes: + - description: Adding first interval to Anomali Limo policy UI + type: bugfix + link: https://github.com/elastic/integrations/pull/2677 +- version: "1.2.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2446 +- version: "1.1.3" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "1.1.2" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 +- version: "1.1.1" + changes: + - description: Fixing typo in base-fields.yml + type: enhancement + link: https://github.com/elastic/integrations/pull/2330 +- version: "1.1.0" + changes: + - description: Adding dashboards and threat.feed ECS fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2292 +- version: "1.0.2" + changes: + - description: Bump minimum version + type: enhancement + link: https://github.com/elastic/integrations/pull/2063 +- version: "1.0.1" + changes: + - description: Update title and description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1997 +- version: "1.0.0" + changes: + - description: Initial release + type: enhancement + link: https://github.com/elastic/integrations/pull/1911 diff --git a/packages/ti_anomali/1.2.3/data_stream/limo/agent/stream/httpjson.yml.hbs b/packages/ti_anomali/1.2.3/data_stream/limo/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..eabe1ecfca 
--- /dev/null +++ b/packages/ti_anomali/1.2.3/data_stream/limo/agent/stream/httpjson.yml.hbs @@ -0,0 +1,60 @@ +config_version: "2" +interval: {{interval}} +request.method: "GET" + +auth.basic.user: guest +auth.basic.password: guest + +{{#if url}} +request.url: {{url}} +{{/if}} +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} +{{#if proxy_url}} +request.proxy_url: {{proxy_url}} +{{/if}} +request.redirect.forward_headers: true + +request.transforms: + - set: + target: header.Content-Type + value: application/vnd.oasis.taxii+json + - set: + target: header.Accept + value: application/vnd.oasis.taxii+json + - set: + target: header.Range + value: items 0-10000 + - set: + target: url.params.match[type] + value: indicator + - set: + target: url.params.added_after + value: '[[.cursor.timestamp]]' + default: '[[ formatDate (now (parseDuration "-{{first_interval}}")) "2006-01-02T15:04:05.000Z" ]]' + +response.split: + target: body.objects + +cursor: + timestamp: + value: '[[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]]' + +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/ti_anomali/1.2.3/data_stream/limo/elasticsearch/ingest_pipeline/default.yml b/packages/ti_anomali/1.2.3/data_stream/limo/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..2e03b4daa0 --- /dev/null +++ b/packages/ti_anomali/1.2.3/data_stream/limo/elasticsearch/ingest_pipeline/default.yml 
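Review bot: `request.redirect.forward_headers: true` re-sends every request header, including the Basic `Authorization` header built from `auth.basic.user`/`auth.basic.password`, to whatever host a redirect points at, and with `request.url` operator-supplied and `request.ssl` optional the credentials can travel to a third party or in cleartext. Since `guest`/`guest` appears to be Limo's public read-only login rather than a secret the impact is low, but a hardcoded password with no explanation reads like a leak; I'd add above the `auth.basic.*` lines `# Anomali Limo is a public TAXII feed; guest/guest is its documented read-only account, not a secret.` If real credentials ever replace these, `request.redirect.headers_ban_list: [Authorization]` would keep them off redirect targets. Separately, the cursor is taken only from the `X-TAXII-Date-Added-Last` response header; if a server omits it, `added_after` falls back to the `default` every run and the same window is re-fetched — presumably tolerable because the pipeline fingerprints `_id`, but worth a comment next to `cursor:`.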
@@ -0,0 +1,180 @@ +--- +description: Pipeline for parsing Anomali Limo indicators +processors: + #################### + # Event ECS fields # + #################### + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: "8.0.0" + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: threat + - set: + field: event.type + value: indicator + + ###################### + # General ECS fields # + ###################### + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: anomali.limo + - fingerprint: + fields: + - anomali.limo.id + target_field: "_id" + ignore_missing: true + + ##################### + # Threat ECS Fields # + ##################### + ## File indicator operations + - date: + field: anomali.limo.created + formats: + - "yyyy-MM-dd'T'HH:mm:ssz" + - "yyyy-MM-dd'T'HH:mm:ssZ" + - "yyyy-MM-dd'T'HH:mm:ss.Sz" + - "yyyy-MM-dd'T'HH:mm:ss.SZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" + if: "ctx.anomali?.limo?.created != null" + - date: + field: anomali.limo.modified + target_field: anomali.limo.modified + formats: + - "yyyy-MM-dd'T'HH:mm:ssz" + - "yyyy-MM-dd'T'HH:mm:ssZ" + - "yyyy-MM-dd'T'HH:mm:ss.Sz" + - "yyyy-MM-dd'T'HH:mm:ss.SZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" + if: "ctx.anomali?.limo?.modified != null" + - date: + field: anomali.limo.valid_from + target_field: threat.indicator.first_seen + formats: + - "yyyy-MM-dd'T'HH:mm:ssz" + - "yyyy-MM-dd'T'HH:mm:ssZ" + - "yyyy-MM-dd'T'HH:mm:ss.Sz" + - "yyyy-MM-dd'T'HH:mm:ss.SZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" + if: "ctx.anomali?.limo?.valid_from != null" + - grok: + field: 
anomali.limo.pattern + patterns: + - "^\\[%{DATA:_tmp.threattype}:value%{SPACE}=%{SPACE}'%{DATA:_tmp.threatvalue}'\\]" + if: ctx.anomali?.limo?.pattern != null + - rename: + field: _tmp.threattype + target_field: threat.indicator.type + ignore_missing: true + - rename: + field: _tmp.threatvalue + target_field: threat.indicator.ip + ignore_missing: true + if: "['ipv4-addr', 'ipv6-addr'].contains(ctx.threat?.indicator?.type)" + - uri_parts: + field: _tmp.threatvalue + target_field: threat.indicator.url + keep_original: true + remove_if_successful: true + if: ctx.threat?.indicator?.type == 'url' + - set: + field: threat.indicator.url.full + value: "{{{threat.indicator.url.original}}}" + ignore_empty_value: true + - rename: + field: _tmp.threatvalue + target_field: threat.indicator.email.address + ignore_missing: true + if: ctx.threat?.indicator?.type == 'email-addr' + - rename: + field: _tmp.threatvalue + target_field: threat.indicator.url.domain + ignore_missing: true + if: ctx.threat?.indicator?.type == 'domain-name' + - set: + field: threat.indicator.type + value: unknown + if: ctx.threat?.indicator?.type == null + - foreach: + field: anomali.limo.labels + ignore_missing: true + processor: + append: + field: tags + value: "{{_ingest._value}}" + allow_duplicates: false + - grok: + field: anomali.limo.description + patterns: + - "^%{GREEDYDATA}Source: %{GREEDYDATA:threat.indicator.provider}" + ignore_missing: true + ignore_failure: true + ###################### + # Cleanup processors # + ###################### + - script: + lang: painless + if: ctx?.threatintel != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); + - remove: 
+ field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - remove: + field: + - anomali.limo.pattern + ignore_missing: true + if: ctx.threat?.indicator?.pattern != null && ctx.threat?.indicator?.pattern != 'unknown' + - remove: + field: + - anomali.limo.created + - anomali.limo.pattern + - message + - _tmp + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/ti_anomali/1.2.3/data_stream/limo/fields/agent.yml b/packages/ti_anomali/1.2.3/data_stream/limo/fields/agent.yml new file mode 100755 index 0000000000..da4e652c53 --- /dev/null +++ b/packages/ti_anomali/1.2.3/data_stream/limo/fields/agent.yml 
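Review bot: The null-stripping Painless script in the cleanup section is guarded by `if: ctx?.threatintel != null`, but nothing in this pipeline writes a `threatintel` field — every parsed value lands under `anomali.limo` — so the script never runs and null-valued keys from the STIX JSON are indexed as-is. The first `remove` of `anomali.limo.pattern` has the same problem: it is conditioned on `ctx.threat?.indicator?.pattern`, which no processor sets, and the later unconditional `remove` already covers it. I'd change the guard to `if: ctx.anomali?.limo != null` and drop the conditional `remove`. Separately, the grok that captures `_tmp.threatvalue` with `%{DATA}` is only anchored at the start, so a compound STIX pattern such as `[ipv4-addr:value = 'a' OR ipv4-addr:value = 'b']` would capture `a' OR ipv4-addr:value = 'b` and rename it into the `ip`-typed `threat.indicator.ip`, rejecting the document at index time; if Limo can emit such patterns, a `(?<_tmp.threatvalue>[^']*)` capture (or a second pattern for OR-joined comparisons) avoids that.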
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/ti_anomali/1.2.3/data_stream/limo/fields/base-fields.yml b/packages/ti_anomali/1.2.3/data_stream/limo/fields/base-fields.yml new file mode 100755 index 0000000000..126260c5af --- /dev/null +++ b/packages/ti_anomali/1.2.3/data_stream/limo/fields/base-fields.yml @@ -0,0 +1,28 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: ti_anomali +- name: event.dataset + type: constant_keyword + description: Event dataset + value: ti_anomali.limo +- name: threat.feed.name + type: constant_keyword + description: Display friendly feed name + value: Anomali Limo +- name: threat.feed.dashboard_id + type: constant_keyword + description: Dashboard ID used for Kibana CTI UI + value: ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/ti_anomali/1.2.3/data_stream/limo/fields/beats.yml b/packages/ti_anomali/1.2.3/data_stream/limo/fields/beats.yml new file mode 100755 index 0000000000..cb44bb2944 --- /dev/null +++ b/packages/ti_anomali/1.2.3/data_stream/limo/fields/beats.yml @@ -0,0 +1,12 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.flags + type: keyword + description: Flags for the log file. +- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.file.path + type: keyword + description: Path to the log file. diff --git a/packages/ti_anomali/1.2.3/data_stream/limo/fields/ecs.yml b/packages/ti_anomali/1.2.3/data_stream/limo/fields/ecs.yml new file mode 100755 index 0000000000..339e97eba8 --- /dev/null +++ b/packages/ti_anomali/1.2.3/data_stream/limo/fields/ecs.yml 
@@ -0,0 +1,133 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: The date and time when intelligence source first reported sighting this indicator. + name: threat.indicator.first_seen + type: date +- description: |- + Type of indicator as represented by Cyber Observable in STIX 2.0. + Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate + name: threat.indicator.type + type: keyword +- description: Identifies a threat indicator as an IP address (irrespective of direction). + name: threat.indicator.ip + type: ip +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: threat.indicator.url.domain + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.full + type: wildcard +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". 
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: threat.indicator.url.extension + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.original + type: wildcard +- description: Path of the request, such as "/search". + name: threat.indicator.url.path + type: wildcard +- description: Port of the request, such as 443. + name: threat.indicator.url.port + type: long +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: threat.indicator.url.scheme + type: keyword +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: threat.indicator.url.query + type: keyword +- description: Identifies a threat indicator as an email address (irrespective of direction). + name: threat.indicator.email.address + type: keyword +- description: The name of the indicator's provider. + name: threat.indicator.provider + type: keyword diff --git a/packages/ti_anomali/1.2.3/data_stream/limo/fields/fields.yml b/packages/ti_anomali/1.2.3/data_stream/limo/fields/fields.yml new file mode 100755 index 0000000000..1b2ca9057f --- /dev/null +++ b/packages/ti_anomali/1.2.3/data_stream/limo/fields/fields.yml 
@@ -0,0 +1,73 @@
+- name: anomali.limo
+ type: group
+ description: >
+ Fields for Anomali Threat Intel
+
+ fields:
+ - name: id
+ type: keyword
+ description: >
+ The ID of the indicator.
+
+ - name: name
+ type: keyword
+ description: >
+ The name of the indicator.
+
+ - name: pattern
+ type: keyword
+ description: >
+ The pattern ID of the indicator.
+
+ - name: valid_from
+ type: date
+ description: >
+ When the indicator was first found or is considered valid.
+
+ - name: modified
+ type: date
+ description: >
+ When the indicator was last modified
+
+ - name: labels
+ type: keyword
+ description: >
+ The labels related to the indicator
+
+ - name: indicator
+ type: keyword
+ description: >
+ The value of the indicator, for example if the type is domain, this would be the value.
+
+ - name: description
+ type: keyword
+ description: >
+ A description of the indicator.
+
+ - name: title
+ type: keyword
+ description: >
+ Title describing the indicator.
+
+ - name: content
+ type: keyword
+ description: >
+ Extra text or descriptive content related to the indicator.
+
+ - name: type
+ type: keyword
+ description: >
+ The indicator type, can for example be "domain, email, FileHash-SHA256".
+
+ - name: object_marking_refs
+ type: keyword
+ description: >-
+ The STIX reference object.
+ - name: definition_type
+ type: keyword
+ description: >-
+ Indicator tlp/definition type
+ - name: definition.tlp
+ type: keyword
+ description: >-
+ Indicator tlp/definition value
diff --git a/packages/ti_anomali/1.2.3/data_stream/limo/manifest.yml b/packages/ti_anomali/1.2.3/data_stream/limo/manifest.yml
new file mode 100755
index 0000000000..278b84f0e7
--- /dev/null
+++ b/packages/ti_anomali/1.2.3/data_stream/limo/manifest.yml
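Review bot: The block-scalar style is mixed inside this one file: the first eleven field entries use `description: >` followed by a blank line, which leaves a trailing newline inside each description value, while `object_marking_refs`, `definition_type` and `definition.tlp` at the end use `>-` with no blank line. Using `description: >-` throughout keeps the descriptions free of trailing newlines and makes the file read consistently. While there, `modified` and `labels` are the only descriptions without a terminating period; `When the indicator was last modified.` and `The labels related to the indicator.` would match their neighbours.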
@@ -0,0 +1,76 @@
+type: logs
+title: Anomali Limo
+streams:
+ - input: httpjson
+ vars:
+ - name: url
+ type: text
+ title: Anomali Limo API URL
+ multi: false
+ required: true
+ show_user: false
+ default: https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ multi: false
+ required: false
+ show_user: false
+ default: 30s
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:
+ - name: interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 10m
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 120h
+ description: How far back to look for indicators the first time the agent is started.
+ - name: ssl
+ type: yaml
+ title: SSL
+ multi: false
+ required: false
+ show_user: true
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - anomali-limo
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: httpjson.yml.hbs
+ title: Anomali Limo API
+ description: Collect indicators from the Anomali Limo API
diff --git a/packages/ti_anomali/1.2.3/data_stream/limo/sample_event.json b/packages/ti_anomali/1.2.3/data_stream/limo/sample_event.json new file mode 100755 index 0000000000..5a4d3e2273 --- /dev/null +++ b/packages/ti_anomali/1.2.3/data_stream/limo/sample_event.json @@ -0,0 +1,56 @@ +{ + "@timestamp": "2017-01-20T00:00:00.000Z", + "agent": { + "ephemeral_id": "29217578-e780-4c3e-912d-0f35ce981fb4", + "id": "6b916c32-9ec1-4b93-a910-81540b3df79b", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "anomali": { + "limo": { + "definition": { + "tlp": "green" + }, + "definition_type": "tlp", + "id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da", + "type": "marking-definition" + } + }, + "data_stream": { + "dataset": "ti_anomali.limo", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "6b916c32-9ec1-4b93-a910-81540b3df79b", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-04-11T08:51:02.140Z", + "dataset": "ti_anomali.limo", + "ingested": "2022-04-11T08:51:03Z", + "kind": "enrichment", + "original": "{\"created\":\"2017-01-20T00:00:00.000Z\",\"definition\":{\"tlp\":\"green\"},\"definition_type\":\"tlp\",\"id\":\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\",\"type\":\"marking-definition\"}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "anomali-limo" + ], + "threat": { + "indicator": { + "type": "unknown" + } + } +} \ No newline at end of file diff --git a/packages/ti_anomali/1.2.3/data_stream/threatstream/agent/stream/http_endpoint.yml.hbs b/packages/ti_anomali/1.2.3/data_stream/threatstream/agent/stream/http_endpoint.yml.hbs new file mode 100755 index 0000000000..a38e42a199 --- /dev/null +++ b/packages/ti_anomali/1.2.3/data_stream/threatstream/agent/stream/http_endpoint.yml.hbs 
@@ -0,0 +1,47 @@
+type: http_endpoint
+enabled: true
+
+{{#if listen_address}}
+listen_address: {{listen_address}}
+{{/if}}
+{{#if listen_port}}
+listen_port: {{listen_port}}
+{{/if}}
+{{#if url}}
+url: {{url}}
+{{/if}}
+prefix: json
+{{#if content_type}}
+content_type: {{content_type}}
+{{/if}}
+
+{{#if secret}}
+hmac:
+ header: X-Filebeat-Signature
+ key: {{secret}}
+ type: sha256
+ prefix: sha256=
+{{/if}}
+
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+
+{{#if preserve_original_event}}
+preserve_original_event: true
+{{/if}}
+
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/ti_anomali/1.2.3/data_stream/threatstream/elasticsearch/ingest_pipeline/default.yml b/packages/ti_anomali/1.2.3/data_stream/threatstream/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..9d7e1297cb
--- /dev/null
+++ b/packages/ti_anomali/1.2.3/data_stream/threatstream/elasticsearch/ingest_pipeline/default.yml
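Review bot: The `hmac:` block is only rendered inside `{{#if secret}}`, so when the `secret` variable is left empty the listener on `listen_address`/`listen_port` accepts any POST with no request authentication, and `ssl:` is optional in the same way, so the default rendering is an unauthenticated plaintext endpoint. That may be acceptable for a lab, but the template should say so where the next editor will see it, e.g. a comment above the block: `# Without secret the endpoint is unauthenticated; set secret (and ssl) for production deployments.`, and the `secret` variable's description in the data stream manifest (not in this hunk) should carry the same recommendation. Minor style point: `{{#each tags as |tag i|}}` binds an index `i` that the body never uses; `{{#each tags as |tag|}}` is the form used elsewhere in this package's templates.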
@@ -0,0 +1,431 @@ +--- +description: Pipeline for parsing Anomali ThreatStream +processors: + # + # Set basic ECS fields. + # + - set: + field: event.ingested + value: "{{{ _ingest.timestamp }}}" + - set: + field: ecs.version + value: "8.0.0" + - fingerprint: + fields: + - event.dataset + - json.id + target_field: "_id" + ignore_missing: true + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: threat + - set: + field: event.type + value: indicator + + # + # Map itype field to STIX 2.0 Cyber Observable values (threat.indicator.type). + # + - script: + lang: painless + if: "ctx.json.itype != null" + description: > + Map itype field to STIX 2.0 Cyber Observable values (threat.indicator.type). + params: + actor_ip: ipv4-addr + adware_domain: domain-name + anon_proxy: ipv4-addr + anon_vpn: ipv4-addr + apt_domain: domain-name + apt_email: email-addr + apt_ip: ipv4-addr + apt_md5: file + apt_subject: email + apt_ua: url + apt_url: url + bot_ip: ipv4-addr + brute_ip: ipv4-addr + c2_domain: domain-name + c2_ip: ipv4-addr + c2_url: url + comm_proxy_domain: domain-name + comm_proxy_ip: ipv4-addr + compromised_domain: domain-name + compromised_ip: ipv4-addr + compromised_url: url + crypto_hash: file + crypto_ip: ipv4-addr + crypto_pool: domain + crypto_url: url + crypto_wallet: file + ddos_ip: ipv4-addr + disposable_email_domain: domain-name + dyn_dns: domain-name + exfil_domain: domain-name + exfil_ip: ipv4-addr + exfil_url: url + exploit_domain: domain-name + exploit_ip: ipv4-addr + exploit_url: url + free_email_domain: domain-name + geolocation_url: url + hack_tool: file + i2p_ip: ipv4-addr + ipcheck_url: url + mal_domain: domain-name + mal_email: email-addr + mal_ip: ipv4-addr + mal_md5: file + mal_sslcert_sh1: x509-certificate + mal_sslcert_sha1: x509-certificate + mal_ua: url + mal_url: url + p2pcnc: ipv4-addr + parked_domain: domain-name + parked_ip: ipv4-addr + parked_url: url + pastesite_url: url + phish_domain: domain-name + 
phish_email: email-addr + phish_ip: ipv4-addr + phish_url: url + proxy_ip: ipv4-addr + scan_ip: ipv4-addr + sinkhole_domain: domain-name + sinkhole_ip: ipv4-addr + spam_domain: domain-name + spam_email: email-addr + spam_ip: ipv4-addr + spam_url: url + speedtest_url: url + ssh_ip: ipv4-addr + suppress: suppress + suspicious_domain: domain-name + suspicious_email: email-addr + suspicious_ip: ipv4-addr + suspicious_reg_email: email-addr + suspicious_url: url + tor_ip: ipv4-addr + torrent_tracker_url: url + vpn_domain: domain-name + vps_ip: ipv4-addr + whois_bulk_reg_email: email-addr + whois_privacy_domain: domain-name + whois_privacy_email: email-addr + source: > + String mapping = params[ctx.json.itype]; + if (mapping != null) { + ctx["threatintel_indicator_type"] = mapping; + } + on_failure: + - append: + field: error.message + value: 'Unable to determine indicator type from "{{{ json.itype }}}": {{{ _ingest.on_failure_message }}}' + + - rename: + field: threatintel_indicator_type + target_field: threat.indicator.type + ignore_missing: true + + # + # Detect ipv6 for ipv4-addr types. + # + - set: + field: threat.indicator.type + value: ipv6-addr + if: 'ctx.threat?.indicator?.type == "ipv4-addr" && ctx.json?.srcip != null && ctx.json.srcip.contains(":")' + + # + # Map first and last seen dates. + # + - date: + field: json.date_first + target_field: threat.indicator.first_seen + formats: + - ISO8601 + if: "ctx.json?.date_first != null" + on_failure: + - append: + field: error.message + value: 'Error parsing date_first field value "{{{ json.date_first }}}": {{{ _ingest.on_failure_message }}}' + + - date: + field: json.date_last + target_field: threat.indicator.last_seen + formats: + - ISO8601 + if: "ctx.json?.date_last != null" + on_failure: + - append: + field: error.message + value: 'Error parsing date_last field value "{{{ json.date_last }}}": {{{ _ingest.on_failure_message }}}' + + # + # Map IP geolocation fields. 
+ # + - convert: + field: json.lat + target_field: threat.indicator.geo.location.lat + type: double + if: "ctx.json?.lat != null && ctx.json?.lon != null" + on_failure: + - append: + field: error.message + value: 'Cannot convert lat field "{{{ json.lat }}}" to double: {{{ _ingest.on_failure_message }}}' + - convert: + field: json.lon + target_field: threat.indicator.geo.location.lon + type: double + if: "ctx.json?.lat != null && ctx.json?.lon != null" + on_failure: + - append: + field: error.message + value: 'Cannot convert lon field "{{{ json.lon }}}" to double: {{{ _ingest.on_failure_message }}}' + + # + # Map classification field to Traffic Light Protocol (TLP). + # Currently: + # public => White ("Disclosure is not limited.") + # private => Amber ("Limited disclosure, restricted to participants’ organizations."). + # + - append: + field: threat.indicator.marking.tlp + value: Amber + if: 'ctx.json?.classification == "private"' + - append: + field: threat.indicator.marking.tlp + value: White + if: 'ctx.json?.classification == "public"' + + # + # Convert confidence field (-1..100) to ECS confidence (0..10). + # + - script: + lang: painless + if: ctx.json?.confidence != null + description: > + Normalize confidence level. 
+ source: > + def value = ctx.json.confidence; + if (value <= 0.0 || value > 100.0) { + ctx["threatintel_indicator_confidence"] = "None"; + return; + } + if (value >= 1.0 && value <= 29.0) { + ctx["threatintel_indicator_confidence"] = "Low"; + return; + } + if (value >= 30.0 && value <= 69.0) { + ctx["threatintel_indicator_confidence"] = "Med"; + return; + } + if (value >= 70 && value <= 100) { + ctx["threatintel_indicator_confidence"] = "High"; + return; + } + on_failure: + - append: + field: error.message + value: "failed to normalize confidence value `{{{ json.confidence }}}`: {{{ _ingest.on_failure_message }}}" + + - rename: + field: threatintel_indicator_confidence + target_field: threat.indicator.confidence + ignore_missing: true + + # + # Convert asn field. + # + - convert: + field: json.asn + target_field: threat.indicator.as.number + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: "Cannot convert asn field `{{{ json.asn }}}` to long: {{{ _ingest.on_failure_message }}}" + + - rename: + field: json.org + target_field: threat.indicator.as.organization.name + ignore_missing: true + + - rename: + field: json.email + target_field: threat.indicator.email.address + ignore_missing: true + + - rename: + field: json.srcip + target_field: threat.indicator.ip + ignore_missing: true + + - uri_parts: + field: json.url + target_field: threat.indicator.url + keep_original: true + remove_if_successful: true + if: "ctx.json?.url != null" + on_failure: + - append: + field: error.message + value: "Cannot parse url field `{{{ json.url }}}`: {{{ _ingest.on_failure_message }}}" + - set: + field: threat.indicator.url.full + value: "{{{threat.indicator.url.original}}}" + ignore_empty_value: true + - rename: + field: json.domain + target_field: threat.indicator.url.domain + ignore_missing: true + if: ctx.threat?.indicator?.url?.domain == null + - rename: + field: json.country + target_field: threat.indicator.geo.country_iso_code + 
ignore_missing: true + + # + # md5 field can actually contain different kinds of hash. + # Map to file.hash.* depending on hash length. + # + - rename: + field: json.md5 + target_field: threat.indicator.file.hash.md5 + if: "ctx.json?.md5 != null && ctx.json.md5.length() == 32" + + - rename: + field: json.md5 + target_field: threat.indicator.file.hash.sha1 + if: "ctx.json?.md5 != null && ctx.json.md5.length() == 40" + + - rename: + field: json.md5 + target_field: threat.indicator.file.hash.sha256 + if: "ctx.json?.md5 != null && ctx.json.md5.length() == 64" + + - rename: + field: json.md5 + target_field: threat.indicator.file.hash.sha512 + if: "ctx.json?.md5 != null && ctx.json.md5.length() == 128" + + - rename: + field: json.source + target_field: threat.indicator.provider + ignore_missing: true + + # + # Map field severity to event severity as follows: + # low => 3 + # medium => 5 + # high => 7 + # very-high => 9 + # + - set: + field: event.severity + value: 3 + if: 'ctx.json?.severity == "low"' + + - set: + field: event.severity + value: 5 + if: 'ctx.json?.severity == "medium"' + + - set: + field: event.severity + value: 7 + if: 'ctx.json?.severity == "high"' + + - set: + field: event.severity + value: 9 + if: 'ctx.json?.severity == "very-high"' + + # + # Field trusted_circles_ids is a comma-separated string + # that can contain leading and trailing separators (i.e. ",123,"). + # Need a script processor as split processor doesn't support + # removing non-trailing separators. + # + - script: + lang: painless + if: "ctx.json?.trusted_circle_ids != null && ctx.json?.trusted_circle_ids instanceof String" + description: > + Convert trusted_circles_ids from CSV to an array. 
+ source: > + def lst = Stream.of(ctx.json.trusted_circle_ids.splitOnToken(',')).filter(s -> !s.isEmpty()).collect(Collectors.toList()); + if (lst.size() > 0) { + ctx.json.trusted_circle_ids = lst; + } else { + ctx.json.remove('trusted_circle_ids'); + } + # + # Split detail field and append each component to ECS tags field. + # + - split: + field: json.detail + separator: '(? + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/packages/ti_anomali/1.2.3/data_stream/threatstream/fields/base-fields.yml b/packages/ti_anomali/1.2.3/data_stream/threatstream/fields/base-fields.yml new file mode 100755 index 0000000000..378e9e1a15 --- /dev/null +++ b/packages/ti_anomali/1.2.3/data_stream/threatstream/fields/base-fields.yml @@ -0,0 +1,28 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: ti_anomali +- name: event.dataset + type: constant_keyword + description: Event dataset + value: ti_anomali.threatstream +- name: threat.feed.name + type: constant_keyword + description: Display friendly feed name + value: Anomali ThreatStream +- name: threat.feed.dashboard_id + type: constant_keyword + description: Dashboard ID used for Kibana CTI UI + value: ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/ti_anomali/1.2.3/data_stream/threatstream/fields/beats.yml b/packages/ti_anomali/1.2.3/data_stream/threatstream/fields/beats.yml new file mode 100755 index 0000000000..cb44bb2944 --- /dev/null 
+++ b/packages/ti_anomali/1.2.3/data_stream/threatstream/fields/beats.yml
@@ -0,0 +1,12 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.flags
+ type: keyword
+ description: Flags for the log file.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
diff --git a/packages/ti_anomali/1.2.3/data_stream/threatstream/fields/ecs.yml b/packages/ti_anomali/1.2.3/data_stream/threatstream/fields/ecs.yml
new file mode 100755
index 0000000000..a2ee1797df
--- /dev/null
+++ b/packages/ti_anomali/1.2.3/data_stream/threatstream/fields/ecs.yml
@@ -0,0 +1,191 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
+ name: event.category + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: The date and time when intelligence source first reported sighting this indicator.
+ name: threat.indicator.first_seen
+ type: date
+- description: The date and time when intelligence source last reported sighting this indicator.
+ name: threat.indicator.last_seen
+ type: date
+- description: |-
+ Type of indicator as represented by Cyber Observable in STIX 2.0.
+ Recommended values:
+ * autonomous-system
+ * artifact
+ * directory
+ * domain-name
+ * email-addr
+ * file
+ * ipv4-addr
+ * ipv6-addr
+ * mac-addr
+ * mutex
+ * port
+ * process
+ * software
+ * url
+ * user-account
+ * windows-registry-key
+ * x509-certificate
+ name: threat.indicator.type
+ type: keyword
+- description: Identifies a threat indicator as an IP address (irrespective of direction).
+ name: threat.indicator.ip
+ type: ip
+- description: |-
+ Domain of the url, such as "www.elastic.co".
+ In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
+ If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.
+ name: threat.indicator.url.domain
+ type: keyword
+- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: threat.indicator.url.full
+ type: wildcard
+- description: |-
+ The field contains the file extension from the original request url, excluding the leading dot.
+ The file extension is only set if it exists, as not every url has a file extension.
+ The leading period must not be included. For example, the value must be "png", not ".png".
+ Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
+ name: threat.indicator.url.extension
+ type: keyword
+- description: |-
+ Unmodified original url as seen in the event source.
+ Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
+ This field is meant to represent the URL as it was observed, complete or not.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: threat.indicator.url.original
+ type: wildcard
+- description: Path of the request, such as "/search".
+ name: threat.indicator.url.path
+ type: wildcard
+- description: Port of the request, such as 443.
+ name: threat.indicator.url.port
+ type: long
+- description: |-
+ Scheme of the request, such as "https".
+ Note: The `:` is not part of the scheme.
+ name: threat.indicator.url.scheme
+ type: keyword
+- description: |-
+ The query field describes the query string of the request, such as "q=elasticsearch".
+ The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
+ name: threat.indicator.url.query
+ type: keyword
+- description: MD5 hash.
+ name: threat.indicator.file.hash.md5
+ type: keyword
+- description: SHA1 hash.
+ name: threat.indicator.file.hash.sha1
+ type: keyword
+- description: SHA256 hash.
+ name: threat.indicator.file.hash.sha256
+ type: keyword
+- description: SHA512 hash.
+ name: threat.indicator.file.hash.sha512
+ type: keyword
+- description: Identifies a threat indicator as an email address (irrespective of direction).
+ name: threat.indicator.email.address
+ type: keyword
+- description: The name of the indicator's provider.
+ name: threat.indicator.provider
+ type: keyword
+- description: |-
+ Traffic Light Protocol sharing markings.
+ Recommended values are:
+ * WHITE
+ * GREEN
+ * AMBER
+ * RED
+ name: threat.indicator.marking.tlp
+ type: keyword
+- description: |-
+ Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields.
+ Expected values are:
+ * Not Specified
+ * None
+ * Low
+ * Medium
+ * High
+ name: threat.indicator.confidence
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: threat.indicator.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: threat.indicator.as.organization.name
+ type: keyword
+- description: Longitude and latitude.
+ name: threat.indicator.geo.location.lat
+ type: geo_point
+- description: Longitude and latitude.
+ name: threat.indicator.geo.location.lon
+ type: geo_point
+- description: Country ISO code.
+ name: threat.indicator.geo.country_iso_code
+ type: keyword
diff --git a/packages/ti_anomali/1.2.3/data_stream/threatstream/fields/fields.yml b/packages/ti_anomali/1.2.3/data_stream/threatstream/fields/fields.yml
new file mode 100755
index 0000000000..5d8e4e57d9
--- /dev/null
+++ b/packages/ti_anomali/1.2.3/data_stream/threatstream/fields/fields.yml
@@ -0,0 +1,94 @@
+- name: anomali.threatstream
+ type: group
+ description: >
+ Fields for Anomali Threatstream
+
+ fields:
+ - name: classification
+ type: keyword
+ description: >
+ Indicates whether an indicator is private or from a public feed and available publicly. Possible values: private, public.
+
+ example: private
+ - name: confidence
+ type: short
+ description: >
+ The measure of the accuracy (from 0 to 100) assigned by ThreatStream's predictive analytics technology to indicators.
+
+ - name: detail2
+ type: text
+ description: >
+ Detail text for indicator.
+
+ example: Imported by user 42.
+ - name: id
+ type: keyword
+ description: >
+ The ID of the indicator.
+
+ - name: import_session_id
+ type: keyword
+ description: >
+ ID of the import session that created the indicator on ThreatStream.
+
+ - name: itype
+ type: keyword
+ description: >
+ Indicator type. Possible values: "apt_domain", "apt_email", "apt_ip", "apt_url", "bot_ip", "c2_domain", "c2_ip", "c2_url", "i2p_ip", "mal_domain", "mal_email", "mal_ip", "mal_md5", "mal_url", "parked_ip", "phish_email", "phish_ip", "phish_url", "scan_ip", "spam_domain", "ssh_ip", "suspicious_domain", "tor_ip" and "torrent_tracker_url".
+
+ - name: maltype
+ type: wildcard
+ description: >
+ Information regarding a malware family, a CVE ID, or another attack or threat, associated with the indicator.
+
+ - name: md5
+ type: keyword
+ description: >
+ Hash for the indicator.
+
+ - name: resource_uri
+ type: keyword
+ description: >
+ Relative URI for the indicator details.
+
+ - name: severity
+ type: keyword
+ description: >
+ Criticality associated with the threat feed that supplied the indicator. Possible values: low, medium, high, very-high.
+
+ - name: source
+ type: keyword
+ description: >
+ Source for the indicator.
+
+ example: Analyst
+ - name: source_feed_id
+ type: keyword
+ description: >
+ ID for the integrator source.
+
+ - name: state
+ type: keyword
+ description: >
+ State for this indicator.
+
+ example: active
+ - name: trusted_circle_ids
+ type: keyword
+ description: >
+ ID of the trusted circle that imported the indicator.
+
+ - name: update_id
+ type: keyword
+ description: >
+ Update ID.
+
+ - name: url
+ type: keyword
+ description: >
+ URL for the indicator.
+
+ - name: value_type
+ type: keyword
+ description: >-
+ Data type of the indicator. Possible values: ip, domain, url, email, md5.
diff --git a/packages/ti_anomali/1.2.3/data_stream/threatstream/manifest.yml b/packages/ti_anomali/1.2.3/data_stream/threatstream/manifest.yml
new file mode 100755
index 0000000000..7bffc33668
--- /dev/null
+++ b/packages/ti_anomali/1.2.3/data_stream/threatstream/manifest.yml
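Review bot: `trusted_circle_ids` is documented as `ID of the trusted circle that imported the indicator.` although the name is plural and the sample event added in this commit carries an array of three IDs for it; the description should reflect the cardinality, e.g. `IDs of the trusted circles that imported the indicator.`. The same hunk mixes `description: >` followed by a blank line (which keeps a trailing newline in the value) on every entry except `value_type`, which uses `>-`; one form throughout, preferably `>-`, would keep the generated docs consistent.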
@@ -0,0 +1,83 @@
+type: logs
+title: Anomali Threatstream
+streams:
+ - input: http_endpoint
+ vars:
+ - name: listen_address
+ type: text
+ title: Listen Address
+ description: Bind address for the listener. Use 0.0.0.0 to listen on all interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: listen_port
+ type: integer
+ title: Listen Port
+ multi: false
+ required: true
+ show_user: true
+ default: 8181
+ - name: url
+ type: text
+ title: Webhook path
+ description: URL path where the webhook will accept requests.
+ multi: false
+ required: true
+ show_user: false
+ default: /threatstream
+ - name: content_type
+ type: text
+ title: Webhook path
+ description: URL path where the webhook will accept requests.
+ multi: false
+ required: true
+ show_user: false
+ default: application/x-ndjson
+ - name: secret
+ type: text
+ title: HMAC secret key
+ description: Secret key to authenticate requests from the SDK.
+ multi: false
+ required: false
+ show_user: true
+ - name: ssl
+ type: yaml
+ title: TLS
+ description: Options for enabling TLS for the listening webhook endpoint. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ enabled: false
+ certificate: "/etc/pki/client/cert.pem"
+ key: "/etc/pki/client/cert.key"
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - anomali-threatstream
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: http_endpoint.yml.hbs
+ title: Anomali Threatstream
+ description: Receives indicators from Anomali Threatstream
diff --git a/packages/ti_anomali/1.2.3/data_stream/threatstream/sample_event.json b/packages/ti_anomali/1.2.3/data_stream/threatstream/sample_event.json
new file mode 100755
index 0000000000..3dd5e6c580
--- /dev/null
+++ b/packages/ti_anomali/1.2.3/data_stream/threatstream/sample_event.json
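Review bot: The `content_type` var copies the title and description of `url` (`title: Webhook path`, `description: URL path where the webhook will accept requests.`), which is wrong for a content-type setting and would show two "Webhook path" fields in the policy editor; something like `title: Content type` / `description: Content type of the requests sent by the SDK.` fits its `application/x-ndjson` default. Separately, `secret` is `required: false` and the `ssl` default has `enabled: false`, so a freshly created policy accepts unauthenticated, cleartext posts as soon as `listen_address` is changed from `localhost`. Since every accepted post becomes a threat indicator, the `secret` description should state that leaving it empty disables request authentication and that it should be set together with TLS whenever the listener is reachable beyond the agent host. If the package-spec version this package targets supports the `password` var type, `secret` should use it instead of `text` so the value is masked in the UI.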
@@ -0,0 +1,77 @@
+{
+ "@timestamp": "2022-04-11T08:52:31.294Z",
+ "agent": {
+ "ephemeral_id": "b49fcac4-6f07-4c25-8505-3306c6f56ca0",
+ "id": "6b916c32-9ec1-4b93-a910-81540b3df79b",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "anomali": {
+ "threatstream": {
+ "classification": "public",
+ "confidence": 56,
+ "detail2": "imported by user 723",
+ "id": "1785659799",
+ "import_session_id": "244",
+ "itype": "mal_md5",
+ "md5": "6466e2",
+ "resource_uri": "/api/v1/intelligence/P44706407813/",
+ "severity": "very-high",
+ "source_feed_id": "3759",
+ "state": "active",
+ "trusted_circle_ids": [
+ "439",
+ "942",
+ "801"
+ ],
+ "update_id": "3898969521",
+ "value_type": "md5"
+ }
+ },
+ "data_stream": {
+ "dataset": "ti_anomali.threatstream",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "6b916c32-9ec1-4b93-a910-81540b3df79b",
+ "snapshot": false,
+ "version": "8.0.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": "threat",
+ "dataset": "ti_anomali.threatstream",
+ "ingested": "2022-04-11T08:52:32Z",
+ "kind": "enrichment",
+ "original": "{\"classification\":\"public\",\"confidence\":56,\"date_first\":\"2020-10-08T12:22:16\",\"date_last\":\"2020-10-08T12:24:42\",\"detail2\":\"imported by user 723\",\"id\":1785659799,\"import_session_id\":244,\"itype\":\"mal_md5\",\"md5\":\"6466e2\",\"resource_uri\":\"/api/v1/intelligence/P44706407813/\",\"severity\":\"very-high\",\"source\":\"Default Organization\",\"source_feed_id\":3759,\"state\":\"active\",\"trusted_circle_ids\":\"439,942,801\",\"update_id\":3898969521,\"value_type\":\"md5\"}",
+ "severity": 9,
+ "type": "indicator"
+ },
+ "input": {
+ "type": "http_endpoint"
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "anomali-threatstream"
+ ],
+ "threat": {
+ "indicator": {
+ "confidence": "Med",
+ "first_seen": "2020-10-08T12:22:16.000Z",
+ "last_seen": "2020-10-08T12:24:42.000Z",
+ "marking": {
+ "tlp": [
+ "White"
+ ]
+ },
+ "provider": "Default Organization",
+ "type": "file"
+ }
+ }
+}
\ No newline at end of file
diff --git a/packages/ti_anomali/1.2.3/docs/README.md b/packages/ti_anomali/1.2.3/docs/README.md
new file mode 100755
index 0000000000..1ecaf4bb7d
--- /dev/null
+++ b/packages/ti_anomali/1.2.3/docs/README.md
@@ -0,0 +1,369 @@
+# Anomali Integration
+
+The Anomali integration supports the following datasets.
+
+- `limo` dataset: Support for Anomali Limo, a freely available Threat Intelligence service
+- `threatstream` dataset: Support for Anomali ThreatStream, a commercial Threat Intelligence service.
+
+## Logs
+
+### Anomali Limo
+
+Anomali Limo offers multiple sources called collections. Each collection has a specific ID, which
+then fits into the url used in this configuration. A list of different
+collections can be found using the default guest/guest credentials at https://limo.anomali.com/api/v1/taxii2/feeds/collections/[Limo Collections].
+
+An example if you want to use the feed with ID 42, the URL to configure would end up like this:
+`https://limo.anomali.com/api/v1/taxii2/feeds/collections/41/objects`
+
+An example event for `limo` looks as following:
+
+```json
+{
+ "@timestamp": "2017-01-20T00:00:00.000Z",
+ "agent": {
+ "ephemeral_id": "29217578-e780-4c3e-912d-0f35ce981fb4",
+ "id": "6b916c32-9ec1-4b93-a910-81540b3df79b",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "anomali": {
+ "limo": {
+ "definition": {
+ "tlp": "green"
+ },
+ "definition_type": "tlp",
+ "id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
+ "type": "marking-definition"
+ }
+ },
+ "data_stream": {
+ "dataset": "ti_anomali.limo",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "6b916c32-9ec1-4b93-a910-81540b3df79b",
+ "snapshot": false,
+ "version": "8.0.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": "threat",
+ "created": "2022-04-11T08:51:02.140Z",
+ "dataset": "ti_anomali.limo",
+ "ingested": "2022-04-11T08:51:03Z",
+ "kind": "enrichment",
+ "original": "{\"created\":\"2017-01-20T00:00:00.000Z\",\"definition\":{\"tlp\":\"green\"},\"definition_type\":\"tlp\",\"id\":\"marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da\",\"type\":\"marking-definition\"}",
+ "type": "indicator"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "anomali-limo"
+ ],
+ "threat": {
+ "indicator": {
+ "type": "unknown"
+ }
+ }
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| anomali.limo.content | Extra text or descriptive content related to the indicator. | keyword |
+| anomali.limo.definition.tlp | Indicator tlp/definition value | keyword |
+| anomali.limo.definition_type | Indicator tlp/definition type | keyword |
+| anomali.limo.description | A description of the indicator. | keyword |
+| anomali.limo.id | The ID of the indicator. | keyword |
+| anomali.limo.indicator | The value of the indicator, for example if the type is domain, this would be the value. | keyword |
+| anomali.limo.labels | The labels related to the indicator | keyword |
+| anomali.limo.modified | When the indicator was last modified | date |
+| anomali.limo.name | The name of the indicator. | keyword |
+| anomali.limo.object_marking_refs | The STIX reference object. | keyword |
+| anomali.limo.pattern | The pattern ID of the indicator. | keyword |
+| anomali.limo.title | Title describing the indicator. | keyword |
+| anomali.limo.type | The indicator type, can for example be "domain, email, FileHash-SHA256". | keyword |
+| anomali.limo.valid_from | When the indicator was first found or is considered valid. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset name. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Type of Filebeat input. | keyword |
+| log.file.path | Path to the log file. | keyword |
+| log.flags | Flags for the log file. | keyword |
+| log.offset | Offset of the entry in the log file. | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| tags | List of keywords used to tag each event. | keyword |
+| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword |
+| threat.feed.name | Display friendly feed name | constant_keyword |
+| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword |
+| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
+| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip |
+| threat.indicator.provider | The name of the indicator's provider. | keyword |
+| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword |
+| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
+| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
+| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text |
+| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text |
+| threat.indicator.url.path | Path of the request, such as "/search". | wildcard |
+| threat.indicator.url.port | Port of the request, such as 443. | long |
+| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
+
+
+### Anomali Threatstream
+
+To configure the ThreatStream integration you first need to define an output
+in the Anomali ThreatStream Integrator using the Elastic SDK provided by Anomali.
+It will deliver indicators via HTTP or HTTPS to a elastic-agent instance running this integration.
+
+Configure an Integrator output with the following settings:
+
+* Indicator Filter: `*` (or use any desired filter).
+* SDK Executable Command: `/path/to/python /path/to/anomali-sdk/main.py`.
+ Adjust the paths to the python executable and the directory where the Elastic SDK
+ has been unpacked.
+* Metadata in JSON Format: `{"url": "https://elastic-agent:8080/", "server_certificate": "/path/to/cert.pem", "secret": "my secret"}`.
+ - `url`: Use the host and port where the integration will be running, and `http` or `https` accordingly.
+ - `server_certificate`: If using HTTPS, absolute path to the server certificate. Otherwise don't set
+ this field.
+ - `secret`: A shared secret string to authenticate messages between the SDK and the integration.
+
+
+An example event for `threatstream` looks as following:
+
+```json
+{
+ "@timestamp": "2022-04-11T08:52:31.294Z",
+ "agent": {
+ "ephemeral_id": "b49fcac4-6f07-4c25-8505-3306c6f56ca0",
+ "id": "6b916c32-9ec1-4b93-a910-81540b3df79b",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "anomali": {
+ "threatstream": {
+ "classification": "public",
+ "confidence": 56,
+ "detail2": "imported by user 723",
+ "id": "1785659799",
+ "import_session_id": "244",
+ "itype": "mal_md5",
+ "md5": "6466e2",
+ "resource_uri": "/api/v1/intelligence/P44706407813/",
+ "severity": "very-high",
+ "source_feed_id": "3759",
+ "state": "active",
+ "trusted_circle_ids": [
+ "439",
+ "942",
+ "801"
+ ],
+ "update_id": "3898969521",
+ "value_type": "md5"
+ }
+ },
+ "data_stream": {
+ "dataset": "ti_anomali.threatstream",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "6b916c32-9ec1-4b93-a910-81540b3df79b",
+ "snapshot": false,
+ "version": "8.0.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": "threat",
+ "dataset": "ti_anomali.threatstream",
+ "ingested": "2022-04-11T08:52:32Z",
+ "kind": "enrichment",
+ "original": "{\"classification\":\"public\",\"confidence\":56,\"date_first\":\"2020-10-08T12:22:16\",\"date_last\":\"2020-10-08T12:24:42\",\"detail2\":\"imported by user 723\",\"id\":1785659799,\"import_session_id\":244,\"itype\":\"mal_md5\",\"md5\":\"6466e2\",\"resource_uri\":\"/api/v1/intelligence/P44706407813/\",\"severity\":\"very-high\",\"source\":\"Default Organization\",\"source_feed_id\":3759,\"state\":\"active\",\"trusted_circle_ids\":\"439,942,801\",\"update_id\":3898969521,\"value_type\":\"md5\"}",
+ "severity": 9,
+ "type": "indicator"
+ },
+ "input": {
+ "type": "http_endpoint"
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "anomali-threatstream"
+ ],
+ "threat": {
+ "indicator": {
+ "confidence": "Med",
+ "first_seen": "2020-10-08T12:22:16.000Z",
+ "last_seen": "2020-10-08T12:24:42.000Z",
+ "marking": {
+ "tlp": [
+ "White"
+ ]
+ },
+ "provider": "Default Organization",
+ "type": "file"
+ }
+ }
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| anomali.threatstream.classification | Indicates whether an indicator is private or from a public feed and available publicly. Possible values: private, public. | keyword |
+| anomali.threatstream.confidence | The measure of the accuracy (from 0 to 100) assigned by ThreatStream's predictive analytics technology to indicators. | short |
+| anomali.threatstream.detail2 | Detail text for indicator. | text |
+| anomali.threatstream.id | The ID of the indicator. | keyword |
+| anomali.threatstream.import_session_id | ID of the import session that created the indicator on ThreatStream. | keyword |
+| anomali.threatstream.itype | Indicator type. Possible values: "apt_domain", "apt_email", "apt_ip", "apt_url", "bot_ip", "c2_domain", "c2_ip", "c2_url", "i2p_ip", "mal_domain", "mal_email", "mal_ip", "mal_md5", "mal_url", "parked_ip", "phish_email", "phish_ip", "phish_url", "scan_ip", "spam_domain", "ssh_ip", "suspicious_domain", "tor_ip" and "torrent_tracker_url". | keyword |
+| anomali.threatstream.maltype | Information regarding a malware family, a CVE ID, or another attack or threat, associated with the indicator. | wildcard |
+| anomali.threatstream.md5 | Hash for the indicator. | keyword |
+| anomali.threatstream.resource_uri | Relative URI for the indicator details. | keyword |
+| anomali.threatstream.severity | Criticality associated with the threat feed that supplied the indicator. Possible values: low, medium, high, very-high. | keyword |
+| anomali.threatstream.source | Source for the indicator. | keyword |
+| anomali.threatstream.source_feed_id | ID for the integrator source. | keyword |
+| anomali.threatstream.state | State for this indicator. | keyword |
+| anomali.threatstream.trusted_circle_ids | ID of the trusted circle that imported the indicator. | keyword |
+| anomali.threatstream.update_id | Update ID. | keyword |
+| anomali.threatstream.url | URL for the indicator. | keyword |
+| anomali.threatstream.value_type | Data type of the indicator. Possible values: ip, domain, url, email, md5. | keyword |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset name. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Type of Filebeat input. | keyword |
+| log.file.path | Path to the log file. | keyword |
+| log.flags | Flags for the log file. | keyword |
+| log.offset | Offset of the entry in the log file. | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer.
For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | +| threat.feed.name | Display friendly feed name | constant_keyword | +| threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| threat.indicator.as.organization.name | Organization name. | keyword | +| threat.indicator.as.organization.name.text | Multi-field of `threat.indicator.as.organization.name`. | match_only_text | +| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: \* Not Specified \* None \* Low \* Medium \* High | keyword | +| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | +| threat.indicator.file.hash.md5 | MD5 hash. | keyword | +| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | +| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | +| threat.indicator.file.hash.sha512 | SHA512 hash. | keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.geo.country_iso_code | Country ISO code. | keyword | +| threat.indicator.geo.location.lat | Longitude and latitude. | geo_point | +| threat.indicator.geo.location.lon | Longitude and latitude. | geo_point | +| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). 
| ip | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. Recommended values are: \* WHITE \* GREEN \* AMBER \* RED | keyword | +| threat.indicator.provider | The name of the indicator's provider. | keyword | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword | +| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | +| threat.indicator.url.original | Unmodified original url as seen in the event source. 
Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | +| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | +| threat.indicator.url.port | Port of the request, such as 443. | long | +| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | diff --git a/packages/ti_anomali/1.2.3/img/anomali.svg b/packages/ti_anomali/1.2.3/img/anomali.svg new file mode 100755 index 0000000000..e9cade7e61 --- /dev/null +++ b/packages/ti_anomali/1.2.3/img/anomali.svg 
@@ -0,0 +1,4950 @@ + + + + + + + + + + +]> + + + + + + + + + + + + + + + + + KLUv/QBYXLED3pfECAouwBJtEAMqCRKl1LDjOBKj/J0501ZeRf1779cPGkmZnTJLqVG5ZocJgiCA +AACcB9QLFAr5COXYIpM8JEXyOPDAKpiovaqiSorLItMAUX+ItI5IR02zrWKdYuKRic6n9jxkMhHp +7HQXjUh4Do2t9tgOmT3K3dTvmn40NN3CzV1COntvrrNlqHrIYOXdqkb0kyKdqf76oaHRZdMh3czs +mBk0LuVQ5EiSunrhuoLP55EkXIeHi1h8aNL3tApihxVHlhSihwcdVgWTS46SqGRLEyM2fCB6OhJJ +wqCj0JFIjMNADOMo0tCbUcywUYmCjKRIFEiBFEWRR4zcLJsoEmsUWyQoZNgoZYepW45TLAUWaBwW +SKKcUY5i3MSSYdkqSt0KZmrZokAQOo6jmJGtJBOJpJFGVhKCiGLR5ElB97P87s4JJG9oVpU4io8j +x0FHYiRY9tAthYGUpMolRnnC7ka5ccyiIAaSHBZIknB5liIxEgNJ+DKxxUEu03sxDkSThO202Epx +FEiiENNSJFcghmHsFlt0b6aytVj4Ov7OSlUlnEC25MsuyWEo0iUKkoiRRRabmplnRQliFIrHM6wE +crwcN554NyPFLR5eoUtYkkXNoEIpy6bBnQ+ZOmSeRlv0q7WSldpYimtaXzKj1X/IpL2W1Hbek5Dy +Dpk8vB0aUV1F69LCNdvbTbKtyy6zItWd6ZJZM/OUGtUX3qlMWJu2aYm+cQ8ZuzPMvENNPBrZMfGu +dslUKKB72M8qkUjcxepmIsEiAXIYheLZ6RoJJIstjORIjBRZLmGJ2sKQKkfJcsLEkyM/Fv8XOhar +LFpSWEG2CiaMUkdxFIpXLig5SrGrm4vfq3UCMVY1FW9L4q8kkGIUq1l+Vi6lILtAnJREJWqtQCyp +s+8VxThyRAkP0pJQWheIj6JHchBixJDLg56gE5W4xBNHhxRqYsTX2sSwaJGwhC9PjSOxvdjvx6vx +I/HkZGiIqbhHApPirKy8tExNzUUycanp9YqqhaGIJjRRWlqvyVRHOiGmbkkUl125z8cXXiK0Q+Z1 +yOx/LxHe+CJKLVveeU2t28lpzdw8trOwlGzq4y35W5hG/5lald2JNhWXaGtPmTtk0EfUtPV0hi4l +QzQ9Ujzb0TX0QsW1GZoOb6wrQjLb7ES7l56MRPE8vJ9dnYkS68IKLLQ4jOMoEpgBCiYWpZg8gSRI +ORADMRbRvCHmxJE4kgM5Ci1XhBjHGorGjRtnWJFxW9C4kX0VLqhIbFGJFkQPNbTQVb2eWmJkYr4S +mCCCh1Y5PVES5DAuQeSEEpQk5TgMo0AkNJOLiFynLOighBJkl813uqgLH05M5bJ64WE07LDE6Hym +V/j2O15fvBAW3iZI6cxNpLX0CjW8tl88NlkqqtjvFxc3C6Mgi2yyiaXCXqAWWxRHgZBhw0Y5XfJR +P/AMmdLABoK5wGFCw8PDA77OPJvGCPXYDJpf+Xjs7k7ebCUdNMYYY2xHh0pZpEPlNn1co57R9FDx +72SpdhEeHiqKrlxTNTRaPB9e+V5WMmNTGjhERDg8QIgAAaOBBw0SDBNxAQgLDAUHDDKwwGgplW91 +d14dT3Hr1NDMjLZKR4sOGVS8azex0ArJDFH3v2rSGuL5RrtaRIhJa9eDWL4fMqp7Sqi3aae609Mn +ahXuUv6W8qp2mEd1b3XIlCbdIbNV/no1lQ7Xzmpl+CyfHjJa5TK7tablIWOFrzxKf9WUd62RLv2y +6pCxXR0ymoRr2nuleQ8Z1LQj9cmIiA4Zs/7QV4g2PWReN1T785u0h8zNZNI1u13RoUKBoyDkMp/P 
+91GtXq8LFzZ8uBxGjDihonJVVVkdVm4VRyGVVKLIbLYys7MbWpraWmGGpR5FtzAOMmJDrKCBGAiS +UOLESV3yBJPcpEiM5EiQREIJJyphiVI2sZuaSLzEJSiRJEZS6BNL6kAKRJG8lZ+VJRKkjGIrS19W +qihheJ1XJieEEEIGFbSkpDfZyh2TlHQTlhhihxlWpKHdzszKio0sUUkhdZRRRW1pZWFhva6sqlxU +CSdGfNhw4bU6jb7vs7lskxOUEEIH0XprbW+/uLm6u8UaeyyyyZbEUuGiCiuueIFFFlpsURRGgRRJ +kSjIsFGGGWfcQCMNNdYoDMM4DMRIjIRBh4867LjjBx552BVM3cIoEhQqDgRBEogvwSSTTDApmWxi +JEiSJJSghBP2xBOYyMQmDCNJIAeSOBJGwkgcCS21kiYSySOL3NTEvLR0UpYEImhggYuJiIeGhcbE +kRsvrs//d3vdT1xyyBlXnF7e787OR5cYYoatqaWVMqsDSRQXCzTwQAQTTCCls9Ly8omZqblZpJFI +JplIUmup6ekVNVV1tVBDD0U00YTSIkkiIZcligTFAImkIlogxSZmHoZhFIYaaaBxhhllkJEokuIo +jKIotMgCiyusoCJZZI81dlcX93tr66VNKKKGrqainv6uyMjoqEhggFJYYaUwDkssYYXOV2d398PL +09srzrjjkEsucXS/fv/xef2+uPHjyJMnTmgsNDw8IiYqbrJJ2cI4kIQOOaRc2R2RRDTJpGDy5BJL +KqnECSUJJEEQ5EAMZBFFEkHkyCGFGCGEkORAjuMwjuLQIw88fthRhw86EkZiIMZhFAmKAQoSUkFK +QsKjO56KBDdkSgMOQEiQ4DABMwAHCA8NFBpwwUOCGKWCYciuYBiGhWKBwbBgiGzoBg2ZMsYYCgbD +grlyW3mobP1QuZXqKQ/TPh8qVKjkVZ7pdvevHSpVuUpU60PdPFQoUC4wTBkypYEHNGCBgfAQ4YKG +BAQmgogHhwgXNFA4wINhqBw4uOAhYbjDBiIooMIFDw4SDIMBC0wDBwwaMGCBueAhAwgMJkAcDhER +MrDAUHC44CHCBTAQ0UCBBCIcHhokUBDxEKFBARQaHhokUACBaYABhASHDTwkEyhAXMAB2UCEiAcO +GFSg4EABBKYBhIcIDxooOMBAYBpEPHDIgAUaYC5w+EAEChARDxwg8CACBjBooAAhggQJDYcDhQYJ +iQcTHCIqeMACBwkPIkRQaKBgQoUIEiAsMMEDFlSwQAQFYOBBRAMHLDAUICIiXJCYCApFAwwiNBwJ +EBAOiKBQQGAamAYSICAcYDBQIQMKhsFARAMFDw14oOAQEdFAAQQF4gIPE2CQAQSFAzxEgJCBBAoY +lAEFwkOEiIcIFCh4gGAAAwYZRDhYAAFCAgQFCh4iQHAwFhZKhYgHhwkTII4LHpKFhWLBAg7RAg6G +8oNDRESDhESd9cbcraVam/SoqbwgAoUDMGSdA2MtBxE8RIAQgUIDHCA0ULCwUJIDDhEg8OCAQQOc +Z1ZtfDVaZ6PmyhgdQADCAQ8OGDSgAgUHDzQoYEIGDNCIDCRAVHCoIMIBAoUGB9iQIdMgIRFBoWC4 +BIcLIBawExQLxSYCBwkNDyxwgEChQQEMVyaCChERHh5AwUFCBhUQ3VkQQaFweIBggImAAw4RNuBg +N2M2YzUHxrAcSIjgAAfm5w4RDRIwmODgAAYzdEN3YMhEUEEDFBomYABBoUEFHiAiRIDgUAEFIDBk +bnp1Wnd4l3XI/NLsRnh55zpkrqqeaPSs8yGXXe9IUQ81D5laM9o2b4u/Q4ZMBMYBKsB7CmBhoTQ4 +zInMJAxogAMYUFAAgYmgwgSIiAoZHGQiqADhIUJEhIMFDhAaJkzAkBMUC8VE4AChocIDbIJioeCe 
+iYCCgwUmZMCACyREyMBgKE9Q2EQ0TKAAkXCQECHB8AmKhRJBhQoVHB5AUKAg4sFhQgYPIJCFhVJX +iL9e635HHRjTO7oWfY9OnjE6u/M5fz8+BwaT/j3nHn1PBYcKIiBgYaGoA6Nn6hyYMhF0AMKA8BDh +gocMIIyFhWJqaBOBwwciVKjQsIGHhmNhoSyAAmMVwRkyAZIIQEVlInCIaEAeICI0iNBwyElUVAzG +ASpgoAAhAeJg0ACFhgVEkNAwAeKhYHiAeDABBCYCBwkRERywsFAaQGAaUHCQcMFDAwYO8wBRoSEB +EJgIKEAkFhaKT50rE8EDRIQKFBwgwKATFAsLhc6VaVABBBQgIhooRFTIQIKECYyJgAJERIMDhWNh +oRg65sDBAhAXFA4soAAACwGJaeyeqD6aeGhNUvm29Jx1nmisrLRyafMnyab0jmZ6zDt6PEVS514R +HtsGzUs+pTU6W8iwUCAgxngzLJQMAhABCZgGEBisCyRgzOAgwQMRO0HBUIAGEyhAXMABExQHBIZh +oXQgAoWIhgVIaHCogAAXOFxAAeKBQwUREAwggCGAYVxAL+25R6tHjdSYzuTNSjyamA4MSrQmHTtS +Y+RSTSW1g4jpQE1fxFSfc2C+ubUur7dO2QHDQnlgGFO1KnPasZ/K+PCVVYXnTlt79tu2DvllB6au +5tuIjivRHDAslAkSMGbpul1rzx2pOcq18Xt7CDEdmDzpYd36Dsyt3dEuoR7P2jzxjLi7lLYnHRj8 ++niZl1vHygHDQoFgGBv73cE6u0H9D2GtGTtQ+zJJa7+J6mO0IVOkPjrkwDS4WcBgWChHolkWbp7M +Uq/+Md2gC/Pu2NnUX5SpapsHzWqHesowzyT58nCr8mfN5pR+uUfzjC3aDe9s0pJMU3Gdx89KTL3l +ntQzesYXronq6NnoUmYtOU3Xd5VbpJp1eizP525TpnpWXTxTiZvG9W3OsFZTb7HO5hlNVxGuGu/k +bZxr0jylt3pFuHe3kyetTEzbMzFTtVzn9Mwl6n2dx6NpY7VPtd7He7unc9qapmqmHeuZK7u6r2b5 ++EfPc3vGSF/6tVudo00R4p9azp/aU8Tbr+l3CG0sFct0ds+kGiu/qOmzaKNXpZf688/3jN4t3TfR +eaw2pYZbqVSppyhtqw4+tSjpeM9g5vPK9VtLrdQ9umcU7XdfVZvDXKw9Rmf7xDyJNpaar1zLIsLV +29imXqXqn+foRu9ujfs6PHQbPKx16mnuQbqTDVfxCBH3MHeJZre46XOVdirV9yzd3BHVb9NqD7oM +knlR9UdHvWt0vEXDPHYZxdwz+9mft0ll0Iyr1ySyo7+pp3lvVc2OqUw9z2FZpdIXnXdubUr3h1cy +qqN4c8UjxXMqg5hfvFpZHcSbXKX9La19zmWSrqw3nmGhPDBlt7t4XGW0qsyo9O/Ru1E8vm7PbqlK +aaiZ9LOZ51sTolmZ2s3W9nQ+dGWMEuuouTd2P7cya7se9dZ0rHrUKtpDpKZ1a886WGXW1n5UNNYp +u7ntGfmYDBHV7PZk3Tzrim5T7wdLqxLVmD/PJS21vbOduzJmJkqsm9/m2trKNp+beMp83z79YytF +tSU8Lpu07NZeP1dl/h+VnaubyzOsWyKlk1Wm0rWoZJQnfXO2Nt9Sap2yMn7RKdU3nvJtXVv966iV +USMrpX1lWCgXYFgoEzCWP7MvkuI5tdEtq6MaBMyuE++LZHc2bXZP71Dvdk6f7Vuqdw== + + + rjalWJVHT39UbfZKVqhJp/O70bX9ft5QKY0O3c2/Z9dzmXaGhXIYKzyHNqildqi5pntm/ZfKey5t +XKQ/1OvpoN2kutS++s1TaoPeQ5Z2Um0ULStRD9fO6wwLpUECNjXj6Ra3zJxlpjOqQpPh2q0NYFgo 
+BWBYKAOogAHCQwQNPGgwGBgmKCAwEiAgDAIYMyyUCIwHKDQ8QESIeBABiaBQEIBhoTwwLBQFKEAB +hmGhTDAMC6UCCVxgqAIUMAswZMMBY5MBQyYBHpCAIVOhMMewUDJgWCgOBQckUBhiWCiGtne0Z6Sj +aQbzZ7pWro/tTaYetc0d5hbu8z94NqWBA4SGCBIgEhCYCB4iQHAwzORD+btatFvcOqEaHt1S1/Au +sZRSSqGGloIYxg1DiqLQKqhAkjYpqdfMJxbTxx1WDNvCrDAXSDHkSpVWQgUxFi2K6TAK46hQsbXS +YAAOEREwEAEfMvhFU6VeEnr3lya8KlW9pzfPGRoWKR3aETkPafGI1qn6fVJRUikFyok0QkhSl0bd +D022TE1zyw6VwTod543nzNj2MRo0x6NLx69cwpvKarVSbYpWq6drP2WLYhwIWepfjqSsbFLHbfKC +FHK5Y74U5ZBEwZJatjiQJJEYR+ohd0tKYhxGJUYhRqkkS5JIrrfY0e1xO4qiWG5VkqPISMTXLYGQ +UQVCqld1iO5sC19Wr1rmrmJarRLtIZ3m6n0vrWyXzlglkYmL0+UKLUZ8NZKSbCm7Y+oW5UCSRFHq +ytdAinEchOSRPnzkGSnylpQtmsVshXEnWEUeGVmSFFoSXY7VJ4qWe5rRsVTF1dtVCY+LRj/77g6Z +xKvLq5JpPZ11dofM7y+jNRfq+Zqp+L/oFUdS7rhjallki+K6o9hKHi5M3cJAkOSl3FGQJFHljqlb +lAM5KyrFXvIjpBhViUKQoihaeFWUQIqyLhJ/pTKBxSUIVpFnZDZKSlFGFZlOSuLDyHEYxZbUzCyL +t6USh5a1NX1BK4n7vjz4X9n2Tnmqv1Wr7qpdr1TzKlOrTmit1NfxuHRruukhc5f9IkXSq2nukdBV +h0zVmeKu6uvgT8mualllS3eXe0b0VDNSokCdC22WxMtZESLIQQkVSYEUmxSrbYLFyowiQdk79EQJ +alOr9FBSneoyC3HvPB8q1tLvQ0aPftxbuWiyRyYlDyPxWmikGEW5Op+PvMgW5JBcLnGpW5zKHWWN +K7YYW5T0ZatQLFVmH4q/oyQlbdFiVXW3ZTtWPoR1znKT6sq4ezLd9c8tFQy0pIOZeK+zUdc21fbI +UK+ofmRaShMllFQiQQ4DSZIkcUleqW63qqo1qkNmz3rfTdXUMjzTu1GtPOYfnrvUMvPmEV0R2vZO +n6p0okN90ZqP4nGJ4gcmlyhyHKUoB1LumKVYI1HOio+yiVdHURTFHkWxUiQomFicLgpaIsmrQ7G2 +HMhRtNTaWEXFcr1pJZhAygQiZY18PjHDCjvQTxhlqjuWBNlm04StYGFpogqk/LBADqkXiUOnZdk8 +MsnD9jaxVZBRmzBsHCWhKk+yoZaEbI0tZktEXa48ZEoPmcOnEhoZie7OdrrKu/OvZapmSkayk/dD +Jo/X9DCV1me0ls/WKrL7oUKBcqUgxGV3LLqFcSBJIZddYRTbHVO3QEqC5LI7FgkKKVK+IuEsiCXM +ZwcaiZTnM1OPRK4H2dpugRhbLDmynNDQgr8q3ga7Z/uQ+THJpfembzONdb9c9X1rxk1EXSUrWzvX +77mVLAnDhwtiCFLu/29V2LHFFZp6LaWkSR5ZJHhgcYkhd2BZS0NbAssqsiUTh5Y9ztiXo4oqyjDQ +OIojUYxUGTFzAinGceyhxY2ORDkvnouiFKKaec6YDZpSwUD/hXsvFxpW1moebTpkbhOzCLPW0DDx +9Bte2deFSimFStkVTF2j2K6kbmEk1iOBUFIvWXRLYSSObC9IoqQxy1Fw89BjF6k8MKFbiiqMglAp +O9OyxVjlDhuVRlF6kTiMiCJFInHCEkfKlZW5kBWZCmLB01mVlyuEkJJIkGKTvBkpkqNkkcWNNRJN 
+9ChoiUxkkofZMPJy/DCuSGxaSVRi7/KRTkuoVXFJkMPQxOLFOIq8Inqmw/1hHtutnMe9rDw3X56m +nW4ZKikulksPs2y07iOyM2PiUlFduRQPyVbK5+VmKb5sNG2Gp0po1pmoVjTmQcJFl80d7ZUtyam4 +VjaIP8zMpSxrnTDV9Mc6aljmk/Ye5+6xBw/o9qDhMTv+aN3PPLV3akqXemp3dE/JUk3XTlEdtZyK +9s/Sn6SLakQ791W9qXbWWLh1acS6W6rCQ6W1d5lUf/c0D7eSiPDW/CDP1PYU00XPNVHd6e1t7lKZ +fdLS9VYfgvDjItU5TYt7PzxVZuVc3NvqWVs0lViW1/yeVFKqLCXcPaZFJ9rSLNWDiUbRtZRrSD63 +zcuJ5ltalJtneNI2iLtn05ygdMQyvVs7hQ1MMWBcYAI261oaolLpN0+2aKW5tk0sVdz66a9LZ9NE +tF076UrpfAcXv2TyUUpbC48uvjSfPrTosiUtUtybku3MdI8bMLVd27Qi2+2rbumoTtlbtHr7xDpF +dS3CtZn/TJ/ZybWpS2ve3uEPUl3W2q2r7tS/RRvmLZW/ZPSxdVJembouZqIP76y9C5GWvnqzc+vE +6/c21XyTir43+eTaRzWrPNFzXaa3dvw5qjzh2TWW9fZUSXpVeWvyHqWbLupZMnh7rsI8vLWN5ZJ9 +T1Hh0iWdXV9rcW/Xu3aia29NhaevKuL52hwdWhcd1fd6elad3qX6rhrXdSyyb93tuXrt1bX6otYd +VZvu1hd/OqguvK8h4dn0nf8+jbdp+15t6vQyOlfn7V9MH+V576tpl5ZfM8ujmJlGuHinB++f6n71 +NhZunvX2q5p2KJfI9ODpq/JbLjuLxjJS/NLtHkqbpbONa7emj7i09lN2flbvoZvIuHe/Ul24t+LZ +s+H9jtZWpZOMWmKt1palou2WjHu3ruGeCXHtvXOmezTcq+uxs9GIe19Nn+mxtbF65t7eWY+uU1XR +jq7ra5d1cG32qudvrb337119ML2U52hj3J/t+X109kx+7ReP7BhtCvdbeS59TrLvEfNc/bv/e55W +Onr7ERpuOenc+W6XhXubd/JcxqX6HbtLV/VrU55CW21q4VrdHjwb/G0fMj2bFdd8Hyxj/hT3Squo +DpdOeXymPTrcs+3U2V/DLVw8dTZWikZcrdpjtmr0xMUbHq0rrURcQspjM+c6PFw13LPmRR/RD1aW +E9GWRE6yvdtLXC1TS4tO1dPhwTvzG9om/bpN1dt6LmnS6R5T7fSO6m2p3Xqte5aa+DxEN8ZXWW6h +7gvvKFXT9JSPuOpcyqtju4z26zrnTy7LxSpMNeue1cu12mektalW1JN5BokyLZdseoz0mPmT3eHV +wT26O1+D13WlmmnPjw6u+eZN1dZz7r16yjZJqIhaNjpZirveq+ULDdG+0u0XUqpu+ZR/u+PRdt2b +Kap5fVw/OS+vrrqUarZ4yLcvmrpeiOhFLaM96V8xF9V8NW9Sqn20ulNt+aP0smGlnqrP0c8oi07u +6VOvbsd7iuqtNPoZKmrdrrTMR+tHSXeodJcH7d+iJaT/q2WG6rvZCu/c/l0yVF3v8X3tqap5Vbyf +wh/1i5q7iVfLrzpTv/+uGRL6xzojvfG+zfz1cPVQHtN51+/SeV5x62ovOqUnJNQ8a4S5ebWpTuFx +DfXqy5/980eyGq9HsrP4P594vbU9iK9VNaqS8+Bd0+7ODuGv8GqIdBZ//5pX3MRT+LPRqEfWk3fv +M22ohXq/nrqbHq1QfaXn7gwLZQNLZiVUpNxD/6Ie7fNHpMsr/XcOb5Zm+/twsVB//9j9Xia0Q/Yz +ferP+oaopzrlOxVx6Szd0IeUeod0ys9cF6XaWR7z8Rb1rzzom+/k1NvukH9HVXpOP9HTeJL+qzor 
+Xa8O+rciMzpkr6t0oebqz++bmb6jn3pVMp/9yxS39uQdCZHsdycv6vlp9d2f1/89GSpp0qm7lhKh +llGP3errXf57iL7e1CdVt5Lqev0d0hWr6nh/w1OWkf2VdxUu3pg/2qw8pU61X713pxIPvXQ93Sv0 +NX12Uk9GV1P8qb3eL+taSHtKj3m692Rj1zrac/vXXe/cjBHe87RUT7+Hzqii7p4aS4/t0eARsU67 +vkNnXgf3NpNqtHdaeXvs3AgNIuahMq9DpvT+nO6dGc1h/eSNT2m1DhlNGtmhNLZ4uKfq9Pne1iCp +S4nQLKkdTYNYqKdKrrN7k75jd79jb1p9c9GurdLuDKKi2afMvI6eDp05k3nXV/UxM1bkVNM8vKP2 +81EzqGv3ZeEpM1dGRad4/ynbModqq+mR9NBpnR4to6jqMy1DS9WTZTCRkuxQotHfsTKmiqp3kur4 +7lSrnpfZRCUtveal1ZZq4Z4nJh41c2cpmSqisTKmk8i0Es2W66iZMkOsPGjGdle1NHXrSqfOIB7l +lpbZa+fJM2qz25SeehDttCfP7GnWUaL56BnDI91vHjpT+rOFuKTHN2unWqfm2+NCg4UHr3x6a3e0 +Xnb2zG3mrVkuHt84X5umRfnjQ3M8H73x/djd7xQa8/dppw7NfaduDDdRTfX6o4bGbvHUzRra1Vnh +GR2jse7RnZKWnXXP3WDmqU/1jg4WGiOts0c1nUVD2kNqzIpOTW+KZw2N0+TPNPOsmuP1zOfso5PG +tNpDibazRfu0MM1HH9ZtdVpfnys0us+DaNBsdadoNFalx9QUWVmektPOEZ7qXOdkU2v5n9podtNO +rfm50WRhHlSjia86zdedK6S1Y2rweVzTPOc5Q2OVdFTNvb5P8Wcnc02m9+yU0n7WuWqVSzaIPlRo +Es/OrSktutNjhQbXmKssD55Pj6IpqnXaHRrj5TE13kS80fFr9oWLv6N5LRcL6xjZmFVtb2hOV4+t +cT3pTK+sB/c8jX+qNzU6nj2kvbM39lKa6dHseo8d2jTLXG2PmjmttCxTVDtrXzTPvOMz5etLnWhn +FU268vxMUp1SRPwxmtKTicaOTqVZI/qWqmvPJZpL67EadO6WHk/Hcs1qRTLTRDSWdwfTJF7Zpq69 +o4jmrugYGt+laXbXPb7ZOrQeo9Fda5mWNY8RzS7i2cRSPLZmnZr6c0ezBv+v7YhGTXZOzZaiYZ0L +VWf7VTuEhaeuiGdbZzx6W1XfOaptS+Y7lfYstS2arVnLx7N9KR79JtquTX2dstlpc33ShuQyl23k +KiUrG5Iq0Qm9dtsps9pDddmRDqn2ZpWbriVz8AARIaIhAqKCCRk8eFAYBgQGwkMEChEWEMA0MHMA +QdVV/nw1F8tK9+zykGqa3Ui7q6XnvEfTeQ7ykH5j297nUjeNfD+bei4aFf7Gp72ZraZvU59n/7KT ++MO0s7MvS9Lb/ZVodLO83RZT9fxZmXW2ZOhDaKtodg4xL33D0/6Gty3NPHct07P8yw== + + + 1MyWivIYFm2pbdEw68zWsH4M636Oq3q2tWp325rpHsqbbWstj7NoTanItmiHZmhb9W01Nw9eD6+m +WdpaUh3TbEt0d+q8d3U+287a1qEP15ZeNcPLNDvjz5vndOGe8a6a/1E+rXj14X9JuL/3hN/KzHPo +s6K0r0nPaGe6k+bPq+gQy2zaRLTZ+XKPFhmi2e/ks2b776CV+Yj0eDuq2VpnpfV57bJDnw+RDBfP +LkPj+i5bjXdeme2++7bsUoswb7V1oY/H/Y1eLPQaTfTvl9A31xEevI+ZJp/Vx2vc3Dz+8+Arj2Il +w0KZsLeTeUprnp81S7Ps5FntXIXrsy9trXQPXq2tr3DViG7vt5MPfOu6OmRlt1d1Mrtbqtr73cWw 
+UCbwfa1tbR1t/WJYKBvQxaKro6pNWrSzV6g+VD3GujqrU1u/yldLV5Sv/VWecm3gWNIzLJQJTOAB +nR4fw0LZgH3uPnjYqVQ6O3bPqmMrH3vzJwnrrN3PJenJqJJs65XeudPVO8cr/ecSL/dk0jlU37l0 +ZuniQbRNz2HZHuPm/aQd+l2R76Czau9Yb+RDe1aztDSyd9U263zvRcc2Kff2V3Nx10YydB0q6+HZ +yemj0l1GRsUr4+apnZuSVxWtcJGUco/w5z7lzbC+Trvq7liKr0Uql6nycom8lLS4VYg2q1v0MSWa ++ugyLJQNHJqdI9t+WlGmr7y66cNzNNadY2JuHrM6e7RTeEl4FrH29uim2rQv01b5Ltdk0z36cW7a +nW+aqeokXZZiZu2p3d1tJe5W3el8ddqqStwyw0I5XJqKeyU9L+Pqf4d0ttWen3HRfElneOdF/KHh +LaZ+01q4d+flnvXsSKcyI8x7UxF1EdWaR/RRfwx9mnmFq+fVI+Neav6MW7eZstRrd6uF+XwhJpru +ZKS8s1T23V+vSX2fkf3qW+ftUuHq6ceq0Gd1rjTfWmXqMSvbqrKzVUh6tFurSizaur01HayykV7d +mveULH1kZa87WWUf2t1S1ZLzlgp/06V9S11PY1rS5XGpGp/0W2vqi75GdIR1diffe7zGeqaTVPF7 +qXgojVpHtvbWGdouFXPpFr+UfhHRfUtdevdVMyyUB96f/810FVL+LHrtJty8626vs1Q0ZqZP9err +sx2p1Z5p++0t1Vp1E/UYlW1d0rrqai+57k69zSU6RmWiKzx23bqWjPQqbavojl75WHnqqtYQC3Vd +VlpVtbTWn6vq6nnq+pq56GyVl46/u0iTKg817/YKf9SVVYZ039rqqm6VSvXGsFAmbFWtfU39rcVj +SnlIp2aXdra85sDgWqWRmrTI6Ivr0zyVnqvrVk/Tult3X/VS2ZbhK+215r+UdmX11R5+f1Wn0vZZ +mdreNpcZ1+4b2p7QinSaWGu9c7TWz7LojEupeereOxXZ3fXsGZ2ZaMzDxK/Taq7/a4p0MG2bR9cM +C2XCmkpvsUjPVrnqeYV7Z9f3Jfsdq4nO01iI+HX6a1Y/lt7cvWs6/c01UdlpzKRiWCgH+uyOtVh5 +q+m1Sn3eJpX3yoi2eheV0Vw3nn+LWki1erd3VYf53971Oq3dVhXeGiurrLQKb8taB6ly0VBvjape +tptZ6bfeyvvernXJtGcqW/qut5WLx6hsu8pbpcrU05+r7LtMy7R/zJu3O1XTO9LvVUZnzFqrC83f +VTta+7LMwj1WR5hWtnPVtAOjvmthLh3dq5vIMA9N1XrcOrZNB8Zod8VarURVQifdgUFVPN+XVbh3 +qbq5dawOrZu4hPYyw7LLZ0tYpmc9W9/o6Gvx1tD2VeX7bKkQD2HZvbTsWFl4KMvw67Mt1DuEtVfk +2+LLT0rbq7/udp22+P3RK339Sm3zymfqusvdujp3laY33Vql01avdjG9RlfWvVWl3en2Vrfa/dpl +dZNa3WoqHa3KYCkUDBc4RDQ4YOBQAUOFCb56pWPayj1DOkmmd6tnKdeKhrenbHh6zLt65yrhnfLR +53Ous8yidCbl3qZcdelp7s9aol037TCtfvrTtK+25LN6TKMmnp/qK5H+oF4J945qki2R/nQ1Et7S +qY6uaUtmerqIa9a925sTZWLZHu5pcTXvp8yITI/Q9lZ1UfdYWU9ztwwt0XrWkoxnpXp636TdiPb4 +dd0y4pf2Ze8ppZbhUiYZz7tFp+zUiKdJvmOj64p01Ttrmz9zOTVt577p/Qnt0Lb0nB0YE9Eq1vfO +Pplk+J+uEDdPlX8H5mn20jWtUeoh3DQ3pdVjtqj7OzCKtpuZpkg+Wg5M7TnF34Gx3e+i1WEsjexL 
+pGdhmilR+ZBoj319u1UmrVV6442i82oRzfRlmbaZeAevfPLapk/HdJbXQ9OtPXP1WVm++xbitWw/ +iTdFqrX256+2hVbHrsx6Le2Kdb8IferKGBKpb7dwbX+5d/o0I1I7q+Od5/M83flGvqXyHbMyZ3e0 +65XM7O6+PVxzrtPXRNyDutb1Watb9dYt/XtrLn31mXYqaTFvhLe+s9s81WNVJsmEeb0rHsMb9NaR +zVD1Jly16PqAAJSSEdnJyifvuodZpKfy6eCFh3bHzH5wLu1411znNo1kuUhEdmkyWf/ZTd3zxX3V +5RoWnSJzdJrdOen66ty0umObWVUunfcsmbWXVW7u/Sz9enTurfqUTdlYzmP+2ZJyba/n1meVc++r +x3xk/6lo9f+l2tZ5u27erpo/09+fN8qz6zGfWtfT2in9khbVlfDyXG960/opvb+49VK1df3q3PRR +9aTmb0WqX93UU3hFhos/0S0Ny6R6qoupiGmkq7c3tzQ8LppNqi1anl2lo5pNnxuoRDGNEmoWZhky +yBCVSZIEAzMSwDAoGA6IReOREXlqfhSABIJqQGpIMJEGJJGQeCQEGUOEAAIAAEAGAABkBiQUAAAU +zwSAMh82shkSoMqktk12QtGCafDa6sGEI0CvRTVwigB1seKv9dOjpicCdK8zc2OBaIgkGbPK/f+n +lqcIVvH/5zL9Q9v4f+69/2e/yJOL8v1zBYP1Rtw/D71iogusAaBdnJm9he6foKTobYfdPwEUgQm5 +fxZRlYhRrvO1ex+WjuuyUh8KLU84+ZwpcCl8M0QlYH8edw4D35tK50bGioz6lQegxZtm4TtI/d6b +2EwU76XjaQ4Te0k75jKwG+Vi069HIXfPk9Ovlu71JfYKY/otond5JaPwWop8pn6RpygE1dVZ/QrF +tdmr3+S8ZFS/BNd6hrQaQOJWk/rVYepT4OXXdaekFX4D3MG3jaKQDtW8Ffg19/umXIJcg9hRefx9 +ZbX+9u8r1QKofdvItuGcd7D/vqN6XDTI2P2+40bLKu4Lz1vbV/b7tjr5npgUwZ8Df98NMBUlre/L +fEe1v4CUYoIvt7WvwXiH2V/78g/AjrWv838dfrhkBYoihogbCSZpgthNPaiF9y3WrtOWSBq3r26H +GHnRCN4DuKGFz8qdlBqr7RdXKx4h4WusG75XrsOFqBuofGlW9IrowMfA8XAvcKif4Ug5tbkKgV5F +9SH01EG2zODC1dgKwdUbofSAm54Q6X+bMmAj+y2dqKr2PYlnY/K5MN52WJ1SB3OYc+ZAOC2qwCkO +F0XrQkWkyTnJL1XEoJcAm4oYf/gI7dr6jQRca0qhBZdAVG5PR6qbllD6hJ0NZ0AuQ+eDhNB2qcZb +BgdcioiP329aArxoSg71cKaINbT/qUYjZfGmazBFhJrEUHezYhWx34BjKCAuT0XEfJhbunBR9w+D +a/0EoMAZka2D0kJbNFuQj7OVTseMGB9khSAyB484/R2uzBizI4+4Gehxg+569Q2P6I4iSjD3RUGD +WNOXJGqNv2S5XxI9MyL0WhuyqMaPTBtAFp0bR6LCOxi034wWPqENPzgRtiNIoBolIfApELjj0MGH +Yif2as84e3zTEPNaO6j2yL+pviykZAGxml7wTuRNdXfj0gxqiaVCCjERSAQ25GH0qyagI8qtLSYu +1AcI6DtQrmNPrT5BRjY2T29XU3Y792IkfDlHjFbOboIId6bUhKhEXysq6WC/xHwA9aSXMWNGw1qU +gETKUiWJAJIVSjJyPcPkDsw8Nd/4CvD6xszuTUn2kAbqrtJmV/RIZiXi2JIWED9s6F3s1XQERGWR +u53BeqGN4rX3To7C0ZWcd/E+k7KEnwq+yqnVTL2iOsyZ8yAWrceuJ+VMb6B3mb31LoCMGqpo2atF 
+amII2UqHB3g4oE0h+iNFDlJxL9tSrd0XK4dfw9aiqPK0GCSfiZK7woEyE1VqOmQUOpxMwk4qyBPJ +VCaKr5npXJCJVstkpGMeTz9xruSl09GTJxYMJwrgD8WF2ExhudOpSO+gTrdVMtETqpkBLL+suIg4 +NrZltC12+v1Hyd9KYY95sRVM6QwAuvkSRQWammuuWkkpBKeoThlpqIDhdi1TYM659ZdcwQuitLij +WNAOQGYu5W4q9gm6EMdUY3xD3Koo7hc3i957AhItX4BXJYBUE54JSQEqMjhQjMZyw/3TsVCRW+qD +UecBugQnOc3qXw6LwR82rYqs5ai78BU2BjEXCUxrb4/GS/B8+AiYX/PzLd4bxXTYrCcF6gX4pHHO +0uZZpY2P1Mjjk8dw7dgYf4vlYKBAAzgNjZj0i7adKZggrYVllBWTGqqBUtOSXF65uCCx5ComXQJa +o5s3Tc/8rLRr4s2M6NQgjUthg3IXLAlP6lGINCoQZF6SIVVMkOw+PiEA00ldZncYwJnUVQ9PJCOY +swkTJGDHK4/NSSSLo5mJc6drekThVVJdiKSwSnrQiIv/M7RWDMhwd5aJEqmSRutOHQOwloTj9K+k +4LswEKj9Ps8b0Nn5bKS5EGkG5smI8tjzxdO/yWTSPaqoYnR11knvBNVELk/12ftpZoxsH9sSYkr7 +9yQEKy3EsPhVhaErHSsIlE9TyZ0wbgFI5oWI2w6/K6Xt/vSQgpiEPUPTW1rxKzoCT+3soE2EGefM +0p9gslhWLGOL3XLAXuW5W2kKZxRXCGTyIFQh3GpW0QsjNs0JY9hB2iCRICOudpJ+EhjN8aoXk822 +1w46ynQbQEg6jQxjy9J8/sU/aTjBS01UdiG44hbW7dA63y4OhAXltOim1aNcCTuVbVJl6NQGFAV1 +o/St6S5+Ct2k3n3Tl13ENDDhfBB/KN21j3hEshx3MqbRfnBQdyJxqTlNhsJdmKYl6JRZKHgfpEmh +Kj3HpxKZt+PcQ1JzzkY7oA6OQNL4vG3imkWH7u3ASFDKMojcBnoa5jsJMraLKxYkTS0DEwFYtSKr +9sNFyp+pw3OCCIrmsgCVNDI4SWoEw2E/Yfn2ngPlpTn6QIRfkHhDhbAVrjNgorVpX8TnlCbPzXXO +LFHowFKylEKkHWP4CBe6kPt/wNR838ChWXSMheH3sv1CCsVOlikhYGRXizMINaWmGnsEoGcqlgVy +TRxFuxsAJj2V5S+Cm2jVJ55ebrL9llGocD5GRaL6fUHWuP31DRT8iY7PDTpOviYYXA== + + + Pvg6+dlCt/DbRZ4dOMWD4/rLVUOcaW41xsrnMdrWvS5zK7Vp5EF1FufiTXWRZsKC3xOG34C0xdbu +Z7cLfbeoYCluMThbwR/D/cpIttT/q6O+0QrUJT0QH6XC9v/1hFoReBvq5NV3u2aKBc4TV9ojr79H +8g9rqRzVcwPy/dcUDyjCUjWsQ8fMQcTR6B+W5e4pOtK0Ldbl6n/gdP8u2987KViMFqjSaFPZMyYm +kd5YKos6C7etWMXVSZlJqhXs3LgTs+REmCUhzM0xdeS8qtlAh2LlTEwAcmUxMxAP6XnZfDjUpGWw +avYoKyE+Jn9SkuSluQQswEzp7gxBqS0jw5lkkQqJaF3E+7GbH/3cEZ05VL8xQzMIshlrt4LruxjR +I7ZyVc0eLAGKmMnQGCQyOKHAQNylA3p0CCoFks1w3AQMwMIy/2MSCRdNX4kcPJ+etgsuH76NQpCX +1q+MQNCWryrA58NZHfzr7EZS9FvEZPS+swHpnJ3vJMocfq/4DSM0iej1Zv1u7c7jWu2jyIMV7McD +7+CqXJW7cpEyDbvV6DTYp7ulktuem8yxVw2kSXFEHh4ST7+h5iSuzaub5EpDvTxMMVcr26hKFMe1 
+nVfgTW2VmR6cBq7IWx2hF332+CZnalsDL8x25KJiT/ZshpDIBAyCv8a2WYbcR+yZEaxH2IgT4gkw +phR4d74A9F7l8dphuXrpgiBbVoZr6WZ9swV+YZFJa/m4iqksGF2V3GBtwum5K+hQanBa7ZTok6uA +A1QCqjaxs16hAq4mx0yt90uqScFWpTcXtSElyQkFWZCsPXXZjVfwBH8X3cZp4xG71ATlGRJSTJt3 +kK+WIA6ojVWX4KK0SSCEixOrYiwv6aMn2/qojY4DemwXUZ+ovBOJVHeDH3rDKmVa6AQ2Vx5EYod+ +dyDxByf+56X4tfBzXxfbBQD0QtzRA/aJh+EB5MGbX2dHLh1fSEeS33gHU45kCUyiVe7kNa13UcoF +qWhlK/3QEkPdVmrQkVaAydDUFxCWaGaadq4RqhwZtJL8kFyRowqhLUzVjuHm565rxXFXb3fwiifK +qwe90uhZOXK519KNOsW9Yo/SgiEi7jrqDzqmyegQoQZwjOZeUL4pfh/AKppJlE2wOEG+xMkMLBKW +7r10XO7ATzjQvmFnAWL5/knsfk+f1WKXMhBC/v2kEz5HSr2+jsWJBiwS+V2FQvaGgCeYr9iXnD+q +/91GVu2JYg0uhBgDbp597HoL7SwX4Nhu2CuTcMHqPSP6x1DZDLslRKE78yT6TJJfJansyxcfi1T2 ++n7hVFH04evB1FTWsughy71eNWuJwbrpCxzHh4WNbnAUKhyNLEsD8Exlv3UL4/++koRpK4hsFMZI +tQuY+hD6txMtYdo6YqDAh3vx7QVlty4R7ArKVgUyWp/tZWg5dXrtFD4WhBzQlHtIHQPG1UL1JKG+ +GTSD4dYOZ/SgFrQa2INz+JidkrnUzxLOxjHbDbdg/pXb+QylopQFAdqgieCJZgNQYTxdMgDisYL9 +fSpd/PSzZ0vX4+LHtBHkuCW0gQrSmOYtncya5mqk+zKLWKtZe5pZEGQ4raTiaJmSWxXUnu1nmnoy +0Vxq10xrwMIutbDBcPUO0SCFfsoBEVwtkpzCyayV17e2g9/2oGL1q+ABKGUxyOf78oPUQtOrLwbk +wRkzcZK/HRbBmxko7w1nTL4TQqYegEpjt+Dirk+6n/oMUS43n/o6BLaTTrjeefl2zdSF/nmBLauW +wMKovEk30OYX+lciRsWCZwW7NoycgmSI3QK2wgHACRZgK0V35QJXhdoB2xADVzv7Uc72ln20PKhM +GuVhGXmdoSgWz7rg/9w2WAI3z9GuvWhH2OvV29VynFVmt7bWBkWOU6sm7z6eqIz5buix4qp6sLRa +4rgQhQVKoVu1Wnr9Jp1aq+2YuqFVUqFtYHVoqI1K/Z0slVYLFDACmmKr1abAvtnvl/bETNuRipQa +jz6uftucSLuccA4U1RbWsVZHtYn7HAo/dPrFC9NqO6vjPmPtPaqeJv63O9ZOp8dZ5cZaB9z4pXwr +tBvPloaihhprC2Br/bq+2u7jfFM0oQs0FDpba55RUW2ZzTNoZWJi8+ibzA4g9eUlVE6Jv+V+WojW +Fct0qL0gWbs61VgNr23sVmuOSenW70vaSVJAyoCvA5dcV3CmjQTfapfSnlFMaHnhVtulIzVdg0yW +4lJp6IBUmz1vSUm1QQeoqPHLieHPKdVqhEf9ajH6/izTRaqHxivSdFVy2lp9A6EMhV2iPCCItuzq +sTYc5AwgEMyLHSYKYC0nzP1jVwg5C+SwIQm/f9OaDgprYVx+0/xq9fPZ/r7a0XB6d/PI/S0QtXKR +War2k0YcsvKpDVUrUdJU7Y2sY0Kg26lajrr+q5g+1/epKphaAda2VbWNX//ONYPtcj3Sdp3ee7Uz +OGZ9bXm95x57QFISHx7OQQ2HXy2/jUOIJlEuX21nNtilXnB8KV+tRUudsnDaV4vAh710PYdXvqW+ 
+2itZrhJJ5ABXrZByXl3+LrZMXJmMNyXIhFMbqYG7gvOpdGqPEBpKyN26IikCtGrD+9ZqjZkUtZ0c +g7xUx1aVVp+da8f3RETU+dy2aiND0JUxk5aCVftfaEEkLfP81VYJ5OhfrSouYsl0JX61Mktcv+yL +DukcHNhBaD7pq+0T1y1AR7M/AavDXjhsPyBNMX/eo5o5TSzwxH2ipk3CdEpNDadLeO64gv+vK8aa +tHd0LKDTW7xZWTNmrQmyC3EXrmVzzV7u/aFHm9dUszUxcm6l72sejqSIyF+zcU5TFK859uIW6GvC +6Tcd7L6mSdSs1cZ19tdETGjOa1Z6IuMdEp8YCaPXPHRk0WGR1+zKLQRWrymVODSv11TbylUGbGqm +lZitVrEZbWspPjZpB9VqXVuhILRcbDLqUYzP3hCbJW0uQXpiQi4YSnQqNVVDXpIGhZ6a5ftid7Pu +jNONskUsIpefuGCF1Xrb/swE5/m2wVtmZiXKhZwviNJ8u4stMOZbphqTXjdG32rwfFH1LYuqHXsi +05RR33KVxBTSv60A95LO/REoPAU7EOmWkCe5yFx7B8uZgesbE0uVVsZk4AqFsk3x9TbmBm6R1atZ +DVxW25zZNT5UfAOXk0dADFzisGAmFUJxZuBKeLsdTgN3qADJxwK3cXvzYoHr0mfMfmtKEmlDwgvc +veHndHu6wFU0X6uxwAUKHnMqJ3B7QVpQP4FrShktFARu4JUAKPdbijKrPTRiApdJnNHG/bb2FM7y +t9/GXBbfTTD7AWOa5cYasF/tFQT1ARBdxKETfF0JVWBuIy/D4arASxj1vV7JX94Lh5pqb5YmHLIJ +c1Aq4azYjWOGt2OXBr0VQTic3sisc/AMCIelBJwQvbf+w+FYgb6Jn9+tVTdctHwCUShJNwyW143d +DQ+oqnNDLViwbNgeKMkSyolnQ5c6M3VVUpQNdWPTBSwbgjrO4t3QIx2rj7vh863HZ0MjPtz04w37 +qhuqPv9w+I6EFMscjmgOQ1QLeskcNkBuh/vNHCKG0B4sc6hQXhIMc5iDArQ3aGE+c6jNgFgHmcOs +hpaxp6QXZA5bB6SZModlnR0qEXI1OWWHVdChMsla/4DB+fPhjIAk91o55o5RcLBDBRo/LAvLYWsP +0cFonnFoJ7jwuN2D3NRMX9FXbP446P9RUgsl8or8934fa6BWy6WwsuS3FguF6lhHKBtskPSGSuJ4 +PL1ATZPc2jmMBYYXlU7zeMq0R6mVAU9oNmEzwE0XwC9iO8ZqOaQhG57laX6P/VaujcaArzn8CyuI +FKK6UImlKmVheQJ2IJvUYRoYmgzSpxMAFD3f968ABRfQdxrUUZIQ2qdwqkGJXwHLhQI2O0ZY6r4W +XLAtAa1zmdqWkBCVFDKpbkQokGg7vnwgeZ4BKC634PhGiRDSg7twI/baLgOKhI9AqW7bKiKlHvGp +whTeCLEsXF/0iEq6Trv71M4s0x/LAyqIYF3MtkdyeugkOxkNscIe8DxHXue3m/kccM4UsPZuUi94 +07io1PNcfCrr4toN+mOCQt8Yb9EnjnJCxTzjDqJcaVZ2HZd/I6KWcpvJTiIA5OsU1ylvjgOap6P3 +idMnxiEpMTHHW2ab8iSyYg3f5cYuyUKlbLZ+T7hlPG3hLP+Qxx9MnYrF3UlK1Ld17z2Q3Hvx5EmN +jfYvqVE/TO5svS+L9KRngn2ycG0pQ2qDzC3d1vnLZkgo0a4+ZYDkXXOg3SCcUMZkoifwe8V9baLr +ihNfz7/NGzFM7nS1TKF/LvzziCMsVEQcGc5oTRl72ZoslyJRwhwPKm6X1eSz6fVwKlue95dxQcAK +gEuyrrTrhNR+DqfFHgf+hY3id9A6gBc9cuGvhh3YJrzdSsBuh1cvARMV8E0z5H7ZCuTdeSVgA+iB 
+ksOJ33HrKJhFYr1YXHoPI0j+ww1akdZ5SAuSsKCFL9x8IBSsd320auRWMGzMhFSrvAyTCa15RuLP +kAkcYloYE8Uyw8cBGznreQjbrk31q7i/KH4rJMlC0kg12N/enSYc4xq+8fTMjl+AWiPJRZ6GuB0A +OECV+MJ5KVE8pfe2BKOzOhTlScikm2HpIJbmqFu96xpvafvLdyVcZhCEJkraVpmRzj1w+66cQb0J +FtRVMjGIWxTk/3PdM0T+4upOPtOj43Oo+IKnhFLQFFeBeMoiI/3FffQUpQfftjrh2GAAxrBuDCIu +q68eZHME8AEkeb5dK3SGHrqsmY+A6pb03yu1oKmftOhR7cLDzB8mu5GQXtqg6b/vg3vVn1u97/VW +18cCK90whqZruRdXIR7NaQ8TJMdj1G5KtkCfUEV8tTN2w3Vh6smJ3yQT5lHN8jIKpVb/B0FDeqx6 +WFbEPTwnNtyLxdi+xeIkv7XkzFXTMWL3kdnFv+GHC42OhfYIHzhe8UhLX/3DShXhW1wbAdqcKmpe +n4V1X5csSv6C39Xxf5G2SzAL9P1Ok70JlhnJj4fOVwam7MtnUST/Ifrm5JvEZPNskdGxAlEaAF+7 +9UQIzg9/f7DXGKBRSe5pqP5Wy8Z3ao1GaI/sz0742D/Kkc/yV6mGRuat/GAFPLXTmI7Kn/b9WZsB +vZHE4oODdMMHL6YqZ2Dt81rtZgq0wnJIT3j3q7Al9MiHXkzlmPNn0k0yg/1siBYfNXkAsGYIfXKw +VvvTA2k+/yMmBtQDrih0bX7/V+hwWv8BvW3XAzXKRepIrMgX+5D2tKy3TXBX9BguZzedQeIvhcUM +Z+zAil1eQSMBD1SP1LAqd5ryCr+0JkB1BdoSIaNMQKDWfbAFo/9HBswU1yo+vKWXXSxneLjyJFEv +FaG6cgXqzWpULpMGKfKFu7DcvXozBLyTEOtxiHZRtfH+9LB3FQFwYAjusq88Tb3qvsetIyHcwLCT +nStBiq9jlafqKO6YrfIkz7fL80Vj2ds2kS76U8iP1go0UA7Azp/xSNPsFe8r0wnN9A== + + + fzW8RMAWbP7vwgoL8PsNMqBHa6keJD8YlsVSVjz7IvPIxTRBjfQUiMho4RJElKYlnGVZOWAbSzCh +MYVrCQdX8fm4Vdu+SjBNdNQ4wKnWLipo8DH9cuAxOCoPKCnUgQBwzwsB3d/7Ql65R070buenSNPN +Lr/5+/xSkG0dRYUpz1TcXATx+YkfcU9yvJ2Q35I2GqlG9VYLa916yDUTn5nezbCrGwv0On8W7HBC +KYtNdUajwYvVnZskC1YjsvUZ6EjmaulV2xiXOBlQvotoO/lteg/YFsBeer/mKm39B3zilI9gfomL +0jWfpcaeEOap8TRa9szEX3E0lhAbUXEkecMNs7mxRSd8hIksFbQJhbMRuI1AvPanZ32/si9NkNdy +7t0hHRuaB05wnHx31djkiJ0jogUydAMnw6lyqomwNwwXrVwd8Xb7WHRiG8yQisTX7hNKzqi5Q1M0 +RdsgSVDWTJ+KzkFZ9hHqfca+6x5SKAy0cijA1yNqBEyXLRMm8mzNKQtalCV+KJ/tKiqStAdWJwmh +DlQIzkFgpP5lGOIHysEnApHT7EBAoUm1Z7jelqIPoX9Jeje9UUcQpQL/eK0VQdc+FRwyUe+EemFh +5z7fZfz2FOOad8CD1XM+MzrNLGaJOH/I97TSkqu1gCI4VreYJvijGSfGitekRS+4H3mZWhqWyMCt +3JKAbzGltHeJfQIruLqTSUL75NbZXUVS3hdPVOQ1AjSvLi0Ia5/06QNlSV23I+UD0os3TovDODRC +LyYRYRhiKGRlgUGQ907RLQ1ea+KiirhlEbWFENkeMPbfSTb0/jsXX0gN4Ch8AuJF+yMILe2XcTFI 
+4SuKR4AhoYZVoF97JLcAKdQHcP1sy4aBifMrZ61TtPfTJVisM1+xOr/47s2iQOb6uBZu9Zzpg0qU +fDDCRzN4NJnNNrd3q2STPTSIoVUd82WOIe3nSQT8vNV3vN0ANAuLYcLJdrtFOhYrqFV/uH4wyACM +IseYpzlTdb2M6vvzW+9SeEOsI3mT1G8D5IzKH7DtAWWGqqlGRKc6NfWyuZueuWusbCHPLlvWUNbf +7dTU6N3KXSZnXkscwZo01cfY/W0wXt7PvLhEfroQiHpqaafuaa0aCZMb84sHMjkvAwLrtoE0tQPn +k3A18jt5kUMQUJIVqlviXDJ4XNCMYJpxy01Ikm/lAFNqefG1HMJua2bSrRjA/CXkdDUKMWivxrcU +4Ndiwc//qqv5JRwWdqxpU4dJui35FgGfPvdhbcaEGRxTsOaQJtqwK0YRBbrMadPoPigOJufEu3pU +H27Ods69oXLW+Rc2JUTcmIT6MfnXRS4zI+uksfOC+KxiCxZgjVxp3KYmKKvCmXQ/JMkm5EVy5JOh +Dr+SC1gZLPyLylgwLtL4IIklr8l0dwCVoWAdFqzvV1yJA5e1FjgbGJjs2pNB+hr+Wa1J58o9wttr +jX/v2eydduauBbo+mVDu6+lOwP9cW5FX89W02QSyCA3Sv8nMkRFL2sHMDivFzAD4uexXJEHWk5jG +ynyiW8vYGMoFXjCov9NUalo9ObKcwqnk6GPFOzqwa4NU1wDuzafDYDvXmpsLK6oGsRkJDil6JPC7 +kQUi1zc5U3Ss/wObqr9UyWbpnHZCzLwvg0XoOJV0vZ9Rva1vmDY/j+L84aZlhiEF4AvpZvulIFHI +Mz3rDjlFY+FG8Y2KE/kSC7CkRtYgsniDC/ynMjIvqxKU+B3qOMvFAnwHVDRYNIrcWcKDMGlOu2xC +JJYy/QGjEGQSbVJVO5UIBj7yQ73GlF/UgFoTUklUGVw34RZVvryeOsVVJf+8CsxPfk+UU0j3ejr4 +GU+8OREu9fkt4ddOv09Q89MpF52FdQep9/CIMCn8PzO/mR5Aza/Mb0pVpkND0NWGIqN6CQl9fRAe +qnlv9PQazJFJ9L3o6J2LEZsnQPpy6oUdBe3WV8wRFw/YLwIcFMjPsnV/4ZPSy0BGXYmcsMreXgOh +mEglGeZbjdxsC+IHKNaOkUxCXHJ8SlIT7PV2ZmN18N2qdwdmEOQ2Bo0Zo288uSBulFCYcuDGu9v3 +AvFBDpRkhFwPxxI71hvOScKIId8mzynZC6GJQMxLZPFXW5jyH0tAKiFUTi7JaCGSR/oKgqxo2Ycy +6xhFoDFU2XgBfS2GpDXG3faUTqzm1Vnaglhas2FkqDDTXh/T94D5Sv3Fi2DBStWCCXDXTtWF+T76 +ev5Q2Kk+lvc3jzcCMfQHKcMvG3y9f4OdqjZWXs7Iuj4tl+Z3D5oKQIYCWjAJj5BTEuaYe4ZKixLR +bGwueAYm67+LV4lLXdkE0uagFykh089EIocOEI9kwyXu2AzIXWrfdndnMxsdZ90Sv6w0gc8kKewH +EwT06QjXrVitFfOq3BaIqpNbOfjRhrkowDaIGgc1lOskUGXZAkIz4sLldHYyvDfnQOCQADfc4HCZ +YkPjcBfMNpumUfFgDn3Aw+A5V7rXH3c6Vu1fxjvuT5StugfaSGfJ08KFRLENb8n01H9Y/c7OGxMm ++4AEJDro9EdhSrMrQqoDdZQ2PplIrekacB2F7B4WtC5F1PnfzGX2bgpKBYvPARr2B2o1gmgrBlOz +W/DYEhcEftUQS4SG69tLeAmVoVlRhiifeJTtRhIHGp1OrVcdkKRC/MOPGXMxtaDQ5PIW3aG9iM3T +zoNhyLw41hCQ0g9otYGuF5nkvkPeis+Yi4I5WvRN97uiaDO5rjgsdX+vvmOTYlPeI9QlFg2gXDHZ 
+apPYOezrplz9NOF+sE4CFO/ao5iZMBA9h+Xvxm0NAFGCIzZ9VV4USB+THtKrkK0JTUjrKCIv43sA +A4RmCg3MPTYlhQx0Jq4b2uNRwki1teq1eZnvFlJ0SlywsUThb2gAgQ79lQSbV2LonikbQSEX65v1 +rSPPLOKHud4Si7wmTVeFPSWOmDIZ1aH8QCEZw1e7hxUvKjeXleuJjQ2TDPm2n2ek4W0VJjoKwo3B +8vahSUHyDz/VRm/5P8BhAPTn8Pl1KlwJlm6BGT6sEz7ypHnql4mw3B4YIxXO/GcnGNDcikicCpnm +cQlKxQwIRoVoFryuyiu7weuQUwa1y2FEiY2D8P/4/0lC1+e+RaPx6cdf3ZPAzBgZxKWuzVRpPo43 +ao+XenyDXCY9RRHbyHd6MbBbU3Kjbe9ljIGU+tibRs6a3bk76P1XQiRoj7MKGauH3Mx3elybAJBL +7T+aSAo9cpvOuGhDR1Vu8uDw170ZLceYNy2oKjquGVL+E6yEjneViYCasK7/DmpT3ee3U45S4peJ +ptA2awLlwFbGvao9SE5BJOpWc1EVM/07v6KHe5xYRbP+wc/T5jCLm8Pt7TJlbjgEdmt1XxqEa6Rm +rIZgVN/UvaqxpdcVN7x309J4bsa5NwcfAgVJKGdtxG0jAjmsxU03CsdgsCm4dNI5JDQ/YB5wk4Z5 +JX303klWIE080viJYXs54OrsK26G+md0YEUAIQgBzfJD9NnOWP7BmfFHefCiXb2Mx7aVul5blHIK +B0a97GqBrdtRNPAfmac40X0OdECitPpRKbvLSgBTaUupICcu/MmuNe5s7GR7OWR4Mm5V0hn/OyPm +3uL4R29RSQPef1zZ/+u/wn+CoD6oVHHpgQIOrNjZSkPMr0E8kvRNhB5U1lynKxXv14TW+6O0syrb +bhiIZYXGPHrQbIs42sBcrOxHqPuKvHeT2EmcejW3JcIavBa3MRPmNBhQ25pX8jdkUK95EHf4tIk2 +pu3fB7ZBwYpN/EaWOf8AvstKifvVXSh6UC0eCZSYMoHnPkjaiGC9rnVroCDdnfxj3JAjXT13is6V +LDlT7jwAJWgwoO3D8tYuIUsz6rnRWW01cdA8xoRO6OpD2tZGF97hQfDRWzx2IBJd5FCujsV/tP4j +F/4NqMqL2SDf+zntlxOP053Dzh0dwt62JQowLKDB9bZdO8DM0ZWrXhq1ZcyJmOwrqMO3U//odxb4 +YYLoy+KjpPgquKzqFi0uzNUdLjO1vtqgC2zPz9Uy1fL0sTGVb+gx7LM+oStpqCyL+8FdHPTDVKMH +3IXlrbmL9hlKt2lMb9Nz2y4Ml0dKBTH2W5uaUZu2ey9Rzh2hjDU6ryOB3OS8xE0EuWyuUF6mRiL4 +/2G8HO/qN0uS9zOlz0Iz3ip4+9C8y6PlYKDFf2T65CXjDOe0IcHExUL1HAiLrwRmRVm7XJ56CwtB +WLKbglA0fF8fiBrKgrh54vgZ67aC7Jhf16RMxEAOYTH4X1bOivI9Qr5f48+Qud1QGZXf0C311tp8 +VvNcNhlEK95lHdWdBLzhlmr7DkQxKaP13PgCIRC7a3HP77vxFXs9dydG/ixIlnlbc6+7Ig/5juxi +8jXeof2j4dApZ0pvkrsCjV6vdUqobka3b/25RlYXMnbPgm0XmrEunHrnnrgulFcTmva3UhfEVsjS +Oe95Fr9Kn++lrQwJ6qJvng9A9XR+2OG95UssnetuDM8BK1eW5Yq2+vbeVttHa6T323TOpq6iH9/T +3Z7YEYG/2eS2M4GK3rqVzKvaRU4f7Dpu7zw6NSTSTXRX7IcNnqAmv4UKxBPu3jbHeG0d9h/f2yHH +Ns+fR5ESfDhz5Pd5ed6V6H5TWHK9JK2T36gqHi9FcPluWVH7Dp+B4rO+DZLshGCLF6NyLge0PIxo 
+YUA3Or/7UX6vPi877dnWF8L+1ZXcsDSfwH6F7CgIfBiWekHF26t8xshI4FfIfCKF/1XlZWr+GVjt +26iSnwZ3Xz96JnCM4zCwgpvEm9wSPMj0+UKVqeqp3F5+lYhVYnNzuzyHgSg9XTU84Mga/n+gOevE +HFvnLkxwSDTYImHXUPo65//fq1XhgxgA9WI4xLkQLLjrb5Xg5Wes0iduAguguCVCxPpXFctnJ0cY +Rn/EXNi3cBy+SeP/jHTTfn4AbGBv+dhxu6GfyyIBfEBkwlimOGdKubTqbKwtpOxed+H3gvR/Um6z +yV66D5vc9JfBEJlGpxVXm1PGTNggSBB0+TnzsZah42UigV6UbikowzccmPkNP0NR3pPEhe2LmfM1 +cRCQsVqYijZAA/UfRTXdFaMC8hZTBSgFSUeBODJHwPpN1kY8EZUYdg8gZPXVCQhQ7FWxoYNqrqSP +Sj0Q5VcBrUt9mFYotyxdPTLZlWrife0v9ZxVlAQkQu5QFJaBlqN7Y0uJ8vasFtZ0sTo65CrA25Bb +j/aBqN0suJyCMAow1e+o+quqZyiQ5siq08CZYFPtzFmdqbhfG4gBmjhMSiCJQF4A7ftSoT8X4ABD +5WWIxSSs2owVPhiq7jX77igZwRHhqzmq6EEm9UKdxTGirVKKeir4EEAEjpv408hEzmfXQ5/V99ht +OZTCY+WuqUBPl3zck+4GwTNIzjzHVkfYe9XT1K0X3ktS9mQC38TnGfX5ExxM0DG6WnS85ROQ2AkJ +0/F+5ESzEOqGEJVjfIlI7/KXTc3sSopbWUGVZOW55LYqi/Rxyf4tSTZdjOS+I5tcHQ== + + + lXwLgm0AMU0KThlpUDWmbG0ntMjHgrj48x07S7op3xgxjIP7umfzBLESOGJUysxjAB9Q3ZBcvSoB +PB2MozL3yyfN3O+E8/wH3TK4EGVwkrWJ7udwIi3R3iet6pma0Gq2epZV93ZDTXK1bLfvc5HKf/x/ +naQWdEh4aiWcSVaqagq1WmGpV9g7WxhH9p3Esws6YAyqcga9IEND+Eoka7mPKxA7SjmS0oW0QN9z +HKjAt1CCPuwKW7jlBNeNMKHnzYHVg+cKNkOOyO2NLUqlSAzxniulFz4FVFJ9+ye7UAqV+g3wQ0JO +fNdFZe2EyGYjK5Ayin2eI1yzdfTFJlIjfyh3JvaAbqdy9q3jrVc37ajOO/qca3447Cf6fl2+1KLt +u1Wl/f2Nrt+/mdUhXnpxp+A0QbAE8FhPo0Cf6kxzZqvlD3fJEsWajyjyZf2SAc+/TjDcyJY9sK3s +R9RyccB3mL9WLk3vUrPanz/nTlXnxlW9JXqReEVb1TE09jOj4FdfY1/kLuLlYHbKm45eP8QaKrqt +P4ii3fflAKFqO01roYz8jw4QFrhYPyqebLHHnDXA+KVUv7IxqtZ9TVxZ+RTKdqiFW5DS3slfs5h6 +yFMMQrw3JRp9zxaeA3v06dPjhKVLb/El5yHXvrjOjWD9WT4GFwbsCngAHgB/IOwwwECi1WDouEOW +asfHPoH//uT65kx24bogAyFTXIyGy1WWUuwucDyWOA0onH5VBs07iTwAydoaPF6Ys6A1Cz7flD3z +sHSPl6o049Qz/vJPyK5YoK4+WVkeuH1PEFaihDwWhUbAIMR6wi4QKxZqSEqv/6ch+Hd40xhM9vT9 +D9j7JVoSdOWaVQMU2u8jl4wvkHaHttEE7awI7fHmLTrR9dzxKZcznTzTZ6Zt22ZLJBZTBHUsWfGy +PjrS4g4TidH9OQq9798mD0iCx0Dmru8pXfV9mTYT8pCLFIP/XFw50FChxazDzueFNfcLWO/pGPSf +9zixDHoNUY8Mxw5G0Pveb0BJtNWpSGd25j8kFq/pPScbTKYHfS0kQs1um57S03l4THo7nZ7u6Uea 
+UEjAN/VIgjgQ48VBp0tGOXU2hWe3GY7tVtjQ5HmcKEmyjpk19PKHmTkUVUFS0N323NT2fEZAln06 +do75tlBysnZ3PIXRATXnS785wlpVVK2f5rcgcPNKdZw5zXbYcJ6Uc9Y8ScrcCinxqeObVleajTzH ++AudRo1x1CdgpxMmHpHM90i0JeOV557yUQHTDI3A4Z5pfPKKFkp/CpUcl5ekmeQNzpVCNEMAiCBc +Q50ygKmIkU3EVBjI82/In92ykfeQyF8q2pLnd2AadtgCgrZbLpmwnV+vGoyM7TIohg87q/L6JKIS +7SulqswIpWCxwSos9dJs1yCPBOJTvkJpo6XPAaEoUNTRThq0SxiyVxLoEMJ8SI07asEiBubFRHEt +wbHslYBiB5mos+t6ZD/+ewuQHZjttextb3gn70Yq+nqnPHez8f1vbMhtxnv25KXiGDV665Dz1rzY +nsEyaw4YOoTDdkT+p/gCVQRdMKjRhSunYPc7VpKCpk/ng6XpprB2w8uPcT5Du37M3BsqdUll4Zt1 +z9KO0K7oI6Cl/gteqW523hazd4KeZrN7n27vvQ1/NBICNq9Hwy+bGO1K6A/ArwgRdBSf4uNqqf9j +DU2Wq98yAnMUrWTbTmaBK9aRn2OBMV9OMAtWrehxosu5WQdgW07+aY8KHDTzIIpH1H11x0xIh8u+ +IxnEr9YF97iu9jgr0N0BnbYrqd4106BDeIWGjtc4AT2k63xAPnPWu1poaDkVT6BpRXV2eaeTSSQR +lUjyiCxgXVVSuBhEqgZYAVrqbsKrV5q5RkH/G1JfffRItzs5mEGRDJuHvhbmNtcq1uSNLvQMNdcT +ri61rdQwC4iJ3yHZqjLy2BKQ4ewHWmCPR91kBFrh6z13e5zRtoEbVPeg00vr9sHZzylUuXUqaOr6 +W8wRhJv9lPsXkd7mtG7mRiBnp1OBtg6QAybPTZlXdMe2kRuZyQmh64PjIP2XIAz5R7G98L4TNKK2 +4BK1YZUTYhD5Z9WCWk79hjS7hxwIgO3Ht+76Chbmg0jhDyB0URQ4Rtz9tMHBXXIufoZJHc3YgrBV +xLhASF1uRWAlhOzCKK1NOBVF0YZsEKLgvOYdzRoqbwmqk7lC8MG7UDTmIgnnQUjMwgZJ3RsZ3dP1 +ubeqNvcWYGP3JGWyxAzsKFSWnyjzEoQy2o+yRPcN5HKy6LYzWc7mBhYdA1KI1QItp59QlG8pp4+1 +KJ+OwA0BVCOl2gOoKRvhzSSzlvbk0oVbk4lmbdSTD2AFhXZcikC3A/PoIcF0uYBKDYR4t8DU5SE8 +JLZMPQCLJUx0AzChh4ZRiGjicK3pRwG5EwYBAIIRKhJqIop4anwqGLbESCaY2RmxLoPAkkEwJZdI +KD8OiBhPVHgD1GTEhJ0Fr/81EO3AFACwrDnlZ3PB8tHxoAnQ7BD2niaH4Pi5kmxydRrlVPKnnSAH +flBiHHebY2QMOO4+QFPImprB45amMpByVkWfq1HELcU0XGYy2Gjnykum/5vesWTu5P2bXRbHse8Q +XNdE2hnP1vyXQb2e/fSXiX7uqUpgJtJFYW2GqvUSG1BKv8RT65U2UbJlAF48ohSadI1CwO0q4NVh +7MOPl5GYkwfx6aeAcz7HaGh1ZS4rYBmJ5CIxLgcD4cfKvcac77q6IBytwcTR8CoKrwhK5itMJ5Zc +JLH0nV+LZ+3jabj81J+aKrDjGa/ozufn2QMXf2z9usMilgFe/BSSX3DaWBILBmLcVYRwa8E2TneV +lPspRBnD2gskbDl9oIyHrlC/ceuiDpD1ANZ7JVvQ+JeJnlEg4YG0xZqo0J+N8veu122KjzXirRZW +puB+YWWTz4GCL7PbCEZMQoLECMwnPx/EZ9YRiaL0gCNhjV3oL7hXIAXDwNEKeAmpZ6dL4ArqbjMQ 
+jjndZheRF9TDaJ4a6tx/pvlcLxOePCvxaWVbXWvqnZRR7Nz4Z71ldjINRWev+ej/QJF7zDB2EP1k +Htn4q6GhTI4PJ8ExjjLJpZ7HJRXqW05jrp/B0eUE5QeG424hGv4x5n/sqHHF21YK0r2l5BPOV/hx +r+D14y7A5LVEnhxEKU5xN9Dr3BjaBCt4fzi04BY51er9TDVxttR4FNNG6l+s2QujtcS6CcyqNtBZ +Navh2IWJnZkGRlhpFdLavrLW0kqjWrWuYjReFCe1ffiL1qo8A3lnHQlU7Kqz+PqzWG9/m1MkWnJR +NBerEknMMWc7sFQcJKHkMIormho/INg2CXa5KNjsJlICJGZYhArZC1iD5T/s2wPQYN9oRF4e4L4J +kD4Sob9Pgy/FQ9aJEB/iYQKtKA8iJJlZ1WvoJc3uxwwSZlWp3BAjNgsGSI4BoM261JLcraSzGckm +fl8gYaaREN4ht3LDM8jaiu2N3oOPhXyoBSZLArXm3hhZPjVDzIqv3bJjzGyU412Kublmu5y3Ax45 +SKAwvW9rd6EMsCsTrivD1SWTUcaN0ZJy42aLdUDFLe1WxSbu4o+bDbmtoS5ntmVJhAuEYxnKTWap +3Gus8wE1Q68ycnsYQPImyl9yYwiLK3E/l4SsmApPKVKetx0I6hyo55ZHAnY/4C1ybzrKQOcG8TZL +vNG/x8BavGQJ491/Gm/wgFmyrAyGskbDJelmzACi58FCkzxlZZDpmuFjWT52Fgzcd0GR05ZNeKKz +A1YmsX5A6TIJNRc/S2SqySxqSVARGDQRyxd52wJI6V4SC0qt8AAnksKGSb3Ltlr2F4mTFIdSQp96 +JrRSyKNmw1LOZlQ6GaDnqm2SFToL17Gcedgj+l3t5KO79nzC3Uq3Kg/lKl7f7ORg1aWXOUMGlJSk +FUdJshkfI+tmCzeVK1JxZ9jKx1s7WFcPeE0nXjIxhjE7tK+7pTPa9cKVFhtKz6oeAjWMDbUQgIKy +2lDfZ5qle/lVRA9+a9jn1Pk4AElgWibfug4ycDAYYTuyI2l6FRRTk42kSDbBEgCl35w97IEuofVq +fJis6z+CvaTcIlqj15m69lGLsedvHF1P21vRnNRhYm3+GupvwY8+evbNL9yfPRqRzftGazt+eaXA +v6x/phPx4T0GXx17SLncNBcwr4TaG1A+8YFWCyJtVKjA6WCaWhYZ9x2RKlEi7cDhYlHkMUR0NIBP +DDoniNLAINPy56+LQOqHLHQ8eLEpeeUVww4l5o2MmWH4NjGuhijFC350FhT6i/PvHxBErGxFo+9v +7S5z3U3dODkDhzEQd3/gbr63W+bGHDaeTNRY3Muu2fD5wzKWD2EtvffO+0J5f7nB4uF9991PRf3p +Or1C2n2NANka3Wmoqq/gxP2+gkC3uu5ap4ISjBmr+Hv6+LrZvEuVwSzFVU+oBq5a2QKi0LAs5csw +JTFHsFEEm2+/V8rEhwEFgntmfFDfGwcGxL0lN/URj/1eagU9FLrJL7B1gY1bB/rABfrzVoGehVTi +VSoE4UvFoHooFWU8tnd+glak3XYF6yqp8xMMNyC/jTXgTsWxLJgQaZY95uewcj4efAV0BUGrXrjz +dDQXRf6EpShyi0ANUaLa1bNoTIqy1aHrS9xuk9gTiwH5OMqgHYtxX7LcIUx31vCu0u4ux9iH7hyI +/e5veRcm0SZZfZ5xUDS8yLbyTigBD2IWlvJuUETXMHgcJC0sGpR95jZBb2iD3hyHxYXCxdMbuunR +0DDNmb9bcAucXwSfrNCR3kZ4v4s//sFgxuj24cPyyWqAFMRIPtCtpB/ZvdgpWylZX8QMEXyuXZKI +9tyQFTrsc3UGuMQD9CIgH6N+c841dGdA2ipSHynpNA4AfOtcO9dtaHMY37AhKgi2x79Z+LbuvlpQ 
+OCs2WHN9E6YdCWqZMCBTox2o70T0h0LddFl0WvXXfrEpuab/LUsfVFbZVj1zq4iCktadNaWBpvyZ +qcr4b+qeY8mlHrglxQINBa6tmk3+mUYpQUjU24hrLi31JFr0GirDuaFh+LpeioumtOVx4RaDKjfN +RrRGTwRV/K0ItawKIDiYUQAaJQSyIl8G/u2meLH62EalJ8inOz6qlu9i8AEupFlCnpUfTP0b2p2J +d18nSOrNV6MHHo7/wyRc5ACDXsLDPVyeX26NA2NDA1B9rgJsvoo+c4APIBzXkQl9xgRGlWD4JdAg +SmNeCwxrSKDR0LjWZxxbCCxuxkVzYrBOjEEBpifKPxAJnyhVZ+jlQ8DcBHCSvgYnEI/4hN5AeLyE +dAl3wI9Jb14w4o88KdX6oI22S+Heewrd0rKVkolWh6X5+bYYWDrnM6beBetF/OMBVCulWVRS3pfm +o8rfAB8boKoX1nOGHAdvG2Yp+tKOghYy1ikKByp6GeM8xRi/jrHPLFbZGMerHmrFntVnUjCN6U0N +DApOOERFpfavsDhr7NQ1LFecq16O5GpVIX54xc8qEakNMYW9jJ1WkDpM329cePPsSw== + + + QXsGwJ8i5DRPdp2aTtMYIhd0IQVCs1T+AZvyg1iv5nmiC6xbTyeqzQgELyF86yomTyYce2WeEl2a +NsE05uouKmLgZCP2HntWJBQEQDxqBZW0PU74DSx84HVmRwxguwehq/kecCZ53mFYxJVlAJS5K1ah +wQ3rJoXK2cghdb5+gJ30Lbf053b23jJipPzjwOaUXObrfPufI6onUL0c626HOASadR8vYAn2al3k +JupuWpFmza1/bbaH3i6vOxYcEtCT7qSzj4B0evvdDkZsEAaJhGl8u3oz37QHA0UPcc7tYaWHabh9 +qCjzbwfWZOOLyaOSXSjkNCM7gMQ8LxZixiFHHDt/eU68/lxHWlYw4lFar6V1zEDlOW1E06z/eDUS +xP8i/+MpUJv/A3AbAW4ReRvo6CRkdSAJk2aIZHovZlHOTkO/S4uG+iG5HZ+GYum41vMyRB+HsuEn +OfpWQ1ZLykORJ9qTBM8CRdJri0eCSdc88S7qq9aklZ+YrOyl9yi5zEAJertn8CiKtFY9rhZUcwmO +hYHcc8siRQHR13sgTi5e6RfgkGYo6SYk/cYmZyXmROwYXSeKvBZ5bmklrOiS5U8yHDqbyxQv7NNP +qaD5pI1lon9PnAY3yIJT0QygULYpx/d04d/+25Md59xEgzzcCR20T9ZLKFtRBcI4wwqYQfwKsMgH +EWfFiN2dF42oQh1LPw+wRykFjxaP98ZujblUJCzCIYr0CF081fdgObeotkyH7b8ePpeqkXskHCw3 +M7rtOTYKn92migCnZgkBki5Cx9JFUz+UkqN/zH8mEwPmDWQQ9mbGJKkylEyepiToiEjWEHUJxp9H +bZgf3dRwlDnsrAX1v4TMQv08KVzc5i0WXMlw2WvILTjq8uTWNOD8BbmTZyaGW4Pyer04CnaiChap +KdVofwEpUKobqX5EIfou9C7xtL51kF4QH9wZBfhZGcOTC1ixPwZVY6XWviwILfes6yvonhgdnIfe +b7qRXUFYgJYZum5H6WvsKo8hMcNRLs8UrZiB8p3SWfu4cvGWZ8CRHNgBaHgG7biwnZE6B19E9SBl +K4uXYsaiZbAwS5COMjGNiabFNIUAgQFKsfeCkrELmfT0kg3eDlkBItTYgKhiicX0W2PEQ4iIj1xS +jKFZfGzYkgzUEfhuHvcg/lijazWdOlpVvjPlBY/ag6NfPgbopq0ybcG0geUtrRRqr04LgjEyLd7S +HsSGcQ2P5N5Od3K1J65QbQ7WRq9jlpZRHIxZFxt+1CuOWShkpnaChu9mrJ83Dmz03bgj5epnaSOQ 
+0jY0e0OxAUgxB6ZTkrzDUApKdRNytWdgKAUShX4ZB9b73lPfPKIwG1XacDTZNoGEmxb5QSGK3JLw +yW2GGflvnMh7U34FwaRgoY8tYEFR+Ds/gA698wPdFWidSQWeAt3P3BoJvM8bxQiuhBHkMoLSCKoR +nDPnmQt6BFGxUfWh1Re2wR5408NqZWE/16tp5POXraq4VeL+8OcqSF3lv6toZfRY9VX8u161YUVA +CowaPl8wVt5XUfCFn4AFAMISkxg2I5SqN+X6PkDLyWpSc1vKSZoE/JDb8/EqyLws5tV6C95k6b4B +hTVpQO2ImbLiYxnN+gbgaxjHsaXRBoU5YPyhvdCyc+ZDcXiNeT5h/k7aiyXAphn5daf/Q5iYY9e0 +r/sGMRvd7D6SaeYFSzBiUbjQr5E+OrFNVHkEC7x282fBKzpzdYz0o+X9YQwj4FdAKemZIbBlSoAy +T9D/v24HLStFm4xrEy7gk8+Vm6ahREz1vYdzoQMqo5iowB3tErftybepmmwOSsYsJ458P0H1yR0+ +lbI53HVk6qtFl10ZtUeq0yuQ3V2VdZWsuT70VgPfEj/m/8u12BjWKMkK8dyMMXjIQ/h4yvwRYjFT +/WBiPMCLwXmfMbKapHyThHBS+MRO3T7J8DMzy8M5UTp0mNjcjBYLC57q6lQNIGP80wiEsxIu28Ko +iLhMWVFVCaXSQ0H0HRT5HI3CLpZ2JCz8yakeT7Q3suRtci+eSvEBZYXkKm8pMhlSLAhPfs6nS4oo +9oIok+a/XsX+xjXfPBZyXw3g1xH4oHxvhPqrTDwCJX6DPV2CBipxJRosEyHLyWPshA2crENSdoiY +ohFXCK9QYJXaLDgFcmWhdBSVK+mi3KWk7iQj0CCEpmmc6C9Q/w9cqago+E81zRC2FrvQcAGEg0uK +K0CWGiGusQwEcVYCcjIIAxm29T2UnI58Fe+576CDSLy+iQH88A8RkH5Ajtd7cDH8Rd80f/8HTdXC +a10n6Bh02af7ohxAE6L+2IZg/Z6ckRRXBtWGyILjgKE+X9bPvmG/g1keNZG7Q/ntHtHUDk7ZlgYz +2pHAv+HVERonCdARQ+WItHVABw8EAFHjnU8MntXOuuNzb0jCBR+a3yMjRjrXkiow74p7urNHstij +BjQUOHKEfUAb2bVKHRABbjuPtc9rXAyJ9wPQMGwTpSGd7pHlITdPTJfxQFSw/8HGI5oOPglDpDmH +4UOGaGxdLglASK+INwiBPBCZQ+KID8pF4byKm48wAhKylK33IAYhYT4NFEJSONCY3aewHxiEYYra +S9nxTfZbY9L243HKlrRs9Btmy5u8d5xZxnMQJ6C5TqB4mgUowPshxyAA5hOEGEPxcuARWH6U3o1L +MhztPhEWNNyAZjmdP636+8xX8bxdUAhJtqEapAHF53+LQNJe4JHxOEJwtxbyrhxGBvQtVMOt7J/H +fQmSWiX9FtzHV0oeRLJPy+wS9PChHQ5y+JDxgUI91Mf0rXRSIcNlLacKfHDNqBkaJg5Zd+8vRg/j +9MAQHwL48fZr+rz6G/jHRK3JBQj9ZvL54+2NH7VUoYLsE0beGx+sAGgV2HEFgFvUup0R7EtrAVup +6AVmA1AwtSRg5gSRpylYjZTX/Gkzj21uuHGrmwG8eanZ6tybYOKbgx286ehmnw4RGC9GIxwF1s/4 +uza/h5Yv030Jl2cD7sBYPsJYLh4kCiwS5EZIaI9yfijkT9Cnk6iVix6K0YOBLQAcv0lwAbduyGvg +IMRQyNmgk4t8OBwPi00m5EDk5JH9hSpP8SIQkcSCJDXaJSJdL1skhmmJXfABwNZvHexh9BES8Sg2 +ir+v+KzhoRX7foVlsIdhHm039k5JHFzacc+S2xkJKDjHULpl6i5yur3VYbNvmxFOnQm8pRAhxQJB 
+6jYMBsgzxwtd6qf73TczKQn+AQI4HiQDZGSv4cSnRuemEgZXVIGKXtQhaHhljVkqW468xGquvNKZ +PiW0xmr5Z3KDhnEtCp0uD6djq5YOFqEF0z2vZTHSCpPmVUsLDBqaJ0Vi/BsCsTA7Z6RhPWJBL3vo +butdWLH7QZ3gU+bWClQFX2Qav/0JA6izSbU1+UBNZ9Dk3UykZfKFTMs8i2FTBBZOr7y6YulLFHV4 +Wpa04gVqGerbVFTSlwJADMt0hnfZ5Pe+p4Kjju+ZpqQpARlNVREwmqdExn8ixJS9x5mdNiOM7Tya +2DZmxvgyMnUIyrFlubgYv/cU3DpWN7hCDBcbMacdZh/m+F4mfyRz1cf8xdIWNw4ChRhLBL01auGz +AnBi8PWNmqBcSvsIZ1HZGM0YbsEKmIFpGjHDdhgAulyIZUubLmz5DgWjJK9qrWUSqsjHjYyTtnd8 +N6s9Yjkk9SQrfrQt30NnX/KxP3xoVT6Srw+vvI/XqKhx+rGsAHL/kF6iMEm0e0TN7WaBaha8lFhk +lhmYRbB2J88+gbdPZu6DDHdfV5LaWpSHS/Ho+jwJpbzl20sxihkgO58Qyy4UM60Q7wwC1WGqnb+f +Zxd5sbrAcVlgBm1iRleGq8LofVC8WCMOFKNxLOpVBTFITWVYOcAsoXmH6wAtQ9ne7AIiwPfqrzMq +OzMNfHiA3ocGYMAANBXZ9RfLvn+/+E/S+vhYHHuEFpWO3Y3sU8mv1+aCt6L1DcagZm07e7cgI1YA +tx8iHrh7TDmtfzzs3RUCdx50WBCHNkmINsS9xYuOPxaTY4JCcCe2ECblNny4fOxk5lTTYV/Jq0U1 +qdRdNkr0ikKSJ9EX9ibg0L2t4nE4DrKdpTv0KahZbqlVxFxpzrecGxoJ4xElmIZd45yVAy3OhUmx +AMYPsILgACz1V8LY0hgDOCFnPi8T4n7/FyNapgLPQUSkKj9KMeC/E7USFNiCZPXTeCgI+yhEdf2x +O7dNPp0TUCilb+JlF4X9mw6aFPTbVTFx3rdEfI2EV31zyLe3ALOIIquSbyIS35/9kEeXrw1LJAqm +HuvI2AQVMcJEdwlaAUPpkIgT7+Wm8EJ3jAnQeUoxSocn90mCIS7uJMjZQuHZy+NVgCbWhaY8dPlY +Kb+vh8j8kpaW3lho1iP5MPmu9mFU0OFhO/ZjIvgPSHUFnHq+y1EF8H50oXbzw1HHlMARkA69Bj9t +LcEM81OGOvZkiCMSkEhmjXUHsJABDJn/qyMke6AwIyh6AiU5QHH9yZkNSH0S1/HBiYNwP3ew1GJT +RCJyUOyRimoXx8Bq6dWnbWd+LS2Sk5BeHlIwke4XwsKR9XE+mKuSNH5OgG6SxXjNqwyN/u0v5raY +l0atubsftdjgcZ0MszsiwP6VC4DBZV84sFplKakJgTZ/WfFmA1UUE4lNHUr9wRwIlHmv0G/eU0Wu +5q91RxYsk7mLFaUIgVzk4uVJkDxCOKj/CCYqoER26i6Olei7zDCRcGjAB9j6g8QWESTAoN8Bpx0o +HgRiGyRZtVYeBIK52dCuiVUvQO007eNnyoDsGYgZOIM2rwdZXrA98EUflv9hlJtJr2hGV3wbYhAQ +yxW2oreC5Q0v+O1ChOwyzrpoRF2kpQt26SA6F8VctL0cqWYOI83xmn3PlXVScj8nZKoU7LvCHxzT +SSbOx7EAQBoOfHCfDBL16RGBXwx8tzosYsFnz50j+PvWp+jACu7Vm1ibB7ciXMRab9M6NRQYnphf +5hIs2XSdPyrnbe8mJD/lQQaaasaMGlmdeMiHfx4rwm8fIPwowTeuCvv7ZLYz5vdjOn48+gHGhS2/ +EhxYmL6K0YNvElB/GD8vmAeByh89SfrwFn2+h0f5iahLN0l4NiaMyKaJG50cVO+BxYRUcPI7IFwF 
+Uyalvn2w88ycCCg4oCK/vA/+TdxEMdTjdT5GJGaTvuXcUbTbrKyOW851gstoulwEeBn70wPgXAtn +UOOMQcgZtJxRirdGPzn85IcFMOqeEGWpgT+Ifim1nYI4+KSCX7LVtAJwXgEOsaBm3FLk1ii3UHNL +fW41WenRnZnuk9Ut6WJjyj7F2WXYC3in1OsqFW+l+LAUTEv9uJaa0e8kbsuUhi8DBON4XzHSS2ym +7K1PvGjdvo2UfluCUn4FFc6vSFz6XcovaayH45db+L3+VNM1xaR9ID9BVKSFsnxFprOocOkpmMKW +QoFlTKIcIy8J4RNePMGUTthXhJBOOVGEWZUJsc9Iy+f6C65I3zU65zr8pTgnWZvvUQ== + + + tN4aDsexHYWPXiJosJV0Ldmmg15pLiw8aiHiWCilHqrNiISXKb9WdeC6cJiiGCZbCVz69nSh3NWF +TrWHY1RWxYQqA1JhOBH4mGw3lCb1bLEpZ4B5PNINVCkDmU9rKMx2mukUFPuwlfrA5OjDSgYS16Sd +c9+Mairnt5RYhxRuYBp90OrlvFUYdjupyPRgBuMOKWY9ArPbPBDw1Zv0Phb+oni5u96WTFlBASt3 +7eqY3fNqdlfOmCLORj2RyepcKVCIwv7Eq4Uc8IwT/vGGLmmqvcP87wyBX91GoDAZy3Ln1uUdah0w +ldpmpwc3MNV0CVHDtpdt90fE0nTYcchtPRvEMEXnQIJWawCoIFr9giVQG1xDDjiBzH6Okx59PfYl +uHo1PK+piJJzYNdEZvAWV30KAjO9GFvLwoIErRPrZ8g+0lj1YdUYi/TqEgjMWxU6p4AiOsQVGb8D +fAi2PnfOwKYsqqkE6cknego+T//O0715MjNP7S9PJfJUejyJ78aTQ3jya5IIk9SVJQkkSdCQJLaR +hEUS+8xrBpUUQjretXsg/++e4+pazecngsyU2oDpFjZt2SX0cGpNf0NDkIF5wcfiMRAyWBGDdMQW +JVVxPI4Ax8ul2rdaneIMd08wLqN5Hb9shmT1UTDIQyL3mUbCwjBVHsTERIopYkxOg6O8OFJEjvzM +kXzoaJeo3jVOniagooMUJdDkovBXBCoiCBJVENxmRg+wtIPLkjVswBk1UC0DdRhI8QWqVGAKKtb3 +BAfX5QjCFwEWBDBUNwCJmCsfy1EviHqNQRn7jWm7eR5VMJRuKLl/QRx45A3XXJi1Zg+P6vEbuEk9 +2O8DWuY0CIpiaCsOIUBIJZBWHJvRHxcntZxVIPwdH0a1vHi/J6o64PpmrBlIgIvzGHgDTi5A6gzI +8L0PGeecCDVVObzQdSQ0Sdx3qBcypdGYSQ4N0eDthWSGE44iGVJxjFZcNlZenVgYc/QYg6w1pzju +hLInWAXEhYcM345C6jFTA0cinlNAyu3PfRJiBRsSFyjRi1pWs1RPvBK8jbV5BbiY5SYwrUFzPtLD +68z4CbI+Xf8jKM6K4FVY7oigMGC4MXSoFTIFeSOZzndHwcIr8bMQPCzNdv3NeD/0nIJyWV03WE5o +YrKs1ucKshWHmaaTe1Ja0cxmDAfxk455z53EtwBJvmMalvJKZIRbj2xcTkcFb8pm7wBXSDu4Mqi5 +YEUJFp2nUX2PasZa0z6j8EPhjruCpUyCty3LSUQ4MtqOAeTMHy5duNEP2Z9O2gha1/oycB8nxNi5 +kLHMMrkuADZRmOiD/6xfoKSmVMYbV507kk0jNuN9J+N6vYlhCugT/6gSWUcjQSqe0no4La7XRSYn +F2Hy7bf0LN8ul0ZliVm5tBSjNARmTsnyHBgN/8VfZR9thfYA1Nqj2BgDXfr/vQ7oZIKpNIs6hHAx +CVNVYi6+N3KDnOSoiTOZr5obhG5v41LkkCB4TpCdfRP9paN7wxIzviDyBhl7EJt9Gsns/DfgvZJt 
+K0zfSViHHFVA8d5zV0aJWWXksctzz1BohD4ruQXp2SYZB7OL94CyClt75NR9z8qdedSEoOCNk3de +zDOY2bXGhBGwI8LH1/yqiQxEK3fitREBAoiz76yKNyVzROYY4vQKZMfjxiYC9YSth2ISsd2GoWVl +B15JHIwSKar4WDspVtJDLivhHWuVkoY7TMMyWdYFcf/lTIFL2jByWG798wrRj5BqzAQmYzGylqPW +8bopAYyu9uRckTqGL3V44yRIfBXFH58owH2KjKsv02sPGLs9V+xaSbOQaF/GQhBgbJVQlHO15eET +YE1Ku+UczJShso01mPQoC4Xz029M3dWVgpHOKjO81ixEcJUl//KQMSSZojeqkpXeGlKxkarD9Hij +5XfrnwV6hI1YajZdISI7Uy6yYqp0V0D1UpVd2tgi1nGGiRmYhyX+nQIsueCqPfm/f/EBTJa0lpAa +eT7OZbtA8MB+KyvK+oX2aZ2KeccKUf1Wa+nKoRTPFCOfGV8ZpO4ACKtd8teVcrBo6nILQSO0oMGO +mjIIRdw+YzHlqF/rKXEbv7NvUhdiRGyZEC09RwBurCsVekmjRS9OQqHXrIXeydOXXnRkBA6ehHMI +IRB3QeFGa9P7HaFtVLzsC67UpSlJmVKSSiQinQIAKgDAA0cIOgjWCA5BQ2+zF82j1RGiTGrCaTjs +Yt+cr/ESpsbz17RC0cgnPBb+Fi7u8cjnaVWlxv5QyNe1hoZK0sb5IaJW3Io5Yqq19I8kijW5cGKZ +HXhaHlJWm1RIyfqV8m1WtSpx1QzxM47E+KuOK+YyFxrrpTjHJEM3daQaR8jYdgSR0YpXKKyRNhNj +Gy4SbkXjOKQkTvBnhg2JHdR0P2g2Ximug15yGkdF0Q42F5oDcgXFfKsZTZL5sBJCJvNtooyoyHjB +GNPMYipiTlnOWIm85oTxGGkalLGoI/Mr5pMdvK2IEvWP+XjlmYpVzT+5UEWYGGXyl8RpOiFO5dWM +12xGVL/2neZVgaY6NFkn3H8pODg35QkTl0R1HBXIM/1GQtUtVF4He0xcRvVQUUXBwbnOEOXkmlpI +xUT4/3xERIIzY0ZML1MxorZ+RqrIPChJOEVVUfwVe2UPqzmo/WzHubBqDqi6qvLM+YSDVGZsVjPP +q1JhnoOhZVpufErCVTXzoKZscjlEWkOeg9JLcY6nonKFxMwQuZhMnbpGZU4xFUJoI0ken4OJhijO +wdgkUqpsF/Wx+bBmB4VfQhUmXxjzlrBCNeGqlJjsmRJehhdU4xHaVEU15RnapfAcsOGiTeXez0GR +XlvKF1+lWirIHKOgqPZ/jTC0d+DaTITS5fOF35DoDo4dUkES0Wemimi/V13w/fdUEXGTDX3EiY0w +r6JPnG6ccaqw/FNVEm4sPntq1fhU7anGVw6JScR3Lhj4kN/00nbP0IIAAOAD+9AOnXDFuBu7hZAt +NjV0IBWmuEjByCgnkTCezrjCInwgJpqHVxLqJbQ9iJODCZFczvCLJMSKJN8cnlKNRBmpSuYVUrnJ +kLKm06SBQcqFhnhvKrPO9GE6zV9JJYoecpqQHmRFGRNyBxx5xWt02orkIlZCPlMKnSlIxguLkNpX +EnKhKjlGSAInpCAnEt3BWhKijSLkY5+jUh+6iWO0GirLVnGh8Urc+LjTOItyx1jkpUY4R/NSVjVi +kqBIpUYSti4v2YSaO4JGVEQyLMt+JUyNQhqKUEiRbmqsVuFVxhJrsOaomkPvcI+oC/E+8XkVL0/Q +G6rPYnWnRtPi5JU7Y7ydKopESaBXHXwjCpFNbhly/CCvOvDnPpB8ZJ9O0cFH+AqZikMWTEQhinem +YiYhXnUw3MLkTw2FzKe1GamGUQ05oB+O8UQzoT1NIipkHWkznNA85PUbphMxN3txhLj6JsNJhXJV 
+wSqGbw3fhOQU1PdiWahslwlZY0ges1NOG0lMSc1oMSeZCZVVQhaTucjkETEkI2mSz0gdKd5m6Qgn +0p1UrnrfCNxGkUfnTYWsKwWNa+3xqVVwJ6SbaDlukQlCE6G74kUbxefV1aJ4/Qin0WmKr1Kj1dW4 +uK69pNV4iCOsqkYRZlp3SRsa9D3BCEqcvtBP6hMp3xGMeEwe+E1kYg1yoYnTSEM9iZc3mfDoUWIW +nyeriVe/vdFX4nsuphiiJeyCGlk6p0+YT3mm8XK5FQ4v/y+32GnYCz5MXcDWw8sJI9K8SOyYWjBx +fgnjtHXCLsTbMB6vCK+AEao2gTWywozPxTTEBzppHFW55gWaJA9bihyDENmSRqJNZYUSL6XLLEoQ +U8hRL3tKAhVrVRkiVh2mlPO3/ZFqZuamIS1CtrA2YxpWlsNtpIM8gdqxZeNAYmnX7EDliFRRGpvE +KeLOEpv4CCZWIpwY9oohdvnFCLGleGBTTcIQuaHtkrZ0FlyWuGUIYpjlQQVJySeHpEY4OdoQOZg8 +mKmsaFk7Stmc7CJnWnbJeQWPwYl7MwPH0zgNJFesKltGse+OtoP6IOTp8XaNr2+5bbknOPEgX0IO +hTdHDReSybeHUzWTm8wNhSEV5Hu1gcHw6A5hfNp7QilycPCA/sqnYqJc+viuecME6y6WabXcROfY +QpUwoQilvierIEGbjdhp8R1ehAUPOqQ9xLBGu1ZWKaRdJzG09EiQXSUTpJQg0dzdHTikZVIJFXY1 +wcFiq3bHsPKwkfqWTVLuirhjRkLHx2uaUDLie8FAwYPerVIYoal2kCHrFPRHsnC3NHHTavEn6FXR +lB8i6DuKI1T0LcGIfZ6RmY5EfB6R/N5X6sQ3p1BPIr7bEhPlbf4vXkvYZ1Bt4nQK01pDwaiKOxZD +infGEDUv2lpVfDKK02LBtA8/jpckwmgVEeEEdrQGTci3TWgXQVEjp9w7n6jw0NOWAl8ljNguY09O +vGvsbT2w5vMqf0z3VN7ZLGb5L7dIBZIVyedm+EymE2+KtVmo3cT4fq4VlWd2ODfN4Z+LkF4Ncv6Z +j8shmxO9QT4URKc5+drUWObFilCuKYxj775ANfP6NV9RhJqxVeerH/ZpcT5DDvWZn4pz13ChPsTp +PEQeem/OqAkSOyiR4sxZd6BYxWYqNrMM558FjTKP/iFk01PEobGQBsco8xI7hGy+PGQLJSuWKcis +Yh6ZNya9v2rI5fQVWVby4OqgvGItVynvJ8EbaRFzrlM2qiCSzyEhNkWhZuxLJbPLSRFhXMX3L5Am +UhYR6Q4mFDRyMR/KuZxcWg3DtS/qhOIOTOMHdZRTmHYKucwa1lF6iVI3KfFsaNrkFHsYrhjyyhfY +xcVkGNq6TmeVl5bQrV4sCpbRPtycDAmLcST4E6xy/hEhBidGX33mUvHAWCvEjDOSc8PWkyDcREa+ +36G4yktGoZtMmJl8MneUBJHJ/FG8OeRicpiOGM6Ja2YyrtQKt839wzmugmgN2SgedoWoPWSfog3N +56VECNe8r6nnx2keNQu3zBtBoY938yoxTIzm8pmvxGFcJsaEVjjVn4US335BSChElQJkCHVnx4wH +vV3Q5t40ikUkBm3zaWPjE0XVXjMJ52Ix7xL3GEOHKBkVEXHeKpMgxbZMQ4pibItUJktHCg7akc2l +pnNVuOgVLMrBHjNUofM6kMv7EkciJfM6oKiaQj2wlLwg9yk4eEhRhSc6QfEIlUwPSB40FpEMl47H +cVPByziCOKypjyjCxiPyIlMyIX7CS4kEEuKL0hNjYtvYEpTVUlL9lCe2Kp7kC3t/KNRSoWGwFwtr ++hJxjPtfpPig1PngBBlSDbXkdXBqueLMECGOH1rFqEKZPyLDT4ydh02hrBNq0VDCF3NXENYb99ce 
+Y/r4xQkay9VBFgfzK/9BDantP+Rs7Ufn8VKDRB6ndegu9yALlT6iqYqX4hUsUZxWEZr5tIo0IUpW +0yhPuPg9K00ZVfuqO4tYsj57adMQHm8X6lpiUBSdawVrWlvmT7SobWSiLGzHKdbQ5Q== + + + ZDGPSNI5eCMYl/nD691FyrDOqnSDKNyJNCV0Vw76X4S+ygXzqY+i4bxKUuQyglypYJf9NPsZaw3v +81OXqJJAns0M5yOKQJ9LcEBKm4q8WiOlL9hN8sWi8XgliVXlI5lwMTYjdFD8JkyJrNNegdg0PKh9 +hsYmGgUSu6HZQWYMW9csHjlVtlacA5HKy+MH1nDcHi9wwWs9maSzeKo85+qQMKsOy8IQhxwl+WJZ +khlesWJCTRpzbJa2VOPUOH2bBytG0EQ4EpLPU2wJzabfVGwirAeaVS5VCbTdUnLkXG/KqVaiJcxM +PJuY+lTFUFiJVE3ih82GFTqiWBRotsona7l0K+fm016FW4u1kUnx5o5Mxo1Zkei8WtkwGwXP6NvW +2mxf5pLODi6XbWJzTLishGZkT0xlDiGZTGWWeawqf4WMoexgaKQxlM0ptnjIAc0dI9KIc6Gas8ZA +HkrN67A/r/qJRXOSerhLpHPPMNA7/tBK4YaIHVyo5pmrtpewtcYCKzyez50XUYjpruqlP0TqPEtH +NiWXeawOaE7kgtxDdahYP5bNDmi1KPGsZhOX2qyxM4Kdl8RCf8B6/XnNKLhEJqU5i7HptpjKprGD +Fc1q7tiDRGEVsc+YTs+8IPmE+SaUGNXB9+7r2mK/ksWD1D8Z2RSdSjUT3Fr8m9CB7KfuvZj1TYh7 +ubcHZVrRXrQytXQ3U7URUdT3Bc0XMyKhNp9XDYOdae5xP4fgHHzaGrMloikG39HsIUSBaDZ2Di6z +kDHOGdmQfZfxnRB/uBl9RppUs/liUqGSNDaM0YQsTA81GOVgj/gUM46N0qqPhxGogZ/NVTSvZaaY +Gntq6pkixic8FRVWMzPN5zXlGR363MXYOeOYyWa+yoyc3AuZy+q0rKMjhoQxyksz4StxcGVpN/IM +kp55mWJsIiKNxqhFCksblUBbSa0VTkrvCP/Tl8njQmHcLN9QXtulShSKGso3mzNakWsul64fS5CZ +BQEAQAlaz5S8ppwnL06CcK5pVT6SzzyvpBE1t9CDPa4K9TRq7BnRPD7lzqfBsE95fiHPW+OhR15b +KdQTNPPpzD1SgWJ2+dRZlOSUKZLKu1XRX3LOWrd08ypeXtUKlpiUM3IYDVG8qCol8nM0QiGTQ6aN +efwNi9weCSfDccpEIFGQPO5S3LShKfqcpFbhoJaqPm6JUzlFSV0UEuPNyiKN6qPkoKZmVJIvgiQW +ojLTNyjim9Wnpi9zdsCTbm8oKIruKN2IpXTVGEbjjTu0LHF7PckkpMj3qfk5IcqlorwSVDZ9TqNU +T6T4aPcdkkNV+VjxloXoUX9w5V3S+utwlIRZttBYaNG4XaF86CXhQNTTbsniTJSuFt13vlLtKaOG +hlMmRquPmpuUIxyKFOS++rksEMn6aoyopyraq8gmnvxOQSUhwqAXrU5BVv75HbKDb2ZH7ga/3f0n +iEU4nY3eHUNTehOjZaOPvo/y0FI7YkqM+LaSKwdbSmOh4MvPECXmSVZ0zH8TTQJ9JXupCXYawSCp +IiOGvlsNLi71RU9EitiLXi0uNKYg57I+XmoeMd8BuW6myLcEeyFKrIJukgclIu514oo+r3QgD8eP +xS5jMYvdG0qVo1lBu4cVCgoh2hzz8fUXw5wqO+6LsfGAMgrzJW9ozNw0dFA5EpcoGhl5IOxwJcrE +45nDUixqiYgYs0i1tIns4LIs47yEvCVGeWSRmiTNdJExEmzZwUnptNlDfoQ9LTWulyS9PMhubndS 
+fExuGQ/KVHpCanaVXo6Mg+yNEzPfkRxSxJgR6bk6ghVD/fTSeoMbGGUTEUOPitBD3NAKWaR9KNyT +iOnyEfoqHcWMQimkd7IoGRpbFBO5WChYdM5cylR6lMR8NJRhqaZO6B+xWBrsxUKzdwm5PCW7pbwx +zKV1bX1ZuLJ/CanGM6q6DOB5jIs+LBZxEhEo7lFwMN68VRNkrgOhYFiqXJqHxqmLJRre0RRv1P4z +ztiKSJIVF9MC0STq+NBGoqWH08qKG4+Pw9TKQXHXGPOiBtNKhrPD0Dplxkhhx+duiCXkrrGbVjAq +aOQR8s4rKSV3z7DqZvD2S4pSDrzN+unluCRDrzeFn29IJDHyGOVDr457rNVKqEjkMcpQzRpqJGnU +TWOQFjKo9S2UYAzZUQ6ZitIV5a4EhQ+n0uClCxx+vIX7hq0ES6Ohh1okqnF8RtnGS+uoz06s2B8k +XhQsyH7FjFTPTcqjkWpJhZ4xByOJDxeyMKbL0s5pFBCtbL4yNIF2UXBAwRFFBAW2yFy/x4XMXSpz +6uOaepDbu2IYzfm/W+dDwu7DGc8U9/0zr2vnNFK0c6YhOq7Fay/nJVzXIenIPbyGdzg7zT+PB7Mh +k6WSOD3koWw0IrZ9mSr8jqdMTgVVXazDfHBF66oFOcgtUUscRKIjx2WmSnO4/CPoRSJLxFvnUHUq +XXFR5mfCSrqoYp4okXjWcxGPaqNqNeMqKgtF2S6qimEU1VCUR4RSUqYaVaaCE2TR8ETxmG/NSPmB ++GK2yIQDCA+I7YqXkUOQvGZ70GpJbXXKUXkQ24O5qMock8Pr5zOny1SjHDULIyH1FlWg7FIO9lH3 +dI5UqmI+wqQt+fVgFdoWRalahX0oC2+KclJpROMai32it7zOZWvnKo32csmvexvXTQe0Vm3VGRQU +XS3BmZEZizEapz1kPiNDD6YqCXp1LRWRBFVdpqhS+REMkaBWhTiCVe6rEfeMUAiJ4IFD4u8nqynO +f5pKcuYlYqsk5OSMVBexhSZMqkLv50GXqFYeQ1E5KEVCbtbMhqRKeFsoNTfHJDGJ9PJGdkpj1Z8k +alMnVKkSKqeqrXivEamCQkqTt3Bbdsm2iGURoW6Ka2sZskw8eSF7UimyLLxdI70LuWV0SW1VXW4X +q/KZEFLZJNdvYbcsIW7BIU5JjBsjzaUg1UShjkTUhinp+ljUqKLSeiEhS12qPZXqCNWeklt7SlLm +rfCR0tQdUjI1qtMHvV2f1+zVYmWZNfxEZUsdQlLDeJFQyBP+g9YMN3LH5dfkmS6o1cWlOaRWc5Gm +FYNotDiNLKm5TnbMoJqD+B/8U6I7z1iX8OmpCilWZUS70zVou1H1ZRVInDpLWBMiP5AJJ9LIcD54 +LXeYD42BEfXKxpHbX5AwuCOfwTUk9dFMZOQQJWmVReRzRtZY5PG06jOlevifbUT7blfQocbqzvoL +FgZ9BvlBwZJ0mcTtj6Z0yLg/0vnx8f6lg0UfiW+mdxSyyiOka8nJSU2dJhEc8vLBqIan0mF8wIm5 +JsSpu2UYwgdF/HnXEVwHDKKYhakOZGc4SB3MZvjVkS7h2xM5qKBodTvF7jkCueRTOqhQlNwelqN8 +iLhcZU6rfLIIpQOKmsr9EJNFVTRC8k8gHZg8DDqgGMdKkEUTZQdjZg7ljz2qmkB0MNF5O6hiiHlA +rJiwxWuwDypKXKagCWMe1MUQPuBIoguth9Oi+orWXEBbWKqiPhgRVZzDNcgcCHkVOSiK/VMkd/Lh +hFyoNEGcBJED131wUZD/Tedg6jNSl+0VRA65KBrIhhmyigLZmFdR4MgPIgcrTeRkk0OmTQdTIkJy +bA7oaitwBzM7qFfQyOcOXpcgF8uvOxDv7NcDm6ZG1Sl5pU2RverHXUU0OA1tQ9QBbUKo4hQpu0bC 
+owfkg1ckRNF6QDLNqi/yTHGIJM50gkaVEGHtASPISKmmj08omVA9ebSpsQvHJl8aqAcjeZn8d3yS +7CTJAq3cmkSnTNSD+axMvjy8JwqWkssQCnF9iMXgaHDRyhFezadOoCdB9rCGKHvIY6XkrWpyCbmR +JfEIiuuQH7BcopEaKsWQpOxonSqsoomfMBVtRI6Fe0KVTCMR1kYPhIrViCDChYaNH4pCSsoYHpDF +NOTRFYiGxj7I0VA7KHJFkE1pQ+zAxTYcog1DI+TFJXzRUCXkjhKKuHiMRzhbJng2/3GKhVwRLpeQ +2eCWkKc2odjgOeB8QzuY2A3tXIsbckA8oGLHJsp8i7pIgvScqFA0ZbHnICmxi3pQu/saFKH0sUc8 +DzwSZ1PJYXWGV72Z0ai2Iyj1pkSVCZ/xQD4Tcw8txHAcxilVIpjjGcki5q6pd8/UCN0UFhJTMB3U +TaRppjDU0BA9oIzrVVXCoaB5bgnLg3Ex04SOJ0J5MMVQHrQtW2EOaFHjO1g8mHMohMUTJEixUFgU +0UjVS+5JaeoJbE2EqH9g39Q7RC485xQTZPUt45oecDUUcSFa2HcQfuCNTMT7HTw4e8MOWjOukoPf +9LVhB/+FRA3jz00pnCrsYEqCv5QEmQM/wpZ5bwolQxI4jvpWPWGvSAqeFT0H4VXLwbAnwbCKevAw +7BU3B+TikHmSqXxxVgl0CY1oFi4n/KTRPfRyRC38tKJxWeI7Guosfq08p4afE6/8Ypk+GWKZ4lOX +I1YaugwZJ/Ss1tEt5GVpMaJKVWUmp7KvIFNNbKpcB7FjOysasVOuKZ0qs+4aOpFQxRktWTYrHDKx +qnaAAyEXZXSZSYQKlojvBd8Z6lZRnS1edRlXyLoQWtGHZoRYKzpLZi4nk/CXjRRXXP3bVGdFw3cz +oxPDH4gr09Ck3MjHiw6ZhCEfShWt9JJHqKrrDKkwXHx2PyRcdRKGE5FK9dHWPWfKX8srFXNLLXYj +nZIrTLA4i+MLMgSNRKruoJkF+d9MTcVM3LSq0HTiEVSs0KeyoJe0Yc249NGDGkMvryZDztoraowN +Uxz0ochEpNHqXkqN2lMpOJ66E6IhmWo8I1X/pKhfx7/L0IXtQoKCKAJJxTAJFzUVRTKX7wiSI8oy +VDejxsT43oupRLMhDSn3qqQWC+LCc5AxiGqOIcRoTyLOcc+E6Nsdl5WYSnK2f2lKuu9S2JB+iIGK +HHUHve4KvrGKVAyJ24RDmOXYDOpMvutQQk4T9Wqd5YD80AUAAxABCTTQAAZC8AENHqABECAAAQsw +gQYQ2KADHMgAgwVIhUADCWwAAg1EkAALQJCBBRtsAAMHjACDDEKgQQUWfCCDA4zAAxpUYEE7sIEG +MqiABRh4IAMJcE4SCfUxgQYiUIAGG5CgABSwIAQR0GADEhRgFhGIQQhOIAELQKBBBhtksAEGIcAA +Ahdo4AALThACDSqwAAMPZAADG2SgAQRsAAIGEOCAGDTAgg1AgMEFIsDgARZ8IIMDRGcmjjRVkU6M +M8kzj4qR9QvneJEOe4RQcGC5zJY6KFnXTVAxWrPGP1ET9F7RWc1XUAHFDLsgKqhrpIKTZWiRUTAT +ErPVQim+g/EEOiU8uTJB6/epkQ3DiXofa+8kraF3HjT610qpL1yudlo41EhEpCENoZPF8VFjdpHI +s3GMWBUl4lenMNFqdqLxkOOhoJHoHlRdjFamULweHVtVn2G1RsEQ38EWlHHqNQnLTkGJ+C5FlZNY +JKS0hnHWZGhmvA5ethPxGxVaXOGSThIpihNSZyauCpGCp1nl7IjcRJxKM7TFilNBQg== + + + RJ9TRixzZIhoERRDUna08fD81iaVkFZp6FR0KHK70PxE4dJuCis0DZIpKrHSNclBIRLYm+S5QoiT 
+czLuJKpRRehcK++JnnFIiDSVnarUFEMtTcgaLaJTWErTqndiH610aOLK9J9aq9E3ika0y7DIQ6Gu +jZq0X43MsdGedlKDWLvmUg291KgVP/siybSGW3LK+0XJ5VYsxLg3VVCM3RkXJJWomsrhJZBYpggJ +5E4tsWTqe9CSTNiem16gVGgPZMiLhZLWRkN7QKXvpvdJnAyf2tP5qkzSYvaQ4Z2yiW+oBFkqtcz3 +Xg4s5WuRCp8YIbIZZL/vEayYkCByiecDIeFaR8mqGooOpqYnUSF1MGU56nDUPaNlOh24M0f9ko46 +RniZMYukLk+raup5JeoaF3YK1EA7kInqvJeKcg9mDry3i3E6NMsqWcNSsVQNVWWLpopa1KqGkW0F +WzWdmpbAg4u4pi46YmF6QEOlw/WoKgiVB9UQazCKhMHTUlCqDuHByojXfk9v2wntQTWopGIrSKJN +idXSrIQ6RQckQ50p9yPPlGltbYbKwk25ggudUDqYTfVCo3N0gkKhj9BU6ANfRfmDAQscgAQkeQ4c +q//ui7PTg3JgoUuBHvcBkSlFoT9EJ2yWedeLnB4UX7QgAAC4QIgtvCoyxctBNTL6LJ8HJgqkg02r +N0s0ctdPRn3ompuCRe4FEXkC0Qw5KIZVqh9wVdUDonBkI2tRHVSXpoYo7rvd6LMIkRn9Ii2Sa6WY ++KNkszRdK6RuKOhCUhtylBW+zpu8ZEJiDZkWukhrrHRChNJKTVMZEuIMlXPx55bdoUoP2JfLEmsx +kek36K1MkVkyihdFDckTmRXzSGKl3hI50lalct0DllBpjZ++Ta7NZbnSj6VZpUSjWQVfhvrVlCp7 +SDFKGqtZfSRC9SK9QkJ+SMjFvlJyhRRqTA5ZySgsOe5HVYmL1JWnz94IeU6Z02VcoWIvrNdtD6iq +fhszlsTspTbYB0U1E7R2fPCLYz5g8EP0MWsnxytC+QdimWLFikIcHaGSiKGqjRXHYjQRL1bSYZFU +4rHabJ6QEYdHi7b9qYWmfFjPB6ayRLpEwmS/dVA5zokTy3TO1MshFTLZ2qPI9PKUnnq1ihIlZtGk +JlFi15DokWr5JR+/WhxPTXiIrmor/LLQ1eAYFR6RkSgL62WqkEYRUY0rqlzzUrcUVZmoosoVbyCT +pq2aI3LXK6gcllNYrAhuxhN26JZEE84lmoS92qtcWohknJZlnGFXUnGRmFUtl5UnYtgVZWWZi4dE +VhNxKbGrylIXcawmevC6mEbcOcnIgTDMiDpJ/4mlnyhUiaJIBG+fTpXO/akm7gdKD0rrhCqmHEIu +b+RgJedGp9LzKaGypYySsFn9CLlxaZfN5mpMmrmrOI3pY6pJxhTy+WYUfX6lTLP/ksH3QUQzVYUm +So45dIpnrkMuskNRGwVikYaKZq154Sm/DLFpPtJGEZGDNHERTflC68ggy3XTSDTbxDkyitSPPOZY +vKSGFUGWCk04agbDf0DiGDbkwCEin6mRomMUMVNRJMarJpsMTXfgIp/iLn6sCKogScUl2um2fbrW +5JyQ2sGEJB7U0B0UF4QHD6IwDz4cP/pPzVPmO+XVG1NjBFFcGMoDiqCFoipLycxNjgd3EproeJWE +46Sa1MlZ+WCDeeCdYtLGOr3qSrW4eIFFj9fEd/XgtxBDOaIzFx2Y7sFJNU4PhGSdd1jFk/CA4uCm +S7eYxmoVHexEq4lI/aBqju4w1d4TmlH0lZGzlAaig7J4kkA64E0/jA56C1leq+bvPhtyww5VhBH7 +MGFvygStp9SJvEVYoYSy6C4zDKcDqmNWdGALPT2oX+YM84F94JqqPucPXDojvpeEIwgbNBnZAfWN +qoN5QFO8RtI7SGGtMYnmYIRKOlTp93N57eBBYmE4nFs4v7+J5w0zFvt9huF+ezsPflcj3pogt2Nw 
+beGRalJfWDzxCUYQDx51MF4Tkm7ckE5TYbx2cGIEj3HS3sVfrMvinkWEbhEefNz0sSkhqZFN7thm +4T5yR5D0ERmJfVulRjhyxxhVrsuHviHd9Bk54Etiiv6RTieIdJtmSyc0f0xMKhaZaE3WG9JpZhET +CSOiK/TtEbWZVrVidoroiWB/hpFRsBdLjdhErbCTFnuSRckeC7PjOA6udsninmnWicDOVGHJovym +FRtetNs1tijF3fbHduqon1J1K+akhVJXNGJZFclWXyUS20GSSmK1ElLI+6pU7gzNmNbXp4yj54Xu +kiZICUVpauhbWhGmUSfLJwdrlojHPQoRm79E9AyK6P2YqHRCFyLiksxmpExaYxgqnldHaGjqDkdd +SiV1/BexxPfJ/cd/8aPkq6hHcRH/PwpFB1M8aKwVbpoqj6KmvN/UA0bZd0xHFt6DKdPp78QnRsM4 +tWQxOpB4J8rxHrAcWrDC0MHWB00YHB9BYUhskwltB6SVN3msCubBiIjMTM1BKBDAwUsi3CkkYrIO +v+/UuAphY8iHTeeXPmgj+hDDgUyObBTE4KOIWBUxRESeryZxfMQJkT81kYZMps1z8I2RkjeS0xFR +4soGyV7JlwzRlKSGSoqjuqFW9jYqOmSzna5+FIVSD9h6W9zMrt3ORUqQ0OMpSx4ULYmkDeKpPCQ9 +XyFPLMSvVMpKBFdcqchKT/UUkyp9VShk1hfMutILaVbnPD26dqkr1Jfn5UDCJsdEXe0BhySkSRKd +2txf8nlTqIColDBH1sIk6J0qmoEGEACTEQhAQBwOhkTjgdFgSvMDFIAFuIg4PhKEwYAwQGx8G3Ja +GQAAAAAAABAAAAAAQMNRdEvu5EYOuA5PRIHwPwHra3YDKoo8eoIKw8JAVdFz2aTsCmh3Jyfbiej6 +w12UFVJXZLOzlr1joJnS0Gm3HRspPAMYSIFTsJTjtEdFcEN8dV6/U/Jdk67Fc5NndFF1Yc7crocj +wDQNwfNOQJyNIeqBrZuZI0//fV7OeHFIxiqjtQB8Ypo7dL+wIhEEHmjTWJ61HDGwiIYMqj718Icl +JoO4wLpIsgKhl5+E7QLECOrflXtd+miV9lHIbpVO0+JSaZF2YaCqoF7mYJdCwd1uriT7sKWRYIr/ +0yHD4MiR6+OWPLeP+ElI9m21l2uqZddz8p1FFrerQ3uQG4aF8N540250Oe6nluNud4fJV2BDqNUM +C9rEshpywsosbM7FvaGuO113mwHsNo5ipcRbHURw8RSa8PiAPWM61zqlLPonIBJgpTbW6YTeHxUj +uNthOLkGqZvy21P/3gs++JXtgqtOqau3lbmCx2EvQxVnP0LeSdzIkuV5sxB+2PoilWQ16jP3hLB7 +miQJPlCsySoF4jtkVRjF5te0FYNsfegEEBQ8dpepqp5DOFZ4T/drKsCOCtP5WUbtHlXoiMCRtxLc +XxNsATDGhJXnQhCAjAvrpjyPxwDZm8BJ7rE8/OyqxXI0Gf/qG5AEwtSqgRV6RWyVDiDtY4ZNH5fT +mvCFKq/bX1VeEn8aZNDoRbK5138BCM4+Q0+7KY8uhnpAZe5GIR6m+zCZ4yU9S+gaI1f0JQejvsm0 +m+TRJBQLayA4VFwo9vAIqs1Cn9bmaA5XWRZQP3KJpiJXUK8mX9K2CQP9ab9VmKePq4i1Qvli2ml5 +H6lVFr/rO12uQUFKbsEQymkEqmiWp5n4pjvoM0L4kdvGUg8tuHjWp50pT3rp4FybNE08KY3XfwMb +rAakof3cLlxpQMecblb+liSMbg8qVtUPVv+XSoiBVqc0ayNdaJaCk2Bcery77Yn9DJ2g4B+7Xm6d +2zdvi2GZI2QeASBIl0Vg6gEmNG08wxInwlydBSaD4NEnUnC7Rd5HR344Eq50qyr8JFyY9ZATZIci 
+5Nzl1pCBUsCaMOU3X9rEdwbiSdt8mW8zOaS2CGhLDCu/mHwOQnXCtGAdKxJzDYHt+HrmrJ5vax4A +9ycNPFmQ9PmX5F0w1tcNpDrAixuRDhgCnlxLWw5uaglIJUFgTfkcnQpF0JiiwtTFzKquRr4g2M9z +F2zwmS6xjm6Q2JQR8vPlpbpP6lGIMHXJw62EujaELzmJmXue0DwGHv2NFST+JYQhf+FBsnjFAynD +Zwe7Y1pYkyYxpksKVfe8BFUlKWmwY51kQpC+7qKbb53sveTCayhfi5KwroZOKOUNlC1JdCr5OE3O +URBKbATrAsYBYAPNheN//ohepNVspsKqgja1/lcK58RZuoBAvAVsFOQeG2bd0W8fVbEgkKuep3oV +MJBsvCpi57FVKVH+a/URoFQ9CIY4cLHio6GAG2k/CJR7MYWYsVUSpz/lo+01OPvFEtmBOXInuHrS +vaItop+cxiSyP3CWYaYFlGupLAeztcdEAFw3+ADusvfbWJmhOMDxDhhyOe0Y4iLeXNb59WCnOVQ0 +tdsDbUJdpO9pM8P6SsEgHmwHEU4e5U8p/wrWQXRqHBvAAdG0yRziO+pp3c3XNQ6pL2JhpPIyR4h9 +NK2kX/6Y22p59iS97/UCascDecYxNgnGXJ+cpk3+NcPWJYkRL+D0L7isKIjPOHDOtgIxuXlP5wwB +B46IXe/BcpudWGBCuLN+hjTny2CvN8zoesVDENmNrp5H8hrxG9IsWlcMdW3jKD8cWgalKRTlSuLD +BGZLbGY+dEfJC9Ln1ZOnu0UUasiExs7LosrVdA3FMDTkbh7On2M4VpUenh2qPzaETEq5yulBahks +VHPXaKpIbsxmxycrn3Lu1Ov4HUQcWt6vexK4a120tl7UFbpIAl0JkR1Z3HPG6uWV8KiflslcK7Vi +22mHnkQ6NRtkQQerf5RhLLTb3BnyGbXRfSUYZgLyc7/QRKoke2UIdiAFqVJWuM86linJTs9fwM10 +rEW1LcQxEK7rQ1ONmkHoh+DwZwq/iyD3d0cRubZiyx3jXJaviFrVQgHT+82KJNllCX8enSb4dB7R +HhDCRtTQPaZ0eJ14iSgHxBxU2pDkv1HelwwYC0I83eTbGlbz1sxN2OTSK3MbnvaskxlMuZ18LnqK +laW8bgqChjUVdR6vORRjIwqBKx3nlOHrj+GdBV2vj4clvPHxG7zYO55In/MMgNEkp07uxvLR/NH6 +JLqU2HFgcT63nTgcz2NqV3TRn9sGI6TDA35BGhf3J1CdciAasCE5hcZZfyCCcxo4jXWKciJxgRjG +oGkIKh1yqhM5tmyjdj7uZxY1i04BXFy+ffn119W9ZAmoeAdnf1XOCjpSmdUwy9a0GGkPVbjrkqw4 +apZvVUlH82jJ+JED/wtg0VVx+6v5GB/nUKw6LAYm9fkMSvF62ByGkKoo3HaiLGZ6zvP4rerCGbWf +0/5Bg4UWFbkxEu/M7w3dmnDA0e/CviHzbwc1Ojdi1Dw98M/sNH1WTlv5IvC0s/qTNVLzX/a+WVK6 +6PjKNVcGEntt69TjXm05wjc/2eWBpzEiT/jEMXeJmMKUAunF6fnFVZpxaF/sPDZrsg== + + + NQoUocqffm03byM0tdICLImIZhlQJa0wMlud/qnY5r4ZYRJ8Rf+bgTAhxdWp+d0OU5oi5w+o+LRC +rVFgoDkeHu/5P5drux5F6y0i3MedsFJZUU1V0KU+e0PAbi49IpQOYLjFObzcD5YaYWQIDlWVsRqL +qkiq4/NDpubsSaf9fGC71NCMoWUY6AKnxigkoa44cEVGgeBg/bL8dKwTEf67pjmwWjIAOQ88oN2g +7t1wbMZByzW/sKnYJKI6EKXZ6CPkDyt3FPVrDcRaTVJtdxl0iDLe7Ark4iPK7rQdCZJLZxKJQi/+ 
+NmoZqs9pDA2eVTj/X7zVM+Ev+DesADS3EIjC53xULYLucE4u/wq8+5qe8KYi4Z6fJ3eFuOzk5GtA +2JcQpFm6CGEUyY6Uc4QKEURILJ7q1EMQd4gaNEzpxv4chI0yzxpfl+df3NzxtR2+1uMhN3eTVSOg +4Q3LWutXygJoiCQGIYhpHyQxaNiF5sXBSz1RCJLyc7JiuzE8QmzceYBVfcuIW5N+H+vnC0BPERX0 +F3u044o1OfkxDuIyuNJgMlScsKxu5++4Of//DGGhZB/9iHnfo8hoeMVkT/UsGTw8n9mqi50QP9ak +5ga6QUY6v8RNMWO2lEFmKvxqkz9jR2QCPTHQbQtdJpVzOAOAEvn3+W+D32mmlkwYWrmBawtaNDkG +goXTRrIxReRB2arK+s9ZLgmPS1WZMLcwCTMdPqsGKuGZkMuzEIU0eG6ZnI7VTZHHv8qcoORrx+GC +ZBHTmeXqPIXy8OcMoiM2r1PIUv4AsTkVJsIdHOyBItgTk+/b/n618lEREGtGx8PnIR5LvuPhFfm2 +3DlU3dnsQod2cHYPs/w+oMOehIaLWVSf6Vdq1xhtT644ReqvSPkZc94JNnxXEFFyTwgwChoo7ez3 +mWdCW8n9jo3TUlcMS8lFRZw8LcqtVm7UmlrZZDFFLYS+QtJpjN5sMwu5g/G5jNH4xdoNcRcc23lR +Gy2JQcCdhcArH5D3KtY2g0uCR3hiYl070Pc97YwQpiIlYD0TfNAA7LqUI6+8kGoI6XmN2ziNHhNG +P+q2CdZb08nSPeUM8RJ86//WM9JcXr7Fja2QVihSmNRDcgrLu8MTLSsS6jYMpZaEntcyCqFzb1iC +qsIzaJyGCPp1vSgFNgoh0P4jKa8hHxqaAuKyaCCYiSr4eHK/tpLcT5InUKbQYD3RvePTgHtXxd9F +wHpUd5hX5mSZA41i2DuPW+KWxZ6z4fGoe53B73CTKzbViXI4SyapIzLGJgXJuM4CQhar6yNalrxH +rfyf+2SumI42d+2iiseQj4g18cjyGzmhdJuFcoUhinh2DcDQ2VyoIkobhws5yNC1V3pjjBuyJ8Iy +I2WzeTYj23mCRpPF0Clo8NxDHVYEH1EkfdmKIzWGuBw0bMEHiJsm9VLHkpGVdpc675Yk2tCiQqOA +zExkSxKf84R6XPhUmPw6DvkdECLsNADM5GY8IcWncy8ucQynNmTdcDRBaI1rbErsTNDOMUPVIaHs +0LifsqLANkHVW6Ip/h6RrOBh5WBrPgHVhONj7CmakD2e17RmuVqLVnzROsN5OOMd4s2xk+GDFRzW +Hqi8Uh12GdEwWBb91ILr1VjcIw80qrSaOMcASRPWz5iyToFMw5F6ftwo6OSvS5lXQtxsil/LVRNY +g9xRJJlKawYU9OhS3YJDZJj411C07YNdHgfOsoDn8aFmwseEO/G3ytpYdqFEMKa16AMmiocVIeuq +gwque1FTykEB7+582EsO3ZKAAmurCB0cUu5deA10Qn0Lie4aVi7glUySWXPDElcxCzlUpL4Z2biv +Vt3xkziizvsrdETlpZep+gRAK9rKRfLhZZX5eSDd6bxOpCkklEHUV26CMTSRCHQTI5DEpAaKRegx +iRGwiSmZYsZ0WCWDc5QjxlxP+Qp4gm7s5dD1uxqYVrxPPT2OWou8kywCbiqwMtcORGjSxLEsG0Sk +kuuoF2o+LATqWA55vgoPVVr0jCL6w4XHbdwVxwigbR22uEnbK7ERNH1IzzvlQtPuaQs0HWS4ACf7 +T/PH5AmtrxXuNTKRJLqfi+NESixrZjMbHUa9kJDnrLXlo5psB+2UmhAkMmUr8YzGqvBoUqEH9wN/ +y3vdObplhz4VYflANzBSGGxadirmYtM5nGda2Ox24CIH2OYmSS0sE96cbOd4WM0TNH5JKl1mTJrs 
+NpVmxtppHAmrcBSEKWYw/fCt7djTkFi0k3QmoguSwFdAeQPyEk2R6rTDJ/4LYJkkiicIflYE8723 +KbVhq9K2/BuDHqc64Vqjlh2Rmy+FLR+doz6UBeLDUcbQ67vrSTLdM12EGlI4BV8pYze0aalEuTpi +Riqo2oDBHBRzJGu8FImJbUurnZux0/WHZ2rBb8Yf43vKWHFFXzenRNVuJpImf26+ZpIqUbh+4Q3c +uMZHNjzBB4ZW/gcRd8Qce+/O8ZxgWq0Vkhmj+OH4HKbxLlrxM8QwSTW5FYWR6gvVkBwkSi0dTSFN ++mHjSyhhfgVgEJerFToRRRgGFS7Q4FghNUy88Mps5iHF9BoZo8ZgGyQEiA+GR1YjqxjXTYFjM8Gv +rfb7qX6LGzxYVykl/M6b02lVoZtGgF9YXqLSQm1CvGgJZrYw5UJpXSOq2IR2uRKzVAtces3dVhxz +MnWBBTk4BTbBp/dkIbCCxTl1DL8eDTmXSHW0BDnOb1E+vH0Aky6jtNOF4Jk/EGwOvFJ37nmumqow +V9bkNLmmQ5Gt9CbpHzYF9SBSzR1kLZhy86vZEo8o1AM2wMJeFmaawezWscv1lQmx8T9XJNom56e8 +sImGGwvLnXglQ3EFGX2wRjbloOFR8Ovi8EhiVlALdUZlKsBeXEmrB4TzF8RuAkyFaoFcVWKGyxT5 +7kv6IrpE1ca8EQtaeEURwE4diRZgLF5CA5ZatFhiElWPJrmtxXMgcRlJSAu/a83i6VZ0MXlPP0nD ++KwE7paAgxQoDtzcfKG4X8iOnLyG+wkmLN/gfbO94U94xaSiN4mGdzxn84QUpOYwqLKgF6lOIm7+ +oG4LAoJnMX97gME98Rnt8VvuVG/+WqZ4ojABOFYiPQkOtjqaywaJNQFK1UfooQpBIgwiziIjnh4J +HgYv6/QvkHZDxoCCKOoqn/U95K0P+hHrvONCNW6g5j6RknKmc7sDCtXtm8N0FmQqsxpi3DwCKBz6 +Abkjsli2Z2lUJJzzqU8bweTiHlfK5JAkRbpqrKsEp/EPJ5Pm1O4OCEBQM8wd7sTxG5NwgKidTxJe +1Q4ZJklCp8vsoJusyoGpOGd1JA0ugFcDe55kkNHWr9L5EG6B8Jj9FnkeWnm+p00xhDyqj0kKR/TL +Op99I27FvlmRzC1/CixzS/55Y8T0z1VKnpqA5OqIg2uIY8X1NY1IlKXNA8thpQHxbSIIx6Qf1+B0 +V+iHwL+JbexyzdGHA8/b2u8UY47zqFpo9D/oIyQG1Pdo3RSNpAuC34jXIQKZjcrd2zVjDHgMiD3d +MxuwnBesNyv4ssenf/9w1RUY8ExVgkphYWfT3Q7BLh/uOcU162uMgiiyfbG3AjMZjQCEE9zPMV2E +bIJnLdATT71mdiiPw7VVNwVtaD6DnCCmhXIIGE2tj6fg3yieVhO0CeWev3CrIYkNIspUfH6spx2v +vTieKHVcF3Z2UXgTAUdyUBgOSKqETlL0eKmwZTrdPbww71FcXcRABc8spNxZgaevLo1YelB+zly6 +F8CkCLm1RjNhAozoEmJB3lwA4Imjs6Z1jBRTRC0UR8Fns5LzK02aopgLEYccNQ86ajjPUJGsav7R +4PgEJMxCAEM3bHkAizT6xr1AcAcNCpLfI6GT36P6+vGCg9B/eE05u9wW4TkbVZtFOWfrrgHQm36Q +28wsduQFu/1r7DI18vikXQDrChhq1yVqh35fXV2Si+grT/D/wqrOirDimK+mBzoCAxxCRQ0zfnrY +liGYprEJHSirAhnYTj5LDHMiY+29y/13khwDSXVoKJ1Wuz5gSIC7F0hgEPc49oEQP7RE6jGYKrnO +WFhEo3WDiQ3+ts9I2BQsJcXrAXAlyf4i5N+D/k5lUk+dfmWZ+9i0NIigKt7EfkLim8yCbZieurD/ 
+CBng+uSeSL0j1w06E5YdVRv2BI3yH854GHqj+6BjibZwVWaSAczhM2N27N8PAsicsMaAeEjMI8rE +eBw8dcith4upTSxBtoow8F/pbOSO5XSbV+Tgt0rdXlY0MiT/ZGK2DcEpSUKdvVIV9iClgHf8/HWV +r0kWbL6GR7DHJQAhbKiQ0+ctshPMMyJkvx+RM0DfoMxFy79YIaLgJC+4QGn1hHD3DipaP69GT59t +bdx56COULFJYphIzgleCrdBBNSoT3WXYxf/dZQOqVNdhb9HMNpW7C6EiGonAAOumtL2MXoR18Zpo +gKMgQ7F+DX1PckAUQp4vaZ25I9+lFHEuSCYiXpE1Jn8OmZUhtRN34wSFKMw+us4ZatlaAEr98xFA +TJvY7DZitzWavXnJHbreaVZsEB6G7J7eHWiHHrYyg4e2W3upZbnzSKuUEtSIcCzTQzZ+cAb/cehM +lMsilE3RE5mlUhjiLogGFgfERrOGesIG2JjBBuWJ4r2zRvkvXu/D3jW1Ri6QxlNeKKhC0JVVXH77 +xP1qRkwfnglCThhnLmpQ/+mtzuii/yDBf/imarmlJzVVEZVHwGAlxSB6beGerggs2L7XtqHOtrmh +ddyXrQBmhpsYdCppIvCjHqYG+/uTcNwJjC2IYIBn4FtBsE/HZ0apOidKs3AKUSwChHeAGiISoiBG +MlEBuYnuXDMGrRtXY1l1CWe+ekYFscDvMo/vS+fjAyvTIKLxgj2ICYW2ixBbDjGBmKkhucosKtIY +ApS7s97zdRYOfmaljxPhvC2YFkhvC6TkxRskZsozv/YcWMPl5zDvERZi1mP89uchhp/pyxckdHHT +UJQVAQa096xrlcU933qgp9P6CGlBplF0vxHRTG3ALRa2fFFeYjmQrft5MKWl2A9hvk36lmgLPg8y +ArgW49X1OKFxogu3ZhbYwlUpjkK6Oh5CRtuU0ZpYfR9G7qqXgF6O+EtDesQ/bhXk849tldfHPQBy +/XTZFCDFvcjQVL25xJgK6u2EP3VXO44bqEYnRGCFWHr0XMFHx7qM3NkH5f5BE63hqD3HXjL/eV/h +63xKyKbV7ZwYiISKA5/9TKEbWxJ5LBslmlFJECadoD2aw9zJ7Et+kGM/IC+HLClCBRJ6tPFEybBt +1XkjlYQ3R4n2kC5qgKdXre+o8dBltsDvvqNw5GZD3UTCWdn8WMz/iULiYXY9oGE1q0hTKDkLmc6I +ixRQy4OgkGok1jOqLPNLhJrjsZ/Eyxo1u2jbcNKsbAMDRju5yujLEKPn37U/WqJVeEwCyfSJuD0G +gg+MIAy2CIwO+bIQVACA0AxGhVC3zD7GXOZl66xh1rurHNLAdcwrZnYJlpCUHg4hFQ== + + + BltsIzTX1WERLG94HaNaQkaKtxl7FkDwPx1O+86Q6UgEWa1jeS9dKDMwGnNUF0DwjTjoF8hnYXKZ +X18B+A8WjwpqQK6GcUNSVq/1d4vt45odVs9CJdKUonuVd2y1GoBhwcxBzYahXUznGMO1L32C/hD6 +o6WYfeniFBXB3DKVgEcaCXYN69cC2qb4VhLEhrW+SsynyRmHF/dF/R5t/EuDMqIW6BpKIacVRaM3 +s25vXzkwqqujzpppsPjGhzCC+y4kmqk3HyRFCJzJGiskR4hGojSWUL/59+ImPwPLfRWdxBbh4eoI +BT9JSQH3QpH31q+3FZczHJL0DRJIbrPkawlWTUHHxt/SebJMQkDmsxHPwLP9fFhzexanq4xURyOp +UKcNaM6OsyZ1v5YS4huuRzMbAJFnNdn6JGzQeGGMD8ZCr/woVi0AexxBZRLZQfhqX4SqAUZnxYVL +It2lE4lQv27eyzaYGXbNb4Lg67zqyk/DhorPOeks1k1zMDLBUJcjTmu5YkRUKtsNGoiveqlZCV86 
+hefwz24jXWJk0YVNOlF6SGX2FXOGqtDwZVIIoYZAxublQF1ZeF+v2FNP6kKyhP9F6VZApBUc12TG +8lW0/jLeRMes9g/X2B106n4gjuVYOTkUs4+f4/8N2CCW3BaJ6lfQ+lUwJB9t+xHBlznLdRwZ6rg1 +EQlL3IloALyfU2QQ8tpiM54rzP34ol4HJhUjI3+DWOYFxHA1/U8TIH0EvdMEj6pNPvZZ4bA4l1Np +WlhjJNrF+p9stAJ0PY8dBEzyX06RN4nur2zRENGxdMWfoiideqgEN5lCBaFRCHk726qIeK4phl8G +mbYpQpN483jTkAE+v15NbH8cZaBsSAnTgemZYCynvNJsgi0vIoI/T3j4xCacUa0rCFDJywuhaJea +dJNPog3Va7LMzIRyl9wUszcwfS0rw8ZUnD5VYp0ZNJAOWg8A6ejz5QL7wKMICTJeqNvG5id0dhwe +pvld8s6K/5Rxnf5FmZ7bZ1HO5xopBTS+A7Zm8Tov46aSsfcPiNALEC/lCL8gW4NklnmyLkLqg275 +vPUL0rDRCQZ8n5vqOHJic2jy+bkCDs6gW5XCa6PtFdOeoEvyzJsj8y+Qu+tixMZh345NF9srTClZ +Zsifq+DfOenSbQrNR2ncjAhQdifvXEdhqKEwTQp2hqCzpGjXc50ZeF4rKFhc8lD0NCRJNXcKdkYe +tShx06SgXYVLVXcpYv1V3sOWCSzJbf3RqS2BXRM0Is6uYj/BOX9sW4zPN+EzBk+ZzVSX4MoOod+f +9q7IF+hLbZhPVrN3VnomM8Y7AFewPEXdyK0LxbAuF6WFWPgaPfGRURIiDqFuq3NKHTV7NjD8TlnP +l2QOysw06MVUYGSPphN3j0mTMnsqilja0o3PfnY+fioxzJBJLiPzIgaxrlz4C6YTJDLLSo601m+U +AXOudz5i2c07+fCQkIws3OZ3xdKlgBkMIG2ALj/jcKAYWvJ+G/1xljKhke2qg4XPvhW/UF6qSqtq +F9JSeLLkVlSf9HvDaB+biIEMkk//TruONfvB6q/zGq+MrkCh5HqLFGG5Qt2CjQnaCtcEQJ5AqyyI +GCYgVpHrac00/KZof8y/IiNpu1tss+sD090knuUIEw7z23bi4opoRQxsEQ2TSCKMmaeGwl4e2hFQ +Mtx1/0gaKU7p+YaawzEvNi6z67WIDJWC8O+qyMbFNeBqAI6TwvVTTFVAFJSx8VaFmsxTekUFQWMe +gefXrulewv6+hN1FBd2iZw9m01o9I/iCYi8aDtcqTSQEnaflbcDIB8CcPju2MO5PB3WPWI+DD+DE +wPdbYQGdPJrCSyPoIKSz7fGYFHaPqcyi29CuxSiBn+NJ1/+iVLmihYCBIFFdrEpcJwahGA2O+bzY +iOQHJuioO9u9u9RLejrr6TKTDlHpN1nUE3vXo0D7D8Ww2LQd9K/YZOIgNd61uKzegUPei0KP/+Dc +FWwwgmHAL41l8gIR8FnmILili0FaAMS3zQDMrax9rWBcGG4ENnKPdJZG5YqZlFcW6VoGaQ47H2gv +UYkimQ6lSH6HjR/z+zsw0zRkYHe0jQPLVZqWSlRjK9CwEUjMBMfTT6ciETuW5K+v6QpfDiAewTKB +5fW/CHE/NKwuPlhcAZT4bQjA4QJcS7M6MSBLJm37Q7TMXZtIAdqeeimIJGI+NXlkXnn4J6rH0uFr +vYADOYjE8Vuwg22Spc63iJc0jvJcCnu5Ft/ByXT/xofiPPCCPIgU+UXgWsadNGV0l+AJz1ErBy6c +vl0yL4LxJHGSW49r9iBodssbSCIFz/LheLvlx+Uu4SA499Z7Atuj6zg7fIuOLtWVeMMG9SMGWJab +zy1ns+EscyZ7PIOoX5U2A3vANSdBwnimcddW7LD27MnZ/RS8twW9xXEyClIO5y/19aGtRP60w2A5 
+Uw7Z30rz9lYYLxm7f4LMuQUKc3nVx4vfEw+Uy10mnj5IrZhYQKLOoLnEjVJNDzawC70+rpwynNsl +0TD881zPJBE/OT/Ej2WfM0pdUYR0cBfsXVd7T0+UhETtIJyfOgDgI0LZI43Gd1Oe+8FN+hOc4i5X +Szkt7V5DaGXgH7Moqn+KaA4D7nSzCt1+K+xMHTQqCg+Nhx6y7+LBPQTw5NWt04BfdAkbbmGgXADU +rUp+/oN4uUK7cXZBCc7QoT2Cmzlj0rgMltOize3+udPCV496yYo8+fUU4EpYEG4R8yPk184JMKvv +PYW9kTYIaxiCEfcWml+OMkq7DCL7yc8Kobjpxl8sMP4pt9T5PwXcGkivVMCucrJ0e77vAYlxRYfF +MWqAMcJpNr5FhTLuaEDZxJIQiNrr4bcwWbyLlrz/33eDwUngeRpPfn4pB9ZI0zbKSXVSRWU7EB+P +MT78wZzRQXtYsZDEZiLLMJJKwD6k84VHWpTyfZlzO/GPDFPRf/Mw38jnWKkbH9C2h/7XtvZZxjtC +YHyNNekPBBjAYlNvIPmkd+mNJHh5vWS2qunVi7UISGeJsAQiYl+/ytU6UQOZIvhLOEfyKZAaX694 +udWgnRc/pLbor1TsX0VnZdZW+Vh4XZ8LNnMd0dohROFoe0jHGSA5EEaQybaPh3NDDhCzp83DGUJv +OmjgDrSpyczVQAV6fCqT22E2vgKqWr2Nl37IEgApN4Fv86cVEIyXiSUCmp0JCrYWjC3cITJFCHQi +HAGY9FOce7wW99qXILArxBwQ/2C9RFks27Iffcw7RAprkPlOycyChmx6POd94egW9Rpc9KutKfLi +EpmvwsNrb1AUJC2bNJJAwAEM8YbYq5jjwiB+2YcJnj+Vk3CeOILQb5u9xlOP1DryGFFAWSC/NFfi +jR+Bf0uuxPrrXVNEzluCEvSCsQVSyui5kMNDM428Rc/oeHBan+ZF9dXQB5W7d0omAJ0qmO7OS2Bt +MLuZjsNMqJEi0IE3Gac9V+8SXt/CmD2C2SuveeLMdeWj+ODo8uev9Yw2z9X1u1FryXBfqHl2MU8y +3TvcYPi/xmijo81/IjwTThA5YBTY161jFQyupC7lAXLq2OetWxyJWGUKZkxF4P38SNdG7G6kCrZ+ +yKfIlzw5E100q6a4yHvAA2X7fV/PQyuLNckF/VjXsAXv8p36R1YYdtLgptNBdnFC4CZejf+RLT5I +lNQcRtBnJ8pMwFCw6pScogUZgvH3QWRgl55RLpA3OoDCDuUEnSIjcnyNcrud1AtBf8PcfpZJZPsX +YJOPE/0sTsCD2p2ghmwUkuTTOBQSMR7WAUbPo01sq1kAMSBSMPHHm/IJgUSdHketkwlWoW9LEmAR +Lwlq2HF809uh0YqnCbhxAbOka1BgyMM6BGVf+RwxLURTiv/hc91KgEHQ4cWsBRUY14F3GVwT9ziu +Vj9LjKurlWBbxWRrCUkavzd+9J69GVH8zIEQwQd8W3RdKWS65fFPtgWbm/+wRIUI7g+kgI30qGPN +U5V8T3CS0wi2+aF/x7hWWx9ETSwzkCjJqpR2m5olRELcUfCyguPoTdjprboZYgyJU3ppuM9ipVXF +t2UnCm4MRfCDdbiYXTaxUPAF44JQ9g1lMCrhVcLcMBpCxKHhcpUYlrWmQj6YritvNEz3j1lpUJNO +8dOTtCfe0hqCCa59yCPod8DoKP1zmF3pDxOZfMm5Uj+QFrM7nKKxC+JIxpGHYj1bE0lJEdJJ4lx3 +zDOQR8FhI5Y0okbJ74qyiuCW8b8TuAF/iovIacZUSNY0QNQHPIWE4Tp4ip9meRYG48wWT67qAa1J +g5a8H6fEU1/o+VLhIlkkFjvp4GcX7waGIp7z1lzjv+cgvAEb9bUdJmzzl5LWHJ6s3XuwdZlmIARS 
+webRyiGtX7a/KKS4wTuZi2y3it7jWXTJpKtb4sXMy6XCWjNjuRE6kNEXm9UX8WuxGB1Wr5cq8Cox +8vRmPHCOUAW5EChRDHZq8cLAIukI8cHdubvSiDPxqIX+S2ohmSGt4mbcB84C03vIy/0NnnyPJXlM +dPhAhvebmuW/od2g6qKO0diosjZZFI0YwgZmNW0jcn+FQdLNXmv6DO5utSI92aPvD3gpRNpjCeDx +zODWnt4MA29jOUnSGO7I7S88HxsJBe4mIZmL7Q2QAtuHBg+kGMeci8v6jNhiml4G5oIJpXB+yFsW +EFVfxVRSiRfaVMOjF22TFKYF793b7m1+yYbZL1Kzo3Bm2IIApWSUEXse/ajWryzcVcfR23qE6wvN +l+NGlAUCWWQHxgXaJa39mWZeFq5LSg+CgUvdmPTTv7rGWjxu/Pjpcj0LAF5JdQvG5kAcwa/Y7Aze +qKxISFCfHpbj9IKXqFFsEn3X9H1X2FvZBAYKF3TZpUPkkaIRdM92BLusuRBsx7Ex5v0MKVOZtxHl +qu1sLTtjEuQmUGC30vnAgs+LaofiNzeFNyt89YR5uWZiy8p5TSDtxD8FQWrIg/tCbALQY4imeOzC +yMXTvZwb4TNYd3oUEPqyA/gYsmwnzgjA73QVxTghXYfXQ0A4g8lh+Jd2r3qOr+NCVIJ+vJCgrvh1 +QxYprV3crQyshkTPq3AY3WAVTL/cQaaNhq6SlZnhlU2Xwt1Cs9knmsUkcSi/AjIX7912MK3LDIpS +lQOMQ3kq9MQiaCjbmNOnvcGZwzi6EiwDZkYUU2qBo0cP2qKvenbBabO2bhhmIQyD+4FYbf2L0I5a +zqoGvbSgQbF3X5Q9eVcAedK7GmCe/zPNDP5YpZ7CUuHYfu5RCzhGvK4DUqOKIijQIFoKq+bl4pmy +66Gg3hp3cgf/n/NVLuFYK8MM9zqpYmR0EcdGfTE4Ijh0+suNgQbbR++Gc2h/E6BaHoj3Xu7J+o48 +DYj9wDY/DQYd7QktzHhlfJ6aU+vvo65kewV5qdOwIeV81aaBL6Klq4Ab3n/3IapYqQh+wE9y/yxy +BlB9AlhtBk3t+Fp1wmCVpfmoptgnOFQEii/HQWeEHsgCecS2kDEKbRUabIHU6QPJcA== + + + TnaNDytOOdWbBLjRKH39pZtfGFjE76MvO80r0t7bTbk10O3A0k/4Lj4Yiu3OFh2jMy5hT0Sd0aO0 +FOmmkk8hCq1C/sEHkI0II2hQhyJfHtdvDHmJVXDFk1CjyDML3G+4WZMunL6t3GsXTvCHWOC+gWSV +QsSmC6ZuEhJRfwbziogmtnlbpYzIotth5nqcZFZ0yrb/P48gcXlJG8/n42/50B0zBYt9+bOssF/Q +ory2+z6iXQ+OoDwJENdyvplOBimPdpG/4isAuyBG2NBs/ncVrGbQtGg9G19JcJLn9MQMysaN398p +5xghSnc/bWkrATHw2lbC0U0fI5P5x+FAFHHMlOoG8WmK2E9Xjhxh/Ij/nYViZUJ90h1aE6jwQyqt +S9Zz5aikj4CpttolzQpmbrZhLMpRNKwbZtwk05JmJPHjW6KQDA+8Kxn5bgbe0pk2KqIXsTanFmEO +072Hop0m7ZVw507BvmXIHMQngKAJNsH61cBTnGdk0Aw4WmUuo2+85pMI7Eif/NA8XDhx1VbGKnY3 +6oZM5DWDcO9cl0hAHypphM6jMrBlD/IMskNNfubIYr6YTTwfdZiWtXJCh2C5pWG3lh9DXYNaUoUX +L/XLPwuJdTmeIWWKkidySX5w8ErH3bebPS2gysPgRQ+/a/hoQEe0hhT60TyWZeMLmH0c6w+yZFed +SXGrBNWW0TH9C+xutvKgxlzoo1bx3SClQ/QmtoqOcw3XMztdddgq8EwuXe0GSpSUiwVNibyxTFDJ 
+uC3vztiFIn64M36VT7FlhBY7FEnzZcFVV72KxCszQZYHfjs6iP1OIG/rM0dw1PAeV44KGl10Vbnh +mpVOri4Ccxaipqk0fAIBZFWH88m72Yp4iNgVt+2uKwwnU6sovpHs2o2g8MBpwJCi8K/xsoReodNU +JYwml40Zc6cg7khB7HYp1ujTmwxSFHeHWbMDy897z6Z/lx/C73jMTphtMQbIr/MSgVbU+g2qdVLl +TqmlU7A3TxjEoM1cbh1y4pBefgpRoEn4bPZIB6V5sOncY+nFkPzAeSF4Ah2PuWC+ZtNI8S7lD640 +RK135eDo6/m0yb2lQuNEjjxETkFtO6fVfhwGsoDZWYmYepDtmD+zCHfoZ7HKhmeStQmXhbgHd0Pg +fPgIdqFSP52SGSlqrv6M7q/taBezVcSfSsxIE8jBrWCfuiSXJFCxAcfQsZnAkKj7uR0mNMRaBucM +SFmeI6Eam+oaVA7MwcXm0zTiELIN/L8/lwHVxNNkMfVq4ZDR2+H2q2Toy6MKi4ZL7o2Uo4OcrEjG +BxFMQIYTEl1NPlj2/IDFRmvswyr1Lo/Hu9344VliWfRibilMuFOVVZysu74QTwJo6LkIMWtp8mhO +7GESbTn3mirnOnowTJKFRtZRswR3jC/dfJfoZ2zIDqq8NulCX+MeTIq53MEqpP4nXVK6+JTkz6qV +bFJE38ecC+U/IoKJ++N6iUriEsDkeDQOREmJBtgeWi3Oo7K8sfy6PROU58L7v76ehCfv6+H92475 +wz7w0parUxGefM717Oc2BpD9iddANJIicjGDNXgbbGmPmbHVjeWp2TfdSO8xTF0NDyI6INGp4Dgu +Rgj34ljwvTOTm4RJq6Mvsq7g57WVHe1hqHClNgMhliIhCAnbB5lpMUhGEejBPBBJwBRBoMHXeeWK +fskokEuLkxGE9CudBxAusfthfpCwJvAoeJ4lZ08JKjCMIFo/EFUPP7AOvDNPWNn0Kwh4K8HpBwxf +XyTrJ/2cpES/TBVBkPLHfWfAJfpVF72Rtwu3KuknvO19/3zJmTF6y1fLeYoA/ULhl2nhy0+47+kQ +IP0wIoKAYjDIAghVyx4F6gcs5vWQylv5wKzq8Z0eqPAUD15HP7ZmhyDR0IFT6McyUFcapHD0M+wV +BDUspngEIvZrXbvnV1FOTyrrU1Bt44XVl7wmCNokzYFRFzdVOiSp9ju/ik3sBJFx3jdjrL3eCU21 +/Yas0iud1/kwX8FRVbok582um3er0qhllSZxkubAaIIIQVZp3GsKhJZMMLsim3uPzeoRBYJQtStR +JzPJ023qJB3/L+5TW1fpDPZW2jVEEKf0KnkrfYwiCPaSByIMLE2uByIh6UJx4Md9wdI58EDwcaVh +c5FQWNr/iiBwy9LpPRAsZmmwEQRpWTqORBBw1NKQJghItTQlAFrH/HjX0vxPbOnm0kbwWlqfRq4d +WzoyKwhk/I9xDIIpt5+Bny0NyvrbB/wxgQvZJasYTk2APRKX4ZyAdJgMSEFMZvUaXy0mI4i+xsRn +c53Emax2VFotEI+NI9dkb77GfEbIqY3hsTEaE6hGaONiCso2Tob5SVmLY6zWZHSPGbCNxWPhDvtj +RqSSCzR+NRn/bMxfcUJN1txj42ChC20ctUyGDHrkqcn4jo0hmjVTODb9FfPdMODmttJqxCyAXimH +urkvCrhnfaXQqUJaCHUWsLhCGWxQrvqy1hjlck/jHo7Po1uEFpIb5Si9Sz1/Z1GDAWgcY+r+jnJC +QOOnUC65RQYnvNpMYcaBVydVOdR3+Rx/jXeUX3ZIunOKj9BCWFZ6fQU5Mv5vFSRGCBdOodLtIZiF +IDE5ziZLLnIGSs4jZgEhSg7wkgDLbFR0BOWecFgWJKFgmobgmenuMSk5eE9+aEsOEpoFpqkHjYPY 
+Dg+JX6TkevrLrzJKkisVDC4gOQs4SEDHSe+yQHrwvsd9kFzmVH0T4upq5yRgEIbzMZuZHpywlT4g +uErCgh8EmNDNUaH30OAk6pRXyZhJrg4Qcsu3KXcrufxenHLciJgB3HrAWGBvHpq0glfYRslUKJTa +gGgpkAttVBwKVIx4Qkr40QQIvZWgkcltgyTwEf0sGyGRlkSwyuTQTwgUgzVYIFzETK5jeZNrHbLA +gANZ8DIpDoJwcvSSt5cWF0kocrWXnK/DkdOKbP1AFm5jkn4pC9kJPhtXoMJEaKiCeczxY02hhhju +zkLtILRUTfCxVLDMb0CIIlqoGyjto29OMDoXeKyMfdJUr9bIR7+GXDZu/fGeIbUQlw8/ZStQygkm +dmw+ciKGjopZNCE12KDDeRNMFxJCRBhIjZyL408E4uTCxKr+hABLWKxT3XBGuLRaahvNv0fdeCtt +uHxLVH077IzBZEOMswClfb9Sg11I405BmwVRz8gxACxAgmwIUW0qNIbOCqGvS11TSr2DAvvUT0VO +QSUCHUJvwaT2Wsyg6kwuHxiMwQ2R63sXsNrjCBjZOE9onIsLoovkIEx4OI0IKpybFWPSyZPUheqX +IuLpICTkrWrLFBIJ/cETpBZH1V+qLiTLrDrUE2QJ2q9XzL5T8ZFB7BEQOUPuAugSRAQu5MzCC2Rk +fUvgIDf7aMlwccL0Al0njlg0P5yTewGghYtrU34Pbj+CfHGJfIYY4CaCIaeAXg7Z3kB6UsTlbYDS +u3nQGBN9sb0gU0CfQxgdPNUiQD69OS4+j53Zzk2y1GKws8MtyxDKyRRKabtxBMlBrmYRkOXz7Dgc +wY4smxhDJJg6Qw6pXAIEogazyI+hHFnlB4RFNuonBOGtU4IEmAAuKSV+YwbDx3Zfet9qDbzkFK9b +u1nYXpCxUkyCe1sW/uGUvgg5DTOpxLT2I8IgIec85fFbfc+A9rYVWz+YiPLxyxCSIPfhEJ4AckpI +gnwfAVh5luJoV5ricblRgJwG+C1B1164xChET9IgEFeTo97HbpJONBNk261QH1MznWetoXXIh/pe +WPB6NDrJUwZY8RMgl8eBzHfTW3mvVQMd42hjpkurnV8h2S6qvWVKkJNuKXkAcoV4dRJNoXQz0Lcw +AS/5ESjrhbEbQhgqJ/gBVBES6+jUwfF1G+CroE1GdzjcxAUYZMDWFD3Vz54SoHZ3xxAQKhwsO4gc +HSEZFBjeO4VyNEtgEAA5Ku+Oy0klBHfcrloY0RXQr948BBTBjWH+a8yr4vma/V64C2L1ywmo9B4n +3i4vBqkOFfg4cTooqmTnewSTNus8TvJw5eU6AqR0p9LOhxshj6uxE05CyHnjcS5z4Sf2OPXeLd/r +VAWhi7XNWihvCXCSL9tfocrlg9SL7sJ9fkpyC0Z40hFF5gpVzFPBTdNSiLPHYZxDgbGPo0lPSFCg +6GvCnCwvwes+DuVJSLGPYwUSmPo4broIMfo40BwCaX5BaNZHeKGaj2OmHgTTaPU4zPICi+P1uFC4 +ASkL5adeMGggjJ4zOFFKxfmC2BvtEzDA9ZBGNhcMEKjzWODqj/uZCuYzaCjIw5wJkPRxHE8ScNRR +xMBgu1Z6LAimAgqFe0Bjj+PP5wAdh1TCBoTnEe5l4EZtCEZfwHF7XLxY4GYqkhQFNEJim18M+GFA +uDQGDCYgyh1AKJ4yINKOKzEFcOIQBPD1+gLURceBKgEQE3reL4BVDvxH7z2SgcuOI3H682rHvTQZ +3p5eYfZXUgCE/t8oyT8MT8C/lszEPlnB/lqOJkMuHMmgJZIoelqy7Lg4CJ8NXDPufRuntlW5r2jH +jcX2I4THPsFXa/3f5Kgv7Zb0+ui4Twb9AXLcSHF+TI4zgQiERiSDroCqgApBPlD1emW8maTjsYjf 
+pGxhCA+uyUQS8Jj8TamWQTavzfgdsmTGe1xJtbTuJtIEhMt91x5V1wypIoSitm8RPG1LO6pyXOLK +fn9fKR32HqYu2bve20UmaB0ccZjd6gDI5dRhwHFD9OnTZZH/peufdwNIX8L+1yW6+iqDvpuQ9jwe +OI5yc35QT0zYXLedkfnZsC3vBMdBzBpU44XCmFzTFZ4SOW3+IsGGGm22y9hQEzJFuTh2xQrv2fBq +mRuoDQnLT49tyA158bWH8KVNFDyZOY5nbgjWpCxY8DEAhryhZRt7Z3xbyfukG+c1dx/84RA/duqO +TIbjoLkfxQ2HMjgEb9OnFofeaxznxoE4fusBIAe65lu0Q3tWasqB4RnH48kosXc7CkT5rZuZI8wZ +us2SgMCNcbrp2xDGwehOgMvy2Dm0/5CggA5Fim3kAaep1jb9svWyxclbWjSh7cTMhNhsJuWJBc6P +lK+VVJx03MIdsbkuZAcWOSE0FYH7WnWi6rxrF64mreGatU+Ks9aG2oh7sqatC+3oq8HeR7JYbaV3 +WkvVxBxOcaZ2BTQ2KGp2BdO8TxsCWlDCaYpIGWVMA/4SIQFgiI4c7jw6zMtotjhGhWm4MT0KnDKc +/D8MyT9D2AUNXLgRzUGJo5VwGqiAzk5JC34zyLVwozVrCHuCzczojqPBy1YoD2AThLQeXIOT02Bl +RiNEylIpMDg1BCaSPKykygMyz48HChwxhwtl/3LMrhahn8ZmtOC0MObVcyPmLzlvUSkntilWmDW3 +R8Bp1FgIIMAtpFbb/81K4jHKdRqmnkjBr7AlAJV88FF9OH99sJzCEIrBDinF2wkmm4Xo+L6VMUNZ ++6YdiQwEsKVSSJj+cpH/Iv9SfeMrcvvK3NJREN+Wn53i9yZZywbq3szJXQimXpbi2g== + + + Ds5Lps87tN5E9sdMaQD8UW9uimP/dSmvYe6SupKOwq/oWmgolpxLDs/YSrlMO4Sji8smItoNKzlV +wBv7liB+H1+3KjcMRbdV9z6jvbtlvveja9WbheN2q4xrGnPwLj7RbvWbN9SdVY9ZVft1q/OYxCqr +rg9B+b3yDz0+ZSwqy9EHy+H/Bw48K/G2Bv16NZG5j4kzlocWlBq5Q4/bqgHqAGJa5YPlwB25QRAO +tMjqhpiPW0vMBm7GLRyqgavihow/0EDcchYz4C7c4D4GxsGNsh2G7MANQf0C4d9Gty6wqW8L1BYg +623EIguo4m0UMLstid2UQq79wDUlxYMZpMxBP1CjozI5JiAko4inBBJrW9RCAqCjbbS9xqH6iD8Q +N6GYSQglDttwBBBCfm3A3QP22k80ED6f4vWHHohXTyF4A+jhiWE1oCw7FZEZQClSG9MQEYfBg8gp +xC7AAzhxgSzgWNoISQUpXxOyoADQaMMXmM8kIh+0QWk/QP5shPKBrp4NFzrAs7PhEwBdEpFmLZGn +iqWmQ4VZZTZN9AMQAeZKB7Q11icDHAqUIKyAnGsSv4gAsLMkMskDkgRFHITY/X5ovBQXALWIrS90 +oRwb7kKksRmI/nwwtg/gf+8Lrv+7YjPB+ScnNhy0iC1RhIdNRu8uov3gnH5wrLB9mfnvImw4Tb5m +nOhdin8GwTYllBFx3Q98IkQMvB+q7SHEqf3DOTTD2MuyhuiE1vMaQydFPZsWgnjSi0OF1iH0F7SE +Fsn5KYWQzzD/RwfhHFJeJhl0Usi/mIJWx/i7RpCFsG0gCLMTSJAYA/LD2wAKqnP/IHHz6XTb+sHN +dPwQ1Q9E4j4ccKM+zn0kioOEcWsQ4P0A9nGjVeodQf4ao6KuX+DYNCqc2CT3Nyq6gB6tpd3s1TBi +TRQtODwqUIrWaHdCrlbGepqa6X5U5EeWgHAv3bgFqUuUcLSWMwKjNXT+njVFFM2aM73oMcqsYTAJ 
+R2liCM1gfkJVEVKBoSFSIcasnRzrjwFljfOZr1CSIxWdmLWYYPwBzJpJgL2QM96oQABJuoJzsna7 +8JjQHf6d3Rb2SC9tjOzTaknSbldHmL8U1l1EbU/jeI/ykTJL3VjSd9JLIz0FZRdSkpD4+SKDEJ8F +COy2+oEX0V4PKEtoRnbNYEsZuCIHkCUfgxXVn+nk6Tzn5rDK6dJIa9YGhhKsD0FAHpBi+SvZG1wM +IctemVvXPkH20ltMXU1/dUScsPX4Ck5splZpWsmY23GYsN4oUZjVYLl0x8Ay2PBD4LDTZXHWyboX +SYGI6mlhlUvmIOX2kqkOgjkBw+D/r3nKIAPWie0WrD5LQvBDF2jG2T4k+mECoHXTdf/5Zxful5ro +web0q29GRzPC4vdyg1fJS/lKc3SRrht44LuH2O25fq1iFz2ixdViEh0UAo5jaMCoryXkCYEqCsWz +b15salmsBHsk54myW7K8OHor88iv9+eOaEGnk+9GkUvSWLHyc+qwFbdBODjCGEMv0qNJPbIeo0by +QT966XZ0gAXo9tpnkMkFzShfT0eG7iGtK5pmeF8yMQoVE85YjWoiXcTmEA/F6esXefbvAfi6etsN +uB+O58l+jq9dXcLzcqOZY8jlO+NH4u7iV618eS2LzkJFD2ygZbQAEAh1XIIed1YmtMyLafYinhUx ++5V2ZkHu+hk4k5BnLMBM1P9Oh/JXTP8s01sCqZbyOy8XbOe94ej/ktI4I1+9V2ZdkMYcIG6C6XZe +ax7uLNWy5s4jM6n9M3ZlRhnuBnc+bJbZYs4/gufzcUUzAM+b3jIV4FdHaZ43R6Rwgiy93Bu/i5yc +6C2+lJE3meW7IkkQjokaOfqh3shRDJ4ggUZ1XLqFA0Ej34jXWrfiVeFj9Nam10G4oML0nYkRbrTW +I00QfBA58sN9OUxHDr9ET0OW4L6jfUF7jH+tb3FHjjrbK0QTeXGHZLAKOZygBOQosr6QU9QdPn6z +1D4ZYIavZD7O3rpA3sx3KM+DNbxuDsmCj5ds2Dve4uKB4OM4jNfZ1b5J5E/CpBuUhRK8uscLP/6u +3LnKGpN8bByRsfoa8v9DfvMDil5+AGTOD/lIK+nOvSIfxsZuQ4x8ezaOp7Q/8stIfoIB10te9FdF +oVx65E8bXKv/Ivl/E4HLk3x/ceLZBgDPz5/HVKRhkp9lAVd+ifwNKSV/jWmG2yXfLZFVnGZaucIH +RYvbykUrkz8RWwPFJV+u8XcuyG9la7Bn8BCNJ8h/cgIg8MHxT6UTOQyOT2jJ/OLjwy1KFR7GlSa+ +6vtdu53VYOKz80nttrw9axNfEECU7sSHzoqYp/7vJ37/z2qZw5mbJz6KEBQD4ycPnN4Uznkw8ZXc +FuSt90/DTHz3/GSdXJdg4s9CJ58XCwcT33sdhsnNZlY7fJ7ALSEmPt+xAIli4pOpLKnKu0NlLvER +57WvlPisjLwGR3nPZIkfF8ifLfHTbs5dOhpISvzVJoM8TJpde5X4cVktB1/ixwcsANmKQ5sde/AI +uZGPl7Utkpe9tdZefnyyBZaXY4wvnMAfnYLnEu04ZPDyjaxD28x7Z7o9Cm3EXcYTv10if2gcdwI0 +FA0UtqGhnfhKlydlekU8BNmgrLprl69CNl4uTZOXqnJoDjw85qW1Q4uMnjta3Z+uvOzFjpAsB9BD +i4HSuYzIkD7wnHwF7WLZMdONN7RUQwYnSqt3DgzNUHz9Wwj/lUxrCEN0VGU/V9shaAttYTLcHBAo +CSVa7PsZrjLywZ6Emr6TlT8N7iOG+smO4D1yqNS71Acy5Scl/NJdUGlcyjNJDhtmwSdQnYQ3pR+D +z1/Y7Ty3hGO4CLoNlmdyHQYjwt1q2aAmbnVisETrLpjmyYZY/gPoqj3A4HfI21IkukDmXtyY+FpK 
+5b8ScuY8f45TDNErRIRBwV+usEuxCktnoJk4nNxPbM/rAMcBU/iLpXtyjmfNpeqVAfOEthXCY5ZM +K5+FahG1l7kSVoF9tmjy5+k0XLj27MDGGJjxhPOyky1JdC+QQZpz4cRYDwOVfX/As/8OjdlRhhPw +3VyVSllFsGI6ZStAgIZ8DeMW+EPBoX0UoEdbrE1BhDLCE6QJ2TRpExZphEgZOVTfwPaHLs7HrteO +S0uGhO+OvslzEOeUqDrrSoxm1WNcAwoI9VSwBwVur8Ms2+2XqrFZ+edjSozYu3nnh7L2qnDcFOk4 +xpkp2teiN/J5IrUqXl1RSA/d9NU3/JwlA0pdoYk4BjVBHVTWiXVLusUX94zkRXBGtUrgCq1BhVOO +DFHJK1PvIwisSBkxjAbQuE0tda8Sg6Xt/fBu0UTc/ybam4Pl4zSG5PkPK/Fd+d8atFEh9BZ4Tb2f +0m0rNJ3MYb9c1Mu1PYnEtxyMIMxODBKP83dFhfaxyBlKS2FvGPR+TPaJ/NlGYbsXdC+JrMzEHZov +luytzjKcPUPzCMO0kikGoMwyFEzrac5gyh2DLz8qCxXHI4PVGvAF+36oIZYgePiU6cEsNcVUHkAN +qMPzD5ahn0kb887K/tHc/Zipv+ldEkaF9xkDJJb9sBTu4vO+dHXltFudNl/MjYEDNJr+aLNLl8Fz +zXaiRaMJdYmHilGIb2AszzttCQeB2CmjB5RfIGvWIFXVIQ+rT80kbLI59F0sD+kWF0iEzLal3feV +HfGDVXPLxSA7MhGJWkxDY759ntoJy2jKxGnX1AKewObawL4cRh6N9tLiX+9WrrxtwuEwUwrKuR0q +WTCt/OYz7YZOhBQSgNwGRG/mjztVGzBiZeABp3JrDowOSI/dSZZDQ7VN+979vbhBPXuMl8o5dQH3 +7NXCpQkafaQUP1vYZItbGMsy3CyTmgDcEUNjpW9IGahsONSfGl3cFokEccm4xDyIW+ZIrJzhkEEJ +LoAGSukhBL7obhfS6licLBp2jb3anVkaIXeVzP7bTzh6ritVVcz7a3L58KCBOyeFEgVdVFBGSLpo +yHU3hVZAy1zVi1D8y49+Bsyd6xwCSICaJwINckEN/gf+Dry973/vBb1fVU3pMO4g80C81Tm9O4kd +m6y+DlUyMi++4TGIh5AY59mN9dTHhJMtTzSn7KlXrpaWcuDdB42G/BnUgJm7c0Hi6ORTjut5XNP+ +MePhA/7BfGIZgL9fHL8oQbB7l9wuC2hdWlqekMjMZctNa935VOLPtbIE2UssxsKFqotU5be6VOG1 +53lkzs0qVBcP3tOcFOmvRmKahL3lDMoTtAtYPiaC3LBaVPOTNqxaaSVL0GuTrYbfU8HCIHoR4RrX +OjW9OvvjKNxUza/NQT6t9mh/sRTCkkVpo2ESmK4XOvFcFPlT31nm2lmkvOphN4E+Kuwyw9ukE3Y5 +o5JITaW8JnI+k0US6GVEwjXlyUIe4xhHIWecQhoasKIYgPFCxPrB8gdpiLIJZ5klhynYlIbgKGD2 +O2SinzSYwWvy7c0Kd6pX1CNeiQdAa8gpu5Aj6LSgGzbSnKnlyDH0grdAcGnDp5JupSH++OWjgB74 +UFYdNKC0pg+znmDzv8eASEymYX2G95ikMM3aL0FS5aqtIg59vCyAjEnhXPXkxzOqAtAhj0z10/yO +HQoo60jVqRNtZzOxgwznKgM4S3ri4kdJpQ8kvqkqcNTElNIw0QwMtXmh9rmTcoHGKFPDPu1QSbPz +zBOR1ut0JCPR4swXoidt+oURMk6aoQOUmUyj4TsIBqW9b4DL3MzxeEUPvoOeUgy6svsTwHv6fgkc +jrD5Ecnli74hGqoN3kf5eFFoBwDm5Nc24OQBORkSrgSMC/2Px4xUlBCCiEsAHgBnhoCc8DU6tMBg 
+pJNh7UhboAI8ADiPEJrDhSgwWFGnow+APXi5agAEzafccL1W1XZ/+BwDP/ffkRhaeRxgPPPtD/np +9GBTnUPdaSB4ywOB2T9HDIZhwWKJM7LObt/buHQ/FvGf39QdZtqngamw0cI7+jM85StBnRbpSAbn +82NreyL9JmIo48sLzTs2VHPtcwW7lKT15nTGn7TRvA/2CTzrLvsabt8qJmJ1lX2h3cTVDedFWE9f +j6yaBwpk1Yn8I+/0w8JdPJVUrRxFtcSl0P4MjSKZ37Ac8OHEPllnrrj0K7oX0fW/R+jyKtFnMzjq +TcJEbmyZYoZKx8pKy+h19Esq1FSrtoCErN9CgyS2Rt1lWxz4n8CRZmtiYj4MBDXak4ZHvBvH/Uu+ +w6WEzlvKqgT3I9ZNIR2twAZoImaZV9ANnlG5tx8hzQuVwdgR+IqKgSJ7VdYozfe31mxqmV701xqz +evtBg6Csl3ORUmCRAppyqmpSm+i/dPwlCWGTwf+0OudE/dr2JaV//j3hHALZqWcGQ8VAfFkHOQ9E +cg8pqkrSGA9pzJfVhhAPBEYRAf6kx0o1WXXRFTdVz4+iYu9J8O76I5MfiCCBFhtyORzYsin9AOje +861saNvQN7eIggASyjTfJZRqEoEWj+32faVpzoG3PMmgGrlOqZi0TicRwwdUdpxJag== + + + CL6AH0CpkD3xe8ghh/WKhtH8yUUpT90MxcCCia/E6q47pruxKODvk8P35+YJ7I5H4Ytinq+hsB1A +rjayPizrrMn9TWjFHiXiKE27RfeDEzVkoZWSyCsrVT1GUrwv7keRUPfJ4i44fzmPlfIREMUoqegF +Mjy3N9mUxJVqpaxrhQqYZPyHHy754lzENBXyVqxg5/XVVyqeduCZcGHJUIHiKMXo4DBMLUc1xuWA +VScdiP8UZeAzqPIuJp9B9ugOEygMyx3NYmAaDcIgBGGYDkgQYRVmCkYJeFhTur6nJtQ/d8vLusGt +anZf8CI/t7qKtK1cmXvpGwt2XEOdoSpu3CFiOvJQ6bKkuG+hSJLXhvJjiunqqeC37lDLrNejEIO/ +gNkA0D3Ct+mXAXo3tNnUeh4G5eCmAhWyg5XAxoZJksGeGUHEQBZBkNxg+YogrQfYAVeNPIBhhQN5 +ngoamTIFIDq9WdOajrJYgalTrYNooiJg8IvaSAGgxh3XsI3ns7jAiWg1CTtADXjIfR3dDuf9TdTf +z6i6CXETMAd/gMCOMRmQiQBBHW2/g2zQdAyBoLfSz2MQYlv+dA4cOyOsvNwh8g82NgIro6740Kvr +YOLfwv6tEN+q+xgRIZoR5Zzh0kY7siD09ejq/uzHr9vjbbnNgOWyFYbSsy6HImNhmKI1is77jH9a +ql3OD/FcXSL7RJE/iPqkusNWDQxWL23/oS+DwBm45lH+8rTZ/vj/UlQWd5T0A00o+BX7bH2WrThw +orYdSGhFYbV1uYknkLGhkROELz4ZaZ679UcQ0dcTFgjF87Mbg6u0Z0tKg08m0qDSidZZchq++RBm +uTt5A/PDDD+MKv15dBICOQ94j1pUMvuvOKtQxiTQsFkw6h43FCUoOA2SaCt2a6TVfRo4J2z6vIzv +mtAFqntwoEibLObgMmFEJ90gTJwsgJuflhorV5frm9k/Ffo5j+3Gw4BkknZZu+61Wc47DEMiVcFU +weIra4wrURE17MLSlqWJSEu/z4LuJkm3RcueJ5IaTS1K8ojsAYFViQlxIteM3wlrY4e8kW+ABH9a +3855cM2Yw5RfHsgL7nJBADSqok1uJecVE4siBYum+ZK0DbloFZjZ8Dipjy54iAZkuvjJA225QhyQ +xCry4bI1AgGai+yQpeF3xapjEn4oHKOKGDMMIrUDVRI6M+DPDRWAFjoLES+DgEzOQG55jJakOX13 
+YcotQaGsI+xY4adCmHsG1yUk3YQOjZGLtv+4/HpOetatjbPXvaZ/qI3xrpxzoIZ1P8kQIBkZ0PGZ +/sMhfKswcX6cxvmRAHW2YrAxsCGSPiijb3CfJpJBebZK3RLaVawjA4kL1mnZq9K6tRHt04NRteAp +sA3ZJDqrXeU53i+Lpz7NUDDBvSCeozj6zlJ/5i9/piEHFAFL5J91wZGjDaHO8uLnHQoMSqfFxJc+ +UieWQFc7hosFCEZ37JsiiFOZA1/oe8PYMNUj7YspERtYN01SPT04bgEVisnqLy6rGAN2NMHl2IBd +naQR9oi8laQLCy8mNiks4CCAatR+Ecd2nlNg8DIEwEfxKaAV1pheJIJ7S1/pzySHkhzqkKlGRraR +w8EtPlDnxDdMgtcFm4GaXASaeJlDMe4SQc2f8xltTFdKcVXnOu20hOUNQfPAE1MU5zIDFYeD2X+t +S2tMM06HSLgtyzdEgRMNhyHInmsAvD5PULXX9NiPrK7tzQRjWrZJsaPsA6b78Dxx1b+qNJxWNmvw +WkDn+ntXdP/GiRpqAiKckuhKjkiZzhJAts9vJaORo4dDtsyEZmJiFGSdlvm/e2u3PBnGXktDivJJ +cKXBxU8cq1HdTfN1asoA1j17EUEeUxbHBrNNJYLwFUG99YHGEzZj4qjnlns5zREclsfmxFwhrR8s +b4wcWJ0q+3RqPHQTWApSVisAjpww3o3XTCUnZrPWXrUuP+cH6RzXbcgFu9fxFgiw8TqPNi2LMT9y +tuo9LwLWBmsbQtISHNm4PHDXx3pgSUyyPZijhHtwYzluUfzF/r5zWKmSU3rpmpMlKjfKk3YE9b9b +U6Xxm9Hm9WY9iLmQ2cN4YrAoPeDDCjyb3jnrfh5kNo3yPJ8tpI7RpcjKHI+lHvXL9unD0J5WrMV5 +Aal4wQS4em16SngySdATprihtQWuY+5p+5Q0y8pLbVihGYghRJr+ZzGfl0CEoXSYG0e2XGLdL04X +2w0iHuR9E4mjK2SjOEjkhBw3UvfKypM1927sVCXE4VK2GgfrVrq2F7lw8EPYy8Ntcml5F2Zdsy9R +kZwVMGXLrmn+QOrSDKBqUyBW1NpXVxhaTsQNf8flYVz6ZIJyN2jgmKT7M/aVmluGdr1FoCX3clY2 +DrWTG/8+xpMkzYlY+imQLfCFk2nkDfONjrFeIwf+3QTyYaAFTeJ8MMdVtQ4vLCdsXMRuKnlflp3J +MER2OkwO4J6J0ADyJo5JSwZUe2CzgriBGVR9sV4uI3GexX6ApGja/A8q+HwnxAHtwtwC4PCFgbL9 +0COtzyBEW1HQrcj65pMikr8m5SdxFD5lKLoG7fMLJD08MCxPMEFS3VfMDMMjfGuyDJrOdv84G5Qz +tS7AQBgtgSlA9k8hNshpQfdUJZzWGfG/pWxk46u7BVCevQMvUe8dphXJVQ8dbaU6E9Ewn9glVLTE +QvAw0/p39EzGTszcODJXauHtGUbSZ/6gCuWygXy4t19jszd5S/MshMyj0kZ4uMYc5Xd9DipWrDnV +U6CLYVaBjiZWleUEonfYVPILL7/IY1tfn2UCDZjq/u9XFT6BwvBhECD3ApFZ5nTiuILig8B/BFry +GLBdfD1LLE/Vd/joU0VY0OpefzaGTugRMztnlGJ5NL8sC3lKk19BWr/P9oBZTIOEtIk8vJw2P8sl +vsySEWsZHu+OaH4j1OFDZJbv8AB8CW2lL7Y6qIlOYMRKji5WZq5TDi2WR2liOSg9rrB4G/kMgeO9 +qpMIcQdvlYIXeV9M1mI/PXeBGPq2KewACuPpryd+4QKPPPnq3pgyx7DhaLXUF0Ze4ruyTQxaLRrl +x+JqSp9Hp1jMJdQKkDtgM1+0fK9ovVf+lmdPAQJuY2tZKv3KoGeS1ePry6Ele1SmzqB72x3k6Sth 
+isOQRXIyNtDeVNy7pWoEc1kxJTvxHRq7ppCmtVbBl9RQUJvKRTpjGGRaM2h2nh/dnsqlP79Hltz4 +/Px+qRY6PNX+z08TUVGDfrpf66wkno4/K54ct9r5odRFlH5vP1gMqvR7ovTgwC+h9zxZ4CfjhGaB +X7i/l5dlAwMZe4QX/GTHvIt/wA6YnyjMwg/wy16Imnu0geTpAT+mArDMNwBMpjYCfuM4MVVOBBf8 +pDSJIIJFMMj12f++AspZ0fqSm/6r9fmJAVsIdL/K+obCEHkGPqwvkCiNbzBwWp81LZPvItcBhOtg +Ok3uSJNaVN/gzSjh3pdaVbV1fhsen8oT83/oF09c0xYOLOr3TEq2VPwRLPULciL+2rJFIP22HAwI +0cUUodAf6ScgptQqnX5SCbHL6bek4CtZsrOfB9DPgpTWZcf3cvH1qBZsfq1YFricyDxdON2A2/VC +kLUdwHVD783TT8V882hrTMWtYa+TiJFXgg43gFuwMM3Yu2Hb2+UPDJFKeS7UF422vzI7we4ndja7 +4HpvEx9i1/t5pQVgsGiw+16SJ8q/QbbY/bM/puhld0kLK0SDLD/ZnU2hXBlz2Gcmu59NkaBnnIwv +INn9jAVM+oCYPsfun7t9s1jVxibbdceRjjQoi+4c666y7l6X606ggJJadyOiu8SG66hdFgBf9ztN +YGNPrrtXlAuv++2bpQjPyvRuSVC/0jsnnLGz32nZv4k/ggL1yrff9dhx4cKs1u/iGLNE7Xdp57UI +ryMFkFOMXEBo1vLEO4VycUGuykPHFPpcUogbyrOnUBzcOAyFhhspdGFiTKJbIsoUMgbqPTik8IFG +Q2I4hdTzrZO8GaMohbwRHYMUMiCprklvIjGF/Bo7Eikkp/V7h2AYU1K4FJjF4SosN81KxhxC2U9M +pS4+X1/JcfIYrFyPkFwthhghwzD2WBaSm9NDzpegqlppFubArTvVgiQ9JfQHMZIrAcgYMCgQpjMk +AjIQgndVraXE22aWxsyCeLKCsFG7uKqAsHD8sZtL9A+EhppJIUFYL4Q25EfYBQj/hHBqD31jVQQQ +4Yj1Zvv1744IzSt5tJb/dotQLRel1RVh/DD/QwRxAIkQptfB8RMcz8WHpX6E9sTxokQVCZ0gUE9u +NArtDSaPe9ACji5tg+F542KpkLGcG1EgKGToi+KHs5f20aXC1FEskXp9QnOg1iTmhYeYDSd7YTVG +KlP4kqcBYqd19uAifpTC1l7ZrY/CLfpQYQA9yTNgdhNWq0FWhCa08+oWtgkTzVrEmxDqPGNjNFBU +A1khhi11bU+tonoTJvfmE8eEpdjVSRD5aEJLDVVICWSU9id02g3QKDmh8xZEVQ+Cuu1AN31Fjz0P +BqiL37fLBIVGsw9y7+z/g9a7Dtz/4ODoD7yJZF75QVqncHZz7zTtZEjotnmPc4RlQ4YtB7td7QIy +zPJhKykyxNp6BoQjbvtl2GNEwKo/XWP4ZxmMbg51aumBudwTSfv5IOq4cjVPUqxitMu32cS2Egd6 +rxVxiKro9/S5llZ8hDAocJFdgGnzh8oUrEbqQd92WRaChLR6W3cawrGGZfIipgIJTbzxZV/5h+fP +65CscF9fUAZYxckzm0eC7qfZN1jlKnbbZYnRwNQIig+yKDFrNDuOJWw3SR+LjtdwN+agQYImPNKK +DRTsTI0L10z1zywOxzQKRDCaFVuv5l3QMxzPDJkoGtTYuXPuVg1KKUxo9/m5/xP02QZpNj4818er +NgmcFi/0qXuWburSx+bK3dq63a4bkwV+VBPVB3I+X4I6KcwuTjeENY2EdqfqqPQ9e7NRJunhkGj6 +zojY2GjyI2rXQRnanq4w8/s50GijxHmFJdSjeLrIBlZ5ID+iBXvhCT8ErxQVEempnJag/BStzQbL 
+h7RlBfObg0grvRnbJXDvxQguRURNQOCvalM3CJzj1g/M7RMuBiK8+hazRTB3aeOXbi7YwaUWoOP6 +AdhK/e62/e+7+/katmeSP6Bt0qSRBq5phak9toXLFDLWvbMap8TJXnhErStog7vkMUwuNriLX7b4 +aeQLAvUJcPdMXm8oOYIexTa+Osao7iT2+7EX3+4dCd32/kJk9Qu3z++2oD5ZtEs1PvCwQDgN0s/O +nHeKahdeePd4a0wqQ7Rpcnfyb+ynK39aRwcv7kQGa0V/CXmobFTN7YIakDpF6rOMAmpibUueZ+G5 +ks2Q6P8iUC9gwgynbswNuDdUhNPworOEI/8xz7u36QZoFyL/NF9v5uE6tcH8q7W+nypbMfdzLtId +S1uenKMp+z4E2MYgd8PwBvUQ0TOc1H1+cEsexvvpD0ux3+qk15n3hjUrl0IXbuQH6Q== + + + sh/EGTWvtKFoYzAwbbwjFTRd6c7oXB14LCxjgWdvDjJxnrWhtuaBvM9lT7ysUDsk4JducqEvqADS +V+YvhRWIEg1agHkZ6hvWlB0M1AYh+Mjbmm+4tdDGxAAqaanHA+WnZ+3riTbYcL1i+03AayQ4BVkS +/3uFK9/vuJLA6lU09uzC3v/vRmzgfpp8efGTb3YkTiyxcj1gY+P7PrM+1+NB0AtdFumX19tyBV/O +2bjmavxZy1tz1RTGAoiEpRRKYMkW7AKzXN4R/UI/2SHBwbqmHsxC8Ga7XN1KnL0l/WB5x9xBDVbm +XcEEUnJhsG3/doQEd1YGFp4PYEQVYBmzP/irGuc0HWBvkh5wIA9PHlhXx+9dI8AaAb/vBT7lgB3u +5KXot9JELIn7t9pkEUDiyqWDhMOBOQmutu9/kCR5c24x1gwnSlccdKkhiXbcVVruyRXedtV2vOM2 +dgyv5XvBq3kxZqRjorBln4jOiffg7GJTyJfW4CXKplfB0hQiLW1uC90FdcbjHkFjKPS1IPX7qv8d +vMQ/3vI5mJqb2w/uNnLfukCN2DxpEFZxZ//rHIH7ZBFLetHiyihfAZXt2LuBXfT0iMZosTE+plgF +zDmafs5WPIiwwiYfUoMbD6rGmnsX/6AuO0X9/R2sWK1DE7QXJwNYsa4waTX+H1detsos500iLcuX +dr5OHSW8NlSP2745g6pXN84FfoZHWerwKwGRsqwZTcdTQO06HQ9n0kT0Q0vH2VJW+tOlQba/Mds/ +Q4GyYGMF/l+7sGR8DorUsMwguPoSci3EkWkmuyB5QNeFljDYhwlQdc05BhN37i4FkGvmxeQEfCPj +HE43tVJ+FsYqqOdxSYOGTTqBI+8dwdByw4pmmuJ6/vBj8W9QfaHGDg5KfwR6nPp5cAO+mYBM3eGg +6B3VLFhvaDkcW4ROle1jfoOil2DsoAUcIqgutKjuvmTH+Eunzv1OGn11sPYqZayC1tOaETiCVe6w +cDcQStqPBMTb3PKZ8wXbhw5EvZ4iE0CsAIQyxqPCroq5lRi15h3VNRcGZjEN/eo7A2uAQKhB5PRG +VTBjIPROxh0eFF00PjeoDtjIQWwtUCTHDWrvBtbLtiyvOyjCJezNDUr/HilPJxo9LLicFsfsPTLo +UE9LoLoZcYQXNJvkNFG6/gvo3NIdExiHiaZ+D8groqUPmgFqlxFZnjlIZqF52o6IrySmSt3q09j9 +mQKmYOd7Zpq3k77LZ5uFjlSD/rOv3Fm23lU4D/ukwqM6MAe1I25dJSwJA+agswGeKZOoednQOIrS +wB8Y1+tHSyjtAbDArR4G/lcNsJx/poMEXxdd3O0eJOFZDQaqA3fRF6zkJggJWf3v6YlgID5IZrHv +/AJC4v1BQlkvn7xDDhAS8gbgrxL9DiGJ8nylYZAtPwrvGxOWR0h+G0m1te0VzT1tCyEhyd+dTC0k 
+E6d/5KUFhxaScS94uGFlYzxjWAEkaOV+YdqQDM6elG9IrKfUY00Tgb8h2Z2rnW5I4Cu68S29Nxlc +SObGIWFIFMCMQ4IAw+xBJPFqNP3AciGSlGE2JzWXXEEkh+Kl8axEMpm5cOUukeBzCs4mEqe6ZCcy +WFWpicTN4wpmE4n7tEZ4dSLhAHedhmGwiYTY4wOjfoRUTSRBwss3TiQyaxP2ECFboxOJGcHAbziR +fBg6guqJhOyEJ4EAW/IF0RNrrIQFVPEKM6E1OQsomwecnZ4ub0V2TRbcpgqcB7M+LeYYPgGUJKo5 +5X9sVK6Ynhw0RKGNSgcoABdxGLWsGFjfaBodVlnJtODTGECR1NMicwwXGIlMwpkETzWgw0sY6uzl +pcg4iSyQznVuxg7UvxKjdcc9iz+3FVFoCBCOeoA5gh09ImHmxcQ8nEjjz95cqapxQR29Y0MAivab +9JNa5Clb6ec5ZxLA2EFFu0ov/VydDm4oizSTLd0UpVMd+veI+9kVIxkMb/1tJC/JmCankSv3M+GP +/Uny9DN3WZSfK6YgtHvAD36C/3EXJ96K4nLaCQhU2/KT5iRiSTnJMIvL4LSZaJvcRAohhGBT7z7q +ULN9wCOEZuQDXYCZXcuRF8hE8I8GxbQGwRNx2IAJKNtLcCYxq0usRZ1DPd20gHoUEWa5+Q1BM3ji +bz8bKwZZunNKtFXSNBEyyp9q1iYqZT1Io3y6Up4IXDh+6ktcpeVPTJG/IIJHKIDg/zR/Omx33seg +1vwZvrdfsi23xiIXVD5UDSl20fMV/nnnY9IV/wzDnOG9O4l9/FMtbqxgkZe1jqKlzejP9exP4/dT ++6cQK6dT+i+ULnZiWZCk3lqKvW0kItpVcOWJyKPeA+/v0yj4RQVAS222JXYm9fIfRHoJwl5GVa9n +xWAN/2DjTlikfzKyg/T5adNMVJPGISMvnTZ5E+FUcfNpsu8BaSwXIjkbBy94dV3b36d+1pntMx+M +RU2V8kAv3fE1yTJLTNo+X50R49PeiDRJCtmiMlyPyL2Vf7QYHFUuDWDit6DOPVAv7cZQtz6nPYSU +paU+nOeFwmvzPj/JJHrBKGCe6dlTyl0XJngPgLUHMtWYsKlL46Z9Lm4mZP1pJ61ffYL/TUarzy5T +dDBe5clCoTA0dikFXn26J9g+LUOcSxv6Loo+8/yeigd3tM/lYmR6nzAl0sOa8dOhvcZPPSvzep8q +NzLA2FPYAwWGolNmEZwvxb8EBub7NvYJMHSOA0Bovg8jGCyg1dMH4MSZhQ1oVQVK9wdreQfre6mR +Pd6O43HzU/uSX6P3Qp+9SS5vS6oAX2E+N3L7UF/XXB6fcWza7tqJx+fql8+KsawkOZPV+BPgjJhw +o8pN18JXWNgUormhPs3D1Vr2mQ9ALINIspaFDBVE82l3d5B9H/16wnjuU9Lbm9LN58Z+eem7sE3K +agBm91E+G150kT6ddKjwh8G6XNSvt/k8Wz02Jdx1SJ8XUI5Fps7BzfY6rei0L/IZycq6YbTPB0Ng +oea+a7r51IbRuud8wrlVq/RZqCkRp6msnZibT6pMqZh8xrCRtdISgpi7B2bPnPVvoqYqKTEFyecv +tHAmn2RJlBiXkixcDaQimG8UKD7PdsHM+EYy4U29ktnDufEVcv4S3tKNce+6PxF8WhI9bwvzGruv +UxEpAbeqEHDT5U1UDgs+F8gwBtNIo1uxEpVY5vEqw6jvQ/1zp+iWppo5SgWfFK0whEmJYV9jYd2F +UHxK5QZRmRRVxl8CcU2BT8CaMin/kgLvSdiFQoaQ2HNq+6d9MWm3Z4w1pZN32h+S/oEadW0YkX57 +Si4ClJUA1nBPK+gOniK34uxpcDNcVpHj3YARRenUkdfzaUxt17PllnhwRGbgS8E9e922o/6axy9u 
+fb896SuYeleiBnfaYcA9Y3WKRj0YvLgnHgfxJXSv3j7ReIj2RFNS9lpAYkCN2fOfLm7ZUxsgt4tN +gkUaAAjKavCjBJidtsqe3QuotDKKab49EeHRhoMVrCIdnMT/W366PVkQNFl/3j40fJzpfYOSxmo6 +ayHEt9V2Rk1FttXPcVVw6Zm9sCuGStj2RPR2Yd49dZdws7dn6xbfyNVAgvfE6HhuiO94v3vK0i8Y +bfckr0YB9jQ+bSxD1D0dYbLAQvdkYoOdFioSqeLb2mooOeieDFjxv0eHd5mlmmPWnsxqBuvz7NSO +I7AlUBn4Qjm0Pa8f3fZWlq8fylxeMxEfULiuUkj/lJHGQJdQWbyHr/89qyummd9zs0UBqtk0Ow4Z +t4f14aKLuaAEzX7dE9E5TLcDvu5JRoHNsqkt79R4ZeJVXDg6vYGlPBiMDJeWKKMzX5XQ7Suxtbft +WXO3tmMpIUXERn+isqr2cOdtxkZYUkYaybtX4izZE462Z1STPV8DeHNYOcfp6yCH2R01kJm4+6Q+ +Q0q82HruZX7VNNelpZ6FFy3JMKgxeQK11GrLoVpR6gm1jxoYr3btaz1Z4BsvRbWezgbJmyTsiFBo +g1S7wg0PY8WAK956+rPKnThvPZ8Ox8VySFLRg4xtZ85TsQBb44cPam/okK1YAmN4tZ7dlwh8s4Go +Z4miJ6Q0Ie3nIweEIT/7P/uySVU7JhJu0pcpo/XclIiYNrEEGzkPMK5PUVFnnbnbgjwstp5EvvLL +SeLPrh1ysDEr4Sqx2rWNM/ZDsVxTIc2K3fcDvHmKj7QyGuLGz4LmwwQ4e+gTx9UUjFim5IGRVPZr +GYCNCOzDVG0dOa6g9KQtg1Lka7nSftNXcUrq+AD6hwlwrLBiFXwZBP+MW91tCoCe7YwCWRXRQWT4 +vZyDHuG0e7QOpuypQc+JzNJTKPSctSp1bZ4BB07i+CMPOY5CT2f7LKTbhZ6qP9ZKtQIbNoRmCuep +atBTPViH5h+ubQ0NejYwN3ZasFJLR09XyeI8W+BlyWIfoHs/ZoanEGoHMgf0CsKa42VLgF3EBz2v +QjwygZhkyt96SOESeioGKuGH0NNWRooj9OSp77iU4NX4ff1bVgSPHk61WDqA3Aw9a1pac6LdJiav +KNDh1qnp1/EnerI3i69URfSsWkJtrTuyp4znBJUbOsDR1avroZmY+gBJh2x6Msz52/L0oe2Pg8Gd +J7SD87SdZ3w08eG/88xb+aCGPGf3JUB2nA7EOGcs9kXk1ZsfXHmAwjwX9IJsOxBMEObZEX6pn5tP +wzy7MSKBfPIU4y83pi0xTwmYrUaLB14eXSaZFD1NoKiP58vgNMZXvh5MKmElJVHGBc8ghXRVUlVn +RE0gImBAed2E3sTkkw7IYyhJX/oSd2cA5vmHkbhAXX8PWUo48bQzh7Hd9I+Jh2h1xUfXlAmDnXIQ +lts5/hZd/nnjqWTRaI2UqwojZ4w6ogxrjKBkKk06Sx1JrriYPRZ9IRYjEdSS6PQ0jwbQKXvhhGqJ +h57xsSNeBYYtD5EyYqn1wwh9YvYA/ToConKeJB/2leFFNZjjQoK4yPlIiYEcp1A4hDGEj5KDOpiY +WLCMwc8DcBVOUssPrHdo42vE1t0nkK3Gd2XAFld7od7suvQqvNnNlCdILV0wjJWp4TZ6IjZs3NyH +UgHfppCBgnN8iX851ffAJI/ya08DD/3Npj78eZFs6oOdlNjUhDbnv6YekHlVPH3h8tua+jslSe80 +WSVNcae1QaZUU0NyPISdPgMj+GlqQqGY0rNp1viD0tK0xBbU+pyZG2gbTXNUwJyWs+X4ECK57TkX +/DOBxJp0VBzOZByXhusZ7YkQXPdGnW0m2IokFWRgIs3UuBy/ZCYGHAuxtjVWo+6+PNrAAsmWbLbV 
+BX3Atpsc3iYT8Auk7moI+jyXyNST0DZ5Go2vAFca+S8GnNEsZRszY6ILit7F1DHn/ZQ5G3dEeGtm +PflhLmZRtqoFW9a5mMyGiQyPAiYZLbESKJo6QryxT4ppebHh+7iWShoQBNgAoh5/KfNqkkljVVSo +uo6Xfad43Zo+BoyGq+T+JaE5eqldSy1Gl3RifMEpwlPR9nmnl6nEi01eXKJxbnPnrg== + + + swmHxjNcL3x1+TK/VENDl+DfMKfPMJdg/7eoxG75COIyf6s++4KadRlv+FtqL6ekt1tCU5iA/LAt +z9W0cE8raxRJHelc9HOitdwyhHUmpNLe3Obk3Iy01KHwfJXRbXXCz7L9jBLKyGaJMl9Et67z07JU +zXY1popUUzHLhguVvrEkz87SCBVoi26+DeMeYZlVumN+qX+lTzfsldt2pT7SoeeaTq5s5qAL28rc +A4RbkiI4qBih35YEUG07KSXc6p5Gu5OObmtXC0nWfRfnROmPboP1zGkjVb635ySptKmcrqSygnp3 +BkBUKhceV70KJ1Jq8UtfLsLADFvSH8bSHNuUoCICPzBTVmNFr7iUo71rH87uu3ZKuXce8X9J+etV +EyektH5SS+rtzEYspFxZI5jNL0RfN+LElNnRuEqRuFBWup8oj8WBGHCLJAjcsFBWrC3pyh6XzhqU +vZhvIo0tUS2btRdmD+UQjQRsGLqHB/UECjWZTOsqPBklrFZUCEpO3RDYyedTpXgeAyoDQBdS39Ho +9yaJI95gz7gPXZJVl0/PiKQpHm9OrEmJ5mPbxdFkFw2WwjxrJsnu1tRdZDIbMTlITZDNhHZuYZI9 +PEu4GS72aQ+/pLCiSw7vVJWEtpY81nZ4xZKuR3HOSlbyW85YHkAl/9E2DilZbSqZjSTSyODwSaYJ +md/Jatz3wmT0NU3VxkC/KSNJt+YzfKOFJbbfSEp/Mrthy7yBzfXnPX465q0sg7RrIfmCDEnvKZx/ +GkbCAsjLLp51EoLxAuR4kkdKoSSt3GUo45k80v86+RSWW9heDEbkz2QqMnLluTGjYG3j2/5Ud6xJ +YWn27U9PoEzZ2vUln9rbn13B0tDQldT2J7co4GrQ2p92qdN0f2L5xrHvnzfnxOgFIYjXAKuG+6dU +5r9A7k+tGYi7fwYfBEWNu3D/BCS9rWcqQ8QBBTrfk2wbgCuowAEEw+Xl7Ntke+m5JKWUKSUJcDgi +N24EygauBuIGVZ9I5SoR467SrOq9NOP2Sfe6FFJhjbiLO0G66UTcxZ0o7uLWxV3cmnCDpkMxpTpU +DWr8804WEp0Jmhj56ZVNTGnqTaNacef9bVD3zbiPS5a7YVkk1WimfLTniSi9CCN8GcAFAPS+yvH7 +l0Xk31NJ4bt08EOPK++/5A+/HJkbzZ1DizP+cEvXjDFHfA71Y1LP4tSl3AfdoSz6IY50WnyLcr6I +LyI9MRKWl7P4VoMcsz6IQbqIjKrzRAyaj+jwPNl4VU2RN2udiJciEbeVvwQRW/RfRtosRJRijl6o +WJ4Xq4Kuek/he0ovG86Vikpx+J0dXXSJRG49iXWJKzOieExDim9RimfxRRajr5JkPQU5arVbT+LW +k0iyrCdxPYkcYl/DIKfvkN9QwjNaTF8hw0LSl9GpmSixI6bKlT9l/ONYdWTVC39KyqOoH1MohNKP +kGrqq/2GZC/klZkS0q5hDn+JWYK6eTGo/USjzJ6mDxiDcyJyyjMqlrJ8sOKSmIclyEvUUsXu4cZ2 +SkNcrU/IROk41RV3r6vVxsfRUMTG8VnZxktCqFNU4jhRyY/2IhS3TmGhaMznuq9J7UzVFJ+pHy8p +bb9LspVSspYcCRuLkUuISL09pNNvKioe2ucit0+6faKL7ZRWT499qCXKY187QolYJxHdNm10t1uy 
+ei9NKegpxRCnJhViiZa6zz1/8k7t7ZBvr0ucx0nKeKtmfKqfImo8qhJRdhWnUncnjbdKf6quRuMj +FTfOKs07f7mKtiI89RuPKs34VKtiW3wvuT15M/VyKmLlTTEf0ahLK/owH9HNvLQTfs6OMsKPUPjT +nhCraD6h9hy6pyEJxevj84Uc0wqRJ2rBJifGns+vcfoNJUylhO+hTCflVuLwpfSIpJDhd/ZKjxfz +5YTvckUPSZ8o1jbK0syPMkoJM7+xlX5LRkOmn1DOF9HmLZTokBcq+YlONIJan+iwXLun3Ykl2+5s +I2gxO9vurInttJ3w0D7s0GqabWP/+rX2ifT6u6mW1l52qL6+YRLHsqY8w1P6Qmop9//NVyM6ZWry +jWVRE4uc1prHMRSqiXC1V8xJxbV5wi+EPktIxSaPT/pJv34PTmRcP1KIfPyqNlxFapMa5ROjzYR8 +ZOIHyVWQQQvH0vKGhIsTyw6y7CBHnx/L1J/5cEsHDVc9mUTSB7H3sH0Vg76jvQwp2nt4mjPZh/k+ +zJcLcIACGBCAAyggAQgwAAEMNEAAE0FIF0NhkaHOJ9p4tTJSjzBfJSFe0zXemomxHhgeBez4ftkm +CuQlLIMHh3uFv5q96pqM7auDmWiwBFRFIcslwV4JOWh1EeJdskAHjXkjwzqgakemVnaEvATb4S3k +POJQQTqt16HKmD0UmU3DYKZFr4dUU3/YsdQV+b5xOUJhr6emURJkoTGlJMxBM7SDtjY0ppw+AFQo +I8FWi09NThviSlnRjFbEYrChBc1KqMYXFwmNViR0D0nofpjsQ1MeXYg6yxl0SDZOEgZiUkNWFUSz +JyJLbREqClHRItTlSYU65BKWEG2IXFUPGKW9UL1Jr9iqSsL0IC9q6kFRLVPVmRRISclpPnIJlaQr +Cn9QIT+damhBTnbIacg3AxFV+MtERUWxolVVt6oxSzSaIGNNRXdA9N0OE3OU/LJhEU1UrSGqoqIQ +1ZGggGgiQTUWkVPVWw0V1TyEfNJEiNHARLcsRvpiZqrHBGV0plQ6UpZKUarigikgfeoUcPYoJOxB +vSoiBWf0memHJtOIYE35pDCGcTM144YLuWiIMxnXLBqeaE5+xZKJhiZTfolGpg0hYikkoVlMhkgY +2nlUDuEM0UYxo4qKmVBBMUQjZRniY4hIaMZC3VDdRtGMJtQ4qRoyp9DDqc7sQquqMceascMP0mj0 +z2vF09WxjC3v4wsqiutirCgTnYrIM50qfyKmvGRV1IlJZtSSRU5BK1n+oQtpaS2nCJJOfDeWx6Ii +qjqxRJEsXm3lFioJBlXlNT5FnJ9gLxMiuuYncYmnKmVyyPJT1F1vJ+VZPfTT2wqTffq51YNmakSE +Ni9O5Zd6fKZT0xQfVGNWPhVV/lykND+JUenIPObyNj7VZ8M3vKTWkem8Ptlx0XMNb3YmcF80Y2aq +uhpUrypcnddhv/PaPm2q87p+kv0XXwr02C5lNbuv8TWtiNKcUcue/Jz2bMmlchFT4xSk16gR9ytT +MXm5Y8d6xmba79mLw8l4Qp0jloXk4+uvjKcyUeYrxl3lnN5ZI5RXZHOKRPSVzU2iO++FVt5YHqSS +ICcxnkS878SIjAzKxGyNtyQMEmFUSXxWfP1qeYlK6GlQEI3se0MOHJKGmqBCzf2hUOOZUCNjoKFN +eOkhc6IVBRoqRYTNudD5Qyd4FjydMNNgEdLoNB+2TdjFToJkpPXgyhPekeqKcHjXMWoik4WYVb3K +JGJzZlA8lzYyWyVYMbx8OFqDUrIIlMXULMqXm95K0vBhHViBNcM3hkaojN4D64GbEIyIYCyUgQIE +DgxrWJUwrMMwDBmGXRiG4cIwFIXBQYJ0KE+gNlAlUCdQAxnI80AHEUbCDDGMaj4QBSo/0HtHqIc6 
+xw0ichhKJPIEWWSMclE7c0k56susjOt2z4oRF1VsH6dFP8Sa0yNGUH4xRTRhV5luxqK4pyvySzE1 +XSdaDNrER6XLzEgrZuKfjgyJKeYgiXNOMuIoYUeIj8uQtMizkW7fhjNdeqGRWad2s4H0khNOzXpe +a29bDfHMe8SIyEwZK03fTgtaS6J1p/Xr5ozNSu9uzFssrvRVRqVo/TI+1pV7dHZXWGbG13Qs6hr8 +rH/31mIx6QOyhkY05J3a4XBuRWIdie/BUjS+B8v5X3uwpH2qwih6VlM32pOrOGpnX0sri2nFzlUy +sZV9bm0V0u/vLaWUU5npTCk+05fiM52HpqHHa+1Od2i6z6W2ugcRyVMN16/qAziLujVPMY0cdohT +JO1pOFrUXNid+GWyDrJrlGLldH9ayKGa5HxVkxQLac5ErBnl0Pwo5Y3VJSIzP0bG8aq3Waz1JCwu +ih+tj7l4Tk5PoYumPryZ+MJRuVWZVygz/YQkksx45uGpsL+wfEZpfRAnItIHuRL5x56T+jLJW9yK +Gfqc8kb61Zx6MYu8oD+TRBViGmmaamiie445z0h2jRT6wZLU5khd0hPTWG8cP8iWb1SisZFKpTyj +xTO6T2r8o7US1dl5L7Yks0v0Q6Q9TtOReKkT73SMjkMmnDE5oulMR2hCaFwKEVY/j5P0k1a8ph1u +l9GHHqmXOofK12Um/okRTdfwyjvKKfN00ifT55S7gtEPcf1qhqwtWSPiKclWl0w2L7i+qtGbeJ6I +4a9ljYaK0iBSRd1VFT9mUFjxToNV0xMpSmLuxa+iKzjeqnSJ5hI0UawyE+lVU1vCr8/dZvqE59Wx +g2O/VM89j5nD6jzm6dzS+WteYc5jlofIbH8UNRsoQOBAPf7Py4j7Df7Cv6LD//UW+S2+l4hYi1c1 +4n3jUQ2yOURxmT7qtN3isO21Sg5xzMQ9kcLeq51fLZnErTEtatHIkKVfpOn1ZcEyOt14YWfjuUpH +OH7rJrgTW+fIS9yd7ojaksi2fdKOxGEzStV4VCueTDyoNHU/QQ1xTUglXvXbwvpQWbN4UUfoZHm1 +MxSXaTHqvUjLFK+UZIjijE5s009aMf1cr5R8SslwVMeLKlRTOwuhrmqZKTFhy8Q/lbhQF1VZVUbL +zLipp5WrhCPbQzq3O+3cMkeh3M6GLuXbIadmQ5dFOZ2svezsZ0dKpi5LGa1DXsTXSDbuK8pXVKKu +9OMfrZWU0r9K43F2ojyt933SISYRt6Z9WNnbjuIVjrS1uOylpbK705UqGndyZdzJ3aedBLkWktge +HTc72xZP0UCojM48KUTM00kuKp5jbMiT3NBmNjxPiaItOx9FjpSU3hesozohzd9iiXTiafi2RsIk +yZ1Exa9I4kP6EZa7CUkv+JnJH8cYnFYp3h4VqV2krVUcHFWjyjxFWYKx8iVYliBrs7IEGVEOVrBc +FJEa+XhDFOFGQTvI2SzPHjmcffFsyqQ9imcMkmi/f+m+hiW6r+H0I7eEErS/+RErjd+/yzfM6TBK +/KF+hBNSLyOxv11V6sukCZk0b0NDXJFQP/MIZEeRTGb6EFLFR9qG9CQkEZHUNFE/ZjtylkiQqXUN +PSRJWkjmYkP8FGsc/yLN06nq2YNI4SXKFXY510uy53J8kxNyw9OI2JzxlIvHKU49ksaxP2OJY44O +tmOHyxglPD7Hucqi9CN03+EseBq375C00tSVmfsR1l1ETHsOZ5O277BRlsZ9CTsJkfYdVj/DGp2o +xBNxiop4KXIkq+hLDGFpqFyhaWj6WX20SIZb9EIs4n6eiBTyohRpkBdTzCErrExoLB+TkSXoN2Sh +yKoKURBlalJb9jmTZ5xZWriRc2B5ltznUqWkKmgqr2VHrbxTS3LvhuV0sqpTpYmTSw== + + + 
I0qwKP5Mlbippt6rO6Jutk/3Hi3tTv9aVFWc06J1JqfS6HTrtBSfKdGc+KjxU4UdL8SfpqU6/2As +vneqfKuNr9qPqStVUE181VUZr2olXFw83ldJkTI+1RqHG2dVaDYkLlShKOMOlW1cVVaTamTR6iWb +DZlT/DYl96wzkYqhkAyJVMxizUqCLpXWIsyNW3ut/n3ijc4ZijFtRhJraURb+JC87viOhpt120fO +MEQhiH4gBhLTq0JJRWh8STBhIgeZ6YTOO65Aq/qIW5FIMTSCX0MhHqRedgNvoACBA1yr5Qotqarg +ep2vQJqY4j9EU4FMrQROWC7hIuGyCpcLTRSRERIqKQm2JzLTkYzMZoVHRjzPHZ1ieJyVkDYlFFmF +RpXTdMKPTC25iPxNkFHhjFkT/oURnrhf39SOLr6GfLx61B85Sckci1BXXfSzmtWmKMFipYJkj/E+ +l06C5sGZTEEjElb84ZxHQgyTYjM0ecERUkSUT/GV2IWqZXbnaUgVm1XQQ9Og0e416KxoPfHDmz2T +Ul4xaeox/KLpQyguzhKlFNE8TCSk9DGKhNQkrmd7CkcLwxThVGn2EnSQa3YWR8hE1EdJe5A0Ng2x +Ti+WeFVeiBfkiSyqtUkZ+YogY+MXcUwM+deZBLKvw1gnb1DJwrWDNmyMy+AazRES4ZC5VDxhE2qI +qvaij7bhuGznwbF9Z3cuHnkv0sYzIqfQRFi2G67RwyIxl4Ujl3bN9zgdGXzNIPeK7RKvzKL5Eg+S +3weDfAlSgjjjl1gfNtj6vln6mblUQuWXwd/BFrkWqxFNJtS3ikV5Fxm/Gy+PISeeWyLGj47Dk4L+ +WR+DpfJr9kemoYLS8YuoL2NQSZ6N8cQ4hCqXWk2XsXykwbSoiwTTIiYiRl6S0Kqkq5nJQex42UxV +38Yx38jiEjizo1h9zZ7EnNJRlTjqhJ5584LVcR2PzCyEcfZj2keKnAllzo3o+0TEns9sJVnhsriU +hNSsZiZ5a0ZSMwqtlppC1ChquWv2SqyHqJk2Wslmb5yULZ7PbogizayTiG6CGqKrOYVba27huCql +NQ/holif0zyPbqPTx5az5xUSNaPNSo+JEcWYHrPLjp8vh5ov9Z/QVpXDWBVmJIoI5XlTQrVKEXw1 +xhWmq0uSAzEobCHoCpWpPFQsMgwWBotUbCmFqdV8saLbFFyMc9hLCSzaRgwkYjGUwpCsxapaYEVJ ++eFUmhBFoUX1ogZCDSuqcBo7MkFBhFSBakZaq3BocxrRWRRyNF50QmTqKxULpE8WaGYmeMamBI+D +hxJIXj3CmB4P4mIQi78g7kNdXbgrHoaqKszlEua/hPn5Mbz2CvKbiiTh9fkf1NVI03bxiVgtojQx +0uyj5pGDhB/TI2Lk347p4jlE7DNduFImKD7NhmKkC+cQm7SkTbZ5cr4UoaZhEzYznmogKodVKCIF +GQcZTlE5yEyQCTIjl2KFoclrGgV1qkQNbg+SS5C8to3I0CxFi8bH12W+mn9e1snxQBEkOe+PLFFw +TUiiOGFXOKf64TV5fWMz5KYJB0l4KGqi11OJkJPjQb4ir8QhL9q/od4PLnpGyVNHduqUo43MRNMo +9seYsYasoaznTPCyjjx6rI5UmnWn/Bh2NeqjFor4MmqQcVVBCmpHlKgI8U1Rt1+hsCVj56aR8yIV ++VJsmOD8RbFy5VKzRIScFgxi3A5F85wYivYLQ0LkLJqIdCNfaUUconBEuiLpRkaj5NfMZkguV+0x ++0K+g0KtEFpFRy60aY3M8vmk/TR7fqwOKZkLZ0E6V80MwCM6GShA4ADNhA5NUJjxBIWZCTMOMwuc +Sgw1KGrBFeJvSY9NvZ9zHEWCtm4rGj1c05qIbNsWZh3HOG6gT+jpWxvMTUXE/FFbR/Zyl9rGEvLp 
+s0bILLSjal3oULEgmk1eqWQ1dxdTs4maT4XDcI+abzgGy6uZiNrLdE0w92CQdjXD1j1HoI2lTy0i +/CWfxEok3aimjFGthKJSMumt2DDc0mmCRLg0unSlR82lU2IufRJrTd9ik4eIBb0+Q9OET02RpKPw +mdM+wZ/fa5CHdEHuDj2ng9wVZYjYHjMDBQg8IDgk90SrDdIpLROm6zDm+zyZV0cPx3nJh/tFGymN +tNSiX6XWhrxElKl5iJMQvzQK0bgSRRTCouuecUJCjD/NEIn/BBnFVUYEr2pCjC6HBu0OzaUTpF+X +8hssR/kVrCg/JDjdhrPgZnYvJ/lmJiciTxBpnauTLIgiL+1mSSiieOpT+bQ+11gLUvtX+aRG7iIi +YiJfK3fNBNdjZKbISZPwSCBZHjX/XyufIGMcU74iuw9e5DTlYBqN6hNMs4SVnKYU4iO/SCpMcIo0 +9vcxNhISETTTiiN8xoRIFULsSxRfPBNonER1xK/XgoxCEYnaRcS5ISg/H2bdGaVWmtqnKsNH1p+J +g8mu9AlDysjMhGh1j3amtSvOPNpRMMrFiJOGbHSJBXln9CTwdkjoQyJejbSzaO01XC35IkmTwwmT +NPdv881ao0mNMQ46yijPpsjChsegqlpQ1boFO1G6u4+LwXl0NpKP4GItduQN+mOkm04raNKKVgSn +fcOzGm8yHrUrmTyP2l7orLGCVa6oxqt+SbNCMmR8o8m+TVGmilJTJTVFqZDi1MhUESsa9CFrnS9o +nmv5iDhFVGszU4u4F1K/LAeljUnjFVovwZIoRskSs8oV2+2RDYv4nSnTQ8jBCm2EZNGpjIJDcgXF +M5IUl1Tz4nK1uaFwT93I5YR3rR96NaGSyT7arMhQJIRoPmHN22VjF2DckhXEcjj1xaKI+g9Zn1Iw ++FZHSBTsOqkfwfMb61FdIyul2r4yar6Pv+erdbSa2aU6+1wjGyQ50kROtEbYs/LiiiWitR66H0pl +GMQ1iLSew7U1axCDVnaG31aTyLkYRMrZsZ0RSocVlYpSK1rRaUhFS6wohfq1C39G8axhKleM6C2s +IrmzJUEiRZ5GykRfneKC7Cdk5z2p7YlSpLkQEjHau0j35itjhBIsG40hZRR0soITHZ1FdJGs4hTx +Q5JRztdJ1BmeMSx/GcZZLsqV1lq5td48Xsej1ru0HHnnSivrBmUdixwckoNeg1g1r6IcPN+OlSDS +/DlVSoNCIomLziJajUdNvTsXa4hDIlIiFR75RaQ44431jCNl10i7tIShVsUjIlRZ66vMeIqn3cjF +SPZ7kp7MqVKiwncpsrosX25OE9wtnmeizBBRvGj+EB3ioVvNUbJc8+LGcJiyVaUZQjgNFE53y1iC +Io1gkNElUtrisJRUxODJMWRk6VER3KLkOE7WehBNM0GUTjAcxaCpGZrxOJvN47NO7agiWJZgf8fY +b+YrutiRfZ544niie9IiwZmkKH20/mGpkY2i0IYdt4/i8Vqh2sr9Vq47wgnFwxHHiXDy4uyOLF5l +/EwyyzptsPM6FZtORU2pYtNvKhEckiVSkYZF70RFak/FxYrhc0gjcTxVIWv14TjUiKLNq4X0XCR9 +/lcj05E4TU1qjnLCroa82mg9tcGhvaakMTGdCGrJQY4XKzMOIemScRC1KmpaEvSJmvZlTJVKfdCt +aMzSXaRSMUpplU6kJaW4qX2MEPUR1UdJY7EHTcWmno6CpjPxKQ2FTEkeJD1Vbbh953Q4cYmzVzlX +Mra01nWWcBhBQp8TNNJq1UoaSbs9o0kt2HGZpkVa3kKfcxRXfIlDGR+1pbXaTDFTqdS0csFGkCM1 +smu9Wp122mmcsEUTlmgnJaLMaHcGOdGP1o1lNP7Ryi/6qFyC+whtMm3AhdtJJ5tubleXZzJt2HN2 
+pUE7TbnSRlK4LE/3dMmolFKWc0dPtkxYCha/MjFiZWmHsnqdkvLaastryMrWcJyJ3kTiWDy5ftyP +OLTEBE1Q25jriEUWhXJGK5QzKhzKyTq4CuVkRE3kDDnRcqlcVCZI4TCGGBWacWu2ucmKriSietMe +OkrimEjmICq6r1PJeTqznFnWrefHkFQQzfgsTQ/zRenjLbMLT6scHBk3KqVqLXu85b+lqBSsyJBS +NRJi0TMhUm2q1KJMcS7KlBSnw+m44LTCIzrHoF8MCglnCyEJJGvMoMmy7HGiSlLMg0maTV2TFSmZ +S0r9IYdTjtJBDkKiENOieJP+1vwjJsvKT+6HTqWJQR2WRFxa44u7zstvjX1ROZOoipBvG701yAm5 +fJMoWlCcEcHlZI1byaRY9Dhk0TGXqgkiTV32R6Exvpl2pvE3itBRFKLDZ1XRGOLP1C9pLXwS+txU +oykpQ5wYk2Z6lESgR8Ciim/kq6ER1Qy9QZsXZTOdotb8mtpLFimRiwy/0YR8gkivYzf2GCvpvutW +mldf/G/Wl7O1C3Plxi037sZlTEutYo3IoKxU+sRIeEHOKTVVwzmFFJasy0ZppaOP4mRmZzdtO9PZ +SiKplUSOb9Tvo+z7GjGdiGsvl+L4aPXa6RBN2BKtNI32n3YpWbHm8ZVSdGK2c1RNFl1lueiil5lZ +9GVE36oLA0dytmZitIc3oG/HbaAAgQOhxlJhtc8vVBSBThbaDGnqEn8iOEeuW87VvghGpXV/hiTU +4wuSIa11UVUT2PlJNUQamjVKT+6JcJOTn7wzGQptIyufWtWYOnSqOUHebRZjLqamWermIzGPeoYq +u4eCEJF6/rJP59RPqDf/6/g2LyEKIeuEmAyF81BXn4aQHrGNPm/lVAXPccUsaDM6UW3cf0TWbMJC +qypZdVSninaOhbzHkme1qRFjE/Umsn2qMtV5nJR1bWRzBrWhqFTyCMWTGDoCAADDEtDAIAwGA4Ih +IcHoaH0UgA7rciiaieFwUAZmoiSEigkAEhKAHAAACGxS1qMXfPAMALfnWVojcQZASXVZPILW7UTo +n29Jmu71Ib6ABkBou4+oHjYONACEmi/HvkIUUb1sW7GTRcigJBhLNRsozfWtOAMw90Qxk8CHjfhh +ogPxXtEAUCEJvGyjBBoAFaIH7VYDkHlff8I5CPwws8WegQ3x8dMA3OT3aVwff4FlGDvaAkbgop3Q +RXQh8jzSAFBtxW8rkPUkYBVXKcFw1w+scQMlYtYEGEoDsJpdVoRw/3GvGgA6DXEvXex1cwNO1JX3 +4xKvQIzRVAVeYtBXHHcRmJEmCTZqANy6LQDUJ/KBmDvDpHGOQrC6P7CxG5e5EjidtkndEOjHGs+S +fd6Aww/333QiATDWWjTjCnhHVtXv44fZ4UsDPI72N+vy0NQAIJysqRziy4+9QRBHf2oAMMwZse9t +XXtkmapzVhoAw7psCc40ABLkZgayBdPGWSTaSAPwp0q+uAVQWSIoYQPQraHoJS0cunGqsCedMpkB +AiFqCTehZPVcik2lAaDl76cEpQHAtYOuVf9NN+Xm+pA8myvaGzB9OMHeZddHAKiMdfgynGbq1gAE +UHcBSWHb1b30GgAXymi4+roNc64Pi9EDTNtNHamQswFAQ3zCVVePkCcbgLFGIfhtQA== + + + CUvtQuOm/O1JtoaWHbaDUhMbgDN+kerkClxosgHwSABk4IrQZuVTCX5SlDHdACCPb9vsSTEdcAOA +bNSaP1MqXUnjMRY7KeyPJY82AL8krgzGP7lMK9Ot7Ys2k7gK3zYAot4MWyUxoTMGcrIicmMSbwNw +pnUKWQGYNVz3QjsQmZ34m/4+x+mclQFQROSEllG0dsEF4NxbAGZorv6kU6IUSLc0KQVAiWpu5dYR 
+GuY5CYAqsUMCIGoueuQ5EbC7LFGAXPwBcFAM2aCZyUBm2ACQGxal9bbq1gLAYUKPfpO6Qwz4mNZJ +JQHgRxogwKsRfDi4AeBZWtcqbVErdV0CgES8vbaV9/CglADg5KbHF0yEQ9ECAMDChQ8B73Op+/+p +yV8fRutdhLv/D/7/eoXVzbzyf67lKt3bmrWDvXqHxaCC33D7H4CzSQ0WX3il/+HNYbL131GT/4uH +pR54ZqkG/P8Qhsd6wwjwUt7+E03fss9UM0RJXP8rMQkaaLnWN07R0v+gvkl5/pUJTjKoU4CoyCkR +Sv+ROorkvpaiUpnfkMaoyScXXfmkZXgq/X8/PEo/5Wrp1s/5XwRwM/m/irJQ8f8bEkMeJLY8H4zA +fxCQv6gqRY42vH9X50jGtEsysyDZcMplzdSKfM3+TaDS2vAtZEcnR9c/orUFOrAwuP5HMCh267+Q +vX+Ub2H6Sv1LuHegrKkfnfpP+s/9oO59l6idctr41oL+f01mQSKg/+/Btf/8M92Isa7+bCpBQGKl +V/4jjDcO7IUyd/+SAJ7GS67Af2m2YqpI/K/ie7iy0Cb8V3UH6tqLuwBA5yAc/ibFc01v5cW/958R +G4Pe/jOKBt9wu38adu/kijN0Wdbk/idxenNyKi7bbf81BNanG/+48FrS/ug3SegNjUIn+6dEISna +gf1v3D9F2+jnVM1b/0PPdd3HLoWnkrX1RyHLlrwL91gltPoDA1Ow+iuRC171/4lIQkzV/9oJ5hoT +AfhsJzRKjdwJ2Bgipr/vVO4KI+5H/1Mg8ob+LyuJff7TwhqfbZT57Zno/PGjps4a3TVd15p/B/IY +/HuwKqw8AJ/5F7A21CrK8q+L3wbhjAWeMZR/gpeJEvWxEu/ylEX4e44n8KyykBN8/JdpTI//B1CL +CdMg3MlDHZBE46+XjOi6KcKv+K+tLxwqbSvRJOLfqagj/H6I+YGbrwx/XxEy162aCeG/YqrmCSZr +rAN/ZfAgt+hdedCsBP/9VdwUJ9I4Gez7i1jfH4JvN3CdXPlw9v7HX9bCLqgc7x+i6ZUwqEYKYsra +/fQv61dXvZAC00f3t01sCbV1bz2ARO4HoNu7fm+rjy4Jv/1PbWx90e7o6dn2U2sCe1FipshgsrXf +fjCQw85n3fPv8H1xSGHPjnw10trD+wghpP1bvasPG5xXIzhpvwWA1dH4nqH8yYGmKj3L3mb/HIrs +SLJ/gdfrUdL5AWxif06FUMN4G1AEsL+ZzTJSQCYg7/p/zjsrAitJt/4prMTeJ1hZM9ZbdrL+gNvk +Jx4RbZU92upfwoL9MJ+MFh2b6lc1BxIxNQN3LQV2XkDjSWklab4ViEHKQNtyKoOnnH5/KEMcUCiN +j7gd0//hpESCtnXK7o7SD6JAlijNhxJtuhVUmh/9Zy2o4F/9uJoW/Z0ApUWlor/Y3Ikihn7ybRB6 +4wpG/gBxBvoLEWgD1OwpA67V538MOK+TQKWleH7I2a1jedQWRYLOzzcCyIFnHeabHzfiSuOcRsCa +n7/uAxDJB3AJr4cH9GPNT/DZBqwncN3DB+oFPHcCYm0gyZqfy5MncNCARLHmh2O0kkWGsA+Olvya +f99wsbKnGREeYeFuxYYJy6d8zX+pW044WnOOy7gu626G2TMisIijQjIDMTb/VRS7iSx72T0fTBNH +q1B11gTScLpcXdfWFLdrJSksYdf8fHBpJ9jdSoc5U8jCV3xnZH3X/MK/PU9RBVQhTEeOdohxmmv+ +H3/VUKBenTU/6+9QCG+hCAiL3fx873bC1vxXdjh2OTeGWFYWVcpY8w8LOcOYBjbBK7sl/CQQ1fwP +PlzQCcQEV+hfNNUZlwL2rdb8B1AU3wyEFk3rFbDm39SOBRyPIaoLZ9EoArTutRy35hfzjK6hhG7Z 
+he6ZqqMwGKeJ1vyuGUwkEabyhDYngjW/lJmxnJCfujXzM6u7KNJ4Q3+I+XlRgBXFVGJ2+UOqd98E +jDR+CeKKFz93+ese1T7Wxo+wUXnbELPE0i6/hdkhNbxE3JYGu/E6qYiialwX1vHy80lgHXHl8ZRZ +/pj5ThG2bJxhLH+4a5H7LtEjC4ddLP82mZk7UiLlzroeZflDHteCJ3l6n9L0/gD1OPJT1rJCe9SL +ka1n3k3FCFl+EfVedhBGRPdZ/hlpbtqBOlORVf5X5w+c125nWaYof9P6xk8Emw44i45Imsmfd+Pf +lmcvOWQSkh//0T11fRVpwDTNAsTZiBYMHjMyINbj3ZdFNyGzKFXS+yH/L3a1WRbwrXCKl+NxJi9B +Uho41GXILymxG2DiKy+YzLBjyB8nvscyH599/MCzqmEzJSyRZmBmulclR0Qyg4aX2PgliFBA8PzI +5hzjHyDd8VT0fjabFv+3ZpHOSShGRVcUf2T8xZ7tWUAj8fPK/sqLgCgOCP7wI2t+y/fLzT78BYMH +cu+qw8H0+fDv45GJ8or68Jve2Wdj5D/8kkg1mSbl8l7nDO3Dr5M60Qlw0eeHv6blCAKf+s5m3efz +E0QGlfL1h/9cAd/0UwU0P/xcN+fxUT/8bE+MrKYHWX1av+yHP5zt73grB2kQfy390i4oh9AcC+6z +RRC/2ZMyRZIXQiF+z6Jsu5vCrkfBqhC/yQP4pSVBxEIdstCF+G3W0w8muV9TKcTvE5vYDfxCs1QM +8RPSFvRawGAiOvyIU2OxBs080okf6nZOYgx/6r+ZcjgDBTNHLoY/67UFb+/dIGaP4a8c4waVhjlQ +hSM/3cA+V+BkGrXH8EO0T7oeD16DKLkgbl9xU3LWmB/DfyfQ0T4M/6v2lnow/LOBMLQqTB4w/E2I +ToyubOllg2BlozWG33nB7R41hplJK4vht7mUEMtSdIkUw+9rc8euhU6OjuCbXiG0Y/iXl0iNALzF +ne8NbhA9xum6wZHnRZEQSzRWJ6G5GP5IcE8o5U+lUDwy/Dz7+JqEdqk8yfB7FbueRsghIpddfCBt +fVP2JCPJvfu1t3NJwx+N3CAOE2wZ3/fTe3EcmoafhX8xWLaNY8sa/ol60BWl4n5rPoGlF/putjNI +SK7h5+t4DmXgcZaVBEWboeF/LTxRoiBM4jT8WWvkVqIQpLh3iYYfFsa0d3Bozhr+l/zAI1rW8IOu +Vl07kHbaN6iLMWWzWcPvExFVKhWbqMeQEzGvDb+SASiwCy+xSMx9Mxt+L5v3o6c/3eQ2V0pt+OdY +6mwkirf4X3kwZ+frg3o8vjLJCbzioZ1LNfxAgJL+Te4Rpsduwz/HdxtEwRlz3oY/XIIvdQ2SxgkG +P6F3Nsp5RG2Y7d60MBt+8nuQCIoQM9bwmyH3oLMwsvsu68jCT24juG1OMMLSut0ZszXYcj9gtuHL +teZKLCqSpJYRwgi/favCpvIcDmnwJ5h4NUyVygj+WnnRXnZKg4eCwK95aVitPUZdQiX/+6PbbAR7 +17fk3O+3pCjeit8jDHLCfT/SgNTrzwShNrrL92kVCR5n0kmPgrj3ERXFCJnb+1UanzW1MXxJ7/Pw +HGax7yTvv6ugMRcKUTdswPsnQQHKOYBBbIT4mUlImvJ2H50pWJgkohHuuv8MLbMgSbDCtNYMZF7C +OJfQuUuL7RLruT+BaPb+jJxWud9BeI0S/n/BuD/hGs1G87o2K2RdDO675STZCDBWmHWl3n6vlS10 +6eEct5/xV8mfH+NCPdr+DWw9U8tmwAoU8WtfcYVLsWDa4yLBaj++41jtGamaHcV5TfuBP54R0/4H +riXR7dgzwmQSRX6Ag6Vl6+yrFoTgAL9pCGUfs/8tCSG6Fo+yYQTKfgK42+8JCz2ndn/sc9i5dFb6 
+nwCL/TtzTcEN+86EgpjJ4YxfWNSr3ThgtuIlozsj9vVXZAWTYq9wI5ik5PVvun/KHUKw4vUv000G +JlnElskn6PosnT0TuAeH/Le+axJbjC2wqqxFZ3eGMGpuNT1EKrDWrP8EYTY0OuzICrgl6cGrbNng +s6svVfWyHfN6EjWy+nJ7o0ri+V3iLFWf6Z+/QdsWXxCjoPo1O7swsUhg5rYv9f2meA1uuaQAXUd9 +vleAw91eOzLab9Q/jIeJ6pYTvEZYCfVzj5VtvjTTQyz8nr7ekXunnJcoUUA5fTJdS+WEPo9UbJq+ +8cgYCwUuz7mAhl2blUpzDsU/xPWv9N34gWKl73LvC4m/9tWEsyZ9ngXOKqNyComvbyL92TOABhan +qUDALjL6rRWqDupLxafjXor+fmCruWfkmgiiz2XkwNDfMVK2M9Pi0JAXQh/UeGgRwqA/REpwoI90 +ca/APrP+OeGff3Lg1sy1Rd8+H5336bF+AOX2fDhwsp89nxJbAwqwo6D4dzw/G4DnhbeBa+f/oK97 +LnBb/uh8exH2QjyuwXLk/EB3Mfg4X+qPwi6CkiXS65tfu4/A8lxG9DDp1+ZXWk+ENp+kNR4xSCM6 +KH+r1XwQuhGY7fC6Q+VPR2wkmu8PkXuhh9XMJ3MBwMx84pSVckOakPnnoFNjD/P7T2MmY9+KBIr5 +l3+8su+bX/6RKlGcj43AunyjLDQxfcCDA03a8imNpxkOVal6mXScCA9ZfuZNo6aKIF8I+HQrHxnl +LwjRCVL5sTwHZoTiTAEyKf8mgJYHlP8KKc5iFBqN5BEn/6NHBOcUm5f8H27IYuUGlzEm+b9pScYc +KzawYQJuR35bE7hj0B7qEsSCG3QKinxGyxlN5DceJji2+JOzLQr55EsPBbxnVPSOExSQ/w2QX6hp +GNo7DZRPcrgTuMfn3j4twjyuCu7442hPBFiS1kNcjj9MtmVJa01IlxChiXn2CGJpJ/jWmotM439D +ONy+dYqf5P2r5tTBFLH8V75s0nm2YHxuVbvkGrrdUoUG6wwXH8Y1XKDD4psvHqvnKX6Z6AvHcf2u +CGJxb3aOPV8jOU988HyTViddfU3+Pe5jGjvxXStURxoaJXh7mGbTOZp2o3d14svqUdzDSnm668RH +OF2ptun8TPTED8AgzDuAoQzj/InPxfCiBR9I7xOfr8RFJIoKOZz8E1+GIVNm5r+YuMjQR7hvge/k +2Y6STJ/4MqKQt4eAVEmWHYxPfKPbeflKe277w574IyNpFIW72X7id3x3rxJHtjqA7P8k5TXLyl+E +T/wH2xAh5be83t/idIw+8b2fpHPQNincPvHRJ7gRxJnJ/RumBPqHMqOAmGUIYnPT2ImY96D4mcxb +LVd64r+FXCFWF/z6ib/Z5eRTGV8VeKvnvP1kkVZdXkcgwW5gUQbJ6y6IT/yrnOnQVA== + + + pH4QV/ITvzb/3JFJw/m03ePgd3HlBeVlD4Lp2WFWJoyoU6j65ImJUDByfo2P5U7dmpeg+BHDqojh +i84tLugR4REgPqRhAih+02q3nyXLHEa7DBlCH+Ei1P8Uin+/zMFPBBIkqVB8KckMH0ALWvkBxb8q +RSXkYU0BApN7pjEkaPrE93FDm1hZ6mQXYqtY8RM/oscjBU4nEEWw4b0nTCrMtCTsE5+gcBDsJ9mI +v/zPEx+gJnUL7yqhw0nk8Z8Rxm1H/BPfz34yPSAGVU5kJcgWF3+h3uMTPzqqvNZlRaZ0UfiJ32Lx +TsoYpXWFT/xnRB5xQJZM9zMtMxThiZ86DL1jU36XL+wLoYjOWXX8/hNpbdffMRrIbcHdNCN+aBzM +N5ogyQfIDeITJbiFLH2g/xIM1sPv4Rc/MqxmK8ThB+zFEU4oCfmGo+FfrxbGtfA6TUPut/3CR0UJ 
+wrQf2iFYbIVvfDfxsFl6oesm/M9sKyIRPh3PmP/IOV3brR38OAkPkj5Kv2XwCTIk5IjJQgqAfgo+ +C+5koPRQMB0I/hJ7BrMxDM102gU+FbQQFlSUbCf1gAps3+nnjQG+05YI61/mmSYS9t9LwjDdaGcn +nJiqoaG/hyj8laTKL9j1e17TzY9MCID4PR+6lLrN7DA7LfyrEFj2yhj7nmDT9fL6PoXSP0gN9lZo +s6vvf8jH6Qg1xXVD9Q0Oipvv90PWKaPkWvO997MV5P5RWTTfwzAulba8rrNLvFYFczo2nzJZNt+3 +Xl2XXI8333MiCedI1eq+8z2R4ZohIcQQrxbTiHM8p9q0ANRbB+/ne4e5aIi5mlme7xNVztOiMcAp +IiImaJCwRTrfFy/6uHxanUWK5Xu3R6o5MmrlIv+c1qIoY19fexbQRRro7W35nocOXOWi8r2zANvy +C92y6ynfq/t8Rjz18TdGqXxPyT4aimHhHLKOUcNO69DYMAfyhv0L5ftdwYXRGkfd1/XEbxrR8r0/ +TmyF5fL9FGC6jgjme5X8IkF7/LCJ+V6RCJprvSDM910R7bvKazj7YekCkWXDTr3HCslEDWvx8Q0S +Yb73nl/2FKs/Yvs4udaZONiufXjc9e5xtrvJe4n8w4l6d9Wc7yVstb+B2xY5ZFMn9OqrmoMiQYpT +VcD38xjOS7iO53vibseCt/yFLYBu8X2+/1nuee72/Qu4Vxaa791AE/gc1Sn4Nd/flxcsRchlHN6X +4UgiCtEwnoro3rf5XrvFvdMvR/XBs1SIx6MH6qtUUxQOCmvfkO/lwdOfEvCd7zdMdP0R7vpLz/f/ +dTEYnfB8H1xx7QwCbbAHJBUOIOcNM5wxSHx4P98PmlMYnFxSyvP9DN/j2oVf9p7v9RPT+BQQ7Cie +71mwIq1tRvO9kFgfENROgJLayKODLNK+DfkDlHub7yM19EERKvjj63yva1LiJlYw5oiwqQnJBGHv ++d6HooRHNBDR53vp7JdtstDmJtj5Hm0UdE/9eRWsQbpzgakzgdPuScV7zzWYSj2bQ3uPGraJIakN +a0CqILd6D0BT8xWq95quXNRTKr67apaPDL2v3PvVmNf7oEAqdo89+RH0/qMttleGSy2RmDzv5eP6 +Dx8q4sq9lEwPxZq2x9Dq37+L9+I979Oqli4VuZF5l77WeX8Q0leWZrTvZwzi8UA4xOeF+p339n8x +w0mpuPlm77xH/jVhyqWfuMcD4Zy8an6V2zByii9wKRUsCtiepQXxUJ73BjJUJHRWT1DihXKd4jeD +8c97mVj66DTK9GTaFO777gk5Cns4OOtiTZmxINU59XnvuM8VS08yuZJlMet0bJyf/nXZG6NxGJpm +DLEpp9eK4gGad0zq6CFK9cQtDVSAb9R7knu0uy3IGMJi+7yH37qBmLvMRdn4vB8gID+KV/8bTdZA +A56QdKgqSqlaUQug99z5aYLP/BPi0aSuTmCmzKXTYQx69yVToqXne+Vm3Z9qkClMy0zvzIkYjd6/ +qvWOkxoMGShyHkO3FNL7YlcVWOCwFX55PVV6L4s0hcrPiV9tqO649N4lqS3p/So/s9cC/+j9i/Zu +pvYjem+p3BghavPCXa6fQlHMczMmPW0GxPfqCYl5GEHVAw9aaN0bBXIC0kTvpWblYgY3xnel+evo +IVMhjOzjGvQkHwvJFNHK33y65NtYjThB9B7LXRErWJHti95XUe7FxP5tTfmBYqYWZYjejxeJMnq/ +XFQwS4xC0ntDK6X3xYGBI/I2OEEXwo3WyIG46LHuCa0tC0zpPd+j/NIS2MTaYB5NKyPjxjZLTkiU +3rvbC+FMe4EE3EFe6X2VXidV8NErrwbvq0xYKRfGAnh/z1Y6TO/HRBdVcY14mt5Lt0T8LLb8pPPi 
+waBsMJBYCvl52QuSfP7TdFZQ3iww288vOwsMmDS9h8UuxxwLec4hqD4jhpWz0icOlNc9sYh0Yrlk +Oe/r5ZSa9czcgICWZ/LeMxdL6Pw5IH1jJzYpQUbKMpu8Vx6aXLHuu2yCTKHJe6eBDOHnAgmWaKwY +yIVpwMiSVMGJ/fmPn4TMdF84gVQEgLzUfOkIs7z7C/mwPmKm+gh3Xz/H1a+5Hm8F6Oxe0/Jsm7qR +8FHYriuJzdphPEK3xDJJ9V1NNGYypIw9mnTU0PEwu29S50sNkCvs39XzhX12wNl3fzVCtPtm1kP7 +7D6AKgBQ0e63OkRMohLoKqJ4zyLRYRW3xxOkYy2fTruvLEVGBZS0e4uYtN10sUopcuufrlKe8u/D +Z2+W7w62bd9IX3PvrMDK5ICga6Yw7OjQYDLa2p2+k7LMDZj2UMixdUXSTMkVcxUHUkmeexUIfK7q +imo65JJAAGuUnH3FVlsLCz7luX+29yfzQ4MvPfdTAAZg1j33TaKz4AF0mCrSol7UACV6NbyO/J57 +m6mBmdu8ovPYjvPcq6ypagYAI472bh7zUEpBee53mViYdZSEPqA25Okijp6Wn7wjMX7d57kXC3Ga +esbOSXr5ez7UYlrxnXvbmqSr65oRlF+xSPGz+6Bgr2ld6OvcG//CXZ/ERBVRIGSPPAiFTILFCBwN +M3jRiPu+kA+MsNkJct88bS9MAm1SgnHfBuz5zJ+5801H3sO9kvQ9N59cgRwG91WuUcML6xFnTOq3 +R+PgdUqEkd5e51/jC91uX5QK3p4nw8btqjPk9lr56Q0bIYiEbftNqzxjsxYNm+yGb7TZnepjO0vV +DsEPBlHZPu6yrc3IigFzkcH2uvLVES+uvaQaxHBrT9JBYLb26mQByz05qS5pq31tiDwXSgGXXJDa +Y94Wyjjv7PJu2hvgXsgQt00RKmmvfWysPHtsBKPAWLYmaWJyPADtF5QTACrAAc2d/buBBHJ1KNnZ +9xEhsedlMbHNPj9gmM1+0QITZ7vX7L+iQ6u/yAMrIx+52osGiNmvE4YMZe5nlv0Vg0cxh28FhoWl +UIWyj87GQeDIf8wJ/SN7xQg4+Ywha797zcf+OHZ9syXysqLi+rE8hc+xouiZyEFwr/diYrNh/5bS +LGE/20yyeEWHONkS7MG4y6qEL0EA7FU0vpssqbTz3NcH6Xcj2r2e1jhtBde/1xsrG+Drv7ZoU2Zs +Lr7eKndCClJDn7GssOV4weRUWhxR2Oy7vpqv3WVdbzN3kg1YhyDN9fIPWFtnP8pAUX/BDXH9snhd +2C+nc7c+97CyHIqjmWz9y8o6p6IwTalQP/kTy/HX14haD+jZ8Wmpxftn/bgKfi5/+4GzrAetsDTV +VVXTsf65tE9dsK4qWVqpPl6HrOKerx5brEq0atXHKlXV6ocyexSwsHrWLCUQFTJqXIdVz0QbVUB/ +Ad/EO3481dNlXhQIa0mP7ecWvyRik0UalGGgqH46qrGrGGJ7UOhTXzc2aVi+7qEce25grqm/EKhF +9+0OS/1W2bBb+fcAajxSz06kvldYsALYyjipMbWM+gMn1BD1by1NB/UL8aLOwIqr/vQRtAwJEPPB +5xelHkfo7XERI/8U90WoVEEgVFz6J9ErcfpKG6vCxGz6f3M6NcfRQ9PDPdJU6UHl4pqx5daZqvTb +/bt7vvTVaqjZFRwbpD96ZQ0OrvQDHYRTerq9jInzKuRA6Uulywyw7bVylafNqCqBV6plx1yizLEd +Q4vuw/yQXsaBkyMboXvtDjLkjt4AACdRuACwvNFbYk5BjlPwNKMH7auyw+BQigp5SNlFPxTQeDEt +00uJUr5R0XcqNkDqXTLoXKLfRwvHv5j2HQC5kRC9EzDAS+6EHHoKTewiv8iMEobenfoxrciDPFFg 
+0Ak9xc/rBjf5ne/M7OOXB33Uk/UZUajTGyvjxqjSPgP9jiARGX8wHaC38IFAqag2pMzKCKscU0Od +dL9mxZH6w/vsPCmkGz6/ZKrHEZo9f9tqdNFljEn0fFlK6eULL9xBnqcMMN6da2p/7tinICbZxeby +sMNOKAZupbawnZ/XndtP23kuq7RXaWwe1pKt8w2lFEhlUtZTcmhJ560/ljLLiLL8e2lkmqwXZQbp +vA09sUUXdyVHOv+7Ks4k1AxH8qXn+91GlpfhUpEmUkwXhYwxafXma/mtpAcATsBOcZ7FvGg3+rAk +cR6QHvT6igc4j/yLqXG4OHfzN9ouKhp41I+cZE4kM6YWJaNV6MJ2HwD3bH7/auW5EcZe85P/dLJx +IkHFlaya760WLDDNL3B4ftNCgjtpQ/PrdnKW6BqWVQHPOvPU7ZPsNsfMfzR6BL2wQplfuyAxP3F7 +zusf80PlsM4PsxVMi/koo+T9HXvp8tVJniUdwkHnFa/CCObv77Hswy50Ef8W7/vyC0DKiGEwPXkQ ++iQvX5LrVbY1Z9VXD+ryCuWGNAFjIC4uXJ5lKToXCD2vsBqCLf+ucVFjYblg1dPPU0Os/0HpiQKK +RN4QlGtZ2175pZwZFPd4n/1KrfwOir8Gbtm9/8Yqj5q2RbazKh8kglH5Kh2d4CsqNOWPGM26cJG+ +yZhI+VHMT9QdpphGlBe8V/kYPnitP3l1Z9kd22KnPANkdvKYLa6hj5u8ZTqveP7Y8FUmf55vsjwr +Lv92jEt+yM6xIm6itQU3TMljbELT7E/vhJJ8M78VFs+KHDq+uI4geSDcwiWO/JxA9jq1IDHTQah6 +kXfREt7KMOTPNpEvn5kZO+TPmbhwBz9gf2hc4ZJEcriYk2KE4bog71iX4gZ8c7w+CUI/fmLQmEr8 ++PjRYAV9CEB61RpCWkOPl3fCDzGHYA1St1qa+A/NNPEQFPT3Hk+ceKqUaEcu45cttQFGYYXGd+L4 +rSqhE93RIuzGH+QkB0GjOCAbr33sW2brJaXGqxCNHTwCS6hWBo0/Qft3opXgaEDjl/FBs8A1Opmg +4jG+mbFrvFziWwAt51UZxqOxYV88z93ZWvfFQ38MeiW++PCEdDWZA6sRXkDiJ/6V6Twt/sDpLrSC +ABbPXzwk1NDMvj5YX8WTZcQ+2YZ2BrS1U/wpMPiFKIOvsuwy0OxG3jYG8V8LWCgnxA== + + + ZuLzH3OzeLG8TPwaufo3qYJvfoxdTokfRhbIs/2E7ssekPjj3+1XXRJixI9HSkdX3pK/D/GHq7ck +N9WSNoiPyVpz9TXx/vDoAEhetIc/mrdvSRwSE9wOD38WW6LJ4SOnftvwO5JyPRVgafj1NXs6ekw0 +jP1UuN3NI3BASeP9Ahgeq1XDRTjU/YS5iUBFrBEsMydWygSmK/z4X+s/13aVwj/fv6q0X9wittgG +qtlnkKiZXDkp4eG5sxAlYXKVuAi/GqyWu4MX+EtLQXhighftVmU8cHwyk8kBTXor4vElEJ6HYiNt +9pWG9TcPKzuHpS4vPpJmv/b+BeE9OgnnluTu7yY/CL8YZOf4fC95OCF8Vp/K1zcnPc5+hPCVjWyq +DPBfHiVCePG/vucnLt8iTritBEUI/3Gtg1AMappsr3FfvTzh7GOLgBB+g880foUlHvrtYgeaHdMK +ZJgNwm+nunJ2FPHVILzt3KrptQ273Jor2M7fsn5m0bgH4UNEbre76l/tmud4nnIuqPdlgbYevNfL +vSai4+AX9VQrcjws0eC3OtYkMa/jTSRQKsaBzWr41NPMVBRZv+BnYBvlHei5+4IHgASVG6luX/Co +qn/Bo4wtH3zBa28Q15L2gt/Sjp45c7m3k1s86Iqo03mawxCKXXm763h4wWen7Ie2yLwnRo3qSFeI 
+xgBx6jGxbgeowh1MY3cSTw3tglfnRdR9SS54h4LC68s0Qr6LwitqAp8wMocL/kvypQu+3rEDbkpe +8BJFvyQls9lTz3/HiZmyOLYdg3oi2rDTKfayFzyg9JTQPdAgZHzBv/fVh1+7Cwy+lBXFubUJkofB +d3Iq+oHP4y14/4J/tM0MZEoN7SlLfMGrFm/G/K1APEB9v+BtAY7v5EDksw0GViU8k+YF/yGXX8U9 +L/jAf7wSHWVcUo5fIg/z5E11oy6gveYrbvGqO291fF1aZemCX33IN2h+60tgn7l0dFsXPJBDhSYm +ueDlWmcCESNVuQs+FNWVIRUGuDsfu+DdagtCQeKCl50prXZCsgVPg/89PMPg64YucgFKCz7nm1i2 +4N1CONsnMNlrCx5VeGOjO5j0QnrU8nonwSRrNdyCr9uPliuSvyfO9LECb8GHVzPs3YIHhc6qNVMK +MtvdqEkB5ZhJnIq0prnbgrckT9DKL7fgl+8i6LoF3xp7zlLyGC54L7OpAXZyr5NQOuTaHBpZdcGz +OzwNSl/GBQ+a5MGSMcT6MJiCj5CYlOBJ6LDGZpXsziB4ZnUFLrLxZeSr+kZefnLR5h/YDcMpf/4t +pv+6kU4VjsmLBi6H4DFTdQGshPf6lrUXIYQbfg+IQGvLP2bUMHP3y+jOja57E6VFhceEUXjwxZAO +o8t4/h4ToyqF1OH3xeihAge6UxFQSxnsFTgZvIBHOnCfQMFZa2zmwOuaO4Fb4sbIuCuLK3CwV+8S +KqRA3631juwJjrHV6lcUTuTgb/sTnLfPiSSjLxtDyuhJ+OIqGXBbRhdAqG0mBkcJp0lFcASwC9KW +cMzdWfoZ+5oIjBJOWxUZVe/X0hlukOYlq/RoReCNKVxrHEa75e41DM5kCSeVICoJx1jcYYSDvStN +WhzHOP23Mn81uSg3ELx507wQuYsI4aStP+IBScdSPTXn/CaEYwSsuLm+u2eFwGeQcpqXB/gdVAiH +CK4bssAj121qCEdoMBMDSVU4gDUbCoGClJlKhTMkgE3hgCUnUDjo44RO9rsrjJNaRibHeJjY30p3 +zjzhjErMr4vC0Sv6ldyqUnvqztn0rk6pNe0l+g94pyfQ168PTqfCSHW/Dw4Rgrr/2TLiICBkYzlo +fRiGykgwlcfyjuI1Ryvx1wScxFHE28rL2sG3IXCQ18taQ/bH1ACJgrI7Fc67itVKS/lTGt8/gDsz +fUaBqEMVDqkWuSR0rDHyVDiOM42IZWXM0ulQ4cR7N74HZh4zsoBKztsBPXngmJGS28NmdHEJiZti +6K+mMSPMZBUsF1SOIZzEriCYzbTwgReCl7YWXY0TcKRthUMVTBHOILkdmoqbIgDIK4QDZ6tFlYLs +srx5WXP5PXj47hRG1d7DDehjZLpcXHxkrW+4T0yvareb7RWEA4DRT+Fg1ujwEWpzZOYyKy8fV3le +Z5QgtStFHWaDv3Y4CVRA1hp1Rq/T/oz/BGyHuxl1Lxml9reG08G6ZYsRohuFuBWtyg82m5gz4ibc +jACY+TkBsbHf+Gk48fH3JodvRuKowME1HLALmE4ZMxqqmwZSb0aUa3QjZVhVl+3+5R+v4bS54bf4 +vfpiKjyj0QD/Bc4osTUcVZng9fwtLGCOJkd8MKP/Mk8NxxW0ymsGOmTgil0YwmJweisOu16JKCAq ++2Z06weV3Q7Xm5EG511dBW04nNM5ytTr3UMxznW3yCqvx6mr9Td4Ds7Iw+3dH04yf132CTtYO/KM +QLb3k25Z9Y/WcH68SPVAIXEgQORFKuHmDZ7/VFc4NvThbnprYn9o4VUZDU85vQplm6W4hHwYTNQJ +DpRV8ynwhdG+TK/G36ioemBm+ot8IqMdf3JIoFEAZJz47uiM5VUMO0xkZAzHGzwff004Ib8Rhklp 
+/+UTJjg+UkJJH1GxAJPR2yHm1w5CeXGymIwAJ1jsP2DpmIzOb6W5e+FXT6C7ZHQGiKiM3sUHldbj +kTJS1NwuZih5Gt7g4KBUjbYcCkt93CllFDd14HbSElqSMvqkqAm2Fsfy2eBcUwtENFWjDc6KJxir +O7PBAau1VxCsyFBG7AHBRQkOjqfB+U7BqGub40mgR+NC9rkAjdeubb+kBgfM1az7F1sOgVBG+Ald +mceWREMbCtSoQ8v4GuEEAxrxk9p7hBMHEdE2rEssI3iqJ6w7FRYjHAw1WmQypLRjGe0LSsaXgDU4 +Z3kMxzLiQa7XJaZoqvsV4WwhrzJhRvoGpWmWl8pZODuNANTMlN48ACutLRzILqWdkF6fw4xAJPsE +OID6pX0so8nbqmSEbTwzg0k4BFfIuko2MUfCgTxjQshxDyF2kXBOb8mBzvE57kEkHH1u5dV7iAPp +IuFgTk48ceEQ4llKnHpSoJ+GXDhxdONywwkAmtS8Ib9rRgb11rtj8z9SQDBiRqwHFk0SAjGw1GZY +TL9wypQRtBe4ijW1BwoCyowZ7WBhuqLGHuGYkedy5JzTEUGnFLBBsyPdF5azXgnHV4J2IDFaHMHY +Q1hEXThO0CKVZbIPhQvn2L3r4HCgMWdRXeVwnq1WYMeM292MKJdMDw5EQRSUMsK5sMhw4OBVqZxB +82Q4o5S034JU4MlwRpuEZHQ4vsca0AZgoJXDgarAwUMcG/NRmTjKJ6Y4dDoUbwnuK3wLck0p2iWD +j1scIwBxMg54cKRtHCxYjU07TohHGac1ApzDA827XqMBkHMQ22QtNjIRwKcm58QrR2iOcggW7Qjf +RsVa3sJXE7JyOtujNH7b0I1G1Vz15cT6Sx5zgHQWGzQHBiXSEgAdM0rEOWCe7sQRHK2N/EQrEGTR +cyZ9PzITgejn/Jrrb27QEVgux37oFFzsiK4N/ElHLmt81APGV+V5vNTR/A2OJ5s6VTpfySgxc3MG +bJWq6MXRetrTz2HvHQAsMJVwwYk6H0JAYGeWP1WGOsYHQ1EHd8dzBPBA1xFOSG9TUxybOcNbKnDp +TNZIk1qdJHwyZB3sr6ZbBzaTcIUcYioeLw0ofUThZAIT6kwrC/5rsnNHAGbPAu5xYVnaAaH7KGKu +QFlAeuXMSPY5aDKBO44lSq/LrW9ZTP9CB0t38qV3WG938PGICnnHhI76/ds7Gld6rZgg5d9LpSZI +dCThDYAHoXEYZAXP9cAJRgJ0KCIpL7YlSAQ9gUUGpI+lndqlDE1IalGjC2nVcVJGwOcOQsCKJ8yX +BCc9hMaDLmFz64iOHs/JMNqBkceYVh0oD5Y9aHmALN9e544JfwZg8xi2G8MYkWpZ0VtfkZ7ct6TB +I1mYgJ7vYOjJKSRfY9Sz91mfJ8fb6FnRk0gbiS27qPjnAvbMem6Lk/J6GICrynqkFE7bDbwz8Qnl +C/VIg+5yKH+kICB0SmwPaY25zT9PiKQbxMsmYBlJTYokmeoqxfJ70CTBM6SdT4IPiaAosSeJORzR +YzUALD5D0sHoU1IPM48EcJH01XXZV0m7vEApwJI02ZG2pbQkeulFiqGPwKvzYvpkBQCVM5gUOaBs +Xh9bLhxQmdQ8wHfEfbB/vseSHPRPYqb3sYnRbadwrqMm4ew4B5OxFIz7TJV/b4VyC690afpMGsvd +vj0ojWXSBANNMceA0dcn/1q5bocsgV+fsg+iTjXMv1JpYxLkK6wxK+pFmDT05sq1H5jQ9O8lUZiN +l0JEBgSh6TMtfupyY0Hppk/uTexIsFjZXpKLmBspULgLnYrok2oN7SVZFk+d+EYhkYSb4SwUx07b +9HFN/sU4Ru646fO/VSN+JXh/PPSS0EEKlssSdGhGRhNO0mIN0YdZc7KbW0Dlm2kBKfdhmDCKUDyi 
+jzc7jPyCiqD6PVIqtVS6FCRoNqDgLOk+Mp8YWpKYaVJuIHtDUYVylvQykBt3IYckXtz5JO3XQoe0 +2huXK0tHaucM9rmPws4HXJH3pfiPF86SMMjrVgWtZXvn87UkDVqtlpjtfExstabfa5Uilj9Lws+I +7Z4cVl8SnM4HT0CJoQ8mY2umDxCMjZ7a57wDDwkHGIJJ3/jNARe66lMTV6oAgTzrqlh9lCIo/PUx +LTepTPofJ0JN4j4P9NM3vHcjcZ9sd9Iam6gy75mkQfCDUX4e0QMpaNIU95FZt1CCJs09Mn8UO9Ck +NQuspbSr0s19hMyoaCVhAbaAc59o+FMFo2dMmfssj5+YGWf8+5k0zQDK0bnPhBVzH1iKEWpln0l7 +sin0WpCkJ+QSwxLiP+sIT25F0wcCaO8/R15yUJ+d/AiSdFgppdzn5t04Vgnb+EwiOI8uA/PRyT6T +jAoFHv090j7Rl1Qb+HKTNV0mqiyTvq+/7FqOJxZtQMsk4byyN1bvrGZBkfbJndI+SWg80z6qvH69 +E79KcvNQ09cln/aBMJbRu8OetECxTCogLLKrBuhG2kdg+oiTxAo3ifaZeW+l7MLfYXpCTUIcYzEL +fAK1LQVD7U7Ab+Am1hUTtZ3OdJ0ZyDD40ULruAU/EA5+xH6gC+jBz1GYArrmsSq1gd4Gfiz2Lgcf +LacM/Ay2Vq4CP28cPnsB8VAGfsYdtgwXEndNIfCT6M55jQJHgAJ+Eg1dFFnrn7Dg50d/1p6/kH4U +LfXRzWoO6zQqhQ75oyyNk+w0rCZfEAE1seZjEzE2ibkglH85XTtGTcAPmTiQym4gAcCPNnak2bs+ +GcPp6/t5wA+MGjygxj/23+cp1O2jOLX0EZt0+cNJ19n09+VlJLX6+8iF4yZyfbKM1COJUKkmyOq4 +GJINNNFhIEtXuj66LNg4p/G3iEFbtjCHe/eBBNd0pCbFVMi682v8UZP6ngsUzJbR6Q== + + + luq7j3dW19jWz7PNaSOJ+ZRp0B47sfwAZ1GTTpe7ZniyAkRQk77mnDBo99lBulZmfr5tEVCT/Jnp +CEEGgB6D8L/UJLXIqPRzJ0rSrjs1lN9GRvaR5rRvFO4+mBeFGBVACPCD6M1YMuJaONPlGtvzFATw +46ExmPipLwq3qoCWRQn54QuLOGlmdIPOzMxnRpxU4hX3uNFvq+IAYTp18+Ic4sGM/DjzLmHwAclN +nJR7WtpG6mP38o1WF2YU1E5J+fi5r1IhtBZgFeHxI+FUsVwjxBrykyMg4vGDZeyDfwAsYXZf+jXa +QFFkjfUNTvpr+nRIdldihu+4+uTHFR77r4LYXZJMwxIRg5STCoHPLNs4iAgQToLOz3TFgQ5hO8cP +biXJNpgCQDZ+HNNKlmdriPzbUSSeaRhflq43FFtyyOUTsg85MH6SWI2s86WNQ6SXOCnl2GCFaT8D +seyakY3SbDoJP+lnY0BXxl86h+EmV3vUOefMeGqzr8tmksrqCj+t8XPte4jiJI1T30ZmRg5Ajemf +UY3jRyjVtm8jDHn8BEjDz0t9/DC0lCCtqsLt+I8fJLe6vloBOuny5IoO8oOki+24z2DIz6rXKI52 +WpoJESE/tjk7k0Eq9VjbBYgs+B5+Vt8+Xo7fuS45aRtNejdLZ1kbOvwYsg9HHVggnTE9CPv4v6zg +CduBNA4/Sf4sf1IBn1vIT9jBr9hOav7ZrCBPok/Zg7R+zL5a9NkPIrTmDe9HRheXiaBUnJ8yEx7i +zzFxjbgC6VkhEaz+JeWxBApK12qoi7JOm0X3/fBFZqFD6Su7isf3I9liuqDVTV8ElNSCLRsjWSbn ++/n52eNPNB+WwCgoXRT2Krws0tQpe0f2T3zSCSsoCVvZ5QbaVlBaBrtWZBWUPGw7rKMGLiNHyJ+k 
+cHsxH0imhAvv0x5R8vqHXQGlRL+B18lPivSt68WPtv5V8EmgxiPGo+krg09qFL7yGLYXGhW4J21D +k5mepayqe5Jx4Oc+Kjq9gKYyP+pSRPek4bMBxdMxbJk8Rj+qMkFmdt73Sam8sJcw/w1nzH3SOIN0 +x/Ga5y/sin7EyhB2AqvVQdHck3gTwpxpU5YZc+aHF80CxyXBMj9qtq2n3i8N5UlMWYUzQYwqd1Jb +y0OngawefizA8QNuoMHf007UVyzkTbeksoCMgBt9+EkvxCxBemzzww8zrUB+Tn/bAJh2LMeC/Eim +YO/AnkQN+TmFDMlgk5B4xM6dpBgEfKRk3DIgPxDK6YSmsr8s5KfWYfl9ph0SuiV30p2Rtp/56WVR +2/jvwuNBpZkfQxtgPDIAGoTMKE9KACD7EEOEvHERsJ9k3aEQ8rP9sBceuRFFcaQqmTvJ3RP03sad +NLZ9mgNo2YQrID8b/Siw0fFG5wAeWB3o1ODt6RiOiYP8VDOVFUswUoT8lL8a1rrVUXPeTIL8DF5j +mTYYvT9+xP21wMhYPYvHD69hp+0O+W1yq8HD8hnk539AFtpSsRU+3UlsboLkXUMO+cGh6IMMW+uK +3eNns4SNlxkZOeD++JFXtplMotxJ+1qSQTi3PX7aO7Dus/D4Ab4ChYEHu8adhOtowz48q09A7n38 +kC40/yXdSQfhZVsYes4gPzqEp9wQq8v8a7qT2HuawvnSKh4/ITGBWKbPdz1+8ND26bHF1p10/8Vu +VU2Ed36D7iQw4otoFgAMUIBvd9I/nbHSHz/aeu18fndSYqXUX0sRwPpCjjqJylnINupcfl3gFn6u +ulqvIDbxkJg66U2vyDunjcxyEvqAbt9HTRKEk0p54GFEw2VyNTfJCkZWLMwxqPZxvQDhpP0gR+T7 +pDco/PSiu0itc/LshZ+TRILHRUxS+HEOSivJ8INNqgM/TZPvOfz8rcAAtTd6+PBzw6tGNBmSJeKt +k6AdalVuNLh3fQ8/SQ6Wx5aYxmXg8BOcvoGabnJdDocfgNA0NQmSU9M66elTJ3eAxE82sZt/0WJR +10msUKjWyYEtzHWSABoPOMyx9ToJMnC5taj+JhE/V07d9ft4plLix8Ruia6TOCp24Enrq5LiafZs +wsgPzNz7R7cU108F30mlBJUBkA2886X4TjprsjO9ihxTv5OQNERZGyZ+ZnzOncXET4LXwQ1tz55V +tTDipwJGjVHVcl8hfr4M08eKikURP1NJa7tCQvyoZafZiB8nj/TgLHeYoIv4Ia+D4FAPZ2g+FPFD +GM1R5LBWrh7xk6UtzVF5QJ1QJ4EabXR/IDmpk1CMm7Kjw5KtAcQPpP+Fr4OmaDppd6TzdhOzn04y +EBxDpv1oQdgSP/YM1NFUMKtHdOIHxNsiPz/8a37Km7588LKpPTFAVpE6GvM8ySwK2nLiOGDzE+Dh +yJeOxnFnzo9wvsMj+h4/zpOaZItfO6r1KGr979djHAHsedLpvd8mgsM676RpZ/KV5ptgeJ7N7cnq +JL2gvt2j3wKgEAh+wFWeF78YhmrVSXKZTiaxCg6CnyKshHnqJOR5RB74OhnEkiAFP29T0elq6KaT +KP5FhqxH+ROmkygcFqh0t7PppJVe2a86XOHRW5EJcUsuqJv5iimp0GRIPHzfkQE/2doF16GwiZdM +m8nnFC2RSsOlAT8/0hy8dviHbWS0CiqBAuCn77EVpSJ04qfg7UjuevEdKLjT39xXwfjRpvTfJViW +QHX+ToJCrLYtgbukufxfYMZP56JpWcRlqxqQd9JBGuoaHzLZ7eLn1h7YhJZ3kswU8YYuf6J3ElPz +yMQ7dnq64sd59vxDFlf84HidYAsBJuzED8gQanKSd8VPBQ7YVbSejq/4cZNT7Cz5PvlJnoM63cU9 
+pjoFb4J6mTL5CcS8yXotbjRa23nSa390KtiS04ee5MAuKfGITxgpxicVPyz0ukZcpvzAu68tBTSd +zwIcPYki+AZ/XAvUlDPKz2aZtYi0ol5PP/Skq7cPao+WBB/oSbzIZm9PHT8T2nfSSisnHuXH6Eav +dn5CGRJxph/qc/SYUjW/fh6SDO7C/RjsSsWFP/4sff/h8gdsUX9Mcn/0xKjvhQstzAoU3z9up4I3 +mpR6gqN+Mt+S7Fqi/aUUCf2hT4Dop1N1gABNQJo1aVwYkFqTqEVzQD71Kn8p7L/QsPxU6iO6DHC9 +9nSury4Qnhp2oxkIbQXQ+BsIHDukr8HvLpvgDASxidSBGAxlsjAwV2IDh1jn/OuiPRzhlaIgBRF6 +eJcBS5MkknzpMSzLtL9C3cRSVB0AxLHkuEAMt9WHDPIRVAL/1H/+aEe6LAGenOoHOlMcJGC6FhQH +CYSMdXUQe270uvMg08AjriBqSbemU4ZyLOWWUlo6JENHG7Q096tINP3WkejjoHtMSkuwTC1J3Q2M +9oMa8nnoDIPQwnpbqsRbCsaYfSNwieMyDmsl5AGc9uQSXns0Q3ZCqfR1aksUitYl0JHB+267bJea +mDzxu/Svy+XfweN8oSqhhWhJG0DGhTjTYLhTL8ScT1kGQ94IMxbGEHWtU4l+6QUt+cz+pcukploG +TIK2XmTbT1DJDWUKSmeJcOhTZOIth6RcpiXqkLwQxmOHqUoNePEOUrKK4rMQrbTsMFWMcq3CWjrC +wMCrO3+OZ4c6TAVUJUk/wIqILVY/vJZWw9C6IWoME7wCYvKaNZIQw2QMTIPOPWyQZm45NK1Itv9d +pTbxLDSdjUDyNwWPU71/HFBRr2aMcOiOEFvx98E0ZM7IQdkvKcFhHvIFDA4FycBiZcohWbzsO8b0 +cTCbO2QJGBK/rYeYMlThXrC1yD2EV0cUuw8B/ZriAKDeqzLECCJlJpNrEcdUBh6m0lYxgN9Lmv1/ +Php+MPFSS6IBpUrDUL9oRNx0j2gNRiLdu97GJ5F6Q8n1XCYBJ81HmImE4eBvNVE8C6J4TkTOsaVP +PpFEDUVp+Ub/o2hae7H5BC6RMGeFrZsbI0AimpmIg6rI9qYnHEUTuFKCntHIzCuiEjgoFmFseY9V +L03F7652aaJNPbChtYhywzb9FsUjLh7QRcejRlRSXqRjXyTzKGdRfieCkWoT7+8NIz9KGaJbjJyd +VBuwie35BcrT0QrGU5UAtVGxkk2fa8gdImfEG/ItpE0tNM+NS6WLtWna6+Dw2qblXEmW6aaCaJtq +tOgH/J+3Olg7GKmHAe28RiH8nuh/Y28Tj4kFCZiCA68e623C+5khzOeA04nLidfI1IiB53qiRK9R +Or+O5lM1chnxvdUlqct5E2mHEWQwzIzz0jYZ23d7JtX5hLbpbIi17r9Wisdqk0BgHnGOK40q2m93 +353rrjZNBvaeu/zwEm1at6ctwma3lGhTzcyZJuVQQxw0uuKM0prC7QrjQSMHb/NUHqKPg5CCRisg +TIjWsQtZwLErFkkLok20C1Ss9XXIok10CAsk40x5grtuQaMOD2gW0ZGIQKMGeYFeVJvOzVRmqi78 +ZpsY4bCf3snZpleguGWN0mKiqi1uioEO4Tk3mQDAO2pu+k8cU6EbaUYPMYE3aQTJIz5C6U10csmM +fvXKN5WYZ8LVhHQyZX2hI8dBrl2DU1aB2F52lF0hid0d0WQJGE48irbPiGCcQvbMgViPfvJ4lZOQ +0/UsOYW0ngd+FKNyyhjm49Qf7eYW6/43mzycTVfvzMQbZJybdkFQPpvyY2ZO5V/xb444lhgg2VHV +Qk+ob0H0Zk6WuVCpOuXh71LmJPwhS/jva3/UU+vXEDIz/pG1dSvEJui3+UfE+tCGD9gGIpUGW0Pk 
+vaLs5eYfqSmm7XXKJFYB/SMUGTVpf85k/KN+56Yea5GCyj9Sj65104B/9PVAiD8inRIde50Dsas7 +ID/7mfKjHMoxHFHuj4CAkm7YXnbFBCToMZTRosPu8YKWP+uaV2bmlKcfYYRRRAO7Yn+U7KIIaU4V +zP5oQKh3mGp/ZA9AGULDiBumPzHRdzlhd5DAs4Fko/0R3HJUJSDl027+0VgNpAjdo498EwOxgVSS +RwwHUYn6BtKdYR2nL6Q0AuaDm1+DKSV5/RgBybIsqw0kUHZ1Ii3M/kRAaj0ll2xOz2Dfr3xTKvQC +knTZ0GolsVKO9qPO5rTAZJMVV2+IUoxdcwoI7a9aEPS05kQZOIhv/zP7WHPS4PNmk/YJIAFJwmlC +q1IbBSSEh8hINg3cL54C0jQFSedk5M6SBJ1TZNPo7vrGwQ8iHEA6J3GNDp6j4v2ezony6BfvAyVd +MpD2ZUXIqiBxLqStrAMUFSTvJ7rgZYCi+pwucpn1ZQRoyzAUJL5KzU6/PjG8lwAyQbLrSUKyF2KC +JIHCMD655QsyfE5g8SMSJl0NcM9puV6hgFDVcZB2Z7+EdIwMilg6UV61sIRYOvnLvytf0m6qpVMC +5AvvMwj5cSHRIDikjpJYQtLQ6VjBTjAyGtnSKYMjVXw6AeT8rYp6JeMLqZoloixmEhGzgToxzkzb +oHmEPajTV0TvJCP3pYqwjCEAdfIUJNLl/fRH86BOBzkGArKETKc2l05za39qBuiTXg== + + + OkWQGIqkQG5CqvQzyqhEP7yw5KXTDBlDjXJbEUxIMHhpkQaOjKjMNa9f6RQNCVJJKUs8grQmpKpS +bqZm+4C+WiYk6PITlVk8iVY6qea3SjX+Uy8HCa923xheStel3waJ8YaVThIaLvUqQG+Tcac8dxNA +KJLDSkKy5SS0vRLoPgktnY5hq74VHWMhIRUEivOrT0XycSMh2aQpk6lkSUeY7cRDZrk1oK/dBimt +ySEgtHQCEmst/YCvBNAsnZIcB2u1geP0QFQlMgcJcd0zIgY5hoMEiIlKciOOWtDifcwgrxyk0H/p +kewzjiqrIVKQ0FzavdLpx70Q3KUUisVBOi86hXsVQOT4StwNEhqCNsTB0JTJ0fG4yLfwruW2nQwJ +B9zsnscWFp0IujGzJJIxdfVnF50wMJCswTWCLDo5Ao/nvpD5mQgSN3VQxEUnsOhlZdThNEEaPWDp +NCARJeiDG6IFsUHSSevvKo7rdbJwgyTbWbh4hy5Uj9OszsvUbZBsMEEV3Mnri/SBC1Rso4NLtxjr +tKGmR0LdGzcSUl4A8RaS93OJNiSInwJL1+kynh5W0tYeFMjkiTeLIr2Wmu7UIiEg9gC4Tur6MmdL +KXgk+3Ukg6SjeMVgJMGQvz88KUSKFXuSYi4m0EKvCXkCYo+V9T/KSkJ6ymotyRBHIUi+JFuDpsSY +hIm1B/FMogp/eCJXTzUgFbsmnDRfJ80AnKQnQSI+oJ/0hZTCOHAdKUcZjk8UxwIRRml1lFhDdO8d +9KlZkEID6o4CKf33+Ar1iTj+AzP2qZPODg53SnvYlxCikhEDLMq6KWoamauf4qKUxPuJdMmTkZpp +h80UAj5KfjH8fN5Pws3JDVnemHU/4SqASZ4uIB7vJwGCdkD6I0JXyS6fYV2mg5P/XaVWvZWlPNSy +RV0lMMgGTrPwdpVU/H2NeiDRVaKQKHWrl6Vrr1L1VBVjysHaOUJdV8BgsUhE81b+3Lon/SAlqOqO +nq1SrwRXeD9YOhcysFPCOznKp8U8XJmN7z4a0k0lm9AE4RVP75eg3awQM5YAA4pY4CWF45CMpYwb +1W2zlJmel1mA8kb0hW9I3f5eLCVTVqDnh7UcuFhS2jj6LHYBSqXBMOMXPxeghuGnRC6ZFIC+qy2W 
+DBfUAGN3AckRFkuhxchcQy7qRLFULeepuAB8KZaMRVQWS2C5LQ1QK8lRUu69kR2gLgAzzYVr9w++ +YqE9igLLTP5NG40GS6EvBEveNzgrUAvTgUYQ+YyoN1I4Ms89yhriwEp/2ajE7ppKQqUdfckypADq +QX6PD1B0vJfwnS5WQgmjPeTLqcqPGwMlSadfp8Wv5K/ELJrOTgIoJ3XNic9CIYx/JWDFkxK4a5WF +v9JBL79lMOn4r+RVD0n0fqW2L3oQwDgAZb/mk5CDDJcJQC2kYmSDrdJjGzFYjzHWSXJThmyaI5vp +Y7KKpl8JacPblnmippm0BEgIpS2JcPN0VwLNEv/diKxcJS5C9NgCCIeluySK+kq+5GbZT/ju1YlK +5mQ0DpQy7cv64jR5vAxcCUiQzMy3T8+DlmrIR9NvYFBvszI7YfF33lclDjtXR3m1Kl3ScZBixiCX +EX5aQbTHt588Izkopi3e6dyqhAkBNfShXUWr0rTjpI5GEMa3zvZTYnHXnxaGES2STSWhUUQft2cX +eP90ptc2lfpG6yB1K0uoqZQA4SduEjxcCEnGwJnO0SHMEtwTynFVqTyC/kZIMV9Vil846NwgkLb9 +ZOKig3CTt+MGU0x/QgK5KOqpUgmYpIMcQ/AwVap/pVqSP1FMq2VZyfCV0q0E17x17hkJXvQvBGDJ +mPVxsYol1gHPAgNq6yFU5SzxgH1DLC0t5JjkupZURJ3igcLxcW8QabEHKCK8JBePXDK+glq2BTWA +iFIFCnxsdNolUHv5O4yX4NNVU/ZSYLhbqL7EvnQp6i9pduKyDUz9YNI7rgJtJHC4k8rLL0NMm8/n +UlVMP+IR9zLq4+UxPeOkel/qE2oAkz125BZp9IcqPDC2sOcKFUck2FVyhSCSIgsVObjGFrAMNRAd +qWeOlsdrQynHKUSLTI1QTPmQokrsHVRkipPgsErNyPSWMq9iMi7Yqxf2MzJB9lh2q+0u/DAyDaYB +TO1lChgIJhoLNQ6nPBZFpgpvMCp0dHdERSZfHw0MiYPoPgwDQTOJefkZpnvu6NEIOTMyWcdl1LsR ++fFEtJHtLoRAomzngSVgY+Qjk4mSZSRhQpXb4wGUYUNTYoZqc4LpEASgBup3ZGK3d+kiRDkyxQv2 +DHDGDLULOKOi9LouoscUWaT0Sohz4d1NN/6m5ssw1OTaBUrYunEIQTlVKLSrQP0pLPMf7OwhtqIx +kccni9FAbYKH/y44vJKem0yBA5MKwA6bmTwCmaEqqNf27Z9B7IbnWGY1bo8p23IhhGyl7DHVLYQ5 +6NtVtiAHujH2jc8wSQl9QyqlDrKSKD985EaEJvU87TFdkjU1jUyy1bB1lC6hMVPghHupgIUairNj +MyBPx+PCyPS2cY2ZtGMAq49MFmcSzVKhmf2rvKoBNuSaUbIcR+nBecdnb+o9EWRSutOiZYpEg4AH +KdnnDXXPXCxwLbPCgUeZ7mil8TRi93VDWZhVt7kW7OzvCVEmNquD3en5ADtnSx/MxkzwytMB6jAi +lWPgHJZOBj2EpWYCZE+PAmU5Jp3EnTcUFvVTR4sIJ/+kTB1q46LFS1QNWAGPZbNYO8y3BbkWMMix +hd5Qf800C/Jt5bVNCFP/ucEtJtK2H4x2GqlaOgC2b6jFxVcalryenrpSpjzpOEIfs8oiHtkAaK81 +JiltTDUdJk5fEp+Fv7GOc4C7yWc4a6jBMlefVCzP5hMAJ0L2GU8CR5X+mDdO0ImCrh4YU/5REn2B +EOCxJf+VZPo2gfqcPLyRJM8xbP2y/PI6LNB2Q6RBTjzA5M64VdqZXaphNUky0cWnoUh4NR9WQDAN +JdbOcedC+R5ipcYdiNpgMRmaiZhQCiZbXgoePnV82gHmMyfI97uh6tqQPM8Kg0p1Q71Y5qU/V36w 
+gMZMWcLEmFcn+x4wHGqovy5PoyXOJBOGhadMgMdts931fOINtUzGXPUHnEZe+j0LmEfUA1SCOmXy +Peab802x5w01FColhkwmBi2BdjLOXl9DCT2wa361k2dhFXCE6ohPTWMKR/5DCtQajDbfa6Ds/h8y +2TsiC6JF0FmyE5dpSi8iBTbKtIdMihpdPGTiuodM3LaFnteQiU/mj9oLLxNLKZ4MVZDZqqHmo637 +P2TCHEfUCRGZ+m3W7ogXSjp4TRig+a3GfE0mxzo/zUwQQw0bbdwCq6F3PYCZhnqUnajuNu0HYsJ+ +Q8nru1oqjm0zkHwT1cmIP6ljM8ikIVIEl4JMG45b/MeZVAaZtqbl9akkMkHujtBPYyBAEplcLHwE +WEzRNM1vRKbwhRyhsWVHKsxQJniV6lHZZTG6ejrpDQWfLRTnULDjzZPp4sG8TC1mpgHO2psJ4EcY +4ZkAcbp0GeA3aeYI027QTJqyPJkYTtNLnNlSEwBH5Gqi8RTK/tb0ELuqSlEzYRAEWRqYkpqYU0q9 +n1yX20RG+SK43NSBioizdFGR1omDvigsFzCTWsOoHJ1v9JuIwIQWnIB9vMkI2G5exv89o3rH1aYY +xQiAgLXxJt/n4eHGCUd1zsms6SF26Qa2Wi+dIrQ4iiiqU9uu0/DBcFVodoqht9NwDY14pwwBVcE0 +RYKleXiw/mdEanFCKshTl3JIfS9n+CTNE9EsJKMnAaVSlJAJk+CXJfNgx6SC1FYfpY/nfn2c9dRi +CyApocq9xCtQ3ka9ejLxVwZ1uv+Qa6ReGyWVQ7bWSIXWeHoRE+gr0RPn4hlVW5pvwSJlFl93qjuL +VFk4J0Qkdy/Gs7tkMwgI3aMnE5beSIm8P7RPrW2S68k+n5z6ZT3VrRbpE1pP7EWn5+20qJOaVuuJ +hOCfo2WcjtSnKAqG8gqQIU+QkRqWpl3X6fQE/V6OVNnOo9sYvOdIkf9JS2OwtISkjmeES61K2RD3 +dAFaI67lRwD3RDemW9rbr2TuKU3fsVIuVAuKe1rc+JIesnGAe4LGkCg7gavhnq5UgBfFlVW9DPcE +nvDjwEFcYIWkHmblnKIGu1UhKQlkrcEn08ODaEmF/urdUPAJgdmI6v0jT2W0B5/0Zn7xESd0DFhA +fGD1dcFKCgig/NLvHqpPWVh2vfeJbrk4zU+Soo59NGDeavlIpYg1zsZD8FMxghRgAfXaL6URg6dU +ObX0OlAB8H5kRmFsgor6nEinF5Q/RlNbWIql5aHjlmXkNMDBQa1vLRWVlQjxUwm2lgp3TuIL31Js +lhF5qVBwewzFWg6lo/xYFGWlMxmKHt8jS4YpWfxpPjvRw4mq4fr8MTV8PLCOiwmLMplIojNTl1Wu +i3mmMH9u3v9NlTGjyiflk9o0JV9JVV9N8ZEnIIBNBUA5u/a0KejEsEl3+QskoTn6KDEb7w5AatLG +WTznSGEXSVEGUiCN+8CQ0to7XJECDiz5OfWGxjRspaSglBnOQShSeP5RnuEUXTZoPzwF+PZpT98i +dGXyqVJZzARLnMvZlXpJCMV8s5Q5emZM1m86+S2lrEbB508ZTKVa8u1qAlOeupFUTIngZyKmoMLy +GLCyd4xb1sDSVFrinOm/piTWkMLpcGrjUWxqosLb9GVZOWYcHyuqWZ5C+256Uu/O7p26tUq9wpLz +lCx8anfJoTDkpyLwNVkWpAohqMsBqo2yq8UFGVNBVQGFmxMqLbYBFvHOPxK/fVwRgupb9Dv+f+Gc +CtODNp0Fw3BR+fSvrMqYRPlFJfik+EHpsunuQLiw8ShLh4Fv4DIEYFSShxYRQAdf+GG9YVRcqYju +PLmgJQ1GVR1gwUeV1jkxKtxo3XGr1WJUKsrghGl1FTDlHhUjRqWmD5cXggfk/K+TH0i2OoBjVE7D 
+ZG7G3HxjVFXZ5zxSAKq/e0Egb7ICCFYYlbMXTVgFSCrdYEdxE4yKob/jT6zSeVY0tow5K94QkoPN +1bFHE4DZJ8/AqA7JXmvfeQnkcPfy9jsGo2okH96xsedX8wSxJckkGMKonCI39GJwqzyUTiWEK5dA +nxzQTyEBGYkjmeKBUR38xYpRQbU/GdVRwn+R22RaOOPNqBZNaVQvIzV/NRJVAYvhVdVFDG4B2NOo +kCL59dDnxgcXGtXdNqM6AoVkFKS8E8/NqBJWNfNiMyE8gjUAn6SnubujqD3PqMD3ndCoMHGlRoVz +LBUh/gDPeaAN4hdQgmSjYsBbq4QlHpYnAFTySNNN4EihYydP/6BWeMkflZqs328wLiqil/iaB5bf +pIsxP6oCd2DAAGGb1o/quXRE4FRIS7maZVi/TDxViAwRlagumW5VnvTXPyqMP01eO/RC2HpUuRZN +6euBAX/BbKlHZWIkdGD4oHKP6vp+E2lKOtVNAg7cGhVJPSr88HDQso/Wrt3lQLc9Kg== + + + 8iILPx2iPKqA9czQuZVNUjHpSIH7OSg4EpHDXYChRNwhj2pjsD+MjNx2shy88mVgkGxT8P1QWeKC +LB4oaGKnEZW635fK+AjV4CXLA1d6aK30qCA5NPgVaFGtlR/w1mEBeskhThkrMTK98tVfDgrlRGDJ +vdIeFdCwalGBJJTCrTTYGXw9KgimOQMp8XTSo/prUJXuB4KTV/ao6rwOXRoNxUmPitfh46B2r6B7 +VOjjklXxqPzlmkZZelRd/HILvUGK0CL5UBLRFnCGgPiFyR6V10+QDw+iYCEwN8+D4/LLFitV8NdL +elThefRFKksjmHlXj0pjAbuyYNxW9Kiq6slRRkF1GL/drEdVupQ21fWEFBoxJAGk5QpJjwqB4Wcd +/ubWw0GoCVimR+VNg7D9U0olSo2c76ZHAPJWZT0qBFGJpdzco2J5pKixBNGIrUcFsy7MHICwSyQT +9Vr5yrdgReGDncl7VGBPDFANJNw4AH6K+EN7jYNo2MfTOi7iELdePapndE4OoYqukU6lQa7XC+Bd +UfjvUeExWDJgZL9LOv0QY1z/EcWMKkTlTBJCGqEQEp2gUiHXSPSupT5L4VElIXdLWo4zV+aQkTuI +iUfVPEFXym4mfPEYj8o5b4PYUekQVX9BjOYSY0dViT7hf8BtRwUyMna0clRjhcwPMh1KIQelz4VK +gkpeqEB1dFRNWjUSbTLnOSoSZODU0eXfX48QRxUrR2oO51ZFDkxWACTRU9JpHJWdrYbG56gI7iOD +ggTGvolOA7Y5qkOLcrYCoZOKiBE7JL5XjkRllLOb7cHyP+t8jsqOunCPclR1FAVIGeOoepNMASEs +IHFUCCDTwY6wlwiOaiHmwrLLpENrn6Pa6fENmhzVja+KINMNgHrTLZCjOkJ2XmmO6n261ht9Neao +WrtU4qhgrYZOOSBrt5O95vaSr00Aq/D0RvUJ6Uxlr7tRaU29cr70zX7p5Djwhx1qNTJZLLLedaN6 +52NVMoZmEVe8Ubltp3Fd00mRH+7Dlmoxk4CVEzeqY0w22JgsZfAbFTRPp2jeIc9vVBVX25JmW8P7 +RnWn5CNtFN3iqDoajOSlrCQFIRYq0diJJhZP3+Oo2jFG4R318DgqhPxem2IZiOCodqeutSAOvRVH +Fbpos8xi+TQVA1XgqPxLaW5UMJdjG5Ur/rqfXXZGssA+VeM1gZOcqvyhnkmTVFwUnec3s1Hl2CHV +vFcWFIQ34PXvZLZRkUxfYf2y4YmUjUqYn/zmmCiivDB26ctiEt0rUN1I9bRZXE+uAaKkwFFp6n8c +U4qtjTLhmH5MHNWLS8QRVFkJR+WdlrcbFabt5KLp/EZ1TBGJNkFK8UZlc0QEWPaqyx3YqGBtBkoA 
+1PGpCJhFPgFUlIo1pdBG5Q7smO7Iy+EACZdqytRG9TbLeJ+HqVH1Q+ayltYyh51GNWGEQtjoS6MC +wgiNsaD7utj61PpNoyopwMFQTdZ41Y1oVGEGxBrVdECYrRDYtYRGlfEBRKNa/7SB41cEIMPONF+6 +9zRnEMacUUH46Urd4GRNuX7WUxF5ioZs4/7RqKxQr0EYHYP0nrXFXY2qFVUTGMac5sjDlmrW8lRv +WR+8aquEJxUb4/eXs963Q3dQozpLukijAq3Qz6hMSgjdCVVn+BVLkPNc8Hi8zVddS9HZ8u6oDO4o +pp5CNvn3+2c6KXiEe4J/fQVfRoUVn9EcyJwho3r8Opfw2JG8V5cQyo1xUMuQURl1Ao50ux0Z1SRq +nDed0W5uV0YVXpZdBOaKzyb8a/obzzIqo4oJu4xch2BVGRU+ToN+8qJNFg5BiZFRQUz3xyT+l1DL +qJC61IZ2cZtlcDKqDwXNajfjAplg4qfXp24hWYVGZNyvyqiuUy25+BHIqLg8FGZUTpBJGtW5O2y6 +XqNqsZUol/MlolG5MzLT6l/wSBoVzgHqOcsxo0oLWFEfVd2PEcgqp2ZUIGMf8W5CqvZy+2dU9DWc +q4rzp3pLqnK831AN3jW5T40KzsMls8jiwJ641VKjwohTny3ZQ4/TCUpl5i+1NKo/RErtlnBG1blS +nDGjSl9gigFbQT+qAaI8uB25xW56fJU9owKC0RCeBaSMygecZOiAdElGddoPrIvBcs4NHAYnf7EI +sTbS94Cst4wqw6JM9q+aBpFpy6gI+gRAuVS22YXgGRXIgJ8UepYE7cHqGZV/2dkSSU6z4HZGRV4D +F7xJ45och4plnmmid4RkupFEp36dlpVRwepdx8ALBELzk7cXRn2+d5dRrWn7GwFv6SuLUf0Bms5X +oLl5JxR9RSNGhfcGry1TjOp+OYqtHog7rfT0LVLuLZzMvbL1YlQuAyKawCp+33BjcKaLx4NG0kpS +I/djVH/bIzLo3Hwu4LemdjzwoDVGxRIEue0vnAaPS+spa/fHVYxK2wyz6GNU3VYfEsLkmQ8Lw9Xf +bGItqy0RowIRw+4zSH5mwaj4ayzbe6V+b24PVGKa1XMsw6hAe2u202ISss/gdW7POqe2Z41gmJSw +nhZ8sXyqxv2il1Yqwbl+gXs0c7GzhFGFoNomv/K0FxXg9wDyg7PLMr+opBY9lK1dE8v7RFDUupFy +QEWkiiLgi8oN67qxjjGFNi8qxdKXl2cvKiBM7ws4RKJsLyqTgQpWmsuBUTHZnTKdiBNwL+aUiYFR +Ac4V52vu0t1sni+af/OsC7dSBVfxtB4+IgEai5TKxVQdWduoLIwdeiqQBW67kMTIvEtOIsRUsuAZ +wy/AYVRt+vWDDp8Al8KozrDOKDoYVZOW8x9raBeMapgcp8FuKruzwqgw1ndy5rogEEaFW2RepWBU +gZuCUg7b576o+jUYMFU+vaJfL6rF0tVc9OWroohMcQlS5RcVFNpIN+yF44L+ouLi5GF/GCAxJc53 +YEyH1O5wgVHpH49r0nnvQE9tnepn1yDG5JuK4WrudUHAXg7VoP8MRmWsiJhD0j2MUkIYFdimAsIQ +Au0bVYsqTGBUdS6jdEkZLfFXs/ulXWBUabZe5Dge42o/gaGPjh5G5V/+gqbrXvRcHIXOtiMTRtVK +HMbXbUiM6qNQo3iljHiDKoKhHm7gRuJlt8WoaPwSymaM6vCfFKnK8NwBxqjAvtsw+BajchT/dhFk +FiuDyxiVjrCGxajs+ivQ3BJDktxtRtVMJ/y9zrBFrJtRdRcTLTanZcafZlRIQKaiZg5smvb2CBit +yasUBWU0qpjtHYXzdmNqn0yjGpbPYxHusRhcVeIajQr9CoRyeQcdlbQr8mzYGOvi1uekUcHYz7ih 
+ua1eAjSqOD4WT7WXChrV+mQCMAQ7kE1NH+HkNKoo+OEvukZ1JdxHTA6TjtaoLpbqx0TN25CZ8hqV +lPS9qnWtUWHxqYdCVPpSXBzcIon/0XOoVqcwwX3ANaojmawjNSrSGvOfr5Q1KrI3SH4UMYHqEKJR +mVn5EGhUUASU3nwVdhqVlpg/Huo0gcsJySkBhmlUnGp/wwH+pkjZsjUq122Y13Mu0mFSeRJgIPjR +S/arUaF1PiQpBpWZEjika6OScZXVW2Fip43qs4lWa8EDVXBoqUC+ocE4aKOStbrUG6CN2m1UHe7h +lhYB6RqVr3hnH2tUysM9qsfm6undCuMjwEf4gxo7uxewUeHdlIbSc3FvVEqVoqbVkpge8LlQHFUJ +kJAfgcoMBSqrI4gusUnogxXU/jiO6iyFVItwVOWMl2kH9vEO/OnYjwny/m9dk47u4Pyr2aWQATUU +R4Ug1OJX6trD/XWvytG5BNq3LbSu+ovzEjOCKFU/RyUf1QKAvSqRjspxz5c/QWYrtng+RFOEwHtA +ooZUACnrHisL1kMqeIxIVVoZIRYmFxU0tr6tuMTanEhFj+ovRcC2ZomeVKrbqidpfStc6snFdqLy +9516o1q8k13pHnZh7TD2smyAe465jkj1M5mF3mUilZXSg2X4HUSq0NipyUwEaOWGWPwQJ+aoeeNR +MGnBdgJ03qTiD9VqP0MYIBGqQaQK+dNeSH1EsbyRSibi9jpIUy0lUiXJbeFvQKRaI2Eu5rQnIlJd +qdeKUc3MhWspfhVzpChpNVI1BLTK3+BQwJfRSMWGxLkuWXfGzB+pXrWCukc0mZwBxH4LeVDZqRuH +xzzI/mxQtueR6mAbqls6q7mIQkZFIfX5jlQ+2zieEAL7F2A0Ur1Dw5SpTCNVxdYnGzMQhjlSw2Qj +VY8XrjT/yHfb20h1NvF/2wW4XXCRjFSMFCO2dr4xQmF2Yw//l2U8IeNIdRH/3qFU1JHqaALkWcKM +ckjJF4t4SzlKnVSC7HiyIUE/deSkch311CfvnJR1oR9+nVSU5lQhOlpNf8F9/Ul1dmQYXAJayWBe +7ifVDZ2GSPqZAHxShXQpou7gkCh55tPsSXWpZPNix/mDiC21KVPzoiOfJxUBUGXwmil6wsAnFeVL +/FpbZdLKPv+kcuwVgM7HpmSfVJZZRdSi4Teq7p9UNmRDlrc/qdqIMlgd4/eTaleuqkq0oRqwnqhA +PakKYBCuWZJnwWw/qayPp81Z655U1Hp9zgMQKU8qoLbuc5YJmnAjEP6kksdq6EydtXYI/UnF5vFV +si/dLWcQn1QzKh/v+6RqI2pjjTPglnruSfXUJOUp0G/xPakqwb7bsnS4/KS6vE8igez3pAqnFTjd +80nVXOzrSyNFTWoflEpPfGoX0+KVKECpTNKSPU55bq9BqerGDDVr+tYRStVIYPEYFCbWsFCqypFL +5lc1y1AqbJLztCuL8RplR6nUWU45VdVso3SPUtkCEAHXN2kdSjWhCiM77ZEp0IBSHeN0PZYdB3fT +oVTSp/BVrRVSwdZLtmmoyVvHp6BUzRi3qyeUBkGpvvMo3FEq1Ue1YxLxkjBqUSrrZWnBnhBXg2uI +UhX+Q8SF5Ird5/WZHqJUebXbOhktlh0nSuVSZKbWej2Bo1TwaCUklMF3oFRKFWdIT2UWNjmZu5b/ +t3d3msywUqpeE4UWDGd9uyMFo/pm8Y99gqMqZXsbvMmwHC0hpQr69voppXqh3OPNCOlVKdXxlA+W +PPYrpcKYAQ6lVOfd52ANXQytO+jsM1XZn7tHKZUVrPbwEFa6RSSlkoCZc/hDGRRLk1Jl97mNfz2H +WdspkIiUascZVvq4q0ap4PDvU18oNg3tolQZotqE6EEbR6nSD9BKAcfUolR0JHeY2OjKRqmW/FXy 
+AP6jN6NUZUq3uc62lKqP2zDdM0i4SalAng3XGSlRqqLfTMwXYSdKBfv4c7xYShVvwO2cFqXCWoTH +dCtB6WvW/pOvWJTqJlMxjk0nfZQqaXeT6W7uLKXSjMdL6ZNS4d5W3vqpNV+9o1R1Get9iVKVUUN5 +agTMlJ9UFEtcoswn1T2HVgJb9Uz0e1JFihCLpSK1KOOTKgCU2qPc+ps9qbAm8K9ilIwAGOpcGTth +LPdAonszq3tIpKbeBflguu+kuhuSkIRsnVQQqcbYyeTb0MRJ5anR45YnFfMlkAl8ag== + + + WTypWHfn2rfu1hORT6rR/XKRi26bqjg+qfhybzh2t5U9qS4uQ08+oAkX60mVtwNUN5o6qa4e4Q71 +MWOb3cToN/JMk6ofO2Rpxkpl/OfqbgRFGFB5Wqm0eJqcsVI1nrjcmYCqSuUzjcZYpFLtoWNH0qX3 +8tngGu81qVSQLFhC/yL4pmkVVKoogZeUijrWCQI7ygxLtSMYaNOw/3LrEYHTMF/AcSxtlswRCQ9+ +3//Hz2ml6u+fCEOALCtVtM+bcKEplpUqnwEMJgCN6eCWcLiVysdMioFVxfAc0p+j0twx8IE/YW5V +f3ZQPNLD0WwXKSsVBX3ismoNqYiVyirIMI2uUiHX7g32MESaFK1UIRFkkVfQ7YfJyi5j3Uplm1H6 +f3IoG6CHvVIx8mEN9s/dKxUJpNiNbBpyrpWKJXVLh2KJqns1k8srVeF5ApszqGU3ljYC90i2dtj0 +7SuVyRXhStK+XKn0FjCIN/X0lSqAdhxosUIsZJRXKl7Wi2ZmeKWqNPHRIYTrABZXKgewEiM3UGiL +75Uq0L6TM3MGosjtlYpxNdOgTxdrBwO8/o5rf+4Sr/pXKi3hbhKfK9VeqeYebOohUjLelSpQz6zk +7TOqfeRKpWYzHFV9peL7+lFPaM2MB99XquahUWMJcJ0S3uJKFaePXYGQcgSwVBi1pYH47KKxVDEO +Acbm01rmYKnY5kerIRlgqYI0FZflhyMRS/XwdMN2bUwKg6XCKsOBbYItwysVvNnP6JXq5eFRpAkN +u5c0xQh/JMi8LYMrFUVcfF9cqRzf5ywA81+ppLBNzhVvgEg3St347Uq1QcEPqhB0vBm84Avo2/i+ +UjFLWb01QwRXqtzzM7Zx1r5zpaqCkKqAPOr6SpXa45GqhpTNgz2D35WK+jdCTDJsIkJKHms+qVgq +8rKFaUXOlepnoOzKv2/IrF2pbONHGMP5XqkAQKlSH+iJbX5hzf447wtdqWCsyPgUS9VtpxqflyvV +xQYXmKrWcJgq9N020cm+MD4hTEWzb8Vjdkc3iViZMNXBksb0OmGqsrUiWpEYd2ikQCNhqih8vsVc +XKWYSllB/wapLqbKZAE2dBE7dzHVykUh9CqWtoupyKcG5BBoYirYUzQPFVP5PUG9usepAotMNePe +rAoqMcl2sx+5NvW4k6JJbEIDJaYCqEMexFT3DZcwuR6Qvi4nEljCqQ/0rgtoUZ3rj6kIlen2aNBM +ZWU7gDJkvUYqrI8ofsdUfdJS6s8qpqq47jcTT4mpxh9Q/BXia4uphqQrVLbOYarqHoDnZyC2OozD +VP2KjM8afDNMNc40An1zEpPYaMlV/v81s7swVa/me6Ri74YzpEtIlJKyAAmYCtzqZfqg6WVLhLpR +hh9MJSG5XEw/zsSNUDBVpgOJKg1aDDIMpprUQNSiKPYC/lV1QMFUO8NR7zmlHpiKTuwaaawcpkpu +qGcwKu51xgIjTDUaxk0/TKWCS5D+IxN7dIsqwT7nmoEuwnOYCrjWx/3CVGxGGhyeV2KvYao/n/XB +RhKGQhXFVDue6tSjRd1cxXTrf9TKlAKE1gSENItV2UD335xtMVH6mbmQKJlK7ep0+AGSqYZtWOyQ 
+qWaxdzMEcI4dXj0ylcbUphvT5KrRVraJlSJTgfJuoQruEjOZKq3R8ZpkKt1gwUC0Ll8p9EeXIbgk +U51x9YvCI1srlOTfKeQazUiCsSyTqcoAbMNkKoRarXU+mQycvzMlj/5qICNTuXR0rBWdV4vqC/RE +8UgdMlVk7jfWg0wVN8mBQFjh+4CTkRR2h2Sq5ememHYJzSNl6gB6FdlM9MhUDkLBW5q+cYyaTDXH +7hB2iEbXPYE5WQSNH5lqV9xLM2T0/slUHUjKh9M/uItvDt/gD3J9C7EIYUpMprINCNw697qWmltl ++uuFJjpGZaqnYuRpq12XAFemcm1CyAFA9i9TeVzoK98nmaoDjCtbR6YCYY8Gdi/baPCSqa76EXHT +Lx6OTQBjKh94/2D6RzOmUklk0RzAoRDQhXkVi4SKqY4uPnMQ3N7YsFHM1O8XN0fFVOwDyO6Uz3t4 +QWhBQWiQYipy2jNiCaeRbSPlQ8zaixbjw2xiqnx9CqLJVFlTTij54ARpej5bkKmSjnzrw3uQZCrD +Rhr1H7A5MlVDbohnW4fjRscUmnMU5mSqlgHWdFXRCyGB0pJ5c2SqVhvHE8hU2tanqIhMhRU68owZ +xitT0duc4R4yFT6sRjGZFWZWqbN9mao9nOgHpS0sM1WMnuqjGvnOO6UQQmLNVHzEmdUeiKaZiqNL +3FmmYts1BEGZChVBw9z4QNZMVQNyy5CUS7lkMXJXgc1UH1F5lTPSqJqyIVJ8TgkzlRcIZQ+URL5d +hMxUO05kohI9ZyrSRFrEjvVSzlQbGkRRID4tctSZys1bjVI2U3MzVef8Eb1xFQJmKj99wbF3iM2J +ezMV/N7PEhDI95qparUjYh6lwkwVpXadhmaqpCzPQSzp8EIY6eeiZ6byM9rUWi9XFuVnpmLQC3YW +y1SXm5rMBglXZao0n8zeq8DJadiSypGpuKp1CXtiTabiXqZKggLk6f+cGLEql2x75ehuVHx8BsdU +GqtnrfOuLuJ8ZYEnPL5kqrmjhkiig1RjMhWaqps0DjKdZKp8mmheEUr+UaZa3tAF92Go2JepkDCp +ZLZlgV2ZqnRaKeY1D7ikZSqIrwxcnBqzwZtnmepQjhEgk2X3mESZinBVdZfZeZnqAoqyhcf0kjhY +pgItUa/jekDYm2pWKVsElKlEswXlUaaCHF9I0vox05iKwLLclS91zTHVBnlWwDWDSZjKALQBTLSh +epiKTZoM5TH6UUOGoDUZphoNUip9voWpMO131FKipnLLtcJFUJAMZABZ/yg11RFzlgV85yn3d62m +kgzaoUo1VaEuMvPWNFUEdid8BpYaws5QU8kScxly4SyUUFMZSwrH1DiylF56mgok+Ti0D/kV0ByS +MY9k0GG6JpZGPCfZkHTDhvDo75g/u+ASOwuvqdpdeNnBL5trqlZKG6htBZ1fUWwqjfa3Ry5/baqX +CDCgVDgWGzYV3t6UKs2+BGwqWHFyS0VCzqa6hn6U7iBi9k2wCBxfPsOa6uySK8Rw1NdUz7jpKT4C +l8G77HqN65NrqrtSmKlA2vv+0qZavaZ6oQ7y+jHeV+hUj/xWLi7hTN46MwlCp8L+qL6RUt5Lp0oq +C8vCmGk0qRIxrP/ddKouD8yVQ33Fuf1kCJ0K4M9bKVxSJrAWneodhRg3IXwCXa4b4GfwM/RqODPe +rjKkUz0SLUbZAUQZ53KqwMYb9S05ld5HmxsY8p1bTU6FGoU1LFjyM1xf5VT0wW9YPIsEif3NyuZU +Qz4upqUfnar7nmPndbtvGRvvMCs6VXlb2NnClzrVEFEw56zyR6c1fiHsdj9U3ZTyJlenKhxY3Om4 +n8peNnAm9/Wpvk/Zq4o+1Q5ViN8zwPL2butT0c+qjg3sU82bj+qV/D4VrlHK5K9Q4eIDAIDHr0+V 
+6vaCwKl4oyug6v15odenQrcZg/pb5VN1jlrJjyXFpxKc8gTMAJ9qtdglID7+S3yfSkUu4wo0TF5R +lSCmg3ZSNz19qn8MUikpR1wzfapryStFsja7JL7lq6VP9a9C2ti0vBWbJdWG+30qyN7judNPRdqV +3xApqn6qeiwZzOIHmauIUWPlp9ou3JLU+p0KpRZ4lhb9VEbP0lbQZX9PgSXNa1/WjrhbFOM3vER5 +Nx+W8o6HgvdTwanK4sxDOYsUP1W0nfiUDKPpkZbAUZKScdLtk7EL8FYGM8Lyrg+A36CFXnnhkfKt +7VNValslixfuNi8pg4k9XCa9T2UEOeZk9wn6VGtqRFfV5UigqsKxfySsiD0CVTeKjFnNlwUMdXgH +qoDcGLMTDkZ+okBVM9YD5b6gCvAfKEBJtlpN4SqoyvKG6dpoKvF2CaraA+HKKo2+B/mIoIqKzHS0 +aOk1I4oVEFSlqKOwfU+iZcOk7FU3hBYSMC7TrBZDlHkiraMSIJJnG+bXh/AiJajqqehawc5WxsBq +pYKqH96wIrz/OWhZypuZoKquig/oKkcpVcIQeFl9DzTniHWXKm7dUiOs3ajTthZUFURsB1VgI7KE +Knz0DNRlSBWFqi/oTK3s54hNfF8Rqt7eDH1WOe1B1Qdxl21dTDI2qMoLp8IP2IYxqMIlv64u07q8 +BlX2Eua8J+kgSOoLqlgaTRYBSGILqvT8izov/lFLwMUuDQ8zi3rulUOiBFUVy0TcvbryvuQzFiyD +Pw+ml3BBlWF7QZescxspAu+npX7egvDLuDCzdid0L1+KFvOCuEsHzs4KqnLRXhunQRVwvPU74xYx +qMrlbfl8FK5BlTsBchy3zBa8DaqeMIxjpCnMQRXainl2rUm6RRrsZXyB9R9UVb9ukJHq0+DUfYaO +jPYlYjXMksLCCz8jQtXncM/9O5TkCFVXD2HW4g4uQoIsVFVhrieABG7CsxGNE63MepF7ps8wFegO +w9Ads64fFfkmXgQMVRBCbx6qrGXJKogqy3M0rZwno3CIW74ekxfjU7JFDkCuTDZJv/uOfhBVdcy1 +/JHhvxFVwwccUkGWhAxR5XY3f0M9KLsRVWCfOqCKuJQDUdVpGkI/vmseZYkqbp2/gkdE1Q+LVJFV +iKXsPVSBtuM6RYV+HaqwoCJuKCFe5S/WJh9pFZuHqo7kDC5YejTLGeUQZx4t72130NmKOlSBLyfo +6BDeFS4S7G+Cq7SF6RdnBZ3A9oeqKhtTWTMTD7kp6I03TAJO1M4/VJ0fQXGKEVVF+rWtDJ1/uhyk +Zwscoiqnp2ylP7mMAYV7jYtgpAnJHMdEVC3KdZJ8i2G08i6iiqyocoZKUgwjqhbOJ4Xg+DSIKnc7 +ZqMqdvi/DsT1sS5Fosq/nx73HEnerbMTFSlRdTkux4KLKrsEM0//oU/JdTGe2+xFVUVR6jlaHtEw +Z4sqEVWM+trQW1RpMx+kbb0UCllUQQM8KqoQ4f6UqML6hqxSnFLL5KyXM0FUWc8PZYqo4q3dRQvm +S7iIqqX6A0yhiCqMQS04EFVzikIayUMgqv6F+puNiCq7Ubt8WY4nAWxVYacR0J5IVhzqa3Hi0dU4 +UXWvc6jy/y5+yTih98ooBvUMXkRVMD895gOias/+iDZXszNymD9TYJHnWyuVlWW9IIXve4ouR2rb +FbYsEFXv4K46Po4z1V8Zogon5hYA8itEFSG7btBB8XSyAeuJ43awa2gJspq5VxVgYuxJ68SpmKyp +X8nEf19MROOJqrrqcDloI/gjEFVDPuFm6VD1DbmD+e4EtCTKklmPluZfH6rKSy6PGhF6SDdLSFhP +CwPCbL0pouq+Rq14gMQIiKplr4urDhIr+1AjqraRH4eYwBWaywjXbQ0wDdLHK0SkqakOTH+WC4Tx 
+UVoEFLbFJ6iNQ0yFqDLKji/tx0FElS2biwoA/z4hqqzZlVF+l8N1/2f4lXqwEVXpAA== + + + 0mvHWO43UfUkv19tLnggmo6xn5KWqHo6usSalkQVOOJS+ueogkQVydTyFBPIiFteklR9gnsoNlqB +47MuNqgI1S6BJ1JSxaVnrCKZBkqq0hhljLMlVVW98nCE9qyOJFUex2y2kMTxLKma2b+B9FJSha/H ++aFQWZIq9W4jlFFny0aq2uHb3ISRqgQTCd/LJSYZ76EjzsrPTmNJMJEq2VIJgI1/8QgY0kHD54Al +IJ8EkSqjfwRbGnRUy5bTpr0Hf/Q244iY0AmP9mEEqVKiWvbDvwBeUXK/kCrIH9/zI5I81QBT2CA+ +10cVcDYf0m6z/9L6Znv5ZBhOVr1m2QYsyYaV9lEFl0LjkS1jj6rR+/z/ngr6qx6dslMZ3YkXmzej +chf1VfyouhIoiIreIQcA28pHODyqvoNMaaEfVWwCfSOPqonL2ACpghyL0BkHLIJU2fps6xw/+bAP +kCrCzHtO4A1Rg+ACnALgmbVWHwDCAcAetXVP/1X8JDALloyAVCnauhvEibmQ2WhKn+xNbQ2pMucX +eM5q/mConZZqgbL1zyDBkp6zqY8qqD9w7XVWtrSEYvukPiNf9tJUGzjNHcJ4TT1SLdpywm7iqJqv +kqlyG1WN023dYZLC1aonfwioOkg4Ca9Gm6lGVd03dLE0sEiB+WfCg8vASR9DlR1fWaOqoqyAa+TS +bVR5xXxfjpCOi/QPtFGF2ybE8Aw8NnRUwReln4zWK/O44l1V5fbxvAGOi5+jKrSIrUu1ekuSG21U +IaEVF+bnRpXdKxdOvBEG0vK36D2Nql6JdzPeIdeJpXzhQNwJ3Y4iaSyAdTOqYEVI4RoDWNUCdydP +3w3WnVH1kd+BQKppuw+J1t1bJjKqSt7oQvGp16UlqnqTAnK+QpvimHdQ8tIvqy8eIUXD0xtiThg6 +bsh4a4/1v6JI/Ao5zMSi+eYq2StRBeF2arb8RJX+y5qaRFFVvwHG+QyVpxuGPJw6YWVGFT76o9VG +E7I+dBYaRINRdU69psuoImk4hymzTUZUBQVRTrGB3KuDmFWLKhy5q38dSFtUZcCzKdcfcUx6PqMK +MolQn2nKwcCo+t8Rsc7/PJIUgU+p4P7TqMKBwfPq8GACKSpY55hHMPMEpGvKr1TG/9/siQnCwCfP +NKpe+WLfUQgeNqoiULMT9ZHURlWAXwFkHAbaFIZqVNmIHtUKM3sRWApKwX0aVYP3ZritJ2h5VftA +sKhSyj0XVV+0e3iWLOOHid0U7R2QoWD5aZDYJoxRBWH0MN7ASxPw/0v/zL6v52hCLWci65wqVII8 +/VUuskyC2kDLwPMTXFEXQBdnVAEWBjiAPkS+EOmIMaLC0lWVUXV7YHOySKjOM8syKziA/YpR9THU +hcWsNKq6PM2gG1X8G8Sc3qlwDLOjymooQoKoxbqdylG17a9RdfagAwEO/ZSSDSHx7vrwwnXGJb9m +BmWOqk3qGAX0yrdBjio4McgNnVGajyZ4d40bVYf/b6fSaIQMPtyoAnGE1YB0VF01ibYvCXiXFvBA +ibL8jipgmLsUBo2DcFSZTEA1XHdUEUhj5w5I1bkTEyGFVAGjv5RvNjvvWYko16sKrI8qpEBkHcWi +PjmscwcilGfXgnQhRlW9h2wRG7PhVmaNqsPU1nIoyKQbVUf6iC0KRhUEpB3K6vdCFMcEe4yqegNh +sFtu5TKqenO0YaWltw4FjSq+acEcacSz2qi63Z6MkzOealQREpWEw5YoYqVGBUOjyhT15OwONUWb +RhUaxs9a2ZaX3LhRBYcU9JIOX53KRpU5xvqRlkiTA7ZRBbJsNvF+flZ7pabkN6rAbV1RcX/0Ufhx 
+Y0KX/GDYqMKCRVNODTiqVN3Tw4lNmaQmaDqeRYovgvGZFbEwhkqRKrO6ohT5B75VbWKjqlwkQNNF +UE2jSpE6xsJEfWLYMgZco6q18Wgl9K24G1X4bSPOog75/QOjiy1V94dIoqP36vAdQn6zbqlKhnV9 +XKrSjC4cVYAsUIUqMzJhezDqAGihmnzuAqC5zy5YKexx7PjSpBPKsNLRjlO+fq97shlbJBhszoFE +zJpP5VUckvGphBYKQs63lvfxIjEpaNlT9c7nMsRvMIej6EsWZQXsqWzk3AP37am69BPnG5+Mu/WK +UOX+msrPqQslMRDBI0chkFrYI1SheskWvA+E/dZrEBgQVB1tIFBwBr10ixCUihA0/UdCWWQJVVD2 ++DAeEqpQ8F9/hDgQqnymMJV2gb7BwvzEEsKEKmT/qlga5kKMUPVjIcuogTtPPsxjDUKV7diXorHk +FaGqu0LHNGB9/11oPiNU9RK0DQLFwGmJzEsCCVXlPLFExsyvjFDV+RO5oX9Hn1AlPKML6lhIQKgy +c5CYfEUQiwT7z27/hKr+fPOpnV1hA4RXQhXAtLeagNFfiAhVQg/AuFC6hCro7jMUHQ2q2kJ5sip0 +RHjICFVrMOPdmppoQlXlamgTDdvyFCBUWadK0qDW5kvLQbaYTagqJwENtKBva+jwxaf3hLW+TtXT +qz2/QS97fx8fjd8zZ2GvtmaG4rIXzlISC7Oj4RHgMOooMEVmJusygzi1w38Pv+8wWKyAllowCIyU +XKK89c60xp3su3rroi+NH8y4r8VxTXXYV4xPbYa6ohKflUW/p5ewYNf6HyHKcvanRmnBh/mQFysr +jzopIL2MfjyFF22N4ICImgqGgW7Ul6tgwnf1pbzlYJomkfVDi9V9bG/b+ApqUImY+YPQ829KojB4 +U9wRV0mY6EO+xMe5YJnu4A5h/FQJtleNdpvZvlhJOtMRmA18/uaSv8hVRk3qNoKBNJJUwfdPrH2Q +MgnUMY6Orq4WCLg9go6aV1mL2ItTgRhONC3kjL/LSicXxvPON5GKLZJVddR2iDhIq4ht8BD8MyQl +sUuw7EAfcX7n3ylxUZX0UGQfxZwvOnIdrcWyaB4G476Go29+P3KKafrLxEslhT9eOGgT+P9W93y7 +yEYspfNsdeWk7BSd7yUSArmclcRvfmpNfHRyTRKYZYrAPQDQx6rMQe6u1gGptxqKDrsdzoS4KH+I +/P1FPay/issilVXTgEQaJWkOZx+zC54fo+CMR6tAN3vH8ih6md1WVZprSe26uzwWb5HnqS2wSKme +2R4NAMuIvXSLQkIYgNY3QKeRhjhGaK8HZ5QHcOdSs8CU2A0apIQexBAkymIC83rQRSumqQy8hH06 +YCxDevgoHZHOOikvuEkI5q0PYTrzv8AmcrQwMBN1xJPLnj71POi6mRMHJ58ZwD39/9YKQeUTZ9TJ +wjTGK7LujhU2WI/Q0VuIm6Yugo+ROQLl5/+Od4FPoBlGRxFSCYSMAz4vNfacbRW3s489JXM3OVIX +kllLKMvJ7xGtULlg+Fyo6TkISiT0NzSOF8n4BKYCQBlYirYxObsbqkwOxLTNekWEmq389sdywhAN +feAkxECotoq/sPNi1n7JuZjUtMH7EzVbCaIHyAdydWbd/nWv+SVfgNiiCV9T7fmSwmGA7lFyjew/ +sgfmShTp4DLsxdzPcZgDl2xQBpi9vKpjYIphGKGrMos0EVWD2yuTaQtTiNpF6Q3Fv1IBLn54Szdt ++89McVCpOluY7+PVfdnQQUbrZgm5jVHIA4eXbGYuEjpbfe31ESMy7RGaLo6iHjDTeAPiVEcrC0al +s1Yu0T0Oe9VDf/G2dBs95FhXLCR1XRv8LNsqJV0diXnCncCjxC+gRkxpY5AftuJ+wLjw8rXqPzwV 
+bOd3aODq+zPDxYleA5gNe14ZRNgxBxhTrpKVsFAUXZwXDriUsz3I13EfGDGeZpNiDBRcju5RcTk3 +3Qk+60FVHQ8xFABgE+DwLgWTXqC/Ovo3m47dq6ggJZGkhWIx6BY9LDnHlChQBU0kxs1qF1g5fMt0 +AlqZu+8XvctQMi90ZLoekWyi9JgJaebsC1YRTJ+v0INUE/6F+wj/GtSptU50prDwaq9Ik6xzsrVn +aLkMdxvsClme51Jl36m6DTluGoXwy8D02ne1OK8VnIPoEH3ObWkYRsvBVk0RdF1h/E5/eMLx9Lht +d8z0f23CA9oz6QdJAs/Dz1r/BEUR8NNZRwMnjmMT4mFZsgv1tX3vte//46m3noFkIqPG2GOMCxar +RS2onMDes4vcV+q450iZNS5D4FtJqrnSZWvd6wf/FLKSwZq7GwacRsiJDnRVQP40WTskP6qDodbW +SyQzlWcu6ho/ZkYeBEehgCPfEyLLJoUzagR2XXIHsu41h8CAZ38mkkeHxUugjGfZzRAGxlsOdcdn +eGL90gPDCVbU0IJ9wdR8ZHBaNJP42JbiV3s6UAi1HRFOpvYaXL5wQ3xz/s5xdAHAcawQAuhsneEb +vzaFSYlTHvbc2sC9y9OJs5fDp80QEMwFf0lJeM48ebI8DfvVLabUM1w+NZXeb0RSSgmeeyxQayF2 +BXr2Aa5+onSF4YXaIpwy3B+Aarxfo29+xaDZda4WVJcKg7s/PX0jwUCdMHvftOzyvSoxouCiP1u/ +PsNGqtYHhDmvyW9DokzOkTcvMrxw4Ed+fug/hcC+iZdB0nr+VoaBwcnnxgTAVy+wH3pgvUlc6ZbW +Z20yRZCK44nOfgxXiZFwLz6nzJo0AyAsIBq7AwK5/ShYnlETFT+/3ruCmjyeAuKIyBITOPsIxfqy +xfXvzluW4fRCqAX6Evd0W/aQXwwAp7RHVMnwWyG7OJRywTTsilTwzrSVWlV+dic43cNl4RiSPcNy +UbkN6olBQC9HxHpYRhFHU2JMsxmIfi8ZUciuepReW7qLdxIIqpKB74Uj76sJMoMCoJvooI4siMUG +W4lwkbRt5FhU5IUNqnsnQjUKiglyl1SoLltZUFZnHykCxGKELlJeS0wp5sHUApig9aqLcLoSAndh +CJcGDi6Ya9Jt2Lr8pimoHeKcge2mC81Yhux2DhX6oXzMAonB2agga+w+EStCvO8n8I56Al4tvTPE +LChkGiP6p7dYBTkv235cN6rgwuhFjQtAukzdhB+M6WnAn2N0i6DskAggMkLMEMFd+QiNWutImNXH +/8H9wdVCu+42E5s3d99h9WPn3g2JCdXUCD0T6nE9pZYxLQFeNs1RTYpSMhYY7PHfaAzA6JEFARWw +9ut53r+cMVS8EgYuBoEDtP/F8sApoIhcMIAq8RWZbtmSPtMzFWwWrD+hW4715iRJ+vELKJmHag1Y +v7DRqkU0STbU1QlV5zwvrZq0CkufuQgRgIPYQYpaguaULLpJibo0Q5QskGKpnQJBdhjGgSw8+8Eq +qVzSWGvvaxOEUtZCrjNpYx8cwaGXHm6uu5OJTKU0myG+yz2U5BfQDFtGJqkw01NPvI/hsTtClxdm +nrFX/6PcPOPtzwP/1hwRITx6RgUhbG8mGpc/EUt/fXHr2HbJbQp0YBC/QaZLxvUJZ40pe/2K48I2 +NBcPnzsz4zwZLihw1HSa+zSK5bLJVPyN6sCU69kkFI6QBGwTLUnvKSUxmFbWhV7Wgw== + + + RExgcdWnNN+nsbCG28LHlErDxGalynJOca1Flwnhr8foWtdppi+5x9u13riUCFt/QorDcSWyRM7x +2+WofzxYhnn580yiQvRFiHge8rhYq7wxymNBfMjhHJPBzV1Dv5KTJOFQN22gRXHqJ4ykEawCmdNh 
+2jgQOwcSK+WOwuP7FC4QfV21WsK5FfZNtUZ57byL8CgDoLn9T3ZZZjy/wotUs8WRSQzP9rL1YY0y +OgQbJMOYMSSbXe+W6OHgWS/rGag9H5AtnBp2qYCPqnZ1sowBOC34z8ItC9pfA4IB1htCTWOnxfO8 +v9CEYxjb40E7I31DNwjUMBKQsZUeVtA8bRNyFZz6pJ3MxDpLdp3qIX/fknFKaVDVvCEIAkSCi0Lh +OLl8DnFcYnykCV5TPSYe2rkfYYaTQzktRUYp9/8iLXNAzy/aAngXHPqHl+sIH3LKMNeeGHdh3XLE +Ut5InlL6s0tAgxEn/8kfDeteo5SaobHHOOBf8BCqDmtNoDTFLJ4yAbd4VgYgbTT4Z0JAYdu4rERv +aR/TVUCVSg6eDLh6Gtx7c+pUwg+smGWCNautqI0vOkYeg3gBdAQBnjfjQJG69llN0A/eeJ4wHmIS +SGTmAhy0WQexU2x7Z4QXzE2X+znrgeUZ7ifD3Qz1Ugo40g6qNKTChQRwy9X37pHfG/5A8NGrPzdu +lzws1DERb0awUOjF6xYzGRsAU/9rebEPIHPcAFbQVqEgZ4xfaD5WPyUTIe2yJ9MDo8v1W+9Rgtgw +BVStzcJF5NZ2Rcj/yM9jgs3RMd2MhVVdHmsZwpU4LOokFnzSuQRBkGOE4pg1zb/saKtfxRcVpIOT +9JJfpK1HN3ZbbP9JDZzJ3rhg6s3KfbHJTAAZFx2ZtK004jbQ+9BAhjuGGEm/sksbL/Vr3KQwYoDW +ceFLXEw3PlSMv42CAykfeK87K5IG3Lf5vyNGqhfbCoIdkHPGCsAhMubwVXlH9cdF9AmLd7TzlAEw +cRwOn2caAZ9+++nGSUtWPyqumo2R7XtTl857vIACmt5YGA6wAQz/K/TELCKFVNtqQYMBgwF7ATMe +bWY8g7qL29aJDhfq+KwKg8hRbMGwOjQTeG5nu9BpheE9BPmsIRjUxjZeJ43YHHgJjszQl5fa5YW2 +XyMWooaw624kZrNxcGopRwJHnV6TOfYREc+hbGYabEe+pIPxoAkJRwiHAkM4OE+2MIqHPyrdjwc+ +xm5mouewY807Qfx8Dg+2R3HwtGQUmRpDmZkhJzIfst4nYSHFwolaI1RmQSQEekIIDqnDufNFg7Z6 +a5iHBTMhVMkk6+6FsG1fQboIWUV988n3b4InU4nXsIaRD+Ym9mKWKSyCQy9w8ydmKOVkQkVbJ1Fh ++zYVbiIzvAWpMgeGpKIi8JTZjYiRKWwGa/FyQli0DHsRi3URumCELiKqqDnGHzRxlhKTCNJUFx7K +WEPEb0xBcTafhBfMTeA38paghUOTh6DtYRwXoIEiAHaXWLDEFJSYxBSMiXVi0wdv3rYQmoOWAKzD +CIm+M5sY3kJwWqUfx8KohRgXVjLEIuIh08zwEg6SEw6TDXkrjfJu3JMbDSZDWVFYFDQ5FwUlLpL1 +I7rwMqKwRxQkCOKgkISzKu93wtVAak4JFE0SCifvBykCJ0KS9JnAUIhjiFJwgxYPS9w+xOwhQrhZ +L2TCPOpSpMDXUwkMQ4lOsaOQkDNcr4tiZb7qKyphImo8ODAohSDDKbJNRbIocCNyTCic1OpKVMO2 +N4bn7WqG1U4JTi0pzLiHEEjQJw3lEFWsmt8jUYWhZSo2hlpDKELosgmWgialEcORZlPxhyMNBdkQ +RLt6XZJyJS9e831TOy98pmEu3Ix+ys/j2s06rs4fyggiqeYMh+9Nc4YZZpiy7Kn6fFMJMss+d6Pt +F6kfoQnDL5PcmJHQj5SKxH5NtxCCTHjmTym05+ENwZdQb/gIfuVREzOXd5voyCqbRY7nocs8XpmH +13O3E0vEwx4JLdSzEMR883yhftziwpxuFR58tSILsV+kIWsltl7q8EvjH2kluBP1IsJswi4THjoz 
+pGWuqf+O5PV5mKBkwcxGMZGQiCBjYUFJCiYQ62U2BW/Y2uyRh7Dlmx8iHj+oEg/vJ3oWMwI5oV+R +f54/VEItd7zz12lTrZovvPDC2+aWLXsbDechNKYS9o5mRppP5qAC+YfLP6QPc08lSM0gypLnDQ2d +z2VYHlI7pUkCg2r520/kH9Lf7kzQI3XdVTaeCO9mTlIRSZhBPmGac8mNRzvxeWerlHl4x45QXbhH +aLi8yV+oPVvmYc6H+afUz+lHvWrL/O/MvG9FlWkZOjc7YcT/FRwY85B5rQlJHfPLbrwxv+xO18rU +ZDSP8G/a/Uinz/eGuad7+37E+GM6dqLaEGb/1444+mjlmZD84dYKJxtuOKeSVxTkYbEg2+OiP7P/ +4xNamfnVCWd04bEKHy7vWJxVpfKH9m74wUmD/6SLCEGTjv+k64L/pBupu6nEt+Yc/6UqgyKkO8za +cPuxLliiZTTIqIUzoWLVq1WRCPEgE4ZrCQ/qhFcdLjwEyjUPgdKFb/qgSrQyHsPXN9rAaUo+FI0w +XswYWgNlNh7TigaVw+aVJ79WTBQRLBYb85h99nijqsTnCw3ziVr/pgtRieIObFCH3xpYWhwj/9t9 +wZdyY8wQ/kDFQ7gEKtyMMKqI5mFQCEJKFkRS1EkPOYog0erDrgrDKgw9IajwYpTmQcUiSHHm4SHw +6oNJr+GxvhPy8FBjLnIUOKKylviEfwzJRAnhEyiRoCCjmBAugW0bIjycqkUixEO06qidFSRaKIqh +SDH08Kkh7qPpw8ucSRGdcDJQQRFYybAWi0OFZXeuggJPxzDESUciHIf7l34l1nH8qky6nytLeeZ9 +habMw6vSc4YG0bzjoO/M+KF0JTRneBye8CfUExNrVFPJ/JzhqebTiHAlLofEJY8pzxUObkX+uRN5 +mBtE/jksIq6tSkILkyCeNPzXZahC4dPSiuUxXrBk5mD53/rhk1YWAy1JDJRkzcsFWqRXhGKF8FMS +Xn8Cw7rQ+bAiZUIjBG5ueSSWSz1R+dCevLVadzNd2ATxrXnFp66rST7x0BiLO3LQIWSYuASlaahE +e3uu0QYAgxZwwBAAAALAYGAweBr5AxSACF8mFmYMBggSCgQYQmChI3EHAMgByAIAANCyUaEw/Lo2 +emKVHKlLzWIjTQg+uWtsVChwuglowdiCHAoWAhfTTojEJnChBTB+MgDHtwKflo+NCnkqIdt/jwSP +0bBRIe1h1HLaRgVjnSf58/qNJlICF3wDWKEBVMiUmMAFKybWzY9wNtyocHMpkPgsfRkbriFwoUze +8ryXF3TBxIVokFyptE4aykaFum631+fGSJvARZewU10+FK3eAOszVQjhjQp/8pTnPhG4gJxHIV7y +ongCPoGLq3M3GFblxDXDRaEznZUJakqO5GsCF+beOx5aZWfZjQpF0zMxT68teaq8B7jJHgpczPxQ +ozlJDlOAEhW6vT0keEvUM68+KTEcs4f8SlQo1u5dFyJXCgpcYEnHoUkrVzQqcPETEx8CqXtSFrj4 +nFaoC5VnUV9QwX3D9fQGBkBhDFzgZuZkInaRYSJGOgpcMGRQrwK1ftqU8xQKtfGT+KrQzENQPoRk +/XRZjXowc02T3SIXuODEwimJNnAx8UbKOs8e7KgDAxfflktaPn5DNgVd3iIzqFhX0ik0cMF1fVFw +2Cl1fU29c7UvcNExO4wGLVmJp2MKXU+wKFHLvRujW6vAxVix6ZDHyKFlAbpe0c+tNFGfybG4t32B +C0fQH+K9g0gLt5h8rBQO9EgPKTBAAlL2OI9VBi7KfJGHrZIO07K2k/wmBqWoR+mI4SvstUDePcXJ +f4J1bIf6wMU4H2RUeGPrHjVSiIqbOej+Y2Tp9EeA0/BMyNzqEvEHLpAlL/VOWt8jWmwdCR+4mHKJ 
+0f1s4P1Ilxy44Lo3Y6QgAmh93jlwMfR04U8TSHYJ+721UXA8vGrcgw9cdC227xdEA39U4W/Ysvav +UQY7cJEZ5kzUnwcuIJj0vM8GZAcuhIMiW+evnQh+By4EqNZJUgcuFCVFMvUQc38BxBHvu0IEF4qx +8FywMGaNl5QEFwr5uZxKg5E3wYW4YX8eq7KD/hRVVHCBnZ3LdITz6ALcM+NQ0FUHRnBEGEclOsUr +u+CivAX7hRgh+fBmbfbD4HMkpQsuiobEtWPXHpDrAQsu0BG3thsIDGALLmbt9hAvRQ5fjb5et+Di +TQcFuqAgFfo1Qpp2fh+DgkBwMCHOWUGjpQsu2MRYTgUXfT6Z4KKW1RMhUYILXR1aT/VNdQ+BOhgB +ChbCyGl0g+jpCC4EYCXEkpmtaJFZ7e2AhSmCi2+fjVlnHwT3L9TVqsMOwUWJ+Qm8lAguZlxuq+hx +kLbPDiS4gBeK3ENS20jOD8OSSHABWfvKm/4xcFNwUXibl08TG5O9/CxGbU/+FxONwO+UOpmBrIIL +Pfja/mUdHQ4/MYi4Kq2xKsHFZ9cFjahFXOvLFMOy8QRl4/rQllJQXhu+SoZvgsw9jKOfQHDxhb1K +QB642LqWmymzHHz5sRBt52M+nTHAI0CCAxclCVWwB9uBC8lkOyO7AVKlpOJ0AkEVFyhVQrULwUVd ++SPm+Gn8wIU4Vmti5tVLB6NXMyesmZY2AZp1ypAHLhbk5hKIdgwWI/9HLiekEGgkRQcuMH4pu+Di +BCcKfJ7V0lR+WZ48eBQxOgzOxquBk/YDHrj4IR6PRaWt0+pvNHkTKHY93gQXhUhiSRhpwgQXa62A +HFssR53gIqOShMbFCNUEF8zeJ6cggKO1Ct5LcAEjaHuSnK73xTYwlq8J916bQEtSvL9ppHw9VYTn +rniA4KLysDaMJJF7Ro/gCMQ6FjYEFz4QBu29CTiWF/ZJjppgmUTvPQIJP288jJrwMBPkvFoct6zY +/OMDY/znJHopoyboNkkv601mtHE9PQkuSmqBfA5O9gq2IQDBxUrMs+w5VJa4g8WTGjUhRCNQuE6p +7NYHTEbNACli1ATbwzduYQApjwMXVtc3t5Yt39/kuzpwcfNcQiGodUsfUKsu9uaBC+XNF5wzaTRU +Q5SkHHlSIRk6Z9DxecRHmgMXWncLWWUITgG0I0wNXEhFIiYYvPL7wIVJhpX/8giP5f+EYoefxAe9 +HLsWHcRyxiZOq4c3liBA88EDF9AiuzeCLx02iB41ITfi7LJa1hWsWItLmAbbR+OK3KvcVVoKamXU +hFZ3boBa41gU5p6Bi3YlN0l4YY3RCW8ocFFHpsPDbGqjyPrBoiY41RSaRKmxaARwCgMXLaWkJaTM +I45dckVNiMuQd0zLyQKYqAnCUy55RzdwIcSxaoiU22aBi44AKeJNoKxLClx09FmLLHCxZV7sVVb8 +E95nSNQE16u3AsQxERnT7n7njQKfStQEL/AzA4IKXGQj+buhec6W8t117biPWSmiRA== + + + 1IQipvSjNqT3m6QCQ80p0G/754vYgoia4HyDfBL/tRBXyP/54vyswMUF5JK49cyg7IXrfrpb63n0 +4czDNSQww8pHh04GqCVqwqLkbVdRTxs3asK/UzaG7WPEYk0wtgCHj5ogqlpohxnnCEmSHP8W1ekM +aN0vIpv/FjcdgieUeCJKSgAmeiOZ3YOq8G+xcQ9GgKdRlBF+rhRNE3wj9LOM8m+xpdd2NgynXFXT +hKVjR/xIPqCIrX/WvwVHNC+8NE24uDLgT1vi9Rk4tcPxfc+wv2n9b5EK5NPXjv+IAfb1M9QuO1cG +wIXX+7+jOES7O7IboAnlBwH0qy+aaFaVNXzqzoT4xbSfIjwSjLG4ABdm2ZV/pAxaA0R9oAxJiLPF 
+ovWr/aVhBFyk9KMGNx56jQ9XjoCLEQXcV13Jqsy9ZR0T0BPe9COzxT1pior1BVzYo+/AG+1aEPtJ +wEU+nLLJOMEsiQBJRsNn27RZwMUGgfd/vi5zgItBL9idQQBCfxJEc9/NCnAxDZnbVbHuouKACyAf +rIPXHoRDp/HygItPWrdZYN+S2AEX4UKHLgYoZHgCF0IW9emAYL8qE04LmAQu+H5UmTxvTkh+ejgy +iCMFLuIyf0mefgIuJaQCF4zT+9qlIIwAm1ALXNjySWw5VXuBcFQ/l0DptFB+Q80/C1yYQxyUGubx +71jPJcQc9aPVDwLemy5eCjrwz+WwLx4DLrTQGKMkpnzRAy4CnM4W43MF4ZT5XAJtuoObrut/rvx/ +LuFuGwvXxD7L7OYSXADCP/Bg6Eig4AacAhfjbSdSUIGLVWaN/4Xug9tcy9YO3yVvEwduLsHE2j8G +SSDiKMG6PP11PKYtcCFTNnU/cDEen+P8p6+NPXBxtXw31eiL7B+4CAM328WBCzH0cBiCrCEcpm9p +QXDBPcQed0Vw8SK20d4nzyXUVV/AtUOMjeQDF0ej5lrQuO1/DmTBcwneEBPASAMX72G6vKRxu7uK +5xKWWVl0fhr+uYF/G7joD8IzX7wbkf1cgktnB5iQ7DYqAIsMIOXXSBLuuQT6QeHJP5egyVEbSjbX +rwlctCpKD04Y+0649w9ZAhfA3xbKgaKTdUhsmb8Iiio6AhdQBr1B/AwwlgXwewMuKnt4+e3GI6bx +asAF0RVC69r7Sgt7LkFQMPy6LneqZMFLFFb4XALW5E14gKu6bcBFiyotMmTwTS4hzyV0GndbdVMW +G3BxVFlMw9Y8LBD7eE2HkcUCTA/mUc0lFNcLwXKqWhIkNanybhRam0tg/FWq6gS2qVri64N9+tvm +Euh1raxjEgekAi6qCbnWXxuneWOxaFjHVR+lVmdOxJcIL4wLuMjAg2ptzRHrXIKNjVPYyiTmKhoc +I+CiUAqYD5FMEnAx8ROWU26xnnMJKF89m3OJhx0BF0F/SBa8JFDpNOBCAjM4blk8oNz83iilMiFw +IWzEdvcF/wg3zKDOJTj9ljr0MwUXcDGMzh6W0fHAZlQhYGpLwYUCLjAyo1JNtUS6N/lr180lFFeD +dB1ABBl2KZweB1ysXOFYjbeTAdzmOT3girLx3iHgQiWFUr51BVKrWfwLMq1ckxN9og1ArdsCbFQL +uGCt8u4BF9KlBC7cl6jcZrx3gQudt0GWbA+gJcR3vswcZ4GWsMDRgTJ9CtrXekUiuIhqx1VLoiXo +AVFA6tE/UL/dWnv27iG4+NhxYhq0Bu+B4OKgo66MoxWWglPRk+rARXFMGAqRkhmXbLyi+t25/+TP +OI/Gx0ERKFrCJZgF8kxxIwoc6aVXprpAM3ChWYZ8JdJUQ0U/L1pCz85PgO+8SUgdbEqxP4Eu+NGF +az9DtIQhT1sy/+ct+bXkM3BRiP9UAOwraRnREuipZu2BgYtQzN4W1aYspYGLUzl7WDQro23gYmpE +b7V8FBYp81cMxVMIvyxKkH8poSNZBDbXg08ULYHmGlOgKQYscOFwnRliI6xV6fRf0YSqqpFD7+VK +8VbgWT4mEtfb4iAFAy5qUQEXB+q55GqCAS6OlLSz7CbgYpepDptaQ8Tl0zeKkwtwFIohzwb4IcBF +zplHR3uuxPlu8G7YABd0yICAiwNvx0/EB1wgovCGWBpyDaWFHaMlsL6K/nSBxd0J+INqiuXcPeUC +vCU8u6PK4hIQUY/ftOWN8goPxZCKt3he7lC+iMMcBC42R227onOD82gJP9Yf0J+BTentrMLLPU9J +atqkyCLefRSRyjT1N1oC18+9b7kcQ527S0YKbzh1AheTl8I+B3vJec5GS/BVf3lXGrlWlyYAKVZH 
+S0Bn2IPzlG7XhBMf4EJBw+UYrIjFNVQEnXpW+9SSisvSA1wsv0jXXBVSGhXg4twHUVwhqGtrvZNN +IX79KpqY/CgnOePC4C7rxi/b9B7UaAk9Uf5LqDNNTfPREvJLJiPI2IjgpcqN4I2W4KEtWIljzI8d +LaEcWMLjrUay/f2o56Ml5N4VYNHKz6KaGy3h7SMFjJbQPk0j3+OUd7kHg4Ip4Xj5TA9V1/KtR0v4 +eBhKsMctMW9CRQBcvNf8YohJKMAALuhUjWljWWUoSkGiwyUJsgTMDuAJ4J+YJgPgQu7jNDGFbV/4 +KfMQRPth25PqTKXS/xa1XFNIYvW6EhDrVrU4MB+IaEep7WwlXIAGkbOA41gJ/i7IlCqEXt/RM8b8 +t8CkBAIlz9Lrx0qoFYDEwIEj/8ZKcLnR72d02ftYCbfc+tkkKxERy7mRKMZKKKf+y83E0Tr+LU5D +5aT1pkpIfeqO+2CxfwsPJ4UM1/Wbs6L1t3htAd7jwwCFEzpKGCv2iZXAl27pt7POJlb+FjJH2q87 +k3Gf8POg4fkPGzVr0acFNvQ+ceoD7EP8XBZXcRY+7gp+2qzSf4tzT+nMKPBgWQuVQDgZeTV/5kRO +6ALr4uSl7BplfT3+TOSUsExGwTsaGUNgb7l8/O6sPwAuJgg3GsTFLPw+yCnBW4HQtsZ/i6SR8DAt +0EC+ubgO9jK/vjGnhCS0enmih6/O4VRPnRJ044YaCpNRjFxGhc5xpJdPVQJcVInSj9iOOLZQpXPL +C3DBru4U3l9V5JZZgAsB43U5X1woYks0wMWMSSPDL0jP/qVD5pSA/m8M9NlFfeqq8HJKSDLjxC0D +K7yBnBIiz5cn0uTE33TklJAr19+LJ8AFX4K49+TZwznbbcA5QudsY5PRzROFUsIn/qNDCbiQD1VZ +UfmyVFcX4MLkmTsB990twEX2ISaLxFxSAS5Qo/NkznKyFzrRABcyOU3kIQsCXAxf3x7B/1vE7xYG +zWiOkPpcgrDOmhwo+H+LGvyx9jtB4N+Cm6Iayd4MmeysrU+VQfeZ8W8xN1rYW3S08HOc+bcIvwRN +LAnhsn7/gvO0LKCSkE1lBBFOkF34twjaJwkUAc1FsvkS8G8Bg1SlNjFkuuDfIlTpSm/R/WSIyh/w +wv23qE0ouletfQyEli839PrfAiTQQFzD3AJjVd31YP1vsVxc0BkJqCyoQsxIMKHndc7YN5tXkGF5 +Fwnm8uRDKxH0Cu3sN/xb6EhpY901oP4tAC6RsNh/IWp5JDP5dYZ/Zk2IBA79ngnv6UmDZf8W8uFU +Zp+dTSc+i8/CnST3PyHBn6F1PpzCv8bYthBHhn+LYyT136LP1TdJ82oVhAsYkBAt2Q6VRKSwDYWq +z1l9ZuqFAHDx7RA8HgU5NS2YOmQ7++7oFgZwQSU9PCp0Fd7vGZvLzJRR1ogL094crX/CRXFPna7b +4mhPpt3Zs0S8Gc0hAReSTAhZJlg0Gh4h62iH3hv/kCpAJt0RRKkVCtqMRm+xIxzNL+pIYr+v6+El +azh/0Xh3UxXB8NBFARdfofsbJvIHXOgF4eS7FTlKvZugBFwYmvQUCo+Ai9OPHOrtrz8OpwDSkJRx +CQRcsHowfGPD0H/+b39ra51rFH3bhFv4IuAiIBJ8YNMPR1LMRCP4orHRhmhZR2SYM5kmBgDgApGJ +3wuktcbwI2WEftVrBOVnKKcZZIRgkQXAKD5GcBEJTjommxlFyeJlo7K2mW3eJ8MM4EKlrnwcIT8b +bAAXS/LhnfS8tdRQDKNsqNAKwAWjuRWUnhV1QbMIA4/haSR9ZX0iJHWwvY0G6H/TwQLARSGrpYcS +s/mD2wIgQf8WhxLgb1HuNVxjVtUIZum3mK3aTds/+S2ifrQxtehBxgKdw8VvEci3d6Xi/BbZGUxc 
+tazKqfsW4u/nlMgE5N/pWhNWJNu3aD5jqES0mgKf9i2AhOX5y4xYJ2L7FoeoniLphHXfosYL2mXB +rQeWACXTpa1oRVbR2lTvW5ilbup3aj7Jckgn4eN9C0gfgnZqRCDP7ynOfYsKwPkUvQFE6KmEBSAk +EJZuEt7oNbhPum+h/iz4b5WaRpAyeimdIKd1VES3oHTG0Npuio/2LY5U1bfwSPzSt6jlOU+lqnjb +ByRNKjgEW30CMmTcbHQPDslsWpuRezUgrnIIxzsIOoKDml/Gdr4oaiuqedQQIv7Tw2mIGkIUv7gk +f7cwQe+SoJGwtnVN6luwCO/z6EuKHKxv8YbI/pWsYoj3vE0x5V3RliHkV7sFXk5g3q+mYX2L9iue +DrrVYqEkEPP5FvYHcjCgNJa6lMhPBExqKJ+0LRpbT5dkxtKZyAhvvsVWSvwaIaqJ5oUg3twg7PSu +4edblGs+t2Nm1IRxvkUEGE9iY8i8BCLfgnKtlPWoiKkqBLQeWGgz/SM0TzoTt5QUmRZro83EId8C +Mo1Ap29Rm+9fhB2GoLjCWe5bfvyCK/QtmhX7Z7UaKSKCvkWPXBJ/+mjfVsfYZ43jpG+RlUkQsInI +P0nfQvUaVUoHNG9iLcVLsn8pHY+7v41Nx3JM32LZBYM5NKnoW1ScqBJRUH/jYzvaINSPqND6wfHg +s4z5Fmg7lq/vbrD6ZBCaU6dDbUPzxVZxEwMG7s/WlfBLFmk2pMwT687vFJuP1XkFIVqtsB4x0tBa +piBwsIbgyZgYu3X+HUrf4u7FMSzd+udaj77FXjZIFEHm6VsoEZGFQ49v/nNVxwBXp9RWrPoWhz5F +AKp0IScOBPQfP/2D4Qsuw8tSNBBCryNexmDNseQnKwPEm67HbQ9AhJmawTCekL5FC424DB7xgGDR +NHC7otWZWJYPYhxaPOxbANPVEP8LDiamHd8JUzRxKHdBunyjSMu+RSeBH7LufVZyuAAMu8tTkV2S +MKnsddm3QN8wO8JEI6X1LVgJAw6sCJX5Li7rW5T71r21DWq3pXCaoERYzhVu34rbHgj8ZgPiiJXS +4H9MpURgnHihZMxjN7A2Y0v4fO8snVQp+xa42lmTIo8rwPmBy5qQq1kZxhtQR6nqjtu3CFrxA63S +cb49VENJxxT4gW+A0SqzxSSrKX4LdZngUdb5LT7IV5dUs5MInP/jz97Az3QnPHYLV4iVfgt+YdIS +Mq0O1gc0j9Mv8bdAJ18oX348VCO1fBK7wR0/rPP6HnXcKtzHrKQDxXhzkPAiKznViw== + + + Fn3TvACNYS8bgvVvEYglOK6u5v23KIoYfugegBjpTnyQESsDXL1cBDEmSPobJJEKH/BgFYpJ5Opc +YhRhdxCa3Fl+HlwhIOvfwstgPqJb9vhI90OpSWbQrVQNSaCCuafQJGHlDPtb5EMKaweWKUQheBOw +RwNsu7/FRhTCXVpVJ3voR8ytkq11Os5AY7Oyido6+lt4myXwNb0AvExqRSscFVTNt1Fio5VZekDA +pE588H80zCkIFXbAH73wt1i2AgAUlKvROokiVyZBSa7jp+RrSYkIGol9DfB5EDUxyKkQhtM8rw99 +Pg9i8m2fm+LIW47lwefB/mkOCajzK1rg86Do/3z9o0oihf4Wft2zXvMpN56/RT2TzmSCog7TeH0o +Yw9BSzPDST+pzrXG8d9vMTtGzM83YtZz0841vb31R+O7PQWuzMFcZZ8Hto6TYPGELBz/gyfHZZOM +OdFGGH8L8VMHw3LOgZM+D9gozt02JcvH34JRY1Xqk+1EWUDxIZFRqECfB+WvsenCAMCbrraxv8n7 +ba+qv8V6nbe/gwDVvsn+O+3zYJmx695WYKgBcH+L80exc1tFTJoyKTwnor9gMABgAZ+mfpPo3yLT 
+NBOoVvJjeR5C/VtU6qQ6lx3b42gVMqQ1XLMvuVC5UcuDnJy7WrlkRN8dcS0PuL3+LVwPz7I9H8zC +vwUwpqjPthq4pM+1PEDUk0amOFoeqLeMGWqi4qYocKT/FuOb5yZwvf8WYt9Euon0BhT9t3idv/0J +Z3mgD/VsGC7vKHVXof236OWwQi/x8d/iBRzxcHUYiANwcf3jWKZg/wqju4HF2mWxjKammywPchvI +K//fIumQWbOcSmIZ6YYsDxpDnukbgl0WczYpqn+LP+05vNvsIepuZsYTS42JdbM8YL+P5AMTO/u3 +mAuEZaNkswocszwQhYID6uGNNHP+FqV2Bmhp+y06vz/pn3RlWx7Lg03EzyjEog1yR2YEy4PzS2su +4x+A5xcDf5u/hb63/57TM3/Q39+CxS3jjbH2R3Hwe/4Z5ttvagrLA2GVfhYFL9Q9cQw40wn5YKgo +DqP+TOl3fydbazv6r5tmI+W63d1pjGdBM2XA8oAOodW9idJ+uwDuAx2ovHMhbc/YAY5Qv7Q5NkpW +rp/3Z+bWEeZLXlae9ir2b02u/7dA5gR8759YeeCaJcuYcbAOXf7S/i2ArCQA6Cj0ls8HrTxY94ir +X3NBcKytPIjye9iNLDdckeff4lifdTsH7lGmAYgr5G/8W2ykxbBjy4X+Lfi7mFQFg1RRSbDygLgg +iHfyrRICtRNQ3vxbhCzdBq9iBBIELWIrD1LDz+dT+7fgZCQpPZiw9WB/i0kcVjlr97foP1HoOVoY +WOq7P3+LeM08TIp2WZUHgrASagpmJlnLTUnP32JhXxO295QxUV6RabBg1nNQdQGLEQ+7GyZQYDDA +wFz8LcAOYKnzyygHxudbEHkk1FuwZBLegglgptgtZiuYfG4h8oLpjFvkaDDd2wIp0NujbQG9Hmy0 +tnBJW/gBZwtwsoUyWUJB1mIzCPvFa8H6GizdUSVdC8u6FgpGmJIAZSWsFIyeMNamBTmFKVEtHJBa +xP3TQmDTotDSQpmkxWOjxUBP2E3TQ50w3C6RExZlFn0T5nsWozOID9KE5XMWwSjMvFlgVbM4ZWYR +DrNQaMJsXRZCLIumozAUTQhFYSGXEAprMBZLIwsXKKwlZIFnwbrHYlCPhQpxLFI0FqBfLGpMGJkV +i4uEoSYWFu4tDBya0XSwtsPiMKx6IwQtTlJhsRcwDwKLEz5YALZgodfAQidg0Xx/BRmFcfkVJisM +6Ss6o7CBrxg0YX29AkhqzisO7Sn0yVW8IkzBxLviwyQYQe5rwo5uRd3UDegK1pJ1ucInBcM6rvCZ +MDBfVURhx5DLq7BvWCs66K3wHreChLYif3xLfK1wb4XBViuKV61YV9hnWkEztMK1wnI6K8iYFS+g +gQPKCsUV9pMVo+n0WJEV70eEyRUrYCXfRrHihJ/AD1eYRoCHld8EVhxXWJWvIvIK8wavAhFXv+Lb +I2U3zEXhwuqt4njFN6xbBRC3Cvrkm0+rOJQkvunOHs9xhSlZBezvbQFYRcwV7aGk+fam1lMxl6rI +PXsLThXupAp53MQ73frCQRik3fXWBargj3rhzQjjxlMBFSJHhZ2ZChxdKmRUKpoRhi6p+CSkwpSj +olbCBkYF74kKoIcKtkKFsBhUKAMqkhIm9VPkXoQ5+RS21VOMhqeowE4hHmpv8suxDC7I4LrJX7U3 +w4LKjgIbQG8KhDYFAaN6nDCq7WMTprKkMCYthQUz1JYp7K7NfjUFJqmmMLsTBn8lp7C9mkJFg4Vt +fgpzDDepaoqKgAr7IFEkVmeVcArbmViYL8plYegCX1Zh1ycFh8dng8327I8XpoVimEwJ047k7zU1 +DIN3w1ibw9K8wwoZPuxZQMxxhRhtT8R25ojREX5JDI5LjE5NAecmFg0QBopZlxRzDnCBmpisZLEr 
+EjXFoi1mnqYAu9jMf7GTQIzJGRmTvZ80Y9I0BRiN1RLwWvH8drHL3lh8vLFM6RvbSKnYZ9w44WDu +dCxI6o7pjfOYrwMoZNj2bmyWpjBnkJFsvMqqh+zhJzLrGEt7IXsJIRlfLskwQhK3dZfMe81kUKYp +ej3gZAY1xeTyZOEYlCUfnO5nnVayPzWFC8TkcxeHs1QWJ5VZ01YZdlvZSk3h/MqQzoqpZNmxXOdK +Grd9KYCUwOot0YEcLlN8Uxm46N94YY4pvH8ZK0xhoxU+x9GtiZOLmB0ymGIYhr0wMvuCKaQsM8Fu +Yc3sUfg3mALKZyYOpFlyRs1S0ZqVNDbzVraZrXWzT/tmkDDFl+GsCaaojzPjwJx5pit0ttuqM1nM +zsbEO9NTPJPjzjMo17NrwWeRwBRDPHw1xwjCFNQtIkHzswmmqOHUZxqYQhM+k9pdMEUX7BkSpvCe +Z5zcXITxDNE7W4LDwGAKlZTxLPERt3cmfIJDUuZOCGFFeZh1CFPcpDzt7EjPzl4K7wwHxTMWB7E5 +5fbBFIGeZ1oDBIM96/EKKXzmWeaFKQ7UZ1WVe/JgAFOWhimW2WckUytyiClOznJ9dpah0hym2CYy +ELVEU30dZ3YpZOtSLIvPji0FFw2fSQNqs+qzIJaiNT+zWSlCUCneoxSj8Ekx1qTAsaRYGUkxoZFi +iEiBE0ZIUX5ZbvePwvP2RzGWqEdRyJ9xY0fxV1pmHAV3VBsFEo3CARnF3UVHgPxZhCa/KB5/lmuL +AmH3lhO3oggjRfHeRLHfZ68kivlIRMHwswdEwWVhOWLAHYoV4C87FC51KO7YUCyModDAz7yFwgC1 +UDTvMyILhdVscltY7Ago8BQ+TRwsKBJ+pkdQSBEoPfeI4fkzPhAoiBzOzJ+VAxQnOAVo/a+btf6E +bIFW9hP44yda2ife0Se2KNAO+sSYQOvxCRigbXzi0BD/4iw+8UnPmMQn7gk09BOACLTQKvGAlrkT +feqBnvDkAhKFyxN835lyPKEXnkg40Kx8J9SA5sydSAc0VTuhMuzEG9DGY50Y2XEfA9pdnagLaCCn +E+WiEyGeE9hmTtxVTkz/7A85MYb/LDJOoP7ZNsQJ8J8ZPZzAHdBEgxPRfhNvehM31k0sAu0obkLN +NoEJtAn62IRKoJkUgNatAFrJCdzXRO2ueZfog8rTEJd783OduPaRsNbETKA5spqQCZocNZHMQVPR +NAFiQms80sQXC406ogl/DQ37mSjzoR3rTIzUQ0vbTJiuzET4oVlcJoBTJiJcMqFIyER1QztzTFBh +TDi/mAA2MSHWYUKmMBEHRLMWTNwCJuglc8L5JU7JH4wbGhoXGquEZigOmpEbYa7hS9CWoOGePgfN +C+JLbEhCg8LboL14+0vQFJxAs3wJ7qt4qQOgOZyj4ksExH74OIFG4Ussl7F/OXkvcfrPeTsGESd8 +iasEWs9LeN4l4mUE2o3a0atLABNoEa9ZlzhrLiEQWC6BZAi0THY0gcaHuQRQmksMW1yi4C0h9GyJ +Q7XE44lAy+cuBz20RNR/5qZ+pmafPXvQEmN85i9LDI19pmb0ffUza1hC21dioStR9p/B1kq8/xko +VkKSVUJ1/sAJVokLsko0AFrlBNBGrBI2738vQAMSQGOySrB0Mp4EaJIXaLtVwkYDJRr6eQUaynoB +2okBtBeuEur8/yZdJQZUJRTMS4UmkEIAza/gxHY5+lIJNgjQMKYCzSqVAE3QPhSnUdB+NK2g7Qm3 +BW398OWOCGh0qYRbiakE3+9lZJFIQMZX7s9Y6s/UxqkEUeEs9OfP5KcSWIAWiUsFcVdOJW4KaG9T +LgFNnkrYfhIHaGQBWunwBmgaqgTxIHgqYe1LwJxXDTQ/WNC0BVWC+lSi36gEsNNAm0JAc3YDDbsF 
+7fSU8PigQZoSFoXGWynRzjOZ8zV4G41La9uh9Rkl6ohoKqLEbqIZhBLiVTTRhPeb/qIV5e5K0WhI +PQleHM2zk1B6NHOcRHwP0vQRNHW7jLSSix/Ji3MPmQT0J22PjppvSKUhXBKOLI29kqi7tAFTEsPn +zhU9Xk6Y3CLxZtpOSYJZ05RFEvs3TRQkIdBpdh6JiKeZcCTw+rTwjMRNNlBD4s+U3EWitlDDUZH4 +KdA9SyRAR20LkWCZ1OwcEuOlpmFIKJyaPSGxZg8SPKgGK0gUSrXDQGIsqVpfIGFPgETeqon8EaKx +mg4/4jkfQV2j86r3iJmd8CurpXrEN/MI56qF4RHQslpbd8S51XjsCGtXg1BHdP2rzZ+OGIm1iOcI +KEn3VI6IN2s+4whAWqsHR9xqjdQb4aetgXEj6t7aBNyI4biWnI2AQde21wjus+kIGotpS0x2jTGN +wAqvzaERXL2mdEYM24PKjGDxDg3XNV5lBAQN6gZwHfXoUMf20fuacWFzECMwiO0cjOBIsQmDEXMZ +m+4XIcqOTSzBItr+7Q7V/esisE22Ji5i8XARFmOLaPVZhFZnEVWxiHN4RaysbEsrQtusCKfJ1qoi +GKEiVs8UsZHI9pgi2EcRnh1bH4qAsp+I17GtdSKmIVvCJgJnso1jImiVzdYSMfeyOSkRqjObnSQi +/MDZhAUJ4tl+3YgYDrRlFxFgom3ZIoKRniISEcSmbdwQMU5qixoiUKvtRYigsLVJBBHj12b/Q0jI +Nm8fIhttk+0hsLYtIQ/x+yuvezOc8bDbunQIdL0tXDnE/dvg4BBOhBtK9aO5A4rG7eOGWCM3bmO5 +VVVza5rPzTRwdIPC6LbZpxtyG+JfrFvEDdEJuzlo7aa00d24+24rNryR/fEGBcybFtDbmRtCn3qD +aNkbxA2BuHtbfOLbZ7T5NrCwvrmDnNwQe1C865uWK6AbQsMNMaHzbbX4FrJl+DZUyg2xBZWi1lNT +3RtHuTcLhG9WNwRNkJrtkpS+LbshhO2bRFk3BJPfJtF+O8O3IDz/NyIcAedqBO7NDQ== + + + ITVwDm6IXCM4lV7BEaXBbXsPLlAj3KEnnNnHwoG5ISoMZ5EaTgI3BKMFmi/0tZE0oBl19VfOmIZQ +dYYY+XBfyhDqYgjTh0uCIWA6XJkX4ggXwqjDZZ6FgJwh57xCILu7qiqEiymEMEMh1DohnpgQXLi7 +W0oIaA33QUJQOpy+CLHZIURbEOI3P4gtfbjvg2DLgzCIB8EAOggLnGA2d3czpicB2X24NJPnIGCO +DmLXEHfVh2uqIc5bH45KB/ENQQfxciY/HCY08T7cVg4CMPHDMfweApCDEBbiptavHETwiZd3AUOW +SRlxqzkIXitxS3niBq2MEDoI1ikuebLiiXuNpzi464tJB/EMVJyrpqaZn4OYYJyvgXziiA6iTE8c +uBKnhhKn6p24n+uJo+wjp4OQTtzD7p+DmFHiLnQQrEyjdBCKxS6sthm/cLGyBpFciXNyBgFL9fQs +BjGpxI0YhF0liIRe2ShxyAcCJkEXxKF0LogedReKOOq4IMDq9JsijrQZcXwgjHgLQpvlT4krkZ5e +AG8KEbgggp04E2OKU+3ynbqKRLONi5NEYIJnKqqcxn3IoLVX3ZmKG5H8OByoIEeDQ06Li9z038GD +tCRng0sOCTe5cS4I2U+OEKScShOVaw96eAxyRyiuC4JMlpMAmGRbzqG+QLscKgRB5A/EC4LVTeiw +fS+Ix1KOas0c7QvitvnMXIVoDns1p7ppc7ztzS2/IDyQyBdEJWa9IJzvDh/Pq3VOI706B4O+gmvb +rXMXXhCj7/FknJavwu+z49cLAiaxLwi2zZxRVbJ1bT4XFf7cIVO1x3iMc/8XhAch0e0s9DsQ4gJd 
+hMm+OMX+CHTCAhgE74BuRZQJdFbyBTpYbkEgzReBga5sQcQoBk/z54ikgycpbAUh9n7uxvRBP4dn +ifNzNQOR66gesiZB4IoggLsCQUwaHD93gCCCIJvuc6WCICAXiLmBILpmUmxoEel9LmPCcdl+zfGD +IHoAdKLTbPY5n8VXhXYYCCblOBCeJWggVl8gICBZGULnLJ3qWoF4bD4854x4BUL8BoxzjItzQfs4 +eZ1zsgLB4loFQogw5+JU52gqEHC8c7EL8pznqKeM4XPcBwian9PrgNAzoPPLgAgGnZsCAip0ERAQ +h4cOvABhJzqwn4BLYHSBOMBfji7g/+GDdE39h97aP3iNy6vkH8qZ0t3ehrDh0gXpD+HLdD76A4ab +rkN/uHY6evzB5k/HfT80RN2r/TAjdSnWD2hN3R79wKM6teaHZdUpkR901OoEyA/BV6fDD2hBMPxQ +wQzVC1xEnUD44VB8H9q5DzfVPoy+ujPsgwPrAwcWuY+mxK+OED6QtKz5sC5g+TCPfFjzGh/GiPiw +5Ks7wgceKBI+eJaYP5ZR+OC18MEOxgk5ePnreijPPXD19iCr9qCBdc7sYfCvzj/sgYEk7CFwcz2I +AQfWw4DFtrodVA8AlKbhzoqwVl3plYcrFUIPnnPa8zDJefhN8xBGNA+qLw+VYnmYw5OHyciDqsdD +NVsd4PFwfnU448GeKhUPLAp/5UM85DudM4aHkpQJBWAD1iEZeICQfJLu4BGIa68ZQqk/ss132Kt3 +IEAkG3sqoKyLzA7xHBy5A7+PH4wJ7hDeUCfrdvhDR+7xKDGtg7UOdOiQ2WHZYCM7XEvssAJ2uOJd +h8mtg1rWoWpZxwFXhzmnSe+pDq+an+fjKXUoS7llXXtQh2Yxul/WMU4HkLy8dDh8nC8CTDpwQp12 +dCA2p/WexFJYdzLQodoD22Cfw9zOcyBY5+CDkwIIFjOWV4fmED/mgOKEddyXelNAB3WnLwfJ0AJW +bF8EPA4Zs04hKQctn5nGKIexJofIrFMkh5SHdZ7IAVdYFy11PA4B3zgwzDhoZp3cxQHdrHtRcSDF +OmGJw0aIQ2us4xwOSxgORoHPqwoX/4RDhVc3y4MDW2JvVXCQMHBQOgGHx/6GjfyGiukb8DbwDY1X +B7ve8OnVMc8b7I2U5ggpUPFBe14B0LthtUBjXWg3JIt1srrBLbrh4svcEIc/yA3UEDcs5HnW87fh +pt0GoG0Dg2yDVpJenWe2x+ZSLbWhdta1pA3WBNqQr3XqZoN63zqhAYKh63r8QuJ1tHwNBLxTbFjC +ycKGQ6zjAhs+V+yQRgDMYxfguZ7s7rCGBmbHvTVUc3azWsNIaNdj1oBHcntYA3XVzulqmF47GatB +W7bzp2oI2nYiqAZalxoO7HZ3gyvWb3f04jbc3TQNFVA7qIE1U3oaGGvnxGmYT92pAUgquyuRMYSc +YTIaiHjnNGnQ1bwzmTSErHeSku+dNaQBhI7E3jjo6j9+V8pouPm7nKJh1yAaTAK8jqEBoMCLQGh4 +T/DwgQbn4KH+GdoAoT7D0Nh2ymbPEOY7Hc+QJTxROwMCrb2LzoAkvH/kDExTneZvhhkJ72wzTOOa +gTd4szQDR4PnAc4MQ+92nUIHPw7e2cxgKeFhBJzwaCW8ncuZYasJT+7MMD3h0fbB61SD8DJK4Ymj +8IQIJcfwRkuGB54Z9j02kN0phscjtEqH964zA9Mk8Xi5It2WSO6KeNJiBujEe4IZOFc8zPjiaQcY +wW/7zfDKIOS952UQqWrkCVf68lrySlE/eQYe9O5ReVG8DPCutmN5x2hQYpe33mUoaGIe+MR1r9nM +C3wUC+93nffklthlYNuHD41MOGnMM7miR5F89JaW0osiM71lvAy3O8VMK3kZNEU9XS9DrFNPuZcB 
+iNVrTVgPt1rPoigvg5rrORGE7LFco94LXgZb2EMqAFOyrn7EZY+UgvbOsFJ7Rbxfr9luz7zLQH8S +9y6OzrW5V9plCFn3XPK7p9xlALjQe4PrRHzRe4HQ0DC+J9JlgOv3UjfgkzGDT4MqfEA8fDsvFF9O +dlSa4fGZapHvUScfPuHIlU8MMJ+ENJ+wLgNaOd+0y8AjZx9rEKCC1bB6vnaXAe6g77PLwCkYffJT +hgTwIcsw8HxqToI0J4bDnF/Kj729YVTOb0ep4N199kEp0D4KD2bA9QF4RjP+bsoAj8vwMVoG5StD +R/vAVhlu0j72pgy2jc0bUYaxnQy1R5PBXsmQ3yMZGGkfCsq018gwK9rXkfwhyxZ+3btCCu7sBKJL +7P1jcH8/Bu59DCLwYyg902wWMRyDPmBjgP2MAZ0xhhLtQy+GV8YP0a2Ki3E3aHEVwyuKIU20zzvk +u7TvNRLTPsohBkrtc/0wELrHoBY3DJNlGCLjwqCqfZrCMFLCsCoIwzcOhilq3zJEo9pnR97aBxdg +QKLA8Fz7bgHDfPRlBTDwBGC4wr/wfr/wNb8Q0e4LAtxn6gu69Hz5ggjg0ooIX8CYPsm9oCv2wqiJ +bR4vvGF6geLto9F5oaQwdkV5QXv7vHhhEMELZ96FaeEuBHh2Qbp9zuuCTmPVBWFZpgu50mcMXSgg +IUaTK2/f3rdQIyV5coG7FD0uWFj6qOKCLODE+iJGzRakBFw4jG+h9G6B0txCad0WBm/fuS2M3b7i +tAWgt2+rsgXmeQFksAUc18IdC8L/aiHc1QK61IICTguzN2HWRizBmOtob4kWLkALPN1ZELtZuCiz +ACAyC7NjFl7OgBSzLNgelAXcAXCyo86wPSBEWCwoOHslNtKwcDil4/WP4vH2rXwIFg4zvfB2+7j/ +K0ALAVzB1l6BvNs35BWs7QpC6QpUbh+TK1Ro+wYAHsx9GUq0tg+6rSDmWqFu+6C0wtf2kbOCCJMV +vIoVcAVWCJrts/IqnMZVYKJVMOargtWqQt9UgQJRBUPbl7tTARZ9VibPn+2DoqWly8a1fcOyfeay +2c5IpgJj+35jKrDtHTu2jw7NKcQq60e/WaZCcZRBXUseU6FyYPv2YzXAVCIoXe5sHzq2cnLxte/I +NHaC6qDBDeraN+5xxZ2R54dQTEy+ZfsSUNKxfeRiRmAqgO4nrnTt8z4JEOu7tfbF9EuFBJcKIDJr +VlJIS4Wr2leahr4AMPpUUe0LDlKxKgrWvrWrfWrUvmM8MZYKxzAEWn3E1CUJ6Foq5An7pcIfwbSy +DlMB1rSvQndqH4lX+5ha+27gVPsw5NCofQ2mAkhuTyq8xBFQknhU4I0+BTa+osK19gVDBXsWKpyi +2ncKFb6WUIESU/saiMtkMFk9XaFCQADY+k/t0xa4HF79tO/ACxVmTKjwBqh9M6mH24fNtE8uWcM9 +QoUICgECEypIDUaokHxYP6HCCr5Q4X/S2KmOBjMh7TuFCmzQK5rjNixjVg1CjvahhExvtVDhlMHQ +vpfHgsvVWiKFCgqpJSooRoCsT4YKyO2BIkX7vAaZsDRUeAbta4wqr8BDBezPnwZ9xQ4VMuShwkhx +Wp/mWD8FWX4Ky9G+o3kKENgTZGmfK3UKA11bUzoFsuAU2NcUDJ0pVBRTwPJSaNI+7CyFHVUKkqEU +kpgUWCyPFDrUPgJDCt+kyONdSEFxtS/xUTgHaiTWUr45Cm5WjYJbGEbhi0Vh+kQh6zVHQLUvox1r +3xAjCoOIxbWHAuFys0LhSYRCmkEBuyAolLWPDyhM/CcIoX/CLP4J9vyEYrUPWn3CRjshU+2LxSfM +KHyCRvAJtd900rkYa98fJ9QK/lqs9HJ2QlJ1gsClaTicGV5swsBxAvnaBwsnFFXyhGK+CWPt+81N 
+2F5tAiVsgoY1oey1D7iacLB9nNMEi6YJEoZpAsnShOdApbsRqPwS2p5MqOYxYVMxocAwgcmBCWt9 +CSPbdxovYf8kEugS/N8SyLV9n7cEbtsnVkuoMUuohiVcpSuhjJVAQZVQhdzHg0o4X0qQo6WEmUYJ +IkIJ656EVctJiNIk2MEktF5JmHaSMN4GKfc1IoUiCSjECnjMAvMLz9KMBJ2KBNwhEoSU+xSGBC0w +uu/6IIHvBRKm577zR1AW0UcwkD0CsvEIeu0IbCEd4U2OQED3ATiC9zaCfNsIlrdG6EgjEMSu8EhG +QM99WmKEU2hTBeIvh+7jYvE+6XcRWDQMZZyqxXcfhBdBq6q6kWbOjHJxhZgXIecgGZE92YYXYTg+ +FXneRZiodhHaNK1Svd2gB7CSJLmLcIb3xW4RULwvZFmEr/qpkXI7argijOJ9g0WT90FXhIUqgnCd +VATbCOkk3qfSqQjykyrCQt63zBSBFb5lDUWQ0YlgHhPhKFHkfS8RJQJ5xCZmTyLcPSKwoA9bfkOE +nSBC+30IZvIQ9ukQYHAIMvS2KnxD0Mz7DhzCD/Y3hIa3qsn7AAs4BPrzvlHlT5VDDlHeR+Mz77Ml +DsGXWax01OV9t9E4BPy8T8ghLNsQmPI+svcUYjxNeJ9HERFJQ/Dv3ZfrjoYw38/0O7wv1HefoKyR +hvBIEI/8cvfxRBmaaQj3eO8LlioqZO/rhFVWWe8bUvY+81QNwZ3tXGRtDaGCyTl23fukGgLS3ldu +FOy9D7eGMJ7D97nc+zbDGvQagm2pWUOg/Gb7a7uGMLCGgKUZwupSPURKDAFnFwJEFg== + + + wpIKYY6gECYxIWh8n/EIgYAhhLIPgkbyQfibzz7LOQgINQiQMAj6fJ9hQUB8358nCCz0JAa+jxxB +uGx7AWh/IIRsIMAtEGKSQJjegDBJQACUAKEBgPB7/yCC+wOXtz8Y56+1FNt+UPg+WvrBz/dB8gMv +vo8l8INGE3ol3j4oXR+sKJvLY+R8sPF9/8kHZPJ9lnww8X1e4gMd8JMAH1y8ewC5PbBd9oDXXA+y +qQdcpQcygh70K/Dbii8EzoM58Gt4eQDFeRjq8qBGyQOM48HfiQc88ONTeOAEPNBR8BO+A7x7B1d3 +BzHLHWzH7WAGfsu0A5fKDsBgBzDkOtB/rANJ8FOoDvJPB+NeOhgHfnd0MK7RAdqEDkTgZ73nQPOb +YJdzAFDgJ/zzfUa/pn+yP+fQHJR+OWCelYPtKgcr8HsmB6sNORDdjgMvHQeliHFwheIgAMQBqfzh +oLBwsAj4LRwcLLvAgYm/gTTfoLd6g0l4g0PZDRhBN2gCP/y4wRn4Ib4N7AQ/qLZBqLQNwtUGkoKf +ftEGWiZga2gDHGYDkscGBoYNlr4GytI1uNcarIs1qMhqIHxUgxupwXOKBwb+NJAoy4yZvCDep8EL +fxq0qN0lO6AW/GbK4EcfqMEN7uapCj8NWAa/+Piq4DdUZwh+J4AasB0JEswvQQ2GPw0GwQz8Jiy9 +sTtQg5HiXLwViwt+L2Hw0y34gUEN9OE3+FlWqMHDcfAjQQ0kPoOfwFKa0oEaxH4amHDwy/XlEeGH +bBo7+MEBNWhuJzT+pwF/GwGRjZn6I2ctDeTB70gazN9oQBr8JtFAPaEBRoAG7D0DpeBn7gzwlzMo +cDMogh88zWC3MgOhYAZV8LtxGfi4HnjOPWVg9mSQX8kAy8jAeZDBpRBkAOUxuILH4I2FgmMPRsjg +Fw1O8CvBjcEC3hjUK0EI/DoJx+DQ/8Yg0Bd+ExR+irPHv/AbNgabW+EXrMnuyBqDYwyK4bezMVDt +afhdcvgZs2Y0/Aa2MdjKfuGk8cbgzfCbBcwzRpoLOByDUturVw+LG4NSxY+WxcekiR/3xsB6FcXv 
+9mXQit+MEAPBMWCL38J//IZzYzDZG4PIURCOgSiRBRRSBn/6UT1+1MUAv4rBCSYG447ftsRg8Sek +gqoMBxjsQQwau8PkhhYj/8PgV/X4wSLhMh8GflvuvMb6YXB3XKI+fgNNpFXolXdH6V4m3nePn0WR +CjKK/GggBvXfGG3k1wtiABdmxo1RkjhaUkd/wYchBuQkYmDEz48qYjANddI1YnArYoBDxECRR34q +BMmPS8lvGpNfOoeSH7au+yb5GZcfYvAZEQNuixho0D8DzLvZMWKQAUiAAZfff8F55LdzzyJ3hvmR +/CyQRwyA7tJM8yL/XyAu+SU9DCCYahE0+fEeKXHlBdyHNAxqnfxENDvKzxOT8ru+L/BSNEyh4rrf +i2gwsCIYIAkQGEi3NOX3OGBAQOV3kfILGeXnnsCA2VMOEBgEzE1i9CZTkUS4AgMjo0fsc7VivSAE +fwFm2AwH13yBf+1iWJQfeUGTdy8Y9tPM4b3ANF+l/E6scVCpVX6X7gWQY9wL6vb59oIFWH6bEreV +nz2Vo/ID5QVG8IKnlN/y47eLPQIkSGAXuKcLCPRc4K1cwFjHBZGUn1+44M63gCC6BfbXFrDFFkSV +n7IWVCTWAgblR1wtKHJaMEr5raIFjAtmQq8zcdTemwnzLIAXY2bBWlDu6UOphCzoYywQk4sFkfJz +hwVxPaphAb8YFhhbWADpwAJF5Wf6CnBCx8GUn6IrIH8rKEAgG3sKRPnlo4JYcrwKeDLMKtipKoCY +UAU6xlRQSfk9HhXwQGpIBZ7VNXWkAm0lFVQ4SoedFTBIgY2bAtVlCpBcCirlB08p2AVXUuADn6Qg +JYEUYMhvFHSTyg/D0APy/35LmoY7F1hS7wTrgoKuBRSs8hOsmd/CJ6CfDFKi/XndDKBAmScQ1XcC +LNYJeuZHmhOcxAnUcDhBk/mdbgJP1CYdMbEJlKAmyD4TkHAmAzK/F1yrWGfNSjDSDyb4rZcgEZdA +OZQmhLbImF9AEtzl9CmBXJESiHJQglwn9G598TC/oSSo1dcHSXA4nDOD4jdJghK/GUQCx4MEFf4I +pHoEE3YEV40jWDC/XxsBE42AYGQE0C8CH1sEWK0I8qdV7jdkqu+JSGJ+RYXgEMWCCDy8dQQEPQQ0 +kEPQTUwkFMoC8yNLX69dIbhffu2EgI1W9mNFCOIBC6BifdH8H7BWEHxIFQRxCAJcDAS9ufxgCAQr +CAgc/g9UX35rf4DRfkAgP0D57QN26QOQ5AMpl5+AD7zdHmAxE7LSA96cB+LJA9RePFBbfih4YJ13 +wACA5MoW+JAirwOZrA4YNR1IER0YKr9158B5ZQ4wK7+lHGB4CSHIgV0uDsw+HHg1OJDRb0Bv+Tm9 +AWHdQMXyA4kbMLMNyEEbwMaxgWz5mX0NPEKUhCOTaEkNzJsGMEoakCcaEDRpEmIu024GlDIDynEZ +KKYMLCgZWLn8HmSAt/ykOAbWWX46jAHPEwMRPAw4QPFh3Ylu+fXgBU7qVcGAPxLjWwQCDMCN4QZ+ +gWWaxIVkuZ4WoFAX4Mt0gbpQq1wgUHABessPyC3ghS0g3tMCGpef7rPAl8sCExwLXAsLlPkKQM8V +SFAr8BpW4GvmR+d6+eVTgdeoAE57CkCuKaBcfm6WAm7Z8rcKGDg5Eykg7/PyS4U/5icjBSwkKRB2 +d/AwP2PL74m/Lj8Eo7nlFyspoGRuCe2Jgprc5XeSFKDXvjvL6jCMTKIAl1CA7PLj0i8/rrB6BQBA +AXYDuvwS/E/gPXPzszGy/AlgOL9G9RMYP51++WFViSa/riVw009ADv0JELg9Zus/gVoBFKDW8UNO +FlQBBcIIFDCPCaocvw9QgATVVPhPwDSjJPB3rbnOEqiMP4F4PwGQuf0JBPcToPATEL5PgAD8HrzX 
+WCLq2I4NOy35bX4C1Eh+M9x+Ap3+BDjQT0CfngC+TiA7Mfet1rXk1+Un/aHt6ztXKWAfL80L61Ew +yeBvB7oTiefFCej1HweZYaBHJKgoToBPPX1UI/b/otjHQ0yewNBOcQIFPZctwTrEuVSXASXQSayh +CdTCJmEZjglYGPaVBr81vS+BxxHFa3uZ6y1oLQGk9e/IuY6VADgUHc/HDx8lECOiB21cY+voSgf/ +d1KTQOXA/mec1P/Z4p1JAlUeb2oXYbpSRQLTJEHJeW0Eof8FCdT+N1RWFbVG8gggdhnxRVUA0x1k +sNdIIMJHkMJ2gJ4RqLjaxFpm/70IDIaUOLkIQIqCSV2LQH9bWThuEeCtgXJC6cA3UsFXmt38o3d5 +Ft77LYZc+5sABQKfAlAHeZ2wl4MbAp/2JO1C4M2gjnJz3D+iuywhABnooqNtE8YMkOMgECczQYC/ +zNkUCGROg+MDUjqAQB19QELYJ0WNyRgnK7TJTy3adcbQRup4kyVdEi5Vav6cC9c8oA4rzAD3D3pr +ft49oPteCkBYHq4Dl06oBgCC8u24b5Q1DCY0D9DmoH+6hUpPA2gaRFqTiP29pkwLe3fAKJ/GopgW +dU1dkh1QTUtG0pQ5pODUAXhpQPuA2EFbz3bUQAecPHxH5nKAQl+P8XDF6EQEyzpLxwGjRMIggzfs +UP5xf7U/o1+y0QBPtXBuAHOw9Zu1wqfagFX7pfgpPaRXrwLJqn3DBmjCo26wAdGH4pfM5Geo912+ +qwG6iABFR16lcKvgNIBvFR7grS6nwmJI0YD4P2Ktpa4QfSz+gO8W1R/dkDMDeuqvMsCHuiBZC3Ta +aLS6RecDMXe5rYbpdMjUMQbUFC0eQAwYXpKPRmVp4eZ9Ws/0djBgKLxgXO4C0tD1SMEAZYQxPxi8 +lF0Sv4CaV2hclsddGvzlL7WM1XkBWRd4fb5wMZe6gPJV/NDnjRZ+64oJFwB4EpB5GR0jGraApnhU +TVJQcO9ZQEgHIpPYQU6DGAsoec+BoHqE68PQKwBIqrQCDvMjOssItiog25lOBcOSqACi4zbCAl+Z +vohLPJvLFqQAvRNglw4MBYjL/wE/TAGC9AkYRL4/dcyGsEjZhE6Ato2ahQ6vQIp23MMOoW5uWBMw +7yRAZYFUUxIuwpmxCRPA8HomYAIYJb8o8IyBl1gVvhKgdY54zs13NXwlTgIuVeFnILRvkJ6iwqjc +3jQCnF0A7TA8AvLlI7cUKu8I4Poup4uxPK2mK7+MgOYaO0sK2RjGOGykCCjo9yOnkuKMAiKAV304 +2EV+xQsBHMsyyya9pZCIh1vL8ivx4Zte0lsludtBgOcJwZsmBhsE7PQRCBCfPDVu90ANNLllP8BB +dm3q1A8A1yUMUoZ+r2gfH4A4TQWnFUvLClGwQmOGSbkoMTL23V2WvJEUbFURix6g1QfZb38HGJMS +qcbmnpkdM19oOlsHIAZXEI29sSHIcNzDNgfIDg+9XTww1WL8LoHrtYYDwOnwwggHYCYpRuhXM37J +gXcx/QHept0bOQ7uSywZ+qnni3qO/509/TO8BhgRJBvmBhR5M9MAbUkA0mhGszM3by4OpfIvygDj +REAWAzDJdV/+6+diwQAHgK9P2ZHMsl88ywsgzF6SdohlUxOxI2w+FAbhNH8Q0x+9QEHzJzH0bjlZ +DelUHya4N88C7NM/QtFtJ23FdqMzAAs/wzTdZBJLWQfWkDavABAPvVERH8yv4DQfAfJ3tbj8PHBs +P7kyU4BmWjoQBJ5EfyiAiUK4dAJYA4ig+V1T+HgVYgIwhAUCZFxGto0vFiVAGRvtExctPwKsVQFa +JZ1oEYDXRbgeObfC44YAUrw34UbCz74WySEIEHvhuxynAVkW1OwDCB+kR69c5H8d+ROTB7BnWuAJ 
+oRDNWYtMB9CUq0MzxZeBaVG0drWRUG0gsQGwhubo1g5lKFgLNIAvf8vxmv47HgOoFHXGuXsiQZOq +qoB8AUwcdxzfbRm1ADTPb87KlEbsWMoKQGI7hhpF6+tc0PoogASQD3rknA7T54KWJgB3np9rxVQe +BRIJgAxzQyryJsaHYK1mAfjDM2ZV3D/dbwDKYIkIvblUMIt7v6LX6yMBAAmc0sIqZkDFC1fx5fXM +tl131tOpSAArzWjo1VaclMZCRQLg/Opiic8zaDDW4SoSxhfbsVjnIhIAhhBpKLHFqrqhaDIkgMZU +86lZpbu9iATATDofqlo9qjC/qxVEAmCIktQwZ3yMUpSFBDDy+BgShwdhnFYazL/lcaCkhgSAZB94 +ytunIcGm7TINCSBb35nIwgZ8CUuUQAKobWt+htRN7s5HAHZzEAbjBTDGZbuTITfPtFNEMz9u7QgD +TR4BCEvETHYPaHwEsCTgAhJ3CChaHWsouDdXnzz+hQNqMh9LkkCeBFcrC30EQPTQ2L2MVeQEjwA6 +TNhm88JkcVn+EcBCQcijItoJaawJU+O9dOEjgL7TXG/SPAKo08bRA40H02s9ArDxbw== + + + pJk4srX2YZ9begQwbqZYhNsjtj5rUdkj+pCIs/Lj9BFlRe//zAAVFA6Rd1RX33VoZyvs+LUqt4z1 +EcAq4S45i5P/vbshA/6W0zid0lG+4OwjgJbVvZCRBTxozFzMXe2S5UcA43NbOZPmTP4fAUBP1sjF +rxqsyiMBBl1o0026HAGM9DluJYcACHeg37/D9/VpOwLo3c+OkFH2IxwBxHc/R43D2yrjjQDoKYLb +T5FsByFniRFA4/IDNDPpwB4jgDJQHIGh0IyUsjYZoD6AFVdfrlEKaCPkMtEcRgCJN9xcAnTScJl2 +LAII0Bk5QfY/T1V2ZJhQ0N7OjDcPyst8/6xQiwAG+YpEMCJXTpw4Wp7+5/pTEb4IYJEMn9LTfXCX +XQSArONqiB5VY+vGD12H55LGyssigMWdWqaWlYLgdhEA5QEtEdqM2y4RxAkxgG18wK/eYnKzHUJB +BIAXyS0QGQEwsjSBTUu9wlwy/1uJ4T/vCnFCcBOIQi00W7FaihkBcKn9mwgsbxqyYmimuUYo7gp9 +HILjKDICqLlYfJR7c1JBZDnBP8ERQOId/mCHwxSiPWNrNzOZBF5G9hHA0E0Qr4U0xPpHAFud87iE +g8qYmiNIs5QNMC0JfYCP1W4sAP6vUrS8EpJIFRKAPZJEio8A4DYcS/EfH3biuqj3oZ0wuPERgB9L +zvyVpdiw/X0EUOue7FCDLndEhH0EME8Jy88w7xRxV7A+AMM74V46Q8bVVNQ9Ov0pNx2AL1oQoX6C +fMpV0wEI94mRCmsAiNlBDUB2TYsOpU4DwCNQcQMNgL+CrKQbNADHSPiPRixsHEzIpiQND4cF3xEA +Gc1bUbRkrLYjQofOTIv60gCwhhjNbI3NazUAZaH1RG0tM4OpBuDEHj25o/tRqhqAM5c7s07GPlH2 +EKgB4AVyGleJrQZgIAVw5RnTtjnDZ0QNwKe6zss1chx0nxgf7WhBDcCnJP457ej5NmgAyA8IwaiJ +B0tiUak2c4Gd5ha4H/TJ4ZXQc0jZDutcS7SnlrbeWOYZAGYqak/AC1RmGr/jWtJQ4+b5uyaEUAJa +0HgYG3ANCgf41PbYtRVZ8DMYmZKUKUlpNL4ICtNDCGEBZgGnAZeYx7lXdSTmFdPJmhG/m9qcrVIs +NhSj2IrmiuXTpvahaRE0Iom04LBcBxZklvEqjfzW66tvrl9NJ/sQF6kYjK1OYljCtJG4II5IjiPO +Js2YjbkQrjKpmyWzGd3manbjYnXWNfOpN1pTWamI4U1Q1V/Wq1gz67E65sQWFx5DghNDTrQcj55F 
+NpdYCMl+SlSCSB+nEkOff+/9+ef+3u4t+/XSa0YrdR22z9lvdfypitBI9NL1S1Khx9D/tw2aWL1s +1aeNOrlFqcyr36wZlQl2perMxsTYJxsrETf/WfPvP9Oe9LRqpBaeE6yFLdfppdOJ/q+V6L92Qdan +6Fw9Fa2p5G1J38qHas/8MqXf7c823Efb/7GaHtNo52M/telnKV77v2KKnkVktXqwZDducmpjn/xE +jcUfUvmHes4YI+nQtNOx/hk1TXxSmpHp7+lf02j3U+/75fadl/6l5ApFp9SK380CXO1zj/fhh7Eq +y3zTj6xP2CupcVDVXaypZU50F8Mx19+hkhLvT8zKUtHVyZJIzUTUdG/pp7ByCVIulCD9v9KhcnnW +3fWu43rXPsjNMSJfq+JafPGud/1Xt5yR/x2ppVnbKaczLXmW8iK2Jvt7KoshUz1XF/OOTze7GdmT +Ivb39GuFMg2bXhlHnC4yUvJOF5nGxLD2+REjQp0LdTcJkVQmxQXxjBE5sSk5PWRkWCw9Ga83LRr1 +p2L/VSoFw6/NiMeRiPnrodB+0gwNizJL1VdVDnNht9xq1ZQv0ikvhtWYu+2+vDSF6W1dqops10+s +7MKXStJdfrflk/vdl7dieofF9NqnN1g6vaN+m6ia4e1NsKxRWJeNdBj35f0f++tOXLbK/ql7QdxU +2xF2UMecCfvzkiuLWL012UokJ5opViZfWJqI6T3bd/Zyw+WTW21jFqTp5jfmNp0yMSH6FN0goSB6 +ybT6O4TGAVIRJrRDj3dCKxKGTBowYFDACM8YqTCeOAxNmCGDpWE8BgwYLFiFOhuhpMEuJ5CLakfD +V6IRmxqWklZUoAdvpkSoHOMIUt0zLvhfYJA4tMqyhbZCq54Wh6jCmqhySEoc6Ox/oouIxGiqZF6s +wFIgmSOXAzssZ4I3DwezXKB8t4rcsNs1m6MsXIOEoyN1IuRUBIdpQSpqVUI1umyphJZJytCeQgKp +j6BIzQKhwChFYBtIjyXcqqbCVS3EiAPdQfKBFkh8Qfq4/od3Xp5PT87niOBPZBiUWkmECrbEkBKh +KC0n0P0C9mAHGDBYQFFLJWZKQaJAs/DKPA2/hPtUC1Q7XKISqHMPGDAo4JWPQyMQQAENGDBYoKAm +GGyWUFrBLlAwr4gCcxRIgAyQB+QF9MDAAQU9MEAgAQWrAQEKZhCBAAoqgcEECSiYgQAKZgAAPXBA +AxFIAMEAN0X0IUIiFNy2QEPKoFTqNZr/frlSWRBxpF7prKN6ROs/yih1LLGf88qRkXYzgq0Qac6K +xu2kk4t1Reu+xShmt4TMxgx3ImNM7o7sbgYnI2k1ASI9UDDxEokwqYaoEunBRIk0Jowy5FKICnZI +JoxKIYJBmhpjzEehq9VDeMJEmBrOwmyPIIobJgqmiziRoDhkYQtRrilXPyXWTkvF51EURhJGjZIU +N1Yorn4JJ86LxXFNJ6LRA4kGmaiKG9hgo8rJHW0PouKBIdqokRb1QKibIB03Irh1CocoWdVIuKM1 +MQL9HoyEN9oeRA2rUWxDtXVPoRoT6sH3Gk+FdEamajoMUg4ydhCpTVEPOlIVOkGiETpCAwkCYMCg +gCiq2YToAcsMQS6GLYvojrkVVnNPMYMVaGgG2j2qUN6kwmIVi3khfcSCC4/PI9zl8MuEsifUSr4F +UZxYwBQhKopeEQ5LiBKS/64JU5SEo7NRcMoT7M3EhGxUY/hINfg1qlid0idU6y6aQMLaP1SBRBiX +NpBIbWpUEmGzqZja1CUaYhYOJEQ1gR7DSesMnFFgcUHFKqoSDh/y4fOFiFBrKWHAgMGC98VLqKiG +8ooSFaEibcV36XwKhxaFeohCG4stioqCvxhqzZcFpimoJBucpFFAAZMXCFBIFAqiKI7DODjjehSA 
+BVs0IHoUCAgSCAQQOGIRA1EHACACQACACAQAAMYXrNgZL1nmbHqGK40KGJ3HlcCe56r4+8FebtTA +lxlAgm7jm0Ei5kHzwRxnRP4+qiQTY++JphLNTs/T4C7eXfhw6Imk65KOWtx6gjCQ25Fhl0qRpLsg +v/IEEpviShwjxsPehuIg/TrQ+rQlEYivSDUZPAYE5nJ9ATVnUDYV56twz4KguIpsCThDajuNMS6J +YKuvKEbYhL1xmVbWn48BIQjsVJYJwvM+8rG3H6I7OpvCj2iVgLTgrS0so6iRKXkEQOdRo0Q/wipd +EAz3ytqf9/mHRYjSaVBDMqroBFXvuYCcOAOh2EB1bPLqRRtTTBMJjCQ1SZeGcse7UGrFJ/6ij/nU +iBxDDb7+BOZGT5WswdJ90zC8ymA/moDokwiOtgbS3meIMc8YJDFIRYCom/HupfrpunwjMmOfA1MS +yXY3W3/X2kNu24x29MEdJvFt4bTG8q7plyj14YnYQkz8uM6m/ljm9mV6cG5MVleEPEv2EXVbhXZx +QrHOLKiHjKjYDRyErt7cla6EGtXW4MQQp+YpcZc8NIdG9xsKIFVV0fnLGj2mEJjqgRlsn43Iewdz +WpvPuye7JNdQgxrd49eMh5z5NktN1sLp/I9HR4iUvJ0Sd42N+wS8u+jW0Tiky6Jyn2B8tBUVQvBK +knADHVD1nImtg1b2AFsghaOVMctcqlD+joX0vmJL0RaaeLPo6rabkitHYRbZwmUEkz0EXBcRv+q3 +1LohxKXoKvxdrQ2uEiwy/A12iubJA/d9JbdEGkzDohUBdeVzHzB7XH6T3YKbgabdNCHSoPFVnmIm +TtQBMlqznoWPHb174u7P2qp4Bh+GnHQ1YLeixpikAv7xetFKoFIby/lmwy17/OI1w4Z1w727qNQV +WnNv+XbehxOnBO6r1SQy8P9Uo2Db+j+kaQIP4IYeVt3KPNztxJ2MYlUd3J2l1CmckLLKhgdSPUA0 +cDLs/NOmuovuqNXB3pvXuxflcDzuGu/o6zfJ2bqvdbhsL+TyIljMzWIyvQfbU0BQ2YNCCExmhgl5 +3TjzoAwU7LHMaRKKgucEa+zQJxWNa+M6guDKy8pINyVQFBkcyO8mespPcPyDRjtvUwxzqsHxEviK +6O6L18AeCwpuo2eCVW8YVkLmPODx1rg4eQP/g1VJJgpmUjc9hxQBjGS0omoeWMuD1lX9EYIiE9Q+ +dqDwlgdmHSIlt4FNXYdWI/AaMRmKhqA+WwkKTTO/s+s4x/TKorHvTGKGdgrZ0PXI9ioqfOKi0Uhh +4Hgkaq7X5GnpTfJmYefMpW62EQ3IQvCjxfQVEYGOfWXLsp1ZPBf7dWaynpWJBBNHTxgC4p/Kia2q +vZ8DMczfWEaA48dgpE+FH5wsuAs1LlGrR5sFlced3lOfK9GRTDuGbMnLavguKE/Tr6oRXY3DiNdz +gS4xyMOB/VzM6M7oyQdm4t1JUPfDxRUaaX4wBi5+sR/4ursxqFmO0DvjkXW62mVuMSSBk70Hkya5 +AcPQ3emPpzHsUXMML+Crewum4K+E9FWtGlXcfUW9q+netcPMsBvwKhWBx+ozrU7YIRV4iZ9HAxtM +pmtdeDvLsAwtbJOwGYENTfTLe4Xwr4zbtp+l4Wyddl4CEJJCAGMRcqeux8MrH5MVAwc5mHWSxz5w +GmZSrDXqU41hbrkOECbDAsaVO7iSXvZPqh+xof5F8EbsGawH+xmNzYpkccGXHvNQb54T6O3EZYuR +VaiSgwU797HdK5XAVAv1+CNGrYcgOEHf2VO00e0NIHEq5wiQabrq+rUdFRCLA9MhY59NFupMlvmM +3RzNTEkm13jopGQYtD7chz5FXveshpdN1zi1Hm1yCdVH1XFmaL0hyLRKAC5YqimurE1Q2DftrSVr 
+IOmvNL78s3lEIhigbtwStcLMCCqIBfOZ3474QPcQanUkIGjCMvuiLnobly0SLFsObjgWPEyCV4ul +L3U8w0H0PSPvQyiewtYCoM+VMYqqOw5VfPA4kWgER8t55sMhbwbHUIGZOA2Lqva9dwNrQHHvBSth +uCmwXBixY2a8ejdqoIr6OPmcTAIu8dTtouYlHi6YoaUjSIeyTGePQZ5p2DHQkh5ttQRd0F9UD05e +7f1GQPTVCh4Rm0sI5RwXyrxl1d3lJ74LwFCg9dLxdS4VLB2KwCdSb1uUZj+qC19AVUl1yIx8VAUo +IAqw6XolhwxP7QOiCDbREVGG0aXjbYNqxyiciqZEhRIXcRE/z4NJs2CcBYbrNWV6Cw== + + + QRLAzB4fnm/JNP6lkUXEBoBuWD5yHquVD2FYRGk0iktx0ijkHZp2aeK3vJL2nzgqeAoqttOP0Zue +0hdyjPZVdqq1O0rbIjdRAe+vBumE4z9N+UnhnvtZFNSRBFjFH7ghfAav9PmTYRW0AMDkJgPnQBGF +3bfVXbty9AZ3cIPDwA+f5EAZdAvYSCFYHJnDQYQ3IBDAJL/egvgrNWAd+AgK4gQaHQnVM+c+ASaZ +uuoCo80zVTQgL3sRlhKwFYmbs24kdPx7hu+6OmxP/5Fg1MLYsYiGu9D4eyOCVFzQWry+smSSD8SR +aD32kUrSUHaQ7Iz74Wgcg5M8rXDXB7f6AgYR34jZex1UecZG2LN+MK9ugsNrHzVFCL0r8zwoor48 +7V/lwdS1s0s85t107tfjGSmztEkxbFgIu3ZqmTeEAPQcEMFuZzOAuSNM0nWA2yTL/iKTvlNt/HxO +BG7Kh40E5uFzp0ZfdtX4EdYpYP+T081QMWjGyfSJZz54ecyVAz8D0oIowfWUnmbvqgwnTWpNFIDH +Jkl7OsWAbII3RL8F4oypMRAfL7yNe5zRisy6yTWl+9zOQJXRZs98FAoWrSWUpov27jgb/xxQMK/T +rd4Svq8OVgP/GaNu4tteSvikRsUkbDsFS3RSSkwK561iF5ttSj3tHkYOYCMiHa6sC5DOkNJZJV1j +YTIQAR1xwiTngsNmKBvfc49DuND8BLKFQIaa2KprsrOoN9INqvEWYPl4Bl3cB2+aMGgqOp99HxXA +c6CAES7yZQ7LDY5fDkIcRITmnp950Rh6VEkimcU6eqx36rnUw4VwQ6TljaWAkhkTnUV67rRlzsWa +zWLxVupWe6Rb7eyEOww+NSecpQZTl1EbHDw5E01CKbvwfVJR/uP8TS+5y0wNf9NtzMujn5ln0B4k +mFDFH1cPbfAQmZGhTKkAbAWmqNytCNIJLWgMt+81zbsFOxQhTFbNSde3B5HZ5nlAe4tRMRs4jq40 +BXci5RDGyzIT8ZG66uq3mKGihSdNIR4jWomzBeFMlxLX5YVJZUVkumpcFelJfnxplmiAs4JvlboI +7jgcWpURWdHv6p64w312iTRkj9qFCdCOLsfj54SO5esyeo+8CJRLGpZLuVYP1dpn39UoXbzPaX+p +BKon4JHmf1I7b3Twbq6lUl6MaFOlnm8Gs16JwUEKbMXYExkXkCroPkjqoyBYauPdu+rFB5nzk2kb +fgX9PMXYDMgVMGJyCZ+aA/svqABqQSnBdjoZRBau0zLE4zK4ZMhw4mMQUXNk8ADtRddezK9lXmud +OlIc5De/luCqwtDpK05mRv5GFDF1b9x+Yg7cnIab/BlC74PZBYiBYEM3g/jUZwbUEMx8a/Kw4Esp +5Mcq7oiI4PvcakjmAYFPC4AwvCZKIikuS2FIlbEOGXCxHRg5TObKhbB0WCH4KypbWhx7EZOUh5nZ +4SCjgBplI1yWTd+EIs0k0TQIIqkuBB0I4Vz7DoDgZPcdmBzA18V1aFYVq0hARHpLsD5tcDBQzC1/ 
+fATgajHH4L/FaFS0pRJ3QLW6RG/DL5Wyu7UWh7cat2avZ/Cgg2E5DJh5LtUlErh+QO1WNsbpnqsl +DZ4fwQOb9ByVRgz7BJkKS+dkHLov68aAihxzjJx1AToijjlDiQnOMluABlTrWqTlqcLR5HQUFglL +/34SrJvaHGVAo7XWIqSxcYL2QRE6ZVyxhRZAzXmDwzEsc0KPJf6RfZiDc4nEgP9UwmUjIW/jviSh +i249qwAAn+oh/fQqS+xEYbY6n79eSiTA/OgWuApd/gYOpj2qPFSvrzO6Dg24G2w8kjOegwqCqIzb +MIlvFeJ3HJHhl3esKrSN6JKFxOP7V3BzSE5xZ/cmFX68EHA32JONd0ktLZkO7bPrLqAv15L5jfFg +zRynmzBZKa3uLjiB6z+gmjsvLRR/Zx66QcRua0y6eK+iJ5ZE5xKY2WsDy3XxTDdWnOVqSePictPA +W6nhmQ/4X/MbpxiT0SunJdSbCaLgw2O9gfFEmX5eawxsKnll7VBWbXuagW2eGzCwLCOTgkkAqYzK +xhBsmev6tTHe46SoHLP61zzmMIFlUPSX2f3B33GbKJmMDQUmSl3iYEuND80f9KZ+mg0vmxRVKdcn +sR10doR0MG2qCwEq1iTo251i/iT+2HOCXB3lr1SUFrNhSzHSDuHyrOpwEb4e9nQ0j1dvnmTYApGH +E5zKHKzyrmOhjSn4oEkqqPvb3/i4XLhP5cS6+Zi/ZhrvVHjAFSjz+e9NhkNx4mV0yBHMaPzh3naL +ruDwzjfj3oxcYTHUmBLXjuHUk2tuk67trlpOf5pgPlvv4WDRf/7IivDaa/O+DckiU8mAwWB+MLsO +VPbx9f5cykEz9tN06BD4xkeldANT+GPcyXN4RWcOu5AzOo5pUJfiKhepxbsWH0PwE7AmaDK6r0aq +NI6YldWiGPIfuvr8EUg0rwI7MHU88/rSg81gk7IqAGUPAu98hb9J5HOWJd4Y7oQ1KHWFZmRLDeIA +u9wXukYDNidMoyswQG6bgNK6XJsOrZNCSGccXWLrb0rGAJiU2WPWMRnAukdaYvmmF/ulm4xPhAno +9jYYAE1CB0w8HrL7h8VpYQla2UDOi4D80hSQsT2wrxeJ/138eCaA9H5BTl/DtHhkzgF/QuR9w0kE +30tCLlnzkmLqNfySNUpCEMQHqUERCDj3U5aHmnPlpdAhI7ieYLmIx7mMQdmGVGiD5i93lAQcoRh+ +mnzNfXgeTYkRsAbNqK6g0V0c7RSSaht3koCeMSBGmlzdzBshPIbaL1Mh3u8770qMjshWyAQPBZep +WcxyEGB/gzViI2e38Lyx+7vDgOHTCLNCLx6YiCNpoR8vJDtKFO2DAvJ8n24inyjiTmqIs2HgXh/u +upObfLJv4zaMMJGQQD7VjvBw5Io+fL+HmBaxW7cAjcgzZtG+1GV1oR+0MidHDUVpMEH1QWiQTCwE +EmbkSjBstZjBcJpss5+7PDWSaeMfBWbo3YXQRqjNex9eGSVjiQLNHwxKDzYuoxd4gSN/QgfwdqkV +i2Q8amuH81+3Pj7v/kHWJu2C4HirLsO1gVyLRe0w/LnOcDtLYkAgtkZvOY1V+UAK3Eo4DxpH9OZP +4YCyrH+Gh0DHNK+s60fKit/CueK4Myp6mKBgaXogxS3J42Z4M8msaQMMHUwgWB7ZKDd7kCTmFaNK +KLKhFy6mFMjQcUcSZa+qMIe2OkjVHvsdD1MxdHLenBG6nK+Mfg2n7rdzSW1+EMfUvPvL96SmB2q8 +/DJ7Pvrw4qygbiMhDmO310CL+LOmjMJtLNyb4jeInH2h9xFxaUCHdD7fgsLVnKyZ1DZEUNwgwIqZ +3y8qMIyu1jjPAfp6nDXC6Yo7eWUoPT/5Ap9X5kReVr6xhAO3XGqxrLRsBsBjFeVqtEi88HTly22I 
+K2+a+FzQmEyDywg4Jz0KnCFf9DeDrq6zQUbnhL+mbh7Paz044SjuwkHheNDF4lK43Jcko88C/RIb +ejEPhiGWXLoyIyOZij/SpANETNbZRsXywX8yUV5XxxPJhunrYF0EatoYxeEqD1TNMB0w9CT2A64Y +5t72/fSD0YS5VXOM0s1mucJJpqyQPjd7mgRzb6zOJpU9yVsoCPXtOezxsQRX+yEt2r/gHtPG6yHk +4IqSbI0YJfcEkHvYynRXHRfoTZpar7CUQRqy06QbCNILG/KLajtmDuPKLEPdsZDwHfYSRhcximHz +sWCLM+tX12V6zvs43GYBV3BeVsUSJBGM9dD79Ojy4INLry6nSmMirl5oiaOBdskyeIVW0W0/1b4M +CJytWjsalVlya/RfrpS8nTxAXs8hc/V6NBazVY7YJ2yMHb8XIMjYqKWPwBHkpWeeMH2MZxfc+VTd +8EEw8X1M3EY22oOpzFerZSQC5Fk8AYlPNRwaJYJsohxYgrHotYalkqX6b6t+52zBTwxuLghjE7qB +j3f/Af1/rID3r3vcVbpjQ2gcQsri9o6HrlioZFXogmO6Z0Dai3fkcx1bScAVUqCYYd/VE/7xMBv4 +Xyq2wsJD4LmU5MX/VKUR2o+e7nlL+NKqOkUuE1UN/fHeEuR5fvhN+Avxm3CZHcHR0N11VrAE13/m +vKLxdwWR38h9MMwZTjjRPwllCrgjThMoo4W9x/AU9f/NQNm+VzNTz8jdgF0oI/jzb/737FocwYFg +WZ8E23oU7EtQ3tITF2J+tGIwVXm7wyyjBRYpf7BrH8KWNRI2VU3YF8WFHoU1Ji48OXHh4VhhriQ4 +9t5yAw2Qab8zcaFQC2M3aMQXJgk7PIYB4luwoGF9JgRIoEOx5Vt2jWH6YpgRYtijuDgOEv4Pw6wy +w3AwNnGRHjkMo4YTF26KFkTR8w2QgrB0ktHHNhj2I12YWOClKNj2YAqKi/yJC1yzDEN/ZxQXrENm +GNhqmPOZYa5hGHkJzkmifDCd4iLhWJ1q7GFY1emrC6s9GEYYFvUuw76ihnVfnrZumISuNUzKwTUM +A9ka5pJ7EAz9r2FeJ6tjYaatuEi8W+poldFP41f4ihFp8RoWNVArSq67hgW1AxtmbDjserFhaQbD +YQsoFhdfzr7NMvXtXouLBEbamfbCbIyuhYnuxySE32CFsRQPNt33Li7S1Ha1sBPGxZiwx7feicm4 +kMkXBsU+9MLQ6P4o3z6NizwtjJ5xoeU/KfLCIHdCpGMrhm1MQMSw7TbDct0ZloqEAs8wyqG+jAsC +aNC4mOJ8AztDaNhxxgVzkQ0Dc2gYiAe6aVwg8KJh9qUm41I5ETRMLdowBzZuw+g+NewidGsu9Y23 +5LbMhkrY5Hr0cljo7jBDIxdd8we1H2YBBrGgDzE1MGIOD4lFrhIDPxMzeDyxp6IYsIc7xb5exbaM +NXC/iQ9crXIxsIIL8Ypp2xhromtcILGMlWxc3H3GoKLGQi021lU3VqMgw7HzmWOUApriPOIzdmse +q6Q8dqzPY+dC4ik2oxqTeePCjT8Wae9hIEMKQsayg5o60yGP6Tku/BrZLHesuo9kX4eSHTs8BJCs +2zXZVaaTZemTXTOU7TgubvNRBmWPWCggU4bauCCLyvbNKlNqXJj6vbZxYcsiNy5igbIex8UpaBnk +olXPMhxn2XWzrNusZV3fslajy+aq8rKm5ZdtCW7yLIdn2d0znFYzHBfI8sd1K5nbRWfmsj/MqDPN +LDku0lXNaoHBa0ZQUorjgp3NNBU3i5p6syyDsy3pkptO5QxNz5kC09l/42KDr7Mt3JnHgmdT2lee +Fen0jM3cs1W2levmPjPu+5mM48K0oOXclkDD1XFRj8tRUmcsOgUpr0bik4MW8Pu4XM5xQQq0jAPi 
+uCgDaGjjgjj+7PX+xoU5/PvMhflMQIYBxwV6+D4rX/qZz9BNVSJULokzPcYWJNPPsnuWcbhnIbZ8 +xr77rL/Lv7Hc942LJP6M3aARATSJjKcCzbfqNS70BE1CCGubgO6PpXExV9BYJE2IZQ== + + + XGTvDxQ0UJh/04yLgoEiI6F/gVajQEviBE3tHDQPJOMCxSdbJbRkImZcaFulERoREWLMYIRpXJjV +WBG7QUOEJgnvIbQ3EmIBiUEb0+bsvZE+Yo2LlEFrjmkMmpTGRf6H6UaSg9fF1b8MGjV1sBGhgeoK +zT5AQ3N1KCqfoV1laCsEVRbzeH+2iwwtBcRYFQytuvTkQvJ8hijohvb2C+22MLSXysILjW0XmoBu +GlOY0IA2LpYntFUTmq9BgwwDwNBkxO/8MTT4CbkpQ4s7hVbpKjRT4yIVuounYjVVBaNaXZBAL0PD +Mw+Nq0U0g32iYaqigW9cUOpF2zqjaTguvBktmhsXt4hGsxRtXPyvaTDaqmDeT42L/7A0GtRqNGfj +IieNBj0YDeWKZutEI7OIhgQlMxfeuCAeZS7SPyuB+hgX0b7nxgW7ifbOEdECzCVLmVuGIHPMxoV3 +2vOqp9DScUACmhTYMjQPuuAODW5cZCRebu2vhleGdreNiythMTS2Vvc3LlAyNDYZTY63cVErMbRX +jYsuxzK0Ldm4CLnGxY6hmdR+Ci5RlZF5d84Y2isKzUE1LoSd0Lo8aEgVNBpn44IoZqBVFA1CBU2V +PGhojQv92PqE9gUKTSeycWGyQ+7uWSk0u6JCY+AgKVZoNBWaIRenoJScZPsrNNVoaH/GRcd0txjg +c4ZWFHOFRqMyLvz5yO/epjypqSyLCg0Q4yKWrNBsYoaGlHHBeGg/CV09NNqGfWinI/ih2dWGdkbG +XIxxocyDcWEwBsmy3vxsMAmt3AgNKF1c4OfpborQ3i0ukq/QEhfkqA/x4mK50NozYC20cHGhb3Fh +jmShvbhCG2XAQju7uIj9tKQHgou3XlyYrjU01WxowP+hoYWLi0W069rQJquF5mZDi/qH9uVItPzF +RYmiWa+mYNSiJW0ymg7GRWujdWtHc7sfjWlGpCHLRNLE16RBeZQGvLjgstJaMC6irrW0Wgv8pTEx +Lm7INHAYF600zZVtWlfktK9rp3Xb06L8p/U2Qq07olYrjVr24qL1SI20LLUNxsWc+zQ1ufvUoDeq +cfqpBipWjV1YzXOcajWo5mrsbq8mhIKwtiWMtTtBZa2m4FiDxoU1YXesdbqsmTEuIj9rVk3UGpKM +C7JsLbbdmjzjwk3iWkbjoq655pW69uW7a1+Y15YCX4uF/NrsQwHb+RVskkzY0BoXDCA1jYv5r3V1 +sWl4Y3vPuFiAbLUm2QQsZUusLZs6MptCxoVhm43Kdjbm6oyLHoXMvSNpXAx/tioA7Wz/Z1zomNps +gJZxYZHZCAuN2a4YF7HNVhdKmlDUqbNF97NpZFxYhzaqIW3AZtowD7VxLVWbM2RtnGpAKYPYhuZm +m8LWtmO8eF0e44IYui3aeJsF9G2RB27AM9wMvuL2n3ExHreooNwcgepjdGXiG3NDN1HGhSnTDS+q +buK8bp5+dsNWcDc23m6exruBMy5YA2+tjItUvHUyyhuZOm/bTG+7vt6mA/eWJfi2Jfk2OtK3LLdv +6xgX9y7R7S5aFqHab+jO9jeu/f9GhAcxLmpkEgAnQvvDuMjM9zeh/Imv+83Ok/0GJwHGBTEUZL8U +OX57IX77cv2Wv7goh8/fwPZvoosLlxLgVv+LC44GXO4tcHD+gYPAuCCh4OoYF3E2d0GQMAEO/84B +6eBQFBdMQ7hOiouYCRcEVDhuXbhtmOGy8IbbxsN9QyBuQnFxoohTZRJ3I8WFDH51uSb4GYB3gVLc 
+V8WFe1dcwE1xl3biQDo8cQtBAb1L/BNnGj174gyLi2QnroISp6y46EYnzjr3LS6a7WWKk+bo4mIn +YR7ksxMH7aa4PnIvLh5zcYG/4mymuNN+xVWY4kJaXIxrcHGRuVuf4nTXZKY4/IuL0munOIkqx7hg +CDBXXCdZt7jCty0unf2cx1oceH1xFjnGFVqFH9A46K3NMa5boHG28IujcY8nnmiOZYLazKJKNA5q +br/0UKD9HpBxKh7jzIx4gqogIVtA3wU9yQC9uKAa4xAtOHgNSVlc0BvjbIsL/wRdXHwvbrXFhVvz +yOKC+imJlouALS5a6Lsv7llchFyYPnZbYC9ukLdwiRosLkon3OKC9C4uRvoSnu/CeXFBgNef1ixu +VWtxxuYlKeNiCBu9OCsJKEtJl6ExxgUY40rPMy4JNo5YOM4PBOa1WEGOHwdOA7iCtloa9/uSXCgu +Sni0m8JbByjnYUW5JU45t1c5AwKWu2FcDFoua1xOwqyXezaYs/niImld8Q4UXMtbvKNl/Jnj81tc +gbstLhpss7gw5XLwFRe1yfEAUglckeUcc+qcwO7OLWueM4s9b2d7PDdAJ2UAnfo/Bxrln9OlFypi +7/8c3AC6VEbkuYQQzgnHkxXzcOjISnQCOD05n/Seq+fuPncCdNEJkhJo9ZFt0Xl0xKLLgi06zV10 +U/eiu3CAsKlER3uKCqKbVFwwEt07R3RYEZ2d2eYjm+LC6TgN0amKixYvNUNxwZAt2dxkaUF09KUh +F8rYOdPERTBFx6TUSYryfE4uvNHlu4U2KI/iIjIBKS6mKtN6J/k5A2H6Ki7GqoGf+w4pLuxWcbFj +8p6jxT23naHzus+5Allxoa2tz0nAP/ewuBgc6IoaPIfQiafryNAp7Vu0J6JLqaywzqK7vUYn7qOT +qUc6qlA6e8VFytJtiZiObDXdkeKCp5vTScKn07JQR3YcdZJ+qcP2qTMfVQfTWJ0WXZ0HxUW+Yd2J +zDpt1bqo7K1b9bnuTlDJ4sqxurcUF2ASP53rJGIUFzrT0J4LRNcNeAsHUbtWE5BITXERjcnP57ri +BZzpCwdScbHbSrJtAYlCCUmQrlODrhOJE4sLQm9xEb51KRdIa13MlHv86FnaJxYXw7+Cbr51jaPr +wkx3K5pAdTKKTde9S2ZfeKAvI1JOxUXPhDN/5ed1SryFmXhQXHCFmbhgV3VhEheAC01I5UUS/DrG +3eJOriIumqQa4qKr3x1BXCS06HU4r9cZaSJ6ndLEFJChrTof4qL8W4LNX1kFceH+cHG3h4uJDhf1 +n3iKMHjfZ3JdZ0aJTeWSVSf4cFEnrZ1qYFchetbhAsCuyxwuGruuSyFUz3K4kEDV6wK7vS6h7joE +I1jyXafEzPdwIaqzw0VqHi7s5st9ua7z4eKWOOidknpkig5kYjHBhd73cJEv16FjKrj+hwsuxnUT +Dzd7uFjmhwtZ5rrpKY3rXsdcJoDdD+IiBsKuWgGLROyimVdjB+3gsOMhEqYXf7hg++xKCW5/tBPJ +a4faaTdrF3SxHdvaThIz5Yrkt1N+uFODuLCOO+SHC46Wu0LERcbnriQccXH7OERPd7QD4+uOaN/i +Vg+SxEUsmyxxIRvc9SYuoEnvMjGgyPYunXX58Ix6+84d2O8c/L8LDoFnoriIYgSPTXHhNHg5ios6 +yE57ZDYO2pY0QiKt8CAUF+UMT3s8vK5FvNAFbbmwPvBgnXgWcMWbeKxNvHziIgNEvG/igjw8E5gh +Xo0GcT5xcaSIh6G4KCeeXwmK1+rEW3NPXDBPvIYmLgKKtyQknjY2iddFirclLo6J4uHHc1q80bTF +U8FHgNpqtXG6Fo8IHk9cKDfG22Jvwo678STe8T4XkIcmIk8Fg4NsR5KLF72VN4ji4tqgLQ8+20d/ 
+eWV6yDzsth1bNE8y8fJZm0fgdkjJea8UF8naefWk4vfdnrewBb04Q9GzQDgVF3E5OcWFmHZetT49 +q4vUe1GpHmy5eqIoLmwemqixJy6CW48yceHc9fJLXBQT2NOi2Pt6sjf5ZuKCz9mbLtCdMM+3nuyJ +C89cexF+c9szVAXuwUZyT4SEdO/ZT3sWiotkykHfcT908NVLVmV7L0Z5TcW+B0pxwf+9qCL4RBQX +zpYRvoCroR7hwwUN35Li4hrxeWXx3b7GN4U+vtFHvrAR5bsKUhUhZT5luPkMuPMt0J2Avpck+tQk +fS+KC8VNX0Y9cdGP+r4Bq+/0Wl+UQUMTF7VQDSo4IfWCATa0r0hF+2yhfwvFrAf2/2tK+2BMN/1/ +i21/i/3wb/EBpn0IjpIUIvpbrGVvhIvJhFFzUrZ/Cz8pbt/bGP8tYjyNqCnt69D/0z5BEoraF5Xb +gqt9vXpGLPXAAETMB2uf7W8R8oZ/i/YZI0Kqfa7b2nfqta+NUdi+bEgfGnoBEqIY7tOX4KxEMn3y +v0Uf/xYXwl8R1fPt0/5bNEbGBBlvX02pSIrF0ucC4KI7iEeocd++q4koy+fSB4pLdX9T2X6Vf/us +vX2WyWBQCZh0aOdNKOBCtSfy8KX3fdl4LRAh+/ckDbiQT4N8H0F6Zv+uJl2ljfz2BWG9wwIXdytH +b18euAhvn+/2EZLg4ua2b2KRuX01276PgS+4aBnoFmravrKCiw9oUrSn2fZVgos2ep3aPjjDB+jz +ve2b1fZpwjEgzfYBjjNEqWqo/YJECAAEwNGzJTlDgDGyfUDcANBUtQfStH2RxgrJWmyf2umoBH4j +lFkA22dpXXhXeWLwyqeEr7aPm6Rn+14ZYMngQv+Wng22r3WKoqzP/toX0TtrXxDYA84QUY1mNcgV +LMzBRbL2pTE9uVBq9CGz9rkR396gdzME17WvrscYa1/Xat/LZTeEi57z7VOYtR8vJTy4OOY1uEDf +MLigtMHFanZwMeaDix1qn/1kqfb50tqHu2vfq8/aJzutVO2DMdGZtMLRZ8k1enAhvfalXRBa+z7X +CeFiZX6KE//g4lrVV7faB5IiYp2f2ofyHVxY2hjVPjTU6kKuo/bpyA8uJiBhMQQBTQN3DcgEvR9A +uNht5h9c9DS4sLnY0MFFYxn/PvRpH/Hgwt7zly1A0L9L6E/SPg2OHGQQCET7+k5IkIxizMHFxgfJ +ZpOlWpHI4OJIU/yQ9oFwScMXXIRoXxtQ4FBLcEGXjLCRYYCCC1BHBXKZvbTv0SexfoKLf2B/mvZ1 +CQEKLqpShWpfOl05u1WysODirbYKfZgIa59DjOsgK8/tite+9jxkfx0YXGhrX1K8ngUXgH4pVqoH +ka59qX0oI9Icu3eI7bu5175MJm1BsX0Yz/bhyplXP4W29Dj1/a0B1/YpDnZu22fd3L67QuUYpMGF +sNzXwgGESSTh6fFqmx2b+wwYXKSFvsHF9F+qXepz0tyHX0/3CQcXwg3oPsCDC/0OLkra/AYXLH8g +3ce5AvszuLhMRYMLDei+tiYUssFF31A1YrqPOfI+FXJwIfW5QMWFBhcXEHifhDq4WCmtOt9Rg4uj +I/k6BXfSzVs6PmeHtShAxE/PzTm4AC0kfv9NrTHedysNLjrG/Vpyzn5ged9/J8/7RDo0G1zoLAYX +ZJ3lfW6vwQV7DC7mCy74eACCkzTvgxAGF4BfHffZbHBhysPgwnKv71osA0F/gwuE3ocxuGjp0OBi +bq7/vE/2Mrhg9L6Wow7mfXIFF/6l90XWFt+Zjtq8L2dIggul9+W9zvtK5jUbfVe8Dw== + + + xZ9rCC4YVXhfRWCCC0BCeCfeRwu8r6dV8SC4eOS7L7ZcBw9cqOD7um1F9b2PqyWgxt53dO59K1SB 
+iyxuPsMjcMFipvN/jO9b3/uuo7vG95HK91mH7QNNSonR8n0tfJ9QrjkXuEj3wfahogYuLH2+Z7LA +BeedmGI76lH0Bi4Yij1wgfp8n3cj/HmfBi7+fOBi9H3uMuTyoVOSBsEFrQMXKU1fSgOn8zdwsZUe +uBj/+B6ir498H2/1fbJeS8Da5vuqXvV9Ufk+doGfzup8NRBpnj3weyC4KG6CizwEv5ZpeliEWmlI +VnBxohZcXBD8JDXG4IfBwB0SBD8ACsjgYnLBxVwo+Hmo4AJeEvyMeLtMcLGwZBwFFx/h/YsDv0y6 +4IIbPrtYwQWRe1mCCynwIwa9mQguxNpJcKFq7oGfdQl+v1Lwe+UyCil0iOBCH2HF204quIiByl3H +ZE5wge16mZrHJqOCC/0TXGgACvVi0uD3NBBc2Ceegx8m2mH51jb4bY1xwa9iBBc8JgmMkpADF9Rl +4CJN8HuPG5EUm2ZQWRc0+N3awW/V4BeOaIcD8eCnTQtcZFwj/HQGLvqAgx8UdeDibFoEF0v/WzwD +4EJH+EXzdjPhB505/29hMQ/gwiCXEtWGgSPCr5AFuMAf/EjAhT37zmzwg5ogBT/fmRuDX2HABUd8 +ARdzIW4SuMCybDRvgYv7huMkiwc/gGPBzwEMXEAvcAHUTAM/J0HgIsvFAhdbkeHX6sIv3PFGhl// +pkMI7gs/aUqK4CKNUIKLd8w2/M4RXAy5w++tD79rMMPhV+XARez0uV9b4GIafjWNUABCUhG1/x7b +e0/gYrf4VSkjkCl+jwEX8hVwAVPxm86T1OIX0knfgIt/XfwiaEWQn1YFLrgELq6xhwMu7HeRsLEY +fPycwEUT/Pf44Q24IC+ZSCovObst3BlwsSQvwrfoClwEBd0fv6+EdHDd33s0/Pit9657+ddJo9r/ +kgjyA2ayVxmi5D6Pmfr+6+M3FPLqGyM/Sv4smHd9b2IwiXRosJ4ZcEE86xUEXPg24OLvCFwIU5Kf +A1vyO9zkB4yTnyG5yW8t478lP48pFbjgEbiQYcDF5o0oaQfyBFyQSC53WxK6LXiSX52hmVy2yEt+ +RT7UzheY/GwLoTqCJ7+UgZ5b0Q736QAXJspPVqX8uKn87GTiixIIGg/ggkX+UflhA1zwlV+6yo9K +/29RONOW8nspTXnBGu77JoEOPnwuNLf8R5NuFeUWDu+/hcICcLFL9WZ/nvLLzl9cgAuBfmUGABfa +BrjYUan8kKBPeuUrv3jikIALZjDlARcTLb9yp2NZfkJNiK789h9wAffF8AIusqPMIZhUfjEBgAuL +gAZWfnuEkPIDqaVk+W8xp0utc6j89PIZD2gDuNDlyi9qlMqvuf8WekyfzRdM+c3bFq6i3n+LUoMI +4AIvfX4D3Rsf4OJtmFKGnAnxgElflR+IS+E94AJHBC7Syq+E4y4S+OtRlwdcqGlH81MxT76A4fI1 +84Orlc7lUrxNAlzQSojqV1Lmx3Jb3JL/b3G1v8WM/RZ130hDpZogpd/i4/MGAB78FtpZ8nDfQsnR +Y34Lcub0xfBbZDwY+bpkqSTzQpD5BWwLdpLYtxiXVN/iS9+Co2NXGPNrLRkHO8wvQbukSWffYvts +afM1tuhbqL786PMt3PItlodhfmC+ha6+53eXf/kRFkDf17fYUFiD7HD5efoW2atv4Wno/rVvUYCn +lZ8HqG8R0+gxiD+sb9HE8ntnS2Rcsm/hpzvR5Yf1Laxv3yJsyy/MRuHF5fe8b6F0pslptiWcjKL2 +LXjLJEzlJWNabf2SXn7wvsW4/DqOhYYV+Vp+KvsWJim/Re7ot2A24FdohwyXH6y3xY4o536L1LKC +kfO3wLi/xZgTk/CGx4cJhERT/y1IDsAFcvlJof8tVj6AC/nya/tv8bFDosRQU//B/Gzl3+Jw48ww 
+4svPsb9F3ngS2hjOJMz/LdZ6mN+d/TK/9m/R5/4WXy11zO/wtxDt8iuNHWv8LdwAXn5cs9/lF+tv +kQiJCzS88h38W1gajruJ4eXX+mF+xYW6NvN/CyIu9PITCYALrSacn1p02P++DOycXxWRJWB+UV3W +yQ90W+QHuFAfwAUdzr7EfwvC+7cIj1/tb2HC30KuTE07foD9LUJie/v9W+wBRRPQqOV4zr8q/lsg +FsAFPqP336KDHAAXM5a2Bi2rveNtwFp5Jj/836Jc8nPJ/FvwX9/0t3hXLsPF5GfE5Lhl4NynrJ4+ +tR404Q+dZfhh5Vc7v7sepx/v8JOPT3EI/sWZyS0Dimnk7QPtmFuGxdKoXUZFWdGxQL9NMoYKLO+2 +EJR/8L4IVUlNWpj+LXg1Ll5k7n0F4c1fdH91/xboPf2Qyr+F2pzKQOpNlLs+PejM6oT8Wwivk3aA +T4IBXSflv334t4AHAxTKGQdyymLH32JC+1VE2t+CPKEMZWLs50hR7YiGMfwtzt/q54u/xd8xcSYd +7bTjjeq5hnZSUJVXNH8IG2Qf6HS24szfInSC2ExPauRPDgqU4cpVIF5VYwFPGQ8X+egZ6XTR6VHb +QnrHu7wYoch+Qf8WudZJjvxbNC4yeKhUYxgnCvY23CbP1c6/hZq0ioMMDinFrtxYIMOavDKofVUE +qTRYdUxEwVFTFmv49SjdvwVTpijiFPpyQgtLgBovLiNYBg//Fj4OpgjtpzTXeiuTnMFR5LTwkHDB +JIq/hamMQTnY46Xkb7HKgieWAJkujYuUgqdEM4XK36KtGjm5II1IR7kxc2df+1uUrHzyYTkpfn+L +ux7zkXrOJKFhejL6f6jQBWBX+DJ8V/X14G5BGRaubjGYDjBGITBFuPi3GCTdbcdL9OYFiqOY+reI +0u2XFCYkIsm+Q/r9gUujBKAjCfSHqWCX6/QYsqaWL+bfQka53ftsV/hNqXcFo3+L5IuTN8llgWRs +lfZvwRwt5f0tApAze8SM/KEJJeeSXvP8WwDKplS+c0qQFfdv0V3JWjuNxC/VeSViEnaePWGGMInH +zL8FTC2popT2R/rf4nbDkJ9oIxa1ABOPGobdeogbA5fUxAxta3tx5uDNIh+43f5+F3rHTwIM98Ln +vwXFEsGtqKtOYfCrJDBChv8WxA23UAqUUKIPeiJpE2aCSfJWahvBIMBF0vL9Aw+0l6ekXBDgAgT5 +p7nGinnB5CEgZg59SYCitw8pXDFgJlGACyeup68XDO7gbJs34oyjfBKgJNdfdWaAi60Shy7YsNLA +Xlvq4sUGuOACMxVIReMhTq28GuCCc+r/UApwsVi4GDKpdySPDjB+4YOkmXyAC+NMLOc19QFhFTC0 +J/2PiszCJP3cepMBBgfWaGhzj489GGBovHF7Zs1sTX02qJ4sVt6kCnAxuGlpvBlMIsSwA1xESao7 +n0W9MW7JsTJl7fiSlDLV0Jqi+IALuAiaJtnCfJLy1W2xqgKTNrxe3xQ3YJRuE497aV37GZFB+LeO +WdsEXMjELxWkf1QrgoCLbTwoPywE4CGggIvE4GFMK/o83wUFvGHihG8XcKGprnq49IPyS3M6NmIy +BFxsDehhp5GKXZ+zARfOe2RDeaxY3gdcJM0KgAlkT7Vx+ynVl/mAiaZNaCZwwRvyPlvmcripBC60 +HEkYqdTovdAQbF2TdWzADj22SkpQQ3AXlpMefNlAVnTETQMfgcJWeE9c9sm3rnQs4EwE0V7gwofB +CjqRogWz0kBzSbBnIOt8vVAGJi74hHg00TsoUQMXJIe6098vhGXKXdrABQr6IrZnRyZy9RwLiQkD +F67WQjKCi+4t9qXZpV0Qn4/gYrnxaiz6eZHnwt9glnd/BBfwniuE6KUBRDwuCq4tCi70Ah9IdNJK 
+wUgruAjVSIWmNeBdC179VetNDZFUcIHtnJc6si2aggtbKMmaQCXIAr2LWRMPkd6eruf4QRJcUBmt +Xl7ukzVxtQs0kZ6mNTY9M1IfwUWxsBFma6rpDalYhl0o7gpZeqhTk1qFV0mI6yC4UJKGHp/STWYi +uChP7AO/AHjjBpmFIbjY5Oa5391kZg1ZUYrgIvHDzdg1+bUMrCMILgwP2h1oZNFS1dKFulln0u92 +j9F2f66nLoILWX4XJnON6cH8Ft3ShVyyN9RdKlKlPRNgBOIV20EHUybClQCg/HAxqMt7Kjud0dIF +8+otBQQXzMPmKoQdc3TszPIILh7caCxTYN0SOX4ILqbr5tbdt7p0oQlXPPrC75WswB4aog0FF0tp +E98P6UhOfU7+ds8JLib1pqEikyW4FqJXP05wQaGO1GURnJC8LGEquChuSbjX9OuEFqmtiq/tsfZ8 +0yq42C0wVeEBR8FFJssCHVLwKbhIXh1G6gwKZyKYSxfo2QNFw0ZRrnXBxc1w3bX3jOvBQgElXrrg +Kjo3pIHOCOG18QcjBpcuQFeNv1OLoHPl6sQVMoHd7iJSBy64mDb4HU4B6IoTPrVLF1p6ESvCPX27 +KigvuBCOl8UImoT5vfp7wQXZ9xpKSq+aAMTibhc46I/VAxYXpT2CbMCVklxsCttWF1YaVzotuDAJ +GpY17jCAE46pN9KT0oILdSoQsaWt3adVW3ef+4QFF/3jUNXT+3pfUXHfa0xM99KFjNfiAq1ZjxLM +A+aP/tIF6zNPxaMa8FcRPUXfLl1wQKLpclsGc/ejuZcuVFNOhwT/in3YYcEFISZzrYVCeZC/mF26 +EOsQpq+5g4R9sbngQnNFJg9Nl9wPruRYUT7cGh7v4rzIpQtdKQI4SGGbEQugX7rQPMJvCcUNNAqS +V/7tp8zShRq9WPcjCXzS0gUVNluvKgsuVERyu7XxYPfzFlwMOgzgu5Li5tpXIVONwQXYNF2RHFIV +G1wkcNdhYIsGFwNQaOpZwZRvuhUVLV1w5lFrhcUBLGRYDS5iXKN3qn7pv1xoCNU64JCWLjiIG6lN +LoaQYKY8PdhWANPa4AI2BcFx9TIv9QbZ4GJn5RNii3XylKmUBhdyGDhaQmLCOZYDmK68KFWw0gX3 +vgtVtQYX1OJ0ufa9sPii0oW+IFeAlsfpFfIY2ZetfV/nkJJPl/cPLg5Zz4byDgJrjZcukFirXXzS +WMK7yW3UUVUsBKcLgQ04zB+CF3sLHlzgskmNNCavKBkcXMTyEhSUCZLIK/7cu1ldutBkGYWFGxqo +UW9qZePgYkVuIK/p17h56YJbwKililZoF4+Di+a+eOAA2JOTNVfoVLRI7jk4TewvMbgI/SzLZXZe +PZ0p8HDpQsGfgIQ+NFv4Cy4GogTAdKFDLrNIztngIt64QR2j6QIz5VPlrlH8R2JUxz3DF6K1hKYL +IoBGiVMMewtp8SBncXDRBPDrh3gWUGI1P9B0YercQflMrHBwobHDEdFKo1pNnClbuw4upvZJN6h+ +k/X7QEaU58x0quI7HFw0Sjb5r6FlkIVhkWsjMYXSnwvQjC0yV98nCb+szyPinwu1zg== + + + GLPANX3AZN3m1J59cGF8gM6F3MvWMZ806MGF08ASj4yhzuk59WEFg5NMJ1Rl6zumc0Er5DPCxAAq +OJQ/BxfaQueRsWw7Ohes3YzPaJEsyrGODJ0LcuExwqz3shvuBhfLHg4tjeBPqhtcrOluQwYD1p4O +N7iIy1YE+LAOMOhc0H4iH5BokfQLghpcAMojUkA/U0HfwQVsGkeApyL45EsGUq8SvVjOBactbvgJ +FHl1dhxcWAaHVR1VLWfoOei+l3PBnqEJlTpNYAadMhfGhYMLVf4pDE9UweLgQomMtPFe4bVmLOdC 
+dWqG+ROiaUukC+W+2NqffyJFyI/KtEyFvXe+2GkhXMB6YCLnHoQLSBAeYXOKyoxoECBc4LzrP7NT +p8sWARs3PMhi2zlK85VsbbyR6eRMEx5czJ0yCl5BJiulpFWwckSnw4OLX3QFFa4NOgcXJYoIsS9F +DNeRVXMuOGtklMXhXlipO7igqiUpiZr28n6nJPaIb/NDDAsrSQTgBhf9psb6G7hkFNGiwcV4SaPh +Q5Cx6kPAnAts0Qnyar48N5ZhMKjKdRKgQucCkRMWGHNlp3Pe46k4uKDQgx65FsrIuNC50Ak6SrzB +R578AObgopJA2MUFDi7UdVdoAbA4uCgk7o70iIj8BMjVDS6iT2U0Ibe+jAv7uw9xfmhwkV02qBtQ +8GIriXplLSX59YfOBRH/4xzqSOQNLGtwEeP/37H9iDBJAt1MDWzoFWqAxz/L0oXW7Oe2WPTHxS1G +bIeucVOhEToX+uVZgMy6gv01bZy8JF4QanCRVH37OB1blMxXbXCh2Qqm3Ga8CyT8J7xz5A0ulmLh +jH+0RckGF+tLeLeyhoZ12uACk3slvZjFI5jBGlxgCC4Q+nyDC4XDBx7u5lxwXFBnth7/OmfwEypO +S16QchDSOLvY4GIphbrMwtLK46opPUAo0ExMbNTiIpFqlB2pXKaLWwAbU5uGpQ6CgzkXcp+1UzKy +4Pl074yic5xDQpbQZO5OU1M+54I7iCeuG2Ho5lxYuGNSpb9tcFaUgguljwGdsY3T1w9VcBGD1KqC +7wqXq3BL2IK8MfDLo5tzQUAjgeOggos1nAwFZvui/y84OBVcKJFnQrjP9LYF5YXgYjc2EvNhXZU/ +C3/Ohe4GdgAFmUBBSeZcaOJElODUQHkSXFCB2YVLbh1/ujwp//FPCtxVIY05nfaF8lZWJ7hY3ZMm +wkZksiFVnk62M5I5F/5J0nWM6869QWDiw2bJR3BBeT8jMmDeuI8ZPb4prU9bL6EFMt0Q9DN+I4kN +mmFRuRirL0C3nnwIrAioEVwsORe0CzoAaFSCC5URgTI8ZmGblNLt1hszwQUuXxQa+vg8KcQKRoQm +OCF3fcK6Hl9YqkmCC+26pn/7AWGKSSP4zvLzvUM5CS5i1TntBl3whx4MVblQqdg/1gMe1UlbFFwM +limQPkbGUjCSggsCSwWkl6LM/4iFTAUXxFSJD/lWmsPXLVg/MGp5ewUX8DUexMPaO6aCCw0e1YU4 +s3QKcGltC2hSwiKhGr+6Wkq1CjMWXd+B0FIx6EMq3m/x3dqCU8HAtaCOEWiK73ZrCzb3FCqFBFxw +cfcw71exWobbggtObKLoxoSLWA/7HzxkRRdcjNbzDQpKghU+XwEsuEieJsJNX0QjF7AFfjXCNrqf +sr4NpWPoM+oFF6EYvMo2U89kZMHFqIyaXAUZqyV1Roi1gXH+7P0FFyTc/Sy54MIk4gfYpRuG8QmE +eFQL4Y3Q1a+sMQswf6YV8CSltqXgon7SWL1qpzA2m5lHzT0gB4OL8L4aEbBSTjdaWGy6Yi3Ru9yT +aBoyGylY9gmDi+RNrCxPB6TkTUY1tqcYXBCW/SWX+LqcjQvE5vtcxErmCHsiprqCweAis1ODfMi7 +ZdWGM17TXebmZ/MKGfoi2DGDd73jMhZjE0aVV4wjVToMLtLIk5Ku2dxpKcAbGXXbBORYhpfDGFxM +UdlrAI8A0jbINnFv/NTxkcIr1L8tcMonG8Tp5i4eM7gAPso7I4bMm+q/ip0YXBiZG+mrFusQ7LXn +wsMDGrzADC7oLJAj7wfdQ+VxKBYKCdUKH3jBQWv6MP2MsrWc0hhcTDwTzVWSrIbjHMswQ+EYcFg0 +FUTr1b34GVyAw2FXOjgMLsJAaiX+dgsusMN+PEn5Qjp6BzOKwqO8q3SFcuCCM9T2r1BP3CHCHyVt 
++hXKL9t98UcvDrKLl7bggsIWkKRX34CGJ76Ce67PKfBdCDYLLjASHBseaNgx9showYXvShtCTRqE +vWTD3jwRpwsu3q8FZ7TnK8q679euYKYFD4Hhv3FdgSveAV7hc9vI0RUpN8EKuPwFFxw+JGFwwTAy +UxptqfGqRzS4OJSB1nsq65K+0eZcgWItal9K17CJvp5coUjB6DBIygxfG1yY9Uj1Fkw3JJ7Wa24K +ETxCFTLNj9bgIrEyBlygP4HQYtWLo1JIl4MLvcK1mXlucCFizvYw/QMVOfUf/oTBBSTavML60RsH +IVFjYFW3WToDgcEF6/ZG8xAlxl+zuA5AAyvBh7FAD0gPIPTRFlysBv2XfVrwQ5aAZljAeWJacDFn +IkQvZan6BRd5pjw4ASmFNtUdl8HFxExhUa1Ioa6SyeBi4EdwgNIoOl4F4mia5BrIPAhPqeA5UXZ5 +3qm7jaD/tF2Di5UWvbBK1WhfATlwFfTOPLOlpKS82OBiU8QEbr6hqSkFXIWySZZEiaQIK2g6GlwQ +9+sR+ZbQ4CpYb2o5ssBV0L1or7BL7AtXwUqm3/01uBDNAkQSshx25lNrcBE/yfv+V+Qut9RtOKsD +5wy2h3AV2q2hPDOSz8M0g4sN7Y3dUD/JSQMzg4tBU765x4swz4HBhekVxOfpJu2GVtyHVdh+kqho +LxTasmohTwlXgXMrvi022iG8jXVsxSQlE+EqdMCHZ8KaGFX+cBVMkCJkNFpbNjAIGh2owQU2RYjk +rmyqsN7fBhcUWevSoGG/YsQaAPJ1gws8yukH1/d9O0ve0cMzHuAqfJnaLF200FLZ16vBRUGw8G9h +214VS/+3CizVEThU5tujQ2K2ouE6rTS42B13hZ3X8z8Zw75xpPdCwEsQ+jZQyMrYDyPRFakRDY6R +MQlncEFkadW7/EpmVvWqkXiobxWqT2GGBsz6HMYwuHBgIZcdKWLw4TO4UIHCINbxp9Vx95uNwQWJ +9JGV2RBq9TerUEymCCyG1sZdsX1MpxYbXDB53oH7JlwJeRL/P6s2fCeKVeg/Ykh/ljQaXFgPf9hi +U/LyHlivtnAZEF06yMUq8ATLpVhSrAL6HYOHY3CRRRxFinHuBRIYXCTWsjghi8GFvHlhEf3cN97r +qmA42AmX2Og09HKaZ9CEaIzDGVzEqSW833uxmVS54MJmkhASseBCkaf7f4tKoZZEpt9VIeLjKaUU +hZ3bVaF7KneByU9GKgK64KLbmhMgrX6IskELPpVVYQt7EU8Q+KD2gouQ0jhqppe3vp3jrbfegouo +yxqlSTNt3cJUgRBJKkwLTFzTowrzwBJiFMkQzIrNjWYjWtWXMoIAyymPKmwH36DgSYUDpBdcjMuP +xtuXkYHlt8F93fneowoar2c+NYiG0KQs4Gye8ng6IGSfwQU8jnZ9ROb6eAwuZk5TLuj3eIuI+cHF +5ZpIvZN6wcUxoClEQ16x2ShsKqzuVFjFBTs+ChtTYeJZQWqA0iPZReABHGS0VIDF0pZPcJQKwB97 +D7ix9D0H4jp5BheywZJB0d7CcEDxlz+vp96RCo3IWF5WeD6ekA0Dg4uQ5ZpFyq8Rehk4EUcqNMkw +SF1aWcTZbh6uStsZXEDMHo6do45UoBVIAg9ey5BdcCGsaX4KE7D9IhdcjHxOhAmZ4qKyIxU8krr2 +O90DlAjbLbiASV45bioTNgk46UaOc2KElQMV2SPBxa1iEP5/YUqitQQX4t9qCxWTM5mmIxXau1NR +kjBbbk9S0CrN1vFIhQXP1/5SWPNNoP9Eut2RCuMqEIf71dQjuJCZp+LImZKvHalgXwXUKUvAS3Yy +I7go8dLzoni9b0sbZ3fgYt1HBc5zawg/59nC+vLPalRooTZizh5pdT5wkVZixUrEn5EhYeDABYvj 
+gjWODQRcZnz5gYtTEAuD+Y91heReNcYDF6ZsmuXOpd5CMf/H7Eu51X7goocxLsKBHpvwNSpgYCdF +cLFRdETmXXJUo0J30R95QwG5VaNCGQJJCP/lD1MHLgie+pQpW93KV3vgYmEsBRqgkr9PU281KvRA +wTl8Q4hzHLhgo9GRW98boNLtgnTgIqWMNAoBgG/KPXCxNAgpjnGxBcLBuOEk7QX2Q4y0jOu3EB+4 +UOVnwbvJxGUD/qlRwWpOom/tQkgZuFAlWNUhEZICFxGOJDjkqEaFtMgXrPnF13TVS9uiRoWywpx4 +HiSzf0wtl8y/6emHXgKBC3PBKOaMuz/ggmyW2qUkdirualS4hrVvjMb5lHJHbcDFS209OOC7BwMu +1LdruyX1np6EAQzABz42EAc3USAeEfHNADwAD8AD8AA8AA/AA/CIOtAP8gf4AX6As5x0J91Jd9Kd +dB1Dt4gtYovYIoB/4B/4B/6BB6Ojo6Ojo6Ojo6Ojo0vYj6MoAAAAAAAABIczXznBOKiYEyiFSnTy +0Vv4HPv517/XIGHZCFnNlH4VT37S3yH4vKrjU/2mjDwm+/W4aAvVKAgXk5MPfwLiRzy5aWZJfDy2 +1zIukQqU1whIl0GighGCgjH5KU5+iud+1W+vmql9Hjl9Xj3u4yTFBI0YHiwhKr8tA1YK4sVLDJUR +E/0msaOFjhmYGCevIVqs+IApuXHyskHCevE6kYA8ITddATOxwAIO4LGCksQMmCBYqNhQie1As+KD +CpYdYE5eRh/XDT9ACB0EwEEDhoiqh0rsRkw144Va+ewsOp4/jvSiQ7xg8UlJGRFPgyWC8e+XPt+R +QhLbc7fTVkS8Dk7gAZiUSbSaKn/egkWaOX1QRH3s32kxpEVQxKJ22IXQsQWvJvrMctUUi7ZIhYaA +IUnBaZL9bgEGFEAAHTCCaMFSxAuWFS2TCG7XjhvF78vn55L0qKSNklZLyGexEtUwUcGQepV/N8Gt +RzVfey0jJYQAO2LAIGnlYInpYBFp0TKheHDSq5Zk9h5B0Hr6aDFZ0SrRIGHtsCJCos+pN1XFrMlV +Y1Ci1U3DfF0HzAoRNGiGmCHjwwqVFjETi35JLJoC4n+IoSKFarQjxQUjhoJRssKhEkvZc5OK0l53 +i2SfprhZrmjYhklrRKdTmD4mfR3LY9j9lt7ThcMsI5+kr0P02cS/YU5/yr+r5Jc3R9nbUq6qgvTb +CFHBaJ1cRB4Vjz6CzyI5/aJfVw2PWpWHSskMkVYLV6nFq/RC8qRs2X9XGyVVeC2C2dGr0oChXKxG +KJ48JK9bdVyCV18t69GL6bWrjmdUIRonLRmUSMWDp/R2in+/mDwpnSYZeW6ojLyE+g== + + + GiGlGiIlHCQnGyGnFVAfctcW7HCUnFGFRHbZxJdpTHxMCJ9ZhUb+3aXbIhctyWiMk5YRMFKkgPgY +I6sXsBPJbofwN8hdPewZatGUkF6EixYfLSUxqZDJJ0+xCsWoQq58JvnkP1rE/Ejx8gAeNZaAIYMj +ZKWC5FHpbdGKyh4XYs+XkmgEn228Ti1OP0t/u1wWZJJ5+OUheHLVFK/WyM+P6LSLFgmHScslxKN4 +bhVRj6Lj3TxvUVy1zuckXf5cR0krRvQxyemTfEa54x/0RPC6hxYyLabQDOonwgVLD5YQmRMIttcj +Pd6rZ8ppvVrG9psnQRScrliFaFSgFpEHds8elLzHT+Szy7hSJD2+gkWKEaJa+XdW3LZouEXDfjl6 +zFJFJCrB7SuvYXismllX/ZrcNaSeK0JSNVhGXqSIwPwdptMxKtANldaNlNaKFemEt1lAO8t+VbBE +RKhggeE6tYh8Ex8vwWuVu/ak+FFVvSTlj2vdMQ1L5CLyU5hAMTyG4XEJTkFqiZJZEryS+LcLyeNC 
+8sScfhpUqOXnbxG8x9Bzln5J4qBXatVcBG/QC53lqVVFqPmX4y16rRoOraZKZlU+ugwKZALiW7yt +wukcNV+wu8sw5JZLbmp6VdTLumb3NbspvN3i2VdxS3+aiD7vWCEx8fix2RWp3xI8TuFr06uaYlZV +xzGcVmH6V3DaitUU3y7Z7dY9/+qZl+LHbfWzHNFpGyzSDCiPIXlgeu3C6RO8ruQ1RKdXRp4dLSU9 +VEpgQr9Jf6/olwSvoTbtz9EUr6mZfeHwCWh35TJKSB/x2COeW+TPTXeMwmUaV0kGBTLpb5E7htUu +y35B6/mjZW+Oq5hFzS2Jf4fgs+gsPWNISk/Wy3rKkA49VD2XeHKWkafE10vvKmJRkquCVhQfR7nj +6q9LwWzMhmNI/4rUKWbXqFYlmaPOZaTUNMHqyUVXqEBAtGiZYdKiYYlgUh+WLfNmOYffy2W6GIbS +sic9lJuuWJFWqEywWv6c5E6GORl61DKknrFbHtHpFcyuYPY1v6PU9MsR5jaX23STTMlxiD0/KQlK +zf8k9xEk8eQwqZHJ6P/dlU9LEU/eQvJhN5zy5ysfPeXPXXbbQupfwFQjuo2CV50MV3EbYsOruCWx +qi568bYRtWYIT6N4dJeQP6LPMRtGwSwKZk/wipeh6FVjen2SXdKrsmb3JL9P7PpBz50cZ697tUwX +QZjT3i2bPa43yRv0dvEbrWjqXe+P20UvVsssIY8KqE+BEq2EPP+q2uVok+BHNW/x488xtJ4jt3yC +yy39vcLfpfXEQy6lt2nEWKgYJsHlFk++0tsrPB1Cuyp4HbUoyU1bc5uLnccMXTYc0+kQ3T65q06G ++UnmqGlqVVebtt6U5aOjfHaUD0+y2ylX9Utw1KYqXKeV0Of0sqm5Rcns645FchoFs6iX9ZzkanZf +hLBMtIyS3ZYNp1CBXlCg1B2DXtVEvyraNfHxEX1ezWzJj6/kdqSe/Bii2lTVOv6Kjly29bYj8DtC +w7D5LannyGV5NbVJ0VTLMPi1HkeLoR2CnnOkvc3NNjbYpeI2H71PWrpuXGXjo3YdoaVqRU3quYNe +H3ojOU0DO6Xw2bXXI7/OsunRuv5lmX+g3XX+KNKdhm5Q6KPokueSmvqkuJMh7W03yOGe5pPixyRD +aBk6y5KajtI0hKY0+OHiOIOh7Hk2+MHdtpPhByXxrzutqIuGUXHLm2JOgnxa9igZUk0Se8ZuuUW7 +pNUcqaVvjjXY0Z7GZh3PObroN8SOPaV4f9v9ZX0Jklg0lJ4md23VcuyuRyrKgtsTm+5kqI/hR03h +r5NDDxdBj1mSVnSkmiPV9JRi3XH41+UiGHdaX4q3+MneJnPZX4ofMszBzifFkFmSUDTVqiT3fKLX +rzo+xW2Pkj1K4uO3m+Fuhiq5HammaT1RLOoxw1SLvvh3ym7351ji4ym4/aDjCB1dsCpCuyExy2pR +0Tnq5GeC1xfSByW7p3cVoWVJRUlrKnLXMXoWnWRpNUNwGeXDv4g8JXutelcRWqLglaS3U7H7SU/X +LY/cVDW/qbj90TKEmn8pntpUZL9rcezNMeWqLT/uQhVa+XcWDX/WUwWrITl9eleRvm4xfVQwm2rT +TzniH+dmnHfb4s67P0/1siL5PYLbI7YMQs87/Gywc7dsBEFBbjYnp3NyNvkI9qQnOscSWp5aFQ+9 +mNPYrBNy3b0c6887vexIPfUQrLuu9roQvP7VdN22dNNKcMyb6C2OPVnGWafmuJrjUE6n5HDgzlOz +bM0ynhR9MfzHkAfBNsvYDmfuuLjr0E72m+jHPHlR9Izkq2koZ4N2OGmH83Laq2U1t53SdPW2oXO8 +O60HPbvj7g/kSRLNOrG33WGHe9qnDD9nmYvf3GlulrlaNnudzGn51/lkuIve7W0hkwSR4wg9QyxL 
+g6INfj0JjlLT1bb/KN7fF3fdu2n5GN5i+HLbyV1JqemLIO5xs9YRqScKZlNxW4efmnVODgi9ZSHv ++oJZ0Dm22SbWspjb3m6TQQ60li0efaSOPWSoh9znJEdsqo8hvGVw1qE57VOKLHhtxSzKVX0y9JQi +7W1stqHBbdSqoRT9lCMMdlOs6peiDXY6KdYimIrfmBDIBQqlet0Qan5M07SmpxV90fIphj9ruoJd +1cueWlWknqLURL3sJzX3Uow9Tv68mxT/tNRFzy/FEFqOUhMPPZ4M/REUmSHMR1/pb5KcXsHs6lVN +LCpaz5C9XtUxzJZLdnv1sj341R1He927ceZmc3Y69kh6zNMfxV4Mf5L0RzH3OljLShAQbwAnuAEM +IM04M6fhHod3XA56e/jlIDh7Hux1J2djbkBabis5m3fb4o2jPY8fx7WTjSAgJYdzjye44XQgILHX +kcqSD8P7+/RQLDecTYcTnAHoYHY0viz1EMw/D+a2c7NxO9ndeWgnWzsPhK65OMrcpn/fm2lsJytB +QEYQFCMKFCQKFCyHI2+c3W2eEQSR4d5xe9fdXXduOONmI3+dzG3o5oRKblHw+59mLn4up2OCgKQd +Dg5+OgjWXmd7XA52KrZNpSr/eXPXtdsWc9wegnUI9iL4jyEvhjb4rZzNu2n097Hb1nKb7HX315XM +0sWuMEykF6bRb44up6VZx+W2XQxF5PgZw5BJhs6SF0M164QbkHCDoj/HU6t+zPEvRR30PKUoUk9d +BFkOCMtBUXcayBxDaClaU5LLfkwS77ZY66AbFO3GscdQBkFQu8pgrXLQc7nOy3X+09zHUaSmIXe9 +smm7HEtuC0JPUXqGzBHlsiYZJsEwKE31UfygJqpdPSaZi58NdjPIzZ9Xh6EdhvXnwVoHBz+PSXpM +8gY9++vgLYO3TCWzLNoluao+gqZWRbUpyBz1MbRD8JOapncVqejtdXXH0V7XapoJAgKeQAF3nx6S +KIcDb5pHHPsw1L+O7jZzsyFBNqumzd32ah10c4LtbPpRPK1pil35UDw7HVXTVk0jOZxMhxOrprWa +5mrZ3HUrp6NyOieHk2ZcpsMJjg463KeJgu/zxqUdDv19J6fjoQDpUICYnUzVtHKzWbUM7jqVw1E3 +nJTDCUFA1q2Lve/sdFYtE6mqzHltJytRoDBBQNgsOzecEwTk3HDQzYbutvvr4qwDdzhth5NyNnXX +7SA4b5y5OZFCZRLh+94saW97s0zldNROR+Y4tdNBMw7cbbPX/aRZOk+PGP6nCVLV+/vyD1y3zfa4 +/eNobqM9z80y+/t+87TBkOxwQBAUrNYxoSdoFFnyC7NjUFrqpHiHoNx17MalnQ4OfiY1LaGovGVp +h2N2OGjGocNP1Tqs1ulJUeY0mMs8pvg5R58URScpOkl+BGuw409T9L78ONJaB++4WMtiLnO3zO24 +X0VPdp3NOLCnfdCSpL5PKbuLIS6CcfixXxdiV3wUY4/jxU/Enk343EXP9fepGUf2uP80465TMw7c +ZTkJ5mJYf6CraSpnw3Y68cbFHCd7ndxx9ufd32eD3n+aeinOYSd/XW+Wu/jhHkd73vx9+Rju5Sh/ +XQiCQuVw2ixjswzdbF7Oi7tPzbRMBx3Izcb+PHjLdtBbwS0rhkUo6iHJ/OvkrYNyUKQdkJTb6h/X +f13+fbdY2qN5drLvBIimw4k0004OJ+WA2J1ngoCUICCfDifEDcgHgsLMsn9lPWfqatoNgiJV3cMy +3jpX49BM23Q4EW4267atWQZznKtxrca9XdduXNnJPhAQM+P8qepu3fyBoBP1xdHuPJTT8XQ48elw +Iu1w2CxLOx2562aOg7OM5WzobZO1rO48NeOQ7DkKjuNugznNzbJysxk3mxEEhap18BH0y5HVslbL 
+/rMMrSmpdU1uq4egvGlzx92g12qdtLMJrSxPovpoekz0BsN7JGPPu0FQD0XZ42BOIhYt1Ahe76Ro +e16rZSGHY3Y4ewj6Yjhv2l+S+yjC3VZyQMTNCXID8nIbql1jTmu5jkk/04Q8LthVrakffnOnvd2W +m2cMimeHg3+d3XH0ltXddoMeiV1N7Wp/XdlBEXJTkfvWxZHuulbLbhHMSzL+QDkMyU6n7bSSev7l +yIvhPoaz18HdpmqcNOOIIChMDsgdencIphxOvGl018VdB2/byumUm42ZcWKOy0HQ9jpY67BZJ+1w +1Izznyb9eWln427ZLYq3SMLclmact9vsL3y1rdW0+gNlrjs7mogCZAQBOTsdmONgjlszzi6GLzgO +nWYOfrDWcTsgccahu00HPXnTdNBTqSn+ee/GuZzXbpzb0VpOFp44UYKAoBxOeOJEd+LEu3EgsSyh +aKg8P6JZd9+IAsXseaZV/cUQ5WzKzSbNMjTLWG1rte7saCAISGh9d3OlQXHNspDDGbOOynEsp81i +WGoav7IpeY9zW5xtaG6rPy8HQQ9JulkWokCBZpr9hW4nq7ftD8XSmY5QFeY42dveLUs7G8952mDI +blr9gXoI6iHYhyDeceYGhdnZeFS0T9H5616wq5LbsTkWoWaabcQOCpbL/BN9ue8eydec++WZj2XM +cWxno3I2tfj5eFnZocXlL0s99EhmCSpJD0mmWHVEinPGiTltZO/dbWO1Tg12/1mi2jYPwxv03i2L +Py0GSYxFCdZ/nikdUauph6DsbarWSbXO+3W4GMZa9otfC15Z8Fta1b8URWsZatH9JGMRLLXO6WVT +bDtCU54kXW2DvQ7+PDr88PCLOw6UniJ4rYvhqnHMDkiqdfLxC50l6CxdToO7DTa/pzR1te3cgLRZ +59U0uePqz1M5nLWzycEP/z48BN9NgzUt5WzaLIs5rt02VtPWTqf+OhI5frWNBEFhbjasppUgIHs4 +/uKYf6G8cWtHA1GgCFGcsD8w1ca6KJJU9UXTfxj64LeDoEcUSxQn1M5GB78368wcR3tevHHqhuMN +YADgiRMoh2NyOtkAdNB00EHtdPpPxDvPI5J457Udztrp3OD3l+XcdauW0V5nfx7oNA== + + + USWabjogChBxw+nNFP7Ct/NYr/unaU6SvEm6XEZyQMjOBidHUqqCTnMkhlXmmbWm9abRWwZnnFfL +WE0zOZzwBIpY0/Qw1MOx7jqY01qtE3NZzGXspoEbkLbr7lBcO5xYy/gw7MXQQ4o4+Nnh93Zb/XUj +cwyD3b8cZU6jP67kpqd3hTtu7Gxwkwylq5ttaKdDf50ffqnTFKmnfor7Sd7hF0JNE4r2IEhzmt1p +urfl3baD306SaIeDi2FpTT0mmYfgu2W4+LHg9jdJU9zuZolaVZV8HqHhvxzrjwOdYsoNw+i03HHw +pqlYVGR+a4/zy3Blt2GcQiE0bIfgymnut5Xk+6dM2awTc5sIPVtue2rbH0XbLWs5TcSqI/h9g97n +HGFyS+PvKnTcWtFe/FZtc5ehyK7/aLpmnX0MX3E8Ms/b62BOOzkbd9s8ZSlrm9vJVA4H5rZSmvri +SHfdmmVpp+NqWsxxtdeBJ3QQQU6knc4IAjKCoECZc1BIytrWZhrK4bDbNnte7YH2N66aFlrXVm3L +GxdnGZxlMreRICfWrDN7Hdvh4B/YZtrJ2ZQbEBEExcnhpJ0OCIKiM4ABcCdOrJkmb52aaaj2dcHx +CDV/UuxHURfDNcvODofuuhwE+xAkleercWq2wV1If6HJydyNc7mvhyRv0PuUYz+CtMfNHmd/Xatp +MfiR0HRUkvzH8V9HMsnPGN7e1mYdc7M5OR2Uwzk7HXbj4o77T5IXPxzk6o8rO5wOBMTMMnXjQhCQ 
+2es8I/mPYmpFQ2VJfx3scTXohdByH8M7/O7P+5Ti611RK2qHn/t1eCnaYlhyOK/X8eTYg+CHFHl0 +zE/xw556KbbbtmbZmnXiTvPH8ISaKNTsQVDtdMjN5hbDvhzbLbs/7jOGMdlV8fFD5ymLHvtt+giC +zvEnwxz0/DI8ud8Vfc1CuzoZ7qUoQssQSrIZxz/FElte0W0Uq4bW1aOmMciJVjYPxzXruFtHBz38 +4+6vu0MQ9jgZ7HJS9JwmT4otvt0i5Lvg9ogMPaHHj58NdvtJilzWFsUZ/EaqqnrfXQxlLqO9Lva8 +2OvwUVQ7mZtpM8fd3ycqzdz73ixTOxy101mzTrkBWTUO7XFyx5kbTjeAAZAgKEipy3a0d9tM6XqD +4Nxx8ralnI3J4YAgIHAoxmBIbkB6EQSVZNxx52ZzbjbmZmNuQEIq63qg2enIn/dyW5plZ6dzdjbr +lsWeR3vguel0KFDg4VhaV78cbY+jO07mulbTZjCsv4/mOHjTXjaOh+O7dW8Hpp2MBNmsmnaD4Ox1 +JTZ12e9TauIeZ3MbzW3tpqXb1nJcmnH+UlyhZZNp5l53d1s/ivgH0h44bjZmlqHaBn9f/XWkFWXR +76hVW44rOx2SwxE5nJHD2ctyzTow14kZ9Sj3XWJX0JrSYFeLoMppdAj242h/HSk1USract08DFct +AzmbMOP8KzuD4KplMU/v2vOTPiex550cRc7m24CInE3baXO31Zx2cxu9aa6WxZ9Xh5/rbWjGGann +E3oOkWCLRUUmGUrLD1q2XIflOnG31Z8ne9sHFUfuV0akw4g8rznmyfDdOjTY/WjJlyBLZkHpCVJT +3iRZLnM5TfY6mNtmj4M1TsxxQOu5qmlPevYnCVJRj1n6aEnC16963slwxKaiFUXBbUhFb/HDyfD1 +uvjzaBDERdA/R5bMnui7SF1vUbRHUc00ldNps87K2cSbloehLor6OLqblnY45AYF7HG9CLYdTqtp +dxjiH1hyOONmk2Zaq3Elh/NuGg56ILMMjWO7cR/IJhuADiSHk2phj4mGGxB2y+BNo72O9rq00xFB +QEjOxtWyVstEL/y7bx2CMqe5mqZmWatpqaalWcZuW6+iIjouUlNdHGkPZDfuQ4Fi3Gxgr2PVdz6S +q3kmse5/qp5Tnb2v3bJyg8L+PJ8c2Y3zr+hKnk+rW38gudmUnM64AZG5jQfBOvxyMgSlJy+C8Zap +nY3a6cggWGbZBwICojhBozL1IAPTuu2Y2+aO08MwD8Ha6/IQPDkgNvktccMFS67nr6O/jtU6txjG +IEiLIdxx9xiu6rk3x1frqJxNu2l6SbpwmxZHEAREHj8JGFEEyl/azbFHRx4lZfGLQe9PzRK7kpwN +DHKvWh6hKv11OiniIshumQx2KtbVPW90gi69DYNbE/lVnWardWSP48fxL0+Us4lhnSpQRBAyqBRp +PXsS3EnQY4okvO6nput1Ri9qg9/8baUWZfnssDlGrexflnkYwpvWumMiXMiQeEA3Keqk6JtkT44e +0xyt616WL7j9gEE5xfAtfnopzl9Xi+AcgnQYopzNr54yJ1EIbfMjSX9fLYJ4SeJhKGvbyuGcG5AQ +u/KmaYfgy20oh9Nq2qtl/SiWVtRDiie39c3S1TISBMT1wLk835AMOZ0ULZPsOS+C9qadHI4IAkJu +QFAtq0Gy5GSsp9kwERmpqatlbdZZO520k6WdjrnZqFnnb927PNUs88fx/r6Z43owdLeN5GxIDgh/ +lisg0B2CbdZZs067aS+32SAYStOcLGUQRL0xT5rw1rkdbe107DC0QU8PwbnbVq7D0m/SG9MfCHfd +2enAnvdynMrhlBuQU+vQoneLn+gsWau6g1+bdU4OR9yAgChQhChOeFDTBL/3KO7juFLXXxRnTUs3 
+ICgHBOWA0CDHsuUX/PByBKnnHX40CKraVnY4HwiKWgxzk4Q9brSqL3kGnaYoRfmSDEFAOhAULri1 +CHmZ3DgFqzZCUjBcKdCK7qbYl2L9fRwIit09XbhU/WjaodeSYRb87mLIiyLufS2Hw4uezAjEiyIJ +LV9uC0LNXQzvz4M3TdycgPl2ECxUvOw8pa9nQH1sfkvrGULLGuRw0hvRZ5Ga/qa4guTxAVuV0DOo +LO+vk7ut1TonefUBc1Lif1CwG4LXoVXty3InSTwU2W1DuQ4PMiqpFzaxaczHH6knDXar1lGzjrlB +8WnRFCpTb6I5KYJSNB/FOgRt74szTeVw0g6n9MKyKKZaRoPf/Hm6OPLiuIsiiwikjyT9ebPX1Z93 +h+FNnjJ5jhrXbTYjIRDK51N7ncxl7tZptQzeNjTrnFkGgqDIybCJGzRUcAxvm5tla6czbjYhChTl +ZqNmmQx+6badWecvy9rz1g7nzbI146xblmodt9v0s5TBzv46mdv0UcTB7/a8HQxZTZu/kC9NksNx +t63eOLvzQijKj2LdcTG3xaG3wnOcNF2uw0kyzTJ229QsG1GgSDsc+ONq8ZNBDmSWqDS1vQ7dgKxZ +B+64d9vSzubtNrfb3I77z/MXR7jDeTsdWdNsz7O9Dg+/WgRNLpNDLx9D+/PcbTs7GcnZjJzNPY4q +x5kZx8SyJXbuKUldBGevUzXN9brcFGN4nY8hyjVtsEgsTKS+FGdwg7vM5Tppl5nsFuXjx94XWs8V +fheZ6fv7Zm6DtaztcGiPK72t3HGoVh2x6/8s5W5rNU68ZTS4reY1xc9B6qniuVNyO3SSN8jxo7d6 +U5WdlgHxH9TsyzBFqI/x8DwJ4iDnj9+JRUEoKWLNEg9ugl1YLYfgtV6Sb8e5nBZ3G+xxcdjF9Lon +RxbMyvj6PoKxp7lbBndbDXo8SpJi1/W60Gqe2rUGvXbLZK+rPy/uNrjTePSUxXDlNN4k4a6Lu07u +OHfTRLCscp8siqgXDqEpzHXfhtNtNh9nk3Jbn6Z1GLJaR8SqeznOX6d2OiCKE+QGJO1wPKTYimPe +LHNRdLPMBAEpNxtW23RxhDmO3TSRs+FQnIA3LeVwyg3IDYK6GIJQ8z9NdstIDoj8cSHxSzrRl+Na +LWszzsxtctf1pVmH4oYChctxfDjOG6duQF6tA2uZLoKl9+XT9exkr9fNIKhq2apl7ra1WvY5S58c +7/CLv44nx/r7VC1LOSBt1pk9bu44tsNBOZtWy+avqz+P1bJzAxJvm+51fhjyIChz25p1YI+jQe/l +trPDyUUxF8nZ+9JO5+x0PBAUJAeE9jheJO3P60nxP80U/JJWVZSifimmGUgNbi2ZRb2t7Gl+KX7O +caSWI/W7wtsmVkUzTk6Cq9flR5HVOp5y5EMQB7+Xy1itA3dazJZL8Jv2uDvsQihJErMrtLtiwyxX +lcGNN0O/HGuw+6SjSN3CMP0yPY5a0VsE7bAryWmRm9ZLcAWvKfi84sOzXLU3w90M6bDbTVEvw5XL +YE8rtWpJbpvctegk9xF8uc5OfqpXnUGOJbsnel1yWVDL7uhZl6Laab9Kql6W9jg79E5vq3JfFNt6 +ylH+OrbbXo+zRZDNtFbT6M/TRzHcdDo6nAg5m9jr1qzToTgRiyEIdlPwy4fjyeF8J3Q4OyA5SlRK ++N8Gv/nz4E17NW3tdNaMc3I266bR4NdmnbbT0b8P77yVwxlBUIwgKEjO5t22j2m+23ZyOPXn3V/X +i+ENfuymmZ1N/Xkst1217dttPCmCzrIfR/r7WE07O50OxYm380gqm38g/nk8CO7fx4Pg7XVnh/OB +oJhB8IOyuEh+TJOEovwo0txWc5pnFEer+jnPeNvarCNzW+xxa9ahve5jkrnX/R9Yc5sIcoLcgJic 
+jbkBOTkbV8t+kSyd52tVR1w2VJLvto2bzbtt9Qe22fZmmx1+oNQssSkeguVmU4ffq65HqUp3nJtx +2mxjfx4+grj43eM3g50ddip7DpPjEFp+TBGEij869uYISs2Su74e15skSQx7RLDuttnjbtDzT7LE +pvsIxlw2OsVUSqLSMeRVT2h45a526PnlqI9gDXaq2DWl5+tdRWa3xI5bcStKSdNa+uRHotM1XKiS +nPacYSgVUbBaclVV7ILUkz9J19NQcRuj6ZKa+iJ4d1kvfqKTXLUqC7/3o2iC2yGzXH/evqYhGe7X +c0fH0Wq2YPcGv9ctv4hCo9XNxZH2Ov8cUe+KatXSqn7Os/Y8nyxzUdx00CHkcGgR7M1x1Tgtt5FW +FXSatNeZIJtxA1JyNu7WIaWrHo43+IFQcwfDmeNaTVM7HXfbXm5jtQzlbFgOB/c+N8vYTiflcErO +xtxs2k4H/75X29Ysw8EvD7/V63rKkv66nRRFKKpyWxGK0l/3MUlSeuKgJ3cbP4p7KMbbNnOcvG2y +pu1hCG8b3XG31+WgJ3dcmnFebqM/sNU2fxR/cry9Lt40u9tQqoqC66i19ZQl6Dw9JTl/3tnhpBnH +3TI46/Qcl3dd/Xl+KdbexmaclANSf54vknXXicxxpZ4ic9zD0P6+eNvSLDM5nHvzTCkaArugcpS5 +Tc04vTnGbttjomuHM3fb/XUlFB2lKP1xLpfJH5ePoF+O8JbtZagS6mM2XJLPM1gnE7zuS3H+OhKr +hs6yH0HQSbJg1yW/pDUVqeh/ln4pkkzRA3IqvR0jVWLZcZKb/pymHnr31+kjaHJZXgxZ7grj5y89 +boLToZP0SXAPOROdZoEijdoUVa8xQlAzYikYqhLNxwMyyzr04o9TCXn+M6VBL5SWJg== + + + NUwSuyr0jFLPJvhdf17JZU2v+2od1eyufDyvuz7FrWhFRerJm2PMaTSjYvlq60FRmAzDKH1UePgW +q4ZQsydFXgz9kky17B7DX0X/k+zJUM02dRju49hmmcnZuNqmjyIINT8m+Zej7HG4CLriV4Sif1n6 +4zh33LtpaoeTdjhqh5NuNmqWjRsQNsvcTGOz7NW0muNiTWuzrNU0V9NkbgOdp0+SNeh9TPInx9BZ +fsqy/jp/FD2k+HLZ7HGnND2l6Q5+K4eTgoC4nU7teeNmg2aduNt6crS/r82yNuu4mgZvW7xpbYdj +f179fWyHk3/eSV1DJypCU9PK+iQpex7LbaiWkRwQNePonvcZRxJ6ks7SM4K86PWhx4egDoZqxim5 +awu/v1yWdJo5+MWapmqZqmWxtsHcJjLJDyn+ZumTI6pNS2tqg2GrZboI5qCngx8vhroIhtRT5aoi +tLTBbtU2J6F9iRozRPC6JbcyHz4lr1OtGkLND2rmJKiSXxdQiOS+Ve6KatWU25rYNWSS+cfl30bj +lYqxar3il6SWWS6LUlFY7L7kt7SmtdeJUBO1pqS0hM0uqlVRbeqKWZfMltxUP0UXJCwE6LihImVK +8fMYHX/KEYSaH7Rs0fHsebspnvA3zacPeduUeppQ8zfJGvRCrCpq29rjYEB9Ct+jYNhPy94UPycp +Us0SHoftfZ6uqTh+2XMYPoe564cMeRLcR/A3SV0U0S1bMSqFzpPtgKwZyLp1dJKEPS8EQUFyNjgY ++uM4Ok0Uq6bY1FOK/Rj+5Qhvm/199weqHQ7KAbFBcCdJeNtMEBQhCIqSw7nBENa4WNt6UKw5juVw +Vg7n5GxKzmb2upGa7iQJd91pVT8lWUpPl8t+TPIWv5broNnGBr/663YR/JSk7XnztrlZhnI2HooT +Zmejap3Z4+zPi7cN1rJYy1bOps0676bNXrdqWtrpyBxHc5wOhiDzDJ2nhyTfbkuzzOx0Uk1zN03u 
+Nhz0PGOYWtGQ2CWJ3RA27T3O7XDQDsjIZVWu24Nf3nGx1vnHURe/O/zWTQs5ID0Z+qOIf57ddbjH +4R63j+F/mroYwltmf50oTVNti2JVUCmGyHAfv7fruDx0AnL8gNW2q4ZpRL0KkZ8C1JPY8ucsZZCL +MY14oJyU4DjLTV0v23pbDxniHmd7G/5tLPn1oOo+iq13DXlZk9g9kV3XmoJG8f68XRTnjhuxqMvH +X+F1k5tuvWuJPe8SzM/QR4qUCPxQBEm+q2SXNcOjND2t6gg98/Bbtc1uiiU93oLfvxRF6WlSU5OK +glLzDj8a9HYRbGESpeD4HkXQmr7qWUSGVSz6OclaFNvv+1UV1bI9KXpGEFSGMJhFrakoPfWSZMMP +5XDkTgOZ4eplVfyfJ8tysxE3IGino2aZuQGpva4lwyb3HNKmoFKcO+7dNHnL3IxzdjYoeW7VNsg8 +8a4DkeOnHFFqunseiQLFmmVvpp0gIHko8uJIe98dhvXXzd3Wchscgv95wpvGi18qNT1kSH8b/XH6 +GIJOMxdBkorq4Edz28xp8qbV3lZSURz0WC0bQU7QXRdv25t12A5H3jafJHEQTDsdNtPgjYM37txw +ZK7Tw/Bjkrwo2iJYg19fjn9JvhnHzTgxl71ilsS2cfEzqWYMTrfSs0SKIRLkR88GuVz8fHLEwU8H +wZjbWq3zcprsbX054uHnl2SJXV2w26LjKv7e9brulqGdjV6OJheGu03+th8lXZxCPkReL78+gtEU +DZtgNYbTJXn9o2OI/abo80t2SyxqelcRq3pQ02OW/BiK0BK1pi+XPaGn7nEyp8FfR4Me/XFyt/Ej ++JMiqCRX7MqHoctlK9dJ0e8Jz3vKEYSWKXh10W4KXkWrubLfVl63blnGFILdN9x1ugiKUPM3RVFa +flJS1Ka5CLLoGPW+PEnCnPZy2V+GqlYVoShfjjTYfVbUxctlauF9DPPx20vQN0ka/GKvYzcN7rR+ +DHnx+5CgP36ruB3RbRK8cid0aOHxilIoNssiFP2UpIccR2m6i6LLcSVng4shPo66CJZK0Be/nRQ9 +5FhrnTfbqFrmUdf+PEsrWzJN3PNyrwONoYgkazBcty0EQSGiQGF7H911rZbpY7iL4m+WvlniYohm +nZGD4kfJFh2Hve2oFEkl2YcgP4Y3+H1M0/Y6mOuSwPBKRVsq+nLZvxRnjzs7HJTDMUFAVE4n5XDS +Dmekqif3pTsv5ra1k6WcDptpc+fZIUiDnx2CdPjFn4eH4Nxt6gaFq3XoboPFbUlNVy770xGlhk3l +OBrBX/TqL5M9bR9BfhRbLSs3IDDH5WL4kyKsZe6WsVonF0PSqvajKDJHVUqOTrEVsyZ77ZrhXBTr +sDv59xUpFIuHf2ESqeT0iS1bNcuqXRX9+qqJo6EK1khHiGoHy1Riz70Z3uPnq2dOjq/H6aQoKst/ +FElm6Qk/UDnypDiDXstpaMahQS8fw3wEP+bIg99pNU3umKSWfxTNSdFlzzFerRB7TrmqSTVHq/mz +JuuGU/7dBMMzGJ5cFmXHYzJsSkt/9HwS/M1RFcO3KLLbZpdkb5Ytuw3T656yXDeO/G0qGr5BQtKX +516WJ9hVzW8efnK3vVv2dpr9eTkIwtsmd5upRWFEfIsSiAW32wkdZKiMMIDHjhJ9L6kpSl2r3PZJ +TethmHY6aKcjf17LdToZrtrTQ4L159kdJ2cc3Otmr2u5bdUyPAxrrzs5m30kR+gpMk0bFEtOJwRB +YXI2dde9mlZuQHARVLHtynVJaXp/XwhyguSgyMkwNscnFfWI4C+CH3L8mKUuhjb4wZvGYtmWuoJE +cESKqfQMleIufu+mlRuQtMNpNe3ccFAOpyTXUXR/D8Xa6+Bto71v5rx322Kvq8VQL0v581Qtg7uN 
+/jra4/Dwsz/OpJohc5w/zoOOnzL0xc8fwZ78QCkJSs3fJPHwU7MO2uHMnleDH+1xaWfzctoMerkY +3uEnex0/gqi1TK0mzWefYQrFZFf2Nv4EZ8RWP05QRilqWk1Va7r4tguTR4WnUzA7jx+ejjVOYipK +ohhfd8Xuf447CX7U0zfLGfRij2uzDsxpu/jx4kdKTb8cbdCbv07+uhn0aNCrQ08XvxJavui1i5+H +wW4+hnkpupRAPri09OWYkx5JJWExO3LHLH/uomG9HN+u480SlKKhs0ypJSotXa4aIsM/irLcxnLb +KJb580y1KopN9TGUP+4ev9CKtmgaD8UUHLvmGYSiMrfZ3vYxRZNqfsgR/8B242KPO8Es7JZT7cqP +Yft5rz5/MZlKLYti1dJ5hshRZJY5CK6dzrtpctedWecOP1Bqzl4Xc5segv44fsjx9job9GSPW7ds +3ICcnQ4dii7HzZ7Xm+demrYosprGZh2UA4JyQGQu08GPJ0VU65bWtQY9+/P0EMzFz90y++v+ksTB +D3SaoxTlRZEXwxz85m6Dt47oJEkneVpPU3rm4HeD3/19tdehnM27aaI0zUcRH8GUvh+trB2C8LbV +XgdCTVTLklYV9rr4605vu5LhOvziToO5zAa5kCme3HXLvn9K8T9L0Zr+aElSzw9K5qJ3g539cR5y +1EWR5TSPevYpapejLIbspsHdhougBy1D6lmLnWgtYXIL48lP9lrFt2NE/Mhd22GHj96PiiT2uyK0 +u/Q2iU77qwmHXM+itynupliH3qhFWXNrkt+o19VFMe44Ovx6U8RDr9U4PyqG4DNpRUmq+Zvj7HV5 +CIJOUtWi/yie2BMlt0NmmfW2PCmOYhdVz/LH7WZIak3Wq8Lm9kW/pXflUdP1PlPT0E2zQ8/1riW1 +RLVoyk1Z9Mu6adLb+qpai6Fvlr056qVIh14ddjoZitjU1K6rGPbPcvY8fhxDZ4lqUxNa/iLoKckf +RT8q6klPewzp0OtNEgCrlAHUdn/rpC+TQ8ZE4ntN1uRN8jRJt0ghaVKna7KmbdKFxG2ZZhkALIUk +pUZUzLjYocI0DyCVQtJkyw7ghoocOGRG/LqGS8b13d5JHK8xImvbtved7/F912U9r/W8v225z/E+ +72k+72tdvnsa5/We5mOaj0k75/d9ADL8TtN4zdv3jlqXeZcKaes7Ldc5meM4L9s9zfPkrtN1z8e4 +9Xvfax7vaV4fgEmt47Ze1z0f73I/w/Nk39N0LROLoec3bfM8yFymBzBKIen8zm/ezm9+r2vbvm2Z +JmsS53l87/Nbt3nc5nOZJnPavnd7z2+ZZAAunOfxmidz++bjAbxInORBviBrkkXWAxilkDVe17qO +4zZe43R+4/p+8/iu9/lO6nx+9/QARmYMwHXjLp7ma5snc74mc8iEkDQzTjD8apT2AzAZwIoBlO47 +v+1a1+3d7l07vuM5z/e2vN/93dd9neu2Xtu6ze+7bt+ybuP2buM2Xde3667pu85xGfRd3zuNyz2f +07qMyz2P871ey31P9/ad2zLsuu9pW5f7vufpnq/7Xedz/t77Hadreb9xfqd5frfvHd9p3pb5Pqd3 +PJfz/rbpXZdzOrd1uc9zeud5msdl2rbx3KbtUt7ffH7jNr3vec3L/V33Ju4AVgygVO87X/eluqZl +u75vmb9rfOdzmedxmcfr++ZNZG3jeZ7reV7neq73vZ6X7Pzmcz7n8/zu+9ym5Vqn9Zqv9Zqv5VrP +dVrXe1u2a52Xa92+95uXbZ3P8XqXbV3Pa/nWb13v+Vy+9T3He3zf7VzOdTvX91y3+1zXdX3Xc13X +dVu3ed3GY9nmdVvXZbvndZnXXbzO63yPy/Wt17Td2z0v0/td23JN73Xf6zx98zXf67pO6329y/S+ 
+03d/83Jt2/Uu2/Z+77aM7zjd5zvd57su070u53uf67K+3/W+7/uu7/aO8zXN23V/13Xd36X+5vX8 +7m9el28al28a5217x3l7r++et3Fd1nn81mUd53me3vFe72+97++9v+2er3Gdj+Wd7mt713kb53G+ +7/F452/e3uldtnmb72le3vsdp/scl/vdxuN95/l9t/kdl/e9lncej3le32085vd633Fcvve83+19 +r2nZ3vG9lut6r+36xvd6t2293+k91/Wd5/GY12mblnPdzmVc73s+l29dx/ldvm08xmMdl2k932k9 +53Oez/le3vn85nUej/Wc5/N8z/Mdl/marne+znO+z3G6x3H93nEcx3Vc3nF7x3tex3eZz/GSjvM8 +jeO7jdM4v+v3beO0Lts7ffM2buMxX8s2zss1nuN0f+e1TOMyf/O8rvc3j9N4v8s6ft+9LfO3be88 +z9t3fcv7rt/3LvN5z8u8fdt3ffP1Xcv1zee5TN+8LdN5Xtu4zdO63NM339s9r+e13Nu8vfO7zdt7 +r/O9bfeyfve23fO7rOO0ves7r9u2rfP8vde4vNu1ndu2rdc1Xcu4Xdv7bfO2zcu2XeLl2tZzvr51 +Ouf7XN9veb/tW69tO891Ga91Xr7vvZZtXtZtHNdtm67rfqdrnq/5Oq/xe+dxfad1Ww== + + + pm265nu573se3/m93vc+52Wdpndb3vmelnk65+lb5vnelvsZHud7mu9zmqflnu/3nqZl+t7pnt5p +HadrHo/l277rnr/5G7/lnq9tPK7lu6ZrXe7tnsbl3q7tmrdrHI/r+u5lHq/72uZ3PtfxWKbrPq9r +na/pPs91usfxmu71Wq93Wqb5HY97vq77mubtXqZxua95Xu5rm6ftXu5rvbbxeMdvet9vO5dpm7bx +/MZjvt95G4/72uZzue5rHad7me5t2755+Zbv27bpXsbl+rZv3Lbz27bxWsdtObf1PddvPMbl267z +3K7l3M7tO7dtWbf1WtZ5e697O9/lus/l3bbx2sZ5m+b1Prd3/Mbr3M57mbd7m9b7n7lmOU+0qil+ +r4LlFSyT2Ba0rqqmxeDHu3CNriL3pUmVTHq+Nc8iVc3JEYkbMyhAgCJKQL8IhkV07YlpkVzfZalu +Wbpp7Pf1aqt64LlxqKb16cqj6hyOtDiSnGztPNWdf9ZW1bY+VV/7roKVCtFzkuvuZ1lqWfx9IJWd +QTD+vLwkc9PMyRLNMo+zYcMQN1HYCzsdTpRZ5n7ebpaqmWYBgVhEoJHbyuBHA3PtQCMjwus0KREP +LCI6TFivXfa4qIwSkSFgvCDVtMoo1EISoXz+kyyf2mZm2gcCYnY6qradmWaPZU6aJPcFmadPkvs4 +5qUpk+OJydRjxQpSnten+a/pDZUSHlzQiHj0k5AfkmGWJy+CBw0eLGZmQlhBzGixQ4uZkI8vk2PK +cXAYtp7nWdU6DOuvw0EO/7h9FFEt24ph1OvuZip3HElu4ygJmRFzvehZBbsnt83N8m/VEczaIwjD +aZLff+k4DUqEI4RFgwLFeBpXyRszKkz4wGOFiQhJp3E1zVNWDke442CPo0Vw5LZvx82haGbayOGs +3LaXZm+aI5clyXFphpvgQYMDSwxRASJ4YOIGjB0rJDJKWLEfv1lSJNS3mEap2JUZeVSgQLB7djtO +JhUyyW+qaSAIyAcCMo+irpq/m6aAPKd15cFP3jKSg6JDcQIOR5W+m2h6zbIQvF6iRYwBaGRS6HlU +lrXniZwNfp4sJ9VJttdOx+SuJ6GPymhUwvM0WKkaKhRMhk38XQkffICRTnmqruza5KOL9Leqln01 +vU107Gi+C4uAPrd5+mtrl6cMinyqflq3R1W462isqLQoMSnBcWuOVbQc0uMqpM/qrkdsy5tnLY4h 
+Pk+CYdw0ZxBst003T5Hr/qmKdrSSk7GkViilE2hlP2n6QdOPqspheJNjChfLhYlJv6ohO95iZVKR +Irl0uk/LT2rmpfiC3Q8VMjROTET2vUdVdetQbQs3HHLDabUt/kB8LM1ONm426IZjdx6KXUd03HXb +rhxX5fpJ13HAyNAwSWkRa+FQIXEpfVhMoBQ+60jBIoQasKAFH+DATAzGyusUPotily9J+vNYbls3 +bQ7Dtutcz4s/jwY91NvCYtj1ujtJphvHr+sKCmWi61DLruq6BLutWRaxbCyGaqf9KnrEChoeWMBo +7f6oTUdwOEXqMwM7xcBOQMiQmQl5xX5eBQrJqvfopnqHpC6Ssee53dZyG8nZ0KJIg2I+kp80Nbnw +X5Y5+M1fF9LnBZDhYgbJCEunSXo6puTLEEnBoEArp3+mdToBeVz3HILPJ3cFoWfsff+KxmG4clzK +caznmdvmht/Jnkd4Hf/AmtPmLpPDLgY9OQxjMGw57i5NF36r+PsJfuue92YZq2Wu1+2mqZpnH03R +DcjJXlugCB4ocAQQLFqpmE8Pg12741A+niP04AY7VrRACYEKMIOFDzAhNCoQLKftMazFsfU8Uz2/ +uFY5qoJguCZN1/t2NM3N8x7J2POAgMFiBQnJbpozJtESNV7weDHZoTIyYxKF1rXlOtfzXpyQuHje +o64pOV7N8aum+5KUvW4EAXE9T2bVinl+GfxOr0uS5y2gTyu3T/Fr8vFRNc3KawPs0IMmBoP1uguX +Sa5KctefVfP0POH3J35X9lx647fzbLKkxfE30RCK9qWJj+W44eDnmY+jCEVPcPsFuyK4nbLnuRxD +c/wDjBgurNbHTV3ASjvMtCjBgwYRNVwYgaMFDzFoZMi0zJTARHKco+WnVV+yHKNnUJrKH5huGtnp +sF4Hf5+6aayW5Z83OkuRmoLa1lTfpjtnwxBH01fv2dHUJ0mPac4iSJOiC7d3kJGZAUNjwnkR3K58 +cB9kSCpQxA4JBKHjRosIiYY/8JpDJqa1fzwn6ynRUbraYMhu2tnhfCAo0k1Tt23luNbrZg/UQXAP +wT89YfpdgyTEtes2Spb8uosViQcVkRYpkQsWCeXTi2A3VceoWdbHUR/Ht/twUkzdtcnHE+NzP0U/ +FCBkppWcTq+9Pzmbkv2+QdJiwRLBcDknxVTTQBCQGC0uMyEkb+edIChyrxPBaxqUKObvY0C+iH63 +HTd/XotT6AXkv+46N8f9FE0u2rrjGCewFiUioRhG0TINlJHWHbNqmMTPY3uN4uFPbruXI7+mLgj+ +rtt2HsnhuBv3cl4tjqXXpVEScqrpmhx7yLjcKBk50e6ukvgp4uU4h+GnbWOffy5NPkVN/D01x3L4 +kZ0N2dnAX8eaYxYss5nmbp0WIayT32Ny3d0sb5KUQ1AGPRVRP4SMFyo8j+23EjNS0HCpYkC/Sc/b +JNltUIAZR1dPH01VrvsiCpFYdydL2fPgjpvBz/U60yyzbPs3TVFZuvT4C1YJhvSP6DMM1wkF5Pm8 +rIsr9YOLFjGpFI1r1UMmZUZLCMoKhPLkKX/PVTZPUxifv5RGKznGQxDmNnsM61G0yXEWRVTLSPB7 +cuG+LHExLLVsCY7vsnTBb09Rn33lUORJcsXjCdHzEy2X5rl/Wx1u83d1ffoT0K+i4RQQP4OE9YIC +sZhAMf5GzbMLhjuqftI1D0caDNlNY7Vs1TRxsxE5HG+zGbPMFkcS27LmmVXTKDk+yfJ9mqD4jUmp +fnU1waqKUp9ixKN48JEeb+G1bpq7aY5g+QXFCRzh44cWMDF8Rr3sj5pw56kbZ59nynlohxNSyy4e +ffWuvDnSXyd/ndnh/C3LguG34ZwdTg0WasbqlJLbIpP0kGHsbWVnQ5rbBvTA4z/VEwRFKmZ7rMCM 
+WKHSxA4XD+ChxovIh0EvDkGSEEhPUVPszqhGNVBeKlSknRzRDifVsrwk/9ZtPa/lNJE5VmEazZxK +L6QQCZ/jpOhh2SV2+DHC864bJmKGiiaE6IGjxUQGJXoZfVSz/ILeh1VN/p5P1XXT8DFcwS1KfsPo +uCfHttM5+XMPQOAAKn2fQ1BVwz6wgPEh45LiVOoxEvKCtcpFUTW3PrRQgVmhTjMNWtWRy770m6TP +R/a7FkN8FEcsO3ueu3Uvx31Q06THUzz6aEXTjFNuUJRSdIgULz5SSFSYQrD6Da0mn5qne8bAAhLA +xI8hWjRdw+T1gSaQaMIHHQvw4UYRMWZcVCj7VHm2ZSES8uKEBEXHLfpF6XWTvAahZT2Gcfi13Tbi +7yL3fb0utJ5GyKz4EHHZSJVWcttPURgM+XR14XhOkj1aetr0E7uwP49x8vJhRYuPmBVSHMf43cVI +LPb5XTwO2+vU/P6pGX+cumkkZ1OLoAjPy2BIbkDGDciZdWhQrENRBkM7HOcPlD+QFkX+PD/qeXrX +kNxOzXUtiij6bbEKofC2DEhvgQKhZrj1OH9VU0omj+rStEq/it4i+KNoSE3vELxBkPY+7wSImmmm +Ne1H8O1s/tSM2THLj69ktg5DTQcU2QkQuzRnVin9NFEOx90yfRTjjpM/D6bXKx6d9joSiwbhUpLy +663ZZcnsSP2+iPwVkwiGigmNlhT8LD1rGsLf/4rmpdifpR1+q7d9+fC6SZKczdtxsFmG0TQpVUHo +OYfebo4f9UTNcA1yK1agDhTAhxJEwABL9JiR4hQKqWN9DNdO41HzNMezKPqnSWJXD3rG3rZmHBr0 +dHNEAe0lpI88gqAW/QFDkgElfkhADxs0Qlgmed2nqAx6rx0fAQYewEMNGikcfzGFcpS4eIAxeRn9 +KvlVN00vSxDL1qHYbhqMlkt0u0S/U3qcNcdq1mG3LAXqRNL/dAjaYQdCxZSQPoOFRIZJjEYJjOTv +YTvOI2aFhxUyKWKpGywhOFhGWpTERDM9it+Tv0fN72l2T0C7655LbaqS3ZGbmuJWpN89arpy2plx +VrcMo4UyueuVu37U0z5L/DxNciyy5yynjfT2DylSfIBRwTHSMkJFCxIvZF5OoRsdfaiIWQAQQaD0 +PgXspEMlJiNk9arlXATRLQM5G5UUaWblir+P/jxSeprQk8W2LLYloeknVetR9Nn2d2NPurbml+SO +TXK61KoleI31taqO81I06WuXT66i4z01ZdCbQ6/luBcqJrQY0iDIm6cdgmyWrZ2O2slAEE5fniE4 +zpNlKVVZnEQuUCAXJw9sblstywZw4ttwSHOtgkLJIzluQHZSTIEipV4XdJomvf45z9nrUqxOHyjA +ES/HrVqnN8UXUQ/EjEoSOVpMYIkfjsDxgk/P2yQ/bhuHIex1KTyuwt8tRr8Kb8+h96E4YaJpVX23 +XOd2OqP0LL0siW6r/PtHPdmMo+PFBANMBMEjBiWGNUr54Cs+vppdFP2mZteDommWzTApSRmZcNOU +Qc8GvRH+VrEq+UCJ8Wj5ht5KitQEDzdmXqnUHZ9ktRSvt3r+7hrjcyR64EhBEhLzcxWtUkvIF+Ht +UYv6aEmLoec84887Oxx7DFF8HbSmtgj25tijp6pl8dfNoEyl9nW7DdSiLH5tABgsKHDAEg/YAQeM +FmovQ5XTiAJMEEAmZIREuz24kFnAEDwQwAcOFSIvkT533bR+kiydlmmdTHQMalcXkc8iFaI5iWJM +JL0kzQ5I2dmEYtcUxx+0hNkwSohXCf0pIE+MaaSSY5XLUkI+jpOYC1fKRb8rIf7F9DHNbd+eK0JY +L0xMRHAcxAqVHmRQWrxSJZilR7A+STs1X57eFNP1KKro+ETPPeMoc1ztdXgI2mOIn6XJrnFUdTuO 
+JbsuIV/HichM6ZfxMtUYWanq2OOmK0JWLKP/NMN+m9pkWItf23H5uq6ex6fqTZay5/3mSXLd0Mrm +pdmfappxIshmL03RiopSk5SWvejpYiiDH16WpFjuU5UWxVsUU5RCPrSQuGQ4F8OW21Itmz/PxOdr +nJiYICCpGP7BQqIAHCoMQEPGB0usxogK5bPrJglyW35lXVDUS/NEv0ds+SW/eOi53ZZqHZHrfmIa +5HRuMdwhZaQBPWbsMHGp/Dw+ji23AUFDxgtE0IEWv/+puCLlCSIFiQ8yITJiJBOd3seRRHHiiBkw +VoyYvJ4Xd9xJbuMQQfUoWcV8epXbdBZNgBFAzIAEIfjAsOqOYUyfGCSsGSwiO7BYyfFiIvLp7XSM +cZ1uuJzg5ViLnsqOY/sN020a/MYNiOt1L0ZgM60VPYZ4KcLuOcSuUS778ulnsEy5GA== + + + pnZcRgsKTYpEgssyqtELShRqUbfLQjw4ETZmuEAl1B3zgDGJwBE8XCABR/TgAobkw/crinaa76Yw +K5LJxz8BeQjgIkWMFUkEn/30ZDtNBjvdFP92db3PT8seLiNJyEiRggRq0fJnVduOc71uxNOnbFtH +TZeRB0YsBSNENbMqvYipVKRGKnu2S5EDCUBCRsoKC8dTfp1mJVIJ9SN+bprnt+s+rfqiMpnsu920 +OgRLb7uaaR9VQ20rcttU02zSc+Ey8VA5yXFCMqLXMqVPDBjKNL8kIH8DTCihY4VlJjVKoSKxarkE +t7IYopnGdh49kq4HglY2Bb8l10XFsB2Gr/eZHe3MNlTjMh10eD2PpOdTMFxiVZ0UbTGsRbHlOlDb +hlq3ddeptwWl6SdFWfRcYlVW/ILQs+Rw6M97kSrlGGmh7LcKZllyCzPyqHz4Uat6WPUNxZPz8HRd +u07dtLwk77J8Pe4mxbfr5nBMNy4/0RGPTtMyhfS3yp5NsWuC25Utt3RcV88Se6oo8TBaoJE8JrHn +JzX3UeTJUSfJVMvcjns/rw4/PPRQripq1dskP6+awmnfbe9RxPFKNYCGCiJmVnKcsGqYrGheJ9Is +s12X48XFBwsW/4rOEGFFAAgfPsi4sIR69+vMbYNB8LXjJlkOuazMCGRDdaIRiVZpykrREDpuu00l +ZcIAE0m8KEGxQ0/klkVuOcSGe6C4hlDB0mIkBFdVldNHhUmsxPQJ+eQpOg7xcRiPm+i4JLulmH3p +tYzqpKLl3hRDaqmKW5nT76NFZIeUEJiPR9WymwRhUB+UT+9Z0T41fdRs0fKLKBTC8zNagmiYCR0z +fMCw0CgRoVmZUD47TKdRdnyq3xcnr5OO+y8rkxLRqEgqIg9JfmdyZDWtDsGPqrqf6H7diI6P8HnL +pvOyxE9zHseyw9GRIiUDBlCAipdKaF1J9vrF9Jv8N4lvx/ZZZeSf/LuOEpcLyEe97Sc9aRH0UbMm +R7TrOg7HtOsjnt9PUVdus+46Jcsktp09cNxwNB10qEdxZd9t1/0panpb0qqS2BbtZLD35aZpjyTp +fVtIpVZ9h9LU9jwdBD0k6TlN0Xn6JEl/H+l1R/gdBb+s+UXx6Ke5PSH9JiSR374o162eN4rlkzyP +HA6qZThJktoWNdP1SJaZdqepi5QVWO+38huW16I1zcnx9Tp/RV82PJLPLfolrSgrdlcyzJLjVNvO +npdmGfx5Z9YZORtPir6IQi0gz8uWRfo8N8vV89ZNK9Ht1x276rZGiEkGBXLldp+mLNepHBeLoa+e +KlalFzGWyG6/bBklv61c/9f25bgZBFN1jRIa3SMJfx7dgbtIpuTYT8/+JE9xe5PiPoYyH7/Fz010 +2QWkt4h6lU3PItjDTEsEkkAihctl4ucnuIXlNcue/zV9wY4OPR81YTyPo2ifkjEjvwcT2IxT6MXH 
+Seq4lKaupnlQ8wWMBcNxlwzLUJ1UjEKwmlbNs46mdCkaQAgePIjBDGhIUEBwm5LbFi3SixBUDpaQ +HCqxFySrEw6j7vcAPvhYOZ1SRv8Kl0pV1yA0HbUtb54kh5Oy5xYvWMh1V65DjyCenrqqelr2ROSj +jEajOJZRhXZYGdlxMuIi+k98m0XE8+k4ilWVDdck+GnTUuzy59mfZAx+6teVXhfS89Fch1xXJeRx +2XNfjnTXvRu3k6bsebDXrRz3el9MaYTi76h11cWx3HBKToftunTjTPBr8v8+qsbc1osiyUzHYpmk +qj1ZvhuHdjJPmobw+4dVVTTMMuJHfJqmRWIphUjw62FZEQyT4DgGwTPT/HUNte6IZXGSPLPsQ4Gi +ZNcLMOKI/51lMHThM0qGPSmaj+OvpifZBbGoCW5btPyq55H8hs2zimV1cXS5zeRsRBQn0k3r0XTU +uqS2vcewJkW363T01MsSH0WVy0ow6oMFNtLnJPgVta66cWWmsV33ft1+ligaLsHsh0330wSxa3+a +sffp5ulh29s8b9RM8brolUfte+LpU/Gbj+HsdW7HtRyXj6FehqP2hOGySX+zaLlHzRIP7+r9E03P +qFCrmj69b0hNQ2ran+QHHUdrmpvomGX0GJr4+smuq1rWpJ6mNSWxK2+Wb8fpZjmDYKyeY0D/Kn77 +s7xLsi5LXj1xpFD5AAUqEPtFIFct2WkcJKkZIioXsBMLV6nlBDLNrcp+keihAwYCwYixfnhRMeF3 +UaruZdlynAgCwrLrGygtH/ZlN85Jb8OIRCyen8Xjx3TbX1FPe0LgiB9CuHjx0vGQm6rotkW0m2I1 +1J76ObKe5vLkJ6MRTZKwO9ZJMSfHmyTVzutANi8Ixh9YbkB4URylaildR2wcH8U0y7oTJ042DoQK +mr0cX25rt03+Qpw0+ROlQ/H+vrbrRE7n3IDoYlh/YMt5cCi+IFiC3Zc9q1zWBj/WTftwKakRQ8Hw +OB89++tC6hlD+sSQQh92HTkdU9v4ta1H0t24NctcbuNN8wWM5aJkpDbNkPwCoYIlBmzFmuXRqtZj +CIOeumU2Kapq2jTLJZ5/RNf/sjQ3IOYGpNyAlBsQEezqKGt2NhoMU0CfmJ6DVNWTojUYgidOhCAn +YLy9wwoYUvzyqRmy36JWrUmR9bpTy8iM42nXFl6H3tcWx5Ucs2ZZN09aLNGNEzkck9LICB07dvZ9 +v2/Uqiv4Vb2viWV980S3zcw6Izn+AYaM196TWla0qn+K3uSIclw8ii+Pp0/V1123avpFx6+XJaXl +ToYpx63eB3+f63kqt33aNjXXpPcNtSz8eSNnE3I2p6Z51vUmRz0teTZV4fbKvkXvy6umSIb/NX3Z +swrSB6W/UXIbctWWTqtoN+SipHj9zK7eqqp6BqnnBzVFqkpyX5Lr3uGoZhk+lnQY4mEX0+chcjxK +z485zmEXi93vngkIogeLkZQUHa+E9heuUovUx8W3X3Irg9zadXho8fIDjBn5iaYckHODItY685bF +m9an6n2qIifLBqDDXpp7WaKczocChZllMwi+3/d+nUmO7RD00bOl67M4ptpGbjhnRyM5nW/DUbmO +N8v5A391Zc00i7ZbOw/Tcxc9h0qT9jo/RUtzLIuhToY1QlgIcJGCRSkEOslcBGOvg0FQHkuRk6GZ +po/jaGVHayta25P7jt6WV8+ZkZeOlxaPaYZQU5SiOTnGoEePoAx+9liimRaC415d2WyjvY8fSZcs +n+C4Xpodig2nA4oR66rgeNUy2PNCbvuv6k6KPTne4EeD32mGXU4kEz4nqSb8dabW2cnxc6Khda3F +0OW4UtvuJPl2HKptdmm2YMh64L6yNlmGG5DbJFH+XhfDfgx9cnS1Dc20tuNGbxuzcvGpq5cliV1V 
+suyjKY+ishiqHmduGazfV0YkUKqq6PhLyIfZcshl8fNUOU7kcGKSZO38541DLDti065ZPrUtynVF +61qXZkyONGZefMyw8Y5mHIa6aYZalk/RPUVtcmw7rYXPO1bQtD6i2iRp0UPJa0l/f9q0NslT08wO +B5bbqZnmT/OTpp90PTecVtPuUVQ1bc06+/h5TDEFsyb8PcLjqPhN1XEodltQIxomsZSPH9tr1uyW +WBT2OnPLQPX7qenbLMvNZiXHJ/odQscwOg6x7TyWYyczMw03T3brWo17zTOLE6kEv0vt+qdmiF3b +Tfus642WGLULvRMgqrbt5rm6dRM8k9oWxKogChDeRHOcoJho3MwyG/xIrDpSUxnS58aIa8UKxavq +XpIjeZ3C4yZ3tUMQD799DFex62FdsqP9LrxC9dpN1exkI0in3T47DEXvCut1z/vio/jy8yr9DlJT +fATzcmw7TtxwVI5DNQ3VtH4sVXZPPpLttqkdDrnZfCg2qdb1aFtmW5llenqilEIknv5PUbnTWo2D +ckB2k9RN8+283ixHLNuTo0cUfZK8RVHNshHFiRoE5zDMzRPEsny6pt1XalypdR8KkA4FCvb7chRd +N80GvZS7+uY4allYjofcNz6OpJaBYDa26yB1pcPQHsf9PPs01VHUBT/W81iOa820qp73s3xDL+24 +9vPu0hT5Q7FInprmOU8aKVNIPf8muYsi7HlvCMbkiPJ5l0gUel9YXq989hSkkF2WJseRmlZmGUl+ +Y2Ih/jvfpWmS4dhNl+Q2CW7fEBQ7nbLDeQFryaBW/7qa4pjkxj66ulzHctu32XAoUOSl6EHNvBxL +LvunaH+eJvg1zTHLyXTyEYVYdqUEMslwiFV1sxy1Tdy0UMvErGNyOCe8PpLfpHYFpehOlrZItp03 +h6NdquEmcztw5QOCKZFc9r2bKPx9LLeNGxAeTVNIKbKzjSAbErviIAnpsaISguv2OKrcxp1AYZen +SUk1p23KcSke3UeKCIuVycVJtOLnI/lNh6LLcbg52mT4r6nrtl8z7IrXE4uemfaBbPoWdlGy4oYl +LJb42apyH6brMadSS89NbcvPs8TTg154Hke8HO1RfD3v9TweVclOlulwwsw0z6memRZuNq7n4Wnb +s7OHpW91/jRPFSr1mFHDBJXqWXY/TTv8+FKkv272OvgDU62jRdJH09n7Vg7n3IC4Hed2nR2Ge8rS +KcvD8+ne3fEUt2/cvpILx85maptMlvM4qppWYlcWX0e9rY+ioNa9xVLcdLoOp6dnkJ3nKFqK4ZDr +ougaRdt6uq4gyIZh2nU0Sbrf94Zg77b6qvJpmpflTZJjh9OBoEg1DbSqb+jhqVmyab1tZzSt15Yl +S5YkT/etyutT/Ybc1QXBdyRtdK1LdCbFVgxNbtvRdNTCO0l6zHJHy/Tr2M9jue3jtqJXTtH0K9c/ +rGuXaKptZNbxNhtvs7FLEjfRdONucvzX9VdT1SyjYngEv7IY2qZIgB01VlIrkyyDWDYezdX7yCzj +QDaeDihcNz3y+/aJwmEY0vsrvUfZ+mjOY3Vez9iO8xTI9PFFI0/px/97jXG0jUPRk6q4SGYC0KHl +OJM932ESsrLpeSRVUHRPdZ91kV+6a38U0U9972hZCWKFzIuQWEmmT3b98vyet4bJMy5N/31V972q +a3wM2a2zbh33A2m0/Wle5JNmGWcZYWkRSWGNUiGbV/UiHK7P8cxjGhUamT6kku4x1bivujdpvt6X +bly44XwgnHTrRE62bTgreapEKRdJjEgJjAoVc8FUQKSXDBs+ikCCCVSItfpLKqcWar5F7ruTJNx1 +ZaaJ2UZq3Ll1K+fp5jlq2x6OcThWgUSxkZS/1ELFUGhmYOy6SN9JpBCLdQoB1X0ptld2LofgB4Ji 
+BLclnx70vnua2uYJk6kd86YTLBY7+T0jn/dhWFRcK5UoRPqETLv+53bv0X8dlm1V9WFYxfMimnbB +7/28OQzpUWRBD/W49PNiVQ2FQitY0OzIceMkhaWEWv0fk9vS6NnidI7HsU/HI9yezfQdTfpUUQ/8 +so4aerqK9mn6gqHqcbgpmm75fl/ahdXyPEkzJc/R3p/8T+3CM+reqHuj7UyeebraJA== + + + em4eB7JpQXBf19o8X1GEyRFGT/Y0a9ltEQPzMkIiMhqddF1O2bdE27E0O9D1QHsUbzTF3fjFcrFQ +AeMIJBAgAhGcoAhEMEIHTMACBVQgAxPggAdaQIMZoAAGMSAiiQO4YFFjBTq9JKp64TySHjRtNy7V +tBG/p4FCUmIynYig0LSYscMHIRIwAQ8s4YAPAJEACdDgB0AAAhGMQIELeCAJAhxAAhfgwAdEYAID +FOAAMlrQGPWh+FxN+n5SKv3wq6fqXJZwOeZu6yKdZtTYIQkETEAELJDBBEBwgg2YgAUlcEEMaOCD +H3hABTAwogBNDIHEEj8MUYQOHz5iUqhgSXEp6aGU/rnN9cy2spN9IBvX+/6VzU8URlPVK7bDiCMc +4IER4GAJTgCDGcqABTB44QhRiIIJaJCDCYSgBAmgQAZw7IDEDIyLEVaIiP/MLIyzLZ6ieIryrcu3 +bvqBsaq+ViuREBOZGDpuBEGADahgBV0gAxlygIQldAAGM2jBDWhgAhfUoIgCRCDFChuf0AqH8TYc +Wc9Lt23tttsk+XWNRbHl4VlGRmLMyEHEAijQBAdG8IEWyAAFNLhBDYYQhCpwQQtRqAIVagCEIDwA +BCaI0eMHFhkYJSYuIa3WikgMCR984MGGDl+ubRStz7NnW9Suh3qe5WWlhxA/dEAFJnhCFq7gBCpA +YQpSeEIMdvADJixgASOaWEAOIIqAcXGDhBoZiU42YsTw4QYP+63htJXRFR5NWCRXd43y8U92TfL4 +Ly4qPwSxAwGWIIAQSCRRRAMiwEMCFODiBw8nMTMsZMxwEYMGSUkKiauEFWKF7g99suoXqt23dt9s +oq5pvqxL5/toxdIBxBA/lFjiCAhA4McSTLy8kIHi8pJiBc0Jy8qptIqxYCUtkVDNu2ixRDx+jRYv +hCCCiBGwAAVNoMIUkMAEJyShCUnoAhi2oAY2qGEISUDCCmTwghbQ4AUvkEELFtAABvjAQw8vJSd2 +2qZeKJtpHI52OKpZprrnIWywSAKIHxfIQAaM4AQmAEEJSOCBEYrwhTGIgQxnMAMVrCAFLGjhCmIo +gxiuwAUt/KAIQlBCE5JwgxvYoAELaMCLFCtaHlCK71F6vn7fOoofeg4pkQiQxBEU0EAGiNAEJjTB +ClY4whOasAUweOELYxBDFK5AhSQ4AQlmOIMYxmAGMSzBCUlwQQxSUIIVlKACGLBAjRk2SlIrmNar +JM95ac6g6Hbf6337aaogEblABSxQgxvMQAtdyEIXxDAGHBBhCE2QQhPCIAYurIENaEACE5TAAhm8 +IAUuWMEIUHACCmRAAzt08IhpgYlJUXl9/pCPz8rvVE3/q9rydSB84ECBC1hAAhe4QAlRcMIWwiCG +JVQhCmlQwxnGQAYxJKEJSmiBDFgQhCEAQQY1wMECHmCBFS9owFSxkv73bgxiWxYR6KXvfbr26goj +8mKCAEjAYAYxcAIVqPAELGQhCli4whW6wIUlUAEKOwgCD5rQBCNYAQtUWEIUotCCGcwAiSUOYOPG +Dh47ePjg44eKl5iYyuXTt8imTXcdE/0yWswgIAIK2MEQeKCFL2jBDGpAgxW0oAUoSKEJVJhCE85g +hjBM4QpV0EEQfjADHejgBTXIARBHIGAFDBsuWMBQ0RLDGo1iJ9PJKvXygEz3TVMisoPFzAEIUMQL 
+ZPCCFsDABU6AghLKUIYx+AAIQKABDmpghCMUwQhIOIIHREACB0QAAgxwQAMOwMQBaMi4wULB+LvP +3XlnX5ssfRQlAfkhKRMLFiyCSCIJEsTgBUZ4whOkcIUqhIEMYsiCF77wAhzwIAETuEARBkjAD0UQ +oIeOHmLQvGgZUclXuBXHIX2fgAIoMYEKROAFMFDBGc4whje8oQ1ToMITevADHHShC1iAQhSaoAIW +qMABD2jixw4bLycmMSYlLi4Xq/f88OxpY1Xb1k7nDkORHadppViglEwgAgyAwhSYkAY2pCEKV6jC +FbRwhTWs4QxgCMMWfBAEHRQBCUF4AhSUMIMbyIACFIDAAg5gAB5w6Gix0tKyaoHiuTbN9ftSUdzf +d8RESmIIIFjgAhRgQQtZgIMc4hCGMYShCVFgAha2cIUraKEKOOABDYJAhB1MgQpOeEIUkmCCFYjA +ARNoogEOaOJGDBglJ9Qqx0Mti5dk/H1yGK7cBoNey+qkgxe0QApLOMIYvKCFN7ihDWIowxiugIUp +UIEKTaiCFaDwBCcggQY0cAEKTAACDGSAAk0wQAE+dOSIQUMDIzIS+/uTkJ+S4xJ9X8nyC8pExA0a +O7DBDLawhSxkwQpTUAMaykCGM5ChCU5IQhOYcAQe4GAGGbiAAzaQAQhUgAIQYKIAS9ygUQPlNULC ++7pEe/RcsUKh+B7T+qriOiWFKgARQZAgBB7QQhaq8AY4vGELXwADFKYgBSU0AQkwmAELToCCDpxg +BSJQAQxY0IEPbEAJJZCoQWNGCxYsWrBgQdKCkfpPvbIkuxb5+C5WSDJQgQUkIQlC6EIXspAGNJBh +DnOQAxnGMAYmKGEIQACCDZbQBCFoQQtV6IEQelCCFaBAAyAAgQEW4AAfQAgBE5OiZTqdep3llXKh +UvKySp2URAT4gYcKQqABIOhgBmlIQxqA8AMh3IAGMLDCFJrgAx/ogAQm8AAMYoCCH/TgBjrAQQ0q +UIEKJIGEEUL04IMPGjZOYCUlz0hk7y7930nTN8kXIqwebsAYQQg6oIMc2IALXchCGtKwBipQgQpP +kIITsrAFLEghClCAwQxoIIELaGAIIpDYYccOM1S4YImZ9K4sDkAHtdM51bQMk9iOFxQheOTowAYq +4IAmlkACiB4FOCKIHzVqiJRKH/j1uC1umrxZlty2NNMzaa5cN3feitOJxeMJpWmbZWnWSVmtRuCB +DFzhClQYgxjCQAYxeIEMYeiCDGLgggIoYcQRQ/TQww8eLi8tO9iIISMSIhIKqfbdZCRi1XbK53/p +uO+6cCjO42iqYwIEwUMBCTCACUzwASH8wAYYoMACmjAAEg1AwBIXkIACFsCAAnwABBUgAQk0UMQP +PUZQIhOUqAXJS0UE8qTpDII3SZrkOAS/cgja5KiXpImWXVytGylgmEgiCB/0wAZVoAIUhiCEHmQg +AxboAAYmgAQPO2zMwMCUhIy4VrHTyAXy9OyaqmnYba9mugTP8BfeJImXouvXLRABJiSwACUqEIEE +zGAGLaAABJpgABNGDKFDBksMdbIasbxQMyghLFRMQPLcep7PsjOt1klI5KcrLpL1J86iKDISuWBJ +QYASRPCABzPAQhaswIQmLIEDGbAADztm1HABw2KGxWVlRMaKFxwvaGRWUFSkkI/bMFGo1XvudH1H +EVdRUl7zkKEiBSLQQBB6YIMiCEEHONgBDU6QAhBYwAFMJIAAPjRAAUSIYAQXkAAFGLCEAYz4wQOP +GC5Y0MC4mLhaozz/zK+rz1f7za8pqZZZXqsfMmDkkNGiBjVogQ1gIAMIHMAAEmCAEkwQAIgjiuCh +gCaIiEADCiABCCggiB5+0HjBQmZFRaZERKUFGzmxRkKnX2VhjoO5TXXLMFJEJoAAJZZgBCCMwQta 
+UAMazICFKlTBB0HgQQpcQIIOdGACEoBAE0gEwcOOGDBk0MyIpFIiu27pOP2Bp/adEYVioEis2D21 +zphtxg6IyY7zFEUzrd021OvOnEwrWiwWXdMeSHI6HsjGBcUQvhe5rQgCwulwgtW4FdBPkyrBmEQm +pdAr1M+QqFKIqFb8vcJt1k2rbvmU0yejPxS/c0muXyfS60C8qPQoCUG1qm6SPWqiZjdVwzEuky+7 +NCqicvj137dasiHnideUl2lHDBVB6KCRsmkUD/9C+pTo92uOa/CrRbH1Oo+a7ujJdpyZZWWnE2rV +lA9P0t9z+aHh5hrxP2bQAJFjxr6meBmaYlUlpLfwWkfLWfzoUdRR9NO+PgvP4zlysrfrSO3qQmRF +st9aHWM0DOmzq/T3b+qv5QhOYXis8slnVqIU0ic3S1LsqoxALSaSHIojpyNyODQIhtIUxbOL9Lje +mq7STuPFC40Lykvkj3BY9eMine7nlvXJ/Tqe2RWEyzVOYi6mkK+irwiCWWcmwxCsxvTah1VPrbqY +mGRkREyk3VO3eUuGcJcl0l8i/aRFAt3050VdRDqOEtaMykST4P+yHvhFvc71+ycnlM6y8ymisPwU +KK/XyDOy3Q/NnrhIPWLEKMAIIEpWpJR/o3gbBupd/k6ya51l5ZJswS7ktiW+D8vzEpBPut9V6J6x +AsWHDhY5ZKSIUYmlhJhWRE4rXERUoLxGQr7/tnE5sqBnkl+T676QSjpZvhz3q6mobVVxnJJfkh7/ +19bsaK+fZISOHijadrtOzbT4A32VhcVy9cKyk6FbNpLlv31TMR1DGrmMQiI5fqLjEf2SaHdXTZbT +UPPrAvJ9qIgM0aJFReSH3nYuSVcMRbBLetmeDFUvS5Mi5UgZ2eHlxIdKCIoH51GyX08+NeUQrMew +BK8i+wxjhDXy8yL5TTdNJmX6V5XlNN4kVT4eF65Vywg0ot8n2GU5buU2kMvCCHG19Dw3yxj0RnO7 +MuJnWKKW1EgWvxZOj+x4q55zUuxRc2XLITsugt37RE3uIztbPpal9jW9rwl+cXO8S1FExyeiz0nH +39AbuekNWGoGq3SizyQ3LLLL+TniZ9mvKq+mN0nqZZmC45WPP3LTIbY8YlPX05T4gcOIHz9gn0/I +z8MwgfmIQfmhRYwOl5IWI6yRXbOiSMLlFSlSSDV1EiS9bOuuUXjcJJdZL5tqnFJOG+GjRoxJSa2W +LR9/aZ1mqIj0iEl54TLB9Lo2R5WQR8UppOLJVbL7fluelqz9hmmpZmCsk43X57nSaxmX6ZTbfat+ +4PRUtzAPLgNLBTEjxgd2UTXMsmdRu/oqepcir5o+i+roOOLrJ//HHkvcLElyq8pl2I+HgHY/XuVU +ZAkx9WCxgrXrqFseyS6flrhJxiGobppIVUs8nnXbVi1bgSK1OJFkPn4M6XPy6W3zPLdNBkwMEXJA +g1E8u1zHm+ZIz79wfEfX1QO/zeZOyyZ+2IGGJKUWy9P7klp2xK6rWk4hfU5AO+ll201j6XnKvlFE +ohjUCOWjk14WP8t3DONRZD3uJkMXLpQQKVaGoHHBcRI76fHUq55e1XXPIZfdyTL1vip+ruLBVT58 +aoZxs6RJUcTv/TS9yVElwz5WTmDEWC2gPgWzpFYtwSyqhlFGHhDM0uYIgl1UPceYQC5YpRH+/riq +n5o8VkpihLj+FQWxKQsJ9CK2YsE6nXhy/SzDTsfUOBVN66cJf15ujqcZLslvCglUI8RVil1eNVU1 +/MLnkR5HweqpNVtCOYknX+n2/7axCMYhiHJfkxvvUTIvw/0cS3KrsmMdKyU9rGCBIhL5AKOiABwx +fLSY4FghCWIFywsRlUiGXRDM0bL0urkIltRzBSnkAvKgXtZzjj4Z5mX40jIdoaNGCQ== + + + 
alW6ZQLMWFGAGi96tJgYseIlxqq0muH8HGFQJtVtf9gzls8pf96CZfrxkpJjxWTFJPJb1SO3O2hc +gIghY+QDIvn7GSWtF1IvwtMjHvyEJOpfd0TLP8vaYgha0ZJ6uvR5DOkn2ecTP/+oq7pxnpYd0W+T +/fbN8V/PnjXtVFxRfYBg4cIU0yj5dd0yCWbpEVQ5zcw6J/ntl6SI4gTMaSO3/IpdfwT3UtzP0S5J +vAxTpEQ8zMjU4tif6G+euijuJMmrKW2WtTmubJiHFS4mJRMthkDMuPhYIZEZfV723LJnE8zu5Qjb +9wwwQAGjOn+9jzXDQKhouYEygvLhVUSeT8uyX0eqZRhVySS7K9kl2fORHH8J/T60lCgBg8bk93hS +FEfKCQoIpIrbFSfRzEk0gwTGQ4oWGZWpP80TEokAOnioblvUoi2Zbfn3IWJUfGARmfEywZT8WOxg +IlASOnSwcn43RZeRZwbKSMwKRXMSFbHCBcZLhZdiTL9feX2SXRGLwuqVVbt8eoJYVcXvdZPEUTHG +CYzFyMvToqW5HdHpVJuueHYXrVQrt2+UPAHtMSaeh5RXDZFVDZMYic+3Hod2Gx2Cb8fRI/jHLYvH +aWAqHCshO1BgLiWQSXZnUCIeLSYiuf3dU4XUk3xwkxBP8ulH8Pt+IJpldwiaXFY3SR8t/dQM0esb +JKsF9IiRgB41RkajWy1XTKEXj3vY8pW/NExYMEhYMUhaMqoTz6qmuYXhIsmIepTdPuHzFz6r6DdV +vy2pzw8wUrywXKfbNvl5mJNohK9VsEQpViKSEB8i6lW9bqfo+3UwfI7J78tdT3QaRruq+aVJkf26 +l8c3ybGPmnboheizjBCUCpWoZJ9R9IubZWqOX3d9l2Fdgn2LmuYXxrP/ZjmHII2YlgUYEYSIVWNQ +JB9YuBTgRoocJ64W0R4DVnrZscd1mwBiB5aTKXbPOFBEbJzAbqDAcpzERvZaJbu7KYb0txA0LiG1 +HEJL3xxTrgq7YxO/jiGSqoFSQopjkv+zIgqxjD4zqRGJTreA9pI+18/yX1NPeo5kV8UILIWL1bpv +PjVHcMu651ifx6xIPWJaSv4/xuvU8tlJ9NoFxMecRK86DrEpCwr1A40Zn9hVAe00YqcXkP7i4yy5 +DbGoyD1rEmxhEpLEDhwn255BiWK8Uka0oFECxoofYk52tIjQsEqoek7BQn3clQ67FCSPECmsFSM+ +hIZLK9qX4vx1p9q1AAF8WAFjifg1DpSWDywoNCC+h5QYAWLIzLRSdSnSxFgjoR/UpqL1PLlqCmZN +rqqa4R890c7mJLQrsYPHbpY3Cf5u6sJj1x2rbHjkx1NIH9LsrnCVZJCwTEJ7DBIVjZMXTNf18yTB +cYnPu246L0WT0C8C+oDY9ISnaZCkcKC4WoScWlIi2KfP2fTlsWe0jOSAMbGhEgJDBNVS+v9WBblp +SW/fZKijI8mvwxhprXChYISkinDx0oQOFyl9Vu31DExVkt+UEc/EDhc+0LDMQHHBaJFSmEIvHt9b +VWdR9+NibzPBKouY6YgaK2qslKCYQL/8sqF3o+WI36NgtwSXV3p75ZOTYvZnUZOPB7b3PWqyWJle +sEoqnt0Vu6P1HMXrS6s0E+JK0XMQL1YkYSNGixbqVb+pmBXRZVS84qSY4qUaAflE1FBRAggUQMcK +CY1qJCOGSsmtDXo02NG4Tj9kWkwue8LbSNCkFBFT0uOktaNklaOkVYLbFFUKBiUQAQOOQCLEriwg +HcZKNGM1mil9VLErYtN8/ISgwSIJQtjBBRrggFjfszARsQGDouPFxAeMiY8UKS9IXig61pEipobL +S2y/Y1QmkX8v8fMTXw/p8RM+66qpAvJXrEqoWC29aSunWfjcItpxoMB4oFlpWZVW/Z0BJo5QsVqZ 
+1rQVrzKpz46YkxkqIrE+Pwl99LPMy5CFKRSjX5/k9DBbzSust0VyG8LXP1hipJgd+XEdKyIuoh+G +yyH6nALaXXrtaVMZmIukRJJRlUpuufWmrniF0W8ITotYVNU4Jpn9AdPC8uGDiCExgA0VM0RYMKT/ +ZeTDEEHNtEokue3BYgYJHjtiO30DxeXjheRFiGrFqvTilWKhIpHw+MhVI1CEEEr06EHkppFowZIA +HzSOkCGDRIwWB/Rgw4cVKVR3bYOlxAc0iEGOGJgZlwnHSkjL6Sfx4CogfgSn4S5z/TkElhhiCR8/ +Rvh7BaTDiJF8sMRSpD4vYqYVMJS/nkTcUHEAHnqkeK1gff1i8rBQkWa8UjBcqlRuuyB3umMaLik0 +JLAXJyEwRFoxqVGoht9TXPW5jRITkaqqKPk6RlA/WkRexFQqH/6F27ZZ4uboWdPcHE8xK0QKFBku +EgsWSEVrpJphEX7vgAIQUIAePV70jGJTFP9+4RrRiJ1MbApa0fwchcABwwIGMAImRRLZbZgRD8Nj +WF7H8JlGBSLx6D5ayoz8JVq4zJQ+MKBchadjOs2zqQv0KeKHjx0tWpT4+w4psB9SXjhWpZE6Dqmm +iD1N8MojBYoGHICAHDQrYFImDSxAiQT8oONHDMoLGGrGZTIZfU61zAOMFjuwaHFDZSQCRPzogcZl +xvRRkRLF9JpfUZoETUB9SsiD8tlToEIyp5DIXpPwdA8VkRspIiYkEImGP4AAJWSIiKBeNma/PWBI +ipgx40OLlxeUqOTj4VNT1KYtv6fksiy+neK3fZyogFCh0qJV2lGy8mElRoLVGy4oHWiCCRkkISM+ +PtLbLCPPyykU63FQ3O5sikMlJMXoQ0LHUkqiXLVlx6x7HsFsC59NPLzMCdTEjhVM2FDhcgqN8LfI +XquEeJJfN9GuDZmXHVqw4JECkwAPMhBwg+ZHi4iKlCjFk5/4OOueUzTcQ+YFxkmKitFvgR1mTGCI +H0jIoIERglrxOsEYcbXumYVIKgUe0ECNFhYaKC8lbrDwIXPi4mVyAfWxOoY9baTUl+ACDDgADz6k +eHIhVKgEQZOyA6X1Q0zJES9cdryYiF41BiGAwAYcEAEa2Ovl5AlixUoQMShHxKgYEaNC8ul1lGxB +wqpBCTzg4kSFJNS3nP6Y1cjFZYqJehWS56TfP6l5YwSFg2TlAmZKcQKl+HrrpnlW9Vc0Bj169FZI +HhWtEYxIV3HyUXb6Y44sJRALkdfJrmF4/DL6VT56yn+X7PKpTfERrEtRJtaCYaVQQH0KFAhGK/RC +FfKhZYQIGROZ0P5u2cppKtld4XMSvT7CRcsOMCQ+VqzwSJGiIqSl0m8aLV9SpAPciOGitRKhZYyG +XUqfFjBTj5YYES5ceLycrGwZBiXigAKWWCGyOgn1NK1SDZUQlZMo5uczrpKpjl9WpBYkLZMfZ8Ep +C6lfATu9nEKsGk6hErmYQCO7rQMlRuLJQS67ym0YlIhFTLVSAqlsOeXXY7ccw2cXMZXKyGPy0V1O +H5IfZzmFSDBLatXeNFmzvIOJC4aIj/HcMCI/pbddPnqKf3/SsQZKyASQCEIImhcfZFJoVCEXr1ON +kVUK1SgEs/pJ8pBiZUdKisg9u1iJYsBSNEpePWBOaJjAVLRIKRpu3bMPLGCOwAHjRQlsxSsqMAKk +YDmCxqX0rv16nmjYdc8l2CW5agtIZ+JGix1aSnhIsULEixmYUWgXQxevFBEsYFhGP8o9Uzz2jZJV +Dy0hPkhYNGKqFk7HYDeEDBUtQkRUcpx615dP7qJFqqECOyKHigT8mFES6k2021L6zKBCJHwNw+cX +PofwduuGW04h1b6H9HaNkBKNV4mlx1mtCipFT/n96uhjZgYFdPKg6Ig1g4ApaWLGzA8U2EuIP+lt 
+kGryprgS8rjuWsWer9YkqSJKbkcranLV2E7fJSjiyWOUvFpKoZCcTvFvkZxW2TLoRVVE/cqOQ/Ba +8u8sXKkYLRWJLZfoeEg9P6n5o+WPlio5XtE0DYZx97noWMWzl+S26BTZDsiHAkWHYpNmWT+G9ue5 +XAd/X2x+aU6ikNzOS/Lltpjj9jA86fP/ND+neXLZFM9OYtOrlhWhJ06KMdilKIFOdvtzjiQ4zPLn +I7gME+JTsArL6VKrmlg0xZP3J5mT4auGUXbahK9bNfxZ0XXTUHAbI/o/JylzHX70PugIQksSe0bJ +bZG7tj9vxjRScRLNkD4n+/2j526WLFoe4XOXvtNkqaMnq4ZV9jpkdltyW3LT+ON0Uizx+RooJ/k4 +hlSzJcS/YJVUfLvkhk/t6WFPz6u6jH6Vvweh5cllP6q6lyUOejS42WZpl2QJdkPs+UFJUlqOyK6O +VWlHiGqm9OlPceU6r7xm4sYLHSwssZwu4WeSnUbB7IuOQ3Q7VcegNmXBIvUwcflAgcVgkWA++euO +Q27Kp2MQMmhORKUYju84gdEQSRXRwiUJGTJFrFi5MYJq2e5Ln4+o8cKFNIIhgVqwTjFeKharEsrP +t2wZL8lePUVwOvWuoPQsuSvJLasI9TJMoBLd1klxN8eTX4cphVA8fEhem9rTFa8vf97iyV+2rKMl +im5rhKB6UHn1KHnB5pcnQVnkblQ8Gf0rJpGpjkV2W+XfW0R+SsgHtajoTXeVXFHyYoKHDpVRyFXD +Ijasbjipd03p6xT/Xvn1Ew/vr+2Zcarm+eqKkyRvmvooglK0FsfXC1eNE1GgQDPNLs+XvpfcM4x+ +dRF8O85zmikeX+X3TS/rbhtPkqNVPbktiBxD5ChCT94kVTadiuGY49oOJ0WonyH5LZ57hclzas++ +BPOwM7WpR0VB7eq66ZIeX8Usa2ZVc2uTYiyCKVoOyfM101YtI7XqKnZH6qly15J6/mZZf55Jr7do +OQW7JFZdybEqfl+0/EnPmyRVjpPJEeS2btbRQ071qiv6FbUqDoJ7OZ7kWTfN0tumZrg/yZBqwmY3 +NrsuWCUVK1JIXntQk2XLLfuew3EGxZXbouC1yrZt03TD7wU9vRw/6OmPocpNw2B25aYhNxzjbxEe +l2FS4tp9HzVTcktyVc9ZquT3HsO200KuOkQMFThQRlB+HgWvqDd93bGJJ0fNb0q387OE3fQOLSao +ejb595jS72IVmvEqkex0an5fep6qaRWslMnvCbEqTLdXSB8TP1fFbp+avUnmY4ii6Rd+h+B0y7+f +5DVpRf/0FLEqq579VZVFUDdL1Muq6DSM0g/T338ZulxHRSwlASF83BiJlei1SDVBaVmCVZIQX5Jf +2xxtVLyxQkLi9y79VuE06V1T9Rt6UxkrJD9YuBDRsklmYUQ9N4ATHnP8pOUtgvTn1WKoqyuOsrXJ +nl1Ial1Ivle2zqer64UkJ+NOgISbTm6mvxu7HthqGQ56PSmq9DuLESiFz0ntmmaZeOLE3H11SJIg +HBwMVfy9xar0YiUawW000zYdTryct4+jmnHYbJODHE3pwwJVkhmFUPx+R9FSLMcgEfG0ri2CIhZl +GfkwRFgzK9ELybOaYXLDCdE4CL7jTpy5TbSiIriN4u8vWKlU28IbR38ga55dM82XZQ== + + + LoYf1AzZ8ZRd/25Lg6K7dSsiEMrn10/zHkd/FFt0vEJ1Wtn2jqIst42czU2OP3r+KWp6Y8+q3ui5 +t+6ISaXH+kqub7l+WPhX1bbrWs+ryZFEv09rSoffyNmUnY77eSU3XTHySe57P1EVFEeOG9H3597r +l57TV6XzIZ//JBRi4fiork847r9vjqa1KP5pClpTviT509zNMbSiqdsO0TXM30c8fCu/W3bNomXQ 
+qvppmqptkkyH4jkGCqlyPebxXbsOWtUa/GrQmz8PR9OSTOsk2Z+mb5on123N9CdlYy8EOZ3UC3X1 +5U9VJ0cRq45Y1cSmuNi9eHuGCopprklvu5rllF5f+feYLcdfN2YdFOxeSk4+tV6ra/+6MajRihUK +tuset6XV1BXyzEAhOen5FNBfI0RFsucs56lbOJI9u/y/b5+6vany5lnj9Idu87Vs39MN4b/H9u+T +PTNO0wGFJgAdXM4bsa5/oiIIJ90+PHXt831L2J99ll/61KDxS1unEdvFY9P11TZm4y2971d4P9n3 +Cz0UKGxRPPH0MfwOsS+Prp9XlsUyBktXTMdOnE/2Z2HP+uZmOo+lG45p96Fbt44oKq6nV47k2nOi +OBjuYegpSVfjyk0HzbpbRFvvxNvb1JteJBfrkyLdn1uVSS2c0ZeIHz+kWJnh33sldMIRe+kogZn4 +Oh1+PXr6KPrHMIuyK1vXN4n1mnFpsUMOIxgg44cFkEhmnHVKtVVw/1Ln/3VvkpEqhcoFQyqd3Lbl +tpCzSbntd902FDkOxwzP3nf5IxS9tEKKsQhJ8cP0wsM3kYFK4QMkkoIvheg9qr9/0O356Z1O3y/r +vM62s3Dr1l11/YrfUGq64Nd1OOxYonD/M+/zm3vykErLRIbE5eWV0se7W66xyYJqXkbf3Y1NNz6K +4RQoUoqSKJSiLMexnQeLJDyarmii4im39tzevf2TRC0fFHvlEEm6rJHq9DH5Ne956ZosXdD7Ybdk +17hpotumfl69pvUL4/Yu2/17g2aPivao+FALhQrBab6G8Zzec/iWVfhmY1Gdg1r4h4rISwl0wnv3 +pGGYxELJUYLjADBFYCAlCAr4Lj7MqhXwiOWsVbUfMtun1/XLcAU73XYCZORkvImq3hgnT1ILs4yU +8xdvislPKXDWi3vlgqSS4wTTQ+2KkaIZIk/R2H2IiojMipSZ1Id1u3g7pqw3uuDIq2xJyVSfqVym +87n+cE2CCqllkal6TPdD+y/5TrlzCb5R/h8DgV4/iJXnJfS0STJm0Tk052q2oZuOq3HxF8KnK7e6 +TZPq3AX7JqiWHicykBC57ACPYHKRim9imXeYe69kT6zVV7BtcplIdviWzbR33791R3yfZOO4/v8k +MysYQLQE8QAeGZiBECsIAgaWkAUONKELLSIAAz/FEDzLDjeJDdODIsKlX1QS8rRckoU/0Vfbz+re +pJnDtUiy5QzaYXyIAcGBlwKgYIYBMGghgRn48MAOdgjBDmQUgIIZG6iBSgFC8GFxxMfFR8rkBcmU +8rp+ScLhd5JfiaPtiH1lEHxFkS1PlZXnnOSHTkKllpDKxcRyg0XTQwiLIFIvPjwxFbLnRfere1e1 +rp+itgf/wECkkjybZnrUsr5p7mXpszB+/7FOyk8ovwqNFYwiUip+OLFhRA8QKIEIDwXkKz9WkspL +DSBQUuzgQSItq+8wXvKLVLhgJaDRPJIj930geb7z3mppyTCiBYkK2JBAClQkwASsGgUw0fhAgvGh +v1bQpBXYj8U5anX7kXxHUY3NNDfLfM4/qRWWDA85GoCCJWigBAYcAQso+EIaCsADKJgsMYIRjgbw +LgrgluyQWS1UPUa2n7GU25JlvfBf2xK+J9F3asLi6tesFiYYTeQpmPBlNKBkiROwHOAEPkjwgwQQ +IQs5WIAEmAewINbDBPwUH6UVHr9rRZyv7p41Erk+9G6qdRFMh2R7DU2ZpeMWr+eQZyXTm+jIS3js +JjtehpjAyxAVOPlhAq0cCEDN/DA6qXFiweGLvFg9J2ELEs/6PWGSs7memKfuzNZo/KlVMiEXHkx6 +oMBKAUjA4gEtEAIFQAiiBUcwKcIDphdJxHYkoKSHCIhcKOGK4CBFMWhI5Rdx0dYjWeZFTi9ebX03 
+3nE/dEIDYwAOrIiACoRgARA6EAUvMMAIVyDADpwwgSVs4QJO+IJMEydg+TABkw8HyC5DhL+MmZOw +fMj6+r68l4BOq9xHwVE8YXoVM8KRAFQTL4BRgiMsoAheMIAQtlCDBEPgIQVCqIARsoAAHUABiRoo +wQcYIGHGB3gg04AVqGYsQatkVpzl5qncX9Gt/dp/FFy/Y/nW/VwKwUtajFoc0cLxAJIdIqDCACKA +QYEX7OhADZKAwRFueGAHsCA04MsA4bPw8FNysJ+UtUb9HhepP+VsTJ8rr7Yl2i7l/AoloorJ0dqx +xIsJqIBHCYCQggI0MGFiBCoUQIIL9AAKScyACSwsYIOQDQSgYiBBavExo2ROOwXLH5D9k+6edO80 +yrKq/OYjFMyMGSY+YOMDPThAD6bggzGwAQNJ+AIPEPgAhwZqwOIBLFjlWICd8mNN0aS/STmb2Hlk +16G4VF9VblFEEzw0AAMXFHhBDLpghhNkgQw+VDAEHmBgBCNw0IQUE2CBiQcK8DQSgLdIAlfZoYJO +2D/Gm0TwWf/f+CTT8Hjqo9hKRwJAPGDAxAEt+MEGTiiAEbbQgw2kAGMERfDBBUVoQghSMAAQoMAD +DIhAQwQ50DGCHcTIgAxEkuiAq8IDSop5TS0jkxUhL5QUD+JZeI/tE4VVe8SGTm6XHlBCbKDFAjmo +MYIh+EDBEAzQgygwsYMoHAAIVYAAErJghAuE0KIEB1Q9muhphIhLeJChlhAWeV2qneCEWSe7dtyz +5hMdJSJAwGKCBTuoIAkPOIIWeKAgCC4yQIMgXlCECyyhCz6kAAgtLPACFxmYwQ8vUIKPFBQhBAkQ +uCk9qC0ZbQjF9rw+vglH05IUCkXlhTWjowgW/EAEUvCCAnoAhQTkYAkloMIXflgBEFJMgAUxOlAD +lyZCkNqBAX4MAvgxmHBTfPD0krE3mU8uMey7JXuCo5Zt3/n6KTJ0hIAGE4gCGIKYgRMigAQs7KAM +bPjAFMrgAgM2qLEBGRCABkZYgA+ckCICK4CBQAtsiKAHKAcowU4jhA1b8SlxsTpZsZavO6IoWH5M +IaYYQsTowA1wsMAILkIABBgf6IERO5jCEkLAwo8XJOGGCHKggCFMQQJQEAMPFijhBQIwQAnRgRAP +F8hjLMAdpbj1ll6D0lEtP3EdzRi+6d/lEsQDgohBEnygwRKIqEESKqCELnCgCWNAAA+soEMEPGgx +gRXs8EANiFABEGgg8ILQjQbgMUS0KD1O1IzKi5xuz7I1SP/r16Z7k6llxg8MqGADS+BCEjd4gg4S +9MACQ3CCDr6whgj4wApEnAAINy4AAxwXmIGIER/AZ45oYTLUUcubs1j1rss1Ls/PfwICARPoIQIh +oNGAECRhAhmQ8JAAX+bHvnLDpKIH0YwPLQpmW3uQ3Tvy/URWFFO8lV9wJDvayYV3b3pxgAwUwAZF +iFGBFrh8NPGBI0ThCW14QwWkMAYjZmCEDBDBCS+wAhci0IMk9PhADE49mljxUMDKEBMArSACXq04 +PyYmPYpdu5T3opsPgVL5jzK91DjhUIKlhAeA2IEUFJCELdAIQQ9+oOAHTfwACjpIsIMWB6igRAkN +9OiAC5iowRBwdGAGIRhJrKiYMBaBJ62abX26JReOIEq+nj8FDx5W8IMEGGELOkjgAw9AgQsloIIX +ErCDJagwIQKZAnRgATYYwgFoQITWDgugU3SobigB43EAPCWH6pOgs+h8/S9UV3uORAwVNGJgUFpi +/FUMCAVAIAM28MEOFzABDCQWgKOJCrxgogI8yw2+ZKaPxdQnFFAGeTHoxFMmXSplENeZHRSbMMtq +81RB0utAls5TXtxwgUQTBPjACFRwBCO4YAlQgNEEB1oygPhRXIBQWPgkNCzJZGXFoKcXfgVHHkIj 
+k0RsH7XXfzymssn+odRLRg8ySUwAiRXoYAhlWIMChHCFHy4wgg8tIIIGlIAFImBABJYmQCByRAVQ +CIABmQSEoJSjiZnlx0uCw+xNRPRGy7Zm45uFy+77vDHlVSMaSOTowAs0kAQqLEAHT2g5AAhQkpCA +ShEPCOmxROzGECYXP0wvfKBmAKHH7GCyaEJSCypiMeeTR8ZbR4ZdGKvv54MymaGhgwEZUEIFOchA +ErBQBA2cYMLEB1g0wAM/cGAFOiQQgpIfS7xuFPHSYYB8JUfph3isZ1RzcWTVjxw5WQeygU2WxJM+ ++4hkcoFKMBbm5xtUapncPYp19fE70c8MM65DwfFQcFatIzecVOtekAw72zimL617PqYWy8TGDR98 +WMIBOAwwAZoglnDR4YOLHo4YiZFRGoEZnajgWy1xz9JDIrWuOtP7HFm/nX8XfkWyHVG2XGt5T71M +VFzkkFGACpRgCEo4QRGiMOMBJpARARK8HGEBFA0lPDE8+pEYfYWSr1JikEt98xWN6zU2zTaPuuxH +quF5kmzvKblUZF74gASNAkSABwQ8EEMJB6gQwgAjFRk2aUQUa1GJ0QMVQyPVVbOfynURitT6+Ce4 +teHWNs02f9+Yx/OJ409dsyTZounIZIJp0cLv/RKTEx0+fDitRuy4PkXzHNPRVD0k1QkV6/sSisIb +FByyk5VcdyTH4c4TN50x21AwTNHTZAT2gAcsIEZFCxcKioklQtP+GJokONJw7f+n+AaNYCohERae +RcJ/ULxb+yX6OVGQ68b0/f4kVIoXRoAABCEwAhEk0AMl/NgADFogsQAWRyxgxDKjTqGc/MlmpYRQ +VugrlXP+oPLfzj4t65+7d8t0zDZQ20YrlwoiChADxBI1CrCAF0YsgC+huVOw2R+9ss33/qzz8N77 +rVjIZMWJm8A1Z+WPDPOnmIKap6HgzKnqufWPR/SrRHrWyEgLGTI7IAFj8cN3mdym1P+KrVxmPCIu +cSl23h9xnb/PVMV0LluU+7oNB/VAEEx/1LflvlZEPzTvlix8sicQCRXP0xtdT2S3j9xwRBQoShQg +bdaZnOzMtpGjdSg22QmQj5PBY4nC+/+16TWO3RpVXfed5/g+w3MlVXve79rH7c+rzu3ImlsYh6Xb +hSAIJxvAiTPj+DSmx1QuT5t1d37kAqMGEAp4QEoNH0huBJFiofFxxfilEXrmQdD8whMEy5hMd9St +SVQGSVo085Oty/UNT5lEWxKdY5okZkYUgnK6NdrO6Trbdk/L957/+gfVurgN355XLsGynrazmfKu +nMc3vbp22sKjyX5gaJ5PeX7a9xQWq3fbzyynPL8I33FURbtvHdG71l9cXkxaIX+to57ogXTQTAut +qz2KHgoUIydrQ3I+VxlVeRgOKZ1CeX4S8mKZVDQrl9rXgqGHfVF13rfxv/s1rt+7nw== + + + 0/nY0VRNU7NOy202u+K5Xvd/CMZCafGiIoeOlxk9+pOr/pRMdv5Ck/vGNbZ70Im+PSaZ0rN+558Y +vmk2/jIt1LZx21xGRpBQggkUGRf+CPWTTv0fymc6Z1+aLFOvU8fwRALF0NCETiEw3b+uDcI/IHqH +w3LsaOBm8xqFRlYuj/6b5mqWph3DpA8opmKJeH9Fz1mGYyUlvYjFzjjrzrErnx0ofyIelunWjRyt +/UQZLFHOFnfijr6nu+/Z9/XAU+tCTsav7mi+PZBOuOnMn/g5VQ/Kwt+Yct7Y2crtq00V5M6rN5JZ +94F0OBQbU+votLVNdR5PtQNPuI7yRSYepLNyHJojeD7F9NuFmw4g2wmQcJPJIGmT6ZlxZEcLO9m4 +cZ+7LnGx9JsPnV7/qIXffwmSX2f7tK4EyzU0efKsP9H9xP6dPW3semIIknkoOGXWiZxNTlkfPnqU 
+QCPyE1OxpNPXTtsabfOXXtN2Hc0Q0Sn2Ialc50nZFX2D2ldX17k8308sM67sZCYhEE0I7H/hOBRB +bSvTSsV+30ZR1PvOT6zd+uOTSqBRfKKp99Xk+VnfOiTdzhM7HfXzUDo/ovEcXe3ylEWSJs09PWVY +JlOeu6SJq26IxnN05c9TL8v8PH8YFs2zbZ4cyKbUMloUc5EcqXHTfLOkiY4iS4axioI8/wvb4Deu +pMm/sMvzuVWXFc+VPGMTFdE53crtueqxHJPmvrKe1kXJdEsKhfKEdvrWY1lnW/cD3w98wbDUtvks +e8howYOOHrt8lzx/CNf/2H5F89twOgPQwTZFGpDgAkDY8OGp+bP7RC2rkuHR6+5qOotj+3kqj7/D +jh1//uNuTMJ1XGXBDWdDgaIDARmzzou2P20ch+V+siGXtsu1zDiyk6lbx3qh+4WgeM5Xl0OxqUv0 +Lk936zwdUKAZN4tkr7I4iZ54PiH9f2pdTaJ8+s6iSYslv7rxN67c53HhH3DoSIVMtxuPaNxnY5s8 +180TQbQPRUfcbCn3qdrHnQB5QTEWSdYD65EcwXFJnusSpVcYLdevC1ETrdWWXmEZdWVTdUGxNlH/ +jWtUHTtbC4p0idZmCoptOTzbb0y7j19bInDggNEic3IguOGoXAeK5VOui943P1NYJMNsYz/x/URZ +DHf0DMHxmc8Pi+EVLYfoOahta5LUUdQ00y4c96Bo/H3xWMIkOp9s2YXj1rHiSJ/rTKLrxtGel4ui +v66eOPbf9wXD/TRLPH7ManUCArluW8TDg942lds1YF5CNy+bqIvfTfx+JM9ZcvybJQ16H6dzcl09 +mmm2jSAg9XjWZgqHYx2KvvuS9v5uXxQWK4UFQ+kevUxdzqPHsS5PVyxZUFy/8E7V1K2T5nseSzgc +123jVRQkzyq+j4VI85l+5nqklGp5kXxiOh7F0D2fPr8Oy6Pdt9sZRltR60SNIzdO5TIYJzASkelO +1z5dTWv7gmLpeexI4qmq2neSUimF5eJheTZLO1XTsNxANqa2ueLIel8rx0tGoJjvv3LcFMcgCMjJ +dbW68jLdz/XqfWvXpRtHcjriZtOdQBGCgPCmWprx1O6r+p8/V1wsz2wrsy1H25QDw85GZpyurn/r +9ur6p+rHfWGxNN05jBSTmkTfT6THFEdfWjThT8RLFNU4EGQjh6O6dWUnc70vP8+P63pWFk9ZUzzF +b2SRTHobpyDJjuettv8re144RNN8+6rf9wp9UFSpmCz1E/WsrV6iNonqZ3oSKqnwvtw6O135lCXB +8EdNVy0zMw3durlE37AsO1t+niK/D2rbPz13kvSk6Y+euSia5BhFBOrPcyfJkJqqWre0rrD3jRvO +BwLymWufxlFwLLXODkXUicbYlUWJlBIC9ak6h2HM43n1Hv1EUbJ84vMqIU9LKRTDQrmwVPjK+q8b ++z0iWLZJcg5Dexx1s7TH8v1CGRzTzVs/EE9bPW11M71JU0/TuRx19bRAE0vsIINHye7xMjW9csyu +R67br21donR55qhKj+fqhSxIxiXqr2uKEUjHSIgLSRSCYdOuG/HDx40VMUQ2f59nr6KnOw4hfXT3 +teF5TVtbvl1zhcm0Ple1+3R13Vd1JMsf9qXFcW9fEb6D6hwExyEfT+zzl2y6d90bTW00pdGVRlN+ +dfNzpUVyh5kVIlq88FgpWfl91NuaHM7K85e4XvML367rq6qoXVUwGzJNNtNKDsd3XRcUq+WL8JeO +1TftwJKTjRsOr7I6ypIdbf3CPG1NuD6K5w/r9mgqet2Q67r0+0WJ6y5N3ER9V/blmybR1wP7VN3R +NCfLD8vKYPh+n46iJrpO4XjPrri6sqTpmqdIqQSS6xYcP7N92j0mGxfNMiq/e9edTRMFJVJJmWBR 
+FLHqipZFLtyz8QuO7xeyHnhyH662rge23IaTY46mffvqKpurbM6+LRjqaAp635ocaVH8WzfE95h4 ++pLbpmg5xuvy9+1lOWJZniRvEKzB0BbJt/Naex+6+fML33CE0XUKRf8QBKFnfppzGNLiCONy0YiQ +6Ci6IgLdMBk58feYUqhFjBUC8tQqSrrrENAnV9dPDIviGNS6+4m2G6dmW5ptsPeloFD9S7ef+Hrg +PZK9mvZruqOkjxQxMa8R04yn6Fy0uiD0VMlxie+XXvmjtn66xiH5hmNotvX1pcfxxKYpRh8W0qe1 +3ymmkBA1aLRIcenfWDW/J/vN8tlpjKxCcqySZ0madWyn40luHuqFcHmGYLgUvy673kvzJkeYl8uG +zMxHvkGwOxPikqFS4mKkVRL6Qa+bn+iurrGQyAPP7ifSYWgEC5QartOLnmfvI0E2bvdVoAFNnGAE +HzDlfQoUqcWqxJLZn/xmbjs3IDY5XuABDKDAARKgwv2V+9ruU9U3qHVDLTvC73UYouz6hxkudLBo +MaOtCH5ZSp8XVUkHCsyHCoyFKsSCFfqwawsVFJTW6691EBzHcjxGBFrx+KRVvUVx1bQPu6bsOi9N +XlVVvI7KbZGfXymFWkojkMqypFA/3LARYmL1LNuCpOUDjBQ5XlZIfH5GRYIphfAQHNHpExEoFNPx +aNKluatqCIZTtU2CZZfjaBEk2ThI94B0HmTbpfwmKYlglLx6vKTIqEym+U0RApMRKYF9Rij8BsHw +J357duXV1RTLora1xbFfXU8bj2SbDkX9RHN1xc2z5MI5SaqbBoNg3747G+Po+nljE46D5Nln15LQ +PzIaify+jxUxQ9h4YeMFheXnJDr2XRcFwT5+S0ik2B/SUfYey1ALp2r8peswKRNNmq4HpmicP9Ob +JHWTnD9uN8faJO3zPAmJPCiKkl8ZlekUy7dIyl1Hf96fpvxptnSdNlE4/FqkQj/IlBxBY4aJHjFw +sISwoEYrXZ9JcdSqpZbtTbL0qqE2bUEwBcXbjdFPhMlzVOMeN55FEe64GvxwUtxPUkX0u6BQuaqm +kPwhZqiooVKiYlUy+fXQy+KoaZ/nqu/3lcVRtATD/fiN1BO0pilaju33yp5fpJjgSAHDn6jM33/I +0USBwhuADt0JFB0KFHZZHmCIIoCwoaPVNrfTCZnlUKre49h2m7plbbeZkEIUQEASE1iCAL2J4hhx +bQCJHw/wQSOFqGfx5DCgHTa7qJrGgQtQsIQQRJxo2wcVMTIpFAqGQygad53J6ZScjQxL5QAiglj5 +9EDIsHjgAEUggEcMHCQwl27bJmmP4wqRVwoyAIEUsRCZ04cDTPCQAQL4gESMFa563s0RH0Ea7C5g +ACIwoAAFiHxGMSrTBYTwsQNLyYyXicWTu5t2k+IRO2p4AAMVOHk8MSKvJHTQEEECjDgADJYdJaoX +rtKKdovQIeMJSRCCAphAAGi+V0gfIWDILMFDhhI2WNAQccWIPC8Z9rDrjho18jpfS9Nf0ZD8Pvk9 +LqGRCd/vJSkTWwFBY0brY3rL1EZTjwurdF3FJPrhxUsElAACBgvLDEx1Y4VLDMmrhUUSGfEtj26S +MrWchNCwnLTEQkg5H6rrkRJK9Zs8tK6vLb+mbgjKJOlx37XrZDH0qCkLt1FGn1i/k2C4N0u301A0 +LOLh8xP1pCmKr79YlVagSq0Z/luWFcWPDNMYcYl49lQ+l4B0FiOrkI9fsusfZluMhJTcmLS2Jtal +Q3DduLGTjVn2hqKr/1e5r3KeC4K5Wabm2AbJa0ZMdYPEVfL7dEm6PHoIaUS6bddet1iRXLBMMCaR +qZb3VnXDzwO7o3vXxVBkv0d8HSXEt5A8Jb/en2Pa2axa5kFRc7MxOZ1241yOWzVNzTqslrncFnve 
+Z1VRMFyCgLCbNovhZ01ZN61iEpGAPKK2zUWRRMdhdu3Ca895puC2BbTzOIGN7PZJaUSybRQ9uxCB +4eb5fmAdijQovt6nm+bJp2fheI4XlBNEQAkeZlZE/n0Et7uK+nBrqufQDKt6Xi5H1R2/KGnFfHxl +y6AVbe20ixIXjhQSIFqkkKGyAtv1HVKw6DAZUcFtKD1v0HO3bQa9FiYiCTDCiH5NdajEJuBDjh1Y +TkJotzWzI3tdglcZKiQfmAAEiOjxg1TTRrRoiQAPNpiw0UKGyKrF9HvUMh9FV99nAAIOENE2iY59 +rIzQcJVEdrskw23HqVrnRwuYEEAgAbE/BHrbFTDVj5kXJGSwOILFCxErWiBARA87YFwOAMQPBDCx +hAwVMkkAoSMCDEACAw9YYgMRMMAEFIDEApL4ocZLi6rnY6h4aeIAB1ARUWGBSC5OSHjEtKCA/BXS +P+NK1aU4MvqsqFAs34Pa8/9dPWyaol+VfqsQcbmsTqDXHfk9MF1/5bmnZUt0fHIiobBUKCiSDxUw +sNAvumeaElcSPnAccWMGjBIRVB2XaJlP05Q88yZKcjoih0N2MjkM7bLMz1QOx7bzUkQiFc8HBcMm +2CXpbxdRT+LvnrdN+brnvn1aZjmNXkylE0+P0uspn34k9I/sucREWn1IHxWlia1CPr0obk3z+6vo +ToYvp6la1nKd23kf1qXBUAa/luPczuPR9BbFHkU96ip7n7nh6CVZgl2V/LJoOdbvofdtta0GQ5ee +g9o2JNOhmDbF8Ehe14CpVD46aX7xk9xP0qXjbNfhpfmqa50s4Q/UzdN10+q2xbxYQMxgYbrneBRP +tezq8xROp+x5VMv868Zmia+oH7d0eqpyWoS3Sf7cxoqIEDQuqNnNTTJVzy1eLBP8xh23j+INfrs4 +5mH4r2oJz+dRJOFvlX9HtSsqRVWMPELEpOxIGXnhcuzjpzw96Z4ZwEMOHCgjsbz+sGiIB08heUZ4 +PWXbNCknv8u2kD5AvKC8gPYQm37c1R7FnBRZSiAcLSqmuW7RcBM0VmBgiB9FqICB4UK5hHiYEwgG +BRqBBRwAAxOgwAA+8DADFGiACDhYAQ5YAAIJGIAIHDMrNFxIZl6pEpHfgAMYoQMazMBFysuMS7WA +HjEa0GPGjCmE0uMtIN+zngsgQBAPWIIAJiYUy4ObkP4ZWMoHzAkRMlbwkGLFpRQyCQ== + + + 9Ur08APG9Qr5PS0PPxPiSgKHjAf8wKMANFYk4EeNGCgiOFbIFMAIIW6wYLFDxuWFyMvlBFLltadl +fZZ1P7DMtLXzZFD8rCw9ku73rRuXatrqtl83zpumPYYjnhzGC0WTIqXwGtXnOR177rmFZYr9H5Rt +o4B8GSIrGiojMzHWSurUyzRNavRyEvkty7fsaJ5bD4Q9z+22ssMBQUBYroO/8DsB8mlbkRznKauj +qst1IchGRLExQTi4WLpcx3IbqF1rchS5b0zfT60bUtXTPHtUleT/qG5dBr/Su7qM/hssJTywiHEx +0tpPkh7L1/vmD7zDUPbAORR79Czx7CUY9lOVFsm18+iR/Fd1T03fZWG8/sOKGBwtKCOg35Tfdru+ +p8mz60yOa7fxZxmy56vcDsEv6HVBroubZn+iIraNPW/NsjoMQauamyYolmcQVLUMN1FS66Zc9zW/ +Lf8eszq5hMRCSqNWn+eAYUnluF2SIFV12fUIf4fgtSdF0/C70ZNFzz0pvuwYJcMi/f6qadKqes7S +R88X9HQyJMHr1hyv6ril9PkBc3IAHm6A4AEGuMASRLQYgcmwTBZIgBEJ+KHHDipgdMikxLhIOWBK +dlixogOGZAgcLwxwhBE0MdiMSZTi36QWxcfPBjs89H61rEEJOCAEGbQABgnJEC1aHsDDDAn4mLED 
+CsxGCQvG9PuniPLJOdAAJmCYhATxQkYCRfCARAwaGTHVCtXoBgmrheSTgHQIGCAJIfDABzJkaG68 +oBDghgsKENEDiBUwJR//d9v2A9nvE8Wy3751aa5cN5em374kOD7JMahdXTo+QwUl5ntKcDvC2ywl +EIyq9IKlZAcaKoq4wWJFCOzV7yyo0YuTkBosJTVSRGZiLXtlUfYZFru7SZpu20XLCu/KJp/QC+hD +ouN/isJdN4JwUo2LQQg+oKIkpf1CEgSkN89/bU0v/JLlD6qmWfZhWxokIzJJvl0HQtEUkAdlFJph +nXqkiAgBwzJi2dM8R6AABIBAEwiAeX6V/Jbs9ohux/KbxLb2B346nGjteszLxatrTZJ1CNbg5zHL +0/u+3HaL3w2ZGAtIwAGgWO7LUvWyMShRj5kVJnzE+MEFzEvXSU0z9bwKy7WzrsdlS7Pst2y/qvx5 +wp4nbjbu96GIRDIsFs2LFXpd+PtUTWu7zjTTN6rGJOni95aTyYcXMxFQ4ggJLGEEjcjrHUc1BPE0 +FfH8sQfuJDnS6y1cKhIt2+SIdjojChQqOQ7x+9915zD0zzOE309xfOLrNKkSHIL4mvpgscKlxXrx +98kHnyFyIsAMmRZUSOX0H6HjhUgI1NJtFS1TDZNXDzEoStCYUULGjArWiX/X/21B7luP4l2OJthV +xa6rllsxG6LHLV02xSyM6RPT5ZObekjQJaMyXCOU3ja5J0lee7ZUIfUrXqcQv1bZb2ynX0i9i5ip +RchJR8zJDxgqYJ/9h4oVIFrA1EBptYCdWDi9p6csiqR5jnGCAvOIcDOFP3AuTVA8r2haJ0U59EpI +fwFy1IA5rUb43AgXMiuIwAKOYJFiATtgjKAJJBwQhA8Ukv9CRYQDEEgAEj567EjBoqOlxAbKiCrH +XbOLwyQGQ6QV0uOjGOZR1eTCeQjan/c5zZjr1GyTu29lVKpJM0QBwodhqmX1soS5bgTZcCdOjBwO +LYYht21yXdcM/3BBscASQggxo4WKVmol5HHd9X6aJZ/PBhhwgAYkUUSJplVAvYvob93zaYZ99MxJ +suW2FjAVDJMSuzTRLFvBr4rRh6XX7xBMORxb/HiQIUMFIxCBrq69SbJIgS5QBI8MEOCHIli4uGid +9pJcvS4JIX5IwBFJgF6YxghrB0psRYpkwuOlVs1HkdWyFiQjCAiCCP1U146bw8/l479wrXqgiPA4 +GfGw7Mrj0cADGpBDhQzPitK0Sj64iJkJYa30u6XbMN3+rOsIsiHJcQoXS0UE6kvSL8k8DO8wtEMx +L82Q/19Jrf7VHcUwqGVVs7vCZb1NTzzugybFL8v6u8J+XWYlQkAPGREY4ocQLmBgUCHPy6qoSjJW +TE52vZpfGLFUDzMsPVZIUkZ/KH7bMMRR9MXvIHbFR7D0tiRWPbGo5xRRMRtyWRj0dJMkrevILceA +9hXeZvnsJH2Oml0XTusququmixZqCBgVHiWwFq3SDJIWDhcSmZAUSgr0AAIAUQQOGiqnEIvps7rn +VB3/rPqCoDyKvKp61LXkdMLNZt020oq2eHAVrJOLkNXKp4fp9Y+ZlggM8QMRLVq4iDwtWCAfLbAf +NCkurtEOLmAgkIQQOWBcJnAEEEjQcOFCxAVyWSBmUipAxI4mfMCoceIKtaqvqq98500TlJ6s2O1H +Uu7AduNMTmfTQQf381I8/dvJzg0H7Wio1r0iaYtjCoZRdp3UrjysSKECDUjAADzsCPH4IPft1VSF +0zCrUg0UWAOA0LEDJuWE2zCtFUvX9fQ01fAodkevu7LnGCKsVm6/npePI0rPl+g36mVfjks7HXfT +WjqugkLZJYkyCtUoee2QgiVGhXrhM8uORS2bm6WMFhYaEZKQmuIwcc2kRLB7BqUn7HEut6kdTguY 
+i4kefsDNEz9LlJ/fQaRFABoXIVxOVqhOvZqO6vkIHzxiYCOmVl0ihgwKIGAACyQRxA8XkxUrkcuo +L8Guum0xWFQUYAQRLCeTX46k0ySZJogk6a6jP+9ltSpCxw7bTNeOu0XwVcckfp5iAqV4oVhGoF1F +dbyYEWJHjtgn9OLzFK3TDMvkUgq9MAmhgSJCA1t53hfW6y0oUsxr1YIixXg8FL8u+MUh+LtsHH4y +2LnyWkVJJOPvInV8glk5BN3Pw03zHs05BFPzG2MS/WBBuVES4prlvSTfMMzPMzXLqDkGsenrhl+I +qH6IMYMAIXwcoSOGETlgwIS0VlQil9Tob9UPi+4mCYOeummv18nfZ3Y6Lcd5SDKFll/2ugWr9AKW +Ys0win4JkIMGAnzsoAISofw4DZFTES1WkJARQ0SMmB8yJyxiqRZ/y0AZYUmRUDhdjyHLRzfp7RB9 +HuHtFA2z8jsmhYLhtcl+i86y9jwShNPpgCLccEhOpy7H1V2jICD7WL5sXYT3RS2sj2Tsvld2vqcq +CCTQgCPwwAYxrtaK2IqIGzKKsPFiCRozPMCMAJGCxAA8WgQRI4WPFjQpCAEIcKhwIbNCFaCGChoi +q1Yde1CTZc/zGKrd9rPsSZ7pELzF8JOiLllmxfAKhmevmzEZ2UENXnCAIpAY2XdMt3egeSFiRgsd +KSMuYipXTtthyJ9mSsrEs2z8ffcomh2OXpagVD25q0dF4Y+L7TYPFRL+LPWzFLFqyWU/bZqq3RgW +qVdTVKzyIGnhIAlxMQJ75XSIPXMzlMGOX9cJHCCJJo4QgoUkQrWqZwxtbmM5IOwGRPa6U02HhEQo +t+HliOLvN1orHK1VEixS1CCB/Sm6myIJJMDEC0bAAZGPCIX043hB2ZGCRYkbMRTAgwYSMGRUuFB4 +erJYMckBAwYJaqXacZYTiIXXnvTMx5D1ujLrkOh3xTT6tCroLP2S9KAmy6ZDeN2zriDIRuTvDSAE +EClGSEw2PZJhUMuC2DUlyyl5zstTJsfUjrcQcdE4CVkBU7kIUf2wgmUlFfLIq+uDs/hbHr+7DPnU +1NFz7biRsyE3m5bz6JCcv/Ddttjb/BYl8eA0JxFM6SNTCpn0PYhVYYysWkwf1z6j8DMPLiNEwHiJ +UcJq9fYHbnH1xFFTFkMSBYr/LFU8PAlun9yWzbJvAAO4xZAIGi9OMGx/Xi6K8Se6nyiLY9nJOB1Q +uHDdpaS6y/TtwNkDY86LO8+jpiJ2JbnrSsd/t7WhMrICxirNcW6KJiCeAD1kKCCIHAsIIocRNljE +WFEhEYVgvFgtnv0/SRv02Kwje50cgvMo9qsrjyWobUMs+6cpT5KektxFERdDGScjEiCAETZiYEQ+ +fAFqrHDBMpHkNkktRXRahMf3UVTJcASWSAJGykrJvofQtNxs4g+Uv5AGwVbTVjGcw4SkZd81Seqn +qZpjE4+uMupVTB+Yr9di2MQPPEYggQigjE5/esoIUcmIpVSkQCo/36upK4KixrFLstWyN+vwoggy +URGKnvT+yHXNDqc2SRmVSQZVYtnzX4q+OYbY1EfNVMy6gKFkViZV/VLgiB0K4AMHTUgrtdewnycR +eVA6naslD5qXHS1auLBYKiTQK69JrgpST/8k224jOyAkIZ8IGTDwkkzx9RoisZTP/5+lTYprx3k6 +nLCRIjKCDWggpRXSuukWEagHmpkeLy0toD/1uj6K5mb5gwwXSPjYoVTXrBuOIVK60RJjOYFGPHnM +6bOjo+h+f8ghI4ZqxaQZhyL8gfUX6mLZcuB2AoWNki9YVFa9hxTHJ9gdsarpZUvw+tLnHzErppr2 +3fSHFitL6JBxhA4ZPVKssJxAp3rmWfV3W11NY/9nRdMjOk5a1dr76E80QTZqlu2ui5Oki8dzal1U 
+41xw1M81N1W3C/tzvUmU7UAX76dQpUZ6/7OqnhQdras+kvRI4iYaat29NHn2lUFRIYAOGkvkoJFE +jRdI1GDxA4uXEpEHhd+o2uZRVUfRT+veI+luHU6Wvqq6H/iCod+67wfWI+mn6ouuVX5fJlVK+XhG +7epZUxjIs0Ikxp/lr5olHh1GDMUDTAnJbr+cxn4eCr9fur52MrjzdjOdP3IXSX4ccRCkP0/uvBRd +u3b9w6p3KabueUZLyguUklL8zrBUMlJUSHX92u8cJyEpTCGYLf+oeY8iy3Fl1mE7ruU0VgybWPb+ +vvv79FDEQfAGwZVNxxCBrfC7V1GT/D6x65VeRwl5Wva8ouM+LUv+HAcsEMGNmJcV08eHipUD8LCj +CBg0P15MapC0WEh/i8ddoJj84AKGSZ5R8lvC4x6UpEHP5IDQ3zZi0x81Q+z65Lry19mh16/ofpb6 +GMb0OnYKjXabJuY68T2tmobtOYqGVT49iqeP4TWMmCql9AnJbYqRlYsVEZXUaCTkn+44Vbs9WrZ6 +nAA9+GiBnXxeOS9N2PNWbRM5HW7D6Zw44eprEzSAASz9j8PwHkEY/ar8uwvps2OFZAZJTEXLMFRM +SnCBCcyAmWlRmWhYpJaSH8LXJvr1tOsbghQ4wBIlHxBoZXfypD1RL9G488jNRtPhRKptpjfOSZNv +25Kt32Vak6frhWrWmR1t9b6Q36Oj5SR1423X2aMYq+eRun7N9ch93c57Ow+llPKBDWSww4oVIdRc +wWzMqD/AjxpH9KjxYsXE48ouKIaIRqzes3beqnW1SPap2qNrPZIp16meB+N6raRa/8qW4Pa146D3 +Tdm1i9dbPk+S5RM912hhkZGCImpVVv226he0orEY3igqj+S42cQoMZlhwT5pq4Oj/YG7KN4gWIPh +i+9F9ezDLMurBcNq2WBR8UGFTIhuf9ASNcOg2CXVcIhnR82xn555OaJcVmSaOgiWnA== + + + DctxpzfOxzLuPM95wmg6RddLars3S5scVa+zy3HkxlGvW3pdf1VL8AvTcREP3zLyleiBh4qRGA2U +FweW8CEBO2oQQeOywwTmomU6CfUq3X6RcjJEjRunmW759DGhHx/DltPUbGN/m/1tvDmCVnUGPb4c +SW7aRMdR7EpCTU9qxqgo2msicNgo+YhK/L2HSwoQKVqYkEFzQ+Q1MwqtMIlQchsS6huwRBEISIIA +Li3WDBYTFiWwEtCumuNfTUv1PKppFZ63nZdqWut96QeC2vZxOn569kCj4uPGdTmWYpbF11X+nWX0 +v6RGr9xGzbARO2gUQQc3aKGSIgYJzIeKCA0KxALqQ3b6NMN3OZpsfPVAklAIxvXqWdg03/dIoprm +gWw0HU5oJ1BwJ1CA4NhnX7OjpRuneqCOrr7K1mM5h+NtnmWmnZk2et3YPftmKXcf3Hk0CNYgWHLd +H1jIlOT4JPSJIfKSOYF80Lz0cJFiZZXq1RYGQ1Acz+YJdjKbNOuRlENR1Tg6FN3vcz/QVNN+G6cb +B4Ld1r7rpwpyXZDLkt6WP02RfgfiBQsYVqsWx9CqvuxZ5d9D64pqW4cCJAQBCQKGCxosLyf51scT +3jyPefrnOX+fHIppt/FuqoAgdlgZoWwxLOHrHSasHzAlSuRwAUSLFhSSxxO3IyTRDhYqXB4PaVVZ +sGuy66rafr8Q1bYQZJOXJShVe9PUx7H+PnbT4M+ryZHktp50VT0wVNcmJlOs72dcLBsqJiYePl/P +FW8PEYPmCBktVnSsEtpTuEhL+LBDBBiYABE6cJyURvZ5/m+bIlUyvXAdgnUIplz1BI9fMbtqnBAE +RbhBEVJTlDz3kCLudR/UjOk2yb+3gKFihMRGctwy6o2QMflB4noJeV72TGpXk8uKWhVF5GfgAEg0 
+wAgjaqSQQIAIHkvwkCHDKo1gdx5JU9P81IQRe51mGabrJTjm0TXdOnHDib8PP1E4DFU7rnIylWQ4 +BhXyIYPSQwuYGiomLGCuHljEEKGDRqrXV7hQLVYm1fyCWjXkpqbYxcmxT9G7NG1yVLuO7GQ0KdJj +yHZcum1pptFgqI+jXo7dCR1cMGTxnnUe23Dt8l7r+c2nUIHnNI1u23vM9zQf8zQ2HuP7riK++d20 +MjGRySFj4iEzItOiRoyRChYyMlYkbq9GKmhozLiYYTKTbd7T3DM4LVPjKvI4t2s+vml2PKZlVsjE +K2p7Rd33NCwZQwamShmATA4ZE82MU5oKgIQVIaYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiam +JqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYm +piamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiam +JqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYmpiamJqYm +piamJqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqamJqam +pqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqam +pqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqam +pqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqampqam +pqampqampqampqampqampqampqampqampqamBt86K3uNA5YyQAuYmZHH9jiQiqaAelKb8qNXd9uJ +AoXa4ZhcdKSi8baJOpzwSdEHFJEZKZNqTUdl2GYbl8tadEyy4zDctsGvJ8eRm1bZbZEZlrdOCaLD +y2kgV+0Bo/LC8xIE5O00mOzqUJlWePKTuEWlZQiCAh7HEdEINdv6OJ7SFOa2Kny9A4rL1bIrh+N2 +XCzHazFUt2wGPdgcv2SZJ8eU0zk5nfgLYRBsOW7uOjbLWA4H/7wWj75i5JvccslNe7Q8wW+JZfNx +fLnt3bI7/PaSRL3vLoLvlsFc9klR0FmKTtInQb4Me5QEregpdnsS5MNONIIvnp3F30fp6SnFGuzu +UYzVtYld5S6Du4w3xdgMx3j2FlBPctNd9Gy4TgZoAYOC038p6iP4chq72ciaFjrRlrPRQa7khnmI +pIhYGUkR4lmwmoOeytngIYiLYNrZyB/HitkZEM+i3/o4oh3OmXFo0PtRFOY0GtRCKhnj4ytGnpS7 +zh33Zh2TGX7h8VVkOTSG97bRwW1lyzAcN71wPpIxt/XlyNLjPFYmG6UQaj11Mmw5TcSmL9ktnWSI +DPmRA7GlSDU/p+iDxQSm5zK4rWgWxuoU8sKgcLy5Te62FvRAcPu6a88otlhUlZqlc/SUIC96/Ojp +Y8eKWRf9psAOGDFEPkw1R6Vod9vcbSJ3je33TooiFX3V8w4rIUi8xEJmOZ7QQQuAAOSui/n8qJZt +OR0446ze9IfJKgI4WKTcVd6y2uNec9yPotvZsJ2NPoIvIU8SLGB2oIiQ8LgtircYnvw9ixJIhZr3 +xsm7zmf0dBIsuWvK77PmOaSmU6x6d9ubgfiiZ3MZywG5w3Dl48nF0A4/Vfy6ZPgGP5SzWTscGvRE +Klpi1xn8TM6mBj+RmrpkF4dq5OKzm9AuT354+JVYNfY87sSJdctCbHmlz1d4neS2/ZLky1Hl91ex 
+XH+fu2Wwt5189B4xKS9IXrH9fj1NFj1Sq5bWlO40ONvYnqaK29PLxnR9BMt2OZbm2HXTK77Ost8j +eE2HnbtxSmkJ49FN64mHno+Wv1neHWd7nYcc22xjck8TnS6xJ096fAnuI8iLYT+SMselnE25QeFJ +z1XcjtgyLn4rp+UkSGpRUGrao/iGHo6KITo9wySi8eyn9aQ9Tu62jznuoQdzGi6CLZmFEfE9pIio +6HhITT2qipPjiE1jcasyvyUw+yHD/yz3ssxHUB+/mdP8EYQJ6T9UYi1Oo9W7ml51P0XQaqL498hN +e8Qw57i4s7m7bbSqJJcFqekdgin4vVJRlGr6JJiHXE528Zf9KHnS+7Xn8SU5YlcV/KZYVua4k7Ox +Q9BPz9Zdl9jVB73d69xOFmvaKEX7koQ3bvY8HBTzMPyUYkntltRwDn4kNWXB78ck0c6m1TRRmr7o ++OSmVe7ql6JPfiQ2PcVub5InCAi6AVG164vSp0WJT4H6jFBS3rK520rs6nLbCILi/r5YDLvWlKWm +nlH0S/Fjlqm2FaXqu2m/aYpStOSue4i4RuSXxaIsd8VJ0YXfn1Vdtyzmsj3sVC4Ki9mTevKiKHde +7HUjvt5iVXrJbv5xPOh5xvDEnixUI5Yc7+XpYduXjuM4ifFoMSHxb70McRL8rKdKduPP+5xmyT3H ++LkPkRbrXT1pGZLh0U2XZPguyVoEbxFcwW3KbsfqN5SW+Qjm4pd611Yd118XbxkOeqLU7MkwttMy +TF6f+PXZ06TvebKUO67uOpnb4E2TvW4Ew67HwV/nWVf9NEvq2GW/R2gJYs+RDbesSCpWpxr08PBD +vazKz49WNBdB2eNkr/vR0+SyK9k1ueeY3KZcleSuukn2Jml/HS96J7VUueMZJ9IJfu9jyGod+/NK +Kwoj5SlC5UUj6k3tqZugBx1Jq/lJy3Xr2B+3f11IFFvo6WLXHz3vs7xLcqSuu/jpoidz2S52KRf1 +lOEdemunQ4MhzYsV0u+7aYJQtLSuITreQiWSEfUwGg6paT6WuWjq4jg6yxE62l73alkegjxJutrm +atkrhkXkuYSeMPiNxW8OgnYYpl7XJMfljjNBQOzvQ7nryi2/fHQYTs8hyA1gAKuZjimRXHYdgx0+ +giX6HVMKpXh0nhRZLaM/kLS+dyi2HQ7c4fhhWGLPGA2P3HVvnnHXhdR1rKb7ccS9Tv+8kEmW3HPJ +nov4vF2SZpbhotiTYmlNVWyKfxzudfjnseJ25oUSwWx/jq85NsHtVKuK0PHEliN6TcLnLbvOS5Lt +tHv0RGs5ktMtfz8yvyf19KhoS5ZLq7qH3sgUY0R8DzEnPsSkyKRCJD0egt2/XUHs2pJfEdlFqWYI +JWP2rHLXlav+J3mDX6plQ+bY5J5BaJmT4ehl9/SsQ1Any1TT0CyDzbKKfqPkteckYa+jQ/Bf1xAs +sx2ndjjxlpHg8RIvWHaohMygQqrZpcfvZ1XS65pgF4SaL/llxa7HLHdSzMXQg56ot23x5Cz+jeLj +JHfNSRH2OHfreMbwhJYu2DWpqIcM7c/LRfD+ul70UuyZetMSno4R9So5HUpJOuxUjdOT4u1xucfZ +WwaL2xhSKCUUIvF93zRdTps/ri/FklsOgVvPCMqdlnJZEh6HEVOpaNk/T9X7yoA8PrCQ6IidQmb2 +g5KfNf3Z9g5Lc7N5syz3OpKKhsrwU4Y2+JUbkNnrRmo6BsM3x3lC0NWuMBkmsWmROTat6aplZqdj +g58INUvmiIdcb5L4OI4oTpTw+4vfYTFUvS4VwypQpZfR76LffQR1MQylaGh1vRMozA3I/XkpdmXJ +b6lV//TMyXH2PF4cZ89LOxx5204rm2pZmAyL1DLsnlO2zKfp/H2rlrVato9hDXqks1ylZ4kNh3jy 
+H2ZDL3tqWY9Z7qOIgx7KLiMxkyKDVXrNsE6Oa8fdpehJTVK7ntp1VIosFl1hCqn4/Y+aeOjB4lbH +yMrGyEoFCvSy3xiU6MXrpjn+V/UexxBahszvi9RoxqrUettPGfLjJ2JVlxyLznKUmiaXfdlyimdf +wW7MbXDHyWFok2VrllmwG5tf2OyiWjUlx1VvTItiqmmrpt2gNxPih2gRcfnkKThFwSiJj4vediZF +X01f9BwD8pjYdC+CLfpF8XlXXX/UNJSaJNU0tWloRevwk8HO5bS44+Ju48/S1LImswwyS/vrXq0T +b9nnLFVwi8LfKrtdMr8ktfScYl+Gegi6WcfNOLa3zUiFgFAJ0SHiggmFPOfZbtnLZTfYidASlZql +k/yUIg8Yq8UpFKPfviQ/aSpy17wY5iLoIUPTWrKkQjxmVlZAHtvzRhQoYO77T3XtNlTrtJtmi2HI +Pc+AfJiPB4SeKmfTit0VXx+hZR9+dbfloCdSUZPLfs4TB0E36/hm+aNmHoYoCApXy9yOe72OHsU6 +/NYtUzNOPnozqBALfudNWzudEQSEN0v/NNlMOzkdt+N0k0zNsP59sbahnQ6adeBti7uO1bLPOcpw +oWa8UDFYJhc9x2IYj6JNjiO3vUcx5jQQKb7cdAYFajHiiu25f54tx5HeOLSuqPWEwexPgv4Isl62 +L8e9JNmOKzscXQRL6lgFiIfx85GK6mN4g10rdlHzS4/eTX6quQVChkWHiQhrjvmzrA== + + + SbJ11y4gT2uOPeaohx4JJVmYPjElEX+WrNYZve/I3rPeVoSS/giGzK/Mx6cZhUKrWmYct9tAaNmy +3y21bBK/JNMEoeZ/mjcIyl1Xg90HHUWrCbNfGVAOQxVKza6HRT+s6p9mToo9KY5Qs4dJiokVLC9Q +ps9p1qC3j+F/kiAV/dMTF0G9HOdyjEMQL0nPeaZY1S9H2uNoj9PHsC/Fngz3EQShJOtdYXJbUr8t +d8W/z9U6r9a5Pe6kliZ6LBPiXf5+Jcc26MFcBnNZ7W0mNTWl50+CLtfxKHuaZ5H8VtHvkorCm+Yx +yZL8dsmvanZB6wlrHFfL/LMsve9enqamtfbcpecm2C2ZpNzZrB2QWwRFrQqzZdb84qFHMs8lNN3F +8AbB2utuEIS57uRwZo5bs4zVsh89U+3agl3Tqv4pqpOiuQE5OSAz6K1a9m5ZvHV88Uu5bSqGb1H8 +ToDMH+hJ1dfz0KwDa9seiiEVddnxiW7noziH38nHT80yf44etfy8LKqOTfjbhcdViP5R7OYnmbLn +Utx6TrLEpiU25Uty5Tr4A1NtE0FAbjEMqWkILUPkFmSO8+fBn5ebpOc03W0zOxzPSdZYlWqsSCJ2 +7JsjHXq9evorao8gb4oglFS9qguWCIbrJJLPKPldO64ewRXchtBwS2ZLb/phUdwk+1TVy9PkdNiN +C6VpjBLIxddbMFtaUd0c99P0U/XUtLOzyUPQFcMhMlw6TV4Ec1KsRbAew1kM77LEx9GDlixWoxap +0Wk9/9TczZH0sj+K9uRISk3Wy65YVaWmo9O0Q08Gu9Ca4qFXalWaFAqG5/15+maJkyGITUer6pfk +j5p5+PGk+J8kT4Z/Wtphp49gaEVLbPqTIu5tNJfVHidi0ZXsuub4VdP7KPaluIJdEXqKUrQvyVv0 +hqARwwFH/NCAH3DwQHG17LCHBOuOI9FzHSglugh+zpKkoiG3vcJEKtFx0+vaYGiCbPayxMexPHHC +5jiUHYfhMvEwYSGhQoWm9IvWc806ofKsPVDcbD6Qzdt1dxj6ZYlS05K6nrvuP8+WnzetqD6CuAjq +pSh3G7xla8ZBOx0QBYpcDEPpKUJNnhxp8Hu3rdU01iyb4LflODkEQ6o6QlFSeqreVQSf+3Jc0bON 
+khHUHKuEfCFWtPh4MZExgVYwS0LLlMvmaEmSYRQSSFfRWwRPen2mFErBL+x9qLalG+d6XgmGaVAc +QU7UXtai3RCLnt51xejTkuPW8+AwXMlwLH5VrapiURSbrnh0mJFnRcP2+PloGZLXJPw9otMpVw2l +5chVbTIUue1NirHH+Wip4t8xIB5Wyx4Uhb3v/UAQC/8qC29bHX4ld3WxMsVqeQ7B9fu+LHNDENS6 +pReuRXEnR5R+dxH9rfntT9Ljtr4L6ynboygqblFu2sLfOkxgsb0mye5tmvU47ijap6k+jjv4fUrS +Rb8uoz/EpjoZ8qV4gtlRy3pQM0bLKJfFSfEGPXnLcI87oWUUOlataP5xJVdFwe6IXU+xe3rbXgT5 +sBuZ45brekzyR819FPEw9EvSBbsvvY5a0Z8U/3LER5AECUiix8uKCI9/0HEHtbrT9jCE1bSMGAze +NBTsrlCVZkqj0qrGHNdmmcxxK6dDeyDtgSgKFDQjEAeC2FEAGDIyIT5G5Kfg9RY/cgOCf+GaaWan +E2pbmAyTzvKEorB2fcHvu225OJpcN806breB2vSEv1lsWkrLffzSLDs72SdN85FUswzmMr0cPSaJ +YtWXPeOjCHcdK7dB6+pmnXjLbrC7Q28nw1gttziRQisasttApECZQfI6+Xv56+Bu+7DpXY6qOVb5 +/ZsUPWhZI6Q1I8YKqeiaZSyn4aN4etuTXa/B0NNBhxrkXrf8UU1PKYrIL+tl8xC0we+jojgI7iHI +atURGl7585mRJ1bHOgny5wjD69Lb9uWYetvTy4rotmhNRW5biyAugqH19JRi6BxHqnmC3V9VTXAM +w/MP27Ybd5Pkr6aqOf5PMz9Nvm311t3VNeTGfbrWZfmr64qeQys6Ws2Yka+ipUIZiT6tC2JXHjVD +K5pi9LNYmUR42zS7O4raJFmfZ/p5bNflouiXo2t+XUD9n5q8KeKi15fiZ009KpqKX9Ga9ieJi+D9 +dTSnhcjRA3q/CIrM0cWzszCNYPQ8ctcePfdRJKVnCm6v3PaDliw6NrXsLYb01+Vih2JPFYuqWPQF +s30pqtxWzrJ2s8nBsNS2rJpexbFfkvG2iSdO6CWpouW420YdBpCH4sl9Q+b5H8u68+rOg7dNhSmU +4us8Gdqf16eqJ01N7wtC0V4c2U5n5riV3Q6RYssBcbUs5rq442Kv00lTL1Nxw2HZtA6TWApRz4fd +7W032MWel5Pli5dIaIXVTkfGo7fkNEo1d7Crwc/dNHjTTD69v654GJLsuaueQWmZclMWrJZW00dL +Gi0qTfSwgyrfb3IsuWsLqLcBS618cpgMt1zW7TIa9PpylMGv5TSVy670uUpev/D3CA3THYd2NqFW +Ffn9GPzWrENz26cke9DjP28vSfn7QChqWtN8BNONg48gSD1LbsrS4y2e3YOWMuiRfD4hV/akaWlN +TfZ8pJZfetyFCZSDHg16o5YN0fURu5raltSyv4r2Zxla11sUX47bzTJk109+z2me/1TVy7I/T5Uc +m95XBsF200pu2vLxR3h8Rcce1DS1aslur/x7yWVFrPqyZxN/V8FvyW139HTBryZJ3zzjjmO1zj16 +Jrg1vSyJTVHv+qtnfpr2Wc5jCFLPD2rmIbhmHJMDMnucaE1NLYtq1RQ/36IEKvHwu6q23+d+njyC +PHquavnEw6fcd/48Vuuw20YnPY8p6uLXkyGKVUXgds4yvyxVwGAhP+gWRfz7PGVZctmRmr7bxm7b +2eHwptmi65X77iD4Zpq64cCZdovhPo4lihPjCR1G65qy8R5daQ98s06bZSxn4zlLmlYL3Wxy8FPB +rsl9SypKSktY09CONnY6sefBXZdqWctpo3UNuXOSWzepKm+eq6bpZHlyX3WzIUFQtNqGi6WqbV0v 
+W6Lb8xjGnxdSUVz8Zk/zSxDlpiPUTLVpDzMuSeSg8a8qC8hXUQKh2DTeshjsQKhZWlH/JD+nSXse +q2WtOUbR81KK1twWa52eFEkqSlJR1Mvyaup+np6i8zimmjaDnkg9PenZn2WKz6tmed20uxxRMxzj +8RYtv2A1FrO/SZZi9wUKio6yNRim7LoKr6dYtGSKMHgNnaTHJEPwPPTCPhmu6HcKj7Ne9uWyLTk+ +UtM1+J1kug7Jk9OpxY8VtyO0PELLMDye4vf788TJEcSq/XmC2HQFszL9zeKztwjxNFalT2reIvin +52dFSe4as2cWzJ5UlLSudQjGXkeH36dVfzZd2bHLCTSzKsmYQDHc9qipTor+Sf5rqp/nLIY0KfKo +uZulPY67SZLg9Mrfw/YcxK6oOVbdtSh+fTX1qCqPovPnyZ7no+lelj5q3uQIh2BekqMVhUFATBQo +Sv7fAgU4YgQUcjudDzmi2PVTknCH03Y6M/j16UnDUpVat+10cjHUyxIXR9n76g+8vY/uOl0EVa/L +p+uHAqTcbHZRFK2qKEVB6AlK1bSTkex5C8ivx/FDgcLNsvvzRm4alJ7z962apnKdiopFAiqR6FwG +xVfbWG2Dve8exbf72O7r1/bkIxqt8Mxxtbel9HkIXotYNYSeL6exGsfUpi0evuSmU65aWk/POc4f +96unR0Xl70s7HVsMT/Y7Zb9X7+qKXU9JuppGg18dhq2m9WJ4Yss9TERc/l7Vqr85ttzGetwqx0Pv +rJ9lS+j3oSUFBuRZQfpRdrw3S7jjTvD7p+c9gjLIjdZSxH5T+rskn2E6jp8pXpok14W/Ds1A0g4K +ffRE6BcWsyM13JNiyBRhMyxKz/zr8G4jneWqZWvQK8UwqnHjhkNyV5K7/pDjzG335/Wk6DlLVeyi +XHYXQxE7ZunrGdDuitlRSppadC/BEt0m4XfXXaeEfJReb8HtCB09pcifJW+SIDYtyS9eijAhfoiY +kx1aRlQ8umuGQygaOk2SfF7RcUmG/3b9vKyKjltzXGLZt+Pkr8PRkmTLKFqG5TbKxyfZc1ZN7ydq +k+Qchvh58qr6YVsTT3+S479ldbOUP88PQdbboug3id/HnheC5yb3hTWtPKFDvWUoOS1D+lP6WqXP +ZW4rQU6MXhcEy2z3rRvHahoqNWOz+5Ld06rGH8h2Xo+mI5bdxXHuOpnjcjGUPc8Ux7A9X7+vBUOd +LEGnWULDvPjRXid7nWimN/AACLC4RuKTNbdON1HdRHXzvMVw/kC7NE1EJBklKTDnoR3OPYYvJFCN +lckEr00r6nabPYIquP2cpdxxPCm24rc1w5/01E0SDsW180Rw7EnT/ixxEbS7bUW3XXC7j2H8dSzX +pVkmQs+Tmw7J71wMYy7TQ++TmqaXXRGBeDR13XMMCdTCpVLNcStuYXUcWtEfLU0uK3/e2dnMIAcz +6k3yOUa7MJkFsWldlqLXFeH3c8vksPPN8dSmKXrtitlUi9rf9p/kiF3vzzuxaKyWRebY5LZ3UsRL +se06tut8Fe3Ncua0PPxEakpKUdbLntwzbIZnbyO16AlW+TK0wy6kkqt4fdHtDRiq5fOz6rnEw4PU +VPa2O9xgN7wy+lHwy6JjlA/Pn2Vrfl8+fEhO+2rJm6LHLF1vq5LPJ/ic0ueuWga5acuOTy8LQk8b +/HqTHMUtCahv4fWnXV95/UIClfA8f571KOoqCqJl012vcpyF16F27dNTL8m9JFd+XdWqb5aBJ3Qw +QTY6UFBQdD1uNrMHwvh8Sy6v2BP/tlfrjDoMoM06LGKtlw9qvxCm4zZGUjhSnpK63cEOBUGhZh2f +ZV1SqNELkyhQuFr2n2aJfofctkhNebNct61PV/xUV65jORvTesbqOIVJtDIKtZRMIjimzzNU16OZ 
+xs3UHsnfLFtAPY1JxPL5lN747HRMdDwC8vwsq4MdyBRLbOqfZm+SKxnmS5I3TZPbumCY9cL6GPao +aZslLIYjWZ7HceU43SxRLyujBGLZ7ZJq+uW4Zlm7bS7bPsVvmnVs8Eu16ouSpwXJb+lvlo+vn+iL +6gSjOq32nP061uwSMcOyRAuYFiNPzJbxkrTJUYTfPy4Le9y7dVrwWoQLGBkjLxaPLpLfrMeBWlYV +wyeXvcPPN8eTq5paNRXD/4mCTPIHmBMYEug/S74ccdE7qaXJPa9iuCbHluNU7nrDdZrBSqnaVoSW +u/jtJMibIgnoh3G59tNsxe2OEZYMFSnloiz/3aLfv1VFMiyH4etxrNldQA0WRKRwgeW2JzVLruqr +6N+mKlvm11QewRN/vxF74WCpVvS4yx3TfPYRnOZVEyS3/Jr2Zvny6zZgpx1QYkTAoLhgnUgxXIpf +lz2PVrXkriojX0bJy8VIq0VIC+Y0GsVvyGV3k8xHMJSa77bhJYmTY0hVSahqogD5UA== + + + oEC3DQUkQrFwm2kx1+Hi+KMnyV6vUH1cfvzUuvnntVx2lJr1t+HhN1LTVOzCWJVYqEgnP7+bJZtl +vUmSWPU3SZTDMUFA5I7bR3HGdGLdOppt9PfBgPoRSoJM0cSib7bhx4+kx2+4qJhqnFddHlVfcjyC +z6f13MWP1Ta+WrKUQCF87nKcb5Ikur3y4Vc8O+ttT63amyONE5IfWtCEWDbmNpFa9mHFhEcKiYuO +8VGEO84mxxStlSvXWS1TORu541IwW0pP+/NuMWS5jYXfLSWTyL57TtI/wxcu07hUK0ZeNkxcM6kS +aEVDrwtTCp1eFnSOIDMUsaeJflOwTj/MyLCfF4deiUVV8HkGy6SC9IvYMQpmczJMya9ekp81del6 +jN9TcxyS3ya3xUHw9jrYHOMmCXI2KLeJ2vWkjluMPDMhv+Sy9yii3BVlv0duG4NeDX7+WZLkdIyI +L/n5Fs/rqdma3xKbeszR5KIlvKxD5bUCpjLNs02SnjUN2e0Qvd5XFP04eARjTKEeKCMkeW2C2b5d +77NkGYFcsFwkOG9z2T9qIvTaIvJb+53S8bos7fD7wQRmQzVa2emTHB65YxUtr+x69LI06LX8OhIx +Jw6oweIAM1isOI1IcLoEu7EYrttWbk7kIteTpEh++2Zpg1+bae7Ggc6TF0fQeeKgiIviCL/TqFAo +2PVN0S9Du+NgLetH0fa68MQAfFJk+XhSQH8IdkfuWmLTngzx8NPJ0DfLueNAp+m6b70sQSmqclnX +PP8oCnMcX5K6GKYdzh2CKfjtyzK0oiT87WIi+a7reWNP+6ratm5aToY+WpZa9ESfYbBMKNn9V3TF +i2V637jj5q8rsWmIHZPktIwYa4VKpZMkKD1Tdhy1pi3Y3cXwBr+Tu7ZoeMYIDNb3aud5UvbkwiH5 +HUrPGvTq8LNJESZ12oFGJub54GQZY/r8MKOihI0XQrCQqeFCiczwPoIwLFRLasWj54qOb5C0eqC8 +imDhwkMlZrLTNwm+djsF61Sq690sT3a6xqtkI6YKsWeW/O7lKHpZmFZKFMOiVkX59xXQXmJXfxxb +MmyXJNpxHxhW2Tgdij4pmtzzitKvotspO+7y8f301M+SBL+fle1HcSakF8Ei5gcVMiwm0Ep2c9P0 +2zWEx034GsUzr4TwFCjRSynkwukWTv9vS6dqvbK826bkd8SOU/yaJbTHdlsku7/b5isrn2vqdTFc +9iEFdoAaKlq0VH+7xmJ4jyGKVXGQ28uvRZT7kBJyIwSm8vusGZ7D7vSuKDrtitdX/bpiluWqJVa1 +SVLlOLPTCbGpHor0B4ogIKumzV8IQtWSus5d12YZCoIClKY3Vk5WUCZUy+KOu8FwF0d422wQbLPs 
+G4AA8PBTEYFYPE9uXOt5oPRUwSzrZUnrGUJNWNNW8PvC71XTXC3rSdFzmqjXfdGyCa/r4ziHoAvX +S7PNdp38daZ3XQn9LB0fAX1MM31mGsh9/zTFRxEXPx7sVK4KUs+WLdMwiX1Y9f060svCYJlYoEAt +Hlz1rh6znD3PVdMsoF8PP9ccj9w263VZfp6knqPU3M3SBcFWfZNW1t20G/RKLGrC4y2kzwxqJFMK +kV435LY0TkhkVKhXbrNmFyWfW3icBJ9hiKxCfD/ksipaKRwqI7A7jtUtCi+76pb0ojtWQoRoIWO6 +7w+rqjB9ZrBKKPs9Us/eHD0ouTLyrIitUDTcAupthKxC8BgXv5nTQqmJomMUHYfoeAvHY3H8pCfM +x6fBOpXU8Igth9w0qVVH9Fqk5+2xrD0viJSYBHjUiIAPHDZEWi4azk/TVM8u3BatZix3c7C4FuAj +Rg6T2CunVbecym1Tno/u/F5Vt9tKa/mjRWSIFSs3RlYspE/Kpu80TcFRDcXfXV/43DLymPB4CV5H +cAtSUZ4k1w4HHz8Tz+0iJZoZgUTsuSW7P0qWXJUlvzwp/ucYQr8wHp7Epn8UnUUR/j7R27rZhnI0 +lOt6tvXXts20T1nCbBpWz34o5uD3YVX282AxNMlySGVhrvtOnBBRoGg57ga/O/xKtPyh6XptQzP9 +YdmcHGWPSzmbmdt08Du97iiGW277pOnphXNytMWwDsE6/HaTJPn7FbGXPJ5oJzv5dyNatHjgiB47 +UGIuJRCoZc9O5yTPqpaZm83cba63PcnvF5HnBaskst93Ka6kSjNaVO6ypD/Oc4old2XR83+efVn2 +Zmma3xWuFYlt0c3m7TRW3K70+WuGXzJskuOiFIW5jQSnXZA+MiHPCV5ZcZty1frbTC+rhA8dJSNS +r6KmlyXR7RPdhtEvSS6b2lTlw98wCRH5e3sEUawpYxXqgfKyYcLSYdJq+fS2GObmyJ+lDX4h1IQh +hUh0++XXeVCJ0ShxpWRXBbcr2IW7rUdLkR2/QQL7wWIiI/pHbrpHU/s8S7IcclsfLUvr+ZpdE72u +EUvZaJFS/l3+PP8sc6SMlPweVl7DdBqlz0NuesUIhHJb+NNcSLwPGRMYJC0V3cKkQkDAmPGBRUwL +mOrFJDLNcS1+sPrtkRKzUfJ6EfkqID5m06f3NdHzas/3FW1DD0dHlP5+UfK4+HgrfkfreofiR0VL +squbJMpVQ2R2BYdZeNuEt0Xy2mOavlmCUtPksqE19Zwkan5beZ2qZ7nzfBM1wW/rtuMP5MtyxcO3 +fPzQia4czrtt9Pe93LYi1mIpkV6uUzONpK6vWX4R/a/5/ZzjyZZ59x0hkWi4rIBgWBZF/URVtAwj ++kVq+dSuuCjm6Onq+11l2W2zQzD1tisenUVrpAAfMHawlOjkyCICrYhAn9TcQc5zjqI2Lb1rqVU/ +bHpqWut1Jr8nJcdyx+Eh+J+lXo67ScqsVDFKTGAQRMFrS2ZR9FoFr/oY2iIog56Ih18Bc31Ulc06 +KlIlG7DWC1SppI5R65mH36tlpdcV8fu32+aPO7Vpi5+nCHlQbMqToI6WtEmamEQyrxcdgvXnfVRT +huSRAekr/T2Cz/HHrfCbxAPyVfYWQ9FantxzlJb2571fF3Y6Y6cT23UaVcqTnvbofVKShK9F9vpV +x6e3ZbeM9LYmvI6i46357c2RxKallxX5/ZcWKwTHplYFoiWExgu14tFfNBxKy94cdzJEvWyOFhMT +UC9DpcSIGS9W/h7VpiFztEEvtJorViEW0Z+XI8sH/yHFSQN8yKHEDReuXPawpr+aHvakUQJT8WqZ +anllxykfXuSmWTz6jpPXjREWLK931PzZdf48jxmG1vJ1xzQlkIoRaMVJ5FIK0ePImuOW7I5QEcWe 
+LbmF4bGoVUnxK5rhPD1L85tCxL8Y9TleqBVfj+V5CJ7fI4l2snIDYtLrMaUQKEXhbdNJsqTXa5C4 +ZEwg1vzOHKeCbE5ufGLf2uvarIODXouYKodLSYpXymQEMt31D8czIyU5YmbscMRDsMSqIhU1samN +E9eMk9gpnv3zHMntGE2L0HMPO5H7LdnpU5uycKFcUKbcLH1zRPF1ltA/ktumNu3RUl/RH3ZRSiJU +TY/sNswIFILnJjj2pKgdgrcYyl/Xkt0b7OBs89LfQLSY+NCCMrLjn9S8w/DkcH4VHWLGCxIM16CX +clMV/l69rh6CoDTN0RMOvRMQ34Kl+snRB72TWpL0d0noD/HsKaUQ6rbpEGTNsQhuu2xZJa+s2j3N +7p6WNlxYVpiw8GxMel2YUY/C2yO0dLXs/TgW9NrwC/H0Ir7vaVWPq/qqaXrVEt8WyekPesrg17rt +VD335sjCdYIhhUz4XASnYbhQM0piJjnuz/HHi8mJn6vkVsSiJLsdktulVg2d5EpmQWsJkxqpgLk8 +6ulBR9J6wub3ZLdJbtklw7gIqoB2Fz6HWtTkx11WIRVSvyLiX0oeGiQuVm6XZNfF6/RiEqHilzdH +0puG8LKoPUVtqppjt9ti+rxDJWQHlhEeIy0V/hbBZROP7qtnKYZxksTJMMWT34ilfJzATvzcRJ9j +sEwkO54y+k3uemrTluy65vdvY1ssV42Du48nRxmpkcl+z10HYtsR0ejF6yH7LWLRO/x2krS/T5Su +I5XNxbAvSROrBkHDsoMMCspn/7DoXZK/+64gMckBI+OnacsIdKMk5iL6xOZ3xcdHcjrltiJ3nZFC +MuJ7as/7lOGL1QgImRQZsBSMiIftNo+aMqqUDJIRE+z6JylaTZjSf+Mk9uKVGuHz32VpqIwkcUPG +yghlj+R+lvtJ5mQY02ka00eEliBznLE63QhxrVChVnP8o2ZoVf30TM2vjRSS/TTt8ZMZ8S+/znJX +XgRfbnu9bUfHldF/8vnQ3AYiQxiPzQQMGR5cUGBGv6hV3467RbBkx1Pxq58kzGrkQwZlR8wKTMvU +4vPdfft1RfHwJjfVxS/eOvCmify9ChKREdCfquM5BH31dOW2n6I9WqqQPC0o0Uivp2IYhtsjl/3T +sggYMTQqlCmGdTNc8dwkel2K3ZZu/xCjRWmGVXObwtcunx12y3sZ9iNIWtGcBFk4/fo9PXu27HgF +t6g2ZcWuaE1906zDL2XkQdlyqEVxpMASsAPGEDEmOUhWK1ahFVD/s+jqllm0TCUZBrEpaEVPcpti +NVLRLuyWU3DretvJRw9iRoUGNXrV78lNT6/6suPYTqeI/FL8/uoZU/qsIIFeoEaxGmbBKQkeq2I3 +pM959PSo52l2U35d9MYl+56CRJoZiVzuSjJDNuuUm00ROXB4QAIQMPH8p/QkuecXKlOPk5AYLcvb +xnI4KPjdAeYFhucwt92gl4LbHS8sO8CorIA8r9s+xbGHTX/QtNC8VClaxsGvH8HTaqLY8yS3N15S +TEIhkoq23rUEn1c8e4gdp+A01J6q2W3CBw4hYMSI7frJz69YkW6EqFqYQCl7rZOiZ0UvYIAigBCD +FMhIaQmtqYwJVINEFQNWqhFiYpH6nNYyhwrKCChAgRSw18vq9CLExaPlhAAvUsx4qVQwC0LJ3RxT +vFhAsKD5pChLZltAe8qvx1CBeChJuSh5RGn5Wc8eVsjscFFZ+fgumU3x2CI6reLrMj/v4uv/Saac +Sj/MkCETi7GoUiQfXkfL9utEcHvi4V9vazvtV88VkO/jJcUIGCpeSiCc/NpO+6AliX6jYBglxzJM +YDBQYjFIXK85/qBlf5KombXBUqLS9ZkkaxL0AcZkCBqWGicwGFXopNdzGYbks4lu+yaZkttWDbuE 
+ehmwFIpnh+04aJ73Vy0R/aEYtscvZeSJYaFaTKQYbsPyWtSqIxZt0TKlQIlOsSqC0Zceo/y5jEo0 +w8QFQ8TFpyirjmFCnhNef+FCtez4dcend9XNUEW0u5w++SnC8vfHSavHiAsm5JExgWhYpNU946W4 +wmuQq35SEuWiJ3wds2OTq6Jkdy9HU9y+dHqEt0tqqoL0KcFrXwxtb+vH8A5F3zxVpE4yq1TMpnnA +WjBQJpKa6p8nb1msdequG6lpS2mks60MfjFdbxmFZFAjGq9Ta3bxEXy7zLXTPMCIaQ== + + + YRILtatKdl+oQjZYohffXsluLYJvx5XaVQY12s2yN0kSvWaRAsmAlWi8SDEg/AS7KaNQilUKFb+p +l50xhXxI0ZIjxWRVvygffaTPRfi8RqwFs2fdFHXyC6VlLKdft4zy+zpeXFhOoyBqvDjCBowX0ghW +zyZ3Nb0qqU1PcZsS8lNCnh41ZYScGJBjpgeV2AoOs9yvCg73JagCxmoBCDQQhA0bMHtGgsbEAj3I +QGLFCo2oj8luKCV/M+QAAxIQAgpcQEVMZGUkchl5Uph+GjHTi5Xo5KpotkkBUyXBA4dJiGSLn4tu +Z0D5DxKUjJXox8iqh4nL9K48qIjhkSLF6r5D/DxF65TiBJo5eZroAeMBQPxY6fmuniemD4wpRFMC +pSB5TH68b02/PWG4vJrjF+RGPj0LymTC7dYdq4R4l5SoxaWCjUKx//e0LAufZ1YnGJRJZMdhuAzz +859NS3Crg6XkZ9GQnubhRcQAMVIoEWMGCJqVIViw5FgRIcmxS8drlIyYYhknP1O8nnjuHiawHCaw +EQ/eqyeqdVD+e0Vq1KpnUJvGdJuGVWIhfV53baJpHT1Zd4zy6WNKIJMeP8Hrn5b2CPqoeYJf3iRF +KkpyVTr0epOkIf00n76klklo2RdDWOuAUjNW03tJqp3OX5awOT7JaxXL+uTYr2ptmqtZzrGSEsNx +vNtUcDnGqyQj5FRDpLTEjBYH8BCjx4uJn56u27a77Se/kzxm+fArI1CLmCoGSYuF2zZZrqhUS/jg +IYLTJ/x80s80qf+IGDE+YFRG9nwvRyFesCjAjhsyLtWK6GPi3yWgXcUk2mGFzA4zMCUZ1tHyBOTT +oEQ2SFwqViQV3ILQ8pXTBfBxo4kgeFjVs4pHzyGiIqJlhMdIKodIqkVr1MLlPy1pVKIXsFOpTU/r +SYMC0SBpzaxGLkJQLynS52VNcQsEzYrJZw+1JygdTfSZBJdjc8sjBYsPGC5kiMBcsFQp+Y3hMYxu +XTI7YlEPOu4Qs+KAIoA43faITvs4edVgkWhEPEoOpwDhNKpPS499WMGyBA4aLyHQES9iIOCDjR4p +LhYmX0bEr1CVQCyqcgJFgABAtJhMLtmVAekyWKQXLVNJf7vs14OSnvUsQA8dR/T4YeJ1GyYtJGDA +KDGDhgE/bjTBw44Y1UllzzheVHK4wLRwfIX0C/EiRgkfOXC4pKxgnWyUvD5uulLyk2jx4mKVatVv +yud+8RLJeJVUQPyIr8+0UrD8nlGJZMBON0RSQKiMzHChRjy4p0VrEezhQiJD5SSF1ygjHwdKTAka +LJCAoQJGSwXT835NV1gnGi4pTPPMQvpdvFAwI4+rhkutinLZHy1dQjxoRfVydCmNDFADhocc+RFk +wa3KVV+y+6plz1mKG5A6DEv0fQS3Q2iYhJ6u1lk5Dd0yl/zOnESg04yzjgwVyQWL1CLyRXb5ZcTL +lDwuI09/lqn4rbuNxI6RiDHpISVGRAoVJFi07FiBjWDXk6Y7YmIWEAQQI/X0wRLbwRLyo2XkRwsJ +y+gTYtG+DD3ABBJE2LAximOUT7/DxCUEi5UmdpCRgQIEsYOKGBPspuj4CBswXkiileyO9HdMp1lA 
+PctH99FC8mLkZZOhSqifEVO5/PsMKH+xEsGYPCigHYb0y5B+kqv+K6pidXrhQtGwSjQu0g6XmErp +L9kyzM9lWCldRfsVjTGFaEp/ipD+ws8jvMzaa5H9Jrlsy2mkdzXxbxar0YuWyQSXX7Xr8uDxGboY +UYl4dP8k/zMcsV0eJikD5FAhBIwYFipQC6gXsV8lYMD00DKCws8rvg0T4lk+/EctYXx9AwbFteex +W5YJ9SE0nJpf0auqaLZFvyufHQiZlxcmJCos0gF+0BCChUyMEFaMVqkHi4iKVWmk12mklMhAOUkJ +fX7AoExgiB4K4KHHECxiXrRKLCDe054sqRABaLgo+UGuXNaBogoiZiSIlBcO10kEn0nvippdGbGU +S4gv0WcRG27FK2yfW7lsetcaJa0Z10p10zSuUY4VERsoIS9GXCyiP6TXVTjtAmXkBxk2Xrt+gBss +KuCjBhAnsRUjT+pdQ6gJSk0T2+1NcS/FlNAfgSF+wEMwRmwFAR5qBOFCQhPyR62qats2AB1ePL8A +IYQwCY3kLWu56ktmVfwbha9XgPbY7LZaZ/48Hy8pLaSSzH3259EgYbVolWJOn5TPvoegrHVSkD46 +TmAwOiat6ApuY/WrAtphRr+M6CexKeuWJ6AEEEHIaMGaZ5XLjuz1CF+j8HYMFolkz0PpuUPMio2X +SmR2T/SZ5cdLdrsvR98cXbhQqXcNyesfLyk7uJgcwEVMjRSIxH59dHxB7mWFqsGCUopfHSSuBNBg +McRLSQ5XKcaTl1Jz7rSTT48CCkxgZNdFqsnywZe4MROCByzxAQYsIcSKlxcd9+W4wrUCAQKWQMVw +CO3OMPkGeAHzA0pJbJbr8HO57AgbMIqY4WIGNVLZcderltbSBMSjpEQkpU9bhieXsZD+mdIHZbdn +Sp4dJq2V3ja9KeyOd5zEYDc9os84SFpMwEgRRAyKiD5/1vFEs572NMGsKW7hj/tbtUWICogYFB9W +RG7EUiL261lHFyoxE1xAAjReXkhAHhkSj4QLFR0pMRNfN8ltyE1LPnsSOGDwSBED42+XEb/iuWM1 +bMLbKL+uAvI9KzojJaTHCgmLRw+R25adNtFn1uyaZPbk10EuipffKmZfQP2OkdWOkJVMyH/Z8Auf +WUb/DZTXa69dux3i5zCpEYySl4sQlgqX6UT0o27YCBYrPUheKv1NcsupuB2xK2lNW5xAplYVrSlf +jjTo2SLIIiV6+ewilPSMoSg9P6fpIUffHHf0RDWtBDmhIwRFE9pL8jgXu5nrvB2ndpxdkquazkcS +9z4akceGCxWjX5FaklqUzTq216n8fQpVaSdDF9D+g0sIAWCs8PDyMtlpfvxmLptpqWyQAhIcoAce +YLTcgBwqYLRIIbm8ilm6016t05tjEjtwsJRIonNs4WsYqM8MiD+x6accS6ppg5wK6NOCtdpF8BWz +K/zM0ts1XqYTf/egJz6Go9f9EeNi4vH9kvSUIAtfw4h6lc9estcsnPbTkoS/dZTAWP69BasURIoU +HymwFs89I+pXoECu3dZZdMWqtKL0kfn3lz1fua0NfjHXifG0Src/bFpaVRmr0BABizqohDI11pQN +gATQQdAP8xEAADgQFAvE4kHRzDBj2j4UAASWeELsZNCCEMQgBgEAAAAAAACEAQEQnAFAAL4Fzlzs +k/DeZee7+vQ3Alpn9E6Z6dMH6Jc+ZSlfKWm/8rYZNh9t2KbUozimYYWViR5KqB1+Un1kGSA/CZXU +FlqqFagprUWCSPmKUtvMf7HS/HX7XkYVO0fjlnOdGjXXdWNZvfZ30KZEVdVSh1ebvrkcMDmCJTJa +Efl/kpiSTcRV1YkudZlIoPYTlVV3oleBJlKo4UQl1Z/oVcBEKjWcqKw6E30KNJFSDScqqu5ErwJN 
+pFKDicqqO9GrQBOp1XCigupO9BRoIqUaT1RQvYk+BZxIqYYTFVV3ok+BJlKo8URF1Z3oU+CJlGow +UVF1E30KOJFaDSYqqd5ErwJOpFTDiYqqN9GnABOp1XCioupN9CvgRAo1nKhQvYleBZ5IoUYTlVR3 +olcBJ1Kq4UQl1ZvoUeCJlGo4UUn1J3oVYCKlGiYqqe5EvwJMpFKjiYqqO9GrgBMp1WiikupM9Cvg +REo1mqisuhM9CjiRokYTFVV/okeBJlKp4URF1Z3oVcCJVGo0UUH1J3oVcCKVGk9UVJ2JXgVMpFLD +icqqM9GnQBMp1XCioupO9CrQRCo1mKisuhO9CjSRWg0nKqjuRE+BJlKq8UQF1ZvoU8CJlGo4UVF1 +J/oUaCKFGk9UVN2JPgWeSKkGExVVN9GnAOW4+okf0qaTaAirirCK9UfeKnf2ER8RTOxNZJqeV96g +0GhoRXWTOvAZparXP2gxcazC3od5x94rmLKnb4C0oDybUVaKRUIhwQOE0YMa4dW4CTQN/jdponwb +cB9bmKEv3qxk/Q5Y7WI0WwUhhlc10wQJDdI/BrlHunAFbinnnQCYqakJ3UIJzyPuDltncJk8OXEF +298Bufox2MhgvDrk2dais6euOnZM5lynsoV0zf1GfBZouwCjApQhNzfTpMzaABjx3NWQdSo8uq6v +NkkZwJWPTAiOiG5ImvYuW1nwkTIbuQ1m2kh7e7TBBEyAzuAw3OjzJVCtW2XQCOt3amFOvtPSF0an +VT4sUo3WEWvC9QQdooRZf2VSAt4s+VpjRLz3DvyjlglssrVLaMuWbpll4MqpUccUIA5VlpJPvAGE +rRBC5F7Fd8SQgQoxzLSXg3pVzNHGDYal/QREUheXLVvoTSfEACJwJKu7etATmPx18ZyAGu+FfFza +Y6EmAsviGksSFOlZli2gqaa6SUs5lukSnX2MJZeyJrTNDY9MjwmGwA1HWIYX415NjwoFmFDjDC+s +4iEcwbtHiLopBCmYYgeFPi7FNkyEuZjtycYDAGzUH/QfAUMdm+xZTo1TfJldUPpeFuzT3yocDJlZ +DgEWbJxXSKMJvCMmluJJInnbJs4DNrvVkZm5huuaCw6YSy7MWvRWVWgXuZGcuV9F0I2rDtgCzgFV +XuHzoWryL/OQwWjU/3WvbX+Ew9DxN53pHpviSPdZSOncqR/pYAg6BMa4sSZfMA50tenm11NRwRQQ +AMBNB/4dMKATJjvXDtnI0pjaWPTUDuqdyrbOgcPW4BwsEneENrvYgUZ7wGQf58hlsh5gr3yAGu8A +CDSFsm97QDPqrcPfAFtSXd4OlSihC0TmH8F8+3eJ69KITzuZU0ZNt4ju52oGF7i1rXtI7bxkD1Ch +okFufg3lAno7/Oo26fLJt1hw7rk5dIX9QYXsPTQgLDM8ORCrATblQ4lfwEHjQBw0qwa5SLG2KGQQ +iq3+BeUiCyFF5qpZ9WdSEDU8FRfExQRMd5e3txz+PkISQJcJu7X77h137U9GbIngBARFi8RXh7gB +gigH5RzOpF7wu2EcZtnbWFvGz0jigS20xNqzD3vR9yLIF4no7c8pBue0bmjrQqMmwgEdIkaNVvM5 +A7uDWQTgg7YTidBfGbZvFq8RIhRSFhdxBasUbfDXHdqozn5RnItlViv87yCxro9CC6ozvkCWgKzm +OXkuIboQ5RpGbfHGIJgDJxDYgSu6kTp6zq4Zs+MIaAR7rR2jlGRKcEwypBDlACOHv44bUXm8SwXS +Vn4znj5WGc1BA7Kt7kt0gC/xcWHenCApi5m0I15fsfG/un3c7y38pv40vB7C05ks1KGUrdE5ogQU +Vs4+xX0Et1hjmgOdLzsRxkTuwEoBUU2rCqtQI4dgVs/jCgcVrKAoeUqdHiperw73yImwTkrCdvxZ 
+TFBQMuGxsnTsf5A/ggmsNVRrTKJkbQulwKIohkaks3MX3YZ0FT53/IaqmdXBQ7HvOg== + + + MojXF2ARzQd6ZpgXmml4r35mXZJG3JaffqvbfAnYmUL818TP8iaxKdf/GExnlBzUZa8VgyRKlrrU +y6L2RfRhtbBtLBuELcuVruKBYLG1ipgD6E8/uVdh0sGUYpNSge6k6y1OygMjT0cZEVgdWNkppBcL +/uCBy1wAPEH6sZHJvwnvnDKG02vgUkL1BgnTV0Szys+G4kNgnyHNlhGHX7SGo6aJ9Ta6el3g+i1B +Rwv7QJ/6gBD/O5ZbArSzdM2V6F9IbD1alUJ/bxi8Qq7JN0jqrQXYp3SMUMlGUiyj1C6dVB+wdWoG +ffTxbFZnIDNq8m4kqGRhTkuw65qY5RsoMwJ7OsxRMnBTmDqQ1BFCDzKQFmCfG0UGF0EPNFSjgRI0 +jkSF/JU41BUxbs5SIq2sjbNKmidtdDDOIfLmQZKhpedCygADVR7ggmEOxK3QOP5lhPIQtoOWkk1p +JWTWaL4pPgGAP4XsYToTJ37KQbLNXG+Xka7OxZS6soqwA+NAeb5M+ZFB9pP/lir4jRUQqyTqc4K7 +QganbcriBjok6sgzI41OCkp1QwaSlxcBdNKr/toksJ+AWrVau3hYqnmaaTHqikuLOFCQviwjV8Ba +oqfLY6Qyg+zGZ5rX4RM620Jl3Msfn4J2W9ghhS3fEQPhjHSfgJgcqbr6mSAn5JIYOLe4DXCbBcyJ +BXmnFv5K/IgjAmLpM2UAWlz+n83uhm/B291Z6CaiYkYJQtQBBumv++SRczlqc3HT2HJ3kwwUTsZU +OUC8ncZCL5w6XCc0F6P3L3kSw0SwwRnizwiV/jdRlTV0/iso4A6CzJt8uFNTVsIBs0TIDQg5mc1D +EHeCGEm8Rw0ClOIMDOcp4t8LOC4kqXqEEqsq049f/iE3dVDEBezxylMrkp/9Lk6HBNtiJasxRbkX +cDXpvbOWvhfnVjdK47bSJ6N/xwtB0UgnuP691l+a3U/IdRke4nzRWuwUxJGO3H49M+bbP08KqJeP +oHkSMxp+EX4tS/ztmZvgAsIF6w9pX45YwQL0mG3TruD++shLIpmlBJyfRL/B1NgcGRAcbIDcS9aj +e8sXab/IBP5Qzk0KB8zuqpxdHpc4y5MgSCKYfpkSeJe1thG4qkwW+o59/UMAifm/JxHfZxYXW0iy +g2tmq9sT3SEzUcyhbQwCmV9C6LiDqIlwXnzHh7uCdSeVuWrz+tPGoI2Tx/FeJSJhY1h/mpx0iS8D +wkZ1XyIkvAQs1OGMkOtrlAn4spN+4RRnMFzSE+KtESFZAYx63XUuaPS+blvXbRmAPah8MRHOA0lw +nwUL6Qi8wFP2m9nEoR0ImzVNizXLJkqP4zOneArVC7O3U7zsnOA10+xvWmC9xOimht3tSZXtwbMK +4ltsBbSrMROPGiTlc7D/ubnsVhExjelh5C89L64GYFC7wloLgIZ2cpJsCfuvYACh8WkiQMfdFimT +TcESnhcscrXUvbG+0y9SPzvP0ThAUGp6w5//nm13fpAWgm/3/roKNAJ9RP9XzJz7ob4/Uc0iziYe +HdkQ9W+qARviGPtG6JBoipjfskklR17uLTcwLjkrNfRrVCXYh2BUkgJ/kMcGemqLEZbaJGFs/nGm +O2mWWZIAOH1iJquRiGMPSDY+L9zVzP4yD6DQ7ejXdNHxEeuvYgwhY6UYqOYSxw5wSjlgm/yHjCd4 +pLanoIiiaeF2rJZNqmL/J0OncvDlbnfLE+IokQHoGgV5+C/oFFMLDntNW+nWE7GR/nMDTEzk0Zn2 +KMgy/uXl2WArdbH9jZQfXsP3grz5XtCmUCVpUAFxUjHhYchO0QsrgZJp3E0sxsqXtjYxQeV/yLn0 
+D9MTE7P7r+uXECi0HoWcbUWO7Xjsicco9fm9OWVhUgouO+bluSXKtJkAlfA38ZtjPTbVkr9Y8I1m +B8KGuksAF+CX05EzgjYpncaNv2yXDGvHqrMhh+4RMq1wXSYJpGg8cvbwUuIwRCE6TEi6ox6iJ+Dq +5y8D3ctkxrPd1tF4cUNkVU77l2wdxlg6OVKNvW0gpBGHFL/yBeSHU0NSeuQLzjuBVijiR/CbF2yg +qQ1nKBxps9zoR8bhuxlljEQPn7zqH6OnjfCcDA0ItPhUT2hxmir6ATOuS2VskrOBvIRvQ+6vA6ce +ElaD1M90YVGtKIoYBivx/SFYo7ggKa/ynhL/SnXGY20AKq56FnPsFHXcwphmBxON5YsL52mo9VOs +xFkNnd+1oikM54rg/vIIE+ooEXSGoRszHs7+V8+epJdxRQmuJ+yy161b1e6w4k+MZoyoKTJJ6+0q +mvy8b+M9GsLlla1OWhoZd2V2G2qQPWpKfdxEj9dUkF0BuTahgSw4SHbdTMS9zNgFGpFEDErsHJQE +0VNeC4TSbpLVBN6ovQIR5/e+LO/TwLg4Umu2QAS+BhiMM2om+tan7tJ6WFeJVJtxbbvK6V+11o6k +UUVx0Day6XhofTMvqFEBWpIuoYSa5dFYDWLPKX/G1C9TFKTrcd+pk+xTF+P3FK1zWvh0VOaZOwo1 +6lrTRe4mpSKJhCkaDLvC0nFhJpS1Fbe+QV7r3c1stmjaTUKUPmkc65rryo1TPt5kzUS2x7Z6ZxZ3 ++7RDWLF8ko7ZcC4GbQTaqAvqgyZNvdRpmiuVY0pA94txe8QSx2z1nNcAjp3wkSQWmfKB+vcszk9O +/YttxIxNRYYavsm4jRiXm1pdrIJTuGBU4MWXD9BuNi6myb01xDHRgK6AVhIedSu1kU93meT8H5Yf +WzhSC20PuNsNNrnNiySBr+ZWtVlUd8YD3oMxJK4JdzLNW6hjYxB/so3yVgPDBo6Ul46QF9nP6Hrb +15yPx2pYiPccyWDHkej28tQu0LQAX7hlPc3seigDS7BdiF8tgfLxQm7zRdy3y7Z7ZmNXER6tbOEr +PH6UNRAP2gHf2uYq/F5MzubnK717U0Tod1CP2UcSRpxdB9Kk/MqGReKsLTUxFLoV0fKXwspVf/FI +A1MTVH7NyO/A5eBBIXAAZF9lrp2UVj+e1pCkuBikXRO9EnV/cA/7u+xfJtMzHuIREi7Pugrya8bv +AkRhbxZ3aOGymcQCrF86Tm8ETKyK2YIKFw0uHHpmD8XIynULy+OcqJz/rLCrwrnRf/BgK4MUegSB +nKClyBZSimovV5gitks/v3QtWSSN70v6QHsH0sFQemkFZuqKmdh7QmGKLAy0eMgA3pxLycdbSvB7 +8x3Bjlp2XoSeVkBEoA9BnReXRhCFn/abcdyitEKpnI92QHkMTd9pFNZBsoFj3f/UlfIcSZsNXMD4 +Q2+P2krKAV4AGZ6wldwbMLBECRiSkekksq4shiCvgd0pQFxk6RfijRDrG+9gnXd0PxWAcdvrwhNl +TZL6OhZEiXxrJoWU5htEQucYrObq0fCDvixVxfIqrhJTiPkFWHrjFrqMwecPmWSNa/TZMkinJEGi +kcQLuoCmj1e5Z4zZTi5ETrxsUDfybl4v9hWKHRfhiHzFAOguA9EtPc1kKqrbGDp0bOPgOY+sN2bB +ZOdflOOMAu3zAEmzxq9pZlPYvkEKxBAb4HSEZGE0wzfW+bKIScu/HArotDr1s6E4AneVKmJZAapc +zwjRmBkjtbPrEsMdWRXydYXQrKBLKPG5twRlFjkVpihFkAYTnMqHB0L59h8MRzsP6pmu3kBiarNg +VEGqTt/jCjSBTQM5lntITFp7QagkVIPLL4Cuduh9XesmhCyqZiSMD6x1XQYdNsZtFxwOF3Z9EH+r 
+erC5i/ymsK6ko2eHfZaWgfUJM34NbQNVZGVEcN/cuxQtuNCKbDwd/V2Qos5Ngt6d/3m+CRnBCLby +bEEIM0ORRIMg6+HzuX1rZws3me9E5fC5fegpkYXGYrmvU9pyWF+gmNAjztOjnO5cp/sU2BfBfSci +XSy4VC71kkPA5CTFhZPvumanCvhw5WKN9oJwUCmhDHD/TkeKFU3RhfIppFQ5Jk/o4HEcSW1SY3iC +fFQqNHX7RfAdIKJ1Jj0p/can9YSkscRgoqZC04cH27mlq2rPWV8vJ1+fxQIdbpscpspmPiKFnKx9 +0BBcSrNIRyXfxAuULKhL+rxNhVJ2Zvkkvr8E1ITqwQW/IM23H4lbBzN+l8PZE6xiio8Oa5ArfdLL +TjU/nIGK6UOeaZLcDJJniNwZSNpmvL6x7d1PTlX7t5qeAr/is7LE02dNENOCZtYyYO5BvTnIOwKk +33DlCqK89MwYSTfhH41orMCxTMO0w/R4aMvmCZ2zW7mfqsCu9qE1ZVJ0xcYasc6oI677nDWRSWe0 +vyHmyyVbrgGQi5sCi3zS4g8z79UzZOloNp/iK24hVkGFhBGYauvOlHljG2l+FQRoLkGmR5gy3LQU +L9EkWADhBc0DVLPjNbMvyeQK2CK+xqZCIhY5Kl+VkoTI7E58OselgrIxhwSD3XqRRYJvqs4H6YfJ +c/wpszFDkmG57ZgHLiP8uFJm0b/yk/IngkGYd7Sams+Ow2zAdI9vwXTFyua0MCITXi1TxOsD/bK+ +bN51loctoE5gO+9H29h62QYczB/2PNtA+pyegfmApuuU4t0gEZGgK7mh7j+iwUGzDkecXKwfiZ4q +d/xrjYjvGjhXSPpWQyUCCbr9ahKpOf94abEl0oPGAIYgqD5FFZvBpo70xlw3oVxhpS4RMRJECsji +0gunADREmgl7CAQugIDv4C4jUpdtqna9xeJS2DeVLgNZHHljlHrMhCbPE33X+Ea4EkdDkVzNL/K0 +IZbgu0Fj6aeBLU2NL2PbejOYBnIqFbXRSjhkBORu/XAiqjj6k3JwwDCVb7IlhruES+nxiHSU5L+X +3+bLnTrSeyfVdVQ+93Hc2/HpstlPW8IxxXJjm0zPb0+WycFOuTNU0GxGx/g+HqIpkj/Dzk6Wovh4 +73rcOGDyhKCEcPxaaKMgk03qi5jU/D3kDhQOxkRXXAQ1BmUVpWX2q6OSaQNR05IaggEU/dnb+SHJ +OCg0y0CsD8APQrRE03oZzf4bzdaFVPDoN8OCGs7MhmryaXIwsTqMMMvKDmPnZ7lfbwPuRRxt+1Tk +/jQRxTcmATxKAeyyQn9zGnog77PnQWKe3WrOjQQQnpWfTQ8mAqABKNq0flaAABqd0s1wO/3hR4tm +EUoFELUilvNbaGz93ibSmlfe5CY9hcmtsORLP5TNb2K88RbeGcfCLCtJFIf8EtVlVN5g/UwU653s +fFeDyvhDqLFe9g7DGOnD9Ej4rCw2JdnEX2TdZva3FdKHdm8NjI1mWuq7bFMTIYbEVtmpiaET2CeF +3ysTVxbr9lcy/ciH1erl6UYyIE4NmJI+zfc7XIoxlHEunfSWsTgq7ZSEjGr8NVUw4mEvTGXtEQn5 +kIPrbh3Jy36VteBeEH1pDZN1rFGMfMojNQzjAGnNhqvO468nqSYbTkbycMNVQGmdaULA4V7CXRNS +PfPBEI3bpm0z3bV6fDnB1al3R0QMTIUvy3cizjemrvTm2HM47TeqFyUgv9U8KmoBpg== + + + b78cDlsnf0l+EZVMLtyYjiZOfVgD/cAAFWwIZtbh2d+KgGYijAsIY6ScENCyy9xVbuBx8/ohQMhj +0RHYvxxI4UAvbwa50abln7/BQfX+ENZ4CKfXEyIS1ZrKnc81AQ9agZV8wPY51fyiwRTDktHokRbo 
+72IC1BJpx7p6vBOPKsBTxrNLdNB6NF0PbfSSUBcDbqEvdg4DkFCN63kJuAKpqO9eHMiMRY4MHCoH +brFgXflerp/PD8gb2Erk7BtDfaCGrlHDqo9vQ95Gcm43WuizUGcG68udZ3xH3KUp9kPEqGRjudGa +e4WB4f+ROMXHopX9fQX3f2ZPazCJbisgVJ7c+GR+MXUHBRBqYx7jhTyiab6GI9p1SWyDkiaYR01B +rymzyZxoqlbN5Lp4NgGjDILueQ2buB84lRmH5tbbPt+6D0VLUAmMazrEAyqZlQ+bkARIEUOF1n/p +ETdZQ4JSOQVf3vhn0/4bfOcdDM2dojkUhqkYk8VTq/MgD5zk5iuf9Ec/gy8JDF3q68TUG6DOQ1YP +i3NVj853uV79DY87gPNtaQjXxNNcJ+o7hSEXh1/i7hkOGj2h6S+jr26FUZtVPU/UeHYHj/k3M/by +aJWHAiMwvettzPrfFh6wMR6uUjabGXQeJsQxMkMm1/mOe/bVeJM+HeGGyrX7WOVi8Qmy70Vl4Ee2 +bOnArUvO6RX8JfmrwOZj0udZsYnyQwdCMIh1hCNfRkJ+HaM7LCs6kaRzfkXKvvCss2uDYgTOUuo8 +EhDhwOw5xnbYFyeZGQG6kpTJ6NYsjkD4M6sIqx6gPJwFow3aTRxwDsVeKSmgdiECHmiXy1lde2+Q +S2VBAILkpkJdSwCm+xu5Oref470GEkakcFe5n0X28ls0SBxcV14tYBn2AUvP/buQ2QYKQHxYOhkx +Ad+QCIFxz2xaDJWS8G1HLM3PvClr4y4oXmBMn/9kV/FDz+qTRM46nGAvpIm1jEotjvfHnkHFyeRN +1+J1aUtKs0fENJPyBim+HVYW6IumSTgi3JF8HYPVmySY/YEy2yZEYAIosBbFW3lWIgl8HqGKmkx9 +bYIOErFQ8nWBUqk81zYdCHshPYJf7o7WEGjuJGzy/vWaPitRW/t5smEiOKAinYcdQYOooh1BBd8a +iG+T7rEdFnXhilxR1AAonyrFKK/WpGZSu0lbI1wVRozX+5vZAuegrVkyJQ4YYR53B5LUhrCi+I2f +06pj6eukWPdwb/fDTCyk4QD8nKETPNrrUz9+e25G1J0Dy7eaJwKEyOzOobEDeJ4L+eS7HSCkjiUx +g11MxURQ+rMxHP5TiR4RneZI04bRE68RiUcWa/d4KAk7mR3Lzr0QJqyhiHa8BaRFvI2VJdg6jVXk +AATFcnHvpLmTJaRrl+paYBW8jvVbkEtAVcyw+iKweL1Ejg99DfC2bmVxl/vbAM0w2w2iTjCYn1o6 +jIofx/eFxHXUxQWxTEOIggMwYh2ZLWTM8psOgcYSNam07dctq0xOhKkeeSD60020ndOLAZkCNmg/ +mJy+RflAqPbmaa9dlXzinprrRnf5TLqYggnigj7I9jT4ZXgAC+dRBycsnhZV3JRBv9dZIbRDzKKD +5kN5TQAhzQMeGjNpeq3tjaSZu1Md+tv3Btfst0C9B9EORxrW43W6fscgJEFVfGtJFmfMM71geDQq +hMp5IDjbXrQznHfL2RsGIKzcQipAMyy1kKUTGa6VN+ojIVkECWt8gBNe7w3tAcm26rqmuWf3L/Q+ +qRNj4AxvyQUcLTsm7FwJyEIHZAYA00UUPC4ygBkDQBlAi/22ab2PweP5TvM0H9OokNlp+l7G5ncV +sU2Tgo9T4DJ43PMydYzvuIyNy6ygoaGx6xuf2ekVerz3fR/j9I7HvL1iJlaxgicDISCxhDljhC+u +fCMNrk/PQY0E2KcmzEB5fVhLtHw6nTMnX1GyT0WAP5U0cwb4AXkT0AVAZkEDlztxh5UUtzN+CyUQ +XBSfOifd4NVpAaqnsOdnkjS2IrpE5nTtLn1qbGEFMgJuPekFTvSxT9Ygraexi3BmF8bC9YsNxAoA 
+Q0slOB/ve0/iut7j+W3TOX3nd33vPa/LOU/bKWhdRkVt7/pMCju2aXaZ2M5l8FjGXqEC13FdRc/n +OZ/juopej+sVfYp4Ba7jca6n2GN7BT2T4zS8nev3vue5ijufoXuaGZqZno71HZeJcz3H4xmaho57 +W8XMjdcy9YoZFSru/s7pGTre810mplFh43G+gufjWoZekfMp7po5IMGESYYIn3x37Sx2oIyA9QlJ +SHniDD4X1N9Drva9iLAdUKIACSUCm8EJVwCZHUCp6JO9BctAeTy/3WEEVeFgpw+BmgASqqjnz3Yb +c+8taPq3v4jTQu3tgNoX6e9VQElQw401Ki9OdP5gEySUcqDiEAlVAnJQOFdd7pcpod7G/b4itlHn +IFCU4gK+HLg+CQHUDJgABJDpYPrJGVyfbJDtZAE/T54BNUHgkwkY2UpPhcmpjcSnzoA0+ojP5wJ2 +9wocZgDEMhI5NzYyZGVlZS1lOTNiLTQzODAtOGI0OC0wY2E0ZjVjNmY1Y2RjZDgwNDNlNi00ODNj +LTQ3ZGUtYmNlOS1mOTBjZWI4YjBiOGQ0bWwxMFNWR0ZpbHRlcg0vIDoNL1hNTE5vZGU7ICh4bWxu +b2RlLWF0dHJpYnV0ZS9BcnJhY2hpbGRyZTIgL0ludG5vZGV0KDEwMCV2YWx1aG5hbTsgLHdpZHRo +eXl4eG9iamVjdGZBSV9faWRpZDJudW1PY3RhdmVzbm9TdGl0Y3NUaWwwLjBiYXNlRnJlcXVlbmN0 +dXJidWxlbmNyZXN1bHQxZmVUU291cmNlR3JhcGhpY2luaW4yb3BlQ29tcG9zaXQvRGVmIDs0NGZy +YWN0YWxOb2lzNDQtMnh4QUlfQmV2ZWxTaGFkb3dzdGREZXZpYmx1cjFHYXVzc2lhbkIyZGRvZmZz +ZXR5eTFPMihsaWdodGluZy1jb2xvcjp3aHN0eWxzcGVjT3VzdXJmYWNlMTBzcGVjdWxhckV4cG9u +ZW5Db25zdGEyKC0xMDAwLTV4eDJ6elBvaW50TDFTMjEyKGtrazMzYXJpdGhtZXRsaXQxMTEyMU1l +cmdlTm9kMTQxLXh4Q29vbEJyZWV6YWkxLnJhZGl1ZGlsYW9ycGhvbG9nMmJiLWQyMDFzM0F5Q2hh +bm5lbFNlbGVjUnhEaXNwbGFjZW1lbnRNYXAybm40bWF0cmkwIDAgMTFNNDUyKGFsd2F5cmVzdGFy +ZmZpbGw1ZHRvdG9saW5lYWNhbGNNZnJvbXJlYWRkaXRpdm5vbmNjdW11TjBiZWdhbmltY2M4Y2Nj +OGNjY2NjYzFjY2NjMjFiQUlfRF8zNjZFcm9kZXI2Nl9fN1BpeGVsUGxheTUwIDVSMnJlbW92MTEg +MTsyMCAxNTsyMDAgMjAwOyAxNSAyMDsxIDEgaW5kZWZpbnJlcGVhdERzcGxpZGQxYzEzM2syOzIw +IDIwO2RpZmZ1c2V5MjU7Z3JlZW47Ymx1ZTtpbmRpZ287dmlvbGV0O3JlZDtvcmFuNmVsZXYxOGF6 +aW11MURpRHIxMDJsMTAwNDQxMTAyg56ocq1GZkYAAAABBVIJAghmcBjlUStlgQ4SQFAYDMSwIMUg +CIAAAEAAAAQUAcYQQBACQABAMIUYMERqFSQOgEp9e/ewX9lKO2HBiIynuco2Sh1X8RhAVGmoy2T+ +9WlCpjcjQ1wymkiWRKvmp+hAYTS/xUEn6K6CSWdMSjSQgxv2yItrDrj8sRfDGoj7tE2vS1FG+z6f +Ayqo0K3O6ICVQCZIfNK+olp4e3ALFB2oXTqNaoxeyVu2wjWBBJ4iAwTqeg2MnGs8xcQa4MkNy094 +AE9AOt/pmICX0P+CQzr+Gm4/qZJ1Sr5HEEw1ig2rOCMnOnRYfR0wdYcrkn3D1upAB5qRvq0pJ72y 
+jHUXCPKiRg4ERL8tp2S9tP9OozeB7cUYmAiqrhhNLmH2FgGIOnMT6v7hiE1R98jvGxjOmU23Gqre +9TyHG0nWyHID6tlZabASCOoFh2AC42uxZ1qiF2xBSqQdP91diVdH0bhXDmohNdBt5eReLCSUcmDI +tLpLpEjL+lb7Yf8WfM4Lx4F8yUcPwCMCpI1UAymapeErW2Z6mZz/CiREFKE+2WqJ5xEPmYstXH30 +6IDxo+s9+iswuPV0BfKNaaOrBI1yaS3n8oB0abHyzPX7cRXo3LFNU+BGBLojKpvUeuZusGyxiUBb +gSeol+00c7IjtwMB6Qphcri6c6WF1jckn3iRQ/gLIfBhCav1QZcZU+cgf6BxYBvLxZiOuM3WTBDd +FzQkJgx2HJ3KAY6JweOOaH68mrDGws5tUFWzlcVB9/aIoRZWmBi63ZnNki4VoDPEcCD0VJdDD29R +UtRtIGsOCCRijPYgBrP9c0ZwsTjyWZndwXqktO6YeQsrPf+PqF5Bpy5Ex/90zZ6Auf+26zQfM8gE +3on/EgbWgZg8a4podR9sIc+4tg7bpmdiRWF/xq/690PG/tKciB+qMtedX+Ns9/tlyQnM/QV2Y5kN +HlAXlfOWM12P10H7bDS4bjttYtd/7cgUOYpAN8ZSNYv99XqLq4W/64OEdA1RWbEr4U4jpOrWD6Yh +iLtAKCkfWC8NqhwCdhbwdGWTBQEQJOvULwpbNTBxKBJpXwpCgOYyi9QSZpA5gq0H0udkgPQKIGH0 +mqwhU8ayZUiWmAR5FB32+vUILyRvjJLgJTRACYKNWl/PAILQwhFAZYD7LroBgW52Nh0Ol73BucYi +snQEmfqntipDsh1AvZL5SpRw1nJgmp1H6DhF21kyrgGwY/4osyo49ERHDcMRuMakKlbVG0ZDbKp0 +xrMYaukI9kceTjoV5EYb6R1zOLfVgezewaRhrQAcjs/6YPYMi2RKhMzAwULFPaQzltBgBSgQoCXS +KqbvsLaKU6CFFZe6ssxy/5VA6gXqJ2rIRDEFeBllaJx3Mk+5ylRYo9AJ64rsamRjhLjUVdK+yjNA +XXsZR+SbUeV3Z9A5c0vYq2N1KKEFhLF+uTRcOMXz2tEZEatSTW6huZIhz0+Wdw5P4EHoncozUliJ +JWJ1EiTtpEuxloW8rQB4SVz7kgye+gZ9CQu++Cng9+eLYYhx3y7rJutRt9kgbTUoTLlyGL25Q6/K +VVXIPQxzUEpg1Qb1ZuCC68ZTDRVLLzw6m7xwj4bMweYDqkGg8zEK/J6W7/7jm60lJFxqjKtygVUE +YW9nScE7+IA4Vd6OHnVPYgAuTbf+QglZoC8AgguQUSXy7oWpn3czXFVuYbZhRRfvjCkSfcxhrhhY +wSh62jhGj+YATiNrmYnhGsvRx6snfZP3URTU3dJ/5eRfidXvVWiJKYdBLCjgSzjO6gyGqK1V/oTb +6fLSsjomRblyizSeYCWlZP7yJN6h55ePLyUiSVRqMFbzZGSuz3x/SoqK/HdFksja6g== + + + GVAzKePsvKZ+LBXszhzgcr0POv/pTEwfOo3PbjTEqbobFDutXMwYu5qMhYHEr/6tiOtxra2BhK+K +I+XM5GpryEzk++apJx00I7wgSgOmzx3u5h7jOXEDoNmc0WFNeQG3KhbleaJlpA/LcXeu4Ytpn8Ng +/GSdP5qAxI2qXEbyaael7inPxnUb025zWqK8y457S9sHnRVYAhVHhKeebpD1/zHAgQkVV89b5L0e +TxARIqsqRUMQ0URglGEYW3LmszYE7oenNDHZHZiSGKklmv6gwEdAycQfagTYxiQPfsq79hwICGuZ +VzcQGSaJdXg+bT6nnfivWSrmzoHFGRKPx5KlOS8z8cPYwEbmMnrRSIem5kR66gaWbb3uUxquL14s 
+B9aSiDKXwSDlZrQVx0wHCOmEh79zd+acJ4x42kI/2R2tVsRtNNgLWOnWStIwh5VvOTB6OoLuHfR7 +y6O/6sG6hARhdUx58KEP79TbnuiStZtvKps+KhL8mWnJBEOHo4U0t7DzvzETYcDvwGROU8uETjWb +EGUPMdIEVhfhYKO1Za5eXz0vWGLkY0WDOkLDNM2NR2SRcPpHrDWKL82mwTYN4G9ZqNNlJj+kEEj4 +iLkRioPQs1/6Pw6k15Ms6hFZu3MLw4Etgc/TXmSuGVuHZAbRmdpfVhFT3y5uSK1z9kAk2Y2SU0bG +bzsecqAzhdFwEsakruWLba4P/GAu443N5oofwPIxWyRNi8w0Xcvk/AI4IatUkoruJbQ9KKM/5lce +x7oRfwbsjM/SYtjyd4TJpK26M+bMsvOPE1HFf9WLZKTb8iaTyDCQfJU7HQIHY3ASkAD0alOIcN3y +6+RwmCCF6jL8Hw9LQfYpKw8sDaMmsSsyMF5NCJSTFzzwVf8ACWRElKNPLeT+h0/3z0UABq7lnsgL +TfRiYKnvINscfIa8s60XrqMaT1wLFDDlUnueDdfAd4eyzRXFHQyjgoOiIBFuC87EBlsWV8vN2DPI +NohU42FnFDqk7MMn6wjS3AyXavkrMLTo+RRynhiGC3UWMlxWqHpe8XwX4kkcZgF/Qcgoa1Y7QQAv +Wi/3Ie0sb67s8nxh2FRXw+XvmfgK2Ei9uXLL68sN+RwRzPgDYdCuE19slT9II2p48gjH2qmUtsyz +yxpCvfEhOEKssX5AhKJQvHYybt5AWSqdCvc9iU31+4jJfg/n5/+7wsqa3TiccSiLA8NGU8wTuBdW +DoXhDuw0S0zRg2aVp8+uKl7cgqxkMteAYqm3AmuKSAFgHB9bXhRHkTK5UX4/XG6rtmGQhdqHc6up +LZtIE81WbcKiIp96pQYpgO+/wj9oeigYsPEBMQdUH5/1yf/LSYw2xOgn3+NlRTlLhPXJdxcAUeJ6 +nkykCHD45I8FJj1IvzRBa4YYmxgBKYZODKIkeM78BWxCA8qQWTcq0I4IAAaLVYupRf5uKJD1n0Wi +xfK8GH8k7j9VhRJK4qkZ+UQQEREVGBG7lQOJA00Dc8hh/N7p3BjljAZKPdKX7xkXDjOHc5cRRkF3 +xYXE4bJx4RcQB6uR07lO2ykSiMO4cKd82o5DJrYccc3kei3NbhRneR2ksrWu4UC0d8S6RkJ4hOV6 +/GHK0UDW+D4Q40CHI3EolOsRxIFAGg1E+UnFx2z4cQGBqCY8yIilWZ0/SWXCNeMCYhxEh/RPxWS6 +ohwISjPGwQCB5N5JsdXQXkmF+nxRjQsHafqMYhSjGIWVCu0l1VEJH6/OVIx1dTj4ERMlqrXV4wJ/ +NBAzFBsH6czkj0OKybYgzF50JlmSVrSjKFpRFS7Z/3juUfwjwjikMj9xL9hA0t4/H73lPg56yt8Q +79qNw8HpHwkxFJWbtKSgjYMoy1lL32iQX37T3oyYUQhvDYfcfxuIXo8amUlfrsnVyE0u8XJCpkws +ZiNnORtdLrGvqeTyoJZ6zDMayPc/bb5wKmXRK8czEiysDuiO/4wGabaLVLfrBy+Rirpz+l/SRuyS +OQqVryyfHpJYeo9GLcjVgFpW+ahsJNuuqJ4oaksrXypreY+0nOu35Ly8HPU752gjM4qRtx3lh8k+ +A5GwvRXbiNaWic5IqI5Rf8bhIzeNBc/9I/spmuHgw5+RQPoc8THcOu0kj3w0oP7elmpmn6X6TFTa +Sp2lvrcD2tSdgdj+4PHWiknHmHJGMYobujm9T7hHrjMQtCPH79IN51xnJD7bI8JAHLSGcI4/TYic +N9d+6c/YxxsHZUw14yCHlLZzNhPNpstmfyBqHERHsEvywiOxxVxiTdc98lv69NldpsWNcCD5+dF/ 
+Hw1Sd4zus9f9EfxRT90HQi7tdAQvp9e3/YmOBnI9hNePw8VGdpdxhHEkxIb2JV85LUlU5pXbEtyB +yKaSxaKVxJavUknzWg0GCPAMC/NWcN+ZfZ1Uu1lUI1uLRCX/ONip6nXCfSP80WAkl26VjlQ2EqJy +3HdHH7GP7MjiiPFIzjjI0OY4kOxbjXCPsOnk++qomhp/dnW56tcg2kbiTNAYKkCIoAKEBxgY+JkH +EwwwgfoBGgBAAxahggkMFRxgYQKECQz+QMmSFRMscKCBMWAVJDhQAUIECChIUDjQ74AKFjQwoCBB +4TAKYMAsYIELGCo8UL/9eTZhwoMHhwomGAUKDQ4M4AILEgoGCigIAShQMDRE8IAChYYIv+CCBw8Y +KkjwgAIFCNRkYpqFn4rBArOaBSxwwQUfu9/wAYQKFSxoYBAIKoDUBADwADZjs0FgAeQODMQgEmZL +hZy2l9jYynt9hcqgGwe5X5WYY5U4er5X4i+ZF7ePkfRDAgaSVP0JGKjaD3/Sfb2122yP9tWlrPje +M+VSLMTjxjqmM3lVVbLwJXZTHZHaCLUuG4dBHCpP+7C78Uh1vey+H1eDBBMYLBQQGCAPJFjwAISG +CBgmlIUKFCiwgAHuB2hgAoUJDTAgHxMmAIAJAOABo4IEyKUCYnzrysKt3Wwx20QqaavLyr8KoIQ4 +HKoML4HDgXEoyb20HKWkQAB4S/lCxqcttf59Pt0NGxvXmTF/IOBles6M1O7p7fjJ21uUDBgwEKwb +2rEtW+slsZyBntqOBAPGFwxEbY3p8jxiI5eAgbylRgQMRlGTqaSJkgcQLDBMkJCwoKHhAPkbCEs7 +xMn2A8FJNWXFCNVFHNGEYnd1E+XiQ9yhCcLUWispEYQInJGQ55EpNVaiahZ9IOxOfimZiDC6kUAx +1M6BoG8NtrZRMAqbuWGky9Wirm2WWqGlFOcz6/8oboaXcFbMGlsHAwTHfG9b1t1fVhuV7iMMBGIg +Vgdi96s8EDjfNWTCOTPqqwaBWUpvXlLlLjKdgTjUtNsMRJFYpRzzDIRg2gdiB0J+NxCiiQORA9F0 +2pQj8cS1Zyde413dObO6+valV+w11SjQJItiFKMYhY1iNIyiQCkO5X4viqJ28nlF8crnFEWOYhSj +ZDeKUYxiFLfThKMYxSiYS5ITBZDjYccFXcp75nMURnmUNhLZSjYufBmRdYnlRjEKUjxpHgnEAcVU +KXkcRE/3KLNHMYrmUWheOIzilkbBl7SocpTbFOQmHQeuc+FI7IgwDuMCjsP39FEUvUfVcudxoJYU +O9NHQrBHA6mqMbMiJalatqQV61pSWNJGAqmPivmKJrlzLX5VRSz6Etx6sXAut+zRO1dJ9WXGUrTy +YmK1ZaqsTcp196hqUk7TFq/kh3VcSHQqS7cpGRv9B1t7Z4GUdSg6dUdOmnQERXWyPqUHUsFNMpuU +06OdUzpBZLzxbaVy6XaGA8ET3iNsSqkf12rX5Ozq03S0jJrCOuMgu2gyit4RVM3bLeouRibHGUzs +RP1eG/GIVgneuHAYxSjGBW3OKkaRI5PTB7KRuW7dMXE37YzEmccFHFQ+LEZxHro7rnEovOFxIMOU +mUmcJx0Njv65H42VKWd4RmGZmTiCMw43OZ1oCneJhIS4m9pHiA1sdtMnpuVtB9l017ahNy+Py/aK +1XZzb8+s82dn2NB3hr3TcHsc6cre1b1TyWIVLZahrmYVth5rYXLyHudiHhnPUJcP+ZhnW7fIXZin +hcx3jGxqhIytyIOZhGaEaB/h+ZOfuLeG28nam9iFbK3J10fuPNUzS+YZFZDbVRCBuv6M1B15leq2 +DwvfSgizLrvWyl3Tsj021/PciInfOj7nE3OXdg8tufvQsG25bpWOs7SRb/eQN/v+u6dhVbLWLtUa 
+H/G1bS/b2r28Jee/23nfvbt8El7eGc1quc0obSvzOKnU6sbKfHZ6t2z2kxq/n6lrmXYr+9kb1bau +Qfgz4wIQ3Ca+GlUba7+mjbdtBUwYCARiuqlbqh4ACUAoJDQ0YFomsCChAgxIQCqgQAWGBEhCQgUH +VEB+CBYiNMBsp8K2JVudcpV5nNdj1SXL4lh4EdmWx0wRla+ObrKO+GMm7QR2ZrNRC2suYecRp82a +9LpofHv73N/S3pnSxI5cOlS81tXcTHpR1Ys16YWXTnxyl7e7ssYbCURaubFeqs0Nm9L5+qZqT/ih +vZ3MCdmU93zeOspyq93+uPqKpCMh2JxbR3aleP9R2nQX6eyLEYlvmfJuuRVpY7dJL5pkJzbl+WeC +tyf9Lyx9durJ//6RqIuZldroud+ZP7NuoV7ZJPfUhkexa1W0F8n3kt7Ymsrs171sEt72Z7uJbY5s +CofHUC33OrUYT/tpG8Ez/VUZ2aeLRjaRSY9pdFtBraWtW5qN4m5bxaTvv236Nr+qR3vDNfy17BfU +L+qRtrtWW8krKmulM9mvqZxW0p4Y8hb9RiF/tiIP/XLPe17+jZjWclVunmRDeHRHJn3xKd3Uky6p +fLOsVhqFtF7PpPdHXKRK/Do7OVwtyg+VijHfeSTkRriCUcjdGGVmn/JooyMvzb6RbUVaqlxWvrFZ +Z83eaE/fO8HUbPq5ju7Ekqd61CZciLJa0flmqncmqGWyxZe4o09ggWEBDBioQCECBAYUHDBBYYEh +AQhEAwxMYIFhARQwTNAABDCADFQwiknKG9G5LD2W36mmGtOaPU3n18VP/TK0UciJSSqff6PoRhNc +/odPKXzD+QkUIohAAgNyLzUBJn0reO8zWrkbsRXDFVlFahzdWsvFTNIVvlPKnE3N1XOyYevoFW6h +omqnaRozp6jOOFwm6+Y0JlXf8iCOFYrhjAN1t+VVn3jD2TsO2WpWvCPRZLrj8MtKRp0rHu/t4fYS +J65kjmCPg1xHVMUQU3JGuC1nexwwR645wvIcOU5UnhHOcZBLLE7NVc7mJG49lerI9TiYyhq1tq62 +ao7Dql7LSDUh/+Yi7xgWDyYOI6OhHV1HMHcOvHPv7RFmZj4+IB8bXZpHznpTZQ/fEf1uLSsKK5Lq +6Gzfjk7qyHFItZtSeyR1PmJ7ypysvKQ8gvtLIAJISKjwgDQ4BSwUECJUgJCvBxIqPCDBBAkNDEUD +eldeknvMzLsbRSLetV11vnVTNT/nZV0r1EqpqzrGvGPtRbT/RnGjOL5WMzHQqhzINA== + + + RKxBw7VbBePwu7KPCGBtdXdV1acBh9Cz0prrqi/VJJXa1+4NRVHlzn93fHd3iQ22f8N/+Wwo0J73 +rKvCaqupqoYrzBycvxpubGZkdzOzu9O7y7O6ns3MikXMzDxlZt6dMvOUiYeKhg1sL0Q8/kf86/4r +1eup3t0RD3/ZlKeqp6r6356WmZRoT0t7Y9ozcykvU+2qpqd3Pe3Eu7wi5WXeO6s18575/z9D1NbL +3fcVH79+a6hUav3atDQ0s7Q0MzMzQzMzMzM0MzNDQzOzNEtLszRLy7S0NEszS0tLS7v/7v67tkNV +u9K+zczuWkOtu2NOZmTjIm3P2u5u9+5Wb++OEJHz7BqQ7hruuBdRZDImUm42JGZnWyZSZlJm6iVl +ZhbJlJlpx2Ej1MuGUzx8qx7rDerveqqXO4Rn42pYwhvUO/zl/a1Whbxszzvr5+pysnVTWaWVtlXt +dSP/iIjXEyI+EVF1j07t+I7PGP9iY0MlS8YxVr0GszZku3FWLzY23nJjZidnLo5io52RkZH4kJAJ +l5GRkdEQkYd5hDszG7FRCbsRG/uSsLGxsLGwMRsJ0aaV8LBOVVlYtnWT8/Zeor7bdrDI67u747tN 
+PnsDZqZdrfcUta55vcvGfTcYKiqhKVtxrY3g8TFztS/vaovRiqv0EIiLhEy4iQ0NaIaGuNgQow2o +xHQMjcpoJABIAnMRAABgJA4JhiMCuVgqhwCA/AEUgAW9kj5gOhRIkyRJkhQyBgBAgAECAAAAAJkB +AgCrIAAjXwOEeo8ONelpVLVaSf2iMryGCB2Pio2WqH0/GpxJny117O1VMQLwj0qky6TR9UWqQDUp +kVzGe+MGnBoZhw4AxfpFOiO5Tv5KjGVcJM1QuaYCC/Gf88Ec2F3t9mGgSv2AaUMdjLc7jMiDxAL3 +IJ58LHXAbx183NxIrQNOCyRR+aE9adT12i6zRDux9PC8dECYbw0ByMKjJRbTCNR20rC8IERprHwh +IUVoBaJNPS2Bw5b7t52JyYLmqCGet7Cm85eby9vX0/AoxgNFpZ+H0+xo2aqz6OqV9tH8Znl1k8En +sJdXO/7b49A0vq2JWjv+q1lJI3OcJSGJMMyyjcxsQG7eqmtdMjkCfxiVZ+bXrU4lg4Mb5fSAD3G+ +dvxjBJSQYaQ6qJPYK1VoVgbhiQcBvJRSAiE47HCb8UF4ygP+86X5f6bpC2QurrvA7ai9gTZkICSB +NHRxKnbwGTQ9SmBaYPTCqbknM4mpcNh5Ks6aQCZOVNcuyNrnT+EHCZDQwzZEmUFcuStLOBUm9hlc +yPJjcT6KSdd8dwC0yGX+lihhHd4M9MoYMlhTg+gPeLC7URC/1Ma165f8ELfcHLgxI6lkUOpVVxJR +s7Ko/Z4JLUWXTge7aji2oA22TpLQgXLUh4txFJFVBqtg13ffLBUjjBC2UNR6xrTYeV7EjfUpai0w +bbhIbbKoEaxk1EAp6MBNRzgT5ZlzHVZw3p41caHtJARnOl09KFw/SDUJ4KGgWMh4NnZFqWy8Byg/ +Yu7OETrkYGKdiUKDf+Mu5YFuU01orA1ahPhOu1dC0ygchwP273L9+zcuvJQiruiMRfQWJRbcIgkd +DCCymbyFVDcjexNhsNrKucwrXFm1PWWciRG3XblyXGgv9C+iS9kEKTwRGmtEVJs0gmk4f1PDXg8e +FeyMQNeMK2MUlwikDQ0bi0ASXEn7W2M/bXr46NzqFUIKTiDAp+W4Ou5GDEjPwgNwLumApxtPK85W +rr7uLYpIwgBH8cL9DoVIgkziUM3siRWO45BSA7CZUUnXndR5RLjHvB9R919xfrwY6IwW5IatqGnl +oHYgrz2UPiiC5qk0OAjq80QE4amwu7nWVXLfywIncAORF7D8twSxLIafuw9POva+A+f1EvljmP0Q +EH6u/vRC45gqTJ+qTKg9ojpcBUwGvZIz/fmQGQ9ItLGXyy3l6qP9Ad565sWZGCQPqqve9ElOaRdP +wMjK3XgRkYZ9kvDTDClSzsRd+ggEPsAd89pbVwkA/97KyKwb6Xty3KFQ98GXBVhiGHk9lfd/6UeB +7MTw7Xh+HPmiaAxnB+aBZDTxrrKNt6y89qC0f4LqI40fnGmkrvCz+rMklFqTn99hi5KBrwQPsg0F +1pN/CtEF68NChN8R1L+BeZDznCEBugEkHiFVLqw+PQ7zy5AsEe3H8Lf+eYNmGOfDIdqeu3q7z34q +EkayXkyLcPQzgY0YMb8NiJBcRVS4SXd3PNxGHdpAKo3yn0OMGvVZlOaX0hCMkAxOKqB0qM+fyIDb +5HWLT8QiwWGQaNFGZno20IFX4dTRrAVn+xJxGpJCICkddM6Y7TPUjkMG1qDJ/hdxx+Svz9YMQOps +udEvkSZiyKWJr/A19uSQijJOw8a1FOmZKBRUm9NV3C8p1Okj3S0kbUXX4YuZGTQXa8HP41ohRDPv +55cO/iP+Dj+XMPOZk4l/0KA5kCwBAYRlfuXRODgbRLGopjSjZgqbMgeHYol0cVW7UsUf9M9NwKT4 
+GERorBOohpNNlLCpSvWAblunVHcPNdmo+JjrfZrjWp3VFaOsuqe7Iuw2X1xyNZAtKBpMyV0rsdJB +60e7isAUkFwJkahj9Svk4enK+XsET6JyPmKMKtdVP9qTx2yYTv5Nj8IHxGWXhYPbUZwrTuFH+uh+ +gzKBjdnZMU8iSIxSAr9aYY2o2KA85X4PGlOcy/jAIOvexuBihi4Z52kq7kxlel/DO7Ob79L71Ptr +bhD1hhzjpl5OzD/JRrEd3Zc8L8dVwMMy+/pWyw/klknMIkxlRb3tE9n2+b3J8GRNqKUh1LwEHxmd +eIKDdc0HEes/ah4VMFKjf6tJa3MZohAX7y5Vm/X551P3W3NZzBwToT5/5/vLBVjpAhz7A/K8Sefh +Gk0edAdG899i/hvPEV12Avnpc3eHpO3WqDuhURT+TLG3KMakw3+i/+uw/pDT+3pXpnBacn5PQ69A +7j8LRKtW+Hincjbk/JD2QJJ88hXvsr+jAhRrenGdM0qnCZDjaUutwklHdJKjBFggzqBemURFoI6k +96jVv7VlUpZm623Qjy8jYhbup4BC2wFATVqkFpPSu38Mon8Zid4ODCQQmq+tuQlz9c8kojpOUmcH +E8u3wI6xJQCSohXcm8n5GUKwa5P5VNPPdwpiHxHOBfjjEdq2N8wT3md1qh+ocovPCM9OIxHhVMgE +ADLY3pUpgV5kKZgyi6XM8VMcGNuXbAC6XtYuQPqzo3UHXw9XO+yO5LuRioqQnd5k+TOlYKSNAgN/ +3cIFHFhWk/dC9IZ2N4iRCdJckB7GXr5An4H7RIHgaCvfQPLjU4AvQ50ZGijas3lWhEyk8QxNP/ig +AfS6dtkuMCKkTDR0PQGU1UVa42iInNULkRfB4Mzfa9UmExgttILInRsibfLe94wkd24aQu2hEKHB +xMmjlDBvl/0SsSvrl8uHbyre5DDKRMQlSejcX05HSnaTcBgDT75S+CUrxM/VOb6LIyuO5UzRwNWD +knGg+VlFZPHB2f+OHJuLPPGOG9WoPFtfE1Qi3vBn5ND8XndkPhAGcPD6eXFC6Tyon/YO03/dYNd5 +FQ3bAs2c1ymolyT7d+htAhGbj40Kz9V4InaUtyU2hJ2B6xicglUYG2LI870Hn8R4fIcmQeaV8PdN +Pvt+uwWgkgO3ZP9L3mFyMpOEHx3VTPlmGpwpfS1c3btr4A+JsJOCNwc1vk5WGZGK0TuikLawNg82 +wUrzZJcjKeG6CN+Osf27rO5nUdB0ymc/TYxZR6m2BEhnjrDxoQ0Qo2BNSSTgYGkD8keQoDcedBne +5nh2nromAV9GC0uDtOWMm/g9n9Fr6Ij3qY9Dzxu1ThSYaxHzURpUAINNxJqQR8exHTuhDr5zGbp8 +xEwa1+35n+9yWAOurNqOFWOULvEXpU5czZTeZPkgZQMHFjTAhBTAjhPAIyR65KHQmnWWs+Lgodbw +oDLicyco7hh9Z8GP19o6T90WVV45MaVlfqoN2iNed2whf4ldqmIOvYAQnAdF8HlHM4XEiZHZawvJ +//XaAMgDTQU6t8sc/4yG2T9neKRDa6cOlBkgQFsFwlcTFErsFRsMEExgPCSHIekjT1J25xjh0SYW +T9k8nJMWLfrUWvn29cTQAenx56bZy4v1tAtAz4xxssJMTyqXju0fNiexA38m9h9JKFwhAPRVH9pI +rJyqEzsxIQ9LkaNwH2s5Rl3q/AwELlxD66+oIGaaFz8tbovaJSwvD0mfYvXtnFiAZoycMNIH412r +dvBjOFzyXNmWeSYvJCbWnRBLKf5HiN2vh3K55nGUwCdw93+YQlWSGX3+TIH5ScUguCJx3hyeaZRP +y9cVagTILqoy3ozjoqmwVoIPr03Y8joHA6i7IeFViY+5TD+Aq0LWYf3SYVtmEqDT5p5AD8TDRXYQ 
+nG/nhgpymKpUJBhYNR6dmlxY/XEKpfmOpUNeTceTJhajUb/c86jFgYCD2a4IBEU8OevmGnAG6kbo +HHDbyLSko45/iB9IlvlDXGRYi1a0BV/InQkEJjoRuOl43Vmrl5x4tMbfU7sXFv1KjDynuiieb+iK +49MFXMqIcgKcbGZUqrXd/b1Kx6LpfKmm6qvPkn5IFIxGxkAi3ryiBWmiUBcL8Up/3AnVnzlL4Qie +EHh1ciKXm2ldJyNozdfOgkOV9K7qoTfORGj6pF0UZwU8CVQ1JxwC9bRfWLDa0rHQNvSFNbZSqk0C +zdvgOYIG7RAPygsaFDEEF0xwn0IKXpCvkLrZ4+ajMWBoN/nigMpR5n3YHl4RYLXwuNmU5ZrXAiqo +KIoi3Q5lUm94ByXUEGQ/r6yTEFL5kWbLDF7Q6pV0iERNBbYF71kOPgtrn6V/rNBI8W/gGk8YgRtl +/8A9ocigDzt5O328inQZJUwVOAdbtEJhRSC8d/X5AoilHlFTLxMPpRl3Nr6UKsck4MevVIaUcK3W +BFE8Ch8KFWzyHsZdJ5a0o8ubjePmYsqaZ0gLwOvRNPB0/AQ8SKYz6W79aGWMpTKarW5v6Al7c5IK +Sjc4E4PqOPITwklmEn4O0dfkKX3rD559PoiYObn5DdkNVGR1UiYNeCeLxQv0DXnXpMBu2Rnj8brz +8myjISF3D9F1R6rbmejkzAUAcvwYilpNm7bdt9uuGcGf2wNkEXhe47TQuY/BypMX9IFUAoJjqE0Z +yLe7nYx7Hd24Tet10pHnvwAfSK+jbhb5Zpx0trHhgpPEzv11oCc4Khbh5C6D34nwMEtLhf9KWQjI +nvhrFgotIgYHoc5UF7ojFFNbn1LO+cM7mQgegmV4WL68hJw5L29g2HKUXf7LfS0uIxm8b7HfDcKG +QBffY4lPVu0oM9iaenvaGg9kQkqnNGProJq5MxBxqQlpOzchC5i9S0IJBUXe9b3OC6VocmVRGslI +ELyMcDlTQPOaosAGlOIoz5+Mh7QfpFQ/Lk5b5QmJx/T4LGL20FbJjrdOowPNkH1M3Q== + + + gwb8YFMMHR+P/dATRucsOBTLtKiOAWAYY4Xwh4vtHQP+QVbZyIkMlEyenvcR7PWm3xizbywkmtLu +1IFMTMLrv0rvmDgZTmUiDLjt/M7TWA8kZBrWCr/3fd2o9O9LwV83FUAstaIzoaA0tYe4iEwGgSWi +oIS0LusUN76BRZBh1fS3P0PPV0OJtLuuWZklyTCS58gIdkwaIbSK80DAE/jhkTKK6Zgk7xLrX4fB +7+9t1f0BzuudNNaHKalZ+OoNjbl4SgC49phIaQp8/fiGPq1i0CBn5KVmUor9FMFJOE/lQvjzmCyw +KrELhXkRABtoDTD9MJNCDmSDODgHk+3gkuLBeRB4QgDvF+IzHvkBMo0uWd/gE4Hk6uywEn9XIG23 +l5RmbbW996PhcPT4q3mIpPVPIVNqETAYaTao017v/7aWtZDJDkALsk/zyHaCZAPkVi/O+IPVQHAV +fNrY4SXrz7K4471rHgQrKICaxyvlo8hkQYSgISrsPr1Mb4P0Mc0zANRW8hYNj5OiVoRAcoJpW4Ro +qUVdKRSQckITMQ/2YoBgGtCOF/uLevFhy2thT2JdXx5TrMD7jav0UVuAeYjuvGpD2kX+Sai7UrW/ +ndm4qfuHSzNcJXe4j81eSv96qGBXoxnC4OURwKGsRPK+gDBPSBt96CUgng+g/uBAeNhrL49WD2Te +JGNu4aouTurmmMwAjf9vDHBsVY5zszx9cAbtIWt4m9glEdZszFi/zPzPm7w+cyjGPAJjbtKILS4Z +7H6FsTymcGI0ElxklkGeauoKadgsz3MNEnJMCwrbFJoar6gyKZiq00G1jWk0QJBEzlgunpPLF0oB 
+rKgL9IuxFMDp2ZJVtmH1q6wZ7hX9loOtqEDi8jDldo/K1+JroJ2Fbk8XFlXN5JGsZqdClY8UgIJy +VxSGFkm5H+PIhWor8YqKGMQoq65FXZNVD4d5dAna9beSGZeM9M+8+DQMpgIQcvmrDovQ28OF/1IK +CI2HuQWLyqn8nmBRYYm/A/tGEDKH5D/vepWtfQpgE1ZfqtuCW0ESPaRqB6PRARdbtH10KDq3rOgA +iXL2CqQJKDv6CrR1rSABJUOQljuIV952b87FZVa/zo+mmtRiKZwVFlhuEe9fPQwLkJDm1Dok+kf/ +3Q/AjTedR7+CgTM0MLOciwYHmokCgi6WYEMXriDH6MHvrdkKsMPXc9YBTpQx4L4TDSja2xXway0c +C9+HO0L0Aut3QAb/elRTnvnLAqzAClu95qJ/DtMKGPBqVrCsXdqiZAfPnrmOyl8/bzljh6x3r5eL +cs3GqxUttFO64CsASfHLr6C9OmoePauq8ePjykWbFznOY9UrYPs63Tnc1HEKjX9TIi6KYsKyyV0B +0hDRa50iQvZ0eMteLKBo3WKrsVe5o/RqbRWBmU+/ifpn8fqzt/f+D0nw8HQ5EBanu1YYkMAUQDe4 +o4YHlbTq5PTQf2O5F1nNWJBP7l/ZRQsx+thT2wDBgsyhLyn4+KOLfuEs8R8u00VDwpSG6lRm3qMa +C2RnNS+PXYZiPOduEpw+syWETQG6dlX/2jbekOl7ILXT+wc3/8zFubgS/kt0sKDfUnz1hrTC5B2q +hKHNGNEMmZ5dNNOvcxqFFUO76MoN8b2s0/qg1LsrCpvfPQhdffEeWg1k75HKBQAQxX8TdX/1A2Xn ++N03VEYEgO8aUAqJY+LruWQir974nrATCkPviN0zINvQ5frAeGeQXR1pQfRZvQFeVEZNpp+8et7a +0KbULKZWSgvlD9XP/Xb1QsL+Yf2eVvVLxGd3o/uOlLDzjfQsBtv5H7bLF7R9xx8FYR8WRKOr+O4x +2Qsz70dgMfFMAK8yDnOf/ITkORxPLpkd9Z7we2IcfYSLFaCkrR2GzXTmyrRiKH7dSV/CPDXZ8NjO +sSxKSeOfey6JxG47SoqpAfVgH1T+E2lEvnUX4uauUVwDLVLV5qXf1vIuidzuJ3FjdyyvAbz/CqtL +UEbDhzSW3dVg69pIrdeZtzykfcey/1rpT9vnPkMqTDi3sfYsLbGCPzy+2yoYsZ8XeGmbyNJYtDrt +9AjcDDX2ErR6SnXhuDGBETAwgRQaSEvVxNdIr5uRHtcCXQJTRGgThn0JDEJ8CWQa5RKwt+MS6JZJ +RfLyY99Swjr3pyC8aohdxuMG7I5nBHLZ3RJwlrbkWAL7QbYEUghkKEaQcgpCgSWQsrDVX3w6S+C5 +kUnqGkYhTUNbWgINnlsCawCP1JeweEaMnQ7RglgCLT58CeywfQlszlqcgwT1HF2LGJkv2T3jJWwT +D4NLYLPMuQZnzoHBAVmto5JGVZjQiswEuriWCewJsALY82YCWdUm0WUCc+Kjn5HM62P5XmBpDGJy +7ICWQAsp2XWWwM+yEQjZdy1RuDIdpBEbgSeNt/s1jpYRCOsp2wKf3wMBTmSbRYGlcwn0cJAyGQIZ +tGpMrdlwI5T3VgIBPCA8H5TMPAKLZWQ0N4JqE4ijKoqtyHRaOUy7QnzK8oB6ET07Amnzfm7ZBRc8 +Rt+H0f6qngqvUtnPjECEMg5cZa0VRWzxcn2ZbhytppveamnOI09WTlEafzuKxq0DgOE6brCBqF6V ++qoLGmZylEsB1KwEDR15tLhAoCW4OoSYRcvnd93NufXXlg5irUfUVGNyq0+pD75yFqk8VXVzDeds +ybc5ZnvpXxbSRRffNzf24PBpqlrM5UfUAQfuPY/3BaPIdBemQBtruNHAq4vPvFhWGuX2tmpi6IYW 
+malclpHqSEUEH7lxFRJcaPuLAJX0YWA/afGu3qwwoI5vMMAnK5yWaIqtjo3qYJh6geUKUv2GlQKz +FNLchEEpMJ4XafZcGHZEKl2uzOD2eXIS5BJewihgt8msoEERSCHgdcdnbwzvYy+bdiNJM2ZacrGB +IftpL/GOCosMo2S1NvjEkNBpBmx2L1m4wTxjzNiNXjb8T0HAudQas4blJlia5l/nB4eFM1Y6+q/i +MjIDoAWMCGj48grtNkkmR1/DWJLLIFseFKpFv/R6J18v9mjqzuuUz7UMRt9v4/0+ttL0S734jIJw +6ijl+4yDcBdW/XWi1iYGzVtGbbizN9q1q2KwJwmnNkB/Bd0OcVJVYTLNFoIRsvBSzghwhnHZo5VS +XUNcYSnn8/lttc5hR9tBSV5ZGONEHc21PNC0nXdF9RaUKmL+j4wB13+EoFH3+5lX4xhBPxx50+nQ +YthzSVIUZEYgyXIXVd8WJK3MDvnRM96YVQp5nCyLPgTEpbELCySKZWa81O9mtQMBfU1V8usHtKnF +rT8NmrD0lQkc0EZO3yfOAjcGdwM7C5LGl3t7giREXrSgkjqZtYodSBUlQ+KzC96NK9W+BSZxO0ak +sD9sF2PwcVOOFHAHKMB/iMgj4J9kSDfbLX5Y75iysKwph0IhJ5nsOK/kSM+lJ2TQc8w4jHEbljKc +wMAPCojgEGdWuZuCaF3hfU/7EtlaUAPyJBbkv/RwSs1p0h6zEADd1tWhRgXsfDKszHqmlhCNY+OS +J2PW5KO5az3Osk/SJ0ym/Ch6SPBjCzzWFh5+dwFaDoTQCVr+8W6ri63PYi12rilUzML/oD0WC6tA +ORSB1nAWMwax78q25jst8K5/1jpOh+GxkHUVN9Sq5SWZIRmg2JdXHjPbGl6MtZNxI6x3PiSUqaI0 +8KynHZ3FsgQDhxOJWgJ7XoGzjhELNcz/upBIXplJ5XnW46zUJXZTabIrN9Hj2tbpZvlXE2wlQkCY +/wuf5OHrde/tqV4yppzQDqI0DJvzXGW6e+mYMzxc5IGxpnsZeFsYwBcqaMEhXugWAPtxR+G5GZOy +qTac8aGzpEfgL9SzAcDU9F/Se04MpetdXIyCJqvEvWXhf02jPltDC4NHv6O2GNjm5ymy9zb7civ1 +OLtCedLuH6OfCLR5Nqv+Zyxjm0k9zHa0uvoWcvZwkJgMkqGZacO2PP0tIWmhJWo3YwJ50ALiFJhK +JF2BH6Zw6p7+LIKf1acBDQx+NU8CsJhGVAKTwWjPYSxXMvKNf735QHdNAjj4Lwx0DiXfjQiYQ4i4 +Der3xJAMbLbp6MgSugfEvqAL10+oNhiVo6xNSUyZnsyoV3zbcLaBa7Pm3ojQYsEzbVahBQXAKfIy +G8Ss9vpKcRpaXjzIGJO5e5EoLHarK8pfBAPsUU8YZI3ng/XYZX8xSvttr+aGCEZclhTebHElfFXD +ItLEGu1vuLVG0jplyDkwKqwQ+AcefrgTTEqBNezwfbfvvNKwJQDmzJeJwD2A4asoDK6O9ekOOgHJ +LsvXYucXKAHX6WlwuNmCzll28Y0y6jK4ZhmbiiqgYb5ny7vLUTs3VOW0uORFvmyKO7hioU3zTiae +xOxs2C7NEOQ3X9xsjXFxhSnjftLT6PIKDZ4TqshOhTGcr/O0SplhPQGiHHGkp1p6nip+0QcHDrrq +wzRhVz4+Hy9etj6dDymUsJq2S8NuGla2uRwikEG7q5mlnMXRAj4LZDMeav5LTJVmRvz4iP4nVds6 +SqsD0HjCUDu25FuLZNTbTeADeufuJvtWp0sywa3wS1yDDOVkRnTr8a37jOIDCJV4i2OoGJ2SJqBm ++0QmBbmqwh7jEi4qVdx30OhbDfx0TQ4CPDt9FOXz9lRs/Lda6SrYTqW9w9mmPUykxCAMe4WL7dZK 
+aHCp6VYzsqWhS7sDsqmmaNh061xvrHqY7NZWn3FFdzHktX2ALnFiMRXEk7QaZlgK6yewdtxq8twz +Os0ScikJoA4k7nP52Qh0OzIgNhmW9bnV48H1l49buBWwHlSMhJ5PXG4rlfv20HggntJmRs7P3Fbb +VCTjtTXo/S7a2l14ZPIxeroGD0RfFzC0lX995fZBQoIUyLs4ZytQqFV7zEs11zNTFNgxgWxFj4o5 +oKcODumvICSUTRy4mAf23ipQ6STkqw2XArpxH2kUgzooVYn4hosqScZ9CI7RUEHVXDu61kI9mbVE +HuOhFAEIScwvk/18mRDh7cQ4KaH5dwlmDZCHbyqdc7bJmVwder99+bc8JZs1c8hlAfizKIQzOopF +5FQsPGkS/9Up8E+oOzXsbGNrs+yZkTDYanUli++YSbOLNUFtTEHY2hIvgE3YavsiI9ha1kK2jSfU +myZGu/5LHwTVQpsVpFXksT8+yash4m9pc5JZRlm1BBU2pIGkkUHWP7pIe5JxC6Fka6zHVYFIspAL +J1n9JTnmO7knDUsyLH/6aDZCl+QwuK8kI2GK0HJLZH4yALdI8pojf1HPe7z7Qmr/xQzLsjBDrzTa +I1ub7zTIQ0LHRzKo/VQjGQRqJASBPZJdFiniFHO7YNFZwtCLZESx5kZbXSQ7Y6EESCRDtoNInYTC +5qpJBF1N17qaMW6PZIyosNxjQT+RLHvVBzIUrUwMEpEsTB1P4I1iSxgYz+6xHXWGUZ/+NdTr/YC7 +WZbFTZnGLnGqA6wCItnfA2cvySDdq3J4SRbEJBLmt5W5mC6SKWJjC/+VoyRvV4AboQ== + + + XTkwCtmoGZ1kQH8ud4WPkgw1Gc2r0K4uNtm2W2tAdOM+kzytSghPAbiEl1Ioo4ozyROnkd/mGw/t +R8PGosyUfGtTUvKdp+2GyhG9ExFUKSWrKVmURFUptRgWmbGxtNRPMpyJey/MDW/iKHx3kjzR2zb8 +qIq6x2qa3S2S54s2TR1xRbKJk69JptORDMjEpFzv7Eh23SuOIWGuCloiHkVyZtIqBuoMnAFTg5OT +RXKCncdWvHOc5NIJihYsbHHUGLDqUA5BkuVfCZEkm9a/jNiwAS+9U3K0KhwCS7KidmvpvrH8SO8k +2QZmjNpLbUvyyJ6Qr1qmZEEKI0vGSgrBG1lXdjtF3p8JZOUoYwj5G2RRYKRYHNJTVgn9NBsgFPws +inas2KL02ijSIROlRe5NKMFmPXYKszfkFBPULt0bsmEIiaPxyeujX8z00TeAHXL+Z3p5ND1kOXYB +YznX3nCgmrFFdok/FSIjm4MvFr8Gmtzz++zu21IdlrbprM9QauFx44LeZxK9VXnDgTyvUUQs+biF +J7ODETq5H0JPuMEtKwv/G6CmGpkYfu611aun7L+Jp78DQyQS3H3QqNeZ4vyh1KybJEploUDY8Hzx +6YVfCknrlmhzVr0BBrtOdaCyE9cU63qNgchiOMOKYAsqw9Eiqd/eQ2fkqpGkkr7il9ykhPJrOyK2 +roMAZsPFyLaXjo1oG2FnYKg4RbtL3Ecb6t8jDf1iBJri5SnPTtjwdBHbHIKSChjsmsXT8QFPjozU +RVkAUR2J9qgT14rtwyqEuDRZzNoUx6prTJrZ1ny1KAtUB6+MUZpdZOrTI7f6BI3LgLpwigBWshT8 +X9dM0h+gcQtRa5eFEOBbaSxu8rWFITlt6qwzQba9ekOoyZ/8OjjjIq4DoaHJeroFJ/YlLrY3ymNn +SwJ1zDXqJMTmGUTn3rtREiDJsgiznemD3j9tYAL/GDNim6S399aoSoAD0cWTLg1rIVxfS+/l+3qt +9UCPidxI3RMSJH5fTUjDM9TsuEzYLV/363nqClK+54K0GVhv1N1aWyG0+9gHYl2x3kFjVB+mALxM 
+/VXGzyxt5mnlLukBfseoKZgz9mNq8wcyXduDCrSzDpsQfN1yjIOOgMg0ETbUpkPhVIHzVYtqFNV4 +byPsWkdaB0BtsPbifHMoE2FO4UXc948VMxrPQU2BfOA+kHKBVRjjnGSdW9F0kchclfanM6q6KVpG +CeXIR6EtEG5iNFevOySB6lHumw2pghEMHAXgjk5DyXqDd63sMAnPggMn7v6ekd+P/uAaG2B9QMjB +B6m4KC04fizRpZrMHr5ZRV2+AbAIGryHRAmODd/konnlplZN1YDVLCLItHcjLqdudquabFFYXTAz +vIkT+44zUQSbPdkudmokDIZBgPWJQuEOnLlMbfO3uDAxFgjPBwte03qo083ZGM4pHlj3Emb9InF4 +zXiJaQLwTcsxwSkGlRNR8WGjwCop2MXJ4MsRTnzbmP0Bx3lq/ks640Ar/3IRD3LwgjK8zxRsaZxW +pNay8ejp66M+kcfwAcRyCBTd2MexsugheqGREhSG7pzeU7dgmHWwUpMJKgk7FZgNwp2kkQe9LlHs +S0QGMl/eeHCf6uaNaqhoF5xpgBga9YV+bT3BdX2h+WZHgyc7Sh8W+JqiLLNe3Vjb9exeY0VwWclX +vEE7HUcuzZfFnw6qeCQzhbkgoUO+djGZIJVQSNgUZi8tpU5sD3h2cDyCoSmj/rd86BFEYWZj/4DF +6HfplBckEsZisAlM/HY3NLt4/mQop0qBrc28JYPjua/K/Jck/sNb66VrpEQa3c80K3zL8Mcc3zNF +B8Ju5P61EgHyNuK2LHUZPEBkQyKJxkiJVcXYJFGrH1ilKdi8EpyL8Ssw5tTwX0C3NoMSpepCSWYH +2kIAr2Sqmn/hA48Ay+F4IUCsH6NP6cd8JkVgWsErDSdWCKInDdOuo0hZfzfk9Z9t4a+DxjrIi1++ +xi+gAJbZHOaWALouXJqCDruMKZfzYS0Th+38ixrJezx8id1FwUaBDqFsad09H0N5EF2Senx1tVe6 +Pi+HJxDSUgPfWoB3628uSJ4XvQwvtoQSx2Zd5hNVHI9E1XaEODAEKMVGepOYRACo/4oJXQNHTW1P +D8M06KJMkRDuvJLw4nd/kxmROgmxITMG8+0rYV3slisUB0liR8SP1XYl9WkfSM0Vtn/e4CcDtP22 +6t9JXKnEtQxKM8zxXp/N6vAnGEukRTHlbH1msJX+1JPdcGMBEa8nP+ymHV86SZOq0s1AGNLJiv2F +INi7yFoxJSkf1LaSNh4BU8aGwkSZfnAa3vhnZrMKqTRt6gSOwJij7Xbp+lORgro1OliraEJsiQp5 +uuUVkRLiqSbrsU6gr+pOrhOVWk/DrbJDZiFs6sWEm9eev0+RL+hFLjsmm4ki9d9/iCvmJJqoh9Cd +b8tRCgne90RTAjCDy0GCnKR1LH/y8WUkmQzODGX83pd/FyvAZBiY1Wt/Tc0DinYvLYsbIKGk9fvL +7bMbUpBRxS7K6fuEScRDVmhz9btB7dwPY684F5GYXhySkGf6m2CBSSkFsNFr7c7wXcQ1w0MGRM/3 +J5EGWl6dyYjeepkh+GJLCDXbHGQ8h52LulGdY4va9Cg03wjh4FKe3BFxIMlJm4P5brmYYlTTghj/ +q2D/UxnivPEzJd0XPwgx7VreKfjhO/w4rbCIcJ+x0OG4GQjdQqse0DJt8Kf6AeurJvOOe6xWmxj1 +0vlWpZNRab5NVV/uFSXysuPcKwQmSa7AQRi2XbnZ+CQJRh7+KoKPn2X0pbMysMBEDsiQNX4mB3Nj +o4aYaA09lCQpCdedsi2MYy+a0hhg1hhDBaysprQTE9qB9YzST5WQ7SxiC+zSsUCAFrOVV7O4MpzB +GVM9QDdobN5gQ+l1+TIiWfSlb7XeQqMrc1pKfg6Au+74zq3btG1qy0qwI8nQXMxa4GlG5sMt9MlT 
+FClPYEp6Stg2KVIFHezPjoGWLjUx7tG+EDwMqo9XSPaVM5ybUgZNK4XMBsTmY0jr+gDUl0fojB5M +YgUe2eDqipkEkFFCmxprRTUVRT+wmzaLmovrS5LRp5f4pp83M9WhcwTncgI3ihtqMUgJRjr6Xzb5 +0hWFUKmIRrS/ayO2JkRSEKc/VSEC5dSwBCWLGMEsFadZsBYs2WDP9XE0SDY3H3Y+nesqtPmIuN6D +bFoKyGx6XqndaWLxR3QOLU/27rzKHGMd3Bv4KiXcjiAZK4SGKGGOJrNDjiJJe8E1xIpwgf3fkn99 +Oi+kN5Z7Aq4pgrMBLBRaXLUiQyW3S2SCkmvKcLYYqA6t1KWkdBIzkfaoLibZSDu4emIXdWBlUQBe ++jRPI3E4GTideIE8X4F4yalbk+VPHFnlyPTbehRORWnYskXE1PSxMjLrm4WvMVcxpwr8GZvVMH/f +Y37mo+Ddr4ruDE1t2tu9682vOvNM9tmpryR6RlOfxDSeT4gnMJaazPeUwA7JGJY5DFFbQLL173ZY +Lkr558I90Ewx3rjXZJV/jKc2YV5OU0PDl8l7AZUnjk1xQWIJjieGuKz1HPzvokDbrAtv7DPFBcnz +pU6JBGs9+SLyMXrYoyko31RJfEHX7MxvEcLcHel1XNzppDXpntgWIrbs4oXhDaR4yEA8fGjcTgY1 +IwVrPFEURc5vlBWhM25n31gxM7MzWweTT9mnQIMNuCP+JtCLhmD2kCSbNsS++pSVm5hQgphy5osl +a0iadxjaZmjvRXtxZ3e2yDPQPtYgNy1XJwY/7y//nhiEIJOQ8/eR2E/GHm4/WvZzbYN6+pqEhUCu +L3dZoEl+rf/edgzjNis7j1/enjs1Wg5LI1N9ipkgkNR0EoB/XAoM2tLYS/gEXrG7jJ3jjc5TsL7J ++3jXiaZC0+5bnk3fwM8c3KccxzvnzZ30PmT+UUTQZzvFD4BpvxQB/gDqGDhJpItA+QEeBaEDQb+z +6AcX5HbWZzcNLDN98uTBOMn0fFrnI7lJQf2hWtwscKBDEkn7VAvEd5q+onrIBfv1NSL3Tu95hr1y +ZZ4VVpt4Gfd2KY+ykREEnsD57xPg3FLeTu7WJ8T9HJljgv7rN6SGMTh2Iz/NSu++TaoTzHfnvkkY +SPy/EOPh+vopdra5XqC5fnTeXs51r1G/EXqU257ElX5ARUcYYGDSEEtNqhRlufaqbugBy+hnUJow +5D3tiws2EXYCOun1VpQ49jNZFv2IiKO3p812njRDiPRaO2Kw9xaeyEo/kI+H98zDBj7/7IHxSs0r +8cD0w48deIfM6/IfQ8ErQwXgqCczANjI3AQTXuDVvxAB8L9x443C73MUjljIbtzchRp5nECCMJRi +dQXIjNQJ2wZv5JdxUBbHFncUKpyIpa1g95HxnC2FtsMpdpwI6vJHItOefO6PkyF+G1Y8z0KgnS+l +hbwiHUG/EBZVk3MKjWhzVaKj8grYQp5usid9Bq0VvSoZ3KCH9SA+f8ErKRjNVaZMjsM6HFXl16GY +KMDPnrXIjtbsnUSNoNttQUqRNd9UTLczbuwXi+uQpiZa0GYQbSvvCZb3NHnHVqqOG+Ndx4VLS6Tt +0UntmHTBb0dkQKqk12o7Z3jhi8ya7diSIrw0xpeN9OA2p82ofHZNU93Db2zZlGI6EQZYAyee+xTt +FWO96J2IMi4gJRT440vww8Ww+G+Gw1cEcKvqJQFVYtzAevrlRzSb+zTqdmOda53J2LCLkGx/KHB7 +CoGQBMgJZ3nGIvjzJwrYt8+SyTnHptCWVUIx+YurYjimz1kYfPq78lv1wtwgFek5OIMg+MKVs5IJ +4oFiOmcrAidLexepTUVlfhX0zcOcBUxt19cfrcnIUFFi04gN/FvBpE9hZYNGBP9IYM+2R9C7l6Qc 
+vK2iXvttewsJgNQ51bw3nS41kdAjytlzRT6CQjANsUXtzZrZ76DhUWlresJFiLO8IYgH36FgBm/e +3/6WXUmn24s+i/D6RtxVMUUOzOMvmzHIMnXRb5L9OKmBErpZQ5lal68Cg0dtxjCoSqQqJBnY4YLM +UyPqXjdklBeaELo3RL7ZjBbsQrizKoFAUDd06694V+DIewwTkiVTXQI+4bPaXj4VNevDZb+FqvjK +h9TmLO3ncw9bjCUcq6WnSML/1c35ER5ELsmZKdo9pILNDgn5pkyS71TUkb4gL8hzQmrLOloJs3Cm +Gc5aDTswgtn8qA6zDj6G5gez17o6iBQTBpDhaWelxY1igGCsMhakuL2JXYbSH4ZMiKlRXwwKoJG0 +/F2Bj4EvNV4EnfIeJ658gaN6O4DGY6a4xdaP+bDFiELi2Haky7s8UA87emSDU1UdIzuMbOTwKsvA +zEt/vcDjpuj04A92Ii8uiqDJkrS6CzyWQbarHH+MmE0l0Oimh5H1/KdbwmreFZKMq7V3s0RFFdoD +rx2rCISR61ep0Hv6AaJWBCssErOnmWDRaimvFC0tq3BdfLUT2le/DMntM4CDY0ZAgA== + + + uidNnL6OAdTp46NBPUMIso57rpEKxylvc22EAaDybfv4aPWSyWW5pRPb29jclfBxTIY4JuAm8LZ0 +p5hRSMWIG21i5h0eSlGu9V4TxyjQky/5aMNo982TvO82OlZEz8JlOvSLg3Itui2eAEjRLHLoN5I2 +z3sR3TMg6ur7e5ROmlnkYROXVJFVSlTkkd5CLhwUZR86I1gc8rytywQyTU3Z/sQN8w8J7dlAWTb9 +EMSNAKkyRlZR1GXjnNqQDUPRvBpI68RnCiXfigeSaiPWUEZbf1iRDjuLeBwKJVgSTmaXhke1EurM +diLQQW5xVWdivm8Q4kDtag5qilpp/NP1T95sGrS0z26Y9BxPr8XYRMKEiDVABOtM/PQIAWotSaGt +/OwW4jOEWO8mKg+9t9pHk2MGgZWs3KV+dLcl3dl2q/YlAlSCNmQz9QfBsIW1BJ70HpKsqo2Yup6y +1cZKuOfWmR6MXAQIAHf2NeIAkQiJXGaAljgQbGc9UAsxdNHSmJlj/XrsZfefttuVc8oVewhqR2jX +xH0g2RdRvG8KvqmpR1MCS/wy7DMAEEuM3ONwu0oP8IJh+xskA0cCYZyFl6zIpWBNWxlDZfhAbqBR +zVZFrQF19d+W1KZ9w6nGcgJx9Tvg5i1x63UQh7Z+rfOnNsp4lvXgoc9QFauakh9+jLv4nOVilMDr +2MujfSJceNl6LqZj7U91HuK7FuO0xpb6hP6gc7ABVNzGmjRJscSblgq0Fny5ORweLgV5BH6pghG9 +jWw7JdD7QPCVQfIn3iOGO7/CUre0PvHagsdY1K6kkQa9PoLs0amTpzVHCpuGJGCTnFYKx3XXHtrJ +54k+AY7ZkChyLkRrXEpk5lqVLUWmFaIRiJJISAq8OHtLW0t2KOKmZOyeb7cMNaR/5BZ/3oWqZZLV +2ei+GH6sD7Ek94KsMaV0qkRCPZpoCrU3L28T5KPHuU0K+DKFJNon2p6Cllrbefz6mwgfga5LIwAD +6EQ7ihVUk4boKTTWO0gcc1oVD2NfQ9etC/BskYD9LW07LOkZBIefuSCTH0HPAeYlV9r+COVEmJ5Z +JDCW/mo+dF/DsZAjcJC5aKp/U4ETISZ3yFpVBPp2zq0cympk+F0jci0zmmzySOT2B7ffUFkj5EHP +JVb7OGTO7/6jTfpb9rl1Ji8rRHAzT8z1Jf8AR3dFgI7nCnzsdmpIzQURTSC44N6rqQhQitavUquh +Wf9NykbwkEFatjUtB2NhDnOuJ9D1RQwkAMGytSTmx0MwkadLVT6IT1+cdMfU/in4rQEKRFbNN/dV 
+hBx6L8kEfN4wd+C4uKYEn0Ovfm40JeNWCKv+4YpPeY1+GcD65T9QRabuhqULwCcyiNRgqXftH3FB ++mY+3raz6nQlizbgQrKpgN4ag6k8NttpXhOq68PIGurxvzjJSumUzoMsqCLetLGRQLPQ5NlsEHHN +iRE/aFZrY8S5rXakL2gFQoJPfDhWdzKGETG0vVFzZbROc31IYHVwjAVq5GlkiexgVQIgyuXLhdd7 +2Bv790GZdQn/jLfnnuDjZ0coLCgRImy4O5F0ZtnQcVvLVp7xDkygVRjY5FAxEyLfvvBeho7AmfoR +pCjiF6Si6KRs+4H9ZvFQTHmGf66KvOk+4oPyFsSJA4tjk1ozj5QMvEjK0PE2z7dakea2ieGQDwHS +qEZt2Qmdy0bjzWaqSKRXuAM9XVE+bsbpKWqZ7+nLhiYmrgIgofM/kGuptKGu7NafLINZJH2gOh5L +0Nd1Xa5XODWaarewD3M6f+AndOWhOtgvGOK4XRVT7PvwHetUOPCUgmBZ8p27jo2wZPAkCdCpeKlY +/wQ3tAPv9MSfL/GkqY/U+6LPNmtdrdguEoLxNIPoJFya36IVux8tEBQFNJF17kQ5CRDkZhJcN4fg +CRhEgaTQOXwh8uOtPsjYBCWTvObgvO6vCQhDFIK0nTRUDdOZK0A2bOALkaJ79Kzgeo8r3z5agnl8 +Uymc6FkqAF10OIkiW0LDHIKL0i8ZK4PCXylghXCqkEiJ1OD4pKPLmgPByxe0jYtSurlt/JKccwp0 +4IrgRlWLjl7E3HOoaIOv9B2UU0nBJO7P8yoHdCBt+xB3Hi4kuFPYxeb+l+arUfXqTkGou0siWz1G +Jk2sminU7xyF5Aarh6Z6UTLpXUmVdYyynJHa/QDhTXbJbGgRjGCANlLnoCJJAXPPoFbatloIouEl +d0+JVmtaEsYbvvJgf4Mani3AEaYUnMFSQ7iCaTuBa6GaY/0aajPKXTgOib9UIcH/4PSEnbTsgmYT +yE8gAaQ7V2DefPNkDtBlGC5PIYTJgyIh+iVwlyYiQ6PJuFUwxQ0mjNX6J+Uh4huGdPjk0U+XLAcb +0oaW7Df3GHgZY1axlHDf4e81LwY7zeGPAQww8TXGQSPJMJwJ+6grImvFPgtbKemqjbKsPYwsr2C6 +ZltAF4WWe5h5U8ZcLwAbV+PA1bxn3dPGb/B9VGhFJ6uVlJ119JgjfBjWU8mW5z74b10MpSFpSxup +iM/IUbvuYtkvTN/hq7xf7HyHV4avCBrAByg5zLC7VCuKKxcr9pdh4rY31kmFnr58Fg/MZqlJ7Cmz +oi4DhaNPKTmheVJXk0lBI0DzJHEgQ1wxWP+/iA/Wl1ISQSq6/P2AavPmD1AsfjlVeXzqg+s/vYwv +0IGYpXBx5mg+jQFB3IuRgfj9tBBMuaCak193z/oFLTH+97anBWhlwj1FEI/MzQb3WCz+aNGNEBh6 +9pSOnwS+45+RJd2JRbhTobrSV8YP/VPC0GnxzIXSNytmNtwDy+/u7bRRR+tw1ky0YWwj5KCqIvJh +WJM4sF4GnOwmuZMK6Eo6oMg0/6KAvZO/zj3T9SVJkAugrsxe2c/6qMbgOij4COIDnJq6l1nJx7rN +YZFlUf4RfU2nr8LDI2IkkkEtijHGaPwPRNvHa79rmKyofoT1PekoAUCyqiUuQQsN0tbjuHpxoaqT +CXjD1HE+3KYT9HMLUIiC5ZtlMn297LUCQIyFqjnbGQph/uGnTWY73Pxa0LJ4rg+L2tiPJfgn+znW +AUsYd7xNEX7Jc2fDXgbfGvtREF5HKugLsQ9V3pIABU+/KQIQR0PjgYfP8pZWL9hZ7AFi7i+B60c3 +IB1MmjUSEwmv0QygIjUX4qdCYBs+N95GzvV1MEyhFHcKJu40bjgupxUcjiXsjSZvyXK6xnhlacSZ 
+ukbSfLGJruE9WOG2LTcaE72t55uZ0B4C/mgw4TISfA+o5E7ldzAYUHZrvQhRUt+2NPJFwLZxFjIy ++VUyW9K+pMVskUwn8ODZa+BSRxrYSUVyBoQhpKDeZoNRK9IVqYDHlOIF97wYWqWHCd3AO5R4GgnZ +UaVEKrPUwicsobf6XqSbehlCJWMzXiqjghx/Exuj9y4tIaFoaUUtZlocd6eTzThGCINh09YQvPCw +hfAVregrrSB2s7+5sTFc8xEEwuECadDDKE+DcqpnB8wWHrxT5DkYZ5IqcB5BWIctS6v3OIYR10+H +MoZeaOYuQj77LbPnhSOoOKoDiOXiAFmWTtllcazL6q74TiA0E5+1a/xBK3y/WBoOud4uPz6bNaHT +ElijuURBuZnQDsZoVX/aDis+bycpRG6L96NArT6OQ2BUd7vEdFfg3e4o7+XWAdbs8D+tDh/R+bcA +pXrHc9eRwzihCRgneFt4t80/DNknKUyWyHSUyIAziwoBitzTE7X7BcJlqoHhHFHO0HvprtSfM8HM +gu1RiIaAuH3aYLOcjKzldOrOdvGnrdx1f4baOxFhcUkrhtK0lixEpup46FL+T7G2cO+e25tG44Dx +1f4SGyV9CXtwKbXYe9yNXKx/rURzK7kkkHBiFmPqVhMgtkGVy5OgXpgwvUDXsdNwwD9jgThUIroO +y+xrTypLc4zUqNyoMAoTi1w2Ir2MJPiesNH/n92cWyuV/SLHyHlrDG0wKkpp8/T+9CLj90YmzAow +SZSyA0JkAtaGv0IUm5JA7ekKX0fwKMdfSHZKTno5JMgOL6TQZpmorcjRmscgV+NiC5JNuRCLArWu +jtjKmNcPEhFTvUrZT7CpT0fy31frKihm4cxB0o6wYZO08RkoTsGFsJMesx7hj4jgdkYoZHgK+9bR +uk7qvzSX3Dt6q+BG0+NB4AQii1Nh5Sdrmh+6KwY6skD7IIgwEMJhI7hsz7a0dmyKE2SLhIeNNEV8 +BgsH7tVnpO2+1Q977PxZH3+yiJ8AokcynXG/ZyWSjezie3eLsANVSfRskU3iEFilPX6r0UNktSeA +FwNNGHAs5Sqe3YaIpDrYJ1GeExYNRhjbTLRxBk6gKxWNVWvAibXnY2jEJM4asb/FtfHtSune1o0q +XxJV2ebaQSyTaINN/OYfquOhTUrGp8wlj2owpQKVuE+JZX8YXu7tvmpVCCxuZq1nG1pdvHDB4Duz +E++C1c92sDhiSmGq1KdnWKYHQN4R7CWh40Enxg2vF7lqU/f/Dvr4FrlQHhyKBGHPIR62JRZvtMXM +CNG8EuZJTRpLca/F9YpjWmCBTsSLr8+ugWu2fuiGsqmjQVsJtCjtzjjmkRVHGpMp6HG3zs9KmR3n +PTwvgUkhLfLJnPtnaSYsQG4Fof2jYlMKeWpCM0Rzphoz+u8IDaoigDxD0uob/GM05nLtILQjmnJn +JDodougR/N5DFA8TXsswZCnc5nS9dL3BFgmhZ/h6DXCBRc8iiSRKdUEHI9pNzQ66StQ5a8skmevP +wg0AhqeIIq/9Ep2qa9uba8E2X6KNt+jcdW+JptflEGtcYusX0/YKUq5MhbnOc5T8R83MgmRGemgD +RuxFAU0IkE0YmXMu7R8BA4SENB84O15MCbGrrE/rkMMJQZ9xdkuVvVvQVYojBQBHbgUTgIfEsPuI +1r6UpBwgU69I/zlP+7MWaD4NaPEKx/T7XVQsEgbQDsJJBeaxaY1JwGzh55XZs9osdUU9CWiqxTG1 +T/sXzwyr6zIfrbFypbXkyaPSoeCz3dkur2ktOUDNmhjQhabh07csKv48zArbRerAA9FYPxugN1xN +ZcO8NxgtR7ul/WMz14G9TruE7LZHFJgWS5BvSc1XPSNF1toIEtv/Nv0s51clkblLIN0s0fIQRsyk 
+gN9gISr4MeXaf4OG/OYsc7N/MtYHJwphiklTMIaKtR5xo+lfoXU1Tn9YPAhsBg2KFY/zmN44InYC +NsFFAYtLvZ7eNOu0Sx+mK06CeUZNnM6dK8xCB1h4vOR/wZCD6UK8ebH5QYi/SQigKxbjSyo8n2lv +HiA1jdIgD7BXguM3AiX85K6GBCCzWJbjRWxCTgM4+Es+GvXmqCsBjQjrUXOsfTbA+NesQDsEA0EJ +3UPLYvyBxAMEA3MXHJvXuTepWCa2qjOcz8VoFoQozmH31Xf6Gev8LYyElbzxMy7vlYihKZnPk/CW +F7JKIowEpmqBlWDBOjte5Fx7PMW2xrLmmOm0OLEk3sbCJTlsT4JEYA8G2+GsLPelmw== + + + MUvQqIuSPLyslrFlTCBnB9Kpf+stKx0syXdFLuOKGVBVa1m7W7G1t3KbTKh9BGYv+b5TC/icfAAw +cYFyOdAApaeHPk4P0TaModjX3oZpJQMh7xazK0X2kxrMeB1CPJk8hK9eESMlCHjoMcQn1oW6NXGu +8DnvJilLss0XqdSzGwwbL7SACYhG9qAsPRX1VqrNspZeoZpDXRWVW5+f0RdEoiIEw6AfiYPRALXd +vURg61CaxX4UJl0CkFmSSbcGwCv7yz5xV8jJidKMgDBH60+wpComlG/YtdcSWGi6Ng77ME81C9mY +ABjjvvpwQDB4QNNv4qPKec97HGjHwko09b07YWWZkczTPcrg97H0izZccRKA3/CcD/LFIDzIEHuh +d8OZXoYZcyMXIh6kVIG+yV7kmwZZX/5vmcJE7vjl5NDu22i4DmrS+I90QypcEVZNXRdhN7q58w9L +Id9BSdM4WYu3wERwJBHhJSMRZXg3BJBBDqPpJlvFZqYNNS/fMxryRx2njbIOLVr9iL5IN6T8EmoR +gQDQPjW7Qkvou9RYVMaBtyGFEgBf181F2gSFSiYp3BLJPiqLwKEm46eP5CSFfvM8ARID9E3GJyPM +9OrJehEfywuLzfuze5ayOu360BUiA1oPjKrABQlJahYoH23EYnYVnEBKI4lM0iEDZ5nRT+wb1A5u +1YEKGzSuQI9HyjJBlYvHleaAKqllKTOeeA56Y5KYiwgjXD35f8mp36kRrGSnV6d7CU5RI87PMOSA +rcukAB2z2MmSLwaqHRySeV/P/mdj89owtcu1WQZtiR868LWdudo/8GmKvI7WAE0x7jGHMQ95/PGG +96aZneLBY5Up6iO1UXhMaSlqdA01T0kH0bGAouKgZpAXhlL9gp/R2zoCE4p66LpVfAMROyP61W4X +lyjcYzibCgmcGjhk3hNpDMzqaTxo9wjfDAUuMk3U0LKOdwENep6WIaQqBYj4M1bdR4IrZEDh9k6D +M6MJPJ/xfCiz7Jqdood/E2haPuZIgqa6ZSsTLIikVK9w8AWKNGyCTluHw3bzoLWZGzUwlT34ZBtQ +93VB55UDY4ZCGYlSCogAvQRkLdC0yGBs6dYmendCEoxMY2Ic2S24+m2TqD0kWuYJYPCyiTQZOXgs +WwKLrbZhHxkk17htFVXSMBNAuJszAftG70NN+JBWnkA7snD2NDP62ONRnMs1x4BDyhHAPBMTri2G +x/GF31CIub0KZBUwMvHWiVtYeDW3HRg4okeez3GHZmX17XRxke24GgNk5Ctma8JhYmKwGi+4Wjek +PPvt98mDUS7eyhWKrFlXkFh94j7nFmmTAq1oAfNmMYuKXZtcTdya8CShYqrUI6VgQ0A25IjKUcOS +u2pEpNiN9p4yVuk6ikLU7KlTrBKEA3Fuf/1S98BqkUBu5EIJWQFhM2fpTNK8FdvuoGuipa+j/rfG +0Msw/xMYcODAL/WIhnhGRZOjoIpnqtB/eGtB9QswpUuPajIxQJq0m2RUIemvkOUNUvwlu5FXhwuH 
+LLToixTRgFz3nPYjbYqUuCvUkrlSS+25iQZDpQA9tPALOwnvFEg3vj1Rvlin9M2mOZHpg7xouiXs +kFwhdkWO9iXiHX+u45MxOBUfwApQx2QhbEQT/A60PvApYE5NtfD7MTwKid0PLCFatWcbIKLO209Q +AfuPGWIa6KVnHawtfrH3Ca0X+IpXXUeXAsv0WZZZ0rrernCjv2s8aBcbmRgyef564PY04gyOiCwi +Y8hoe9He9Kqk5FaShtv3+nOeSRQd9/+SEGNIi6ijR0p6GCPlSOxfyNIdAgZynNVlGMQfFomHwArn +elCLGwMr+g+AmCoCN4llRDvh9+GfsNts17G/L3cbhvHCBMq04klyfyrwTUcB81RBiCkzm+KZydYO +Hf2EpRaiZvD0bBZDVwgsrK3tCrdwAtV98xu2eYQrQvqgKLyCq8wYXRo3o993kVHuOFTKgKr6ZYaM +Ttd5rWZPW92CFJ+2aT7Ma0XlkYCs8IBp00A9urVXBiluNviXhB7MOoLzSJMbhQubYvl3Er91Fn4h +/CUPMpVVe5/2k9/GAdzSmhIAwZ75wBTSFNtJixY8ag6WKBI978D4RyEN9YDEDUJrkZ75wcFHpAMP +RGeg1/3Q5yKe1cz2jPD7Y/vU6fYIovLU8zBMBnmojFS7ipp9wFBEiROWPyXIOOUh9B+tiGXZmkxV +bMpkQQXwshGPiGgGYJC2rBEdICuEth6+EPSN/uTutD/jWQ8eyCnem9ANz3sWNpU1/Ys0gTIYInC+ +y2KVqe32C8A+nGQLmvFOg+MMRbpB3UygpOTPar5PPR9nW6Uv2Kx0Z04L3pyfnCHK/dxK/caCuRy6 +i4X4ENfu1852EUdYwNV584q/hj5EeX2IyEw7aZdH9CjbTZMqnGjZh9VKco9kNcow1tHMd5uqOZLj +Qw+3vyBHDvG4l3Uca1JEiLns+kGoIqM2jlw3B8aUpYu3ExsiVfmsI6n7nQhzJm3V83gYihc+d8aS +2USypI3dRzbusgQYmhUffUJYRn8fPF2f8To2eX++9VsroaJnBo3TunZ0bGKb0q1B11LgUh18fpfL +plsxOXQyfJcxF0MiX/AW8LosAnSFf7Vki0vDmFmx6TxfU476aiiHB2ay61LwBnLtVkOKPtLSGIuj +R2Yh/1fogkVR4jyCawtyR5YRePDV+VKLl7o853J1Mce8PETHE2eWXxitnzr8kcvjNL57Hi7UqbOj +f3UCAljZyMCAKvrL46/SyaosRqBbbdgwzb/VqTbOUqcYiItVy50Ym0UCe/ewqIwZqpDNKnmhwvSs +m47DEvF1A4+qQZHNL1/DpSOoqrt4LzYBGHS9l9Gk6qtETIek6oFl6yAccXzUkQ3de0bVY2PShzBr +US8vQ+OiWJGnUGFdQc1hP9Lra4o/AV2yFO9GQlGzLGzbCNMxa3ByI/i2pwiFjNGSV2yQ842aylCO +IZH8pxdHCfylNZkZ0+qterek4LJMQ+rKsz4VM5RXzCA6PeAfJruRCRfnavJFFdBZ3Fh/SyiUXlpu +bIGswT2e6aa0gig6bEFxDJIhXY05Llwgs0vWk7YtphO36EVkaiTI7Rdbpwmx5b/nZeLRqdCKg3uS +bt3hDS/KEDWlA6kcfaTG5Pkp/Ss0Cq+Fq4tC/+cWFHGUWCSFalhvI+h+4k+dxybE7Qy5W0aj6X8t ++46nIQYyrkZxqEeWVMhKaLm+8kUZZljRkE5eg+ZmZOpyaPUyBrArbKK0F8gQp3m+Bfz9wX6dnDmn +oMMPdfg2wRpqVIe4NiuXjBXOD8fa73hoVZlp6OK+nHknxFpysIYEHh2X8dzr5e+veEPya/09Akat +YQBGpa+HACWmXOE/WjwOHpZkemOE0OIrK4/YO48CkpmNJlT+mGV8VJqNrowAKDImCotdfqv6HJyu 
+Be/DmPjMBJERMcv6YMSpi3XbMSWT8jkJ/wvYBBIvlfOSj7sNRCuuSG9kVHGQiOlETASQPcZlu8hO +X5BVuuWTrPnZHiSNsqmSryoOn0kKPLcZOJ21dOGw0YdoAjgxfufQff0quhb/Wy8/v5oVmwVaIJIy +DWjh6FID+U+q0IknnqnqMjQDwl7Ob59CHhZ0qfeKEjUa4CCGwP0/wHi7BYJKIYkGhpGEL9PuRJD4 +hMNlkjvR5I4ZS08djLgySoJ0IH8iRfCiNVA+hgMd/nUmiC/SgREUZGQoJwdFkIjFAwvdh1v9Blui +ZF9iAPUR0QVWnMKbqgQ1YUMQEHkl74Id79H8dh4iajSmxzxi0sti6Dwv5HwOo/kUK46TySGHDIeD +kZXWgtaLQmX7IeU6jFZs+JzHawG+8qVtRQyrCj3qkSHpikk0zDHWpZ7xGApTx/7Nmb3QZpghC7XK +ziOrZElrWCxYF8lxifj8+neCoBq7v5u8ZvTc+fJly9oBsJv/44/9XTztB/DKX948TXy3wubAvUOQ +9tk1zLhGojox9ce8F8nLXMverZeFl3glDAclKv2EtpEr9zFuyMpq+GscAFq4W2MP+1djABJzeL5B +jUVu3m5CyDz2B/GZ7bbQcYB24gDvewf5aiW2u8sU72QnGpBztiZjloll4DSZq1SRRB3BSSrVPtPt +p3UF7F7Mt8YX23ZpwNK5mdqdaCR0cyQzYcZKrE9floJlE4AcCQsAQRFZJpTflO35Lesvd7q2RWum +BecVL9mYAwQOLbYDaff3SkiG8cO0Zi0dhmOd58UbSCcM6p4tw1S+3Qabx0kdxQhEaC77hPHJKDTL +KjGgo7mJq81QtpIYKTU4yXtJAC2N+CYY2gsTX5P+XKMofY4netepsajdjDgXx2nR0lWewefMcgCV +W332i3Po4vSoByk8Bws7J0phfU0m4te8FOPcoh6K6N1anQZEE11RnhzLcWudOEIWnjwIMQInxXiR +mSwB6n4BxMJFK3tmnKs+hT2E27gjBOCfAITwuFtUHMfL8JgOnDSCTv0gZpd56o1pi4Z0piGpdIt0 +XWNLdecyjoTl8Oywmkfz0O9oCqBA0K6QikpkOaMXQgpctGAysz5uuUP4eKjYHJhAl7RGBw14etG7 +W6FbhBMBJxG7hLN3EhlYM/WDGPv6GF1zd6Ix0Ms864PYJ1hVQMyoOq9smwcPozVkAEN9KCKyLhv1 +KtUIeMsVs0qPdUjWifVJfagnvbEGulPenNEOiDRjResSZayw6F6BJabVSlzYMrNbCNggeWMNPzBT +7BUEd/VAYJw72GTQQxZjFpep6QC9AzN1qDlRMcQhaZ3Rp2OBV7ZXQaIDnKds6A7IZZRRJ6kCI/XJ +LJCCO2CvTeQ9K+TGgitVci8glozInp7ZHeFSzXym8eoJtWSlVqaZRtzo3U4jFIy43l1WJ7fXywuT +zIpjUH645HUHgc75wRjSLyO4UouYhBEsmYGMd2yqUXrTFFIUnGK5qYKyrx1in1rLDtlZbJJRjK1C +Gt6WJDqK2xM98SeqiPWZfhZD848oi0YtCCajD5hi0oRomA1gyJS0jfErqUw9URX8EVH9bfmMjBPC +kgIhxTUxYuPvXbfXOIdY1Y6CJASL3z6T1rioUmEPaTdoHyAsUaMEHNPko1uUo/XlxEYnP05bXHmH +cMylEVVGYAvJL1I6NifiZRN5rztCZgT9wCJlylZLfyBhQUQjLJcolhuy/4NSdIoJ2s3U47AmkpmP +SHbNHWZhV2a6AGkWNIipvHGEc2JqW2kuWhU5pAOgizab5nJJCFjMs/iFtMRzK7v6bQYyzxH0gyQ5 +AF/NEVQ8EyAGEjCbwzPagC2hDLgxjRdB5fTw6flKkuPga1n41ZtF75e7mIxb7GTEv7yJ+BO3OwA3 
+B6F8RfO1H6Zdehew4vTXfmPyUrvS6p0iIVgnDATWQKSSARYW212Yjzz7RukDiGONm9ss/Pn891bH +b+9z9/Yr4X6ZmfgGb0SFTP5PJFfHEBFg6HReaMNpFs8U0RCWgj6P/KM3lNko+Zllhg== + + + CUP3jqp8wXfRH4/X5J8JJJa5OgJGy/63zmejgCorct5ipvjbKomllZ1ec1Q2QfXKJ9TledCsnotH +TgrhZvZ6FUkjJdjpLcQpwBskyiB6SEKfmKAU/0O8uzYFhY2ArPECHPnLGyDeMCi54HVim/ZBqhOQ +qOyCcJeT3QGTYPYVDx5I3xUYfA+08gGAb+4hrKWEKTUU3tUFXPNm62m6IpF3JfYJpNIZcQpOY8e4 +cYEhZHehKUQIlAejIexzVpvSQKbW4NdgSSVv8uMFSjpch3nIE0qsnZ4MD+vviJ2EIIbhaoUQJRlA +kdrRVfhtXypyz1CZUqFgLE5o6QaoUt7m0aEazqOUL2wueBg86Bp6+RSRUZS3BS5WB4z9Pi+wwDBB +YFG322xOf7S9PF3lmsFhQp6J1bLMUU0priOn12wtbBaUJjRprq+WIGrE5pIbg0y0lKBIY5bZvu7H +a6TtKAvcBErMnlxR7D9lJP2s/1GCs6jIxczJnTF0dFp0Ucgja5Aa7guJclikr7lMmIPqwiTSDAqs +OD56ZDWWXmF8qYmhy5q7DaJtlNEmUaDBWUrv2D4sxkfnROCSM1V2QPpfD1nabDeFJG0gtDSSP7OL +TmhmdbeNuY5oIqurfGvAE4lFCanUg9Xkf7fxImLm+HG2DDxNkrkD65p9rF7hx4Rgg22dRSmOxgKu +xZyC6wZwrFk/xzcRi5LSsGUQqq4OJmlVpbSMLG/xJfG68ni55TkppwcXKohHV2PGg9eED91OCIcn +YBQNGIdZoEbCTGtyoC27RCZ5OECds+EtUFpw1KxIQdM7NDmJCxlgJ+p0vMYO1pbuLmb8jNQYcCub +SOgefLLTC4GUJbWu8bSBpgb/2qoUmbRhsKIGy3H45rGaEPxKQPWlMo8MxcQeBoxBjNrvo0TPYTwJ +B8dwdaX/tFDVW3X/IPDJdIPwVejZJxyiEngvkr7lSaG/V6R7she6tfIrhIsw4lhXge6tYH+KYKay +jlBypQisWyvGwRvNHI906pcyjYZMA0OijAEorBkEfWt8uYGGTpK+bE9/GDeW/Ex1nZLPGLOKKXbq +ajCtaelEKNKJs7MCrzJEgUr6d0b+kQHLIGwdzOwqepInFKazPIrV/0kOuIODc4xFTabEQdOqTOjy +lVvtAHHiAVRstq42dG870UJTcKivoCpbIAYCIMHm4jDPXIwosXTN/8IIj8aB8syjYlomIah9ueJK +jO668ZGsWnnYYbeR8sbTNFYhXdb7SRbsUIyUpnadbD/C+rqmU3Lqz8vio0ivsyqvH0KvOwLIzHNq +NdUqAS0x+s1YIioVVmPtmLE2y5drNTQUfJbqFpQRgCrK9j0pZCVsblFs9Qt0rgvah5tQhUUvbxcr +evZgVnk7ndVM8iCTSb+LmeX4lmUk6+UJjQpKmD8Pvquqq1MFZljT3xzm5OykPtsKnGlU82vURGCU +dagV62wilNuuQzke47QIpFxCtdtfpCzMzPBnYx79xUKqFENjMIFoSiVsMK5x3akPBgFBW4Tt0pvD +fFT6xCpo2H7OpcTeqozVUNc8EA0kWutbkUhMPU6nY9Eb83QVYFgbboY8CTrDxMEOEocW3poQZyw4 +rLzck0Xaha3dJumHT6xUmoYe5VurzlPssxFLggZpyievfyLrTUsjScxyZli+xm9VDA7lCZZXg81A +ffg+sEhW6WmsbeBJzlCG522Ne2rpBkJke24JQLBx9UVSwxLjCM/AtyNVo/XjFRYwkNOJ5dC2QjPE 
+HdJwTfgOrhH24eVv67JnO2MNjwS94lI5ETtYywy/gcJ84R5Xcb/CZkkTklkFZgsCiC2PkA7z5ep3 +dw9krLNrx368hVho1KaTySxfqRV8n6lwMogmEqsaR3bJliBF2v29l3NH8hk3CYiv/Y+aGbaO0IRi +rL7xsOHlZmVZ46BV8e5TkDj9OFAjtIOgvPusmUPJc2B+DkGfrxSzQA5dQPDBObyHqNp91gv7yLwY +SCjbmtNTdnDDEcZpQx08Xja62wZPl22YK7Qh/JkNIbaCRkKws4Ir+0q7frb+YcE/UU9ILZHwEg5n +Y6BCTwar6C8SRmgR8w0MGWTTIdLCSkIORUtmHMCHZHny8EnahGxH9H5Fiu4c1RjN2Ik0vbkJS7NG +U9Cis8F7wkqaLlAXi1b1rXPTA8aCD1g0SosOaTRoNAfhVfeND8mIyglYHjVD7MjhT0yItN4GRp9O +szRTzIxUR1ZZ1LOMXJSc4ZdDtN4VmmgEHdDvkOniB9DyTuuuNU2uP6dkaDf246TTNpZmy88N/kzD +/kWioqQYO0KaYzEiIdCQV9ytYcBMVwyWhuB2or/dseZqW5IXouJpQ4zTrZMFibNtsachNKZIzF1n +YQ70ZnNwSK1hgSHPavMoyxrO3dwQHsvy5NhRi6QBrkE/IatcWMNoN0ZdZSlZ0mgwEE3RVegSYmJ+ +45cZjiZp9AUe+26qeB+P0LmQCy+H3WSsNcMN327VB1iif4AkpBU3FljTcxVJadybEbkHtkgHrv/r +E3ELJabOEeFu/rQFoXZ+D4YBYhlNkTuZo1M1IqHcQQERSlTUW/ATX5KWucSsM24+Db357Gy0bkMP +5h7gWtGfXLUbTzRrHas48cWPdDUsg8P0EBg9Lae6rgxfICHd2/uoyxlJCYd6wtHYH7G3kxl3YFCJ +1CVISEtFRnkru1jfKsrXfMX9uYvDfHlDiOg1er+h5r2cPemBO4TcMgRWSgduyfHwi1BroAnn3qK3 +K9zqb9YWva+JOduZxgjXN4ZQbuigwOkRbQZO7WPs3bN9nujaLJPZ+Yc9DMyzsg7uS+9AMbOjgMa2 +H3KONc6qOxijeiLrhmJlW7Gm+sM0LOfMsDxPAg4MqLgV5cGm+kdjJMbI2oFc3KZ0uXdWhNMp4+hW +epWjX04ExsacyyTUDBW9Lmcp9Fs7vNaJQWYEVNH6G9uFxRWDSb6HClf/zvtHo/XK93zWLBF9hwVB +h64wf6J8SK/0V3Rky6nU/2x/EH9ktMJhhEEFOZk+l+A6pWp2otHz9ohGL5NDWRowG7IH75l3McDE +XqdJZ1s5NRpD40FDoteGlGIPOyarUaylnh84abbSMSJPmg9sDC2rlyOxApfKD8RvYD/of7M3yVYQ +7PKoY9SJClSeSGo7I+K778nPydXmNu5r6ZtIXI2SCEhaZxYGxDT9BMH3gPYLACXeP7L5mPQ3DMrr +PCoyJ1DMMfR4om9h2NR76VlNZEpjLJQaiklA8BpaCWU7/8pQdn+vZbIxfk+x1OP5MSB1GAyDoi8d +cbEuYJKePwYzU2WAc6l9poEJbOBXZ2qMjSdO5Uxo7zSVCeXQYtVYYLyliIn8OWZluUmmzVLbwzPT +WvMuT12voKzPKmtC60ugg+Zgh9hyu2MuxMoXmkGhJxrzhP9P4pZlCK0yJrRRdaUM+qAW/HwDe2wg +BCZ+tuyht9c2N1OV4bmVhL4oCCM1pLv7PfZBCpOUx/vErBT7Yc83jBgbdLVCniorV5DFjg4HZ2X4 +X3KCm+jtz4wjkDFHXBzqG+hVcTcIlFsoWBVboHzdFOlH/kxOH5OrUuvZzfR1JlrN5s6UG2fU33Ni +841nvvpJYz7WyMRBtx0A9xmlWIZMVsmqDzMDHkmirFHaqa03wmCKWEYZusNiGfe2KsroGFaiR26F 
+Fc97CyrMyhu6gr5PMiJ+adApdotS0zw3HOlp7mr8yL6nYymE6YXXJNY0+RYUb8hJweGeHDFZvSmv +92hOws8uEfPkZPwLNnYnAFbo5Ka3fNF7PsHenZuduBIbnDOzBOYAiZ0CKq0AA+Sf8N0mT6LFt4NV +M6s/ohMhCzhoyQ2RBRbJlb5vV6X/DmSv59yqldb8GshQQmPPARmcxj2E7GhY4GFC6FJy9yPJb7Eh +YXyWcE/StoSaTgr7JHASK0fAcK/cCMDBVCTV9vpDOIpJjpSNegP+aeuFGsWvEW0Fz2zuW2Xd8bkj +DO8fql16mHcsy1R4B/GfXHndpN+FaZx+J33aehZOUOikxTynGhyrnk8z9qHBBJ8lsGcNXAsIuD33 +ZNCVQwYk68rQ+FiMJgD60yAgvkeLGB0r+PN1wkbu6r2Dd8+p9OrPv4dZmkCEdo29nX5obgiNatIK +NnoQejuKLajR9QiNdYWMCTHRzHCm0IflZEPzX6GO0HAWrCAajUZueunwtu8R+bcM4d1aqRHPUGP5 +VSR8Ax9WABaGELtUNCmN1aYTbqhUI15rP3tgB1ZgG2N2NwATsZ2VJRWWHrOd/In59AJEaQOatSqH +KZAATO3e7xZoAWeENYw+64pjIO4cjBr/tWQ32eqNxtEmEgEAQIhEAAABdwdQCOkI+ebuv5fv7Rvv +7DXOv+/L8c3954uzxvzi7qlCGb7ec629nL+//uLrfeY7e9djzv3VH29v8+7/35d7uGvsddzx1r/n +jLffHH+P6659zl973t6fa3/1xp7z/7PHnP/+9dV9392567mb8fYZ36u7p3XX+GMPX6/rvHuvgCzn +V3eNt8473+15/r1vrXX3/P+cu5/r7vPtev+9dfc539w59i7ml+/sMf65a8w53xWQvZvvjv++F2eO +98Zf78rJ8pwv7vdr7vJ7u/756pwzz1zWu99+M788c461x/fNPPN9ufc/xph3rvu/+F+Oa10BIffj +jPPH2uM+c72/x5x7unfs/a+93vhy12rvendrnC/PmnuXw57nfP+/7+Z8e47nioHl+eZ88+YqJ8sv +5vl2fX/uXtZ4Y609T1/9L8/c2/9z77fum3vP+/a8XTlZ7j3M8dv99b73t9eca4+9n++unOz1bs/X +4//vjT3PL9b78tu7/7h7z3Pec9f7Gl99ude6ArL3V0AIz/l6W3v949uz93u+nv//crw5xnhrzb3v +Pe/73Tvry3k69+1z9rh7Pnvu+u+97t3Lu/+f2xfnj33G2W/tt775/+15rHvPHv+bu7kCQryufcba ++9ff6++92ds+e9l37f1bAVn+P7fv57jWPXOdd8Y+ezlvD3ve9+6a838v5p7HPnPvuffv1prv/Te/ +13v3Xu57/17b9/++YmC5VznZ+ysge7l7td59e5lj7T++F3sXVwzs/ZWTvRdXQJbjCgi59m++ve09 +FldzbImgMVZixAGgOY5peFqNImtwAoGQl0osMZBMXICoQlkWQCo0rutYiqGVqUH9zkXDJQojRw9r +GRNZY6ZBvBdRXlGbrZqOZnqCtvfM9Y/x9jtj3jfvGF97scb4muyqGkvWKLrWd4+7tvOOr5e5/9/z +7l3uXvvQudfYdp4nk9tgb2QUosaWSJbn5mats9fbex9z2HsP881di733s/cydznGntbcjeDtuZvV +dRzT1pjhmOTHJNFMYiOlyzlXlbhBlUymSK5EEWpcxfVMxwBI2LkyxZFETxAWM0+raixZY1paQyjO +GOCEwdLzZ7xfakxNx5K1K1NEBWhsx2aZgtjV7LxScbWmY4CUFNFSpeLPKDSqMa0S0Q== + + + 9HSpUlWFnmnGomeauavKOjOJjaCrKQEjS5hrFUOuVQxZ0UsVQXZAAAHENtzn7/H+c88RzO/KOke2 
+HAOMGO7C3DWGAOH3Yp7kGlONAjRdhsHYnKUwCGVJblYI5hhAM6oKZUluVuZYYiIDSNXsQDwOdzay +qkYWS2PHAOTHluSmsxGUFDlsLcRmNlvdbCmdJEUo8/g603W0pmKos9nASsZW5qkiVRHzUonrqEyR +KlnqLM4ktrMmSbGblRnrxgDkqhph4kGXUawJwGkadJn6r7Y6Z54zzhmSRXi2PFt8fe6e52/n2EKy +ie26a6/tuu1shmQRSBYxxQ1qZcZOEYpfy0cgakAqpsjPWK4qmWJQnYvtlnPYc9faC8ki6AmCZJGd +7cXa8j6x99uLLbecf275KpYbfi22tmerrdaXY4shWQSSRcrzJFnORjqYOI4sjDTHDHqCbLciA5CZ +dHSt4rixE1uKpyoVXaDtXKrYSbLdKpabFlmKARAst6JWY0g2sZFuZcZOkeVW1HLb2Ug6rlIEm44t +0RRB1qXG0gzhcvjufjmtPX43h9kRFV2qXZkxey+Ivdt/5nlyuTfR1t+8s8ae5nj2tsdxznu2HucM +5nGN896c1hkW9rvrzXsGWsy9zHsG5sy3x+HO5QzUeev9+dbfczwDOb0xvrtr7e28MzB7nanwx5jz +usXc+52B+Wfs2Zy/zztn7Dfn3fP4X629th7zrbWnNc8ZaD1tt/a8nIEWe9vb7W3NN8f8/p2pbM/8 +2665zsDtPey5p7vOXOu/+9ae77u17b3rDLzYc7l/jXfPu/t+c9/f8173OgO71tbbYPfbexl4M9b/ +ep/7xjfr7633Xsc68729n73nsaex5+63H2eP+956H/8M5H57/3q7vUkG3u6953ndcrz3brvH3m++ +sffe/53Dvd+M+eXfyxzmtvv++9fau3drn7PWPOPsse0dZ5wz9llz6+08ycDr5eth0HOe7wnf3cPX +y797+Prs9f+5bTG/e+O9O4ft9pPN4Ym3sd6Ty7HmkzvhH3/Mfc/7BPeu8f+/T/zlnL+ec11PtL/c +5x5jP/Ge9xOr/cR/P+FYa857Gd8M/NlnT1/dJ193/Pnnk545x9n7mU841tzDe7Lz5Rlr7ms9yd/L +22s98ZynJxN8uZe5z/nek4w5/LGeePt6k0nmW2/O5W33xt72Fm++tzfZHOs70XqSM5fz95z/OAO/ +nnjZc1zjjPXEy/hzns5An7fNfOuJ3lzrzvkM1PjzjLnFOHMMsztTLzG7L9a4gxZ73bO7264t1rvj +7DnP33339WzPYJ7vWmc9yUDf/fc+e8+z3p78/v3Edz/JYH5ivf357rt37Lnd7fc24831zmA2a/u5 +51r7nie6e3licde6d8v19vp627Xnvez3vt7GHAw47DBU5nxCz42dEKDOlHld9OZAa/IBSGB06VQ0 +0AXBVCHcj5NoaHVrWUIEVHDTXwSwuEU0aDJl5wEcOWARDOdhy4DLkmHIfFDogULQUrsC0YhZ0FRC +UsTncLXjXhn+bRZPBOc6XidEhnhhRK6YQAlOG1qirsEVCfXBwMeFtSxzdUT+MDzgS3fKkBceKs5J +VyH3fqfLyogVEYPzCj8rg1lJFj2QoCkJBDuDtu7q1WXZOtDW3S5Vsmw+gn+blknsuDpVY4Z7nQ44 +unSWYrNVwEjC4ipmBkaYhJAx3SiksSZpT9P+iyVX82I7FxF46S0OFaASW6PJqSi5miKHCrjrqHIq +mo4r0aVyKlpyKprJFKeiqZjKrSbrZKVoueJWk6XCJaei91zNU8WpKE45VACHCnCt57iaJAdTZZhp +iioqgMuT3j/uoKZjMaFIhagcKuA1AKbiYCqVGWNxarpKT1VshZ4qenKoALJUcagAVACLdaZScmyJ +aKoaTbJkjauVXFOnBPeCtUZULNMxwLmaKpXKrVJViarUADiAi2txq1SFkiWLW6Wqu5ojmZ7cKs3+ 
+RNVVxaWliktLVeqUUMVUXnGpU8J1AqAKQKYZOyBlV6NJssYMhPv087XkuBRFPfw9l6Io7imKpii6 +QstxdcJWaDqWq8qVq6qOakx9pSIsxbFY52ocyxT3grXQFBVhK5niUqfEPVlmJ3V6LJc6JdJzVNMx +wJhyqVNibInlqeJSp4RYplDypXKpU0ItS5FLnRKY5ABwuszRzeC6yYQgdqAkSaOqkElUBDU4q8ay +PFW2YWWK6yifLLMztsRQaxRhlExV6pjhTABO82XGrEqyTjuqMVuKptki1TFjdqwqWpcqplrzJFHR +rrFzgFha0ZqkXUk7qsQStedqV+No2tg5ID2thLQmKbZaJrmSq9GapzXFErWxc8DKbTIhU7SqaMeS +ZFlTVK05ugCwql3Z0bXaMRXtqI4uEmQkS6lxYVXFzcskPyIGo6iYkvJYYlRnBrXJhPZJrqJoNc/N +HSCmIQmzVrNzksaSJPE8liTrTEMZt0wS5zxATEMsIlnkao6rTjoOED+rmDpT1QWPsDN1qU7zBJ2p +iwnAmTnNE8T3wisVQTAyJeHMkSvzBE1yVcfMgAxhjZ9XegKwphfYmW4GqMjyDAUwTzC/UhGUjpc0 +ME8SdoIDxLSTopmCxVykcRXT0RxD1CYTwrhzwaOQxuLRJD8rU7S2c7EZdy6Y487Frir5sS+zYzFW +catavkyy664por9zEdGwNFJTsdFqnpvVmIJpMqRMWBqlo8G5xi5haYRPlakJSyNUNIWlUVgakaox +DYWlUV7NcxOWRqxWKCyNBIyksDQqy4s6lii5ljHQGEBcVfHT2QF7kiwZQHSNmHEVVWSJxjItEUZC +BqAnGAKZ7Ko8WanYiAQJIE0FAM6VSS7YVeQb7+y79vJtmWQAcWRV/HH2NL/XwY7oAJJdzdEcS3Jj +82gEjqqCilzTseRaV+RChqQ6PylyFVHYCY4ByM8ZqmM5YC1HcMCKwjSluKrpqBLR0biKlSoTFUED +Vr3YUVVIWy+ViLEfEIljFzYj37E9SRYlS9AubEZqy66x86U6zddYpuy4iuWpkqsyBiNVm46oiNqv +2hWZtqz9nUtOtVKLrWh/51KOAcaPHbCSpRhLsC2T/J2LKpKlaMnVFDvuXASMqx1Nslxj57nGLrZz +OVUcia5UshRPVIWtRFSLK7nS2FXASLJjgBSrYgBTBDFoPdERa/yspKlwycxYpkRSppOOq9lRR5h4 +UIqq86M6M6vIKccRxA6wxk9GaWfLJAEYydIeWc15X1njx+OXUSVu9qgsRzBdR2UZ23Qur8tdbmMI +QuwEy3IEMUrjmGcAZHpysgizssYPR7BWVccURWMj6zF6huzYEmMtU/ysMXSNIdjfuWiRdakjyP7O +xa6jOqYhm47muFqLcefyYGExcjWCGiAoLZOIpZgKMEn9SbbG1AoYS5QsVepqkimajgFOOwZIR3VM +UZuOLHtx51LG0FFUiqmzDNV1VNXLWKbEblWRmTQAuYrliD16kr4/VePIHFcBmrIcQaw9i/n3mL09 +iz/2UFpKbgSMK7PTMkmXSpr4dy89z3KzjgasZEmOpliGVmQarhhfXMWVuI4wAFiqeZKrGAAJI1f0 +xKmIYtBpjusqwjYMiEos03E1yZzpqC2TXNdxtI6tVFzHkmSJsPTc7BwehCAZr6zxAzvX9UwJEJAH +DJjk7vm92fOylzf+l9NaRZYqBoCl4nUcreNIXMXMWKIwUaUEwLBzVWMqlGo6AlBSIpmKAfD4Up3l +OErFAJhMqWqAATUVA6BU0wFZV6PayRylqWdIdJLKUSS6hA5QGsgkW2SKkI5lTASxKC1bpeKZWtPL +nUDEMb2gZwqyxg96klZXixStxrHEoLSMYjuU9lemBrVz56LlyChErSr5wYT6vl/7/7fX2+vPP75X 
+e/pujK/f2Xub78+73/fnjm/m2ON8933j7vm+Pb7cd671vRx/7e/e/+a9vcdvZXW1yBQDsZh/nHn3 +9t/3czfnfDfOl7s3c9097P3v/PKPMccd/7719W72PI/LueOd991e739v3LH2/OV8d3zvvt7eG39/ +vd3z7thfj2Of9fb+xh7n/GKd981YX93zxfjzrbv2tuZuzxx/vTXWGvPdcedZe4x9797de3vsu8fa +25i7+2+Ou+e7b+5a//Xvm3tae/t2nLfnOGvOO8bZe9dnvj398+/56n09jvf2V29/PY67t6+H966A +rZDFNsLv1R6fWJz193C+n2eO77387v3zzTdf7vLtefaY356pQlkmwGSzvXZi9+duEw5hqVQqmcL/ +PVgTjzvxYKEnFHTQCHwDFwEMKpgco4sAzi91fKnj7V7qWQopFwEMRvhFAD86jUQykUwRLhLBuRIB +SCSCc0FYKPxGJgMtgaIN0M4D80z8mAdbPDDIpjS09sA8EEpDe2ACMQ+2rBUt62TQtmYglhPUkYg4 +NBBLR0Ly6HQk1pb6kNMMxLJRJkzWMpSpNEqMV8s4LYdl1SzrlzktnDktic649MqUJqXKI2s/HCuP +LABReeTVe+VwFUpClUcGLUQtK9gsUAsRx3Jq4rMQ8ZlTGoiMgwZrVHLSQDgYDg4arIHQaCBQyenk +tAz1jEzOqCdmm3CEUJ8hpyP0mVtBGdt8/ZNDkf1x2AMUhYTCSEANaLPB8cKGA40p4cAbV67x42B0 +Eunc3AxrOG2HWJ9giGADBBuHI2IpRMsGPi7TVjeKmv5JuFAjRBCJoDF6Aoa0ud1qs1A1C9OpINAE +XByEoBoIURK8BgUBxys1dMS/bTPoMCCo4jDg5q5dAUegYciQThuGzMlbSBvwsXYFmtBH2kAUNP5G +E1sxMiixVIYuhC9NY3sxXm2B8ZcK+Bov49VHnZY9JCgv+IQMGx1iDiKy6lhtWPEVBhezmc6JCeLf +CUKdOJQJ4zmQ9TEYaGg1FaqpUE2FHKhlsZUJkzsOZE04kFWqPDIHobA+BthkMm0pKoRQWCkq/LaE +FDXhkCcLzJosMGuywKwJhwXTwoJJFS1EDE4WmLUtMOuKBCYgekJPYcmkKDlo8IrgoMHgxIN1NXoK +0VP4bR0Ek7Vse6nbS91e6lkKPwUFk4Kp4CKAwe2lRl6qwCgxXi47VhcEHasLVhyrC0IkjtV9aFnG +eTREHUGJo4aFwm9kGplGJi6Cc0Eti6DE8YINj9V9oMTxGqCbHm2uKVi0IoFigDoMIgkUA/XEbNrD +K1i0lkCxGCgSKJZYQdcxDz4tMOt6YHniN7SOebBlAyVQLNoDg3gMsMVz0L1+Q3ckwv9FtEt9yDlU +HzRYy9YMxLLwUsfbkdCyR0e0PmgZQwOxgFrWUWggFo0i/LaOemK4lPqQwQYOZF1OK/zflmX1W79N +yzjqlzkWp48BtmxaxmlMmDALy6pwmTCZo54Y9VtTH4GmqFNojsJvg4U0s/Ff4UqE4LGs3xaqJ2bT +shMkCVcQjk59W7g2VB5Z9V45XG2dwjreAjUVfuG6ELGWJSBsRM1hoIFYtk0DVpBgCQ== + + + VpBgRsy0EDFGJCY09EYUwBGdqmynq9MyjEjkXM6jIWJUcvo2LcuYRM51RCJMEw/WPUvht2kcXGi8 +2ZYRCUzAzWEQgkgli9ayk4NmcpJoJN8m0WgNRPi/BFFmdHWOtOOgwZnWQEQ8nwGTTwcDhMK6WsaY +cAgnAxsJjAA+TwWUOF4BLWMsRoqHpvkMMLGH3LmWR5aAKo/8iKE6/7WQqpCdlmka91xH6NsSEgRi +KM7VHBGcG1II/xdOTt+WQdAyo6vDZLRyEcAYkciBTE7fdoIkmub7tgTQ1mnxsbqZhvB/EC0jrSDo 
+J6EwyK5g5FhdUGACbmls820JMEjExeEigDEiyXZxBJMGYoLRTVgMArZiACN/9EDdK0OaPBQoGP1T +UFMte3w4BYHLQ8YHo2tZKUISbnWzUB9OuwwhMkzU0DJGP7h/c3MlIpaeIlvLyrAB1pj4OJ4WjS6G +ynA4ViPMgac2RnulQnmwY3TA2lwssVmoWsZw2g0lqsBg9IRWJtgW6YSLiKWaxUUAR1IVsmOACFgf +zTkWBGkaM1W6+zA9UPcpebE5ntpxD834NKymk1DlkbVskaLKkH+N/9HcgigjUYCijESxeX2bgpNw +SRQkCZdEcfqeiQJ8fZuiseZOI5ITKOkHhzgah9ayD40VaAemc9AJ3I8Lm66HVwH6R1z+MFSuy8LE +oLL1CIxINEH821CCCPo5QKLR7q5IstWdAMvcrFBTrw/UUKQoDm4OBepEHZQBygQCPvV3gPf+GKzA +4ipYnJQ2/r6LAB4hWhCmDYFAgLwetgbOkHFxIA69EWosxMBWacJhwiuU0JMnS9YU4RSRMBrX6P/S +6Eq8YghcY7dKBUgVsUKRRJ9bauAUfO4olKwINDd1hMqz8m2TjkorYKGQ1flZAQuF37Zp0jRVeByr +K0CQMUk46JJ3R7u7qhXMCi0z1/z5KFg0yUNacCYG2LIw6SpbbONY3ZOHjA+FFhFLtYzbKGg0N8FD +WR9yCtW4GsfbLOtFDzRqgWN1RSASQdOyjnTgSTTrSdlCEQ7ke+QU5lETjC7wXyUTx7RsguJYXRWB +t9gKMoK3vUKbNFUoCDoBiNNCyyAmHTGwuQTQxYawLxAQ1+LgeZSUF6ODFqkHiIBKITF2DiAqEoZL +NjAGIJcFR2myYDlQQEqP//keEKXbadha5uoORhK53pJvCD+jNaZlkVGHdHfDNtjhx2vQKD05zoDh +YbDQshFCiXAhUhAakDeyYJ+rZduC2X7ixRHQv/O5H8Pm5aARjV4TnNEhk5NGhQ9Vy1DvWN1RqXtp +d+HAY2AkhHcMRwSQg9G1zEOem5uQOdjah20WaojAYHMbTtszxCYYjK52nJZtRAME20ODBRLRcEQs +TR3+oUIWBFp2nhrOzdEPF1X3h9lVm8hod7ekOSBSUR1IUy1bFwgl3xBAnNuxuhsIquwGTssiB578 +kJ7UAU3qIoBX5TqgH49QFyUcTFyq8yiYhAtVyxQYGOGNuFxGIY3RMwukzdWyg4jIN/pqswAJ3M01 +nTZoWxoCLk6wVQOblnkaQMr3qCSETiWG2qAgYOhSJYOjZSGGDnFRgQkeURm5UA8phDkSnVvLQGpW +t0MRflvM+2iuQAB8SF1dVEHAjtWFQBIKtEkLvS8CwbIho91dA690SEvqQJqqHy3LnByrW4b82yA4 +DEsOPYkG53+ZxffImceDQgVHlMFXGFzRwohwTbIF6kYSWi9I10VE3rBASkEFTG04BI647MKhdaJl +XYXcA/XEbJmSQLD3qdJdFAxFcC7Mw79totosGYmlwMCP8kEEpsG1WTIahXMuHL5hyExoUiVnhFQx +G6ZwHmL7SHDEvBDX4xZAsC6mcPsTmcCEEzptENAyRsdwwoWKO40J5vAFUQ+XDfqAQNRACRZYv6Sj +KEggFNZ9ZbYF1rKMqU04TFGQWHAPHG4QwZgcDepWKGI5TVfRWploAuaLYtm6HaEg0HQB6r0+hoRW +hkBxBCfcCxE7NJwwaaplmu5UmBYjQndxLL8QvNayM8S/zeagwWLG1BhfBBsgcCg1g81EILv0NFH6 +KBKy0yh8ZAfjHKuLwaFpgzuMQ5VpYDSFPn1IBk0IzkqaZkxtdWEXzuZCgR1SIavCwFM51KxmDqFp +KA62CM4VYERwbla4tAYaOsKI4NyLEHb3ngSeTFfQ4OAD/m3cboUH/NsQWgkE24MohNjzn6xuUASC 
+ZUcoIQYtWfTq8ooAOSX/bddg9BASvDEXJeaVUh8yBPy6i3YWIt4qX3dNfxHQsoj/FFYQ9DM4KFm0 +RzPQ0BtFQnKriew6BLGHLHlQFDzyefq2beLBuhEO/7ZtlBgfnBXFv42DrN2F7NB40xP/tsmEiI64 +wMVBAzlVus+pNoVDgjlRfCUZUZAsEYmCQ4ltCs+jmyggDAcRhWkBJFFoIEoShUnCJVFoWWzz0Lmi +TDYpxnyJOBiaXGl9WNfjKEEXiR2OtxOCEHUHETt019EC62I0tPIxdEpqvBy2dtcrgTSbTcTbMuCp +FLFJ2A+7Bcr4gX8bZOH0bfeBf9tFiDg098C/RukOFEBEvkSjjcp8vUakM3CJV+OV0QwkRI7ADJeh +Y1ChGPi3ddiAZusF/m3nAscL/NsiD6lvuwv86xY6MCGTJwsqb8lsEv82D5Q1Gw1xKoCIPeQITOLf +dkMrBg3ZiI0uLY/hIRwboZVrWeWTEMkYgg0nkjEaOFJ0DDIflip0EWhxJUY0UGCJ5AmJf9tkTyK5 +kW6MCM5lEDC+TSfwb9MKCaoE/m1ex6LCMEfo27oE/m24MlFhDEjyUXxDhSUJ/Nu4rZVK4CILB+MD +/m16M+HgW9DgYG61W5KDFEQhFDjg3yYwgQm1DIOoBKO0AoLbfB/LI0sKPvVzwi4ClE/LKBDI6j4s +LBhcOKaSZoMY8G9LFZ+BglYBBOsaNERQmwgCgoaWjOrDpIB3d0JUeeSNwrt7FjhocGTz7j4Y3ELB +ojlGBOdOXOpDbmRGVzeZELsrWXFQefIydfdPvFQac0ToLu5EEiSgQGhwp8OBbGKaJLNBGBGcC1kI +P812wuQPw/MArkSNv7FU+N8OIjrnckBSYBV4QJgFTQEnazBdav8tI7B2BaUJzIJm59NBeXhLmooO +UokCTRJy6AaXYnSJwSajbqQyR2kKfyY0hU0EAgGHVoUKGCRCMiJ0F+VLmptw2mmqQG2623DgVTbN +xDewKf5Hc7ADBFNkp+kq8lCxVMu2yUGaRiAIIu5E7JbupiSE90Oem5tJMNhcykRCczGUcmDbJ8xE +8ZFwSRSq2rFQtIBbG/JFy0INm02vigZNh6bwoIutIFL4wPExGpVAJVgjPQ5WOH0Y/6O5gdNBTTsJ +jeYuvpaRQg0prqY6BEPtLHhqCvkRaSpy9PB6VKzNxRhgNrfgoQm20kQrKwogNk5RGpEUPsrocO4G +hisW6XQaWFoPIbrxsBwsKLTsoJsFqTbhURMmxDKeJoKS8jIQkRYSmR25LDRYI6Q0wQ9Gkmuhg0Yr +i8JLhInY4YcrUs6AM21Anmpz3DecXhNcNIEAcnAGPK4VRMQmGHolOig6JjbB0LLLQYtzMROYRwQ2 +gQgoJPyH8tt4XKneaIOqU5iQy3UaBw2bwuNSSyFGWYCgSi/aI1IkuMw8QgUxiJao0zJJB11YxZZ8 +OUODUAEJFdtoSOMM8S8CyqUWAW4cNBjTYAr/dwu0DFRTHISSokLTq/LIGsNVeWQwVXmYdIoKFSqP +DD4WFhrjQsTgArP0ArMmHMIPnHiwJBMPlkZPpUgJ1Fp2lhy6VAq/zRyNEuMdJcYLGSXGCwuFsBAs +FH4j01qJ4FxQUykRnAvuCM4FUeJ4RyaI1xQsigSKJUNPoaZg0VqRQDFIoFi2c2sD1CCBYlFoCha9 +higWLfNM/IbWMQ+2eGCeid/QmNLQBtiiPbAFpaE9ubNmcmfNQCyPbWUsJtSHTu5IoEyYjDJhOC0U +h4NNIbLDppBl/VYtm/jWkBFCVO/1bVqGai3TmJKTAoLD/rBupmFg8Qh9W+gigB+PkCOUaYA5QjCP +9kLFUkUFYTEyEFaxA2+CFSR4kaI4js5mIVEQKHSGg4Lhaakp5YZiqtS9NM7D5t7WZqGeThsVWCgQ 
+cPEDhXJgExUkeA8KAo6nT2kYckUIcWJ0hI7Z3AnEZuEQ2S9RIwVx8bNxu5AHURC8zsrnX6buahlH +GYRWKImiX0gCCtIKJVGMIEoSxYIoI1HgAQMBxep9NEdq2Dx5a6Q2evNkeEGZengVxL65yh7yc10M +So1RJ/l905IV6dDdw4HRWjZBbdBT50DW5UDNgax70jKTCQIxTSYcFhiphYhRCxGDC8y6C6YIXrgZ +B02XcdCAGQcNBh+si540ekJPpYkH6wpMPFg3d9yAQPZSz9JZChVMWjaChWAhg64pWLQBaqApWDRF +waIfCRSLAepgbAoWbXBXkkV7YJ498RsxD/bAPBAD7HFwlEbDAFs82gPjxvDbOt/KyVrWsKwkybdh +EqfFaXFa4WYLFyIqOX0aCE3GQYM1KjlpFpOT1kBoJCctMyWn78xk8ukIZT6OUApmsAZNjwtFIOLm +C+pYqmW5qwjE0kkjbxQ0mlsyOPBEJwZGQtgb4QIVkTnYGqNz4mbxENllgwUScfHMQ54aURC0uFTn +ocDACDW6WagOp52mWvYQEfkGo2NKRCw1RU4NIOXjeCLLgadq2YMRwbmrjYMpFG6WTN8izgpptFky +I8/IyCx4OgyIXxlSBVWBSDUfzNoVjEobhoyWeVYDy3N4qTUSCjaR1mSHxMKTOROFJm/Eied2VBTU +lR4beYGBDlhXVHDh8gZSH/KAmtJWEyaDi5cJk8HTpqbCT4UwYfLkZMLkBzb1FBV+KQpDKClKa9nC +hEOcmqikU0h0VRFChWhmAAEAAABDEgAAGCAWjkjFgsFYD6QG8AMUAAN7WipEODosKpAIhLE4FIph +IAZiEEVxFEKIKWWUqaJxABBnxtfHzOuGtGyr8+s0kq1jJs/82QMlTZogJ/LkpKUzr0liwDRMkfv/ +vCT3t1ZiWu4RX0jr2Z6CBUvoTHarDgb52Wp50Yl34s5KI2ruidPfKWVy7VsTis0MBijy15OhdAzr +xqZaX6sWA+Pv3pSOi/ITxkFupEYzjtQj/ODAKoGJP3bu5FXzk46YYoAswI9w7LX1xAV6B0DjcSN1 +Qw5IFfc60hwNwcfFJ57BXMttAIvzzCPph4DPEUNQAz8KgjWiC9gA4mtSBAFVe5GOaZG6jiwx8GkI +XrZFs/1DBS6stN5LsJHXzHOsZO9Ty3JogOQ0Xls10KGYRz7eCu5ZB9wxpFpZHNVQixnaH/npEgBh +QxalIY7HG+JxepgDc0n96uMZi9WyEwcnwHvkusSlz8A8PtY2mvDaKYz5C8iPhH2ywtBq6hCyGyy/ +SpBMZ//3m/RNjREzQZwSRv4XF7eYIqpE4fA+Iskfl0SBwl/CghXHXYSXOQm7rYzj8g== + + + YIkZAa6Ex9o46gaedtP30ocKDDomvS6dZqsXfL15o3oBzPfmi2QOtv+IndvWCrxpVQHwKb0sEtY8 +0+sGT6sN+b1eLwFh/bb7zcRJVtmFDSEA6dNd+ILyPjbSyi7FJTAgJSBtMHAWRUK//FUYDPDX3i8g +D2HK03osbgJ5JNR4KgQVl7AH9f8xLoq6lOxR98SZz45dMki2euE46ONpJCNMDgfKLAgYH5k/h+3G +yF0G/n5ihsxPRc4y/TlZTQn8+il/U35PSfXVhlIZdXm6EMKUDt+PLsHd+PPtIjptCGm+0e1ivU4w +XuWpQ7YT++MxyV3l/wmiF0capM9NaKU2dC8B5Y5J1zFLFYZZcWWrINs/baLh0Mn8q74ku5jfUdrD +RTqin+T9qGZkZjk4ELhIsUAwxuewpmEXU5gvY8zHYk6jqH/t+RqJpb/rT3glmJAk5/AGbKyHR0KN +LT7FHA//oNPrIoWQdk3CsH27amy/heOxEsu1UtfkRPJGhsfv2DLsUxsQzvKuzGKl1CXm9N25Db+C 
+izcUHfbY+rzD3EvEDAzXjKnYckYwjLCb+gF1hMJ9Ys4IdrKlAMsbv1lKVDdlsHytklfnpmpY8r/I +JyVon6GtnnLH/PTJK7N/zzB3xo6lnDnvxYOJC/ieesmL36yC3BXued5l5h6JagqNDZ747hASPd1H +lEGU+1wKu+LJWkTsMoja9laj4snAk7J/H6kR8eS1OfEAr2PwXM25rprgIJ4qKz6ph4GgeIr0cS7e +WW7Et7cAdnbCgeJJHvGZ3ab0iHgyXGpuI5sNIp4gR+bGZw2XUTxZny8jRmvEWqqG3gMZ8+x5SLwq +5uaKrq0VipgESZSxwoksI21dF2DO1yZgurs7ndNy5f7hRHyXVzRzsFAUfKeRsbVLnojMfM17Hu3v +NEc5Fioz0F3pp1plc9lIuVd1KSDd0EJt9iWrRTTUq+BSgLlt4RG3iW3wHeN1ZGLbMREZU9SEsBf3 +AiAFsrROHZN4RcxadOR4dq3zg/LZ65tY/CX/MZrNOtV+od4i8lNL3mXF0kkUAZpztNg2T9XRNbtx +mqv1JG3pvs9zQSKYwI5DApycjQrGJlJNEqmO71P2wwt0dK/gZZ0OSkVDbBB2eMbk+5fRVPHqw7jP +wOpKWpvXxCEkKZGwaQ13nhLA6dbXK7m1hhs61HpPvy2EUo0mZbEaFJQA8EI6GM/LCJZKipeF/kTp +vCIQSuFLQPt6Qw6w3BkMpN8DOp9DOHJB6/ubikNlQwtfr4Y10SxBR0epCDYIWeaGMdfXufgCl4uL +r0UsHGWf4pJHWdQ0RK40hCndc0s2sdTMuo2nByt2hthSwVW2m+LPv0iyVPwdMvhRnOuPp+gCwRpP +eeA7Kxoap3awT0nk/001l30zY0ABtRSGIrfwzN7jKQbFozvWtwzPmnEwcP1DdssLbHYFILsphbz0 +eFLQhIXeaTwFOQivLMLn+4RVNp7eaj+M0dMt/Ou0h6gp8Z1syDHCnweZTFj/2AmAZ/PNp5b7VUih +KYROZrOGTE7vTzgQs4rc2oiAd796rQ3JtgdccNsLlm7yGlAGx5Sc+VpJghRG3R/JQCHGQpOV/HRu +MLcpDPwXs5gu8/YuyxhlFDEGa0irQOM+GtZ3O88DLsPpM89Yyk8oHEHXL2pMpOjQRxB7JLMoo70k +YtZpzR9N6lY0u3qHGOM3c57qbESs4N2TCCOsbM8fzBVCBny2Fgl2DTPqyi28aH8ewwT3Gm24aYYU +TldX0jUqjgtgzrFDKen/hBpHVkWvbbFzmbuFIA5loltzCZcdk79BcENQV4LvpKsQcpUo8x3Tb6e8 +8aF0iQ3rVYv7w0pdXJoCEs2Utyc4w3e9QU8E3g0DJV+Wsxet43+jQRbvQD0nkm93yLwXdWSCX48e +UUMt0hiVaEAnrc5juA/AXdJ02cz88vqWwhvmFaZqB55RBPmnBjeGWSuhuQNqZ+tYXvqW74WfI1MV +e57yP57upb/mXUl9C5Dpk/KUvJABpZ4OwISQlw3CtOiE5UWR04YbLTEpyc4Kf+aBU9ic5CcXAvBn +Qe4jCkgg0/PFJxYV/Bj9VYiPbRltwPYLtW09BKdBh5xcxoN+XeZ2CmPiacV1tmnrJDociCZO+xyT +dDp9q9yeacJ7xP4GjJ8mtx9Ht4YWamYMELSnOraWRbPdS+wmayUhm6r9195ji+MCJRdti+xPnkWD +7p7qDltVxko0tj5G3x+QEE19WDtb6HE9PFdiS9W2YWFws5RDp73Wp6iv0y5ITsUXa25pVYVtB44n +7aJYkNTymDWJHLggInMxWATuS8L9iDCOkRgexHovk1Dr+i3VFFul0jHQ/ot7JHH+lJP3nlRGAoQA +CDs1zbEb5btBUDsiXQEuMCLtaVjnSX0QorMMy9L3v6GCld9y0WSBf33cNWQMggc48zCoj6C8qY3F 
+46ZYOjsJnhqITgssqpb9WSRagOh3UbcZgokNVSudM4H6F+dTqmGSrbnpiE8RTt/+Y/N98WXeOtpC +/k9AbpKkEa88A1cDJ0L1L+IJWNo/mz3Tis3cdHUhApwFO4J/vcI2fWKKw6WBzNKI2p4xb4u93krA +6F+LybhKb5T6F3vBv2vCziWqvMeHf7FmSbZiZQCoMCL3qCz6V9DRL5bs/3cw1GEBIoRvs5uwvwqQ +VC5IjtfK/5SRhX9Vgax4Ye3H6d8uS0Nh+lHNq0RL6x7vrmFLtuJffUYoHdO/QqasJoR/gRQxEwwQ +RLXGMnaAf5nWnc8Xmr+NFpg3FJA7eCvSB/1btr72lJEyVvYk8O+NopSlx/9ySKerpQsQi3QMJuXI +4NJtToiJCDzVla2o5o2oJhWG4PpyW+mzNBKzZEmldo4iyOLGsYamd1nESm10ZjrnpK5kUbT4ZyD/ +30GzTmnOAldmdP2OI4FWVFEQQSc2DAPxe8UjAaLRhS4Z33EAQtuF5Negz8LGtKbiT01SWhSNEWhC +W6KwGGZxNvZJtXjGPhpjxX9FhWQ+c4u+uDiwkQ/xMVVJnyXWRrzKVDMNqPImaAsDQqb9ugJCw7dX +JQKZqnvsGDqpRbyk21JhcGT8pno8EEyTvZBYyZ1OtHMKx8lXkTKBY00W+sd8pOFdLjWXj9xaXump +bqY1IxzRmnz5m8L/JCK1hjOXGjFqDd1I4/kCjqODQraBbKhOFcJeimos9+uGwqrlurSP/iRY500a +eqFNS/7cpKNCrSrk2KWyDaSVnhtmOvSJU0TJGJFTblePcpagRqBxEgVfqEVkVjWA1YKyagLiu3gh +qjFMovSNc0ejbw0THJCs3BEP6TGovA0sED/H9D4Q0E0GSEWQbMv1fEt7tZBYQmB98P3ogJd3fsLA +mRQckvGAnQOpN8vyP3vkU1Op91KvINzFFCPU603isVfbQ7103PKskwbQfg8mPnN2DVjQUvpFPXLc +LGTpo9z/2jzUqy/dHTbIlU3oCfWGw6luyzGXkXrbkgVJdQPRpBs3AAoIqYmmh/elXoT35kHVoTNi +Bba0HypO4y4Ac4OB2mvccIq0JN0Y4lKQRqr6tsREAnUCgyV30r4QLdNc9Ukc7Igz1xR3RZiu5Uhz +4j0uhjDb9aJKsU67DKZBOpHKizacdXEkps/68BxLVmzgIr/IBhtFGwQvg/BQIoLGFoKu0qZC9d+Y +UaLwYOvCJeHLsJlU24mZXKXsZ0P52XUV47vF0IDYqUcpFc9d8VcXO9aBUK8VmCxvAICWBWZ9BH+0 +lPQXkbMcNRAfJy3NeNP+U3VjRog4jZRRzBropBSaZH1ADJziTFLhGUAa/xIiLiBNKWZTRbgbFcvI +VoiJMVvepshsgSuCL3HU5kSdLlT0omqvVJGkCtrCGLVSgGG7esiY5MtFrO8EUY/FHrT4fmnfDFgS +Y1Ai3H/U7h8KDCAo9wt47f8CKu6kVdaSIdAJJfiPvAQ0o9c3fZT2MYtC11VFYLl9t6n/6HWYzZzM +Ilr19vTSRi1A341snK/eDO0INqcKg68S0vPP1Vuo32GXUfUGqhHt+6QVuepF6CYqAIE8JlRVvX+E +tnXmpFkaAqc2NtmLFYO5sMKA8hfXExr47LVymY0DlQtgb9XrBeR615/I6+odbEfsA525RtX7vNmF +TVdvYBFZ+kG2ABNScKOjLal667i6be90aouXFTWUdwS/mch48jx/z0Bj6jSbcBbzWh0qyXvvdb5u +K2bVB6ayX+i2fYQ8KIAgunvY5Kh82pYFyZ241oQzHEf9bq5LdcDZdTnEvtfvDZ9dDXoYhrqZ8Bwz +eDu/Sb8o4kkIw7NjvD2nAT9BOpVASavIz0/CrBsGigDSWp8iVGw1utAl/K33+YggllEJSuvFYoRe 
+2rZJE92PRMrI0OVfS6TWWU90OKiCVN6KSlmkahlVwonbAtgF4OHL197Azs4DzB6lFpCkID+lLYnJ +IwZAEjCkpF5o4DRHQkHRW9F/CBJqEYYZRkF0lLh8DQSLGhg2QDLoXay9zu56wbdKx4fKCvZgWYID +ESgDwKlfhX1oCVbGppWaj9PoUzmG/uYGft3fTcBqRwxnUecM5Fn4vXDqLJ2blqPuHu7e+d2dOVbs +UM8c+l3+RwJEasqD0MBRjNL/okHQ8xbx+5ug3v/SFhcKEKxVlIS6KQRSypCi46Q+yvrxB353f1aj +Ns7SM/NA3137uvXe3MPdjHcNOOP+F8S97y4r/6Yv/iIrSTU/ToJ3l7Ec6Z62kwDHnjicYQ+yf+3i +8AmSpgFbSH8SCgbQR/Lu6d0dRLLNWRe/jd7dkX631AB9MeSqio89T313O5IFxQMmGJNpXbwbvUw/ +TdK1kX9UGO/SaFd1yvy0vbsJ0Ca/Y50ET0pRFCjCaampZpVGnZ+6s0TAM/k/U8bV3eP97xGlAjqO +GxhSv+NFCXGw/zhbnCtw/xhTOPiRTUBgprH3Ifa3Fc/FN1YR7WVWl47rQ4eZRfCtdUNbBvct751+ +LTtb0VoFp5wkT88x3AtSqSXU8DOvTBI9WZM7Yzw4H7QwBJ2P4/HMpb7l+++Q5T3rwNhN5UZziXaO +dAuu+42g+kpNRKJkmLlPBj3MUTe+yr0sEi1wP6RAVC2uS61Wnr0bQX9nja8yxPrQE7ZgLskbdPjD +/t2NIU6OcebMKl9MLCuFUdHaP0aZRp3qIdHrvm8ScJ91H23sDXQTBGMVCd1A7zwwwT+/rGFFl9Nb +roFOFORbkraZMRd0Bqgjh+GAHSxM2b7o51PG8WVkC/crKDLrmCyjXDaB4xsHz8/Ep0+WNo1vHKBw +E3ZvgY21H6usjbuB9QeUFq1yB5XXDYYq+Kw4T3293dWZmeV1gs3UhPvmcFUrsVmjAXmFlyueVTFz +awPkvbz3nv2uzeGA9GyCDg2Ck/LeJSnt4IWJMtVhgVW4rM3apOWtWhjYxbE/BzWg0OCKao/qeijJ +eOymgUhCjEH9TFTg72iI7iB78XX8FNFdXmcFaab4bZxOaOaNL3AHave22pJ474mT2g== + + + fmqg5A3CaqhAKWd6WBnUDux6g2k+TsUmhHSnEsOD3G2mvDligW+m53QFPRxYFJcjpElAVm6PLTYC +SZmz+ZtyjDZi9xNLW7T4VFPBoRGUM6ihvFVwG41lbmd5OJSph/zb/xbXXr7S4oGeSaRqy6H3l2HB +1xyxS4xQDdmgavvzRO7XcEUN/URH94fL+20WrPCyvBD6ejIqKsBkEu7eaK3JlpkeLj5T22uf0V7F +rRmY34quHo2h+MXX0asRhhldbmpadItSXWOYWUfXYkwKSk56dO99lQhHYd+8biq2z9F9dNIbj65Z +3wftqzhCBatpRmnuwBqQNj95dFX0MrFXdLESNoMXjN0DnuJXUjT5TuBwMG+5YWyQqUfbMjzJPW4d +HzAjKp4HVEImq4iYBy87ijGGieyxVEfEaIrfy9PvQ1GfHALF5OgNHCW7C27Q4WtSEzMuaCn5WPu9 +ImG++HZhSyB7X5vl99ZCxFJ7emYRKg5G8o5lp8MhxIvW3FfFcK6pRWyivKa6CyOPht/LXQQkDYUt +NOivsvfcrEE+rR6XjGdp3pNiakCuH9uXmX/FMCUs/3mP2mUupCQJNExp0PRwtVrdIiSsAomUHyTS +cillM32Gtspu6JBjDSgLhEjKJmDSW4y59z5s1d8ZAB5dsTDldzV9YnQwdHsQoqgj5NrfejM2Js0p +EReO/GtBZt5aq6F4lPt8XBJToLG0gsqUVevFEpbxODFmJH1KnURi60xHyjXbtKSbYi/MEPXKFEQq 
+WdyLRcM14ukoKE10Dg4ezhzRe/iDKjqREfWXj14Vba6ZrWSzQ4mQnokCViwckR9BCO6MZ+qJZb+a +VYOIIDNugWVwNx8pavBB616KnFh7Vtv8ZXY3NtPlPR2ndN0yTDfkglGzS1elS1XpnZsh3kn65sQ8 +FnJNKqUL96yYZbpVTXINeao5Sb7NdI+FKokWYW8wY1WtTPeyZsH0kXTwO57pBhe3vAa/aazBdK/d +s/YOAQexZf+UW3umW761DVttgv/8weyKK4/LI3QMcnmBoBtTc2/2aaAU1Pmxq/8pKuPlVAC7C3hl +rLk3s0cm15L8QA3fkQUTGbwyODss09Mk4hwqgweJ4r6ZgYSX7nLVDeX9CFU7sDWOpadbfJyyHUAW +ubkXqaV3aHaSmamMOn1yRl2uK72fl51iS2W4tpAgzNYv45ACW7kkZZbcrVyqeLoZS12GKlniFePX +9vpKop6ia6nOxq4auyJdiWoGTDmxl1a31VNsXMylgZtBL8ALonvPsqRYPMxNBsD8038UA+szAvn4 +jZSjixIMYGeXBaZ9gnHrmtcpVbIHL29fi0viuWVok9Q8EozuNq2fayB+gpJmJHg0kFsyEMBP2ZSj +w64Ua9KYmYnsA0oxR+CLC2YVzOp7Crq5BKWyiwKG/V0p04wVgfXPJPdVStLYs8Hs0+8xlUu2Q8fO +GHcNnUG4TX3g1Evwc6N2mXeKXBKiC13skRwF/UqKix6sScRyUtTgjpOnEKNuOnV7aXNlKN+GtFPF +G11aqVfxNkHsN6cEAvgPGbfqK8OaQC/mqNXTyAC+LuaTHbdXj+l3LH76X4wqzGnWyS4gc0wCqp8/ +FeJ1/iIrcnFO90D6MYoyHSqnon1863Ec14til64pcxn+FJv+C6dxKLHtfOZWCjEUVicFJBlWdm8K +SKc9vNSQAJ4rvyinicFK9eNyXU9GgXDDuyKmHzt5PwYBZDu45QaIkZNOl8VRBKE4IaoLfiSwEhdh +4nF9P/iue0RscBFoPxx/NGUK73Puyp7wrzUgHyIh/Wu0WRzWw/9/j3O4Es2n+ZYEvwUsPzOxXJN/ +W7mZ5n1Km870owj9oGZYADpwmkjKDbYm5p+l7HNKU+l3+ZxROlT4+bjKWOb8P9lL64NFqO9DWuIt +6Bu/jJlQAqo9i3N47/5b3ID6iqnJLZmNKk9U48jLTqXKqzEGQuJpF8i7QNEs010j4y+RuygVg5J4 +1/0GnkffjFlDvnoI2knpANVMZ1dIM8JE27vj1c2gIO8CzY7byj05R4PO4AP25qiNK8ZXsuC9B09g +aXBjaKnWOr3fLGCAi8/pZvIfV/mjMrZMK5FJci/XyLrdqfHtHGAQgfqqumfiLxELuYFkIcqR/xgw +iuO4AeBkvabbvL5+dcMhAOiI4kHqs7JBIJqQvsAZbQiw28tN8hatFSvV0L+ZFgB/Wy1RfMhyaOu2 +HHWxId2SWT3g3LrNqWMHY+98nLsosNtM4jyZMEn/y0Kj+0Sy8XzkW13zAghHZsoJgzMT7F5GDlM1 +6faa0tDrtggoRai7wNJjEGkJdhGrT55yiobez+Jtx2QFUqmYDK2fOKLC0wkYamJiu0D9sIr0UpSO +SGRBWDBQM+Y70BsoLBGgR1OjNJdEu1CqG0L1Su0D8zch/DdXKG6F5pRBx9Voo/FWqfylZQKbjiUg +fSzbMsKo6jVkkf2glqgtp91kheRpGWrVWeyL6hHStAogi5h3ntgryP787Kuv9UFdIZYDnFjR9t0Q +qllE8oJQIxRvYS/guh6mTB1SN6/Cr3de3sWfMteXiPqeJn7XQPhDQk0i6msR1MKbYxno2B5SikEz +oHKbiMX5Q2ix4Cmcj/wfcU5YlH2ATh4OOpLfecRHLGOwh6sJpwIyPoj8qAX5omnWF9gJy1hL+5YH 
+IsYVPqtNVpnsjodLk2XjcXzdWkTOMsoerrneFXg/vgrm9sPgaPzV96Xw8a/MLsenub5HZOfT/OFF +a98PULzNkTgpPiImIW9oafV+bqguPSoMNQjcXvZhgHEiZ5UxvJdwCxN23FAZCASbSOLBMqTwpkZd +9n/y/4BhBwSz1FqyS3yVL7QoT60g0qO/XEn8W/4NEPF1iuT1rijvlA3vqlqsED6uZtiEiZSBc+0v +PE844sNr5QAbLiS0ZJW/PKAW2hywnG4Zpw6rJpAYqX9NmRZemqv5T0eRBvCq+Wj/A5GAANV82RJe +MQNVgwCG6+aLruYLh0dwAsrijcmKc24bmk3SZusXggg0dwXI4lIkWc376Ev+wnYXJ5LIBrz7PnrN +4coczy0qtZxAqpsqlABGorbcMuJkNH/uyQbuiyU/J5iscSNZ4+qm5l+xErYw6YD9VpR9g4pEPnFy +qNbYMbxPcoKFAUmSUXjUbPIDJTuTqVl5F9+8cZP+qXrGLU2du88xKvq7rM7HK+ZY1wBzZa4cZ3I1 +rlxkrrQQL8Z5d5O3WMav8SYVFbI9U6CW7A3Ny+G7270D4W7AdnwDTz1/ezhD9DV2k4Fts4C7OVRP +oh6OcezqalxFheP8mTV1Fe3NhQAPb4X1kxW1gvb9CUkCCU+W1wIXNrOUyrpnzByP1xFT+K0YDh1W +YduFP0F+fnmm4EqlBqsHAnTK2zDFZSxZ4XrmLyVJ+FbmmAZZ3pKdpjQpCY0KRmudprINhNgJqM0K +0fmBDb/Uqu9+FlL52I78YMyAcMZhP1K43zjiBFcft6iovLxP/6MUB5nhWmuuH3IQLqMPBmde+ntC +dFpW+TBJP2hpRPy7/BXu4lHhp/OUNzr5JhLQllXuE+gTx3h7ZX6po3Wcm8p2lfzmc6mzSPJMdvJM +waTUzPwTZYBalXVAPnUBK5v/gVJYtEhmFb28ZwPo5VvxE8x8J/AlYx1LWwMdvt6cJZRjdfS8qYsI +aKHSacHCwbO+W4MA246vkgg4vzzZMrKeLSJAuV22u3Y3hYxjlSvQBGiqxr7m4dc9iKy4gxCCfX75 +6WEHyXyFOEkYg48hGRswjQsJm2sTU3w3HBRxVzAwyyN2Y3qDzR9WxooLGvo3ettf9kuHn2GyBF5w +QMUxsosW3Zi36zLolmrwfSaYOISweXsuc6aap5ghJvjwwzlDZg/tTV3wXVmOISxjMgMX2ZgszyDb +OSijXmZHkDvfCy0ONjdqskB4kpV0iwnIYEHUFS2oDBEXQ+V53SEGD2nIalpMNHrHbYdWA63ZVMbI +vFrBpwvYkwrW5j6Vl0aXE4a3m5MyzsAGamsJ7S6yM8ObjFqMTPeTidyZC5VekkCmB3Z+uVChzmA7 +wlgnhqJjbZqyamkfggrNTKhjfFulFHNTr2EgHZScUseLHHRcjXV4/TkQ+KVADTWCzxa4nrHaOG3x +iVxJdpZ+GDBuyTlUljdrzoY/x4lRVkJj1+emA06Lxgx+0MGHv71dCTBL2alXX4kLMso0xNAMxlW4 +Qf3Z/c7SVc1L+A7db+lhe2Err3dnOEE9zbT3lMZR6PhnWak8n+XgyRz8IYYQiRrpqi9L/FUMFRxk +oGI9NuWZNM5MmwIewAuQoMZtkm70s0zhMAq2Qc5o8hRcZi/fry5jHSK3luECL8l8pVzskl9dRg86 +knmScWfKTspCEPmzVRKi+3NHyJsDkt6v/t1rivyQOOB6E+IwfT4oZjPkEr/AJDuopU/kLk5nj0Og +J4pdWDg535KcPYxnZgNdCszKyUMMKT0BnrdDQARzgpXaUZwONukOVw6AMTreM6SXZzVRDBsqtjm8 +4/aV1zV0kycIKZjIGAh5hrekVsQuab6STQnPIm4MtotFkin5vQelEcFlCO2UNhkfAiWI1pmzhpuH 
+D2rdTCwH6wQaXAwwK2b+MiSoMeQlzgqSHFUOP5LKKC7JTBpZ0GBCPslLgjKfltCgggDfiNWn037A +9i06tZRIZUzKHt7Dm9ad+bYhv8Tk0nrb162eertGBgERGb2L/fpQ8ajtw018qzryUisVZUdpk532 +v+bOcxTikj3GncnQdk+NOCLmeXv+Hyt+oNNEODHq380H+SPJXPwBrPcT9YLit+pZZD20TWosVjtL +ZKDFNuj3i/QQbRv3W4fpPL7Qka4aJvLN8daODKkTDJ8RBp4xFj6GgSCWUKDULKyj/Ag05SRti0fs +qTstNRDpZmx5CI82XEeNmod60EOnu9h4hK9mtHMO+kTtQIKLGhEDXUUUDoFmvFKzmw3JmlhD14wf +hUviJxcTbjJCwFiICGA6HVf+awOhBY+GiMX/d+jCR64Idd9XFwKxPgRwpIYfBhdvokRUhtRmcuE2 +AVsutCVhrkhX1nEB/JOJNYTUVik662mWSV4BPGvlYSjwjdjOZrTZaHv5IEfhfaEnhmDwC/0YBU1S +iIChrprLXNCk4YfsUAwCXHJkWTzzHp0B0KMyRxq2A8NeEURCPBKqf5ACOfGQLPTniM9jCpRWZA+6 +WYClTV1ubyUAzbS3OH2U7OQ1nsOX0KOTSSKP9qE4mNYq3erZoehbkHEGAQySbdvCH4K0cB2Jt1Il +8ol2JvyD1NVVt41o10NI05XZB04VkBCfM9NaC+5Tc6/Znp22Xqt09E7Syoe76ZhrrMZku9Rm1Wuu +TqAilX0NrCFmtX7ZOMxGinugcMv+gCo0k9sPNk77eG/ryTje2+asU/8Y1rY8vQhGPDk03rEmx+A2 +hhPLmZuWNbdhnb+QcJYfFhCcQwr5JvVAdvSd5PU56MXauJWKVyq4Q4RElNBxLY2Cyg== + + + 9MwweE+bpvhOlgye160AKBSE4JVpzWUNI/g6pwLaRmu41ooGUg/GGoUbufuWFT9wp5FOSezp43VQ +pgboYlmIUvbMSOZ9b6xBSsdpc3IS4VNJEEPZdJCacKDN/qit5OGsVP0vb+6qI1AhWfAAYXB7fBet +Z/mc4DycZvgtOu93VrLMKLrH0jU22hv61QmE6X/NmxbVs7bP982d+d5Qnkofv58j0CfUpq070iRs +nhf1UwAKS6/TXECpkq0VC6AIx7/xW43Ew+xSussjXH1ILRVElXDATF5lYPleA92o4aZXceuf40d0 +m3QmC9+XnIGCQjPxTVTlA+F001tcq+/ec6Rcofo3iQs97rJeX0ok/JDEBK5cJQn4hijgfy9zkBbT +ZxH+lyOI/62GhHEFVSziSaMRHS+zM5TUSBZ4Akt6DTL5C60WOsVFRNMRGj244sr3ieOzdMXkli62 +8heeF669wnpU5rR6OqBZn9vvOiq2a4naLeSlMpLkIhTGst89u05C17Ln2/Zxkc7JhPYu8KOf41ih +7Mkf+6Buk0y7c1p9nesddF9+YhJzefhPnsoo6Qt/HFNNps26VutInJJ++okmz2R/Il89tpIo4CKD +sxJIrEjiql5CEgojdVqgNwwWaMj897Ghj16dREIqQjbVg2rSPVS/eFfQawqEQzjQL+aICVDfbjbW +BG4kWCG1pwl8i/TUcgV6LpaPFmkfBahpsl+TDRMJTQbyV4xXCvKG4vQsfRuBSU00G0uHpNzCOZWL +/2pd7j5X+XXgPRQF1WEKIFjSv7FI9ALok1TVtd3YfRO1nfvVTJvT0ZovssIF2AenqGLYh6QayABX +yxFa0GAXT3UQt6vcwrbAPEoNOeFBTCL26x3L4NMVDeiNUp3Ydp2qMFIEgEgc/YUrO79Ifl820A9m +1MOIXh2HP+MXH9YN2xmVwo3Zm3tqGTwwYM/AEOd7QMCSE/IXF5wNy5S7xfPMlbH3bi22bsKHg9jk 
+x+KJhJVIwm16eMAc2eFDST1oPV2vksNTfIgFqifZ84Ch+7VSCNFD5Y/F30Gi8MjF43+D6pJKifwM +ySIgvoN/iRgMfzJ8q00RxQyiaVUJhHdpRgnaUH1Z88VSPDPLAZSACdotbqQwCA3VSGouDovmABPv +wP/dNKBJBRdK/TOzIhA/ZktBeeE/vKvxYrCE5S39jPUVD9EDj4ae2+pP34500L5XklOA1gfIrUOH +EcG+qZ62W6wFES5TdmP7u/Uss51uutjuBRz2lj8oGGb4QJmoktpptoAYhi8tVaF+VaZ8icI6UKaK +pgwHgTLKou3O4G+S8QDjuTHAGfbJuPPIKqv+UScKnpDkGpic4XnIyOrvS1q7+82qeA2fPxPqO+BE +NQbHLkPOd+JgAJNWMGQr7odzOYrj4K+cWN02iKdZpSmZjiZyxUOjP6fAmKxuLENlWTlbfHsRDfE9 +qvEvUQLW8Hb/IP3U5sJSKaX8j5rvBy3CCAuZv40F5cpapC0zZ7fLSG8oWGYK+bYfXx1r9ZKqfs1d +3ndWD8TfAeDnbYtnhRqNOxgQh0k1N6gm+FFwgYymcsbtKJcpyJeAjPuPh42ZFwD71xjr5RWa3Ufk +ILg4W8aoaG8FwSVB5nS8JsXaMzD/yk54C3HPLR83T+2cGaOgX+rjao3MfUIyiF19rMjltK5aHpJj +L+2SoSA9YXOkTlSfZVmQwOX4ncZbdrMhzUYzMHovWsajBOIgaE2oVCSzZWiZGarE24q8NkL3n62Q +BPZbgCOKEwXYwWmKlwmV7Io16AQYaAgYYYHNFvZFVdrzlgHYAG8AgJN/heB+9FUM/akODC4JL9fm +NrCZj3FZN2ZfNwtRc2F4JNlgntCTSaChlqJp+hOBKFnzXi9LdTnhIrMDLQUr8uo8BjAbmy24Bkja +21mL6IPm827tpYqLTFXhn6hJl2eN8AtiyDUpFV98GOap2rHTOz7Sq1P0yNjQo4q5n1/kOWHC4AFw +Do8AB2MYxIvmuXuYzmDXMy7ROokhRyRpwJ92OPsQvsDhgT6Cl6TgBWBLSDp0vC7Ne9OVL4qwNxDc +szcNm7c4f2au2oYNrh2OFBBCP6ChiLjCMox7B0DxYCZ4nCYVU5OSTdlmuX0ILOcgndwMUNtr5Xkv +oC6xQF8WyUbRkGgXe/ZK5QiS4W/oKQNbkCJPRmeW9bIYRWAI6M46xi9l1hER6Qah+x3Z1pYYuQv8 +3MCjAc0VYhgpQtjg6E7aaZXYD5HxwsmBYEwbZWXTy6sOvhX8OBvV70t9aZbIlFIJfljkp+4KWVkY +qDpGXPk6PlHxvHLfJkC7WIAvp8TXEWIyoCxnTVmhr63XYjifhHdZLNiBWVrYbr5reDItfulXClSH +tM4KPRrygmn92woE25Aw2XLZawbT4GwdcWpiDs4SUn9kV7UnwKGVRL07pywhr6EKhWs3SVJsHfkQ +ccTHIzu0MjN/DGOHvATSwfmTQiQqgsDzDZ4K2hnWKZikaw+Ga8pYIvTYqCef41fgACRcv651kfZv +7zv/xxtYmBCUU3cMFAjZ1gvWzJ9s2mKUTjajwshp3SwzDgc4ebnkuupy5QHnJX6kLQDkWp6oNEu3 +0CiAXHT4QUXRVUFSxdV0mPv0e4fkCxtDwSGnY534c1DCMUdM9onPKCvuY3TTb6AJwjYSR5yfBe2U +AtlUG+ffZ0OmlgaJdF2EUY2R5FlVs2KV4a1i3oBuBwDHspcgVTeWuWy4g2fZFM65nZC0aMF9D/Be +XlKKVHG93JUADgsOyOAMtJ6/3HBxdjC8V21Peytt4LKR4aswNVx8r0ZdckN8OI61Kkw4OKgjxQKk +i5H5VYXogn+DebhC4ppDxWjtqZHBEtLjWCGyDSu3ra7lDabWNQAEL0aDz3QuMRWEepJ4/jbbWS5S 
+D1U7GAaBI6HSBGLro02vRvO49Zuh6Dmft2np2xQEK2doscK50SVm+I6j3CoBO3xnIubPmB/Jt2E5 +XquFlQGxiKBYSKZpdKL8LSeg17p29EXPFQoxBDIRPyHyK10f+aeHYqz90snv0AgGj6i8ONqnp4zB +vnTpEZws1fN/NgCTjpPGLntV4DIknApc0Wwywqiw75eLRoqjgRk397tROML7K186kdw6L94ecgrP +nKBCBZETFLy9W3CURfXynO/xwcfT7GBOoan7HQHJ3CCzCH864dSNV/ZjqRsB6gSw+DZegeRa/w2g +217/PoHcYIDrZ1TD678aBDB8YcVZwo46n2zdZaNOXcQL6H5JcdASyj5daCuYJwFZXBjsi+yA/U+J +t6g4RlVNHNVSNIdVXNbWQY6yQjBJ0Y/iWqL8mTE0k9C7MBprtHSRZo12oR/YDYC+XxxAef4gE4Hb +piWxreM6CEWbmHE6wKyix1EVgY30x+GvcKqRhHrG9S45/2T0klwa29LeBq87EQT0gn83Uu/i6AEN +VlFeJOwG4E1Mxp9sbI+fMNaOq49RyblbkEmhfoC5+BBTdDfIygOKrrX+SNGE1o8ckER6Px4yV5Iy +F11uF9zSGnuSSEUsjoQKgJESsdczRf3mxwMtpLB75ONAicfxGF4HLQ2HEnZe0dWwao5MEMb4N2s1 +pnD4Tdzgv1H1lZWZeoX+0Anzxte7UUazRkGSJQfF1Sr6Oi7TvZcdhFmDxRLFnyvBzHumeyrhUptX +iG3N/4nUTiWhMVzBuPsDU2r+mbJVd0wyma5OTZQH9ZmqYb9tNpupZovdW9p7jOvlLX6Y5AC62z7G +9KQMPFV9BWFk/EY1/Dk2/Zrp64ILife5B57VVoDamCFuYrf6kpaJLQHn49Ccx27m6UwGthTUDWws +Peo/zS64EZ6WZf8D7GzomuNrB8O3+SUjeL3uJ7A+BpjTY4di38ZFQgDRogE+PPL9Y2cACOLWJdLu +agktIEFb7AiVQeILJVINPfJbBUEoEx6xEk8pInAI0kuG58ZYncc16JDWUyFLlk3/QgQ5Mb5RNKL7 +u8k2avLL+xuSCfGKmTsKJo3OBq/eTmnYGx50/ihUlXcqXKgJpGe4NEgL4gLKj2sbXYjJynH+ilLM +i1w9mYJ+ncxnDQ1gxu+QRWnB0MPS8Ag7MKFbKAPqk1zRDENVUXQk4Em8oblY88Nb9YQSzB4jJds4 +085NUrP64g0mQq/PqUBI4IMDYbjKLnEdhPH0GaFiVkauwjS4DMaZ7cyDNZNRwX2Ne9YKK5yxRd+n +P32pR2G+gAYq2PiH4TMQu4dBybjAHuleOrFMPt8ZlJRRaSqS2XBYvOUJ5nDIHlhF9Hp53s2qer+p +NGFDhGsmfJJofbim2QmMWfWhK47PO33sTziVM7XMtn3lBTW6Nzt4c4dUDP/Qzp3cXewMwSHTck5X +c4ml4OixpCDD9Cja2ZC4yA7bOJsNSKrAsISMyuC3fe7Y40LeqFxCKSPGTQ+aYKgM0UoYATA7MgkL +agIVBqHTjfVpO6cDYa48OfOVVRJ6FjnBcxifOoDQNEUuei1hgNdr4WJd9jRedDyyQWnOoC4sbR3l +hOtW3GTtxBgZOzz/pQ6RQ+TWaa6sBXqG+YNhtWaUdxf26EP2cwYtvIlSLbPrzMxqRqqpRFkwhoSn +W6ox8rRrE/z450zV+8kK0Mq5qdxBgvwrBHCr2V3kL6S6cMS3FswRejnmPUNI797PPyqPZRJOo+hK +Q4qhyUlgxJZEFn3J+jpXgjHmJAcRsI8GyAOe++4QxLOKQDtNEgRWTEpkF0OhWui3qbNmb0rauz4O +68fVG3fM9OIDOuds8zgXioRixSSCbS3YlsOlB6gWrsSWMrUIwmKyarVRaKHuo6B4GvKOME8t97vR 
+Ieg2xUEvTeGIBV4qRNlkRvp0G5jvXxl8/+T6jbt9u7gdvjhlBq/454fKYVIlrvPQPmneY3YRNuH0 +E/SR6g1mrmqh67mMtQPbkB5309LfDaZs3adGMzGXY2ewTeKSnh9eGicHs6G0OnOgsY8qKPU3bjOI +6GBb5OhEkyiaiNmdwQWkuQsOA/pwWJ9VufViP20PomkYqRQ5LjRHVtTmKGqp7gr2D4IITHQpAx65 +fDZJOHdN6oVcOBaXvH/qrVLj3ZKztfOUmtRfA5/LhIBTxXH7yh2+K5mW0Onofc2RMMymkEPYYbJK +qcPNXtNmMw7jy3MyKdwnGtrqeiGc2yPfIMDEWRCXWeKAQ8dZtobKJZA8/GELVBcDoQQh1EvyTidD +wD79PTec6z/8f5vrbD0IDJ+RdkJx+f7JO/Q2XtT6n9amaVdJtHpY0v5yad+502rSBSAn2DRw9Uas +h5wMuCHbaJgk+C5CHDGej0ucDPSuNiDOBSpWEN//WqRp0KqLSGiQ9e1oAyXGe1MrDZm6Jxtnnp5R +VJ+zsEgnln/KKkuyEREiLXzMDKNXzZb60l5pP96QZCtLsiJaojf2uz3E7A1ca593AurQ02ZvbQhh +0rdBCaU5Baqwjl9yDdscSRuim47caCWoWf7dPeiDUkm60/M+cgjdZq2MNIbokRVsaA== + + + AIg/YSit0Z0IViQIxpxO4PTiswG6wxbKSV4dGhz0D95law2uAA/NgIhv4lL2siarE0O0SQAyuMcc +HnU+fVUgnGfg5maSigT2oxEHUnVM4LiLNkzEEoxGL6bVGaPntplhGfmG6JnYFbeh1go0CuSyVE4J +eggr7m+N/M79MBwDbVRZ1n6QBkLNvTnFwmPW4GSM/hkPwkqw7cCEu6TmF20O6DYxXYRrvC3iLu0s +nJMmiHHVKIWQFNqCP3RjEnAoiRv23Jx9dLs+ovdDM2qkRYtKVZBDAglLM/ij/VgGYeLcIPM21UDw +NR0pq9gbji/mzTi7Pw5mWAz13g1g/ujfnYdz4pBaB3UmwpZ+Baktu3zAzLmZUUg32WaDvHEVhwXO +5SgviWwQhcCRw8TgSRygMKwqLJB24NkQGjbORZcmFuU0BvEC0hIv1MvB1HnVrN3jKVJjph2yThQ5 +CwJEAK4Dl3PK3LXrwAnTyUY2rztj0z/DSNBKfqU9aoVF9uGOQB4m9Cld6mckqkRR6EtC7bW/NpEI +zgkJs3W2MIUmcrNr+PwE9eyVyWQycoNtgARYFGj7jEN8xo0cTd8/TQAtBgQQsJPBoFDCmyTECov7 +kZpgJgdVQURCc9gtpy1UJ6VRNVmr2PBT8JSwB4KDfPtLqvE39bGCzyNckXKChXTtbahVGTzLhlBa +u8qQQ9N+1GXchs7snDUN0aA9DUx18jCiB1OhY8GhZ7bbLUkBXNEGV9MnpywYSigxpQ/tAMSuzoHm +ofh0ICociRxPBOe5QnyUu4eCKGB8vp9ondMtw6sjWZj6fEY3K5eciJQKcYeyTAEoKoUIo6tbMa1r +Igsihng8u9DENmeoharphdSC6bUuZCfLOBCjpEBmwujioJmCaB/zas+dtwGwJC0tnLO/qTPtZLkK +JFmKV322KfQ0Wbx+5C94AhJM6l8onXF8nDtRpowaaGz4GW8ZRoPGEkXzpk4/vAAxg6FPaWM1HIbd +QAYmK7yHRsVIWeDplCfNyt7pfePtiESrcE6MXWyQNtzH71CKMQxuHsufUyAJG26kX1uPA5joIfzE +0xjU+gSA5OP6x4dGFJzQkYCzOtgVgo6dkBWL2RoLawEzhDzbC9pOyXm5LwlGJxNt3eQgAXP5O95h +H934//f5sM4gtEUO+9a4Udd/OYV1KqcLx1Ctic3WDCoaYviIvwpA7ArGcB3LmDtmG9194GMjx/bK 
+6WLoVpgMBZGBkZmqfJRpWssev23E+Wo9T1ZOzudTvuFxSVCl7+GkgywdYvDUtrcjLWb1o0zntSaD +1M2bPviSYaZJ50ng8LsMi59MscgG8nK56pEArxd5lp1XGiTMXjohbIy1o6wWi5GIx/6NzqTZ9COa +IVwc86hIgi22iEClJzrza1YIIDH4udOmsykCxlQvVWhS+0D7RHck8gmSlGEgEzNYpNVEowB+74/u +D+ka54tJ0tfeQiulndl/AbTUESoWpLI3SC2pjWgnbz+5nAPt+7Ne4mez2qSNqIkRraYE3uvYHXVU +49XLueqhx+p7wiL00UfLwTOUcB0QM2eymFiLzpFcAkQ62lrNZsfsvouQzBJmtYDTMrimeEKD884C +OjJ+kUqCRoZwvfYyhHFap+CjNslTAUwqiZ1m0GC+E2mBrRlfWm3IN1ez4Cd7TrtlPJQumR3EuCeq +Fa55NrRwT64ZyV2NlHlJNXdscuNSPbtPuCWCgKDfIjlCqiG05Meo+fUNPidLAiWaeR889Q3m+z4X +eYtCoXkRuJbMdmKs2za2kY6eEFptyev3OE91oC4vjlVZZ4DQqnwu+GJVbIaVXBrsugKuEndeWZQg +UaJd+AvUtFXlKS7wek1G7nSTcHgX5xRGLj7VpY35orCg65B0FWPb5ghWnqlrJda2choJtfFKl/Re +4X1GKKmXb6vsX9IPF/tVhRjjLjP9ehe6RUjMB2vquRxaLx9ikvisw88dCp15AsfYNgh7FMaimDRD +0Q/Poyj1rLViQIkTgebQsFCasT1uCFBPEBTkoAje5JESzV4JBMswQ2iFZyUsRM3+DztDXZuu6C6q +GJ91IokQtVGvznK7S8z5h6QaxFoaDnz3+0S2hb/Bvpos2kz1ximkl351A2jkYlAFCFGr7Ea+HU3e +pvMKUfIf8obYjdVFbdpquxTs90Jx8o+p+EoOAOH828bamYx/cfHz+VU5rhI+oNjCyf/dTSvzl7sM +5B/Dr/0mxws+AafnAV9C7WuVOR5j0o8pnXJIcEjH/B1j4+mFh+NaPQca1wQoLbo7nwJqRgqN8b/1 +JHEln53rboY6deGUIHoUKMRPK9aziZxrbW9NwaQdD4665VcpFklRrnEe7me1gecG97fnhi4/8T+9 +ItsRuJMK8zxsv0NJ1wbKO9MjZoOKuWUta3vH4cMSDIxDaSlOEuiZ3J2noYjeoojzS46XmWE2W9Vq +Yh55TbofgxcaHNoFVStQwpaGVCJGoTTwRBDRcAbRycX20uAyVKxPC0uZ3evwb+zd6nEgrQP4KcGF +E+zqYSiBxPEhbZ9D73QY16+jXINhJsbMXItsOo4d9fPZj0pP09Ue7FChPal4ECVEZQddYz+kKUCD +A6PFKeg9qHAOWgYD7MsGfIAfYjtKIFgMKbRinN0VRna2efAJN55vYSGeV6xdb4x4yDbp1ekVswV7 +fITY/uf0cane9AtubEvsqJhJTW+/Fa3e+CJhb5SfRAY6iBXOQYr4ZEjaoxJBYJ0h3xIW6c0L4YD9 +xhaE4sJCrtBfJgnPT5HH8ETBkneBZ3PYU72oFuJUHeYCMVnkpdBDUU2WovK/awi+h0tEwsNhLQ8I +3lcCJrNmJppsIb3n6WdGbInlj2CY4FCUNgxJoZCCdw2f5Kaj4pl6SXVmPTvMdQbBrXaYTTcN7s2c +Wf02sOXtAuoEsspizx45kJWaGamXcfBqyNnWVKKejqJ6kgop/RH6QAMCm32DkHucGyNWwpvjU8xe +RdRcDxbyM4aiBbcevdaeZLemTeb/yoVc7N+3QKjl7VYESAVg1Qb+cqa0+70bT6I3oLnSOh5sgBHX +wwee8S1vGumZsypXaItbeXdO1QN0LnwwPScg5qzkMM+ef6p3CNPC8f1UsvfiVrsXRBPRp0SJ4p0J 
+dYq2e/zRw0spo+UOCxd3BX37gwqRHYUZ+bCgi/S9NMgQq78zDT6jJVVY7WvAEq4wLGyPrpNYAXJI +qHFYkvo/J/K7d2nl5fVss8pYtRBVJn6QzHgvUDVVE655CtVjWVaV0DrHjbQzOyVAGfa4zoenVHZJ +vd4D3zPsqXgWakmHRRMtd2xnzWi8cs84mIDWnXpn7HnR2asllQX4D/Idoy6tnk6OOgVUTAQuILMr +zpoppQhpegCwnkkLQcMYSLjWp6rUn7kgLGWJ3qwWGrjxBRY/yMvJjrDDS16K1JoCOw00PDl+QTrN +aIKJYHnGV/0BEyagE2ZnEovEKpzqo1m+g2zgFwffdwqJzHloqEBB2UcHnu5BglmtwopyCJS445qf +97TWetuaAgCaAR/WMqEzfQhsHS6EA+DmiF9O5WfTxQJXQwkFgf56GK8vv30cd9n05rzJwd2Ue63M +XIv5iTKGCFR6/hHoQH0fiVMKinbz7Qm/M/n5d4mBGKhmV0d7nmgM+t+HBBJ2sw9o8kohAuX+faF7 ++kufS2/ssQJriWBQV1EfHgiQdTLP3MbRJRDeD314PVX34vAgh9lxoWL2XfEgj2Eu2g6aEO2QD4vp +RqtectAxZwcgBINBrJ3IjTHFhozNjDWrxp9dxS8D8wnYcnCjteHOvcoNaLApvecrZZBmDhkUfcBm +cPST99uC6ItwZy2zF+SclJaKKKX62YGyYodN514ijspyzALq8T467DByjYbn4VT7FWBLWbgS6aj/ +4k+p7YKlFn71+oKnik5JJ9banpzjUPbHYEdtAbs/KpHknPKZse5ih8vjwj71f+niUBefCVmvTASf +Gr2XrO5jPxKPezwlRfjZPiW5jE9rNZ4gQuOtDZNg5rRirlPBSOjc02fWLXfg9VMf+dqIDOpP9eUY +Vp5U9rGArE7YOoU36Qxi/n7+z76BgkxtaHr1nkfglgzF/0XORZemsSgBvJHlPHTaA2WJW3PGMm7U +WsWTiy8VeY+NtpnJO6wr0K9SZGdz34hEkibh2gq8GTeiDz7BiXBeTEBld9hNmXYjHoMgpD4Dgl2G +tzR7JWQiTWUUnSroI6s0zYtF1cjo+ToiSfyU4C4+9YrY9Ybjk0jGQMsUrtc6hhS7g2RtxHCuv5I9 +NyraxOACejaj1oyclBBM+DzoFileIEQ8ZY9gCEDwQkgLljb8pesQhgazeuAz9JOkHXA0VFmwgKZZ +0GRBPONfFzC4eKYvV33OYckJ57ZEjXYZDQgx4JIB2Fzm98jRbul6AdrqUl41iSAdTTmcXHORYnTQ +E8JKJLYwrl1pjLiaZVx0RJ1xdwoHLZhMcJvGPqxdmWS6c8dnyDwHMQzIlQIjMHpgkt3JTB74Jtgw +vhNniO0Sy2CeGBXZwW2dZmm42IhTcnQ9m8zJQ0ocTcpwA4rfeSQjfmD1j8UkqXT6/GTrwOhgux3m +Ue0Rg0dYYCgtvcNAIEbVQO94Z4sUpSYtj6KfHbCwbWlp/DSvacQa0wSAQaxj1VTGnjop+Hqr8v9j +VSiyjQwumlUYsLSyFq8WE7BJpNmg6KM0R7IXhWLAWxRftIiRO4SJlk9fml2mnv4IpIYs/VRo70E/ +gTMtEuv6sgMPmT5kHQhSQYmfJkOEnoM25cN4FnV5x4pS7gr9vwg+iar40A9HXoPYWDItThQCMC1Z +bjQtz0dtau3W3tGLcCHQQuJOrCE3iHYJ7GFcT+hlC8tMm9Ofo7iJyAAwXQ5HypFjDVHC5OaMOnGI +6pCWEzuYEsdO7/kpJMay2WucQrJaFGnk4aW4/xE71pHMKG5hLCOuAEAMTfpfQ10RzULOQeIjIPhv +Sud830HjK8WisQg9VUx8+AjRGhRiSZ3wYySE2Im4+UCaCY/GSQcFFk37BoAdp2rZrKH8xhn5YbSw 
+1560Rv8afRtFKMUlOTxW9MsqzmNZS/e0AntaMcv+FXn5sz4a5q+XtvS7I7USSWkgVcX9wMcUOqjS +U0AWz/lW3YS77ZFWS7W1gCTVHiZnjuACQ/cpwvpypEkFxnDmDSnmYyHcKdL1bZ1oifKUu4peVEkc +dGpdoEo6/LkiQXIl0fHwux6fdc41wj+79ySwZv67aTIhCIwsnUGYYLo6IoaGYLnlbVNFqbmJT46C +/eYrCDYLsHZ6rQbE9WJo1oeQACLxl4Bcqv5Gfv/Ilwtp8fYrtDfEBIl10CYYy1Dq3R1tMv6463ZP +HCIVtjZAKoA78IRVbgoC29KN2xq4Z/ACONw6P4u72vk2xZPnQl+x/ZHO2Q92QR89Oa8sEGjx0AqL +dsFIFFFDEtYzFktR/7OLBKT0cFtJjOQMiX7s/d1L0qusAayv9ckjojBD42H3YCnKpw== + + + Sdc1Z6pxZbplV0U0ksSmjZFkZj6w5kctGPcVEqLIz4vgKt8++Xb4UEfPkS4S8w8KgnxiKhr75lz6 +hNrTZocT5oPY+vB4HQww+PxfD0ZeIMd05jx+P/8cfL/AtsdBUYkCVwPIIakZu3wzJqfD9QPoUNV9 +omSqP96nlRumpj3bfsazEwUAJIzmjItiMocGGSGcnhtOzQMsrSKjM1AxE8qvicJ+gpPvIwXYYcF3 +rUUvMITgMs0HYkixDs12HUYReHgGCgRn8cgKjey65TXExksKCKo0sDGdlPmzYnZHCujPvVtBbBWx +WhjVkz7YnDTjiXNvnuU6H7yuI78I4WR0JiwHC4p+BdW4BdDzd2nl7P7CSKqjeafDtqbvNQ3pOCqF +ZAnoQnPk21JqHPYSy5pJbGTChUiuz68b6epL/hU2SE5NmIhxDqAsCA6VF9zcA28yt2J4QNMtx6ag +dz861UWlvyfAcwqbF+frK83o/YsoOrd0Z5xV7OtYF7OIOPmsa6VmIX744+z9xj5A4ku1vLazv+cP +Ivcib/pRop3FrZRmovWfZx0VupTmJGzgeYpP4IoyHxbmcDkRniBxtgAh3moEfGNBqXwFQ13INAvJ +o7wreisg4g2SsrdWW+9UwTvEHLHIg9mgPcL78DXOVR2Sx29XJ+SKzkeKw/TjY/j/rCR2P/RMrxmE +XPFrfqnzAjqDkv4DbW8qth/QEyWd6W7RbIJMGKR1gd4tRfz/CvsJF5r+RWs8aQuNuGjir0QHb78T +Egc0Jwn1Npofb3SXXBVZOi4hVOmD/5bvjqUjwxhHBAeqVsayoBECfe6QGH4lGQulUu/V5DgUk3xM +2KvMt4nfEiSFgmKjtm1Oj0nCwXIO02LcL4oil0hiYzIj12tBZRhgg/LkCB6C8aCPoaY3RJomxOkR +hMw1GOBNXQY3xnz/vplfHGkyAz9zhwTRxCIaDAIRn2npDWhFwUgsXxEbfiT4Ez7aDXMYxswD5Z84 +xPfnVSi/DGO3Ng6Ilunwgf37lu9SNZVR3EDw2BJjSb0YQXP7swVHDnQONkOnyG/lJQFiYXg3vsSM +t9wh7iJECIlDP6xiGONwAsuEN+ASJAnuWgzeRiUBvJLIcA2LG/u9U0W+GESNJ+WyttBJtC22mc2h +hTbIPHm9dsVoIYk2wg0C9KDKFKzuQnqG6WegpcV+NaUFr9FaEqWmMBR2QjM4yf5OCp4nonEqMM5S +DCQdK8ky7t+7P32WEOHhAQ7Vn/VYcYoSJSgUlcm1Lqvz9D2mvPf3h6z3BOJMqSrPTZ82sYRinCPs +TzT/RDQ8UqRPKI6g0AvXPqkfLXItIeQ+nr+vTAFLOTl08jer59CxCn5OT7CspIQ1feRL8lBSap1Q +8hGxAkmsR0TPmRs3oz9m28CiUYozfjEgbsZCi30hxCBFx0ByMJncTQecTnGk+V1IIeZKA/o6E3TA 
+2XXYDamaN4DixkjTsD8F/aRriUVrSt0M4y7dWAkDimgPCQaQby4BxHWjqfynaCcCRsKh894D2tOZ +vXWs9nTZdJyjm99wkrfJARrhpZRbmIrqbRQ7dGcmELkj0iDKaHWeQW1HpNx3wLh12Gcnbeue1dBX +Z5ZUpw57l2Mxm07OaNAhKq2RBCwELnRBrShLokJRP8TEI30VVFxjRRF6Y4vplnQHhakAMlGPoe8O +ljcPmuDAQu8w9Iu1Ex8EaRdDVdLULHiqn1PpCOitWklgY4llq6Uhgmo+wRgG7L8ORhIWwhIUQFnm +1/zGVk6AejsajPsfTX8wkSjVxT7vruuqtKSnfQlXB9lB89M/wZk+UV43QuaCHsB5GCFP4EZ6uY19 +2gmOQTIlJ0JiDn9SEc+YB7amEqWXKSo2ilMGCn+gwgMiYnjInIUui8FY1JC1rEkLJkFMHGExSPBx +2T062BPhQZRGur0VDRDVGhoHlTmnaeoNJ3VaFOnZxPxhlJB2x6e1qOGRze+klaYgSZtf0XvVQVzk +3WDGvSTuSQKaIHjEKsWv6ryTmz90hYMGHTjdTKC+Y7+3NIVb/sRXIlGa5Nk/uPmJaj7UIrT0NPra +k/emYiDyNWMTeos9/3tqXLSeD6MR61IsFTAjggFNwJnMmhecYHeEq0UFF6ktAZA33OQ/yBD87Hkh +xyD64J5+otW1HP6weZUIrzqywX2HOCWtKxwhiI/MgJpvskrk0dfVqmOJ3f2xxXgg8c/P3dL4KMoo +dMh7c8/Ei4g891LU0K1UNazui99KJjAC5UStGH4Ukz6Ga6BfBMIDnN+g5AlxS9DhSjkKSCtv9DUW +QKxxiHqwy2alYRPQvMdALCI1pGFDRbWWDrmaekO7d+up869KpLMoCOPGY8806yKXvpkuCeYrk4Xe +36PRhXM0OdiryUBwXK8xZcEY3D7ogYnmp4SwRM+3WibjBcAvUWxweqN9DwnGPI2WcLb+yPrbweP0 +EpntIhE0OALKHIaEse3ipofix7VAWAwgi4m8MkLQQjAwp6QbtryY3YVPGyOJe42JaTNPBaaKluoF +cJs5CAcgntgEuk7pfQirfSqzsIEwU/EarWCZmmIgI7R7kcv5UQ6ofarOnKEItl3cs5jz5FywlfZQ +udbTkopZ8a3RnDorJvDzpC9IGLsRD0U5qHodOlwLHdRpsK5+H+bK6za0HR+k+xhdjAlhHR+CjjT2 +wMfasO7I+2rDkSgAHA/cXZzKGp0ltKU8/nDEiwQGVCxvmqIcD+f2q9h3SChkKKmc3dsn98SAbIy4 +e+oAlbKYgfzYQ7bnGG2zP5ByIv1kdv79CG93laCRY7ubT+HJNKzPlDbzmZBHi0aIjKkE6DbWgkIi +gBo1TFfpGzwvnS8fWcOPM6WsB+luLXGsXxVlecagEBOe+mBEld34aQZ4z2TqHHsUtsrr1umGK3vq +o1xvM6Y8QYHtAJXsoEthcQ9HlkOlvIjWJ5Nr0yARCTwqVWvsv1auA+6OmHkWXPxD/smvzGgNGCxA +UXYEwfTIJTqlQRPkXOOqMBSjQpn9igRKC3d4JNWfmFg3H6tvEQkywtoTxwgkANoKhgJUihgqlfvD +0EEbbA5QQjEGxShL+eeFUhM5iixHvlACB5Pn8seUfs3wrJMPMFhVSFvJbZh6wJ4q9pFJHehkv4vT +lr8HUOhceWukqkfdRuw2hnr5+P2zvBBqIdMKI4rsEkClwqLW7BY3yaoOqjcK9LQ8TOC4jmBVFW8K +4130Ec/UEgAMJDx8HvAIO+m7BtJhfW1XdM5IWgRMFVfZ4+A2DUE9qN1yFSd/8pzIRBl7gCZHqOcd +D5dvTDU8NSJfHWAAOmWkEyywyHQDfEtukQOjdcwiMsnYQ397K3DMUZzbzMxM6f9vtVx5mzDqD/rs 
+oP+CA0oBQwEpARQWEI+VVhAdOjoQ7TLYrBrjA1PdQDE0XeNjQXotYmSSOzgPjN6hyZmQgPCzYAA+ +YQh5C1KpTGhIDiYDAFhgq+S9XlpsrXDoFV9D4w8Ol8qMaLiQ/tVRAB3iAUPTfR+FiI5JQF9xbCoJ +yqaBhR5GLw0YT4WIUzEQAA74XgHaPQVaqspBSwRxA4zQijLhgJtupXGQoCCgEyyKFluj+pWVg6mW +6KTkS1aXVOqFwUC1PAwRkkVvAUYj81rUoha12IAJtahFGAoWegERSkXIEKEvA5YyLJ8RN7HQk0EE +K3h1ELEqnxOlA5pkJrb3MOH2Espk+wW7PQONLMiE7R0uQBXPBIUTTh4mp+6zp4jN4SWJnPwmnCDu +8s57cZzK9NBEJm/wyBgNvfNe35lo0TM29MZEQkpCuOACXYtUBTpEihQ8oK8sj4MMqMVOooK4F4/x +Jo+ToOpxkgIafbWoHldVf/lRabu86CLjPSzLV87J8g8gy1tUj5OS0PIWK1TG9qS/CGBAAdpeARW6 +lQ31ePbF4OEaYAidd1cRZcWC3b6ietxcUWg6DhPAL0AnTnjy/s+e5ERCZKJ6XMRdJm5CE5l+Uz3u +Mzb03myqx/WCC9xIEbg5yIC+bQg8JER6gEQFkSj3QCK0D+KPCFKrIa5FLXrGhlqEORBIoRYzMKGH +QQwjOABpKloDQvqJARz3i6Vsj8DBcJOhE7MU3SMjZXnOwVy5JJ4WG+Sqz9VFTlyGK8XyFqHFEQEH +xLvDyK92/br4OLwDIqmPW7tWcIesXUNCWBIeN2ppRAEkXTvuinMFBACqx5kMbFjRooAPABbotTIg +BtGkWFwkVggZw4CCdRSIhlhHOUB9G/vpgKHvk8KALBmfZr1VNpuNcdPs0jG9Pym235NS6rhnz9tv +JyZ+llqftD6+7l3l/XjCuOut0369tent6Ve613ebM82NK5ZzRur758ftVlKffr/mnLOkz8mqJ/aq +jDrbfJQtZJYHT0bz6S6VrGMrk22eKURTJuusa5bh9yzfrDNHtS6aFlGty8g9egtgD4pE1xkGnsns +gF2nugUX6JGNCHRuUz3OM5AQ+kMCipzj9eeaRJhqdw+eFiX1up74gNnrh9ph6vbhgNmLQCS1a+4i +YvlHWD0OsoKlWiGsHidHpVSXLhYTLXatPBxCIXH8I8VpaWqjq9YV6wg0ZB5GLSgR08UhoKJTOR2w +LJhQxcepHAAwQyVLY14wNCb1fGN2odRDhjYbjc/AgmSiIAMoBtKDPhupkzH6DGsUEcO5aJqmxZSq +5FKAQQCWpV4YMVjqpcpSqpIrFStlqQQlmCq+UqwCpVdFJJI5WXrf/au8NP+kTZ3mWjPFt9u2XxtZ +1PtaWSnG2XZfp3h+fvm07f1qvTqNrIydxg/jOS3GP2WmOD+uM/9LjCu+Nkv78YQzpX6pZ/vT86WS +euS+X1o7srL8jWnjt9VvlZZ6+7Wy/9psb1btnf/1pdOn895Zsc/vxvjKG1lNa/wkzTLta2dmL812 +9pTZPzduKudXa/HENU/v27W69J7ZZvm2b2fP+N5JP+fIyuj1p57b1pmvzS1n/DKbrzf+Obt9tt/+ +nJs6ttjbccVTZo8nOqvFb2/t/4J+qBJklLQMzcgIQAAIKAACCQKEojiMozjERAhSwT0SQNBZDgQ5 +DGSIMwgBAggAEIhAAAAgAAAwciUAyBHvySPUjy7WRcR4Iwi5AlCNPZAJxXE9a4nCeNU7ilHqdDM6 +T1qV4E8hAXUt9uxBbA5c43cophVraa1iLrGYUDMVwufuNOMLuzOi92NzY0QrM+NnQcZEFwJI+D0I +gQ784p9iDs5loGm1a3d07PwcsKNqas9jDCWUxIP6RLxLFPaJeofDjiPsELvfvYJDakiMyrMRN5WP 
+4ioTbZdOYV8lSzCUd1VBrkl6oObMGu7DRaBIofClR9g2Vxd/k/TQEtWLLlyYW54hgZD24oTT6/Ur +ANLZ6lGUDubE5jHnapvSScu14Jg3wCcoePMYdDG54mj0T2dpOhk5qL+CHYsBFweghAgCMI0FbvyY +T8ozKOkw0in6oqrplaGM6Mf5yEyHlhm0RKJigiHpDI2U2mB7iN+fmhOnol4krHpEmQ== + + + M2jmo1/8YZAxAhmN3fJwcBUjq57tsRqCSpAVurSOIF65EluPj62AuVfYBz4NEktU37VwwSv4ngpz +6MTcATYNwlaMCUoXJHqDO1nMS2GEvvrTWx2GIcuvpMW0q7tmoPMP4NsPRsiGPA7+u3OB4ayrZODI +8o7EO7GqzEjUgIe15wh5R8PQeFcDWQBzeKE/D/fF8WIp8QMT/KbYAMI6lTIRbv7ic2kQZHGewfLp +q2gqykj/h5GiwDEcxagZUAxQoH1t0gQQi4KPrPaLBlKwzZUnf6RLvPqE0gc+Ope0CiByzmW3HeUK +ughKCmQrkDRlF6P8+ll8K4lmCgUXDNRTn4D8fzmfMJ4qBZE1tZTkF0kSnedAgM7ePvvhiJFN0djN +N6f8iSnRrcPEp5alAmIrFWTJXxJsrepXRP4QLSu3mmAIZE3nLrT1xPCgZtNlVNu2S61uXoIUKlhN +iKuwuNcv+qVpU9YTiL/fsKZ3VTfShNn8nHFEJPoRr3YjJMYkkxSm/TC6ZLvxm9OCa0dxTZGCcWcN +fJHnaF+l3NxmW+sZJBbHLYTh9/m4OtrXcMRoe6A1/jOSkcNmGSzxpBkN/eaDqSR1M/UlCSiAZPgW ++dwJCdDzsMBU4eBNFlEcDODjEJZU8e49XTs9G4VYLehxp9xD4RPHsN5mwqaUaq4/9Vrgpn1BCSRj +0GP3rJVKlWysNKvDAT5uJJQJHMUieYWGBE48CQhEDv9Ii12rS6VzKBJs1EBQQvrmt6OjdLk/MhDz +nX3PlV2FCBE1AVXLmZktUXqn4qAXEOOVopebec8uOSQpVqUmRIwDkDXHmPIS+Aah3RztaB5jUoLu +fVZoc9QQOTBVHe04QzuRx2Jk40hMvwnHHve0O65w8msopkvZcVuPG4AEVL7jJd22yFf+XeH2YUiA +azteHJVB0YsKYSO2eLnjPG6kado6HCABV+54yRKpU2N3O85Bnf7AWGjpAivOaGfH3QhoVer1+LYA +0Bd6xprsuKfHdcgavdvxb1ePm/njJHcc1x1IU4L08JyYeLPjI0xJyqyPHXcjVlN5VgLcoXqcICNV +oO44FVIO+aOF7LitxxXoJlSkU49/f8dnBNEZLEp/Iu94NEAfApF0tTve7gKmfOPOKTve6fGwaxy3 +44JztziN8TeLiM6MaBWBO16d4USPB2769o4LmfbrcQPBWGzHDfRb1OMq6BHpjtswNpxGft1qIdCO +K3v8yJOD0NDjNmTHvT2un/rLjtd7PHAen3XHOTWQ2+NEZ2ZSdrwlubTUT/MD7riJ6Q84TK/17h1v +LhsDOJHRFHvqjTGAICNKPc5pjKH2OKyunl34/mMMcMjo9DhPjSFjDHPI8OhxK0J2ljteOcTyDt30 +bYxhCxmSHjeRcjXGAIKMSI9zCEHFO25K2ZryMIeUFQ+FR2lHrLmb6Z0RFnUL9tWQtCrWQ7UQhEW+ +DKsVWZ8TlPeL1BKfocaQhTYoEXXu7f/5R82Fe+mPIhQhlu8+7KMFKYnBoSSwrljGTS7GhWXa7rSH +suQQSchVZbz4yjCUDMU8ObVbcRiDJYw3pHZICGaHHPBm+eZvVrrqLnmdh6oaM7QSXhkTwZx2pWl4 +pfWVXjNpqzMFr9xvRvDK55OCV2p2ZcKrg6tqpVxQoL54k9o+Xs2aiSWH4NXNrmgPr6oHJtWuyIFX 
+bDrGff4iu7JxvHqWvtiV+fHqL8aMXQE1Gelw7+4BVTLw7C6tqIRx31VRexWzE2cxlzEP8/l7Bfyt +/l+8BTQWSQCndE5VuZXBa2LphDto9JbiqPs22d/4SQ8L+zFZ3Z9+wMrUaJT0ZJIiFvgdx8df+UmI ++QeEl+B94G5eWIkwJiGcOokrAsMigWBDzGBhl9bPN8MEQHUiYJEwma7C/kOYEoSAtlQZJOVAZwGk +ysG8YVzK+TyYwYicqrI/8g0= + + + diff --git a/packages/ti_anomali/1.2.3/kibana/dashboard/ti_anomali-207f3c40-45fb-11ec-ab0c-d7f52dcaa020.json b/packages/ti_anomali/1.2.3/kibana/dashboard/ti_anomali-207f3c40-45fb-11ec-ab0c-d7f52dcaa020.json new file mode 100755 index 0000000000..fe1d2df1a2 --- /dev/null +++ b/packages/ti_anomali/1.2.3/kibana/dashboard/ti_anomali-207f3c40-45fb-11ec-ab0c-d7f52dcaa020.json 
@@ -0,0 +1,122 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about file type indicators from the Anomali integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"file\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"file\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":[\"ti_anomali.limo\",\"ti_anomali.threatstream\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"data_stream.dataset\":\"ti_anomali.limo\"}},{\"match_phrase\":{\"data_stream.dataset\":\"ti_anomali.threatstream\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[Anomali Overview](/app/dashboards#/view/ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf) \\n**[Anomali Files (This Page)](/app/dashboards#/view/ti_anomali-207f3c40-45fb-11ec-ab0c-d7f52dcaa020)** \\n[Anomali URLs](/app/dashboards#/view/ti_anomali-39699a60-45fc-11ec-ab0c-d7f52dcaa020) \\n[Anomali Other Indicators](/app/dashboards#/view/ti_anomali-78e08d20-45fc-11ec-ab0c-d7f52dcaa020)\\n\\n[Integrations Page](/app/integrations/detail/ti_anomali/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a overview about 
indicators of type **file** ingested from the Anomali integration, showing statistics and general information about all relevant indicators.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":33,\"i\":\"1bd7687a-adf0-44f3-8901-c6b12861d90d\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"1bd7687a-adf0-44f3-8901-c6b12861d90d\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-87bddc0a-425f-4285-8f79-be027a93a959\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"87bddc0a-425f-4285-8f79-be027a93a959\":{\"columnOrder\":[\"08e77c71-b1f6-4148-bf4a-bdd39f116a3e\"],\"columns\":{\"08e77c71-b1f6-4148-bf4a-bdd39f116a3e\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"anomali.threatstream.state: \\\"active\\\" \"},\"isBucketed\":false,\"label\":\"Active\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"08e77c71-b1f6-4148-bf4a-bdd39f116a3e\",\"layerId\":\"87bddc0a-425f-4285-8f79-be027a93a959\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"6d74f2e2-daf7-4179-9f87-0543253de626\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"6d74f2e2-daf7-4179-9f87-0543253de626\",\"title\":\"Active Files [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f5a3f98d-a2a1-4ec9-9c53-b77548cd50ae\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f5a3f98d-a2a1-4ec9-9c53-b77548cd50ae\":{\"columnOrder\":[\"11748ed5-b26f-46e2-ab60-02d08d54c0eb\"],\"columns\":{\"11748ed5-b26f-46e2-ab60-02d08d54c0eb\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"anomali.threatstream.state: * and not anomali.threatstream.state: \\\"active\\\"\"},\"isBucketed\":false,\"label\":\"Inactive\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"11748ed5-b26f-46e2-ab60-02d08d54c0eb\",\"layerId\":\"f5a3f98d-a2a1-4ec9-9c53-b77548cd50ae\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"e20ccd15-7449-492d-be61-a474d10cfabb\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"e20ccd15-7449-492d-be61-a474d10cfabb\",\"title\":\"Inactive Files [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b287f02e-afeb-44ac-86c3-d1e3146c9f20\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b287f02e-afeb-44ac-86c3-d1e3146c9f20\":{\"columnOrder\":[\"35782be6-2bf2-4270-a8d7-4398103dac80\"],\"columns\":{\"35782be6-2bf2-4270-a8d7-4398103dac80\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA256\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha256\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"35782be6-2bf2-4270-a8d7-4398103dac80\",\"layerId\":\"b287f02e-afeb-44ac-86c3-d1e3146c9f20\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"bc2edce5-01f9-4e47-9b52-1a1dad6958c0\",\"w\":7,\"x\":19,\"y\":0},\"panelIndex\":\"bc2edce5-01f9-4e47-9b52-1a1dad6958c0\",\"title\":\"Unique SHA256 [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-fcf982ec-ba1f-473d-b92a-691b1cdadf7b\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"fcf982ec-ba1f-473d-b92a-691b1cdadf7b\":{\"columnOrder\":[\"eae8b738-1d51-4fb9-b04f-b0cd4e35f47d\"],\"columns\":{\"eae8b738-1d51-4fb9-b04f-b0cd4e35f47d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
SHA512\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha512\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eae8b738-1d51-4fb9-b04f-b0cd4e35f47d\",\"layerId\":\"fcf982ec-ba1f-473d-b92a-691b1cdadf7b\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"07ba9d35-2423-4793-9eed-997e86d1d1ac\",\"w\":7,\"x\":26,\"y\":0},\"panelIndex\":\"07ba9d35-2423-4793-9eed-997e86d1d1ac\",\"title\":\"Unique SHA512 [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e11a6974-ae88-479e-9fca-8615b7f454da\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e11a6974-ae88-479e-9fca-8615b7f454da\":{\"columnOrder\":[\"3475c1c7-964f-44a2-a554-d7ff067446e9\"],\"columns\":{\"3475c1c7-964f-44a2-a554-d7ff067446e9\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique MD5\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.md5\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"3475c1c7-964f-44a2-a554-d7ff067446e9\",\"layerId\":\"e11a6974-ae88-479e-9fca-8615b7f454da\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c3e37351-081e-4e18-b134-2e51bae9b53a\",\"w\":7,\"x\":33,\"y\":0},\"panelIndex\":\"c3e37351-081e-4e18-b134-2e51bae9b53a\",\"title\":\"Unique MD5 [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-be91741d-d94d-404f-9549-a0b96c92d2d0\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"be91741d-d94d-404f-9549-a0b96c92d2d0\":{\"columnOrder\":[\"074c9303-a56e-4db0-bddb-461819a9504c\"],\"columns\":{\"074c9303-a56e-4db0-bddb-461819a9504c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA1\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha1\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"074c9303-a56e-4db0-bddb-461819a9504c\",\"layerId\":\"be91741d-d94d-404f-9549-a0b96c92d2d0\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"848432ac-28c9-4b18-b504-ac2cdbaa20c9\",\"w\":7,\"x\":40,\"y\":0},\"panelIndex\":\"848432ac-28c9-4b18-b504-ac2cdbaa20c9\",\"title\":\"Unique SHA1 [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-08036a92-d500-4966-98ca-feff7f9ecb36\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"08036a92-d500-4966-98ca-feff7f9ecb36\":{\"columnOrder\":[\"99f24050-c517-46ff-85b1-f3ceea4c9e15\",\"67920793-58db-49b6-aca9-273945fffbce\"],\"columns\":{\"67920793-58db-49b6-aca9-273945fffbce\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"99f24050-c517-46ff-85b1-f3ceea4c9e15\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.confidence\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"67920793-58db-49b6-aca9-273945fffbce\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.confidence\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"99f24050-c517-46ff-85b1-f3ceea4c9e15\"],\"layerId\":\"08036a92-d500-4966-98ca-feff7f9ecb36\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"67920793-58db-49b6-aca9-273945fffbce\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":25,\"i\":\"664c2738-9f69-401c-af55-42f50aabb9c5\",\"w\":16,\"x\":7,\"y\":8},\"panelIndex\":\"664c2738-9f69-401c-af55-42f50aabb9c5\",\"title\":\"Confidence Levels [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0e4aff17-8462-40ed-a84b-8de853628b96\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-014a03d0-3a35-4aad-bd2d-d8380365070b\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"014a03d0-3a35-4aad-bd2d-d8380365070b\":{\"columnOrder\":[\"5e92fb09-af89-494a-b0a1-736b4cebc269\",\"5731c84c-3f1e-410a-8638-212b04df7d78\"],\"columns\":{\"5731c84c-3f1e-410a-8638-212b04df7d78\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Last Seen\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.last_seen\"},\"5e92fb09-af89-494a-b0a1-736b4cebc269\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}},\"0e4aff17-8462-40ed-a84b-8de853628b96\":{\"columnOrder\":[\"4ff561b6-7ec6-433e-8023-572ef88eab9d\",\"2d0d9d07-5f5d-42a0-97ba-03899f504862\"],\"columns\":{\"2d0d9d07-5f5d-42a0-97ba-03899f504862\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"First 
Seen\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.first_seen\"},\"4ff561b6-7ec6-433e-8023-572ef88eab9d\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"2d0d9d07-5f5d-42a0-97ba-03899f504862\"],\"layerId\":\"0e4aff17-8462-40ed-a84b-8de853628b96\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"xAccessor\":\"4ff561b6-7ec6-433e-8023-572ef88eab9d\"},{\"accessors\":[\"5731c84c-3f1e-410a-8638-212b04df7d78\"],\"layerId\":\"014a03d0-3a35-4aad-bd2d-d8380365070b\",\"layerType\":\"data\",\"seriesType\":\"line\",\"xAccessor\":\"5e92fb09-af89-494a-b0a1-736b4cebc269\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":25,\"i\":\"c9a937ea-517a-40b0-aba5-75d2611ae760\",\"w\":24,\"x\":23,\"y\":8},\"panelIndex\":\"c9a937ea-517a-40b0-aba5-75d2611ae760\",\"title\":\"Indicators First and Last Seen [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs Anomali] Files", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_anomali-207f3c40-45fb-11ec-ab0c-d7f52dcaa020", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6d74f2e2-daf7-4179-9f87-0543253de626:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6d74f2e2-daf7-4179-9f87-0543253de626:indexpattern-datasource-layer-87bddc0a-425f-4285-8f79-be027a93a959", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e20ccd15-7449-492d-be61-a474d10cfabb:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e20ccd15-7449-492d-be61-a474d10cfabb:indexpattern-datasource-layer-f5a3f98d-a2a1-4ec9-9c53-b77548cd50ae", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bc2edce5-01f9-4e47-9b52-1a1dad6958c0:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bc2edce5-01f9-4e47-9b52-1a1dad6958c0:indexpattern-datasource-layer-b287f02e-afeb-44ac-86c3-d1e3146c9f20", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "07ba9d35-2423-4793-9eed-997e86d1d1ac:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "07ba9d35-2423-4793-9eed-997e86d1d1ac:indexpattern-datasource-layer-fcf982ec-ba1f-473d-b92a-691b1cdadf7b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c3e37351-081e-4e18-b134-2e51bae9b53a:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c3e37351-081e-4e18-b134-2e51bae9b53a:indexpattern-datasource-layer-e11a6974-ae88-479e-9fca-8615b7f454da", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "848432ac-28c9-4b18-b504-ac2cdbaa20c9:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "848432ac-28c9-4b18-b504-ac2cdbaa20c9:indexpattern-datasource-layer-be91741d-d94d-404f-9549-a0b96c92d2d0", + "type": "index-pattern" + 
}, + {
+ "id": "logs-*",
+ "name": "664c2738-9f69-401c-af55-42f50aabb9c5:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "664c2738-9f69-401c-af55-42f50aabb9c5:indexpattern-datasource-layer-08036a92-d500-4966-98ca-feff7f9ecb36",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c9a937ea-517a-40b0-aba5-75d2611ae760:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c9a937ea-517a-40b0-aba5-75d2611ae760:indexpattern-datasource-layer-0e4aff17-8462-40ed-a84b-8de853628b96",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c9a937ea-517a-40b0-aba5-75d2611ae760:indexpattern-datasource-layer-014a03d0-3a35-4aad-bd2d-d8380365070b",
+ "type": "index-pattern"
+ },
+ {
+ "id": "ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf",
+ "name": "tag-ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf",
+ "type": "tag"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/ti_anomali/1.2.3/kibana/dashboard/ti_anomali-39699a60-45fc-11ec-ab0c-d7f52dcaa020.json b/packages/ti_anomali/1.2.3/kibana/dashboard/ti_anomali-39699a60-45fc-11ec-ab0c-d7f52dcaa020.json
new file mode 100755
index 0000000000..b16bc08354
--- /dev/null
+++ b/packages/ti_anomali/1.2.3/kibana/dashboard/ti_anomali-39699a60-45fc-11ec-ab0c-d7f52dcaa020.json
@@ -0,0 +1,107 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about URL type indicators from the Anomali integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":[\"ti_anomali.limo\",\"ti_anomali.threatstream\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"data_stream.dataset\":\"ti_anomali.limo\"}},{\"match_phrase\":{\"data_stream.dataset\":\"ti_anomali.threatstream\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"url\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"url\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[Anomali Overview](/app/dashboards#/view/ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf) \\n[Anomali Files](/app/dashboards#/view/ti_anomali-207f3c40-45fb-11ec-ab0c-d7f52dcaa020) \\n**[Anomali URLs (This Page)](/app/dashboards#/view/ti_anomali-39699a60-45fc-11ec-ab0c-d7f52dcaa020)** \\n[Anomali Other Indicators](/app/dashboards#/view/ti_anomali-78e08d20-45fc-11ec-ab0c-d7f52dcaa020)\\n\\n[Integrations Page](/app/integrations/detail/ti_anomali/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a overview about 
indicators of type **URL** ingested from the Anomali integration, showing statistics and general information about all relevant indicators.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":37,\"i\":\"b7e43e7b-9f77-4c99-a68c-a2e0588a1746\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"b7e43e7b-9f77-4c99-a68c-a2e0588a1746\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c5d7e866-9673-4d61-8420-73f253f3708b\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c5d7e866-9673-4d61-8420-73f253f3708b\":{\"columnOrder\":[\"e4aa603a-7867-4b27-b806-99152d2fef81\"],\"columns\":{\"e4aa603a-7867-4b27-b806-99152d2fef81\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"e4aa603a-7867-4b27-b806-99152d2fef81\",\"layerId\":\"c5d7e866-9673-4d61-8420-73f253f3708b\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"88ee89f5-502e-44aa-93ef-fc1af8684fe0\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"88ee89f5-502e-44aa-93ef-fc1af8684fe0\",\"title\":\"Unique Domains [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-cc619527-1f00-4919-a5a3-512d90ac0452\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"cc619527-1f00-4919-a5a3-512d90ac0452\":{\"columnOrder\":[\"fc976f3c-3e2c-4ac7-aed6-99b26b995153\"],\"columns\":{\"fc976f3c-3e2c-4ac7-aed6-99b26b995153\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"anomali.threatstream.state: \\\"active\\\" \"},\"isBucketed\":false,\"label\":\"URL's Active\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"fc976f3c-3e2c-4ac7-aed6-99b26b995153\",\"layerId\":\"cc619527-1f00-4919-a5a3-512d90ac0452\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"e928abaa-186a-4917-bc20-a749527acb18\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"e928abaa-186a-4917-bc20-a749527acb18\",\"title\":\"URLs Active [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a37deb72-83d2-485b-8b8c-a3351feba020\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a37deb72-83d2-485b-8b8c-a3351feba020\":{\"columnOrder\":[\"02535cee-7d24-463b-963b-90c38a8269d8\"],\"columns\":{\"02535cee-7d24-463b-963b-90c38a8269d8\":{\"customLabel\":true,\"dataType\":\"number\",\"filter\":{\"language\":\"kuery\",\"query\":\"anomali.threatstream.state: * and not anomali.threatstream.state: \\\"active\\\" \"},\"isBucketed\":false,\"label\":\"URL's Inactive\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"02535cee-7d24-463b-963b-90c38a8269d8\",\"layerId\":\"a37deb72-83d2-485b-8b8c-a3351feba020\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"a8d31131-9e82-46c9-99e4-c9f9c050ee9c\",\"w\":6,\"x\":19,\"y\":0},\"panelIndex\":\"a8d31131-9e82-46c9-99e4-c9f9c050ee9c\",\"title\":\"URLs Inactive [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-66fe853f-f5ce-4b8d-a8f9-74045fb8ca6e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"66fe853f-f5ce-4b8d-a8f9-74045fb8ca6e\":{\"columnOrder\":[\"afa8759e-3b03-4c1a-9411-b4c4fe3fb423\"],\"columns\":{\"afa8759e-3b03-4c1a-9411-b4c4fe3fb423\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Providers\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.provider\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"afa8759e-3b03-4c1a-9411-b4c4fe3fb423\",\"layerId\":\"66fe853f-f5ce-4b8d-a8f9-74045fb8ca6e\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"49b4bbf6-4445-495e-aa36-35ff50877eae\",\"w\":6,\"x\":25,\"y\":0},\"panelIndex\":\"49b4bbf6-4445-495e-aa36-35ff50877eae\",\"title\":\"Provider Count [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f119e9a6-4546-4496-8a01-4476e87cf3bc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f119e9a6-4546-4496-8a01-4476e87cf3bc\":{\"columnOrder\":[\"eb218bc5-0828-4ca9-90c8-05de914ecec6\",\"066e1f1c-655e-495e-8cf2-37bf61f81fba\"],\"columns\":{\"066e1f1c-655e-495e-8cf2-37bf61f81fba\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"eb218bc5-0828-4ca9-90c8-05de914ecec6\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.geo.country_iso_code\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"066e1f1c-655e-495e-8cf2-37bf61f81fba\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.geo.country_iso_code\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"eb218bc5-0828-4ca9-90c8-05de914ecec6\"],\"layerId\":\"f119e9a6-4546-4496-8a01-4476e87cf3bc\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"066e1f1c-655e-495e-8cf2-37bf61f81fba\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":23,\"i\":\"ba4f9967-a4e1-4f85-9fea-0a383cc9ac4f\",\"w\":17,\"x\":31,\"y\":0},\"panelIndex\":\"ba4f9967-a4e1-4f85-9fea-0a383cc9ac4f\",\"title\":\"Top Countries [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a3c97e09-a95d-4baa-8552-2b0c252d995c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a3c97e09-a95d-4baa-8552-2b0c252d995c\":{\"columnOrder\":[\"cfb90886-11d3-471e-97be-01378e9d5105\",\"2486505b-3319-4955-9bd6-d035d9631f7d\"],\"columns\":{\"2486505b-3319-4955-9bd6-d035d9631f7d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"cfb90886-11d3-471e-97be-01378e9d5105\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"2486505b-3319-4955-9bd6-d035d9631f7d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":20},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"cfb90886-11d3-471e-97be-01378e9d5105\",\"isTransposed\":false},{\"columnId\":\"2486505b-3319-4955-9bd6-d035d9631f7d\",\"isTransposed\":false}],\"layerId\":\"a3c97e09-a95d-4baa-8552-2b0c252d995c\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":29,\"i\":\"a3f75519-9e37-4548-b60c-e340d1c5f8f7\",\"w\":24,\"x\":7,\"y\":8},\"panelIndex\":\"a3f75519-9e37-4548-b60c-e340d1c5f8f7\",\"title\":\"Most Popular Domains [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-4bfa54f0-5fae-41ff-a5e6-d10e2f9ed564\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"4bfa54f0-5fae-41ff-a5e6-d10e2f9ed564\":{\"columnOrder\":[\"518ee324-e4ed-4eb7-b4fb-0e964204bfc0\",\"a527fe96-066a-448e-91c8-348993d78b91\"],\"columns\":{\"518ee324-e4ed-4eb7-b4fb-0e964204bfc0\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.url.scheme\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a527fe96-066a-448e-91c8-348993d78b91\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.scheme\"},\"a527fe96-066a-448e-91c8-348993d78b91\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"518ee324-e4ed-4eb7-b4fb-0e964204bfc0\"],\"layerId\":\"4bfa54f0-5fae-41ff-a5e6-d10e2f9ed564\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"a527fe96-066a-448e-91c8-348993d78b91\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":14,\"i\":\"92c66617-cd3f-4a06-8534-52fe3c968559\",\"w\":17,\"x\":31,\"y\":23},\"panelIndex\":\"92c66617-cd3f-4a06-8534-52fe3c968559\",\"title\":\"URL Schemes [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + 
"timeRestore": false, + "title": "[Logs Anomali] URL", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_anomali-39699a60-45fc-11ec-ab0c-d7f52dcaa020", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "88ee89f5-502e-44aa-93ef-fc1af8684fe0:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "88ee89f5-502e-44aa-93ef-fc1af8684fe0:indexpattern-datasource-layer-c5d7e866-9673-4d61-8420-73f253f3708b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e928abaa-186a-4917-bc20-a749527acb18:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e928abaa-186a-4917-bc20-a749527acb18:indexpattern-datasource-layer-cc619527-1f00-4919-a5a3-512d90ac0452", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a8d31131-9e82-46c9-99e4-c9f9c050ee9c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a8d31131-9e82-46c9-99e4-c9f9c050ee9c:indexpattern-datasource-layer-a37deb72-83d2-485b-8b8c-a3351feba020", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "49b4bbf6-4445-495e-aa36-35ff50877eae:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "49b4bbf6-4445-495e-aa36-35ff50877eae:indexpattern-datasource-layer-66fe853f-f5ce-4b8d-a8f9-74045fb8ca6e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ba4f9967-a4e1-4f85-9fea-0a383cc9ac4f:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"ba4f9967-a4e1-4f85-9fea-0a383cc9ac4f:indexpattern-datasource-layer-f119e9a6-4546-4496-8a01-4476e87cf3bc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a3f75519-9e37-4548-b60c-e340d1c5f8f7:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a3f75519-9e37-4548-b60c-e340d1c5f8f7:indexpattern-datasource-layer-a3c97e09-a95d-4baa-8552-2b0c252d995c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "92c66617-cd3f-4a06-8534-52fe3c968559:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "92c66617-cd3f-4a06-8534-52fe3c968559:indexpattern-datasource-layer-4bfa54f0-5fae-41ff-a5e6-d10e2f9ed564", + "type": "index-pattern" + }, + { + "id": "ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf", + "name": "tag-ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ti_anomali/1.2.3/kibana/dashboard/ti_anomali-78e08d20-45fc-11ec-ab0c-d7f52dcaa020.json b/packages/ti_anomali/1.2.3/kibana/dashboard/ti_anomali-78e08d20-45fc-11ec-ab0c-d7f52dcaa020.json new file mode 100755 index 0000000000..660c2e9511 --- /dev/null +++ b/packages/ti_anomali/1.2.3/kibana/dashboard/ti_anomali-78e08d20-45fc-11ec-ab0c-d7f52dcaa020.json 
@@ -0,0 +1,107 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about other types of indicators from the Anomali integration like email and IP", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":[\"ti_anomali.limo\",\"ti_anomali.threatstream\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"data_stream.dataset\":\"ti_anomali.limo\"}},{\"match_phrase\":{\"data_stream.dataset\":\"ti_anomali.threatstream\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":true,\"params\":[\"url\",\"file\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"threat.indicator.type\":\"url\"}},{\"match_phrase\":{\"threat.indicator.type\":\"file\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[Anomali Overview](/app/dashboards#/view/ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf) \\n[Anomali Files](/app/dashboards#/view/ti_anomali-207f3c40-45fb-11ec-ab0c-d7f52dcaa020) \\n[Anomali URLs](/app/dashboards#/view/ti_anomali-39699a60-45fc-11ec-ab0c-d7f52dcaa020) \\n**[Anomali Other Indicators (This 
Page)](/app/dashboards#/view/ti_anomali-78e08d20-45fc-11ec-ab0c-d7f52dcaa020)**\\n\\n[Integrations Page](/app/integrations/detail/ti_anomali/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a overview about all other indicators except file and URL ingested from the Anomali integration, showing statistics and general information about all relevant indicators. This includes email, IP and domain type indicators.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":43,\"i\":\"7c3b21d7-cfe8-41c2-89c8-bdb5a78fe47a\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"7c3b21d7-cfe8-41c2-89c8-bdb5a78fe47a\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-dfdae375-629d-49ad-b37a-66d77c3f38b7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"dfdae375-629d-49ad-b37a-66d77c3f38b7\":{\"columnOrder\":[\"a160b4d5-ef36-4886-844b-159030642324\"],\"columns\":{\"a160b4d5-ef36-4886-844b-159030642324\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique IP's\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"a160b4d5-ef36-4886-844b-159030642324\",\"layerId\":\"dfdae375-629d-49ad-b37a-66d77c3f38b7\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"4cd050c7-caea-4c60-a581-955f0f5f9c49\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"4cd050c7-caea-4c60-a581-955f0f5f9c49\",\"title\":\"Unique IPs [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ae2be882-73dd-463a-9a1d-1660c611d292\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ae2be882-73dd-463a-9a1d-1660c611d292\":{\"columnOrder\":[\"5773f11c-f2d6-4467-81c2-1be0325c7ace\"],\"columns\":{\"5773f11c-f2d6-4467-81c2-1be0325c7ace\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Emails\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.email.address\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"5773f11c-f2d6-4467-81c2-1be0325c7ace\",\"layerId\":\"ae2be882-73dd-463a-9a1d-1660c611d292\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"f3d04a3a-0bfa-4460-af54-08fea317756c\",\"w\":7,\"x\":13,\"y\":0},\"panelIndex\":\"f3d04a3a-0bfa-4460-af54-08fea317756c\",\"title\":\"Unique Emails [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-7e5894b7-2ce6-439b-81b7-18cd6acdc0dd\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7e5894b7-2ce6-439b-81b7-18cd6acdc0dd\":{\"columnOrder\":[\"a2682d1f-8a12-4033-8444-185f7bce5d97\"],\"columns\":{\"a2682d1f-8a12-4033-8444-185f7bce5d97\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"a2682d1f-8a12-4033-8444-185f7bce5d97\",\"layerId\":\"7e5894b7-2ce6-439b-81b7-18cd6acdc0dd\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"054ec96d-8e77-425c-9d79-adbfd3f7e28b\",\"w\":7,\"x\":20,\"y\":0},\"panelIndex\":\"054ec96d-8e77-425c-9d79-adbfd3f7e28b\",\"title\":\"Unique Domains [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-f5c8665b-d765-481a-8006-206fa0718a58\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f5c8665b-d765-481a-8006-206fa0718a58\":{\"columnOrder\":[\"2ef98406-f729-4988-b927-615a2071b945\",\"f3d622d5-c221-49b4-bf80-33543307c23d\"],\"columns\":{\"2ef98406-f729-4988-b927-615a2071b945\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.marking.tlp\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"f3d622d5-c221-49b4-bf80-33543307c23d\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.marking.tlp\"},\"f3d622d5-c221-49b4-bf80-33543307c23d\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"TLP 
Tags\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"2ef98406-f729-4988-b927-615a2071b945\"],\"layerId\":\"f5c8665b-d765-481a-8006-206fa0718a58\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"f3d622d5-c221-49b4-bf80-33543307c23d\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":28,\"i\":\"ef8f1c25-a119-45e8-84d1-0968bb60a9b6\",\"w\":21,\"x\":27,\"y\":0},\"panelIndex\":\"ef8f1c25-a119-45e8-84d1-0968bb60a9b6\",\"title\":\"TLP Categorization [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-df7a4f5f-e882-4b90-adca-edf9d34f5acb\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"df7a4f5f-e882-4b90-adca-edf9d34f5acb\":{\"columnOrder\":[\"b69cdc62-7d44-4073-a64b-b09d6da41622\",\"e7cb9c4f-3353-4580-928d-5a4797fd21d6\"],\"columns\":{\"b69cdc62-7d44-4073-a64b-b09d6da41622\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e7cb9c4f-3353-4580-928d-5a4797fd21d6\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":15},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"},\"e7cb9c4f-3353-4580-928d-5a4797fd21d6\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceF
ield\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"b69cdc62-7d44-4073-a64b-b09d6da41622\",\"isTransposed\":false},{\"columnId\":\"e7cb9c4f-3353-4580-928d-5a4797fd21d6\",\"isTransposed\":false}],\"layerId\":\"df7a4f5f-e882-4b90-adca-edf9d34f5acb\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":21,\"i\":\"80ea5d9f-04de-4c10-a120-32318c3088c1\",\"w\":20,\"x\":7,\"y\":7},\"panelIndex\":\"80ea5d9f-04de-4c10-a120-32318c3088c1\",\"title\":\"Most Popular Domains [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3209cf18-1f83-44fd-aff3-336fb07d35b1\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3209cf18-1f83-44fd-aff3-336fb07d35b1\":{\"columnOrder\":[\"a90ded97-4816-4a10-a653-51bad5dee996\",\"26f57b1d-7680-4439-9a32-ee0c5c441c37\"],\"columns\":{\"26f57b1d-7680-4439-9a32-ee0c5c441c37\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"a90ded97-4816-4a10-a653-51bad5dee996\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"IP 
Addresses\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"26f57b1d-7680-4439-9a32-ee0c5c441c37\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"a90ded97-4816-4a10-a653-51bad5dee996\",\"isTransposed\":false},{\"columnId\":\"26f57b1d-7680-4439-9a32-ee0c5c441c37\",\"isTransposed\":false}],\"layerId\":\"3209cf18-1f83-44fd-aff3-336fb07d35b1\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"d6840366-ab4f-4029-8e25-c887353b566f\",\"w\":20,\"x\":7,\"y\":28},\"panelIndex\":\"d6840366-ab4f-4029-8e25-c887353b566f\",\"title\":\"Most Popular IPs [Logs Anomali\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-75accf45-7e81-45d7-b901-f488f7634041\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"75accf45-7e81-45d7-b901-f488f7634041\":{\"columnOrder\":[\"bfb109eb-e0f5-4fda-b3eb-5cc691ecce18\",\"abff64f2-5712-4582-aaf8-79f1b9d9d421\"],\"columns\":{\"abff64f2-5712-4582-aaf8-79f1b9d9d421\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"bfb109eb-e0f5-4fda-b3eb-5cc691ecce18\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Email 
Addresses\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"abff64f2-5712-4582-aaf8-79f1b9d9d421\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.email.address\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"bfb109eb-e0f5-4fda-b3eb-5cc691ecce18\",\"isTransposed\":false},{\"columnId\":\"abff64f2-5712-4582-aaf8-79f1b9d9d421\",\"isTransposed\":false}],\"layerId\":\"75accf45-7e81-45d7-b901-f488f7634041\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"6811183d-2ca1-4f18-8dc7-225ff757f9bf\",\"w\":21,\"x\":27,\"y\":28},\"panelIndex\":\"6811183d-2ca1-4f18-8dc7-225ff757f9bf\",\"title\":\"Unique Email Addresses [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs Anomali] Other Indicators", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_anomali-78e08d20-45fc-11ec-ab0c-d7f52dcaa020", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "metrics-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4cd050c7-caea-4c60-a581-955f0f5f9c49:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4cd050c7-caea-4c60-a581-955f0f5f9c49:indexpattern-datasource-layer-dfdae375-629d-49ad-b37a-66d77c3f38b7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f3d04a3a-0bfa-4460-af54-08fea317756c:indexpattern-datasource-current-indexpattern", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "f3d04a3a-0bfa-4460-af54-08fea317756c:indexpattern-datasource-layer-ae2be882-73dd-463a-9a1d-1660c611d292", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "054ec96d-8e77-425c-9d79-adbfd3f7e28b:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "054ec96d-8e77-425c-9d79-adbfd3f7e28b:indexpattern-datasource-layer-7e5894b7-2ce6-439b-81b7-18cd6acdc0dd", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ef8f1c25-a119-45e8-84d1-0968bb60a9b6:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ef8f1c25-a119-45e8-84d1-0968bb60a9b6:indexpattern-datasource-layer-f5c8665b-d765-481a-8006-206fa0718a58", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "80ea5d9f-04de-4c10-a120-32318c3088c1:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "80ea5d9f-04de-4c10-a120-32318c3088c1:indexpattern-datasource-layer-df7a4f5f-e882-4b90-adca-edf9d34f5acb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d6840366-ab4f-4029-8e25-c887353b566f:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d6840366-ab4f-4029-8e25-c887353b566f:indexpattern-datasource-layer-3209cf18-1f83-44fd-aff3-336fb07d35b1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6811183d-2ca1-4f18-8dc7-225ff757f9bf:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6811183d-2ca1-4f18-8dc7-225ff757f9bf:indexpattern-datasource-layer-75accf45-7e81-45d7-b901-f488f7634041", + "type": "index-pattern" + }, + { + "id": "ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf", + "name": "tag-ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file 
diff --git a/packages/ti_anomali/1.2.3/kibana/dashboard/ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf.json b/packages/ti_anomali/1.2.3/kibana/dashboard/ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf.json
new file mode 100755
index 0000000000..71442c0ccd
--- /dev/null
+++ b/packages/ti_anomali/1.2.3/kibana/dashboard/ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf.json
@@ -0,0 +1,102 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about indicators ingested from the Anomali integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":[\"ti_anomali.limo\",\"ti_anomali.threatstream\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"data_stream.dataset\":\"ti_anomali.limo\"}},{\"match_phrase\":{\"data_stream.dataset\":\"ti_anomali.threatstream\"}}]}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n**[Anomali Overview (This Page)](/app/dashboards#/view/ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf)** \\n[Anomali Files](/app/dashboards#/view/ti_anomali-207f3c40-45fb-11ec-ab0c-d7f52dcaa020) \\n[Anomali URLs](/app/dashboards#/view/ti_anomali-39699a60-45fc-11ec-ab0c-d7f52dcaa020) \\n[Anomali Other Indicators](/app/dashboards#/view/ti_anomali-78e08d20-45fc-11ec-ab0c-d7f52dcaa020)\\n\\n[Integrations Page](/app/integrations/detail/ti_anomali/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a health overview related to the 
Anomali integration.\\n\\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from Anomali. \\n\\nIt shows how many parts has been enabled (Limo and ThreatStream), the ingestion rates and provides a few filters for drilling down to specific indicator types retrieved from Anomali.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":38,\"i\":\"12dc83c2-c8cf-4583-88b5-48761c63a1f7\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"12dc83c2-c8cf-4583-88b5-48761c63a1f7\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"event.dataset\",\"id\":\"1636972155400\",\"indexPatternRefName\":\"control_d0d28809-695c-4190-9b91-b62c60dff1fe_0_index_pattern\",\"label\":\"Feed Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.provider\",\"id\":\"1636972320770\",\"indexPatternRefName\":\"control_d0d28809-695c-4190-9b91-b62c60dff1fe_1_index_pattern\",\"label\":\"Indicator Provider\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.type\",\"id\":\"1636972345166\",\"indexPatternRefName\":\"control_d0d28809-695c-4190-9b91-b62c60dff1fe_2_index_pattern\",\"label\":\"Indicator 
Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":true},\"title\":\"\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":7,\"i\":\"d0d28809-695c-4190-9b91-b62c60dff1fe\",\"w\":41,\"x\":7,\"y\":0},\"panelIndex\":\"d0d28809-695c-4190-9b91-b62c60dff1fe\",\"title\":\"Feed and Indicator Selector [Logs Anomali]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c28e58ec-5377-460f-9d19-81c5b0655d84\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c28e58ec-5377-460f-9d19-81c5b0655d84\":{\"columnOrder\":[\"747a0b3c-a82b-4c1f-823e-3337619e6117\"],\"columns\":{\"747a0b3c-a82b-4c1f-823e-3337619e6117\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Datastreams\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"747a0b3c-a82b-4c1f-823e-3337619e6117\",\"layerId\":\"c28e58ec-5377-460f-9d19-81c5b0655d84\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"444bedab-0363-4e0c-81e3-d8e370ae3aec\",\"w\":6,\"x\":7,\"y\":7},\"panelIndex\":\"444bedab-0363-4e0c-81e3-d8e370ae3aec\",\"title\":\"Total Datastreams [Logs 
Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-78c9288e-227b-4cff-979b-d89a75ece8e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"78c9288e-227b-4cff-979b-d89a75ece8e7\":{\"columnOrder\":[\"ec9f1c6f-2142-4695-af89-30d613260474\",\"a8876e88-a694-49b6-8117-6a949ecc994a\"],\"columns\":{\"a8876e88-a694-49b6-8117-6a949ecc994a\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"ec9f1c6f-2142-4695-af89-30d613260474\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a8876e88-a694-49b6-8117-6a949ecc994a\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.provider\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"a8876e88-a694-49b6-8117-6a949ecc994a\"],\"layerId\":\"78c9288e-227b-4cff-979b-d89a75ece8e7\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"ec9f1c6f-2142-4695-af89-30d613260474\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"showSingleSeries\":true},\"preferredSeriesType\":\"bar_horizontal\",\"title\":\"Empty XY 
chart\",\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"5809310f-2beb-446c-8b5d-c84f44c041b3\",\"w\":23,\"x\":13,\"y\":7},\"panelIndex\":\"5809310f-2beb-446c-8b5d-c84f44c041b3\",\"title\":\"Total Indicators per Provider [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-7fdc4f94-7863-4914-b99d-982d353a54ba\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7fdc4f94-7863-4914-b99d-982d353a54ba\":{\"columnOrder\":[\"da5b8cdd-28c7-47ac-a991-4b995d7a62ec\",\"0116942e-4077-43f5-9dc8-297c469d18d3\"],\"columns\":{\"0116942e-4077-43f5-9dc8-297c469d18d3\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"da5b8cdd-28c7-47ac-a991-4b995d7a62ec\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
event.dataset\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0116942e-4077-43f5-9dc8-297c469d18d3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"da5b8cdd-28c7-47ac-a991-4b995d7a62ec\"],\"layerId\":\"7fdc4f94-7863-4914-b99d-982d353a54ba\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"0116942e-4077-43f5-9dc8-297c469d18d3\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"2c98de99-50a0-4a21-86f5-005f80dab887\",\"w\":12,\"x\":36,\"y\":7},\"panelIndex\":\"2c98de99-50a0-4a21-86f5-005f80dab887\",\"title\":\"Total Indicators per Datastream [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a531c764-6567-4a71-8bf7-c30e0f146526\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a531c764-6567-4a71-8bf7-c30e0f146526\":{\"columnOrder\":[\"85c9e822-60d0-4aa5-b811-79b0c58aa6b6\"],\"columns\":{\"85c9e822-60d0-4aa5-b811-79b0c58aa6b6\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
Indicators\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"85c9e822-60d0-4aa5-b811-79b0c58aa6b6\",\"layerId\":\"a531c764-6567-4a71-8bf7-c30e0f146526\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"4bf9c1a3-dd8e-4640-9a8e-8641d62a4c89\",\"w\":6,\"x\":7,\"y\":15},\"panelIndex\":\"4bf9c1a3-dd8e-4640-9a8e-8641d62a4c89\",\"title\":\"Total Indicators [Logs Anomali]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8304fb06-3af2-4279-9b88-b3f18324c042\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8304fb06-3af2-4279-9b88-b3f18324c042\":{\"columnOrder\":[\"645fb806-bad6-4c07-b65c-1e5eb559cc06\",\"b9f443d8-7811-4d09-9339-135a3a850ca3\",\"eab09cd9-8af1-43a9-bed1-7c88ea536fe1\"],\"columns\":{\"645fb806-bad6-4c07-b65c-1e5eb559cc06\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.dataset\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"eab09cd9-8af1-43a9-bed1-7c88ea536fe1\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"},\"b9f443d8-7811-4d09-9339-135a3a850ca3\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"eab09cd9-8af1-43a9-bed1-7c88ea536fe1\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"eab09cd9-8af1-43a9-bed1-7c88ea536fe1\"],\"layerId\":\"8304fb06-3af2-4279-9b88-b3f18324c042\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"645fb806-bad6-4c07-b65c-1e5eb559cc06\",\"xAccessor\":\"b9f443d8-7811-4d09-9339-135a3a850ca3\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"line\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"aea6ddeb-b045-4372-bfe4-5eb52cd394db\",\"w\":41,\"x\":7,\"y\":23},\"panelIndex\":\"aea6ddeb-b045-4372-bfe4-5eb52cd394db\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs Anomali] Overview", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_anomali-96fe1e60-4261-11ec-b7be-d3026acdf1cf", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d0d28809-695c-4190-9b91-b62c60dff1fe:control_d0d28809-695c-4190-9b91-b62c60dff1fe_0_index_pattern", + "type": "index-pattern" + }, + { + 
"id": "logs-*", + "name": "d0d28809-695c-4190-9b91-b62c60dff1fe:control_d0d28809-695c-4190-9b91-b62c60dff1fe_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d0d28809-695c-4190-9b91-b62c60dff1fe:control_d0d28809-695c-4190-9b91-b62c60dff1fe_2_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "444bedab-0363-4e0c-81e3-d8e370ae3aec:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "444bedab-0363-4e0c-81e3-d8e370ae3aec:indexpattern-datasource-layer-c28e58ec-5377-460f-9d19-81c5b0655d84", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5809310f-2beb-446c-8b5d-c84f44c041b3:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5809310f-2beb-446c-8b5d-c84f44c041b3:indexpattern-datasource-layer-78c9288e-227b-4cff-979b-d89a75ece8e7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2c98de99-50a0-4a21-86f5-005f80dab887:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2c98de99-50a0-4a21-86f5-005f80dab887:indexpattern-datasource-layer-7fdc4f94-7863-4914-b99d-982d353a54ba", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4bf9c1a3-dd8e-4640-9a8e-8641d62a4c89:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4bf9c1a3-dd8e-4640-9a8e-8641d62a4c89:indexpattern-datasource-layer-a531c764-6567-4a71-8bf7-c30e0f146526", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aea6ddeb-b045-4372-bfe4-5eb52cd394db:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aea6ddeb-b045-4372-bfe4-5eb52cd394db:indexpattern-datasource-layer-8304fb06-3af2-4279-9b88-b3f18324c042", + "type": "index-pattern" + }, + { + "id": "ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf", + "name": 
"tag-ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ti_anomali/1.2.3/kibana/tag/ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf.json b/packages/ti_anomali/1.2.3/kibana/tag/ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf.json new file mode 100755 index 0000000000..89444d8b1a --- /dev/null +++ b/packages/ti_anomali/1.2.3/kibana/tag/ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf.json @@ -0,0 +1,14 @@ +{ + "attributes": { + "color": "#6092C0", + "description": "", + "name": "Anomali" + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_anomali-94419670-4261-11ec-b7be-d3026acdf1cf", + "migrationVersion": { + "tag": "8.0.0" + }, + "references": [], + "type": "tag" +} \ No newline at end of file diff --git a/packages/ti_anomali/1.2.3/kibana/tag/ti_anomali-ti_abusech-320c5c80-3b0c-11ec-ae50-2fdf1e96c6a6.json b/packages/ti_anomali/1.2.3/kibana/tag/ti_anomali-ti_abusech-320c5c80-3b0c-11ec-ae50-2fdf1e96c6a6.json new file mode 100755 index 0000000000..ef4b8a7fd0 --- /dev/null +++ b/packages/ti_anomali/1.2.3/kibana/tag/ti_anomali-ti_abusech-320c5c80-3b0c-11ec-ae50-2fdf1e96c6a6.json @@ -0,0 +1,14 @@ +{ + "attributes": { + "color": "#6092C0", + "description": "", + "name": "Threat Intelligence" + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_anomali-ti_abusech-320c5c80-3b0c-11ec-ae50-2fdf1e96c6a6", + "migrationVersion": { + "tag": "8.0.0" + }, + "references": [], + "type": "tag" +} \ No newline at end of file diff --git a/packages/ti_anomali/1.2.3/manifest.yml b/packages/ti_anomali/1.2.3/manifest.yml new file mode 100755 index 0000000000..8c637677b8 --- /dev/null +++ b/packages/ti_anomali/1.2.3/manifest.yml 
@@ -0,0 +1,29 @@ +name: ti_anomali +title: Anomali +version: 1.2.3 +release: ga +description: Collect threat intelligence from Anomali APIs with Elastic Agent. +type: integration +format_version: 1.0.0 +license: basic +categories: [security] +conditions: + kibana.version: ^8.0.0 +icons: + - src: /img/anomali.svg + title: Anomali + size: 216x216 + type: image/svg+xml +policy_templates: + - name: ti_anomali + title: Anomali + description: Collect threat intelligence from the Anomali Limo API and Anomali Threatstream. + inputs: + - type: httpjson + title: "Collect threat intelligence from the Anomali Limo API." + description: "Collect threat intelligence from the Anomali Limo API." + - type: http_endpoint + title: "Collect incoming threat intelligence from Anomali Threatstream." + description: "Collect incoming threat intelligence from Anomali Threatstream." +owner: + github: elastic/security-external-integrations diff --git a/packages/ti_cybersixgill/1.3.2/changelog.yml b/packages/ti_cybersixgill/1.3.2/changelog.yml new file mode 100755 index 0000000000..29eda752ee --- /dev/null +++ b/packages/ti_cybersixgill/1.3.2/changelog.yml 
@@ -0,0 +1,31 @@ +# newer versions go on top +- version: "1.3.2" + changes: + - description: Adding field mapping for event.created + type: enhancement + link: https://github.com/elastic/integrations/pull/3042 +- version: "1.3.1" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "1.3.0" + changes: + - description: Moving integration to use the TAXII service rather than python scripts + type: enhancement + link: https://github.com/elastic/integrations/pull/2771 +- version: "1.2.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2447 +- version: "1.1.0" + changes: + - description: Adds dashboards, new logo and new threat ECS fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2332 +- version: "1.0.0" + changes: + - description: initial implementation + type: enhancement + link: https://github.com/elastic/integrations/pull/1762 diff --git a/packages/ti_cybersixgill/1.3.2/data_stream/threat/agent/stream/httpjson.yml.hbs b/packages/ti_cybersixgill/1.3.2/data_stream/threat/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..b1c69c9385 --- /dev/null +++ b/packages/ti_cybersixgill/1.3.2/data_stream/threat/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,62 @@ +config_version: "2" +interval: {{interval}} +request.method: "GET" + +auth.basic.user: {{username}} +auth.basic.password: {{password}} + +{{#if url}} +request.url: {{url}} +{{/if}} +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} +{{#if proxy_url}} +request.proxy_url: {{proxy_url}} +{{/if}} + +request.transforms: + - set: + target: header.Content-Type + value: application/taxii+json;version=2.1 + - set: + target: header.Accept + value: application/taxii+json;version=2.1 + - set: + target: url.params.match[type] + value: indicator + - set: + target: url.params.added_after + value: '[[.cursor.timestamp]]' + default: '[[ formatDate (now (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05.000Z" ]]' + +response.pagination: + - set: + target: url.params.added_after + value: '[[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]]' + fail_on_template_error: true + +response.split: + target: body.objects + +cursor: + timestamp: + value: '[[ .last_response.header.Get "X-TAXII-Date-Added-Last" ]]' + +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/ti_cybersixgill/1.3.2/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/ti_cybersixgill/1.3.2/data_stream/threat/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..835ddd259b --- /dev/null +++ b/packages/ti_cybersixgill/1.3.2/data_stream/threat/elasticsearch/ingest_pipeline/default.yml 
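Review bot: `auth.basic.user: {{username}}` and `auth.basic.password: {{password}}` are substituted into plain, unquoted YAML scalars, so a credential that starts with `#`, `*`, `[` or `{`, contains `: `, or looks numeric or boolean would be rendered as a comment, alias, flow collection or non-string unless the agent's template renderer quotes it first; writing `auth.basic.user: "{{username}}"` and `auth.basic.password: "{{password}}"` removes that dependency on the renderer. The index variable in `{{#each tags as |tag i|}}` is never used and the sibling templates in this commit write `{{#each tags as |tag|}}`, so the shorter form keeps the package consistent. Both the pagination step and the cursor read `X-TAXII-Date-Added-Last` from the last response; I would exercise the input against an empty page that omits that header and confirm which `added_after` the next request sends, since the hunk gives no fallback of its own and relies on httpjson keeping the prior cursor value. The file also ends without a trailing newline, which the other templates in this change do not.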
@@ -0,0 +1,269 @@ +--- +description: Initial pipeline for parsing Cybersixgill webhooks +processors: + - set: + field: ecs.version + value: "8.0.0" + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: threat + - set: + field: event.type + value: indicator + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: cybersixgill + - remove: + field: + - cybersixgill.extensions + ignore_missing: true + - drop: + if: ctx?.cybersixgill?.type != "indicator" + - fingerprint: + fields: + - cybersixgill.id + target_field: "_id" + ignore_missing: true + ##################### + # Threat ECS Fields # + ##################### + ## File indicator operations + - date: + field: cybersixgill.created + formats: + - "yyyy-MM-dd'T'HH:mm:ssz" + - "yyyy-MM-dd'T'HH:mm:ssZ" + - "yyyy-MM-dd'T'HH:mm:ss.Sz" + - "yyyy-MM-dd'T'HH:mm:ss.SZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" + if: "ctx.cybersixgill?.created != null" + - date: + field: cybersixgill.modified + target_field: threat.indicator.last_seen + formats: + - "yyyy-MM-dd'T'HH:mm:ssz" + - "yyyy-MM-dd'T'HH:mm:ssZ" + - "yyyy-MM-dd'T'HH:mm:ss.Sz" + - "yyyy-MM-dd'T'HH:mm:ss.SZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" + if: "ctx.cybersixgill?.modified != null" + - date: + field: cybersixgill.valid_from + target_field: threat.indicator.first_seen + formats: + - "yyyy-MM-dd'T'HH:mm:ssz" + - "yyyy-MM-dd'T'HH:mm:ssZ" + - "yyyy-MM-dd'T'HH:mm:ss.Sz" + - "yyyy-MM-dd'T'HH:mm:ss.SZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" + if: "ctx.cybersixgill?.valid_from != null" + - grok: + field: cybersixgill.pattern + patterns: + - "^\\[%{MD5}\\]" + - "^\\[%{MD5} OR %{SHA1}\\]" + - 
"^\\[%{MD5} OR %{SHA1} OR %{SHA256}\\]" + - "^\\[%{SHA1}\\]" + - "^\\[%{SHA1} OR %{SHA256}\\]" + - "^\\[%{SHA256}\\]" + - "^\\[%{DATA:threat.indicator.type}:value%{SPACE}=%{SPACE}'%{DATA:_temp_.threatvalue}'\\]" + pattern_definitions: + MD5: "%{DATA:threat.indicator.type}:hashes.MD5%{SPACE}=%{SPACE}'%{WORD:threat.indicator.file.hash.md5}'" + SHA1: "%{DATA:threat.indicator.type}:hashes.'SHA-1'%{SPACE}=%{SPACE}'%{WORD:threat.indicator.file.hash.sha1}'" + SHA256: "%{DATA:threat.indicator.type}:hashes.'SHA-256'%{SPACE}=%{SPACE}'%{WORD:threat.indicator.file.hash.sha256}'" + if: ctx.cybersixgill?.pattern != null + - rename: + field: _temp_.threatvalue + target_field: threat.indicator.ip + ignore_missing: true + if: "['ipv4-addr', 'ipv6-addr'].contains(ctx.threat?.indicator?.type)" + - uri_parts: + field: _temp_.threatvalue + target_field: threat.indicator.url + keep_original: true + remove_if_successful: true + if: ctx.threat?.indicator?.type == 'url' + - rename: + field: _temp_.threatvalue + target_field: threat.indicator.email.address + ignore_missing: true + if: ctx.threat?.indicator?.type == 'email-addr' + - rename: + field: _temp_.threatvalue + target_field: threat.indicator.url.domain + ignore_missing: true + if: ctx.threat?.indicator?.type == 'domain-name' + - set: + field: threat.indicator.type + value: unknown + if: ctx.threat?.indicator?.type == null + - rename: + field: cybersixgill.labels + target_field: _temp_.tags + ignore_missing: true + - rename: + field: cybersixgill.sixgill_severity + target_field: event.severity + ignore_missing: true + - rename: + field: cybersixgill.description + target_field: threat.indicator.description + ignore_missing: true + - rename: + field: cybersixgill.sixgill_feedname + target_field: cybersixgill.feedname + ignore_missing: true + - rename: + field: cybersixgill.sixgill_source + target_field: threat.indicator.provider + ignore_missing: true + - rename: + field: cybersixgill.sixgill_posttitle + target_field: 
cybersixgill.title + ignore_missing: true + - rename: + field: cybersixgill.sixgill_actor + target_field: cybersixgill.actor + ignore_missing: true + - set: + field: threat.indicator.reference + value: "https://portal.cybersixgill.com/#/search?q=_id:{{cybersixgill.sixgill_postid}}" + if: ctx.cybersixgill?.sixgill_postid != null + - convert: + field: cybersixgill.sixgill_confidence + type: integer + target_field: threat.indicator.confidence + ignore_missing: true + - script: + lang: painless + if: ctx.cybersixgill?.external_references != null + description: > + Adds MITRE and VirusTotal fields + source: > + def refs = ctx.cybersixgill.external_references; + ctx.cybersixgill.mitre = new HashMap(); + ctx.cybersixgill.virustotal = new HashMap(); + ctx.threat.tactic = new HashMap(); + for (def ref : refs) { + if (ref?.description != null) { + ctx.cybersixgill.mitre.description = ref.description; + } + if (ref?.mitre_attack_tactic != null) { + ctx.threat.tactic.name = ref.mitre_attack_tactic; + } + if (ref?.mitre_attack_tactic_id != null) { + ctx.threat.tactic.id = ref.mitre_attack_tactic_id; + } + if (ref?.mitre_attack_tactic_url != null) { + ctx.threat.tactic.reference = ref.mitre_attack_tactic_url; + } + if (ref?.positive_rate != null) { + ctx.cybersixgill.virustotal.pr = ref.positive_rate; + } + if (ref?.url != null) { + ctx.cybersixgill.virustotal.url = ref.url; + } + } + - foreach: + field: _temp_.tags + processor: + append: + field: tags + value: "{{_ingest._value}}" + ignore_missing: true + ignore_failure: true + if: ctx._temp_?.tags != null + - script: + lang: painless + if: ctx.threat?.indicator?.confidence != null + description: > + Normalize confidence level. 
+ source: > + def value = ctx.threat.indicator.confidence; + if (value <= 0.0 || value > 100.0) { + ctx.threat.indicator.confidence = "None"; + return; + } + if (value >= 1.0 && value <= 29.0) { + ctx.threat.indicator.confidence = "Low"; + return; + } + if (value >= 30.0 && value <= 69.0) { + ctx.threat.indicator.confidence = "Med"; + return; + } + if (value >= 70 && value <= 100) { + ctx.threat.indicator.confidence = "High"; + return; + } + - script: + lang: painless + if: ctx?.threatintel != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - remove: + field: + - _temp_ + - cybersixgill.sixgill_postid + - cybersixgill.extensions + - cybersixgill.spec_version + - cybersixgill.valid_from + - cybersixgill.created + - cybersixgill.modified + - cybersixgill.lang + - cybersixgill.name + - cybersixgill.pattern_type + - cybersixgill.external_references + - cybersixgill.confidence + - cybersixgill.sixgill_confidence + - cybersixgill.id + - cybersixgill.indicator_types + - cybersixgill.pattern + - cybersixgill.sixgill_feedid + - cybersixgill.sixgill_post_virustotallink + - cybersixgill.type + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/ti_cybersixgill/1.3.2/data_stream/threat/fields/agent.yml b/packages/ti_cybersixgill/1.3.2/data_stream/threat/fields/agent.yml new file mode 100755 index 0000000000..845b84ed9c --- /dev/null 
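Review bot: The null-stripping painless script is gated on `if: ctx?.threatintel != null`, but nothing in this pipeline writes a `threatintel` field (the parsed document lives under `cybersixgill` and `threat`), so that script never runs and null-valued keys survive into the index; the guard presumably should read `if: ctx.cybersixgill != null`, or be dropped. The confidence normalisation script assigns `"Med"`, whereas the `threat.indicator.confidence` description added in this same change lists `Medium` as the expected value, so `ctx.threat.indicator.confidence = "Medium";` is the consistent spelling. The external_references script creates `cybersixgill.mitre`, `cybersixgill.virustotal` and `threat.tactic` as empty maps unconditionally, so a document whose references carry only VirusTotal data is left with empty `mitre` and `tactic` objects that the null cleanup would not remove even when it runs. The pipeline `description` says "webhooks" while the input is the TAXII service; `description: Pipeline for parsing Cybersixgill Darkfeed TAXII indicators` would match what the pipeline does.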
+++ b/packages/ti_cybersixgill/1.3.2/data_stream/threat/fields/agent.yml 
@@ -0,0 +1,201 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type. 
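Review bot: `example: 666777888999` under `cloud.account.id` is an unquoted all-digit scalar, so YAML parsers read it as an integer although the field is mapped as `keyword`; `example: "666777888999"` keeps the example's type consistent with the mapping, as the quoted examples on `os.build` and `os.codename` in this file already do. If this file is copied verbatim from shared ECS tooling, the fix belongs there rather than in this package.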
diff --git a/packages/ti_cybersixgill/1.3.2/data_stream/threat/fields/base-fields.yml b/packages/ti_cybersixgill/1.3.2/data_stream/threat/fields/base-fields.yml
new file mode 100755
index 0000000000..9b559d71a6
--- /dev/null
+++ b/packages/ti_cybersixgill/1.3.2/data_stream/threat/fields/base-fields.yml
@@ -0,0 +1,37 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: dataset.type
+ type: constant_keyword
+ description: Dataset type.
+- name: dataset.name
+ type: constant_keyword
+ description: Dataset name.
+- name: dataset.namespace
+ type: constant_keyword
+ description: Dataset namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: ti_cybersixgill
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: ti_cybersixgill.threat
+- name: threat.feed.name
+ type: constant_keyword
+ description: Display friendly feed name
+ value: Cybersixgill Darkfeed
+- name: threat.feed.dashboard_id
+ type: constant_keyword
+ description: Dashboard ID used for Kibana CTI UI
+ value: ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/ti_cybersixgill/1.3.2/data_stream/threat/fields/ecs.yml b/packages/ti_cybersixgill/1.3.2/data_stream/threat/fields/ecs.yml
new file mode 100755
index 0000000000..2d8f273afc
--- /dev/null
+++ b/packages/ti_cybersixgill/1.3.2/data_stream/threat/fields/ecs.yml
@@ -0,0 +1,170 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: Error message. + name: error.message + type: match_only_text +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: MD5 hash. + name: threat.indicator.file.hash.md5 + type: keyword +- description: SHA1 hash. + name: threat.indicator.file.hash.sha1 + type: keyword +- description: SHA256 hash. + name: threat.indicator.file.hash.sha256 + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.full + type: wildcard +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: threat.indicator.url.domain + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. 
For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: threat.indicator.url.extension + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.original + type: wildcard +- description: Path of the request, such as "/search". + name: threat.indicator.url.path + type: wildcard +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: threat.indicator.url.scheme + type: keyword +- description: |- + Portion of the url after the `#`, such as "top". + The `#` is not part of the fragment. + name: threat.indicator.url.fragment + type: keyword +- description: Identifies a threat indicator as an IP address (irrespective of direction). + name: threat.indicator.ip + type: ip +- description: |- + Type of indicator as represented by Cyber Observable in STIX 2.0. + Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate + name: threat.indicator.type + type: keyword +- description: Describes the type of action conducted by the threat. + name: threat.indicator.description + type: keyword +- description: The name of the indicator's provider. + name: threat.indicator.provider + type: keyword +- description: Reference URL linking to additional information about this indicator. 
+ name: threat.indicator.reference + type: keyword +- description: |- + Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. + Expected values are: + * Not Specified + * None + * Low + * Medium + * High + name: threat.indicator.confidence + type: keyword +- description: The date and time when intelligence source first reported sighting this indicator. + name: threat.indicator.first_seen + type: date +- description: The date and time when intelligence source last reported sighting this indicator. + name: threat.indicator.last_seen + type: date +- description: Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) + name: threat.tactic.name + type: keyword +- description: The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) + name: threat.tactic.id + type: keyword +- description: The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) + name: threat.tactic.reference + type: keyword diff --git a/packages/ti_cybersixgill/1.3.2/data_stream/threat/fields/fields.yml b/packages/ti_cybersixgill/1.3.2/data_stream/threat/fields/fields.yml new file mode 100755 index 0000000000..8f92ebcd56 --- /dev/null +++ b/packages/ti_cybersixgill/1.3.2/data_stream/threat/fields/fields.yml 
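Review bot: The `message` field is declared twice in this file — once directly after `ecs.version` and again after `event.created`, with identical description and type — so one entry should be removed; which copy ends up in the index template depends on the loader, and duplicate definitions are the kind of thing package linting is likely to reject. The URL sub-fields mapped here are `full`, `domain`, `extension`, `original`, `path`, `scheme` and `fragment`, but the ingest pipeline's `uri_parts` processor targeting `threat.indicator.url` can also emit `query` and `port` for a URL indicator that carries them; confirm those are intended to fall through to dynamic mapping or add them alongside the others.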
@@ -0,0 +1,32 @@
+- name: cybersixgill
+ type: group
+ release: beta
+ fields:
+ - name: feedname
+ type: keyword
+ description: |
+ Name of the Threat Intel feed.
+ - name: title
+ type: keyword
+ description: |
+ The title of the indicator.
+ - name: actor
+ type: keyword
+ description: |
+ The related actor for the indicator.
+ - name: valid_from
+ type: date
+ description: |
+ At what date the indicator is valid from.
+ - name: virustotal.pr
+ type: keyword
+ description: |
+ The Virustotal positive rate.
+ - name: virustotal.url
+ type: keyword
+ description: |
+ The related Virustotal URL.
+ - name: mitre.description
+ type: keyword
+ description: |
+ The mitre description of the indicator
diff --git a/packages/ti_cybersixgill/1.3.2/data_stream/threat/manifest.yml b/packages/ti_cybersixgill/1.3.2/data_stream/threat/manifest.yml
new file mode 100755
index 0000000000..2172810090
--- /dev/null
+++ b/packages/ti_cybersixgill/1.3.2/data_stream/threat/manifest.yml
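Review bot: `cybersixgill.valid_from` is declared here as a `date` field, but the ingest pipeline in this change copies it into `threat.indicator.first_seen` and then lists `cybersixgill.valid_from` in its final `remove` processor, so this mapping is never populated; either drop the declaration or take the field out of the remove list, depending on whether the raw value is meant to be retained. The `mitre.description` entry is also the only one whose description lacks the trailing period the sibling entries use.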
@@ -0,0 +1,88 @@ +type: logs +title: Cybersixgill Darkfeed Logs +streams: + - input: httpjson + vars: + - name: username + type: text + title: Cybersixgill Darkfeed Client ID + multi: false + required: true + show_user: true + - name: password + type: password + title: Cybersixgill Darkfeed Client Secret + multi: false + required: true + show_user: true + - name: url + type: text + title: Cybersixgill Darkfeed URL + multi: false + required: true + show_user: false + default: https://api.cybersixgill.com/taxii/sixgill-taxii/collections/102/objects + - name: http_client_timeout + type: text + title: HTTP Client Timeout + multi: false + required: false + show_user: false + default: 30s + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http[s]://:@: + - name: interval + type: text + title: Interval + multi: false + required: true + show_user: true + default: 10m + - name: initial_interval + type: text + title: Initial Interval + multi: false + required: true + show_user: false + default: 2160h + description: How far back to look for indicators the first time the agent is started. + - name: ssl + type: yaml + title: SSL + multi: false + required: false + show_user: false + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - ti_cybersixgill + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. 
See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: httpjson.yml.hbs + title: Cybersixgill Darkfeed Logs + description: Collect Cybersixgill Darkfeed Logs diff --git a/packages/ti_cybersixgill/1.3.2/data_stream/threat/sample_event.json b/packages/ti_cybersixgill/1.3.2/data_stream/threat/sample_event.json new file mode 100755 index 0000000000..715b56c23f --- /dev/null +++ b/packages/ti_cybersixgill/1.3.2/data_stream/threat/sample_event.json 
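Review bot: The `proxy_url` description reads `URL to proxy connections in the form of http[s]://:@:`, which looks as if its placeholder tokens for the credentials, host and port were lost; if the committed file really reads this way, spell them out, e.g. `description: "URL to proxy connections in the form of http[s]://[user:password@]host:port"`, and if this is only an artefact of how the page was rendered, ignore this. The `ssl` variable is the one option with no `description`; a one-liner such as `description: SSL settings for the httpjson request (rendered as request.ssl)` would document what the YAML block is for. `url` is declared `required: true` while the stream template still wraps `request.url` in `{{#if url}}`; keep one or the other, not both.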
@@ -0,0 +1,77 @@ +{ + "@timestamp": "2021-12-07T13:58:01.596Z", + "agent": { + "ephemeral_id": "23a1b4ff-d3ba-4cc1-a31d-65adb7b305fb", + "id": "3f82d126-26ae-4993-a89b-63c5413149e0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "cybersixgill": { + "actor": "vaedzy", + "feedname": "dark_web_hashes", + "mitre": { + "description": "Mitre attack tactics and technique reference" + }, + "title": "[病毒样本] #Trickbot (2021-12-07)", + "virustotal": { + "pr": "medium", + "url": "https://virustotal.com/#/file/7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d" + } + }, + "data_stream": { + "dataset": "ti_cybersixgill.threat", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "3f82d126-26ae-4993-a89b-63c5413149e0", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-04-11T08:36:43.266Z", + "dataset": "ti_cybersixgill.threat", + "ingested": "2022-04-11T08:36:43Z", + "kind": "enrichment", + "original": "{\"confidence\":70,\"created\":\"2021-12-07T13:58:01.596Z\",\"description\":\"Hash attributed to malware that was discovered in the dark and deep web\",\"extensions\":{\"extension-definition--3de9ff00-174d-4d41-87c9-05a27a7e117c\":{\"extension_type\":\"toplevel-property-extension\"}},\"external_references\":[{\"positive_rate\":\"medium\",\"source_name\":\"VirusTotal\",\"url\":\"https://virustotal.com/#/file/7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\"},{\"description\":\"Mitre attack tactics and technique reference\",\"mitre_attack_tactic\":\"Build 
Capabilities\",\"mitre_attack_tactic_id\":\"TA0024\",\"mitre_attack_tactic_url\":\"https://attack.mitre.org/tactics/TA0024/\",\"source_name\":\"mitre-attack\"}],\"id\":\"indicator--302dab0f-64dc-42f5-b99e-702b28c1aaa9\",\"indicator_types\":[\"malicious-activity\"],\"lang\":\"en\",\"modified\":\"2021-12-07T13:58:01.596Z\",\"name\":\"4d0f21919d623bd1631ee15ca7429f28;5ce39ef0700b64bd0c71b55caf64ae45d8400965;7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\",\"pattern\":\"[file:hashes.MD5 = '4d0f21919d623bd1631ee15ca7429f28' OR file:hashes.'SHA-1' = '5ce39ef0700b64bd0c71b55caf64ae45d8400965' OR file:hashes.'SHA-256' = '7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d']\",\"pattern_type\":\"stix\",\"sixgill_actor\":\"vaedzy\",\"sixgill_confidence\":70,\"sixgill_feedid\":\"darkfeed_012\",\"sixgill_feedname\":\"dark_web_hashes\",\"sixgill_post_virustotallink\":\"https://virustotal.com/#/file/7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\",\"sixgill_postid\":\"c0c9a0085fb5281cfb40a0ddb62e1d2c6a53eb7a\",\"sixgill_posttitle\":\"[病毒样本] #Trickbot (2021-12-07)\",\"sixgill_severity\":70,\"sixgill_source\":\"forum_kafan\",\"spec_version\":\"2.1\",\"type\":\"indicator\",\"valid_from\":\"2021-12-07T02:55:17Z\"}", + "severity": 70, + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "ti_cybersixgill" + ], + "threat": { + "indicator": { + "confidence": "High", + "description": "Hash attributed to malware that was discovered in the dark and deep web", + "file": { + "hash": { + "md5": "4d0f21919d623bd1631ee15ca7429f28", + "sha1": "5ce39ef0700b64bd0c71b55caf64ae45d8400965", + "sha256": "7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d" + } + }, + "first_seen": "2021-12-07T02:55:17.000Z", + "last_seen": "2021-12-07T13:58:01.596Z", + "provider": "forum_kafan", + "reference": 
"https://portal.cybersixgill.com/#/search?q=_id:c0c9a0085fb5281cfb40a0ddb62e1d2c6a53eb7a", + "type": "file" + }, + "tactic": { + "id": "TA0024", + "name": "Build Capabilities", + "reference": "https://attack.mitre.org/tactics/TA0024/" + } + } +} \ No newline at end of file diff --git a/packages/ti_cybersixgill/1.3.2/docs/README.md b/packages/ti_cybersixgill/1.3.2/docs/README.md new file mode 100755 index 0000000000..1d005cf5b2 --- /dev/null +++ b/packages/ti_cybersixgill/1.3.2/docs/README.md 
@@ -0,0 +1,179 @@
+# Cybersixgill Darkfeed TAXII Integration
+
+This integration connects with the commercial [Cybersixgill Darkfeed](https://www.cybersixgill.com/products/darkfeed/) TAXII server.
+
+## Logs
+
+### Threat
+
+The Cybersixgill Darkfeed integration collects threat intelligence from the Darkfeed TAXII service available using the credentials provided from Cybersixgill.
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| cybersixgill.actor | The related actor for the indicator. | keyword |
+| cybersixgill.feedname | Name of the Threat Intel feed. | keyword |
+| cybersixgill.mitre.description | The mitre description of the indicator | keyword |
+| cybersixgill.title | The title of the indicator. | keyword |
+| cybersixgill.valid_from | At what date the indicator is valid from. | date |
+| cybersixgill.virustotal.pr | The Virustotal positive rate. | keyword |
+| cybersixgill.virustotal.url | The related Virustotal URL. | keyword |
+| data_stream.dataset | Data stream dataset name. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| dataset.name | Dataset name. | constant_keyword |
+| dataset.namespace | Dataset namespace. | constant_keyword |
+| dataset.type | Dataset type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Input type. | keyword |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| tags | List of keywords used to tag each event. | keyword |
+| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword |
+| threat.feed.name | Display friendly feed name | constant_keyword |
+| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: \* Not Specified \* None \* Low \* Medium \* High | keyword |
+| threat.indicator.description | Describes the type of action conducted by the threat. | keyword |
+| threat.indicator.file.hash.md5 | MD5 hash. | keyword |
+| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
+| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword |
+| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date |
+| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip |
+| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date |
+| threat.indicator.provider | The name of the indicator's provider. | keyword |
+| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword |
+| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword |
+| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
+| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| threat.indicator.url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
+| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
+| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text |
+| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text |
+| threat.indicator.url.path | Path of the request, such as "/search". | wildcard |
+| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
+| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
+| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword |
+| threat.tactic.reference | The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
+
+
+An example event for `threat` looks as following:
+
+```json
+{
+ "@timestamp": "2021-12-07T13:58:01.596Z",
+ "agent": {
+ "ephemeral_id": "23a1b4ff-d3ba-4cc1-a31d-65adb7b305fb",
+ "id": "3f82d126-26ae-4993-a89b-63c5413149e0",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "cybersixgill": {
+ "actor": "vaedzy",
+ "feedname": "dark_web_hashes",
+ "mitre": {
+ "description": "Mitre attack tactics and technique reference"
+ },
+ "title": "[病毒样本] #Trickbot (2021-12-07)",
+ "virustotal": {
+ "pr": "medium",
+ "url": "https://virustotal.com/#/file/7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d"
+ }
+ },
+ "data_stream": {
+ "dataset": "ti_cybersixgill.threat",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "3f82d126-26ae-4993-a89b-63c5413149e0",
+ "snapshot": false,
+ "version": "8.0.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": "threat",
+ "created": "2022-04-11T08:36:43.266Z",
+ "dataset": "ti_cybersixgill.threat",
+ "ingested": "2022-04-11T08:36:43Z",
+ "kind": "enrichment",
+ "original": "{\"confidence\":70,\"created\":\"2021-12-07T13:58:01.596Z\",\"description\":\"Hash attributed to malware that was discovered in the dark and deep web\",\"extensions\":{\"extension-definition--3de9ff00-174d-4d41-87c9-05a27a7e117c\":{\"extension_type\":\"toplevel-property-extension\"}},\"external_references\":[{\"positive_rate\":\"medium\",\"source_name\":\"VirusTotal\",\"url\":\"https://virustotal.com/#/file/7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\"},{\"description\":\"Mitre attack tactics and technique reference\",\"mitre_attack_tactic\":\"Build Capabilities\",\"mitre_attack_tactic_id\":\"TA0024\",\"mitre_attack_tactic_url\":\"https://attack.mitre.org/tactics/TA0024/\",\"source_name\":\"mitre-attack\"}],\"id\":\"indicator--302dab0f-64dc-42f5-b99e-702b28c1aaa9\",\"indicator_types\":[\"malicious-activity\"],\"lang\":\"en\",\"modified\":\"2021-12-07T13:58:01.596Z\",\"name\":\"4d0f21919d623bd1631ee15ca7429f28;5ce39ef0700b64bd0c71b55caf64ae45d8400965;7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\",\"pattern\":\"[file:hashes.MD5 = '4d0f21919d623bd1631ee15ca7429f28' OR file:hashes.'SHA-1' = '5ce39ef0700b64bd0c71b55caf64ae45d8400965' OR file:hashes.'SHA-256' = '7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d']\",\"pattern_type\":\"stix\",\"sixgill_actor\":\"vaedzy\",\"sixgill_confidence\":70,\"sixgill_feedid\":\"darkfeed_012\",\"sixgill_feedname\":\"dark_web_hashes\",\"sixgill_post_virustotallink\":\"https://virustotal.com/#/file/7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d\",\"sixgill_postid\":\"c0c9a0085fb5281cfb40a0ddb62e1d2c6a53eb7a\",\"sixgill_posttitle\":\"[病毒样本] #Trickbot (2021-12-07)\",\"sixgill_severity\":70,\"sixgill_source\":\"forum_kafan\",\"spec_version\":\"2.1\",\"type\":\"indicator\",\"valid_from\":\"2021-12-07T02:55:17Z\"}",
+ "severity": 70,
+ "type": "indicator"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "ti_cybersixgill"
+ ],
+ "threat": {
+ "indicator": {
+ "confidence": "High",
+ "description": "Hash attributed to malware that was discovered in the dark and deep web",
+ "file": {
+ "hash": {
+ "md5": "4d0f21919d623bd1631ee15ca7429f28",
+ "sha1": "5ce39ef0700b64bd0c71b55caf64ae45d8400965",
+ "sha256": "7bdf8b8594ec269da864ee662334f4da53d4820a3f0f8aa665a0fa096ca8f22d"
+ }
+ },
+ "first_seen": "2021-12-07T02:55:17.000Z",
+ "last_seen": "2021-12-07T13:58:01.596Z",
+ "provider": "forum_kafan",
+ "reference": "https://portal.cybersixgill.com/#/search?q=_id:c0c9a0085fb5281cfb40a0ddb62e1d2c6a53eb7a",
+ "type": "file"
+ },
+ "tactic": {
+ "id": "TA0024",
+ "name": "Build Capabilities",
+ "reference": "https://attack.mitre.org/tactics/TA0024/"
+ }
+ }
+}
+```
\ No newline at end of file
diff --git a/packages/ti_cybersixgill/1.3.2/img/cybersixgill.svg b/packages/ti_cybersixgill/1.3.2/img/cybersixgill.svg
new file mode 100755
index 0000000000..7ef7622b8e
--- /dev/null
+++ b/packages/ti_cybersixgill/1.3.2/img/cybersixgill.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/packages/ti_cybersixgill/1.3.2/kibana/dashboard/ti_cybersixgill-63c9fee0-5bea-11ec-9302-152fd766c738.json b/packages/ti_cybersixgill/1.3.2/kibana/dashboard/ti_cybersixgill-63c9fee0-5bea-11ec-9302-152fd766c738.json
new file mode 100755
index 0000000000..f9c9134080
--- /dev/null
+++ b/packages/ti_cybersixgill/1.3.2/kibana/dashboard/ti_cybersixgill-63c9fee0-5bea-11ec-9302-152fd766c738.json
@@ -0,0 +1,127 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about file type indicators from the Cybersixgill integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"file\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"file\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_cybersixgill.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_cybersixgill.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[Cybersixgill Overview](/app/dashboards#/view/ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738) \\n**[Cybersixgill Files (This Page)](/app/dashboards#/view/ti_cybersixgill-63c9fee0-5bea-11ec-9302-152fd766c738)** \\n[Cybersixgill 
URLs](/app/dashboards#/view/ti_cybersixgill-717013b0-5bed-11ec-9302-152fd766c738) \\n\\n[Integrations Page](/app/integrations/detail/ti_cybersixgill/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: file**.\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like hash type counters, popular domains, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"Files Navigation Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":35,\"i\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\":{\"columnOrder\":[\"8622e147-406f-4711-8f68-e2425614106e\"],\"columns\":{\"8622e147-406f-4711-8f68-e2425614106e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique File types\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"8622e147-406f-4711-8f68-e2425614106e\",\"layerId\":\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"layerType\":\"data\"}},\"title\":\"Unique File Types [Logs 
AbuseCH]\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"w\":5,\"x\":7,\"y\":0},\"panelIndex\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"title\":\"Unique File Types [Logs Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-d888e3e0-3b38-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b83c382d-fab9-4e60-a632-475e221cc20c\":{\"columnOrder\":[\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\"],\"columns\":{\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique MD5\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.md5\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\",\"layerId\":\"b83c382d-fab9-4e60-a632-475e221cc20c\",\"layerType\":\"data\"}},\"title\":\"Unique MD5 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"w\":6,\"x\":12,\"y\":0},\"panelIndex\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"title\":\"Unique MD5 [Logs 
Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-22fbfeae-5b51-4d9d-b463-0d0dcb36e05d\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"22fbfeae-5b51-4d9d-b463-0d0dcb36e05d\":{\"columnOrder\":[\"27d0558e-428b-40a7-aea7-4195a095ff3f\",\"4e91e0ea-9ccc-43cf-b81c-513d9f18ead7\"],\"columns\":{\"27d0558e-428b-40a7-aea7-4195a095ff3f\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.tactic.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4e91e0ea-9ccc-43cf-b81c-513d9f18ead7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.tactic.id\"},\"4e91e0ea-9ccc-43cf-b81c-513d9f18ead7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"27d0558e-428b-40a7-aea7-4195a095ff3f\"],\"layerId\":\"22fbfeae-5b51-4d9d-b463-0d0dcb36e05d\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"4e91e0ea-9ccc-43cf-b81c-513d9f18ead7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"c66ad183-f4f0-4605-b35d-85b7038403fd\",\"w\":14,\"x\":18,\"y\":0},\"panelIndex\":\"c66ad183-f4f0-4605-b35d-85b7038403fd\",\"title\":\"Mitre Tactics ID [Logs 
Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9722683d-8451-450c-b62c-8f28e7263f1b\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9722683d-8451-450c-b62c-8f28e7263f1b\":{\"columnOrder\":[\"4e60dfd6-afe5-47dc-a5a0-3cfdb62f01dd\",\"0ceb1563-e3cd-4a98-a469-737bee1cb9ef\"],\"columns\":{\"0ceb1563-e3cd-4a98-a469-737bee1cb9ef\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"4e60dfd6-afe5-47dc-a5a0-3cfdb62f01dd\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.tactic.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0ceb1563-e3cd-4a98-a469-737bee1cb9ef\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.tactic.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"4e60dfd6-afe5-47dc-a5a0-3cfdb62f01dd\"],\"layerId\":\"9722683d-8451-450c-b62c-8f28e7263f1b\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"0ceb1563-e3cd-4a98-a469-737bee1cb9ef\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"fcc44298-dfb6-4bd4-a63d-e845ce3eb859\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"fcc44298-dfb6-4bd4-a63d-e845ce3eb859\",\"title\":\"Mitre Tactics Name [Logs 
Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-28549810-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"85ad73b3-3b76-49f1-ad20-6256b58918f8\":{\"columnOrder\":[\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\"],\"columns\":{\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA1\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha1\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\",\"layerId\":\"85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"layerType\":\"data\"}},\"title\":\"Unique SHA1 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"w\":5,\"x\":7,\"y\":8},\"panelIndex\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"title\":\"Unique SHA1 [Logs 
Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-5d6111a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49b7070a-f1d3-46e1-a980-2f6d6d130167\":{\"columnOrder\":[\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\"],\"columns\":{\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA256\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha256\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\",\"layerId\":\"49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"layerType\":\"data\"}},\"title\":\"Unique SHA256 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"w\":6,\"x\":12,\"y\":8},\"panelIndex\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"title\":\"Unique SHA256 [Logs 
Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9646600b-883b-40d0-af92-d25f7fb3fcf6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9646600b-883b-40d0-af92-d25f7fb3fcf6\":{\"columnOrder\":[\"b21fdfe6-05b1-474f-9748-1923a4c16ebe\",\"36345449-d429-419f-a3e1-202546a186d4\"],\"columns\":{\"36345449-d429-419f-a3e1-202546a186d4\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b21fdfe6-05b1-474f-9748-1923a4c16ebe\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Feed Names\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"36345449-d429-419f-a3e1-202546a186d4\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cybersixgill.feedname\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"b21fdfe6-05b1-474f-9748-1923a4c16ebe\",\"isTransposed\":false},{\"columnId\":\"36345449-d429-419f-a3e1-202546a186d4\",\"isTransposed\":false}],\"layerId\":\"9646600b-883b-40d0-af92-d25f7fb3fcf6\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"0638c316-a573-412f-b3c4-f72dde07c6e8\",\"w\":11,\"x\":7,\"y\":16},\"panelIndex\":\"0638c316-a573-412f-b3c4-f72dde07c6e8\",\"title\":\"Top Feeds [Logs 
Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"exclude\":\"forwarded|preserve_original_event|cybersixgill-threat\",\"field\":\"tags\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":19,\"i\":\"463b3747-56ee-425d-a2ac-a94a44b4995e\",\"w\":14,\"x\":18,\"y\":16},\"panelIndex\":\"463b3747-56ee-425d-a2ac-a94a44b4995e\",\"title\":\"File Tags [Logs Cybersixgill]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-d9757b54-ffa7-45da-b31b-1387c4a2d26e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d9757b54-ffa7-45da-b31b-1387c4a2d26e\":{\"columnOrder\":[\"af192ae4-c012-49db-b768-85d876f2688e\",\"5e611ce4-0c5a-4e10-b87e-30c88affa80e\"],\"columns\":{\"5e611ce4-0c5a-4e10-b87e-30c88affa80e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"af192ae4-c012-49db-b768-85d876f2688e\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.confidence\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5e611ce4-0c5a-4e10-b87e-30c88affa80e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.confidence\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"af192ae4-c012-49db-b768-85d876f2688e\"],\"layerId\":\"d9757b54-ffa7-45da-b31b-1387c4a2d26e\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5e611ce4-0c5a-4e10-b87e-30c88affa80e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"256a7b33-485f-4715-90f3-768bea61d23e\",\"w\":16,\"x\":32,\"y\":16},\"panelIndex\":\"256a7b33-485f-4715-90f3-768bea61d23e\",\"title\":\"Confidence Levels [Logs Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs Cybersixgill] Files", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_cybersixgill-63c9fee0-5bea-11ec-9302-152fd766c738", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c66ad183-f4f0-4605-b35d-85b7038403fd:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c66ad183-f4f0-4605-b35d-85b7038403fd:indexpattern-datasource-layer-22fbfeae-5b51-4d9d-b463-0d0dcb36e05d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fcc44298-dfb6-4bd4-a63d-e845ce3eb859:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fcc44298-dfb6-4bd4-a63d-e845ce3eb859:indexpattern-datasource-layer-9722683d-8451-450c-b62c-8f28e7263f1b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0638c316-a573-412f-b3c4-f72dde07c6e8:indexpattern-datasource-current-indexpattern", + 
"type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0638c316-a573-412f-b3c4-f72dde07c6e8:indexpattern-datasource-layer-9646600b-883b-40d0-af92-d25f7fb3fcf6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "463b3747-56ee-425d-a2ac-a94a44b4995e:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "256a7b33-485f-4715-90f3-768bea61d23e:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "256a7b33-485f-4715-90f3-768bea61d23e:indexpattern-datasource-layer-d9757b54-ffa7-45da-b31b-1387c4a2d26e", + "type": "index-pattern" + }, + { + "id": "ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738", + "name": "tag-ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ti_cybersixgill/1.3.2/kibana/dashboard/ti_cybersixgill-717013b0-5bed-11ec-9302-152fd766c738.json b/packages/ti_cybersixgill/1.3.2/kibana/dashboard/ti_cybersixgill-717013b0-5bed-11ec-9302-152fd766c738.json new file mode 100755 index 0000000000..bc0a0f12a2 --- /dev/null +++ b/packages/ti_cybersixgill/1.3.2/kibana/dashboard/ti_cybersixgill-717013b0-5bed-11ec-9302-152fd766c738.json 
@@ -0,0 +1,112 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about URL type indicators from the Cybersixgill Darkfeed integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_cybersixgill.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_cybersixgill.threat\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"url\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"url\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[Cybersixgill Overview](/app/dashboards#/view/ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738) \\n[Cybersixgill Files](/app/dashboards#/view/ti_cybersixgill-63c9fee0-5bea-11ec-9302-152fd766c738) \\n**[Cybersixgill URLs (This 
Page)](/app/dashboards#/view/ti_cybersixgill-717013b0-5bed-11ec-9302-152fd766c738)** \\n\\n[Integrations Page](/app/integrations/detail/ti_cybersixgill/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: url**. \\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, file extensions, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":38,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs AbuseCH]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a6fa56f8-32fa-405d-8771-dade4fe75d62\":{\"columnOrder\":[\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\"],\"columns\":{\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Extensions\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\",\"layerId\":\"a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"w\":9,\"x\":7,\"y\":0},\"panelIndex\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"title\":\"Unique File Extensions [Logs Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c94400ee-a135-4a99-9693-5879d29f7aad\":{\"columnOrder\":[\"2934249f-fce5-4637-87ff-d2596d1b6ec5\"],\"columns\":{\"2934249f-fce5-4637-87ff-d2596d1b6ec5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2934249f-fce5-4637-87ff-d2596d1b6ec5\",\"layerId\":\"c94400ee-a135-4a99-9693-5879d29f7aad\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"w\":9,\"x\":16,\"y\":0},\"panelIndex\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"title\":\"Unique Domains [Logs 
Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"db89074c-e1fe-4091-bdb1-e42a36e82bac\":{\"columnOrder\":[\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\"],\"columns\":{\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"isTransposed\":false},{\"columnId\":\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"isTransposed\":false}],\"layerId\":\"db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":23,\"i\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"w\":23,\"x\":25,\"y\":0},\"panelIndex\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"title\":\"Most Popular Domains [Logs 
Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0f63318a-a857-4d83-89ce-a94e2242b79e\":{\"columnOrder\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\",\"77a48096-02aa-4b7a-8a7b-131fc38988bd\"],\"columns\":{\"77a48096-02aa-4b7a-8a7b-131fc38988bd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"df0791a6-247c-4434-a43a-fdea7577ca34\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.url.scheme\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.scheme\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\"],\"layerId\":\"0f63318a-a857-4d83-89ce-a94e2242b79e\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"w\":18,\"x\":7,\"y\":8},\"panelIndex\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"title\":\"Percentage of URL Schema used [Logs 
Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9fa49c4c-5544-472d-afce-e51d6a5687fe\":{\"columnOrder\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\"],\"columns\":{\"15e2b5ad-2040-4253-89a6-60f085c66f86\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.url.extension\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.extension\"},\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"15e2b5ad-2040-4253-89a6-60f085c66f86\"],\"layerId\":\"9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"w\":18,\"x\":7,\"y\":23},\"panelIndex\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"title\":\"Most Popular File Extensions 
[Logs Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-22fbfeae-5b51-4d9d-b463-0d0dcb36e05d\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"22fbfeae-5b51-4d9d-b463-0d0dcb36e05d\":{\"columnOrder\":[\"27d0558e-428b-40a7-aea7-4195a095ff3f\",\"4e91e0ea-9ccc-43cf-b81c-513d9f18ead7\"],\"columns\":{\"27d0558e-428b-40a7-aea7-4195a095ff3f\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.tactic.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4e91e0ea-9ccc-43cf-b81c-513d9f18ead7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.tactic.id\"},\"4e91e0ea-9ccc-43cf-b81c-513d9f18ead7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"27d0558e-428b-40a7-aea7-4195a095ff3f\"],\"layerId\":\"22fbfeae-5b51-4d9d-b463-0d0dcb36e05d\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"4e91e0ea-9ccc-43cf-b81c-513d9f18ead7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"08fe9c8a-d5d8-4c8f-ab42-b0cfb0390008\",\"w\":12,\"x\":25,\"y\":23},\"panelIndex\":\"08fe9c8a-d5d8-4c8f-ab42-b0cfb0390008\",\"title\":\"Mitre Tactics ID [Logs 
Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9722683d-8451-450c-b62c-8f28e7263f1b\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9722683d-8451-450c-b62c-8f28e7263f1b\":{\"columnOrder\":[\"4e60dfd6-afe5-47dc-a5a0-3cfdb62f01dd\",\"0ceb1563-e3cd-4a98-a469-737bee1cb9ef\"],\"columns\":{\"0ceb1563-e3cd-4a98-a469-737bee1cb9ef\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"4e60dfd6-afe5-47dc-a5a0-3cfdb62f01dd\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.tactic.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0ceb1563-e3cd-4a98-a469-737bee1cb9ef\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.tactic.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"4e60dfd6-afe5-47dc-a5a0-3cfdb62f01dd\"],\"layerId\":\"9722683d-8451-450c-b62c-8f28e7263f1b\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"0ceb1563-e3cd-4a98-a469-737bee1cb9ef\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"a828d701-6a36-4401-8b35-419b4454c6fc\",\"w\":11,\"x\":37,\"y\":23},\"panelIndex\":\"a828d701-6a36-4401-8b35-419b4454c6fc\",\"title\":\"Mitre Tactics Name [Logs Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + 
"timeRestore": false, + "title": "[Logs Cybersixgill] URLs", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_cybersixgill-717013b0-5bed-11ec-9302-152fd766c738", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "08fe9c8a-d5d8-4c8f-ab42-b0cfb0390008:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "08fe9c8a-d5d8-4c8f-ab42-b0cfb0390008:indexpattern-datasource-layer-22fbfeae-5b51-4d9d-b463-0d0dcb36e05d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a828d701-6a36-4401-8b35-419b4454c6fc:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a828d701-6a36-4401-8b35-419b4454c6fc:indexpattern-datasource-layer-9722683d-8451-450c-b62c-8f28e7263f1b", + "type": "index-pattern" + }, + { + "id": "ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738", + "name": "tag-ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ti_cybersixgill/1.3.2/kibana/dashboard/ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738.json b/packages/ti_cybersixgill/1.3.2/kibana/dashboard/ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738.json new file mode 100755 index 0000000000..521af2b8a2 --- /dev/null +++ b/packages/ti_cybersixgill/1.3.2/kibana/dashboard/ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738.json 
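Review bot: The "Most Popular File Extensions" treemap in panelsJSON lists the same bucket column twice in its groups array, `\"groups\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"15e2b5ad-2040-4253-89a6-60f085c66f86\"]`, while every other pie/treemap panel in this file names its single terms column once, so the duplicate entry looks like an export artifact and should be reduced to `\"groups\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\"]`. The navigation markdown panel also still carries the title `Files Navigation Textbox [Logs AbuseCH]` copied from the AbuseCH package; it is not displayed because that panel sets hidePanelTitles to true, but it will mislead anyone editing the export, and `URLs Navigation Textbox [Logs Cybersixgill]` would match the naming of the other panels. Since this is a Kibana saved-object export, both corrections are presumably best made in Kibana and re-exported rather than hand-edited, so the embedded state stays consistent.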
@@ -0,0 +1,112 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about indicators ingested from the Cybersixgill Darkfeed integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_cybersixgill.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_cybersixgill.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n**[Cybersixgill Overview (This Page)](/app/dashboards#/view/ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738)** \\n[Cybersixgill Files](/app/dashboards#/view/ti_cybersixgill-63c9fee0-5bea-11ec-9302-152fd766c738) \\n[Cybersixgill URLs](/app/dashboards#/view/ti_cybersixgill-717013b0-5bed-11ec-9302-152fd766c738) \\n\\n[Integrations Page](/app/integrations/detail/ti_cybersixgill/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a health overview related to the Cybersixgill Darkfeed integration.\\n\\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from Cybersixgill. 
\",\"openLinksInNewTab\":false},\"title\":\"Overview Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.dataset\",\"negate\":false,\"params\":[\"ti_abusech.malware\",\"ti_abusech.malwarebazaar\",\"ti_abusech.url\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malware\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malwarebazaar\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.url\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"event.dataset\",\"id\":\"1635779550157\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern\",\"label\":\"Feed Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.provider\",\"id\":\"1635779603363\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern\",\"label\":\"Indicator 
Provider\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.type\",\"id\":\"1635779625911\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern\",\"label\":\"Indicator Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Feed and Indicator Selector [Logs AbuseCH]\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":7,\"i\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"w\":41,\"x\":7,\"y\":0},\"panelIndex\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"title\":\"Feed and Indicator Selector [Logs Cybersixgill]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-1d376820-3b22-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"070f5dbc-7687-4e97-9a57-5542b401c13f\":{\"columnOrder\":[\"1e352b49-3b83-44a6-98fe-8703d30f2517\"],\"columns\":{\"1e352b49-3b83-44a6-98fe-8703d30f2517\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
Indicators\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"1e352b49-3b83-44a6-98fe-8703d30f2517\",\"layerId\":\"070f5dbc-7687-4e97-9a57-5542b401c13f\",\"layerType\":\"data\"}},\"title\":\"Total Indicators [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"w\":6,\"x\":7,\"y\":7},\"panelIndex\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"title\":\"Total Indicators [Logs Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1e757dc0-2e6d-4bd2-aa38-7da9133ca960\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-ec1a2c50-3b30-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1e757dc0-2e6d-4bd2-aa38-7da9133ca960\":{\"columnOrder\":[\"66779b74-d127-4249-93e4-b8cd9c39b91f\",\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\"],\"columns\":{\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"66779b74-d127-4249-93e4-b8cd9c39b91f\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.provider\"}}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\"],\"layerId\":\"1e757dc0-2e6d-4bd2-aa38-7da9133ca960\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"66779b74-d127-4249-93e4-b8cd9c39b91f\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"showSingleSeries\":false},\"preferredSeriesType\":\"bar_horizontal\",\"title\":\"Empty XY chart\",\"valueLabels\":\"inside\",\"xTitle\":\"Providers\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Count\"}},\"title\":\"Total Indicators per Provider [Logs AbuseCH]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"86d83606-4176-44b1-b3f3-011d5b5b4b58\",\"w\":23,\"x\":13,\"y\":7},\"panelIndex\":\"86d83606-4176-44b1-b3f3-011d5b5b4b58\",\"title\":\"Total Indicators per Provider [Logs 
AbuseCH]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-720e8ef8-eec8-4aff-abe0-c14c0bab64db\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"720e8ef8-eec8-4aff-abe0-c14c0bab64db\":{\"columnOrder\":[\"62778b77-cc47-48e1-8648-02ffd9ed8b72\",\"8e35c18d-ceea-4462-b205-daf206f180cc\"],\"columns\":{\"62778b77-cc47-48e1-8648-02ffd9ed8b72\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.tactic.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"8e35c18d-ceea-4462-b205-daf206f180cc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.tactic.name\"},\"8e35c18d-ceea-4462-b205-daf206f180cc\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"62778b77-cc47-48e1-8648-02ffd9ed8b72\"],\"layerId\":\"720e8ef8-eec8-4aff-abe0-c14c0bab64db\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"8e35c18d-ceea-4462-b205-daf206f180cc\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"f3141aca-8e35-48a7-9ac8-cc43fa1a47c0\",\"w\":12,\"x\":36,\"y\":7},\"panelIndex\":\"f3141aca-8e35-48a7-9ac8-cc43fa1a47c0\",\"title\":\"Mitre Tactics [Logs 
Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-49830790-3b27-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"df8e3a91-700b-428a-a763-525076e4d3c8\":{\"columnOrder\":[\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\"],\"columns\":{\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Datastreams\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\",\"layerId\":\"df8e3a91-700b-428a-a763-525076e4d3c8\",\"layerType\":\"data\"}},\"title\":\"Total Datastreams [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"w\":6,\"x\":7,\"y\":15},\"panelIndex\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"title\":\"Total Datastreams [Logs 
Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-8c0613c0-3b25-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\":{\"columnOrder\":[\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\",\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"columns\":{\"0726d151-9edf-41cb-ab52-473ab27cf8b7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"4d7ca99c-8a53-4a7f-96db-409251c0e391\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
event.dataset\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0726d151-9edf-41cb-ab52-473ab27cf8b7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"},\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"30s\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"curveType\":\"CURVE_MONOTONE_X\",\"fittingFunction\":\"Zero\",\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"layerId\":\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"xAccessor\":\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\"}],\"legend\":{\"isInside\":false,\"isVisible\":true,\"position\":\"bottom\",\"shouldTruncate\":false,\"showSingleSeries\":true},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"valuesInLegend\":false,\"xTitle\":\"Date\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Total Indicators\"}},\"title\":\"Indicators ingested per Datastream [Logs AbuseCH]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"w\":41,\"x\":7,\"y\":23},\"panelIndex\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"title\":\"Indicators ingested per Datastream [Logs Cybersixgill]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs Cybersixgill] Overview", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + 
"id": "ti_cybersixgill-c75353f0-5be8-11ec-9302-152fd766c738", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "86d83606-4176-44b1-b3f3-011d5b5b4b58:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "86d83606-4176-44b1-b3f3-011d5b5b4b58:indexpattern-datasource-layer-1e757dc0-2e6d-4bd2-aa38-7da9133ca960", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f3141aca-8e35-48a7-9ac8-cc43fa1a47c0:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": 
"logs-*", + "name": "f3141aca-8e35-48a7-9ac8-cc43fa1a47c0:indexpattern-datasource-layer-720e8ef8-eec8-4aff-abe0-c14c0bab64db", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7", + "type": "index-pattern" + }, + { + "id": "ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738", + "name": "tag-ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ti_cybersixgill/1.3.2/kibana/tag/ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738.json b/packages/ti_cybersixgill/1.3.2/kibana/tag/ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738.json new file mode 100755 index 0000000000..ecc0f01b43 --- /dev/null +++ b/packages/ti_cybersixgill/1.3.2/kibana/tag/ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738.json @@ -0,0 +1,14 @@ +{ + "attributes": { + "color": "#6092C0", + "description": "", + "name": "Cybersixgill" + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_cybersixgill-7186bf10-5be4-11ec-9302-152fd766c738", + "migrationVersion": { + "tag": "8.0.0" + }, + "references": [], + "type": "tag" +} \ No newline at end of file diff --git a/packages/ti_cybersixgill/1.3.2/manifest.yml b/packages/ti_cybersixgill/1.3.2/manifest.yml new file mode 100755 index 0000000000..008c8027bc --- /dev/null +++ b/packages/ti_cybersixgill/1.3.2/manifest.yml 
@@ -0,0 +1,26 @@
+name: ti_cybersixgill
+title: Cybersixgill
+version: 1.3.2
+release: ga
+description: This Elastic integration collects threat intelligence from Cybersixgill
+type: integration
+format_version: 1.0.0
+license: basic
+categories: ["security", "productivity"]
+conditions:
+ kibana.version: ^8.0.0
+policy_templates:
+ - name: cybersixgill
+ title: Cybersixgill Threat Intel
+ description: Collect Threat Intel from Cybersixgill
+ inputs:
+ - type: httpjson
+ title: "Collect Threat Intel from Cybersixgill Darkfeed"
+ description: "Collect Threat Intel from Cybersixgill Darkfeed"
+owner:
+ github: elastic/security-external-integrations
+icons:
+ - src: /img/cybersixgill.svg
+ title: Cybersixgill
+ size: 32x32
+ type: image/svg+xml
diff --git a/packages/ti_misp/1.2.2/changelog.yml b/packages/ti_misp/1.2.2/changelog.yml
new file mode 100755
index 0000000000..97b1603c31
--- /dev/null
+++ b/packages/ti_misp/1.2.2/changelog.yml
@@ -0,0 +1,36 @@
+# newer versions go on top
+- version: "1.2.2"
+ changes:
+ - description: Add mapping for event.created
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3042
+- version: "1.2.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.2.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2448
+- version: "1.1.0"
+ changes:
+ - description: Adds dashboards and threat.feed ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2485
+- version: "1.0.2"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.0.1"
+ changes:
+ - description: Bump minimum version
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2063
+- version: "1.0.0"
+ changes:
+ - description: Initial release
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1946
diff --git a/packages/ti_misp/1.2.2/data_stream/threat/agent/stream/httpjson.yml.hbs b/packages/ti_misp/1.2.2/data_stream/threat/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..e7813459bb
--- /dev/null
+++ b/packages/ti_misp/1.2.2/data_stream/threat/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,75 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "POST"
+
+{{#if url}}
+request.url: {{url}}/events/restSearch
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+request.body:
+{{#if filters}}
+ {{filters}}
+{{/if}}
+request.transforms:
+{{#if api_token}}
+- set:
+ target: header.Authorization
+ value: {{api_token}}
+{{/if}}
+- set:
+ target: body.page
+ value: 1
+- set:
+ target: body.limit
+ value: 10
+- set:
+ target: body.returnFormat
+ value: json
+- set:
+ target: body.timestamp
+ value: '[[.cursor.timestamp]]'
+ default: '[[ formatDate (now (parseDuration "-{{initial_interval}}")) "UnixDate" ]]'
+
+response.split:
+ target: body.response
+ split:
+ target: body.Event.Attribute
+ ignore_empty_value: true
+ keep_parent: true
+ split:
+ target: body.Event.Object
+ keep_parent: true
+ split:
+ target: body.Event.Object.Attribute
+ keep_parent: true
+response.request_body_on_pagination: true
+response.pagination:
+- set:
+ target: body.page
+ value: '[[add .last_response.page 1]]'
+ fail_on_template_error: true
+cursor:
+ timestamp:
+ value: '[[.last_event.Event.timestamp]]'
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/ti_misp/1.2.2/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/ti_misp/1.2.2/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..9456fa99ff
--- /dev/null
+++ b/packages/ti_misp/1.2.2/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
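Review bot: `value: {{api_token}}` under the `header.Authorization` transform interpolates the MISP API key into the rendered YAML as a plain, unquoted scalar; a key that happens to contain `: ` or ` #`, or that starts with a YAML indicator character, would truncate or break the rendered stream config rather than be sent as-is. Quoting the templated value, `value: "{{api_token}}"`, keeps the token opaque to the YAML parser, and the same applies to `request.url: {{url}}/events/restSearch` and `request.proxy_url: {{proxy_url}}`. As a point of style, `{{#each tags as |tag i|}}` binds an index `i` that the block never uses; `{{#each tags as |tag|}}` matches the other stream templates in this commit.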
@@ -0,0 +1,388 @@
+---
+description: Pipeline for parsing MISP Threat Intel
+processors:
+ ####################
+ # Event ECS fields #
+ ####################
+ - set:
+ field: event.ingested
+ value: "{{_ingest.timestamp}}"
+ - set:
+ field: ecs.version
+ value: "8.0.0"
+ - set:
+ field: event.kind
+ value: enrichment
+ - set:
+ field: event.category
+ value: threat
+ - set:
+ field: event.type
+ value: indicator
+
+ ######################
+ # General ECS fields #
+ ######################
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ - fingerprint:
+ fields:
+ - json.Event.Attribute.uuid
+ - json.Event.Object.Attribute.uuid
+ target_field: "_id"
+ ignore_missing: true
+ - rename:
+ field: json.Event
+ target_field: misp
+ ignore_missing: true
+ - set:
+ field: threat.indicator.provider
+ value: misp
+ if: ctx.misp?.Orgc?.local != 'false'
+ - set:
+ field: threat.indicator.provider
+ value: "{{misp.Orgc.name}}"
+ if: ctx.misp?.Orgc?.local == 'false'
+ ignore_empty_value: true
+
+ # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event
+ - remove:
+ field:
+ - misp.ShadowAttribute
+ - misp.RelatedEvent
+ - misp.Galaxy
+ - misp.Attribute.Galaxy
+ - misp.Attribute.ShadowAttribute
+ - misp.EventReport
+ - misp.Object.Attribute.Galaxy
+ - misp.Object.Attribute.ShadowAttribute
+ ignore_missing: true
+ - remove:
+ field:
+ - misp.Attribute
+ ignore_missing: true
+ if: ctx.misp?.Attribute.size() == 0
+ - remove:
+ field:
+ - misp.Object
+ ignore_missing: true
+ if: ctx.misp?.Object.size() == 0
+ - date:
+ field: misp.timestamp
+ formats:
+ - UNIX
+ ignore_failure: true
+ - rename:
+ field: misp.Attribute
+ target_field: misp.attribute
+ ignore_missing: true
+ - rename:
+ field: misp.Object
+ target_field: misp.object
+ ignore_missing: true
+ - rename:
+ field: misp.object.Attribute
+ target_field: misp.object.attribute
+ ignore_missing: true
+ - rename:
+ field: misp.Orgc
+ target_field: misp.orgc
+ ignore_missing: true
+ - rename:
+ field: misp.Org
+ target_field: misp.org
+ ignore_missing: true
+ - rename:
+ field: misp.Tag
+ target_field: misp.tag
+ ignore_missing: true
+
+ # # Dance around issue of not being able to split the document into two.
+ # # Make the Object.Attribute field primary if it exists, but keep the
+ # # outer Attribute as context.
+ - rename:
+ field: misp.attribute
+ target_field: misp.context.attribute
+ ignore_missing: true
+ if: ctx.misp?.object != null
+ - rename:
+ field: misp.object.attribute
+ target_field: misp.attribute
+ ignore_missing: true
+ if: ctx.misp?.object != null
+
+ #####################
+ # Threat ECS Fields #
+ #####################
+ - set:
+ field: threat.feed.name
+ value: "MISP"
+ - rename:
+ field: misp.attribute.first_seen
+ target_field: threat.indicator.first_seen
+ ignore_missing: true
+ - rename:
+ field: misp.attribute.last_seen
+ target_field: threat.indicator.last_seen
+ ignore_missing: true
+ - convert:
+ field: misp.analysis
+ type: long
+ target_field: threat.indicator.scanner_stats
+ ignore_missing: true
+ - convert:
+ field: misp.threat_level_id
+ type: long
+ ignore_missing: true
+
+ ## File/Hash indicator operations
+ - set:
+ field: threat.indicator.type
+ value: file
+ if: "ctx.misp?.attribute?.type != null && (['md5', 'impfuzzy', 'imphash', 'pehash', 'sha1', 'sha224', 'sha256', 'sha3-224', 'sha3-256', 'sha3-384', 'sha3-512', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'tlsh', 'vhash'].contains(ctx.misp?.attribute?.type) || ctx.misp?.attribute?.type.startsWith('filename'))"
+ - rename:
+ field: misp.attribute.value
+ target_field: "threat.indicator.file.hash.{{misp.attribute.type}}"
+ ignore_missing: true
+ if: "ctx.threat?.indicator?.type == 'file' && ctx.misp?.attribute?.type != null && !ctx.misp?.attribute?.type.startsWith('filename')"
+ - rename:
+ field: misp.attribute.value
+ target_field: threat.indicator.file.name
+ ignore_missing: true
+ if: "ctx.threat?.indicator?.type == 'file' && ctx.misp?.attribute?.type == 'filename'"
+ - grok:
+ field: misp.attribute.type
+ patterns:
+ - "%{WORD}\\|%{WORD:_tmp.hashtype}"
+ ignore_missing: true
+ if: ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|')
+ - grok:
+ field: misp.attribute.value
+ patterns:
+ - "%{DATA:threat.indicator.file.name}\\|%{GREEDYDATA:_tmp.hashvalue}"
+ ignore_missing: true
+ if: ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|')
+ - set:
+ field: threat.indicator.file.hash.{{_tmp.hashtype}}
+ value: "{{_tmp.hashvalue}}"
+ if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('filename|') && ctx?._tmp?.hashvalue != null && ctx?._tmp?.hashtype != null"
+
+ ## URL/URI indicator operations
+ - set:
+ field: threat.indicator.type
+ value: url
+ if: "ctx.misp?.attribute?.type != null && ['url', 'link', 'uri'].contains(ctx.misp?.attribute?.type)"
+ - uri_parts:
+ field: misp.attribute.value
+ target_field: threat.indicator.url
+ keep_original: true
+ remove_if_successful: true
+ if: ctx.threat?.indicator?.type == 'url' && ctx.misp?.attribute?.type != 'uri'
+ - set:
+ field: threat.indicator.url.full
+ value: "{{{threat.indicator.url.original}}}"
+ ignore_empty_value: true
+ if: "ctx.threat?.indicator?.type == 'url' && ctx.misp?.attribute?.type != 'uri'"
+
+ ## Regkey indicator operations
+ - set:
+ field: threat.indicator.type
+ value: windows-registry-key
+ if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('regkey')"
+ - rename:
+ field: misp.attribute.value
+ target_field: threat.indicator.registry.key
+ ignore_missing: true
+ if: "ctx.threat?.indicator?.type == 'windows-registry-key' && ctx.misp?.attribute?.type == 'regkey'"
+ - grok:
+ field: misp.attribute.value
+ patterns:
+ - "%{DATA:threat.indicator.registry.key}\\|%{DATA:threat.indicator.registry.value}"
+ ignore_missing: true
+ if: "ctx.misp?.attribute?.type == 'regkey|value'"
+
+ ## AS indicator operations
+ - set:
+ field: threat.indicator.type
+ value: autonomous-system
+ if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type == 'AS'"
+ - convert:
+ field: misp.attribute.value
+ type: long
+ target_field: threat.indicator.as.number
+ ignore_missing: true
+ if: ctx.threat?.indicator?.type == 'autonomous-system'
+
+ ## Domain/IP/Port indicator operations
+ - set:
+ field: threat.indicator.type
+ value: domain-name
+ if: "ctx.misp?.attribute?.type != null && (ctx.misp?.attribute?.type == 'hostname' || ctx.misp?.attribute?.type.startsWith('domain'))"
+ - set:
+ field: threat.indicator.type
+ value: ipv4-addr
+ if: "ctx.misp?.attribute?.type != null && ['ip-src', 'ip-src|port', 'ip-dst', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)"
+ - rename:
+ field: misp.attribute.value
+ target_field: threat.indicator.url.domain
+ ignore_missing: true
+ if: "ctx.threat?.indicator?.type == 'domain-name' && ctx.misp?.attribute?.type != 'domain|ip' && ctx.threat?.indicator?.url?.domain == null"
+ - rename:
+ field: misp.attribute.value
+ target_field: threat.indicator.ip
+ ignore_missing: true
+ if: "ctx.threat?.indicator?.type == 'ipv4-addr' && ctx.misp?.attribute?.type != 'domain|ip' && !['ip-src|port', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)"
+ - grok:
+ field: misp.attribute.value
+ patterns:
+ - "%{DATA:threat.indicator.url.domain}\\|%{IP:threat.indicator.ip}"
+ ignore_missing: true
+ if: ctx.misp?.attribute?.type == 'domain|ip' && ctx.threat?.indicator?.url?.domain == null
+ - grok:
+ field: misp.attribute.value
+ patterns:
+ - "%{IP:threat.indicator.ip}\\|%{NUMBER:threat.indicator.port}"
+ ignore_missing: true
+ if: "['ip-src|port', 'ip-dst|port'].contains(ctx.misp?.attribute?.type)"
+
+ ## Email indicator operations
+ # Currently this ignores email-message, except setting the type it will leave the rest of the fields under misp.
+ - set:
+ field: threat.indicator.type
+ value: email-addr
+ if: "ctx.misp?.attribute?.type != null && ['email-dst', 'email-src'].contains(ctx.misp?.attribute?.type)"
+ - set:
+ field: threat.indicator.type
+ value: email-message
+ if: "ctx.misp?.attribute?.type != null && ctx.misp?.attribute?.type.startsWith('email') && !['email-dst', 'email-src'].contains(ctx.misp?.attribute?.type)"
+ - rename:
+ field: misp.attribute.value
+ target_field: threat.indicator.email.address
+ ignore_missing: true
+ if: ctx.threat?.indicator?.type == 'email-addr'
+ - rename:
+ field: misp.event_creator_email
+ target_field: user.email
+ ignore_missing: true
+ - append:
+ field: user.roles
+ value: "reporting_user"
+ if: ctx?.user?.email != null
+
+ ## MAC Address indicator operations
+ - set:
+ field: threat.indicator.type
+ value: mac-addr
+ if: "ctx.misp?.attribute?.type != null && ['mac-address', 'mac-eui-64'].contains(ctx.misp?.attribute?.type)"
+ - rename:
+ field: misp.attribute.value
+ target_field: threat.indicator.mac
+ ignore_missing: true
+ if: ctx.threat?.indicator?.type == 'mac-addr'
+
+ ###################
+ # Tags ECS fields #
+ ###################
+ # Stripping special characters from tags
+ - script:
+ lang: painless
+ if: ctx.misp?.tag != null
+ source: |
+ def tags = ctx.misp.tag.stream()
+ .map(t -> t.name.replace('\\', '').replace('"', ''))
+ .collect(Collectors.toList());
+ def tlpTags = tags.stream()
+ .filter(t -> t.startsWith('tlp:'))
+ .map(t -> t.replace('tlp:', ''))
+ .collect(Collectors.toList());
+
+ ctx.tags = tags;
+ ctx.threat.indicator.marking = [ 'tlp': tlpTags ];
+
+ # Setting indicator type to unknown if it does not match anything
+ - set:
+ field: threat.indicator.type
+ value: unknown
+ if: ctx.threat?.indicator?.type == null
+
+ #################
+ # Convert types #
+ #################
+ - convert:
+ field: misp.attribute.distribution
+ type: long
+ ignore_missing: true
+ - convert:
+ field: misp.context.attribute.distribution
+ type: long
+ ignore_missing: true
+ - convert:
+ field: threat.indicator.port
+ type: long
+ ignore_missing: true
+ - convert:
+ field: misp.attribute_count
+ type: long
+ ignore_missing: true
+
+ ######################
+ # Cleanup processors #
+ ######################
+ - script:
+ lang: painless
+ if: ctx?.misp != null
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null);
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ }
+ handleMap(ctx);
+ # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event
+ - remove:
+ field:
+ - misp.attribute.value
+ ignore_missing: true
+ if: ctx.threat?.indicator?.type != 'unknown'
+ - remove:
+ field:
+ # This removes a number of fields that may be wanted in the future when
+ # misp.attribute and misp.object.attribute can
+ # be separated. At the root of .object are fields that mirror fields at
+ # the root of misp.
+ - misp.object
+ ignore_missing: true
+ - remove:
+ field:
+ - misp.Attribute.timestamp
+ - misp.timestamp
+ - misp.tag
+ - misp.org
+ - misp.analysis
+ - _tmp
+ - json
+ ignore_missing: true
+
+on_failure:
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/ti_misp/1.2.2/data_stream/threat/fields/agent.yml b/packages/ti_misp/1.2.2/data_stream/threat/fields/agent.yml
new file mode 100755
index 0000000000..da4e652c53
--- /dev/null
+++ b/packages/ti_misp/1.2.2/data_stream/threat/fields/agent.yml
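Review bot: The `regkey|value` grok pattern ends in `%{DATA:threat.indicator.registry.value}`; DATA is non-greedy (`.*?`) and the grok processor does not anchor the pattern, so at the end of the pattern it matches the empty string and the registry value is captured as empty — the `filename|` pattern a few processors earlier already uses `%{GREEDYDATA:_tmp.hashvalue}` for the same position, and `%{GREEDYDATA:threat.indicator.registry.value}` is the matching fix here. The two `remove` conditions `ctx.misp?.Attribute.size() == 0` and `ctx.misp?.Object.size() == 0` are null-safe only on the first step: an `Event` that arrives without an `Attribute` or `Object` key makes the condition itself throw a null pointer and the whole document lands in `on_failure` instead of being skipped; `ctx.misp?.Attribute?.size() == 0` (and the same for `Object`) keeps the remove a no-op in that case. The final `remove` lists `misp.Attribute.timestamp`, but by that point `misp.Attribute` has already been renamed to `misp.attribute` (or `misp.context.attribute`), so that entry never matches and the attribute timestamp is retained; it looks like `misp.attribute.timestamp` was intended, though whether it should be dropped is a data-retention decision for the maintainers.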
@@ -0,0 +1,198 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
diff --git a/packages/ti_misp/1.2.2/data_stream/threat/fields/base-fields.yml b/packages/ti_misp/1.2.2/data_stream/threat/fields/base-fields.yml
new file mode 100755
index 0000000000..ad1000cb9b
--- /dev/null
+++ b/packages/ti_misp/1.2.2/data_stream/threat/fields/base-fields.yml
@@ -0,0 +1,28 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: ti_misp
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: ti_misp.threat
+- name: threat.feed.name
+ type: constant_keyword
+ description: Display friendly feed name
+ value: MISP
+- name: threat.feed.dashboard_id
+ type: constant_keyword
+ description: Dashboard ID used for Kibana CTI UI
+ value: ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/ti_misp/1.2.2/data_stream/threat/fields/beats.yml b/packages/ti_misp/1.2.2/data_stream/threat/fields/beats.yml
new file mode 100755
index 0000000000..cb44bb2944
--- /dev/null
+++ b/packages/ti_misp/1.2.2/data_stream/threat/fields/beats.yml
@@ -0,0 +1,12 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.flags
+ type: keyword
+ description: Flags for the log file.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
diff --git a/packages/ti_misp/1.2.2/data_stream/threat/fields/ecs.yml b/packages/ti_misp/1.2.2/data_stream/threat/fields/ecs.yml
new file mode 100755
index 0000000000..e6dcb70141
--- /dev/null
+++ b/packages/ti_misp/1.2.2/data_stream/threat/fields/ecs.yml
@@ -0,0 +1,188 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Array of user roles at the time of the event. + name: user.roles + type: keyword +- name: threat.feed.name + type: keyword +- description: The date and time when intelligence source first reported sighting this indicator. + name: threat.indicator.first_seen + type: date +- description: The date and time when intelligence source last reported sighting this indicator. + name: threat.indicator.last_seen + type: date +- description: Count of AV/EDR vendors that successfully detected malicious file or URL. + name: threat.indicator.scanner_stats + type: long +- description: |- + Type of indicator as represented by Cyber Observable in STIX 2.0. + Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate + name: threat.indicator.type + type: keyword +- description: Identifies a threat indicator as an IP address (irrespective of direction). + name: threat.indicator.ip + type: ip +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: threat.indicator.url.domain + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. 
+ multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.full + type: wildcard +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: threat.indicator.url.extension + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.original + type: wildcard +- description: Path of the request, such as "/search". + name: threat.indicator.url.path + type: wildcard +- description: Port of the request, such as 443. + name: threat.indicator.url.port + type: long +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: threat.indicator.url.scheme + type: keyword +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: threat.indicator.url.query + type: keyword +- description: Identifies a threat indicator as an email address (irrespective of direction). + name: threat.indicator.email.address + type: keyword +- description: The name of the indicator's provider. 
+ name: threat.indicator.provider + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: threat.indicator.as.number + type: long +- description: MD5 hash. + name: threat.indicator.file.hash.md5 + type: keyword +- description: SHA1 hash. + name: threat.indicator.file.hash.sha1 + type: keyword +- description: SHA256 hash. + name: threat.indicator.file.hash.sha256 + type: keyword +- description: |- + Traffic Light Protocol sharing markings. + Recommended values are: + * WHITE + * GREEN + * AMBER + * RED + name: threat.indicator.marking.tlp + type: keyword +- description: Identifies a threat indicator as a port number (irrespective of direction). + name: threat.indicator.port + type: long +- description: Hive-relative path of keys. + name: threat.indicator.registry.key + type: keyword +- description: Name of the value written. + name: threat.indicator.registry.value + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: threat.indicator.file.size + type: long +- description: File type (file, dir, or symlink). + name: threat.indicator.file.type + type: keyword +- description: Name of the file including the extension, without the directory. + name: threat.indicator.file.name + type: keyword diff --git a/packages/ti_misp/1.2.2/data_stream/threat/fields/fields.yml b/packages/ti_misp/1.2.2/data_stream/threat/fields/fields.yml new file mode 100755 index 0000000000..133826511b --- /dev/null +++ b/packages/ti_misp/1.2.2/data_stream/threat/fields/fields.yml 
@@ -0,0 +1,291 @@
+- name: misp
+ type: group
+ description: >
+ Fields for MISP indicators
+
+ fields:
+ - name: id
+ type: keyword
+ description: >
+ Attribute ID.
+
+ - name: orgc_id
+ type: keyword
+ description: >
+ Organization Community ID of the event.
+
+ - name: org_id
+ type: keyword
+ description: >
+ Organization ID of the event.
+
+ - name: threat_level_id
+ type: long
+ description: >
+ Threat level from 5 to 1, where 1 is the most critical.
+
+ - name: info
+ type: keyword
+ description: >
+ Additional text or information related to the event.
+
+ - name: published
+ type: boolean
+ description: >
+ When the event was published.
+
+ - name: uuid
+ type: keyword
+ description: >
+ The UUID of the event object.
+
+ - name: date
+ type: date
+ description: >
+ The date of when the event object was created.
+
+ - name: attribute_count
+ type: long
+ description: >
+ How many attributes are included in a single event object.
+
+ - name: timestamp
+ type: date
+ description: >
+ The timestamp of when the event object was created.
+
+ - name: distribution
+ type: keyword
+ description: >
+ Distribution type related to MISP.
+
+ - name: proposal_email_lock
+ type: boolean
+ description: >
+ Settings configured on MISP for email lock on this event object.
+
+ - name: locked
+ type: boolean
+ description: >
+ If the current MISP event object is locked or not.
+
+ - name: publish_timestamp
+ type: date
+ description: >
+ At what time the event object was published
+
+ - name: sharing_group_id
+ type: keyword
+ description: >
+ The ID of the grouped events or sources of the event.
+
+ - name: disable_correlation
+ type: boolean
+ description: >
+ If correlation is disabled on the MISP event object.
+
+ - name: extends_uuid
+ type: keyword
+ description: >
+ The UUID of the event object it might extend.
+
+ - name: org.id
+ type: keyword
+ description: >
+ The organization ID related to the event object.
+
+ - name: org.name
+ type: keyword
+ description: >
+ The organization name related to the event object.
+
+ - name: org.uuid
+ type: keyword
+ description: >
+ The UUID of the organization related to the event object.
+
+ - name: org.local
+ type: boolean
+ description: >
+ If the event object is local or from a remote source.
+
+ - name: orgc.id
+ type: keyword
+ description: >
+ The Organization Community ID in which the event object was reported from.
+
+ - name: orgc.name
+ type: keyword
+ description: >
+ The Organization Community name in which the event object was reported from.
+
+ - name: orgc.uuid
+ type: keyword
+ description: >
+ The Organization Community UUID in which the event object was reported from.
+
+ - name: orgc.local
+ type: boolean
+ description: >
+ If the Organization Community was local or synced from a remote source.
+
+ - name: attribute.id
+ type: keyword
+ description: >
+ The ID of the attribute related to the event object.
+
+ - name: attribute.type
+ type: keyword
+ description: >
+ The type of the attribute related to the event object. For example email, ipv4, sha1 and such.
+
+ - name: attribute.category
+ type: keyword
+ description: >
+ The category of the attribute related to the event object. For example "Network Activity".
+
+ - name: attribute.to_ids
+ type: boolean
+ description: >
+ If the attribute should be automatically synced with an IDS.
+
+ - name: attribute.uuid
+ type: keyword
+ description: >
+ The UUID of the attribute related to the event.
+
+ - name: attribute.event_id
+ type: keyword
+ description: >
+ The local event ID of the attribute related to the event.
+
+ - name: attribute.distribution
+ type: long
+ description: >
+ How the attribute has been distributed, represented by integer numbers.
+
+ - name: attribute.timestamp
+ type: date
+ description: >
+ The timestamp in which the attribute was attached to the event object.
+
+ - name: attribute.comment
+ type: keyword
+ description: >
+ Comments made to the attribute itself.
+
+ - name: attribute.sharing_group_id
+ type: keyword
+ description: >
+ The group ID of the sharing group related to the specific attribute.
+
+ - name: attribute.deleted
+ type: boolean
+ description: >
+ If the attribute has been removed from the event object.
+
+ - name: attribute.disable_correlation
+ type: boolean
+ description: >
+ If correlation has been enabled on the attribute related to the event object.
+
+ - name: attribute.object_id
+ type: keyword
+ description: >
+ The ID of the Object in which the attribute is attached.
+
+ - name: attribute.object_relation
+ type: keyword
+ description: >
+ The type of relation the attribute has with the event object itself.
+
+ - name: attribute.value
+ type: keyword
+ description: >
+ The value of the attribute, depending on the type like "url, sha1, email-src".
+
+ - name: context.attribute.id
+ type: keyword
+ description: >
+ The ID of the secondary attribute related to the event object.
+
+ - name: context.attribute.type
+ type: keyword
+ description: >
+ The type of the secondary attribute related to the event object. For example email, ipv4, sha1 and such.
+
+ - name: context.attribute.category
+ type: keyword
+ description: >
+ The category of the secondary attribute related to the event object. For example "Network Activity".
+
+ - name: context.attribute.to_ids
+ type: boolean
+ description: >
+ If the secondary attribute should be automatically synced with an IDS.
+
+ - name: context.attribute.uuid
+ type: keyword
+ description: >
+ The UUID of the secondary attribute related to the event.
+
+ - name: context.attribute.event_id
+ type: keyword
+ description: >
+ The local event ID of the secondary attribute related to the event.
+
+ - name: context.attribute.distribution
+ type: long
+ description: >
+ How the secondary attribute has been distributed, represented by integer numbers.
+
+ - name: context.attribute.timestamp
+ type: date
+ description: >
+ The timestamp in which the secondary attribute was attached to the event object.
+
+ - name: context.attribute.comment
+ type: keyword
+ description: >
+ Comments made to the secondary attribute itself.
+
+ - name: context.attribute.sharing_group_id
+ type: keyword
+ description: >
+ The group ID of the sharing group related to the specific secondary attribute.
+
+ - name: context.attribute.deleted
+ type: boolean
+ description: >
+ If the secondary attribute has been removed from the event object.
+
+ - name: context.attribute.disable_correlation
+ type: boolean
+ description: >
+ If correlation has been enabled on the secondary attribute related to the event object.
+
+ - name: context.attribute.object_id
+ type: keyword
+ description: >
+ The ID of the Object in which the secondary attribute is attached.
+
+ - name: context.attribute.object_relation
+ type: keyword
+ description: >
+ The type of relation the secondary attribute has with the event object itself.
+
+ - name: context.attribute.value
+ type: keyword
+ description: >
+ The value of the attribute, depending on the type like "url, sha1, email-src".
+
+ - name: context.attribute.first_seen
+ type: keyword
+ description: >
+ The first time the indicator was seen.
+
+ - name: context.attribute.last_seen
+ type: keyword
+ description: >
+ The last time the indicator was seen.
+
diff --git a/packages/ti_misp/1.2.2/data_stream/threat/manifest.yml b/packages/ti_misp/1.2.2/data_stream/threat/manifest.yml
new file mode 100755
index 0000000000..353de39766
--- /dev/null
+++ b/packages/ti_misp/1.2.2/data_stream/threat/manifest.yml
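Review bot: `misp.id` is described as `Attribute ID.` although it holds the MISP event's own id (the sample event in this commit carries `misp.id: "2"` next to `misp.attribute.id: "12394"`), so the description should read `Event ID.`. `misp.published` is a boolean but its description says `When the event was published.`; `Whether the event has been published.` matches the type, and the publication time is already `misp.publish_timestamp`. Types for the same concept also diverge: `misp.distribution` is `keyword` while `misp.attribute.distribution` and `misp.context.attribute.distribution` are `long`, and `misp.context.attribute.first_seen`/`last_seen` are `keyword` although they hold timestamps, which rules out range queries on them. Consider `long` and `date` respectively, provided the ingest pipeline normalizes the values to those types.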
@@ -0,0 +1,101 @@
+type: logs
+title: MISP
+streams:
+ - input: httpjson
+ vars:
+ - name: url
+ type: text
+ title: MISP URL
+ multi: false
+ required: true
+ show_user: true
+ default: https://mispserver.com
+ description: The URL or hostname of the MISP instance.
+ - name: api_token
+ type: password
+ title: MISP API Token
+ multi: false
+ required: true
+ show_user: true
+ description: The API token used to access the MISP instance.
+ - name: initial_interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 120h
+ description: How far back to look for indicators the first time the agent is started.
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ multi: false
+ required: false
+ show_user: false
+ default: 30s
+ - name: filters
+ type: yaml
+ title: MISP API Filters
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #type:
+ # OR:
+ # - ip-src
+ # - ip-dst
+ #tags:
+ # NOT:
+ # - tlp-red
+ description: Filters documented at [MISP API Documentation](https://www.circl.lu/doc/misp/automation/#search) is supported.
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:
+ - name: interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 10m
+ - name: ssl
+ type: yaml
+ title: SSL
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #verification_mode: none
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - misp-threat
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: httpjson.yml.hbs
+ title: MISP
+ description: Collect indicators from the MISP API
diff --git a/packages/ti_misp/1.2.2/data_stream/threat/sample_event.json b/packages/ti_misp/1.2.2/data_stream/threat/sample_event.json
new file mode 100755
index 0000000000..c84d8a407c
--- /dev/null
+++ b/packages/ti_misp/1.2.2/data_stream/threat/sample_event.json
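Review bot: Two stream variables carry the same title `Interval` (`initial_interval` and `interval`), while `interval`, `http_client_timeout` and `ssl` have no `description` at all, so the Fleet form cannot tell the user which value is the polling period and which is the initial look-back. Give each a distinct title and a description, e.g. `title: Initial Interval` on `initial_interval` and `description: Interval between polls of the MISP API.` on `interval`. The only hint on `ssl` is the commented `#verification_mode: none`, which when uncommented disables certificate verification of the MISP endpoint; a description such as `description: SSL settings for the connection to MISP. Setting verification_mode to none disables certificate validation.` makes that consequence visible where the option is set. The `proxy_url` description `http[s]://:@:` appears to have lost its placeholders (user, password, host, port), so restore them or drop the template from the text.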
@@ -0,0 +1,97 @@ +{ + "@timestamp": "2014-10-06T07:12:57.000Z", + "agent": { + "ephemeral_id": "dcc4828e-8e2d-49de-ac30-3a38de7e73da", + "id": "f33cbb31-3e5c-4242-8b35-d4631555523c", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "ti_misp.threat", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "f33cbb31-3e5c-4242-8b35-d4631555523c", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-04-11T08:58:54.124Z", + "dataset": "ti_misp.threat", + "ingested": "2022-04-11T08:58:55Z", + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Network activity\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"22\",\"first_seen\":null,\"id\":\"12394\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1462454963\",\"to_ids\":false,\"type\":\"domain\",\"uuid\":\"572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16\",\"value\":\"whatsapp.com\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\"},\"Orgc\":{\"id\":\"2\",\"local\":false,\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"Tag\":[{\"colour\":\"#004646\",\"exportable\":true,\"hide_tag\":false,\"id\":\"1\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"type:OSINT\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#339900\",\"exportable\":true,\"hide_tag\":false,\"id\":\"2\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"tlp:green\",\"numerical_value\":null,\"user_id\":\"0\"}],\"analysis\":\"2\",\"attribute_count\":\"29\",\"date\":\"2014-
10-03\",\"disable_correlation\":false,\"distribution\":\"3\",\"extends_uuid\":\"\",\"id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"2\",\"proposal_email_lock\":false,\"publish_timestamp\":\"1610622316\",\"published\":true,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1412579577\",\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\"}}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "misp": { + "attribute": { + "category": "Network activity", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "22", + "id": "12394", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "1462454963", + "to_ids": false, + "type": "domain", + "uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16" + }, + "attribute_count": 29, + "date": "2014-10-03", + "disable_correlation": false, + "distribution": "3", + "extends_uuid": "", + "id": "2", + "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "locked": false, + "org_id": "1", + "orgc": { + "id": "2", + "local": false, + "name": "CthulhuSPRL.be", + "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" + }, + "orgc_id": "2", + "proposal_email_lock": false, + "publish_timestamp": "1610622316", + "published": true, + "sharing_group_id": "0", + "threat_level_id": 2, + "uuid": "54323f2c-e50c-4268-896c-4867950d210b" + }, + "tags": [ + "type:OSINT", + "tlp:green" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "marking": { + "tlp": [ + "green" + ] + }, + "provider": "misp", + "scanner_stats": 2, + "type": "domain-name", + "url": { + "domain": "whatsapp.com" + } + } + } +} \ No newline at end of file diff --git a/packages/ti_misp/1.2.2/docs/README.md b/packages/ti_misp/1.2.2/docs/README.md new file mode 100755 index 0000000000..8988289f76 --- /dev/null 
+++ b/packages/ti_misp/1.2.2/docs/README.md 
@@ -0,0 +1,259 @@ +# MISP Integration + +The MISP integration uses the REST API from the running MISP instance to retrieve indicators and Threat Intelligence. + +## Logs + +### Threat + +The MISP integration configuration allows to set the polling interval, how far back it +should look initially, and optionally any filters used to filter the results. + +The filters themselves are based on the [MISP API documentation](https://www.circl.lu/doc/misp/automation/#search) and should support all documented fields. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. 
| date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| misp.attribute.category | The category of the attribute related to the event object. 
For example "Network Activity". | keyword | +| misp.attribute.comment | Comments made to the attribute itself. | keyword | +| misp.attribute.deleted | If the attribute has been removed from the event object. | boolean | +| misp.attribute.disable_correlation | If correlation has been enabled on the attribute related to the event object. | boolean | +| misp.attribute.distribution | How the attribute has been distributed, represented by integer numbers. | long | +| misp.attribute.event_id | The local event ID of the attribute related to the event. | keyword | +| misp.attribute.id | The ID of the attribute related to the event object. | keyword | +| misp.attribute.object_id | The ID of the Object in which the attribute is attached. | keyword | +| misp.attribute.object_relation | The type of relation the attribute has with the event object itself. | keyword | +| misp.attribute.sharing_group_id | The group ID of the sharing group related to the specific attribute. | keyword | +| misp.attribute.timestamp | The timestamp in which the attribute was attached to the event object. | date | +| misp.attribute.to_ids | If the attribute should be automatically synced with an IDS. | boolean | +| misp.attribute.type | The type of the attribute related to the event object. For example email, ipv4, sha1 and such. | keyword | +| misp.attribute.uuid | The UUID of the attribute related to the event. | keyword | +| misp.attribute.value | The value of the attribute, depending on the type like "url, sha1, email-src". | keyword | +| misp.attribute_count | How many attributes are included in a single event object. | long | +| misp.context.attribute.category | The category of the secondary attribute related to the event object. For example "Network Activity". | keyword | +| misp.context.attribute.comment | Comments made to the secondary attribute itself. | keyword | +| misp.context.attribute.deleted | If the secondary attribute has been removed from the event object. 
| boolean | +| misp.context.attribute.disable_correlation | If correlation has been enabled on the secondary attribute related to the event object. | boolean | +| misp.context.attribute.distribution | How the secondary attribute has been distributed, represented by integer numbers. | long | +| misp.context.attribute.event_id | The local event ID of the secondary attribute related to the event. | keyword | +| misp.context.attribute.first_seen | The first time the indicator was seen. | keyword | +| misp.context.attribute.id | The ID of the secondary attribute related to the event object. | keyword | +| misp.context.attribute.last_seen | The last time the indicator was seen. | keyword | +| misp.context.attribute.object_id | The ID of the Object in which the secondary attribute is attached. | keyword | +| misp.context.attribute.object_relation | The type of relation the secondary attribute has with the event object itself. | keyword | +| misp.context.attribute.sharing_group_id | The group ID of the sharing group related to the specific secondary attribute. | keyword | +| misp.context.attribute.timestamp | The timestamp in which the secondary attribute was attached to the event object. | date | +| misp.context.attribute.to_ids | If the secondary attribute should be automatically synced with an IDS. | boolean | +| misp.context.attribute.type | The type of the secondary attribute related to the event object. For example email, ipv4, sha1 and such. | keyword | +| misp.context.attribute.uuid | The UUID of the secondary attribute related to the event. | keyword | +| misp.context.attribute.value | The value of the attribute, depending on the type like "url, sha1, email-src". | keyword | +| misp.date | The date of when the event object was created. | date | +| misp.disable_correlation | If correlation is disabled on the MISP event object. | boolean | +| misp.distribution | Distribution type related to MISP. 
| keyword | +| misp.extends_uuid | The UUID of the event object it might extend. | keyword | +| misp.id | Attribute ID. | keyword | +| misp.info | Additional text or information related to the event. | keyword | +| misp.locked | If the current MISP event object is locked or not. | boolean | +| misp.org.id | The organization ID related to the event object. | keyword | +| misp.org.local | If the event object is local or from a remote source. | boolean | +| misp.org.name | The organization name related to the event object. | keyword | +| misp.org.uuid | The UUID of the organization related to the event object. | keyword | +| misp.org_id | Organization ID of the event. | keyword | +| misp.orgc.id | The Organization Community ID in which the event object was reported from. | keyword | +| misp.orgc.local | If the Organization Community was local or synced from a remote source. | boolean | +| misp.orgc.name | The Organization Community name in which the event object was reported from. | keyword | +| misp.orgc.uuid | The Organization Community UUID in which the event object was reported from. | keyword | +| misp.orgc_id | Organization Community ID of the event. | keyword | +| misp.proposal_email_lock | Settings configured on MISP for email lock on this event object. | boolean | +| misp.publish_timestamp | At what time the event object was published | date | +| misp.published | When the event was published. | boolean | +| misp.sharing_group_id | The ID of the grouped events or sources of the event. | keyword | +| misp.threat_level_id | Threat level from 5 to 1, where 1 is the most critical. | long | +| misp.timestamp | The timestamp of when the event object was created. | date | +| misp.uuid | The UUID of the event object. | keyword | +| tags | List of keywords used to tag each event. 
| keyword | +| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | +| threat.feed.name | | keyword | +| threat.indicator.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | +| threat.indicator.file.hash.md5 | MD5 hash. | keyword | +| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | +| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | +| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword | +| threat.indicator.file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| threat.indicator.file.type | File type (file, dir, or symlink). | keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. Recommended values are: \* WHITE \* GREEN \* AMBER \* RED | keyword | +| threat.indicator.port | Identifies a threat indicator as a port number (irrespective of direction). | long | +| threat.indicator.provider | The name of the indicator's provider. | keyword | +| threat.indicator.registry.key | Hive-relative path of keys. | keyword | +| threat.indicator.registry.value | Name of the value written. | keyword | +| threat.indicator.scanner_stats | Count of AV/EDR vendors that successfully detected malicious file or URL. | long | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. 
Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword | +| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | +| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | +| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | +| threat.indicator.url.port | Port of the request, such as 443. 
| long | +| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| user.email | User email address. | keyword | +| user.roles | Array of user roles at the time of the event. | keyword | + + +An example event for `threat` looks as following: + +```json +{ + "@timestamp": "2014-10-06T07:12:57.000Z", + "agent": { + "ephemeral_id": "dcc4828e-8e2d-49de-ac30-3a38de7e73da", + "id": "f33cbb31-3e5c-4242-8b35-d4631555523c", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "ti_misp.threat", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "f33cbb31-3e5c-4242-8b35-d4631555523c", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-04-11T08:58:54.124Z", + "dataset": "ti_misp.threat", + "ingested": "2022-04-11T08:58:55Z", + "kind": "enrichment", + "original": "{\"Event\":{\"Attribute\":{\"Galaxy\":[],\"ShadowAttribute\":[],\"category\":\"Network 
activity\",\"comment\":\"\",\"deleted\":false,\"disable_correlation\":false,\"distribution\":\"5\",\"event_id\":\"22\",\"first_seen\":null,\"id\":\"12394\",\"last_seen\":null,\"object_id\":\"0\",\"object_relation\":null,\"sharing_group_id\":\"0\",\"timestamp\":\"1462454963\",\"to_ids\":false,\"type\":\"domain\",\"uuid\":\"572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16\",\"value\":\"whatsapp.com\"},\"EventReport\":[],\"Galaxy\":[],\"Object\":[],\"Org\":{\"id\":\"1\",\"local\":true,\"name\":\"ORGNAME\",\"uuid\":\"5877549f-ea76-4b91-91fb-c72ad682b4a5\"},\"Orgc\":{\"id\":\"2\",\"local\":false,\"name\":\"CthulhuSPRL.be\",\"uuid\":\"55f6ea5f-fd34-43b8-ac1d-40cb950d210f\"},\"RelatedEvent\":[],\"ShadowAttribute\":[],\"Tag\":[{\"colour\":\"#004646\",\"exportable\":true,\"hide_tag\":false,\"id\":\"1\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"type:OSINT\",\"numerical_value\":null,\"user_id\":\"0\"},{\"colour\":\"#339900\",\"exportable\":true,\"hide_tag\":false,\"id\":\"2\",\"is_custom_galaxy\":false,\"is_galaxy\":false,\"local\":0,\"name\":\"tlp:green\",\"numerical_value\":null,\"user_id\":\"0\"}],\"analysis\":\"2\",\"attribute_count\":\"29\",\"date\":\"2014-10-03\",\"disable_correlation\":false,\"distribution\":\"3\",\"extends_uuid\":\"\",\"id\":\"2\",\"info\":\"OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks\",\"locked\":false,\"org_id\":\"1\",\"orgc_id\":\"2\",\"proposal_email_lock\":false,\"publish_timestamp\":\"1610622316\",\"published\":true,\"sharing_group_id\":\"0\",\"threat_level_id\":\"2\",\"timestamp\":\"1412579577\",\"uuid\":\"54323f2c-e50c-4268-896c-4867950d210b\"}}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "misp": { + "attribute": { + "category": "Network activity", + "comment": "", + "deleted": false, + "disable_correlation": false, + "distribution": 5, + "event_id": "22", + "id": "12394", + "object_id": "0", + "sharing_group_id": "0", + "timestamp": "1462454963", + 
"to_ids": false, + "type": "domain", + "uuid": "572b4ab3-1af0-4d91-9cd5-07a1c0a8ab16" + }, + "attribute_count": 29, + "date": "2014-10-03", + "disable_correlation": false, + "distribution": "3", + "extends_uuid": "", + "id": "2", + "info": "OSINT New Indicators of Compromise for APT Group Nitro Uncovered blog post by Palo Alto Networks", + "locked": false, + "org_id": "1", + "orgc": { + "id": "2", + "local": false, + "name": "CthulhuSPRL.be", + "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" + }, + "orgc_id": "2", + "proposal_email_lock": false, + "publish_timestamp": "1610622316", + "published": true, + "sharing_group_id": "0", + "threat_level_id": 2, + "uuid": "54323f2c-e50c-4268-896c-4867950d210b" + }, + "tags": [ + "type:OSINT", + "tlp:green" + ], + "threat": { + "feed": { + "name": "MISP" + }, + "indicator": { + "marking": { + "tlp": [ + "green" + ] + }, + "provider": "misp", + "scanner_stats": 2, + "type": "domain-name", + "url": { + "domain": "whatsapp.com" + } + } + } +} +``` \ No newline at end of file diff --git a/packages/ti_misp/1.2.2/img/misp.svg b/packages/ti_misp/1.2.2/img/misp.svg new file mode 100755 index 0000000000..076530aa25 --- /dev/null +++ b/packages/ti_misp/1.2.2/img/misp.svg @@ -0,0 +1,158 @@ + + + + diff --git a/packages/ti_misp/1.2.2/kibana/dashboard/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877.json b/packages/ti_misp/1.2.2/kibana/dashboard/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877.json new file mode 100755 index 0000000000..bd8d5dbf01 --- /dev/null +++ b/packages/ti_misp/1.2.2/kibana/dashboard/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877.json 
@@ -0,0 +1,132 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about file type indicators from the MISP integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"file\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"file\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_misp.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_misp.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[MISP Overview](/app/dashboards#/view/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294) \\n**[MISP Files (This Page)](/app/dashboards#/view/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877)** \\n[MISP URLs](/app/dashboards#/view/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877) \\n\\n[Integrations 
Page](/app/integrations/detail/ti_misp/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: file**.\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like hash type counters, popular domains, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"Files Navigation Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":27,\"i\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"title\":\"Files Navigation Textbox [Logs MISP]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-2e2257a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\":{\"columnOrder\":[\"8622e147-406f-4711-8f68-e2425614106e\"],\"columns\":{\"8622e147-406f-4711-8f68-e2425614106e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique File types\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"8622e147-406f-4711-8f68-e2425614106e\",\"layerId\":\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"layerType\":\"data\"}},\"title\":\"Unique File Types [Logs 
AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"w\":5,\"x\":7,\"y\":0},\"panelIndex\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"title\":\"Unique File Types [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-d888e3e0-3b38-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b83c382d-fab9-4e60-a632-475e221cc20c\":{\"columnOrder\":[\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\"],\"columns\":{\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique MD5\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.md5\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\",\"layerId\":\"b83c382d-fab9-4e60-a632-475e221cc20c\",\"layerType\":\"data\"}},\"title\":\"Unique MD5 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"w\":6,\"x\":12,\"y\":0},\"panelIndex\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"title\":\"Unique MD5 [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-28549810-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"85ad73b3-3b76-49f1-ad20-6256b58918f8\":{\"columnOrder\":[\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\"],\"columns\":{\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA1\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha1\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\",\"layerId\":\"85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"layerType\":\"data\"}},\"title\":\"Unique SHA1 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"w\":6,\"x\":18,\"y\":0},\"panelIndex\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"title\":\"Unique SHA1 [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-5d6111a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49b7070a-f1d3-46e1-a980-2f6d6d130167\":{\"columnOrder\":[\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\"],\"columns\":{\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA256\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha256\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\",\"layerId\":\"49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"layerType\":\"data\"}},\"title\":\"Unique SHA256 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"w\":6,\"x\":24,\"y\":0},\"panelIndex\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"title\":\"Unique SHA256 [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-52e62840-3b3a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"12768311-834b-48d5-8aad-d17d139c2ae5\":{\"columnOrder\":[\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\"],\"columns\":{\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique TLSH\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.tlsh\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"0255894e-dd88-4eb1-b21b-0cccecb2cd1b\",\"layerId\":\"12768311-834b-48d5-8aad-d17d139c2ae5\",\"layerType\":\"data\"}},\"title\":\"Unique TLSH [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"b77edd3f-b171-4e61-b519-169b5aade031\",\"w\":6,\"x\":30,\"y\":0},\"panelIndex\":\"b77edd3f-b171-4e61-b519-169b5aade031\",\"title\":\"Unique TLSH [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9070dc46-c06d-4b64-a2c5-7b6d4056a14d\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-4f8c9d00-3b3a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9070dc46-c06d-4b64-a2c5-7b6d4056a14d\":{\"columnOrder\":[\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\"],\"columns\":{\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Imphash\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.pe.imphash\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"f1bdf831-1fd2-4dc8-b1f9-c6e05d93b801\",\"layerId\":\"9070dc46-c06d-4b64-a2c5-7b6d4056a14d\",\"layerType\":\"data\"}},\"title\":\"Unique Imphash [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"f9eb44f8-6174-4b12-a8ca-5c542687006b\",\"w\":6,\"x\":36,\"y\":0},\"panelIndex\":\"f9eb44f8-6174-4b12-a8ca-5c542687006b\",\"title\":\"Unique Imphash [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-e27d5a76-ae51-44fa-b17e-e486bbc01b56\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-88ef6dd0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e27d5a76-ae51-44fa-b17e-e486bbc01b56\":{\"columnOrder\":[\"b5cdfd94-1e22-4673-8216-59aca2131761\"],\"columns\":{\"b5cdfd94-1e22-4673-8216-59aca2131761\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SSDEEP\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.ssdeep\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b5cdfd94-1e22-4673-8216-59aca2131761\",\"layerId\":\"e27d5a76-ae51-44fa-b17e-e486bbc01b56\",\"layerType\":\"data\"}},\"title\":\"Unique SSDEEP [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c9d59178-9b19-4255-8098-653cb30f3d09\",\"w\":6,\"x\":42,\"y\":0},\"panelIndex\":\"c9d59178-9b19-4255-8098-653cb30f3d09\",\"title\":\"Unique SSDEEP [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"2d0c0ec0-3bbf-11ec-ae8c-7d00429ad420\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"06d9ac79-2055-437e-892c-de9ee07fe674\":{\"columnOrder\":[\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"df062557-78a5-4a78-93f1-34583c809bc3\"],\"columns\":{\"35f5321a-27f4-4076-9d1d-d326187f4689\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"File Names\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.name\"},\"df062557-78a5-4a78-93f1-34583c809bc3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"isTransposed\":false},{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"isTransposed\":false}],\"layerId\":\"06d9ac79-2055-437e-892c-de9ee07fe674\",\"layerType\":\"data\"}},\"title\":\"Most popular file names [Logs AbuseCH]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"w\":20,\"x\":7,\"y\":8},\"panelIndex\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"title\":\"Most popular file names [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-4ee4a490-3b37-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\":{\"columnOrder\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\",\"de0e531b-dda7-461f-9783-3ab9267d202e\"],\"columns\":{\"06b603cb-c9fb-493a-9ca4-e6502ca12054\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.file.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.type\"},\"de0e531b-dda7-461f-9783-3ab9267d202e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\"],\"layerId\":\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"File Types [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"w\":21,\"x\":27,\"y\":8},\"panelIndex\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"title\":\"File Types [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs MISP] Files", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b77edd3f-b171-4e61-b519-169b5aade031:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b77edd3f-b171-4e61-b519-169b5aade031:indexpattern-datasource-layer-12768311-834b-48d5-8aad-d17d139c2ae5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f9eb44f8-6174-4b12-a8ca-5c542687006b:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f9eb44f8-6174-4b12-a8ca-5c542687006b:indexpattern-datasource-layer-9070dc46-c06d-4b64-a2c5-7b6d4056a14d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c9d59178-9b19-4255-8098-653cb30f3d09:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c9d59178-9b19-4255-8098-653cb30f3d09:indexpattern-datasource-layer-e27d5a76-ae51-44fa-b17e-e486bbc01b56", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", + "type": "index-pattern" + }, + { + "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", + "name": "tag-ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", + 
"type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ti_misp/1.2.2/kibana/dashboard/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877.json b/packages/ti_misp/1.2.2/kibana/dashboard/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877.json new file mode 100755 index 0000000000..a9987e5bf9 --- /dev/null +++ b/packages/ti_misp/1.2.2/kibana/dashboard/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877.json 
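Review bot: Three metric panels in `panelsJSON` aggregate on fields this package does not appear to map — `threat.indicator.file.hash.tlsh`, `threat.indicator.file.hash.ssdeep` and `threat.indicator.file.pe.imphash` (the "Unique TLSH", "Unique SSDEEP" and "Unique Imphash" panels) — while the README field table in this same commit lists only `md5`, `sha1` and `sha256` under `threat.indicator.file.hash`, so those panels will render empty for `ti_misp.threat` data unless the fields are declared elsewhere in the package. The embedded Lens attributes also still carry the copy-source's names: every inner `title` reads `[Logs AbuseCH]` (e.g. `"title":"Unique MD5 [Logs AbuseCH]"`, `"Files Navigation Textbox [Logs AbuseCH]"`) and each `sharingSavedObjectProps.sourceId` points at a `ti_abusech-…` saved object, whereas only the outer panel titles were renamed to `[Logs MISP]`. Suggest either removing the three unmapped hash panels or adding the fields to the data stream's mapping, and renaming the inner titles to match the outer ones (e.g. `"title":"Unique MD5 [Logs MISP]"`) so the dashboard is self-consistent when inspected or cloned.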
@@ -0,0 +1,97 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about URL type indicators from the MISP integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"url\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"url\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_misp.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_misp.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[MISP Overview](/app/dashboards#/view/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294) \\n[MISP Files](/app/dashboards#/view/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877) \\n**[MISP URLs (This Page)](/app/dashboards#/view/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877)** \\n\\n[Integrations Page](/app/integrations/detail/ti_misp/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: url**. 
\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, file extensions, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs MISP]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"88a112e1-6da1-49d3-9177-19f98280c200\":{\"columnOrder\":[\"604f1693-15a6-437d-af69-03588db8e471\"],\"columns\":{\"604f1693-15a6-437d-af69-03588db8e471\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Ports\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"604f1693-15a6-437d-af69-03588db8e471\",\"layerId\":\"88a112e1-6da1-49d3-9177-19f98280c200\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"title\":\"Unique Ports [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a6fa56f8-32fa-405d-8771-dade4fe75d62\":{\"columnOrder\":[\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\"],\"columns\":{\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Extensions\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\",\"layerId\":\"a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"title\":\"Unique File Extensions [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c94400ee-a135-4a99-9693-5879d29f7aad\":{\"columnOrder\":[\"2934249f-fce5-4637-87ff-d2596d1b6ec5\"],\"columns\":{\"2934249f-fce5-4637-87ff-d2596d1b6ec5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2934249f-fce5-4637-87ff-d2596d1b6ec5\",\"layerId\":\"c94400ee-a135-4a99-9693-5879d29f7aad\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"w\":6,\"x\":19,\"y\":0},\"panelIndex\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"title\":\"Unique Domains [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9fa49c4c-5544-472d-afce-e51d6a5687fe\":{\"columnOrder\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\"],\"columns\":{\"15e2b5ad-2040-4253-89a6-60f085c66f86\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.url.extension\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.extension\"},\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"15e2b5ad-2040-4253-89a6-60f085c66f86\"],\"layerId\":\"9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":31,\"i\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"w\":23,\"x\":25,\"y\":0},\"panelIndex\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"title\":\"Most Popular File Extensions [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0f63318a-a857-4d83-89ce-a94e2242b79e\":{\"columnOrder\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\",\"77a48096-02aa-4b7a-8a7b-131fc38988bd\"],\"columns\":{\"77a48096-02aa-4b7a-8a7b-131fc38988bd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"df0791a6-247c-4434-a43a-fdea7577ca34\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.url.scheme\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.scheme\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\"],\"layerId\":\"0f63318a-a857-4d83-89ce-a94e2242b79e\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"w\":18,\"x\":7,\"y\":8},\"panelIndex\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"title\":\"Percentage of URL Schema used [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"db89074c-e1fe-4091-bdb1-e42a36e82bac\":{\"columnOrder\":[\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\"],\"columns\":{\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"isTransposed\":false},{\"columnId\":\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"isTransposed\":false}],\"layerId\":\"db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"w\":18,\"x\":7,\"y\":23},\"panelIndex\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"title\":\"Most Popular Domains [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs MISP] URLs", + "version": 1 + }, + 
"coreMigrationVersion": "8.0.0", + "id": "ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e", + "type": "index-pattern" + 
}, + { + "id": "logs-*", + "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac", + "type": "index-pattern" + }, + { + "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", + "name": "tag-ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ti_misp/1.2.2/kibana/dashboard/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json b/packages/ti_misp/1.2.2/kibana/dashboard/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json new file mode 100755 index 0000000000..e60f8f871b --- /dev/null +++ b/packages/ti_misp/1.2.2/kibana/dashboard/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294.json 
@@ -0,0 +1,87 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about indicators ingested from the MISP integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_misp.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.dataset\":\"ti_misp.threat\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n**[MISP Overview (This Page)](/app/dashboards#/view/ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294)** \\n[MISP Files](/app/dashboards#/view/ti_misp-32d9c020-71ea-11ec-8197-5d53a5437877) \\n[MISP URLs](/app/dashboards#/view/ti_misp-399bb8d0-71ec-11ec-8197-5d53a5437877) \\n\\n[Integrations Page](/app/integrations/detail/ti_misp/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a health overview related to the MISP integration.\\n\\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from MISP. 
\\n\\nIt shows ingestion rates and provides a few filters for drilling down to specific indicator types retrieved from MISP.\",\"openLinksInNewTab\":false},\"title\":\"Overview Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":36,\"i\":\"ce31769b-ab7b-48c0-8869-bdf0c943d013\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"ce31769b-ab7b-48c0-8869-bdf0c943d013\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"threat.indicator.provider\",\"id\":\"1641204819355\",\"indexPatternRefName\":\"control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_0_index_pattern\",\"label\":\"Indicator Provider\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.type\",\"id\":\"1641204843291\",\"indexPatternRefName\":\"control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_1_index_pattern\",\"label\":\"Indicator Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":8,\"i\":\"8fd54b49-92c1-4b90-a0c9-c1cedaa137b5\",\"w\":26,\"x\":7,\"y\":0},\"panelIndex\":\"8fd54b49-92c1-4b90-a0c9-c1cedaa137b5\",\"title\":\"Indicator Selector [Logs 
MISP]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-d87f35ee-570a-488b-b618-6ada39b49df4\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d87f35ee-570a-488b-b618-6ada39b49df4\":{\"columnOrder\":[\"427cdedd-a93a-4f8e-93ce-f872b3809ae4\",\"d0f21543-9576-400e-aeca-babc5407d3a7\"],\"columns\":{\"427cdedd-a93a-4f8e-93ce-f872b3809ae4\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d0f21543-9576-400e-aeca-babc5407d3a7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.type\"},\"d0f21543-9576-400e-aeca-babc5407d3a7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"427cdedd-a93a-4f8e-93ce-f872b3809ae4\"],\"layerId\":\"d87f35ee-570a-488b-b618-6ada39b49df4\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d0f21543-9576-400e-aeca-babc5407d3a7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":22,\"i\":\"793c8c41-d3d3-4196-a0e6-aaac8bc1572b\",\"w\":15,\"x\":33,\"y\":0},\"panelIndex\":\"793c8c41-d3d3-4196-a0e6-aaac8bc1572b\",\"title\":\"Total Indicators per type [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0491a750-3050-47a9-bb99-c45984d3d28c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0491a750-3050-47a9-bb99-c45984d3d28c\":{\"columnOrder\":[\"fb93835d-e6a1-49b4-8911-ae15b081da8a\"],\"columns\":{\"fb93835d-e6a1-49b4-8911-ae15b081da8a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Indicators\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"fb93835d-e6a1-49b4-8911-ae15b081da8a\",\"layerId\":\"0491a750-3050-47a9-bb99-c45984d3d28c\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"7cb42a10-64fd-454a-8669-f579fa2d0850\",\"w\":6,\"x\":7,\"y\":8},\"panelIndex\":\"7cb42a10-64fd-454a-8669-f579fa2d0850\",\"title\":\"Total Indicators [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-471f2a97-fb44-41a1-a5a0-2f68b9140ef5\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"471f2a97-fb44-41a1-a5a0-2f68b9140ef5\":{\"columnOrder\":[\"16691165-3643-4658-bfc8-4bba834f2789\",\"3e085a0a-8386-4f64-a629-44ae27b18878\"],\"columns\":{\"16691165-3643-4658-bfc8-4bba834f2789\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"3e085a0a-8386-4f64-a629-44ae27b18878\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.provider\"},\"3e085a0a-8386-4f64-a629-44ae27b18878\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"accessors\":[\"3e085a0a-8386-4f64-a629-44ae27b18878\"],\"layerId\":\"471f2a97-fb44-41a1-a5a0-2f68b9140ef5\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"16691165-3643-4658-bfc8-4bba834f2789\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"showSingleSeries\":true},\"preferredSeriesType\":\"bar_horizontal\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"valuesInLegend\":true,\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":14,\"i\":\"f5937489-643e-4254-819d-b1290b4b74c2\",\"w\":20,\"x\":13,\"y\":8},\"panelIndex\":\"f5937489-643e-4254-819d-b1290b4b74c2\",\"title\":\"Total Indicators per Provider [Logs 
MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\":{\"columnOrder\":[\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\",\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"columns\":{\"0726d151-9edf-41cb-ab52-473ab27cf8b7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"4d7ca99c-8a53-4a7f-96db-409251c0e391\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of event.dataset\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0726d151-9edf-41cb-ab52-473ab27cf8b7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"},\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"30s\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"curveType\":\"CURVE_MONOTONE_X\",\"fittingFunction\":\"Zero\",\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"layerId\":\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"xAccessor\":\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\"}],
\"legend\":{\"isInside\":false,\"isVisible\":true,\"position\":\"bottom\",\"shouldTruncate\":false,\"showSingleSeries\":true},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"valuesInLegend\":false,\"xTitle\":\"Date\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Total Indicators\"}},\"title\":\"Indicators ingested per Datastream [Logs AbuseCH]\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":14,\"i\":\"77a4acf0-c56d-420f-b50b-8e5b082931c9\",\"w\":41,\"x\":7,\"y\":22},\"panelIndex\":\"77a4acf0-c56d-420f-b50b-8e5b082931c9\",\"title\":\"Indicators ingested [Logs MISP]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs MISP] Overview", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_misp-56ed8040-6c7d-11ec-9bce-f7a4dc94c294", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8fd54b49-92c1-4b90-a0c9-c1cedaa137b5:control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8fd54b49-92c1-4b90-a0c9-c1cedaa137b5:control_8fd54b49-92c1-4b90-a0c9-c1cedaa137b5_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "793c8c41-d3d3-4196-a0e6-aaac8bc1572b:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "793c8c41-d3d3-4196-a0e6-aaac8bc1572b:indexpattern-datasource-layer-d87f35ee-570a-488b-b618-6ada39b49df4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"7cb42a10-64fd-454a-8669-f579fa2d0850:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7cb42a10-64fd-454a-8669-f579fa2d0850:indexpattern-datasource-layer-0491a750-3050-47a9-bb99-c45984d3d28c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f5937489-643e-4254-819d-b1290b4b74c2:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f5937489-643e-4254-819d-b1290b4b74c2:indexpattern-datasource-layer-471f2a97-fb44-41a1-a5a0-2f68b9140ef5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "77a4acf0-c56d-420f-b50b-8e5b082931c9:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "77a4acf0-c56d-420f-b50b-8e5b082931c9:indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7", + "type": "index-pattern" + }, + { + "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", + "name": "tag-ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ti_misp/1.2.2/kibana/tag/ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json b/packages/ti_misp/1.2.2/kibana/tag/ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json new file mode 100755 index 0000000000..b202c82473 --- /dev/null +++ b/packages/ti_misp/1.2.2/kibana/tag/ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294.json @@ -0,0 +1,14 @@ +{ + "attributes": { + "color": "#6092C0", + "description": "", + "name": "MISP" + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_misp-550ba0e0-6c7d-11ec-9bce-f7a4dc94c294", + "migrationVersion": { + "tag": "8.0.0" + }, + "references": [], + "type": "tag" +} \ No newline at end of file diff --git a/packages/ti_misp/1.2.2/manifest.yml b/packages/ti_misp/1.2.2/manifest.yml new file mode 100755 index 0000000000..e77c6f55be --- /dev/null +++ b/packages/ti_misp/1.2.2/manifest.yml 
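Review bot: Two embedded titles in this saved object still carry another package's label: the markdown panel's `savedVis.title` is `Overview Textbox [Logs AbuseCH]` and the ingestion chart's lens `title` is `Indicators ingested per Datastream [Logs AbuseCH]`, while every other title in the file and the dashboard itself say `[Logs MISP]`. Neither is prominent in the rendered dashboard (the first panel has `hidePanelTitles` set and the second is overridden by the panel title `Indicators ingested [Logs MISP]`), but they become visible if a panel is later saved to the library and they suggest the panels were copied from another package without review. Since the JSON is a Kibana export, correct the titles in Kibana and re-export rather than hand-editing the `panelsJSON` string.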
@@ -0,0 +1,26 @@
+name: ti_misp
+title: MISP
+version: 1.2.2
+release: ga
+description: This Elastic integration collects events from MISP
+type: integration
+format_version: 1.0.0
+license: basic
+categories: [security]
+conditions:
+ kibana.version: ^8.0.0
+icons:
+ - src: /img/misp.svg
+ title: MISP
+ size: 216x216
+ type: image/svg+xml
+policy_templates:
+ - name: ti_misp
+ title: MISP
+ description: Collect threat intelligence from the MISP API.
+ inputs:
+ - type: httpjson
+ title: "Collect threat intelligence from the MISP API."
+ description: "Collect threat intelligence from the MISP API."
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/ti_otx/1.2.2/changelog.yml b/packages/ti_otx/1.2.2/changelog.yml
new file mode 100755
index 0000000000..8534abb559
--- /dev/null
+++ b/packages/ti_otx/1.2.2/changelog.yml
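Review bot: The httpjson input's `title` and `description` under `policy_templates` are the identical sentence, so the description gives the person enabling the policy nothing the title did not. A description should carry the operational detail the title omits, for example which MISP endpoint is polled and which data-stream variables (URL, credentials, interval) must be filled in; the variables themselves are not in this hunk, so the wording should be checked against the data stream's manifest. Relatedly, the package-level `description` says the integration collects "events" while the policy template says "threat intelligence"; aligning the two avoids a confusing catalog entry.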
@@ -0,0 +1,41 @@
+# newer versions go on top
+- version: "1.2.2"
+ changes:
+ - description: Add field mapping for event.created
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3042
+- version: "1.2.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.2.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2449
+- version: "1.1.0"
+ changes:
+ - description: Adding threat.feed fields and dashboards
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2540
+- version: "1.0.3"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.0.2"
+ changes:
+ - description: Bump minimum version
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2063
+- version: "1.0.1"
+ changes:
+ - description: Update title and description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1997
+- version: "1.0.0"
+ changes:
+ - description: Initial release
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1873
diff --git a/packages/ti_otx/1.2.2/data_stream/threat/agent/stream/httpjson.yml.hbs b/packages/ti_otx/1.2.2/data_stream/threat/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..cc8d4550c6
--- /dev/null
+++ b/packages/ti_otx/1.2.2/data_stream/threat/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,60 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "GET"
+
+{{#if url}}
+request.url: {{url}}
+{{/if}}
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+request.transforms:
+- set:
+ target: header.Content-Type
+ value: application/json
+{{#if api_token }}
+- set:
+ target: header.X-OTX-API-KEY
+ value: {{ api_token }}
+{{/if}}
+{{#if types}}
+- set:
+ target: url.params.types
+ value: {{ types }}
+{{/if}}
+- set:
+ target: url.params.modified_since
+ value: '[[.cursor.timestamp]]'
+ default: '[[ formatDate (now (parseDuration "-{{ first_interval }}")) "RFC3339" ]]'
+
+response.split:
+ target: body.results
+
+response.pagination:
+- set:
+ target: url.value
+ value: '[[ .last_response.body.next ]]'
+cursor:
+ timestamp:
+ value: '[[ formatDate (now (parseDuration "-{{ lookback_range }}")) "RFC3339" ]]'
+
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/ti_otx/1.2.2/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/ti_otx/1.2.2/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..494d667a7a
--- /dev/null
+++ b/packages/ti_otx/1.2.2/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
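Review bot: The tags loop declares a block parameter it never uses, `{{#each tags as |tag i|}}`; the sibling templates in this commit write `{{#each tags as |tag|}}`, so `{{#each tags as |tag|}}` here keeps the streams consistent. The template also ends without a trailing newline (`\ No newline at end of file`), which the other `.yml.hbs` files in the commit do not; a final newline after `{{/if}}` avoids the noisy diff on the next edit. Spacing inside the mustaches is mixed as well (`{{interval}}` versus `{{ api_token }}` and `{{ types }}`); picking one form makes the rendered policy easier to grep.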
@@ -0,0 +1,172 @@ +--- +description: Pipeline for parsing Abuse.ch URL Threat Intel +processors: + #################### + # Event ECS fields # + #################### + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" + - set: + field: ecs.version + value: "8.0.0" + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: threat + - set: + field: event.type + value: indicator + + ###################### + # General ECS fields # + ###################### + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: otx + - fingerprint: + fields: + - otx.id + target_field: "_id" + + ##################### + # Threat ECS Fields # + ##################### + ## File indicator operations + - set: + field: threat.indicator.type + value: file + if: "ctx.otx?.type.startsWith('FileHash') || ctx.otx?.type == 'filepath'" + - rename: + field: otx.indicator + target_field: threat.indicator.file.hash.md5 + ignore_missing: true + if: "ctx.otx?.type == 'FileHash-MD5'" + - rename: + field: otx.indicator + target_field: threat.indicator.file.hash.sha1 + ignore_missing: true + if: "ctx.otx?.type == 'FileHash-SHA1'" + - rename: + field: otx.indicator + target_field: threat.indicator.file.hash.sha256 + ignore_missing: true + if: "ctx.otx?.type == 'FileHash-SHA256'" + - rename: + field: otx.indicator + target_field: threat.indicator.file.hash.pehash + ignore_missing: true + if: "ctx.otx?.type == 'FileHash-PEHASH'" + - rename: + field: otx.indicator + target_field: threat.indicator.file.hash.imphash + ignore_missing: true + if: "ctx.otx?.type == 'FileHash-IMPHASH'" + + ## IP indicator operations + - set: + field: threat.indicator.type + value: ipv4-addr + if: ctx.otx?.type == 'IPv4' + - set: + field: threat.indicator.type + value: ipv6-addr + if: ctx.otx?.type == 'IPv6' + - rename: + field: otx.indicator + target_field: threat.indicator.ip + ignore_missing: true + if: 
"ctx.threat?.indicator?.type != null && ['ipv4-addr', 'ipv6-addr'].contains(ctx.threat?.indicator?.type)" + + ## URL indicator operations + - set: + field: threat.indicator.type + value: url + if: "ctx.threat?.indicator?.type == null && ['URL', 'URI'].contains(ctx.otx?.type)" + - uri_parts: + field: otx.indicator + target_field: threat.indicator.url + keep_original: true + remove_if_successful: true + if: ctx.threat?.indicator?.type == 'url' + - set: + field: threat.indicator.url.full + value: "{{{threat.indicator.url.original}}}" + ignore_empty_value: true + if: "ctx.otx?.type == 'URL'" + + ## Email indicator operations + - set: + field: threat.indicator.type + value: email-addr + if: ctx.otx?.type == 'email' + - rename: + field: otx.indicator + target_field: threat.indicator.email.address + ignore_missing: true + if: "ctx.threat?.indicator?.type == 'email-addr'" + + ## Domain indicator operations + - set: + field: threat.indicator.type + value: domain-name + if: "ctx.threat?.indicator?.type == null && ['domain', 'hostname'].contains(ctx.otx?.type)" + - rename: + field: otx.indicator + target_field: threat.indicator.url.domain + ignore_missing: true + if: "ctx.threat?.indicator?.type == 'domain-name' && ctx.threat?.indicator?.url?.domain == null" + + ###################### + # Cleanup processors # + ###################### + - set: + field: threat.indicator.type + value: unknown + if: ctx.threat?.indicator?.type == null + - script: + lang: painless + if: ctx.otx != null + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + } + handleMap(ctx); + - remove: + field: + - otx.content + ignore_missing: true + if: ctx.otx?.content == "" + - remove: + field: 
+ - otx.type + - otx.id + - message + ignore_missing: true + if: ctx.threat?.indicator?.type != null +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/ti_otx/1.2.2/data_stream/threat/fields/agent.yml b/packages/ti_otx/1.2.2/data_stream/threat/fields/agent.yml new file mode 100755 index 0000000000..da4e652c53 --- /dev/null +++ b/packages/ti_otx/1.2.2/data_stream/threat/fields/agent.yml 
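Review bot: The file-indicator condition `if: "ctx.otx?.type.startsWith('FileHash') || ctx.otx?.type == 'filepath'"` null-guards only `otx`, not `type`; for a document that has an `otx` object without a `type`, `startsWith` appears to be invoked on null, which would send the whole document to `on_failure` with only `error.message` set instead of reaching the `threat.indicator.type: unknown` cleanup further down. Writing the guard as `ctx.otx?.type instanceof String && (ctx.otx.type.startsWith('FileHash') || ctx.otx.type == 'filepath')` keeps the rest of the pipeline reachable for such documents; the other processors already use the `ctx.otx?.type == '...'` form, which is null-safe. Separately, `description: Pipeline for parsing Abuse.ch URL Threat Intel` looks copied from another package — this data stream ingests Alienvault OTX indicators, so `description: Pipeline for parsing Alienvault OTX Threat Intel`.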
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/ti_otx/1.2.2/data_stream/threat/fields/base-fields.yml b/packages/ti_otx/1.2.2/data_stream/threat/fields/base-fields.yml
new file mode 100755
index 0000000000..5b27b27cf8
--- /dev/null
+++ b/packages/ti_otx/1.2.2/data_stream/threat/fields/base-fields.yml
@@ -0,0 +1,28 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: ti_otx
+- name: threat.feed.name
+ type: constant_keyword
+ description: Display friendly feed name
+ value: Alienvault OTX
+- name: threat.feed.dashboard_id
+ type: constant_keyword
+ description: Dashboard ID used for Kibana CTI UI
+ value: ti_otx-7da241a0-71f3-11ec-9910-d1ceb8a1734b
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: ti_otx.threat
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/ti_otx/1.2.2/data_stream/threat/fields/beats.yml b/packages/ti_otx/1.2.2/data_stream/threat/fields/beats.yml
new file mode 100755
index 0000000000..cb44bb2944
--- /dev/null
+++ b/packages/ti_otx/1.2.2/data_stream/threat/fields/beats.yml
@@ -0,0 +1,12 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.flags
+ type: keyword
+ description: Flags for the log file.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
diff --git a/packages/ti_otx/1.2.2/data_stream/threat/fields/ecs.yml b/packages/ti_otx/1.2.2/data_stream/threat/fields/ecs.yml
new file mode 100755
index 0000000000..b1e87e820e
--- /dev/null
+++ b/packages/ti_otx/1.2.2/data_stream/threat/fields/ecs.yml
@@ -0,0 +1,153 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: Error message. + name: error.message + type: match_only_text +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + Type of indicator as represented by Cyber Observable in STIX 2.0. + Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate + name: threat.indicator.type + type: keyword +- description: Identifies a threat indicator as an email address (irrespective of direction). + name: threat.indicator.email.address + type: keyword +- description: Identifies a threat indicator as an IP address (irrespective of direction). + name: threat.indicator.ip + type: ip +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: threat.indicator.url.domain + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.full + type: wildcard +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. 
+ The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: threat.indicator.url.extension + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.original + type: wildcard +- description: Path of the request, such as "/search". + name: threat.indicator.url.path + type: wildcard +- description: Port of the request, such as 443. + name: threat.indicator.url.port + type: long +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: threat.indicator.url.scheme + type: keyword +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: threat.indicator.url.query + type: keyword +- description: File type (file, dir, or symlink). + name: threat.indicator.file.type + type: keyword +- description: MD5 hash. + name: threat.indicator.file.hash.md5 + type: keyword +- description: SHA1 hash. + name: threat.indicator.file.hash.sha1 + type: keyword +- description: SHA256 hash. + name: threat.indicator.file.hash.sha256 + type: keyword +- description: |- + A hash of the imports in a PE file. 
An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + name: threat.indicator.file.pe.imphash + type: keyword +- description: The file's pehash, if available. + name: threat.indicator.file.hash.pehash + type: keyword +- description: The name of the indicator's provider. + name: threat.indicator.provider + type: keyword diff --git a/packages/ti_otx/1.2.2/data_stream/threat/fields/fields.yml b/packages/ti_otx/1.2.2/data_stream/threat/fields/fields.yml new file mode 100755 index 0000000000..ee3a603aad --- /dev/null +++ b/packages/ti_otx/1.2.2/data_stream/threat/fields/fields.yml @@ -0,0 +1,36 @@ +- name: otx + type: group + description: > + Fields for OTX Threat Intel + + fields: + - name: id + type: keyword + description: > + The ID of the indicator. + + - name: indicator + type: keyword + description: > + The value of the indicator, for example if the type is domain, this would be the value. + + - name: description + type: keyword + description: > + A description of the indicator. + + - name: title + type: keyword + description: > + Title describing the indicator. + + - name: content + type: keyword + description: > + Extra text or descriptive content related to the indicator. + + - name: type + type: keyword + description: > + The indicator type, can for example be "domain, email, FileHash-SHA256". + diff --git a/packages/ti_otx/1.2.2/data_stream/threat/manifest.yml b/packages/ti_otx/1.2.2/data_stream/threat/manifest.yml new file mode 100755 index 0000000000..4bfd942d44 --- /dev/null +++ b/packages/ti_otx/1.2.2/data_stream/threat/manifest.yml 
@@ -0,0 +1,98 @@
+type: logs
+title: Alienvault OTX logs
+streams:
+ - input: httpjson
+ vars:
+ - name: url
+ type: text
+ title: Alienvault OTX API endpoint
+ multi: false
+ required: true
+ show_user: false
+ default: https://otx.alienvault.com/api/v1/indicators/export
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ multi: false
+ required: false
+ show_user: false
+ default: 30s
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:
+ - name: interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 5m
+ - name: api_token
+ type: text
+ title: API Token
+ multi: false
+ required: true
+ show_user: true
+ description: The Alienvault OTX API token
+ - name: first_interval
+ type: text
+ title: First Interval
+ multi: false
+ required: true
+ show_user: false
+ description: Configures how far back in time the agent should retrieve data from the API in hours.
+ default: 400h
+ - name: lookback_range
+ type: text
+ title: Lookback Range
+ multi: false
+ required: true
+ show_user: false
+ description: How many hours to look back for each request, should not be smaller than the interval (default 5m).
+ default: 1h
+ - name: types
+ type: text
+ title: Filter on indicator types
+ multi: false
+ required: false
+ show_user: false
+ description: "A comma separated list of indicator types to retrieve, example: 'domain,IPv4,hostname,url,FileHash-SHA256'"
+ - name: ssl
+ type: yaml
+ title: SSL
+ multi: false
+ required: false
+ show_user: true
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - otx-threat
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: httpjson.yml.hbs
+ title: Alienvault OTX logs
+ description: Collect Alienvault OTX logs
diff --git a/packages/ti_otx/1.2.2/data_stream/threat/sample_event.json b/packages/ti_otx/1.2.2/data_stream/threat/sample_event.json
new file mode 100755
index 0000000000..4bc1007633
--- /dev/null
+++ b/packages/ti_otx/1.2.2/data_stream/threat/sample_event.json
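Review bot: The `api_token` variable is declared `type: text`, so the OTX API key is displayed in clear in the Fleet policy editor and in the rendered agent policy; package-spec has a `password` variable type for secrets, so this stanza should read `type: password`. The `proxy_url` description, `URL to proxy connections in the form of http[s]://:@:`, has lost its user, password, host and port placeholders (possibly angle brackets stripped somewhere in rendering); if the committed file carries the same text, restore it as `description: URL to proxy connections in the form of http[s]://<user>:<password>@<host>:<port>`. The `first_interval` description says the value is "in hours" while the default is the duration string `400h` and the template feeds it to `parseDuration`; `description: How far back in time the agent should retrieve data from the API, as a duration (for example 400h).` matches what the field actually accepts.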
@@ -0,0 +1,50 @@ +{ + "@timestamp": "2022-04-11T09:14:18.594Z", + "agent": { + "ephemeral_id": "26518763-fc35-4393-a414-ab320e780eee", + "id": "93ca38c5-fdea-4af2-acab-27edbc2b3434", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "ti_otx.threat", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "93ca38c5-fdea-4af2-acab-27edbc2b3434", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-04-11T09:14:18.594Z", + "dataset": "ti_otx.threat", + "ingested": "2022-04-11T09:14:19Z", + "kind": "enrichment", + "original": "{\"content\":\"\",\"description\":null,\"id\":1251,\"indicator\":\"info.3000uc.com\",\"title\":null,\"type\":\"hostname\"}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "otx": {}, + "tags": [ + "preserve_original_event", + "forwarded", + "otx-threat" + ], + "threat": { + "indicator": { + "type": "domain-name", + "url": { + "domain": "info.3000uc.com" + } + } + } +} \ No newline at end of file diff --git a/packages/ti_otx/1.2.2/docs/README.md b/packages/ti_otx/1.2.2/docs/README.md new file mode 100755 index 0000000000..f8af7ebce9 --- /dev/null +++ b/packages/ti_otx/1.2.2/docs/README.md 
@@ -0,0 +1,153 @@ +# Alienvault OTX Integration + +This integration is for Alienvault OTX. It retrieves indicators for all pulses subscribed to a specific user account on OTX + +## Configuration + +To use this package, it is required to have an account on [Alienvault OTX](https://otx.alienvault.com/). Once an account has been created, and at least 1 pulse has been subscribed to, the API key can be retrieved from your [user profile dashboard](https://otx.alienvault.com/api). In the top right corner there should be an OTX KEY. + +## Logs + +### Threat + +Retrieves all the related indicators over time, related to your pulse subscriptions on OTX. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. 
| constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. 
In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. 
| match_only_text | +| otx.content | Extra text or descriptive content related to the indicator. | keyword | +| otx.description | A description of the indicator. | keyword | +| otx.id | The ID of the indicator. | keyword | +| otx.indicator | The value of the indicator, for example if the type is domain, this would be the value. | keyword | +| otx.title | Title describing the indicator. | keyword | +| otx.type | The indicator type, can for example be "domain, email, FileHash-SHA256". | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| tags | List of keywords used to tag each event. | keyword | +| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | +| threat.feed.name | Display friendly feed name | constant_keyword | +| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | +| threat.indicator.file.hash.md5 | MD5 hash. | keyword | +| threat.indicator.file.hash.pehash | The file's pehash, if available. | keyword | +| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | +| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | +| threat.indicator.file.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| threat.indicator.file.type | File type (file, dir, or symlink). | keyword | +| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | +| threat.indicator.provider | The name of the indicator's provider. 
| keyword | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword | +| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | +| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | +| threat.indicator.url.path | Path of the request, such as "/search". 
| wildcard | +| threat.indicator.url.port | Port of the request, such as 443. | long | +| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | + + +An example event for `threat` looks as following: + +```json +{ + "@timestamp": "2022-04-11T09:14:18.594Z", + "agent": { + "ephemeral_id": "26518763-fc35-4393-a414-ab320e780eee", + "id": "93ca38c5-fdea-4af2-acab-27edbc2b3434", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "ti_otx.threat", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "93ca38c5-fdea-4af2-acab-27edbc2b3434", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-04-11T09:14:18.594Z", + "dataset": "ti_otx.threat", + "ingested": "2022-04-11T09:14:19Z", + "kind": "enrichment", + "original": "{\"content\":\"\",\"description\":null,\"id\":1251,\"indicator\":\"info.3000uc.com\",\"title\":null,\"type\":\"hostname\"}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "otx": {}, + "tags": [ + "preserve_original_event", + "forwarded", + "otx-threat" + ], + "threat": { + "indicator": { + "type": "domain-name", + "url": { + "domain": "info.3000uc.com" + } + } + } +} +``` diff --git a/packages/ti_otx/1.2.2/img/otx.svg b/packages/ti_otx/1.2.2/img/otx.svg new file mode 100755 index 0000000000..ac96edd1d8 --- /dev/null +++ b/packages/ti_otx/1.2.2/img/otx.svg 
@@ -0,0 +1 @@
+AV-Corporate-Logo
\ No newline at end of file
diff --git a/packages/ti_otx/1.2.2/kibana/dashboard/ti_otx-7da241a0-71f3-11ec-9910-d1ceb8a1734b.json b/packages/ti_otx/1.2.2/kibana/dashboard/ti_otx-7da241a0-71f3-11ec-9910-d1ceb8a1734b.json
new file mode 100755
index 0000000000..57b0284421
--- /dev/null
+++ b/packages/ti_otx/1.2.2/kibana/dashboard/ti_otx-7da241a0-71f3-11ec-9910-d1ceb8a1734b.json
@@ -0,0 +1,102 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about indicators ingested from the Alienvault OTX integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_otx.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_otx.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n**[OTX Overview (This Page)](/app/dashboards#/view/ti_otx-7da241a0-71f3-11ec-9910-d1ceb8a1734b)** \\n[OTX Files](/app/dashboards#/view/ti_otx-83b01770-71f3-11ec-9910-d1ceb8a1734b) \\n[OTX URLs](/app/dashboards#/view/ti_otx-8957ff80-71f3-11ec-9910-d1ceb8a1734b) \\n\\n[Integrations Page](/app/integrations/detail/ti_otx/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a health overview related to the Alienvault OTX integration.\\n\\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from Alienvault OTX. 
\\n\\nThe ingestion rates (by default it fetches new updates every 10 minutes) and provides a few filters for drilling down to specific indicator types retrieved from Alienvault OTX.\",\"openLinksInNewTab\":false},\"title\":\"Overview Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":31,\"i\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"title\":\"Overview Textbox [Logs OTX]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.dataset\",\"negate\":false,\"params\":[\"ti_abusech.malware\",\"ti_abusech.malwarebazaar\",\"ti_abusech.url\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malware\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malwarebazaar\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.url\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"event.dataset\",\"id\":\"1635779550157\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern\",\"label\":\"Feed 
Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.provider\",\"id\":\"1635779603363\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern\",\"label\":\"Indicator Provider\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.type\",\"id\":\"1635779625911\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern\",\"label\":\"Indicator Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Feed and Indicator Selector [Logs AbuseCH]\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":7,\"i\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"w\":41,\"x\":7,\"y\":0},\"panelIndex\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"title\":\"Feed and Indicator Selector [Logs 
OTX]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-8c0613c0-3b25-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\":{\"columnOrder\":[\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\",\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"columns\":{\"0726d151-9edf-41cb-ab52-473ab27cf8b7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"4d7ca99c-8a53-4a7f-96db-409251c0e391\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
event.dataset\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0726d151-9edf-41cb-ab52-473ab27cf8b7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"},\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"30s\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"curveType\":\"CURVE_MONOTONE_X\",\"fittingFunction\":\"Zero\",\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"layerId\":\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"xAccessor\":\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\"}],\"legend\":{\"isInside\":false,\"isVisible\":true,\"position\":\"bottom\",\"shouldTruncate\":false,\"showSingleSeries\":true},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"valuesInLegend\":false,\"xTitle\":\"Date\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Total Indicators\"}},\"title\":\"Indicators ingested per Datastream [Logs AbuseCH]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"w\":29,\"x\":7,\"y\":7},\"panelIndex\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"title\":\"Indicators ingested per Datastream [Logs 
OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-682732d8-8691-4c5a-bf89-de8e30d71dfb\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-62801870-3b2a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"682732d8-8691-4c5a-bf89-de8e30d71dfb\":{\"columnOrder\":[\"dd629c44-e7db-438e-8656-340b94fd30d8\",\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\"],\"columns\":{\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"dd629c44-e7db-438e-8656-340b94fd30d8\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Indicators\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"dd629c44-e7db-438e-8656-340b94fd30d8\"],\"layerId\":\"682732d8-8691-4c5a-bf89-de8e30d71dfb\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"legendPosition\":\"right\",\"metric\":\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2,\"truncateLegend\":true}],\"shape\":\"donut\"}},\"title\":\"Total Indicators per Datastream [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"f654c447-12d2-41a4-9091-06169af11ba5\",\"w\":12,\"x\":36,\"y\":7},\"panelIndex\":\"f654c447-12d2-41a4-9091-06169af11ba5\",\"title\":\"Total Indicators per Datastream [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-1d376820-3b22-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"070f5dbc-7687-4e97-9a57-5542b401c13f\":{\"columnOrder\":[\"1e352b49-3b83-44a6-98fe-8703d30f2517\"],\"columns\":{\"1e352b49-3b83-44a6-98fe-8703d30f2517\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Indicators\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"1e352b49-3b83-44a6-98fe-8703d30f2517\",\"layerId\":\"070f5dbc-7687-4e97-9a57-5542b401c13f\",\"layerType\":\"data\"}},\"title\":\"Total Indicators [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"w\":6,\"x\":7,\"y\":23},\"panelIndex\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"title\":\"Total Indicators [Logs 
OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-49830790-3b27-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"df8e3a91-700b-428a-a763-525076e4d3c8\":{\"columnOrder\":[\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\"],\"columns\":{\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Datastreams\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\",\"layerId\":\"df8e3a91-700b-428a-a763-525076e4d3c8\",\"layerType\":\"data\"}},\"title\":\"Total Datastreams [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"w\":6,\"x\":13,\"y\":23},\"panelIndex\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"title\":\"Total Datastreams [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs OTX] Overview", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_otx-7da241a0-71f3-11ec-9910-d1ceb8a1734b", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + 
"id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f654c447-12d2-41a4-9091-06169af11ba5:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f654c447-12d2-41a4-9091-06169af11ba5:indexpattern-datasource-layer-682732d8-8691-4c5a-bf89-de8e30d71dfb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8", + "type": "index-pattern" + }, + { + "id": "ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b", + "name": "tag-ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ti_otx/1.2.2/kibana/dashboard/ti_otx-83b01770-71f3-11ec-9910-d1ceb8a1734b.json b/packages/ti_otx/1.2.2/kibana/dashboard/ti_otx-83b01770-71f3-11ec-9910-d1ceb8a1734b.json new file mode 100755 index 0000000000..07df8ecd9e --- /dev/null +++ b/packages/ti_otx/1.2.2/kibana/dashboard/ti_otx-83b01770-71f3-11ec-9910-d1ceb8a1734b.json 
@@ -0,0 +1,112 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about file type indicators from the Alienvault OTX integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"file\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"file\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_otx.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_otx.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[OTX Overview](/app/dashboards#/view/ti_otx-7da241a0-71f3-11ec-9910-d1ceb8a1734b) \\n**[OTX Files (This Page)](/app/dashboards#/view/ti_otx-83b01770-71f3-11ec-9910-d1ceb8a1734b)** \\n[OTX URLs](/app/dashboards#/view/ti_otx-8957ff80-71f3-11ec-9910-d1ceb8a1734b) \\n\\n[Integrations 
Page](/app/integrations/detail/ti_otx/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: file**.\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like hash type counters, popular domains, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"Files Navigation Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":35,\"i\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"title\":\"Files Navigation Textbox [Logs OTX]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-2e2257a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\":{\"columnOrder\":[\"8622e147-406f-4711-8f68-e2425614106e\"],\"columns\":{\"8622e147-406f-4711-8f68-e2425614106e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique File types\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"8622e147-406f-4711-8f68-e2425614106e\",\"layerId\":\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"layerType\":\"data\"}},\"title\":\"Unique File Types [Logs 
AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"title\":\"Unique File Types [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-28549810-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"85ad73b3-3b76-49f1-ad20-6256b58918f8\":{\"columnOrder\":[\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\"],\"columns\":{\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA1\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha1\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\",\"layerId\":\"85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"layerType\":\"data\"}},\"title\":\"Unique SHA1 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"title\":\"Unique SHA1 [Logs 
OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-4ee4a490-3b37-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\":{\"columnOrder\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\",\"de0e531b-dda7-461f-9783-3ab9267d202e\"],\"columns\":{\"06b603cb-c9fb-493a-9ca4-e6502ca12054\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.file.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.type\"},\"de0e531b-dda7-461f-9783-3ab9267d202e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\"],\"layerId\":\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"File Types [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"w\":21,\"x\":22,\"y\":0},\"panelIndex\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"title\":\"File Types [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-d888e3e0-3b38-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b83c382d-fab9-4e60-a632-475e221cc20c\":{\"columnOrder\":[\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\"],\"columns\":{\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique MD5\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.md5\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\",\"layerId\":\"b83c382d-fab9-4e60-a632-475e221cc20c\",\"layerType\":\"data\"}},\"title\":\"Unique MD5 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"w\":6,\"x\":7,\"y\":8},\"panelIndex\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"title\":\"Unique MD5 [Logs 
OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-5d6111a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49b7070a-f1d3-46e1-a980-2f6d6d130167\":{\"columnOrder\":[\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\"],\"columns\":{\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA256\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha256\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\",\"layerId\":\"49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"layerType\":\"data\"}},\"title\":\"Unique SHA256 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"w\":6,\"x\":13,\"y\":8},\"panelIndex\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"title\":\"Unique SHA256 [Logs 
OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-118b51de-bd55-4ed6-b916-c939ad73b2c3\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"b8c9d8e0-3bb8-11ec-ae8c-7d00429ad420\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"118b51de-bd55-4ed6-b916-c939ad73b2c3\":{\"columnOrder\":[\"1ada77b6-5741-44ff-a00d-4653fca22f84\",\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\"],\"columns\":{\"1ada77b6-5741-44ff-a00d-4653fca22f84\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top Countries\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.geo.country_iso_code\"},\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Countries\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ada77b6-5741-44ff-a00d-4653fca22f84\"],\"layerId\":\"118b51de-bd55-4ed6-b916-c939ad73b2c3\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"dcc2a7b9-e44b-4681-ba02-bdea442ca9a5\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"Top Countries [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"6189e979-9121-4247-9942-fa7a3cc3839c\",\"w\":20,\"x\":7,\"y\":16},\"panelIndex\":\"6189e979-9121-4247-9942-fa7a3cc3839c\",\"title\":\"Top Countries [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"2d0c0ec0-3bbf-11ec-ae8c-7d00429ad420\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"06d9ac79-2055-437e-892c-de9ee07fe674\":{\"columnOrder\":[\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"df062557-78a5-4a78-93f1-34583c809bc3\"],\"columns\":{\"35f5321a-27f4-4076-9d1d-d326187f4689\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"File Names\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.name\"},\"df062557-78a5-4a78-93f1-34583c809bc3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"isTransposed\":false},{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"isTransposed\":false}],\"layerId\":\"06d9ac79-2055-437e-892c-de9ee07fe674\",\"layerType\":\"data\"}},\"title\":\"Most popular file names [Logs 
AbuseCH]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"w\":21,\"x\":27,\"y\":16},\"panelIndex\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"title\":\"Most popular file names [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs OTX] Files", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_otx-83b01770-71f3-11ec-9910-d1ceb8a1734b", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6189e979-9121-4247-9942-fa7a3cc3839c:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6189e979-9121-4247-9942-fa7a3cc3839c:indexpattern-datasource-layer-118b51de-bd55-4ed6-b916-c939ad73b2c3",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674",
+ "type": "index-pattern"
+ },
+ {
+ "id": "ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b",
+ "name": "tag-ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b",
+ "type": "tag"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/ti_otx/1.2.2/kibana/dashboard/ti_otx-8957ff80-71f3-11ec-9910-d1ceb8a1734b.json b/packages/ti_otx/1.2.2/kibana/dashboard/ti_otx-8957ff80-71f3-11ec-9910-d1ceb8a1734b.json
new file mode 100755
index 0000000000..d6094d2b40
--- /dev/null
+++ b/packages/ti_otx/1.2.2/kibana/dashboard/ti_otx-8957ff80-71f3-11ec-9910-d1ceb8a1734b.json
@@ -0,0 +1,97 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about URL type indicators from the Alienvault OTX integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"url\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"url\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_otx.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_otx.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[OTX Overview](/app/dashboards#/view/ti_otx-7da241a0-71f3-11ec-9910-d1ceb8a1734b) \\n[OTX Files](/app/dashboards#/view/ti_otx-83b01770-71f3-11ec-9910-d1ceb8a1734b) \\n**[OTX URLs (This Page)](/app/dashboards#/view/ti_otx-8957ff80-71f3-11ec-9910-d1ceb8a1734b)** \\n\\n[Integrations Page](/app/integrations/detail/ti_otx/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: url**. 
\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, file extensions, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs OTX]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"88a112e1-6da1-49d3-9177-19f98280c200\":{\"columnOrder\":[\"604f1693-15a6-437d-af69-03588db8e471\"],\"columns\":{\"604f1693-15a6-437d-af69-03588db8e471\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Ports\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"604f1693-15a6-437d-af69-03588db8e471\",\"layerId\":\"88a112e1-6da1-49d3-9177-19f98280c200\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"title\":\"Unique Ports [Logs 
OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a6fa56f8-32fa-405d-8771-dade4fe75d62\":{\"columnOrder\":[\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\"],\"columns\":{\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Extensions\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\",\"layerId\":\"a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"title\":\"Unique File Extensions [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c94400ee-a135-4a99-9693-5879d29f7aad\":{\"columnOrder\":[\"2934249f-fce5-4637-87ff-d2596d1b6ec5\"],\"columns\":{\"2934249f-fce5-4637-87ff-d2596d1b6ec5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2934249f-fce5-4637-87ff-d2596d1b6ec5\",\"layerId\":\"c94400ee-a135-4a99-9693-5879d29f7aad\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"w\":6,\"x\":19,\"y\":0},\"panelIndex\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"title\":\"Unique Domains [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9fa49c4c-5544-472d-afce-e51d6a5687fe\":{\"columnOrder\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\"],\"columns\":{\"15e2b5ad-2040-4253-89a6-60f085c66f86\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.url.extension\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.extension\"},\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"15e2b5ad-2040-4253-89a6-60f085c66f86\"],\"layerId\":\"9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":31,\"i\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"w\":23,\"x\":25,\"y\":0},\"panelIndex\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"title\":\"Most Popular File Extensions [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0f63318a-a857-4d83-89ce-a94e2242b79e\":{\"columnOrder\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\",\"77a48096-02aa-4b7a-8a7b-131fc38988bd\"],\"columns\":{\"77a48096-02aa-4b7a-8a7b-131fc38988bd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"df0791a6-247c-4434-a43a-fdea7577ca34\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.url.scheme\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.scheme\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\"],\"layerId\":\"0f63318a-a857-4d83-89ce-a94e2242b79e\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"w\":18,\"x\":7,\"y\":8},\"panelIndex\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"title\":\"Percentage of URL Schema used [Logs 
OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"db89074c-e1fe-4091-bdb1-e42a36e82bac\":{\"columnOrder\":[\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\"],\"columns\":{\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"isTransposed\":false},{\"columnId\":\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"isTransposed\":false}],\"layerId\":\"db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"w\":18,\"x\":7,\"y\":23},\"panelIndex\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"title\":\"Most Popular Domains [Logs OTX]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs OTX] URLs", + "version": 1 + }, + 
"coreMigrationVersion": "8.0.0",
+ "id": "ti_otx-8957ff80-71f3-11ec-9910-d1ceb8a1734b",
+ "migrationVersion": {
+ "dashboard": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac",
+ "type": "index-pattern"
+ },
+ {
+ "id": "ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b",
+ "name": "tag-ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b",
+ "type": "tag"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/ti_otx/1.2.2/kibana/tag/ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b.json b/packages/ti_otx/1.2.2/kibana/tag/ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b.json
new file mode 100755
index 0000000000..31f9238c67
--- /dev/null
+++ b/packages/ti_otx/1.2.2/kibana/tag/ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b.json
@@ -0,0 +1,14 @@
+{
+ "attributes": {
+ "color": "#6092C0",
+ "description": "",
+ "name": "OTX"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "ti_otx-6bc35230-71fd-11ec-9910-d1ceb8a1734b",
+ "migrationVersion": {
+ "tag": "8.0.0"
+ },
+ "references": [],
+ "type": "tag"
+}
\ No newline at end of file
diff --git a/packages/ti_otx/1.2.2/manifest.yml b/packages/ti_otx/1.2.2/manifest.yml
new file mode 100755
index 0000000000..0abe4dc6bd
--- /dev/null
+++ b/packages/ti_otx/1.2.2/manifest.yml
@@ -0,0 +1,26 @@ +name: ti_otx +title: AlienVault OTX +version: 1.2.2 +release: ga +description: Collect threat intelligence from AlienVault OTX with Elastic Agent. +type: integration +format_version: 1.0.0 +license: basic +categories: [security] +conditions: + kibana.version: ^8.0.0 +icons: + - src: /img/otx.svg + title: Alienvault OTX + size: 216x216 + type: image/svg+xml +policy_templates: + - name: ti_otx + title: Alienvault OTX + description: Collect threat intelligence from the Alienvault OTX + inputs: + - type: httpjson + title: "Collect ALienvault OTX logs via API" + description: "Collect Alienvault OTX logs via API" +owner: + github: elastic/security-external-integrations diff --git a/packages/ti_recordedfuture/0.1.2/changelog.yml b/packages/ti_recordedfuture/0.1.2/changelog.yml new file mode 100755 index 0000000000..a4bcae0216 --- /dev/null +++ b/packages/ti_recordedfuture/0.1.2/changelog.yml @@ -0,0 +1,16 @@ +# newer versions go on top +- version: "0.1.2" + changes: + - description: Add field mapping for event.created + type: enhancement + link: https://github.com/elastic/integrations/pull/3042 +- version: "0.1.1" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "0.1.0" + changes: + - description: Initial release + type: enhancement + link: https://github.com/elastic/integrations/pull/2757 diff --git a/packages/ti_recordedfuture/0.1.2/data_stream/threat/agent/stream/httpjson.yml.hbs b/packages/ti_recordedfuture/0.1.2/data_stream/threat/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..1e7156ac8c --- /dev/null +++ b/packages/ti_recordedfuture/0.1.2/data_stream/threat/agent/stream/httpjson.yml.hbs 
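Review bot: The input title `Collect ALienvault OTX logs via API` has a capitalisation slip ("ALienvault"), and the product name is spelled differently across `title: AlienVault OTX`, the icon `title: Alienvault OTX` and the policy template title/description; all of these are shown to users in Fleet. If this 1.2.2 snapshot is still editable, I would settle on the vendor's spelling and write `title: "Collect AlienVault OTX logs via API"` and `description: "Collect AlienVault OTX logs via API"`, with the icon and policy-template titles changed to match.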
@@ -0,0 +1,33 @@ +config_version: "2" +interval: {{interval}} +request.method: "GET" + +{{#if custom_url}} +request.url: "{{ custom_url }}" +{{else}} +request.url: "{{ endpoint }}/{{ entity }}/risklist?format=csv/splunk&gzip=false&list={{ list }}" +{{/if}} +{{#if proxy_url }} +request.proxy_url: {{proxy_url}} +{{/if}} +request.transforms: +{{#if api_token}} +- set: + target: header.X-RFToken + value: {{ api_token }} +{{/if}} +response.decode_as: text/csv +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/ti_recordedfuture/0.1.2/data_stream/threat/agent/stream/logfile.yml.hbs b/packages/ti_recordedfuture/0.1.2/data_stream/threat/agent/stream/logfile.yml.hbs new file mode 100755 index 0000000000..f2c693bdde --- /dev/null +++ b/packages/ti_recordedfuture/0.1.2/data_stream/threat/agent/stream/logfile.yml.hbs @@ -0,0 +1,20 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: [".gz$"] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +{{#if processors}} +{{processors}} +{{/if}} + - add_locale: ~ \ No newline at end of file diff --git a/packages/ti_recordedfuture/0.1.2/data_stream/threat/elasticsearch/ingest_pipeline/decode_csv.yml b/packages/ti_recordedfuture/0.1.2/data_stream/threat/elasticsearch/ingest_pipeline/decode_csv.yml new file mode 100755 index 0000000000..86c06b7a1d --- /dev/null +++ b/packages/ti_recordedfuture/0.1.2/data_stream/threat/elasticsearch/ingest_pipeline/decode_csv.yml 
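Review bot: In the `request.transforms` block the header value `value: {{ api_token }}` is rendered unquoted while `custom_url`/`request.url` are quoted; the rendered template is parsed as YAML, so a token containing ` #` would be silently truncated at the comment marker and one starting with a YAML indicator would fail to parse, with no hint to the user that the credential is wrong. Quote it like the URLs, `value: "{{ api_token }}"`, and for the same reason `request.proxy_url: "{{proxy_url}}"`. `entity` and `list` are free-text variables spliced straight into the request path and query string, so a value containing `/`, `&` or `#` changes the request; the accepted values should at least be documented on the variables, and validated if the spec version allows it. Note also that if `api_token` were empty the `{{#if}}` leaves `request.transforms:` with no entries, which parses as null rather than an empty list; the manifest marks the variable required, so this is hardening only, but wrapping the whole `request.transforms:` key in the conditional would make the template robust to it.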
@@ -0,0 +1,43 @@ +--- +description: Pipeline to decode CSV risklists from Recorded Future threat intel. +processors: + - csv: + field: event.original + target_fields: + - _tmp_.col0 + - _tmp_.col1 + - _tmp_.col2 + - _tmp_.col3 + - _tmp_.col4 + - drop: + description: 'Drops the CSV header line.' + if: 'ctx._tmp_.col0 == "Name"' + +# This supports the default CSV risklists: +# 4-column for url, domain and IPs. +# 5-column for hash. + - script: + description: Maps the CSV entries to fields. + lang: painless + params: + default: + col0: Name + col1: Risk + col2: RiskString + col3: EvidenceDetails + hash: + col0: Name + col1: Algorithm + col2: Risk + col3: RiskString + col4: EvidenceDetails + source: > + def cols = params[ ctx._tmp_.col4 == null? "default" : "hash" ]; + def src = ctx._tmp_; + def dst = new HashMap(); + for (entry in cols.entrySet()) { + dst[entry.getValue()] = src[entry.getKey()]; + } + ctx['json'] = dst; + - remove: + field: _tmp_ diff --git a/packages/ti_recordedfuture/0.1.2/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/ti_recordedfuture/0.1.2/data_stream/threat/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..2c2ec01047 --- /dev/null +++ b/packages/ti_recordedfuture/0.1.2/data_stream/threat/elasticsearch/ingest_pipeline/default.yml 
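Review bot: The script chooses the `hash` column layout purely on `ctx._tmp_.col4 == null`, so a hash-list line with only four columns would be mapped with the `default` layout (Algorithm ending up in Risk) and a four-column list with a stray fifth column would be treated as a hash, and neither case raises an error. That assumption deserves a comment on the `- script:` processor, e.g. `# Layout is inferred from the column count only: 5 columns => hash list, otherwise url/domain/ip list.`, and optionally a guard that `col1` is one of the supported algorithm names before selecting `hash`. Separately, the `# This supports the default CSV risklists:` comment appears to sit at column 0 inside the indented `processors` list; yamllint's comments-indentation check will flag it, so it should be indented to the level of the `- script:` item.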
@@ -0,0 +1,212 @@ +--- +description: Pipeline for parsing Recorded Future threat intel. +processors: +# +# Set basic ECS fields. +# + - set: + field: ecs.version + value: "8.0" + - set: + field: event.dataset + value: "ti_recordedfuture.threat" + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: threat + - set: + field: event.type + value: indicator + - set: + field: threat.feed.name + value: "Recorded Future" +# +# TODO: Add dashboard +# +# - set: +# field: threat.feed.dashboard_id +# value: "recordedfuture-96fe1e60-4261-11ec-b7be-d3026acdf1cf" + + - rename: + field: message + target_field: event.original + ignore_missing: true + +# +# Decode event.original as JSON if it starts with the "{" character. +# This is the common case when events are ingested from the API, as httpjson +# transforms the CSV to a JSON message. +# + - json: + field: event.original + target_field: json + if: 'ctx.event?.original != null && ctx.event.original.startsWith("{")' + on_failure: + - fail: + message: "Failed decoding message field as JSON: {{{ _ingest.on_failure_message }}}" + +# +# Decode event.original as CSV when the above processor didn't execute. +# This is used when ingesting CSV lines from a file. +# + - pipeline: + name: '{{ IngestPipeline "decode_csv" }}' + if: 'ctx.json == null' + on_failure: + - fail: + message: "Failed decoding message field as CSV: {{{ _ingest.on_failure_message }}}" + +# +# Decode EvidenceDetails column as JSON. +# + - json: + field: json.EvidenceDetails + target_field: _temp_.EvidenceDetails + ignore_failure: true + + - rename: + field: _temp_.EvidenceDetails.EvidenceDetails + target_field: json.evidence_details + ignore_missing: true + +# +# Hash indicators (threat.indicator.type=file) +# As risklist indicators don't have a "type" field, it's necessary +# to detect the kind of indicator in the Name field. +# +# An indicator is of type `hash` when the Algorithm field is present. 
+# + - set: + field: threat.indicator.type + value: file + if: 'ctx.json.Algorithm != null' + - script: + lang: painless + description: > + Map file hashes. + if: "ctx.json.Algorithm != null" + params: + MD5: md5 + SHA-1: sha1 + SHA-256: sha256 + SHA-384: sha384 + SHA-512: sha512 + source: >- + def key = params[ctx.json.Algorithm]; + if (key == null) { + throw new Exception("Unsupported hash algorithm '" + ctx.json.Algorithm + "'"); + } + def hashes = [key:ctx.json.Name]; + ctx["_hashes"] = hashes; + on_failure: + - append: + field: error.message + value: "Failed to map fileHashes field: {{{ _ingest.on_failure_message }}}" + - rename: + field: _hashes + target_field: threat.indicator.file.hash + ignore_missing: true + +# +# IP indicators (threat.indicator.type=ipvN-addr) +# +# An indicator is of type `ip` if Name is a valid IP address. +# + - convert: + field: json.Name + target_field: threat.indicator.ip + type: ip + ignore_failure: true + if: 'ctx.threat?.indicator?.type == null' + - set: + field: threat.indicator.type + value: ipv4-addr + if: 'ctx.threat?.indicator?.ip != null && !ctx.threat.indicator.ip.contains(":")' + - set: + field: threat.indicator.type + value: ipv6-addr + if: 'ctx.threat?.indicator?.ip != null && ctx.threat.indicator.ip.contains(":")' + +# +# URL indicators (threat.indicator.type=url) +# An indicator is of type `url` if Name contains a slash character. +# + - set: + field: threat.indicator.type + value: url + if: 'ctx.threat?.indicator?.type == null && ctx.json.Name.contains("/")' + - uri_parts: + field: json.Name + target_field: threat.indicator.url + keep_original: true + if: 'ctx.threat?.indicator?.type == "url"' +# +# Domain indicators (threat.indicator.type=domain) +# This is a catch-all type. 
+# + - set: + field: threat.indicator.type + value: domain-name + if: 'ctx.threat?.indicator?.type == null' + - set: + field: threat.indicator.url.domain + value: '{{{ json.Name }}}' + ignore_empty_value: true + if: 'ctx.threat?.indicator?.type == "domain-name" && ctx.threat?.indicator?.url?.domain == null' + +# +# Normalize Risk +# + - convert: + field: json.Risk + target_field: event.risk_score + ignore_missing: true + type: float + on_failure: + - append: + field: error.message + value: "Risk score `{{{ json.Risk }}}` cannot be converted to float: {{{ _ingest.on_failure_message }}}" + +# +# Fingerprint event: _id = hash(dataset + indicator type + indicator value) +# + - fingerprint: + fields: + - event.dataset + - threat.indicator.type + - json.Name + target_field: "_id" + +# +# Save fields without an ECS mapping under `recordedfuture`. +# + - rename: + field: json.RiskString + target_field: json.risk_string + ignore_missing: true + - rename: + field: json + target_field: recordedfuture + +# +# Cleanup +# + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - remove: + field: + - recordedfuture.Algorithm + - recordedfuture.EvidenceDetails + - recordedfuture.Name + - recordedfuture.Risk + - _temp_ + ignore_missing: true +on_failure: + - append: + field: error.message + value: "{{{ _ingest.on_failure_message }}}" diff --git a/packages/ti_recordedfuture/0.1.2/data_stream/threat/fields/agent.yml b/packages/ti_recordedfuture/0.1.2/data_stream/threat/fields/agent.yml new file mode 100755 index 0000000000..da4e652c53 --- /dev/null +++ b/packages/ti_recordedfuture/0.1.2/data_stream/threat/fields/agent.yml 
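Review bot: `fields.yml` in this package declares `recordedfuture.name` ("Indicator value.") but this pipeline never populates it: `json.Name` is read for type detection and the fingerprint, then `recordedfuture.Name` is removed in the final cleanup, and the sample event confirms `recordedfuture` carries only `evidence_details` and `risk_string`. Either add `- rename: {field: json.Name, target_field: json.name, ignore_missing: true}` next to the `json.RiskString` rename and drop `recordedfuture.Name` from the remove list, or delete the unused mapping from fields.yml. In the same vein, the hash script maps `SHA-384` to `threat.indicator.file.hash.sha384`, but ecs.yml here declares only md5, sha1, sha256 and sha512, so a SHA-384 indicator, if the feed ever delivers one, would land in an unmapped field. Minor style point: the `if:` strings alternate between single and double quotes (`'ctx.json.Algorithm != null'` vs `"ctx.json.Algorithm != null"` two processors apart); pick one.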
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/ti_recordedfuture/0.1.2/data_stream/threat/fields/base-fields.yml b/packages/ti_recordedfuture/0.1.2/data_stream/threat/fields/base-fields.yml new file mode 100755 index 0000000000..1fbc652b8a --- /dev/null +++ b/packages/ti_recordedfuture/0.1.2/data_stream/threat/fields/base-fields.yml @@ -0,0 +1,31 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: ti_recordedfuture +- name: event.dataset + type: constant_keyword + description: Event dataset + value: ti_recordedfuture.threat +- name: threat.feed.name + type: constant_keyword + description: Display friendly feed name + value: Recorded Future +# +# TODO: Add dashboard +# +#- name: threat.feed.dashboard_id +# type: constant_keyword +# description: Dashboard ID used for Kibana CTI UI +# value: recordedfuture-96fe1e60-4261-11ec-b7be-d3026acdf1cf +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/ti_recordedfuture/0.1.2/data_stream/threat/fields/beats.yml b/packages/ti_recordedfuture/0.1.2/data_stream/threat/fields/beats.yml new file mode 100755 index 0000000000..cb44bb2944 --- /dev/null +++ b/packages/ti_recordedfuture/0.1.2/data_stream/threat/fields/beats.yml @@ -0,0 +1,12 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.flags + type: keyword + description: Flags for the log file. +- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.file.path + type: keyword + description: Path to the log file. 
diff --git a/packages/ti_recordedfuture/0.1.2/data_stream/threat/fields/ecs.yml b/packages/ti_recordedfuture/0.1.2/data_stream/threat/fields/ecs.yml new file mode 100755 index 0000000000..1a807ca505 --- /dev/null +++ b/packages/ti_recordedfuture/0.1.2/data_stream/threat/fields/ecs.yml 
@@ -0,0 +1,191 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
+ name: event.category + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: The date and time when intelligence source first reported sighting this indicator. + name: threat.indicator.first_seen + type: date +- description: The date and time when intelligence source last reported sighting this indicator. + name: threat.indicator.last_seen + type: date +- description: |- + Type of indicator as represented by Cyber Observable in STIX 2.0. + Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate + name: threat.indicator.type + type: keyword +- description: Identifies a threat indicator as an IP address (irrespective of direction). + name: threat.indicator.ip + type: ip +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
+ If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: threat.indicator.url.domain + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.full + type: wildcard +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: threat.indicator.url.extension + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.original + type: wildcard +- description: Path of the request, such as "/search". + name: threat.indicator.url.path + type: wildcard +- description: Port of the request, such as 443. + name: threat.indicator.url.port + type: long +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: threat.indicator.url.scheme + type: keyword +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. 
If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: threat.indicator.url.query + type: keyword +- description: MD5 hash. + name: threat.indicator.file.hash.md5 + type: keyword +- description: SHA1 hash. + name: threat.indicator.file.hash.sha1 + type: keyword +- description: SHA256 hash. + name: threat.indicator.file.hash.sha256 + type: keyword +- description: SHA512 hash. + name: threat.indicator.file.hash.sha512 + type: keyword +- description: Identifies a threat indicator as an email address (irrespective of direction). + name: threat.indicator.email.address + type: keyword +- description: The name of the indicator's provider. + name: threat.indicator.provider + type: keyword +- description: |- + Traffic Light Protocol sharing markings. + Recommended values are: + * WHITE + * GREEN + * AMBER + * RED + name: threat.indicator.marking.tlp + type: keyword +- description: |- + Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. + Expected values are: + * Not Specified + * None + * Low + * Medium + * High + name: threat.indicator.confidence + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: threat.indicator.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.as.organization.name + type: keyword +- description: Longitude and latitude. + name: threat.indicator.geo.location.lat + type: geo_point +- description: Longitude and latitude. + name: threat.indicator.geo.location.lon + type: geo_point +- description: Country ISO code. + name: threat.indicator.geo.country_iso_code + type: keyword 
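Review bot: `threat.indicator.geo.location.lat` and `threat.indicator.geo.location.lon` are each declared as `type: geo_point`, which does not match ECS, where `geo.location` is a single `geo_point` field that carries the lat/lon pair. As written the mapping makes `location` an object with two geo_point children, so a document carrying `geo.location: {lat: …, lon: …}` would presumably be rejected at index time; nothing in `default.yml` sets these fields today, so the defect is latent, but the two entries should collapse into one `- name: threat.indicator.geo.location` with `type: geo_point` and the description "Longitude and latitude.".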
diff --git a/packages/ti_recordedfuture/0.1.2/data_stream/threat/fields/fields.yml b/packages/ti_recordedfuture/0.1.2/data_stream/threat/fields/fields.yml new file mode 100755 index 0000000000..a81fd75d00 --- /dev/null +++ b/packages/ti_recordedfuture/0.1.2/data_stream/threat/fields/fields.yml @@ -0,0 +1,21 @@ +- name: recordedfuture + type: group + description: > + Fields for Recorded Future Threat Intel + + fields: + - name: evidence_details + type: flattened + description: > + List of sightings used as evidence for this indicator. + + - name: name + type: keyword + description: > + Indicator value. + + - name: risk_string + type: keyword + description: > + Details of risk rules observed. + diff --git a/packages/ti_recordedfuture/0.1.2/data_stream/threat/manifest.yml b/packages/ti_recordedfuture/0.1.2/data_stream/threat/manifest.yml new file mode 100755 index 0000000000..dfc711d668 --- /dev/null +++ b/packages/ti_recordedfuture/0.1.2/data_stream/threat/manifest.yml 
@@ -0,0 +1,125 @@ +type: logs +title: Recorded Future +streams: + - input: logfile + enabled: false + template_path: logfile.yml.hbs + title: Recorded Future CSV file + description: Reads indicators from a Recorded Future CSV file. + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - recordedfuture + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - input: httpjson + template_path: httpjson.yml.hbs + title: Recorded Future risklist + description: Receives indicators from Recorded Future risklist endpoints. + vars: + - name: entity + type: text + title: Entity + description: The type of entity to fetch. One of domain, hash, ip or url. + multi: false + required: true + show_user: true + default: domain + - name: list + type: text + title: List + description: List to fetch for the given entity. + default: default + multi: false + required: true + show_user: true + - name: interval + type: text + title: Interval between risklist downloads. + description: Use Go Duration syntax (eg. 1h) + default: "1h" + multi: false + required: true + show_user: true + - name: api_token + type: text + title: API Token + description: Recorded Future API Token (RF_TOKEN). 
+ multi: false + required: true + show_user: true + - name: custom_url + type: url + title: Custom URL + description: URL to download a custom Fusion File. + multi: false + required: false + show_user: false + - name: endpoint + type: url + title: API Endpoint + description: Base API URL. + multi: false + required: true + show_user: false + default: https://api.recordedfuture.com/v2 + - name: proxy_url + type: url + title: Proxy URL + description: Optional proxy server to use. + multi: false + required: false + show_user: false + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - recordedfuture + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/ti_recordedfuture/0.1.2/data_stream/threat/sample_event.json b/packages/ti_recordedfuture/0.1.2/data_stream/threat/sample_event.json new file mode 100755 index 0000000000..b26841f9b8 --- /dev/null +++ b/packages/ti_recordedfuture/0.1.2/data_stream/threat/sample_event.json 
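Review bot: `api_token` is declared `type: text` (its declaration starts on the previous physical line), so Fleet shows the Recorded Future token in clear in the policy editor and treats it like any other string; the package-spec `password` variable type exists for exactly this and masks the value in the UI, so `type: password` is the right choice here. `entity` is documented as "One of domain, hash, ip or url" but is a free-text variable that the httpjson template splices straight into the request path; if the spec version in use supports `type: select`, constrain it to those values, otherwise keep the accepted values in the description. Minor: the title `Interval between risklist downloads.` ends with a period unlike the other titles, and the logfile stream's `paths` variable has no description.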
@@ -0,0 +1,110 @@ +{ + "@timestamp": "2022-04-11T09:21:48.260Z", + "agent": { + "ephemeral_id": "b69c55be-abc6-4a16-900f-986a2cc693a0", + "id": "967e40bc-86fa-4632-b571-afd40cfbcb8a", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "ti_recordedfuture.threat", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0" + }, + "elastic_agent": { + "id": "967e40bc-86fa-4632-b571-afd40cfbcb8a", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "dataset": "ti_recordedfuture.threat", + "ingested": "2022-04-11T09:21:49Z", + "kind": "enrichment", + "risk_score": 87, + "timezone": "+00:00", + "type": "indicator" + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/rf_url_default.csv" + }, + "offset": 45 + }, + "recordedfuture": { + "evidence_details": [ + { + "Criticality": 1, + "CriticalityLabel": "Unusual", + "EvidenceString": "66 sightings on 22 sources including: Ars Technica, fook.news, urdupresss.com, HackDig Posts, apple.news. 
Most recent link (Jul 20, 2021): https://techsecuritenews.com/solarwinds-pirates-utilisent-nouvelle-faille-zero-day-attaques/", + "MitigationString": "", + "Name": "defangedURL", + "Rule": "Historically Reported as a Defanged URL", + "Sources": [ + "Ctq", + "idn:fook.news", + "idn:urdupresss.com", + "POs2u-", + "idn:apple.news", + "idn:cryptoinfoos.com.ng", + "g9rk5F", + "idn:thewindowsupdate.com", + "idn:nationalcybersecuritynews.today", + "gBDK5G", + "idn:microsoft.com", + "idn:techsecuritenews.com", + "idn:mblogs.info", + "J6UzbO", + "idn:viralamo.com", + "idn:sellorbuyhomefast.com", + "idn:crazyboy.tech", + "idn:times24h.com", + "idn:buzzfeeg.com", + "idn:dsmenders.com", + "WroSbs", + "idn:vzonetvgh.com" + ], + "Timestamp": "2021-07-20T00:00:00.000Z" + }, + { + "Criticality": 3, + "CriticalityLabel": "Malicious", + "EvidenceString": "1 sighting on 1 source: Insikt Group. 1 report: SolarWinds Fixes Critical Vulnerability in Serv-U Managed File Transfer and Secure FTP Products. Most recent link (Jul 10, 2021): https://app.recordedfuture.com/live/sc/1GnDrn8zigTd", + "MitigationString": "", + "Name": "recentAnalystNote", + "Rule": "Recently Reported by Insikt Group", + "Sources": [ + "VKz42X" + ], + "Timestamp": "2021-07-10T00:00:00.000Z" + } + ], + "risk_string": "2/24" + }, + "tags": [ + "forwarded", + "recordedfuture" + ], + "threat": { + "feed": { + "name": "Recorded Future" + }, + "indicator": { + "type": "url", + "url": { + "domain": "144.34.179.162", + "original": "http://144.34.179.162/a", + "path": "/a", + "scheme": "http" + } + } + } +} \ No newline at end of file diff --git a/packages/ti_recordedfuture/0.1.2/docs/README.md b/packages/ti_recordedfuture/0.1.2/docs/README.md new file mode 100755 index 0000000000..b6d3fb5301 --- /dev/null +++ b/packages/ti_recordedfuture/0.1.2/docs/README.md 
@@ -0,0 +1,215 @@ +# Recorded Future Integration + +The Recorded Future integration fetches _risklists_ from the Recorded Future API. +It supports `domain`, `hash`, `ip` and `url` entities. + +In order to use it you need to define the `entity` and `list` to fetch. Check with +Recorded Future for the available lists for each entity. To fetch indicators +from multiple entities, it's necessary to define one integration for each. + +Alternatively, it's also possible to use the integration to fetch custom Fusion files +by supplying the URL to the CSV file as the _Custom_ _URL_ configuration option. + +An example event for `threat` looks as following: + +```json +{ + "@timestamp": "2022-04-11T09:21:48.260Z", + "agent": { + "ephemeral_id": "b69c55be-abc6-4a16-900f-986a2cc693a0", + "id": "967e40bc-86fa-4632-b571-afd40cfbcb8a", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "ti_recordedfuture.threat", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0" + }, + "elastic_agent": { + "id": "967e40bc-86fa-4632-b571-afd40cfbcb8a", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "dataset": "ti_recordedfuture.threat", + "ingested": "2022-04-11T09:21:49Z", + "kind": "enrichment", + "risk_score": 87, + "timezone": "+00:00", + "type": "indicator" + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/tmp/service_logs/rf_url_default.csv" + }, + "offset": 45 + }, + "recordedfuture": { + "evidence_details": [ + { + "Criticality": 1, + "CriticalityLabel": "Unusual", + "EvidenceString": "66 sightings on 22 sources including: Ars Technica, fook.news, urdupresss.com, HackDig Posts, apple.news. 
Most recent link (Jul 20, 2021): https://techsecuritenews.com/solarwinds-pirates-utilisent-nouvelle-faille-zero-day-attaques/", + "MitigationString": "", + "Name": "defangedURL", + "Rule": "Historically Reported as a Defanged URL", + "Sources": [ + "Ctq", + "idn:fook.news", + "idn:urdupresss.com", + "POs2u-", + "idn:apple.news", + "idn:cryptoinfoos.com.ng", + "g9rk5F", + "idn:thewindowsupdate.com", + "idn:nationalcybersecuritynews.today", + "gBDK5G", + "idn:microsoft.com", + "idn:techsecuritenews.com", + "idn:mblogs.info", + "J6UzbO", + "idn:viralamo.com", + "idn:sellorbuyhomefast.com", + "idn:crazyboy.tech", + "idn:times24h.com", + "idn:buzzfeeg.com", + "idn:dsmenders.com", + "WroSbs", + "idn:vzonetvgh.com" + ], + "Timestamp": "2021-07-20T00:00:00.000Z" + }, + { + "Criticality": 3, + "CriticalityLabel": "Malicious", + "EvidenceString": "1 sighting on 1 source: Insikt Group. 1 report: SolarWinds Fixes Critical Vulnerability in Serv-U Managed File Transfer and Secure FTP Products. Most recent link (Jul 10, 2021): https://app.recordedfuture.com/live/sc/1GnDrn8zigTd", + "MitigationString": "", + "Name": "recentAnalystNote", + "Rule": "Recently Reported by Insikt Group", + "Sources": [ + "VKz42X" + ], + "Timestamp": "2021-07-10T00:00:00.000Z" + } + ], + "risk_string": "2/24" + }, + "tags": [ + "forwarded", + "recordedfuture" + ], + "threat": { + "feed": { + "name": "Recorded Future" + }, + "indicator": { + "type": "url", + "url": { + "domain": "144.34.179.162", + "original": "http://144.34.179.162/a", + "path": "/a", + "scheme": "http" + } + } + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| recordedfuture.evidence_details | List of sightings used as evidence for this indicator. | flattened | +| recordedfuture.name | Indicator value. | keyword | +| recordedfuture.risk_string | Details of risk rules observed. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| threat.feed.name | Display friendly feed name | constant_keyword | +| threat.indicator.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| threat.indicator.as.organization.name | Organization name. | keyword | +| threat.indicator.as.organization.name.text | Multi-field of `threat.indicator.as.organization.name`. | match_only_text | +| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: \* Not Specified \* None \* Low \* Medium \* High | keyword | +| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | +| threat.indicator.file.hash.md5 | MD5 hash. | keyword | +| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | +| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | +| threat.indicator.file.hash.sha512 | SHA512 hash. | keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.geo.country_iso_code | Country ISO code. | keyword | +| threat.indicator.geo.location.lat | Longitude and latitude. | geo_point | +| threat.indicator.geo.location.lon | Longitude and latitude. | geo_point | +| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. Recommended values are: \* WHITE \* GREEN \* AMBER \* RED | keyword | +| threat.indicator.provider | The name of the indicator's provider. | keyword | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. 
Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword | +| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | +| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | +| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | +| threat.indicator.url.port | Port of the request, such as 443. 
| long | +| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | + diff --git a/packages/ti_recordedfuture/0.1.2/img/logo.svg b/packages/ti_recordedfuture/0.1.2/img/logo.svg new file mode 100755 index 0000000000..9bb0517562 --- /dev/null +++ b/packages/ti_recordedfuture/0.1.2/img/logo.svg @@ -0,0 +1,21 @@ + + + + + + + + + + + + diff --git a/packages/ti_recordedfuture/0.1.2/manifest.yml b/packages/ti_recordedfuture/0.1.2/manifest.yml new file mode 100755 index 0000000000..c97fd6fcd6 --- /dev/null +++ b/packages/ti_recordedfuture/0.1.2/manifest.yml @@ -0,0 +1,29 @@ +name: ti_recordedfuture +title: Recorded Future +version: 0.1.2 +release: beta +description: Collect threat intelligence from Recorded Future with Elastic Agent. +type: integration +format_version: 1.0.0 +license: basic +categories: [security] +conditions: + kibana.version: ^8.0.0 +icons: + - src: /img/logo.svg + title: Recorded Future + size: 216x216 + type: image/svg+xml +policy_templates: + - name: ti_recordedfuture + title: Recorded Future + description: Collect threat intelligence from Recorded Future. + inputs: + - type: httpjson + title: "Collect threat intelligence from Recorded Future risklists API." + description: "Use RecordedFuture API to fetch a risklist" + - type: logfile + title: "Collect threat intelligence from CSV file." + description: "Load indicators from a CSV file" +owner: + github: elastic/security-external-integrations 
diff --git a/packages/ti_threatq/1.2.2/changelog.yml b/packages/ti_threatq/1.2.2/changelog.yml
new file mode 100755
index 0000000000..c22007ca9e
--- /dev/null
+++ b/packages/ti_threatq/1.2.2/changelog.yml
@@ -0,0 +1,36 @@
+# newer versions go on top
+- version: "1.2.2"
+ changes:
+ - description: Add event.created field mapping
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3042
+- version: "1.2.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.2.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2450
+- version: "1.1.0"
+ changes:
+ - description: Add threat.feed ECS fields and dashboard
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2543
+- version: "1.0.2"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.0.1"
+ changes:
+ - description: Bumping minimum version
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2063
+- version: "1.0.0"
+ changes:
+ - description: Initial release
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1946
diff --git a/packages/ti_threatq/1.2.2/data_stream/threat/agent/stream/httpjson.yml.hbs b/packages/ti_threatq/1.2.2/data_stream/threat/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..f03799a9c9
--- /dev/null
+++ b/packages/ti_threatq/1.2.2/data_stream/threat/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,56 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "GET"
+
+auth.oauth2:
+ client.id: {{client_id}}
+ client.secret: {{client_secret}}
+ token_url: {{token_url}}
+
+request.url: {{host}}/api/indicators/query/hash/{{data_collection_id}}
+
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+
+request.transforms:
+- set:
+ target: url.params.sort
+ value: updated_at
+- set:
+ target: url.params.limit
+ value: 100
+- set:
+ target: url.params.cursorMark
+ value: '[[.cursor.cursor_mark]]'
+ default: "*"
+cursor:
+ cursor_mark:
+ ignore_empty_value: true
+ value: '[[.last_response.body.nextCursorMark]]'
+response.request_body_on_pagination: true
+
+response.split:
+ target: body.data
+ fail_on_template_error: true
+
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/ti_threatq/1.2.2/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/ti_threatq/1.2.2/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..be43fea36b
--- /dev/null
+++ b/packages/ti_threatq/1.2.2/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
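Review bot: `client.secret: {{client_secret}}` (and likewise `client.id`, `token_url` and `host`) are substituted into the rendered YAML unquoted, so a credential that contains `: ` or ` #`, or that begins with a YAML indicator character, yields an input config that mis-parses or fails to load instead of being rejected when the policy is saved. Whether wrapping the value in quotes is safe depends on how the template renderer treats a `"` inside the secret, so confirm that with the rendering layer before changing it. Separately, the block parameter `i` in `{{#each tags as |tag i|}}` is never used; `{{#each tags as |tag|}}` says the same thing without the unused binding.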
@@ -0,0 +1,344 @@
+---
+description: Pipeline for parsing ThreatQ Threat Intel
+processors:
+ ####################
+ # Event ECS fields #
+ ####################
+ - set:
+ field: event.ingested
+ value: "{{_ingest.timestamp}}"
+ - set:
+ field: ecs.version
+ value: "8.0.0"
+ - set:
+ field: event.kind
+ value: enrichment
+ - set:
+ field: event.category
+ value: threat
+ - set:
+ field: event.type
+ value: indicator
+
+ ###############
+ # Parse dates #
+ ###############
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ - fingerprint:
+ fields:
+ - json.id
+ - json.indicator_id
+ target_field: "_id"
+ ignore_missing: true
+ - date:
+ target_field: "@timestamp"
+ field: "json.updated_at"
+ formats:
+ - "yyyy-MM-dd HH:mm:ss"
+ if: "ctx.json.updated_at != null"
+ ignore_failure: true
+ - date:
+ target_field: "threatq.created_at"
+ field: "json.created_at"
+ formats:
+ - "yyyy-MM-dd HH:mm:ss"
+ if: "ctx.json.created_at != null"
+ ignore_failure: true
+ - date:
+ target_field: "threatq.expires_at"
+ field: "json.expires_at"
+ formats:
+ - "yyyy-MM-dd HH:mm:ss"
+ if: "ctx.json.expires_at != null"
+ ignore_failure: true
+ - date:
+ target_field: "threatq.expires_calculated_at"
+ field: "json.expires_calculated_at"
+ formats:
+ - "yyyy-MM-dd HH:mm:ss"
+ if: "ctx.json.expires_calculated_at != null"
+ ignore_failure: true
+ - date:
+ target_field: "threatq.published_at"
+ field: "json.published_at"
+ formats:
+ - "yyyy-MM-dd HH:mm:ss"
+ if: "ctx.json.published_at != null"
+ ignore_failure: true
+
+ #####################
+ # Threat ECS Fields #
+ #####################
+ - rename:
+ field: json.type.name
+ target_field: threat.indicator.type
+ ignore_missing: true
+ - rename:
+ field: json.description
+ target_field: threat.indicator.description
+ ignore_missing: true
+ - script:
+ lang: painless
+ if: ctx.json?.score != null
+ description: >
+ Normalize confidence level.
+ source: >
+ def value = ctx.json.score;
+ if (value <= 0.0 || value > 100.0) {
+ ctx.threat.indicator.confidence = "None";
+ return;
+ }
+ if (value >= 1.0 && value <= 29.0) {
+ ctx.threat.indicator.confidence = "Low";
+ return;
+ }
+ if (value >= 30.0 && value <= 69.0) {
+ ctx.threat.indicator.confidence = "Med";
+ return;
+ }
+ if (value >= 70 && value <= 100) {
+ ctx.threat.indicator.confidence = "High";
+ return;
+ }
+ - rename:
+ field: json.status.name
+ target_field: threatq.status
+ ignore_missing: true
+ - rename:
+ field: json.value
+ target_field: threatq.indicator_value
+ ignore_missing: true
+
+ #########################################
+ # Map indicator types and values to ECS #
+ #########################################
+
+ # Indicator type: Email Address
+ - set:
+ field: threat.indicator.email.address
+ copy_from: threatq.indicator_value
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'Email Address'"
+ ignore_empty_value: true
+ - set:
+ field: threat.indicator.type
+ value: email-addr
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'Email Address'"
+
+ # Indicator type: FQDN
+ - set:
+ field: threat.indicator.domain
+ copy_from: threatq.indicator_value
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'FQDN'"
+ ignore_empty_value: true
+ - set:
+ field: threat.indicator.type
+ value: domain-name
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'FQDN'"
+
+ # Indicator type: IP Address
+ - set:
+ field: threat.indicator.ip
+ copy_from: threatq.indicator_value
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IP Address'"
+ ignore_empty_value: true
+
+ - set:
+ field: threat.indicator.type
+ value: ipv4-addr
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IP Address'"
+
+ # Indicator type: IPv6 Address
+ - set:
+ field: threat.indicator.domain
+ copy_from:
threatq.indicator_value
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IPv6 Address'"
+ ignore_empty_value: true
+ - set:
+ field: threat.indicator.type
+ value: ipv6-addr
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'IPv6 Address'"
+
+ # Indicator type: MD5
+ - set:
+ field: threat.indicator.file.hash.md5
+ copy_from: threatq.indicator_value
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'MD5'"
+ ignore_empty_value: true
+ - set:
+ field: threat.indicator.type
+ value: file
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'MD5'"
+
+ # Indicator type: SHA-1
+ - set:
+ field: threat.indicator.file.hash.sha1
+ copy_from: threatq.indicator_value
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-1'"
+ ignore_empty_value: true
+ - set:
+ field: threat.indicator.type
+ value: file
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-1'"
+
+ # Indicator type: SHA-256
+ - set:
+ field: threat.indicator.file.hash.sha256
+ copy_from: threatq.indicator_value
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-256'"
+ ignore_empty_value: true
+ - set:
+ field: threat.indicator.type
+ value: file
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-256'"
+
+ # Indicator type: SHA-512
+ - set:
+ field: threat.indicator.file.hash.sha512
+ copy_from: threatq.indicator_value
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-512'"
+ ignore_empty_value: true
+ - set:
+ field: threat.indicator.type
+ value: file
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'SHA-512'"
+
+ # Indicator type: URL
+ - uri_parts:
+ field: threatq.indicator_value
+ target_field: threat.indicator.url
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'URL' &&
ctx.threatq?.indicator_value != null"
+ remove_if_successful: true
+ - set:
+ field: threat.indicator.type
+ value: url
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'URL'"
+
+ # Indicator type: x509 Serial
+ - set:
+ field: threat.indicator.x509.serial_number
+ copy_from: threatq.indicator_value
+ if: "ctx.threat?.indicator?.type != null && ctx.threat?.indicator?.type == 'x509 Serial'"
+ ignore_empty_value: true
+
+ ###################################
+ # Map indicator providers and TLP #
+ ###################################
+ - script:
+ if: "ctx.json?.sources != null && ctx.json?.sources instanceof List && ctx.json?.sources.size() > 0"
+ lang: painless
+ description: "Extract TLP and providers from source"
+ source: |-
+ def providers = new ArrayList();
+ def tlps = new ArrayList();
+ for (source in ctx.json.sources) {
+ if (source == null) {
+ return;
+ }
+ if (source.containsKey("provider") && source["provider"] != null) {
+ providers.add(source["provider"]);
+ }
+ if (source.containsKey("tlp_name") && source["tlp_name"] != null) {
+ tlps.add(source["tlp_name"]);
+ }
+ }
+ if (tlps.size() > 0) {
+ if (ctx.threat.indicator.marking == null) {
+ ctx.threat.indicator.marking = new HashMap();
+ }
+ ctx.threat.indicator.marking.tlp = tlps;
+ }
+ if (providers.size() > 0) {
+ if (ctx.threat.indicator.provider == null) {
+ ctx.threat.indicator.provider = new HashMap();
+ }
+ ctx.threat.indicator.provider = providers;
+ }
+
+ ############################
+ # Map indicator attributes #
+ ############################
+ - foreach:
+ description: Change attribute names to lowercase
+ field: json.attributes
+ ignore_missing: true
+ processor:
+ lowercase:
+ field: "_ingest._value.name"
+ - foreach:
+ description: Replaces spaces with underscore in attribute names
+ field: json.attributes
+ ignore_missing: true
+ processor:
+ gsub:
+ field: "_ingest._value.name"
+ pattern: " "
+ replacement: "_"
+ - foreach:
+ description: Append attributes
+ 
field: json.attributes
+ ignore_missing: true
+ processor:
+ append:
+ field: threatq.attributes.{{{ _ingest._value.name }}}
+ value: "{{{ _ingest._value.value }}}"
+
+ #############################
+ # Map indicator adversaries #
+ #############################
+ - foreach:
+ field: json.adversaries
+ ignore_missing: true
+ processor:
+ append:
+ field: threatq.adversaries
+ value: "{{{ _ingest._value.name }}}"
+
+ ######################
+ # Cleanup processors #
+ ######################
+ # Setting indicator type to unknown if it does not match anything
+ - set:
+ field: threat.indicator.type
+ value: unknown
+ if: ctx.threat?.indicator?.type == null
+ - script:
+ lang: painless
+ if: ctx.threat != null
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null);
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ }
+ handleMap(ctx);
+
+ # Removing fields not needed anymore, either because its copied somewhere else, or is not relevant to this event
+ - remove:
+ field:
+ - json
+ - message
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/ti_threatq/1.2.2/data_stream/threat/fields/agent.yml b/packages/ti_threatq/1.2.2/data_stream/threat/fields/agent.yml
new file mode 100755
index 0000000000..da4e652c53
--- /dev/null
+++ b/packages/ti_threatq/1.2.2/data_stream/threat/fields/agent.yml
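Review bot: The `IPv6 Address` branch copies the indicator value into `threat.indicator.domain` where the `IP Address` branch uses `threat.indicator.ip`, so an IPv6 indicator is typed `ipv6-addr` but never populates `threat.indicator.ip` and indicator-match rules keyed on that field will not see it; that `set` should read `field: threat.indicator.ip`. In the confidence script, `Med` is not one of the values ECS expects for `threat.indicator.confidence` (None, Low, Medium, High), and if `json.score` can be non-integral the inclusive ranges leave gaps at (0,1), (29,30) and (69,70) where no label is set at all; `ctx.threat.indicator.confidence = "Medium";` together with half-open bounds such as `value < 30.0` / `value < 70.0` would close both. Both Painless scripts assign through `ctx.threat.indicator` without a guard, and when neither `json.type.name` nor `json.description` was present (the preceding renames are `ignore_missing`) that dereference throws and the document ends up in the `on_failure` handler with its enrichment lost, so `if (ctx.threat == null) { ctx.threat = [:]; }` and `if (ctx.threat.indicator == null) { ctx.threat.indicator = [:]; }` at the top of each script are worth adding. In the source-extraction script, `return` on a null element abandons all remaining sources where `continue` looks intended, and the `new HashMap()` assigned to `provider` is immediately overwritten by the list.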
@@ -0,0 +1,198 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/ti_threatq/1.2.2/data_stream/threat/fields/base-fields.yml b/packages/ti_threatq/1.2.2/data_stream/threat/fields/base-fields.yml
new file mode 100755
index 0000000000..701a58f151
--- /dev/null
+++ b/packages/ti_threatq/1.2.2/data_stream/threat/fields/base-fields.yml
@@ -0,0 +1,28 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: ti_threatq
+- name: threat.feed.name
+ type: constant_keyword
+ description: Display friendly feed name
+ value: ThreatQuotient
+- name: threat.feed.dashboard_id
+ type: constant_keyword
+ description: Dashboard ID used for Kibana CTI UI
+ value: ti_threatq-a05fd810-78f1-11ec-a97c-7db1518ab848
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: ti_threatq.threat
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/ti_threatq/1.2.2/data_stream/threat/fields/beats.yml b/packages/ti_threatq/1.2.2/data_stream/threat/fields/beats.yml
new file mode 100755
index 0000000000..cb44bb2944
--- /dev/null
+++ b/packages/ti_threatq/1.2.2/data_stream/threat/fields/beats.yml
@@ -0,0 +1,12 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.flags
+ type: keyword
+ description: Flags for the log file.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
diff --git a/packages/ti_threatq/1.2.2/data_stream/threat/fields/ecs.yml b/packages/ti_threatq/1.2.2/data_stream/threat/fields/ecs.yml
new file mode 100755
index 0000000000..fc1ccd5f4a
--- /dev/null
+++ b/packages/ti_threatq/1.2.2/data_stream/threat/fields/ecs.yml
@@ -0,0 +1,172 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- name: threat.feed.name + type: keyword +- description: The date and time when intelligence source first reported sighting this indicator. + name: threat.indicator.first_seen + type: date +- description: The date and time when intelligence source last reported sighting this indicator. + name: threat.indicator.last_seen + type: date +- description: |- + Type of indicator as represented by Cyber Observable in STIX 2.0. + Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate + name: threat.indicator.type + type: keyword +- description: Describes the type of action conducted by the threat. + name: threat.indicator.description + type: keyword +- description: |- + Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. + Expected values are: + * Not Specified + * None + * Low + * Medium + * High + name: threat.indicator.confidence + type: keyword +- description: Identifies a threat indicator as an IP address (irrespective of direction). + name: threat.indicator.ip + type: ip +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. 
+ name: threat.indicator.url.domain + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.full + type: wildcard +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: threat.indicator.url.extension + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: threat.indicator.url.original + type: wildcard +- description: Path of the request, such as "/search". + name: threat.indicator.url.path + type: wildcard +- description: Port of the request, such as 443. + name: threat.indicator.url.port + type: long +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: threat.indicator.url.scheme + type: keyword +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. 
+ name: threat.indicator.url.query
+ type: keyword
+- description: Identifies a threat indicator as an email address (irrespective of direction).
+ name: threat.indicator.email.address
+ type: keyword
+- description: The name of the indicator's provider.
+ name: threat.indicator.provider
+ type: keyword
+- description: MD5 hash.
+ name: threat.indicator.file.hash.md5
+ type: keyword
+- description: SHA1 hash.
+ name: threat.indicator.file.hash.sha1
+ type: keyword
+- description: SHA256 hash.
+ name: threat.indicator.file.hash.sha256
+ type: keyword
+- description: SHA512 hash.
+ name: threat.indicator.file.hash.sha512
+ type: keyword
+- description: |-
+ Traffic Light Protocol sharing markings.
+ Recommended values are:
+ * WHITE
+ * GREEN
+ * AMBER
+ * RED
+ name: threat.indicator.marking.tlp
+ type: keyword
diff --git a/packages/ti_threatq/1.2.2/data_stream/threat/fields/fields.yml b/packages/ti_threatq/1.2.2/data_stream/threat/fields/fields.yml
new file mode 100755
index 0000000000..d22e23df8b
--- /dev/null
+++ b/packages/ti_threatq/1.2.2/data_stream/threat/fields/fields.yml
@@ -0,0 +1,51 @@
+- name: threatq
+ type: group
+ description: >
+ Fields for ThreatQ indicators
+
+ fields:
+ - name: updated_at
+ type: date
+ description: >
+ Last modification time
+
+ - name: created_at
+ type: date
+ description: >
+ Object creation time
+
+ - name: expires_at
+ type: date
+ description: >
+ Expiration time
+
+ - name: expires_calculated_at
+ type: date
+ description: >
+ Expiration calculation time
+
+ - name: published_at
+ type: date
+ description: >
+ Object publication time
+
+ - name: status
+ type: keyword
+ description: >
+ Object status within the Threat Library
+
+ - name: indicator_value
+ type: keyword
+ description: >
+ Original indicator value
+
+ - name: adversaries
+ type: keyword
+ description: >
+ Adversaries that are linked to the object
+
+ - name: attributes
+ type: flattened
+ description: >
+ These provide additional context about an object
+
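Review bot: `threat.feed.name` is declared here as a plain `keyword` with no description, while base-fields.yml in the same commit declares the same field as `constant_keyword` with `value: ThreatQuotient`; two definitions of one field across the data stream's fields files leave it unclear which mapping wins, and the generated README row for it already shows an empty description cell. Drop the entry from ecs.yml so the base-fields definition stands alone, or, if it must stay, give it the same type and a description such as `description: Display friendly feed name`. The rest of the ECS definitions in this hunk look consistent with the README table.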
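Review bot: The `threatq.attributes` description ("These provide additional context about an object") does not tell a reader how the keys inside this `flattened` field are formed, yet the ingest pipeline on this page lowercases each attribute name, replaces spaces with underscores and then appends to `threatq.attributes.{{{ _ingest._value.name }}}`, so the key a user searches on is the normalized name (e.g. `router_port` in the sample event), not the name ThreatQ shows. Suggest `description: ThreatQ attributes, keyed by the attribute name lowercased with spaces replaced by underscores`. Because the field name is built from a template, an attribute name containing a `.` would presumably be interpreted as a nested path rather than a literal key; the pipeline's gsub only handles spaces, so it may be worth confirming how such names should be mapped and documenting it here.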
diff --git a/packages/ti_threatq/1.2.2/data_stream/threat/manifest.yml b/packages/ti_threatq/1.2.2/data_stream/threat/manifest.yml
new file mode 100755
index 0000000000..060ab47162
--- /dev/null
+++ b/packages/ti_threatq/1.2.2/data_stream/threat/manifest.yml
@@ -0,0 +1,100 @@
+type: logs
+title: ThreatQ
+streams:
+ - input: httpjson
+ vars:
+ - name: host
+ type: text
+ title: ThreatQ hostname
+ multi: false
+ required: true
+ show_user: true
+ default: https://threatqexample.com
+ description: The hostname of the ThreatQ instance.
+ - name: client_id
+ type: text
+ title: ThreatQ Oauth2 Client ID
+ multi: false
+ required: true
+ show_user: true
+ description: The Client ID used to access the ThreatQ instance.
+ - name: client_secret
+ type: password
+ title: ThreatQ Oauth2 Client Secret
+ multi: false
+ required: true
+ show_user: true
+ description: The Client ID used to access the ThreatQ instance.
+ - name: token_url
+ type: text
+ title: ThreatQ Oauth2 Token URL
+ multi: false
+ required: true
+ show_user: true
+ description: The Token URL used for Oauth2 Authentication.
+ default: https://threatqexample.com/api/token
+ - name: data_collection_id
+ type: text
+ title: ThreatQ Collection ID
+ multi: false
+ required: true
+ show_user: true
+ description: The ID of the collection to retrieve data from.
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ multi: false
+ required: false
+ show_user: false
+ default: 30s
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:
+ - name: interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 10m
+ - name: ssl
+ type: yaml
+ title: SSL
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #verification_mode: none
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - threatq-threat
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: httpjson.yml.hbs
+ title: ThreatQuotient
+ description: Collect indicators from the ThreatQuotient API
diff --git a/packages/ti_threatq/1.2.2/data_stream/threat/sample_event.json b/packages/ti_threatq/1.2.2/data_stream/threat/sample_event.json
new file mode 100755
index 0000000000..297ddb6dd4
--- /dev/null
+++ b/packages/ti_threatq/1.2.2/data_stream/threat/sample_event.json
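Review bot: The `client_secret` variable carries the `client_id` description verbatim ("The Client ID used to access the ThreatQ instance."), so the Fleet UI will label the secret as an ID; change it to `description: The Client Secret used to access the ThreatQ instance.`. The `proxy_url` description reads `http[s]://:@:` with no placeholder names, which looks like angle-bracketed user, password, host and port placeholders were lost somewhere between source and rendering; if the file really contains that string, spell the placeholders out in words or quote them so the intended form is clear. The `interval` default of `10m` also disagrees with the README in this commit, which states indicators are collected "every 1 minute"; one of the two should be corrected. Finally, `http_client_timeout` and `interval` have no `description`, unlike the other user-facing variables in this stream.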
@@ -0,0 +1,66 @@ +{ + "@timestamp": "2021-10-01T18:36:03.000Z", + "agent": { + "ephemeral_id": "12c946b4-2bf4-4d07-8aec-d28310ed16c8", + "id": "394964aa-5974-455c-bea7-5c0b89b470bd", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "ti_threatq.threat", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "394964aa-5974-455c-bea7-5c0b89b470bd", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-04-11T09:27:35.244Z", + "dataset": "ti_threatq.threat", + "ingested": "2022-04-11T09:27:36Z", + "kind": "enrichment", + "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":5,\"created_at\":\"2021-10-01 18:36:06\",\"id\":4893068,\"indicator_id\":106767,\"name\":\"Contact\",\"touched_at\":\"2021-10-24 18:36:10\",\"updated_at\":\"2021-10-24 18:36:10\",\"value\":\"email:Quetzalcoatl_relays[]protonmail.com url:https://quetzalcoatl-relays.org proof:uri-rsa hoster:frantech.ca\"},{\"attribute_id\":9,\"created_at\":\"2021-10-01 18:36:06\",\"id\":4893069,\"indicator_id\":106767,\"name\":\"Router Port\",\"touched_at\":\"2021-10-24 18:36:10\",\"updated_at\":\"2021-10-24 18:36:10\",\"value\":\"9000\"},{\"attribute_id\":6,\"created_at\":\"2021-10-01 18:36:06\",\"id\":4893070,\"indicator_id\":106767,\"name\":\"Flags\",\"touched_at\":\"2021-10-02 18:36:08\",\"updated_at\":\"2021-10-02 18:36:08\",\"value\":\"ERDV\"}],\"class\":\"network\",\"created_at\":\"2021-10-01 18:36:03\",\"expires_calculated_at\":\"2021-10-23 18:40:17\",\"hash\":\"69beef49fdbd1f54eef3cab324c7b6cf\",\"id\":106767,\"published_at\":\"2021-10-01 18:36:03\",\"score\":0,\"sources\":[{\"created_at\":\"2021-10-01 18:36:06\",\"creator_source_id\":12,\"id\":3699669,\"indicator_id\":106767,\"indicator_status_id\":1,\"indicator_type_id\":15,\"name\":\"www.dan.me.uk Tor Node List\",\"published_at\":\"2021-10-01 
18:36:06\",\"reference_id\":37,\"source_id\":12,\"source_type\":\"connectors\",\"updated_at\":\"2021-10-24 18:36:10\"}],\"status\":{\"description\":\"Poses a threat and is being exported to detection tools.\",\"id\":1,\"name\":\"Active\"},\"status_id\":1,\"touched_at\":\"2021-10-24 18:36:10\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2021-10-01 18:36:03\",\"value\":\"107.189.1.90\"}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "threatq-threat" + ], + "threat": { + "indicator": { + "confidence": "None", + "ip": "107.189.1.90", + "type": "ipv4-addr" + } + }, + "threatq": { + "attributes": { + "contact": [ + "email:Quetzalcoatl_relays[]protonmail.com url:https://quetzalcoatl-relays.org proof:uri-rsa hoster:frantech.ca" + ], + "flags": [ + "ERDV" + ], + "router_port": [ + "9000" + ] + }, + "created_at": "2021-10-01T18:36:03.000Z", + "expires_calculated_at": "2021-10-23T18:40:17.000Z", + "indicator_value": "107.189.1.90", + "published_at": "2021-10-01T18:36:03.000Z", + "status": "Active" + } +} \ No newline at end of file diff --git a/packages/ti_threatq/1.2.2/docs/README.md b/packages/ti_threatq/1.2.2/docs/README.md new file mode 100755 index 0000000000..822712d08a --- /dev/null +++ b/packages/ti_threatq/1.2.2/docs/README.md 
@@ -0,0 +1,172 @@ +# ThreatQuotient Integration + +The ThreatQuotient integration uses the available REST API to retrieve indicators and Threat Intelligence. + +## Logs + +### Threat + +The ThreatQ integration requires you to set a valid URL, combination of Oauth2 credentials and the ID of the collection to retrieve +indicators from. +By default the indicators will be collected every 1 minute, and deduplication is handled by the API itself. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| tags | List of keywords used to tag each event. 
| keyword | +| threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword | +| threat.feed.name | | keyword | +| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are: \* Not Specified \* None \* Low \* Medium \* High | keyword | +| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | +| threat.indicator.email.address | Identifies a threat indicator as an email address (irrespective of direction). | keyword | +| threat.indicator.file.hash.md5 | MD5 hash. | keyword | +| threat.indicator.file.hash.sha1 | SHA1 hash. | keyword | +| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | +| threat.indicator.file.hash.sha512 | SHA512 hash. | keyword | +| threat.indicator.first_seen | The date and time when intelligence source first reported sighting this indicator. | date | +| threat.indicator.ip | Identifies a threat indicator as an IP address (irrespective of direction). | ip | +| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | +| threat.indicator.marking.tlp | Traffic Light Protocol sharing markings. Recommended values are: \* WHITE \* GREEN \* AMBER \* RED | keyword | +| threat.indicator.provider | The name of the indicator's provider. | keyword | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword | +| threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". 
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| threat.indicator.url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| threat.indicator.url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| threat.indicator.url.full.text | Multi-field of `threat.indicator.url.full`. | match_only_text | +| threat.indicator.url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| threat.indicator.url.original.text | Multi-field of `threat.indicator.url.original`. | match_only_text | +| threat.indicator.url.path | Path of the request, such as "/search". | wildcard | +| threat.indicator.url.port | Port of the request, such as 443. | long | +| threat.indicator.url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. 
The `exists` query can be used to differentiate between the two cases. | keyword | +| threat.indicator.url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| threatq.adversaries | Adversaries that are linked to the object | keyword | +| threatq.attributes | These provide additional context about an object | flattened | +| threatq.created_at | Object creation time | date | +| threatq.expires_at | Expiration time | date | +| threatq.expires_calculated_at | Expiration calculation time | date | +| threatq.indicator_value | Original indicator value | keyword | +| threatq.published_at | Object publication time | date | +| threatq.status | Object status within the Threat Library | keyword | +| threatq.updated_at | Last modification time | date | + + +An example event for `threat` looks as following: + +```json +{ + "@timestamp": "2021-10-01T18:36:03.000Z", + "agent": { + "ephemeral_id": "12c946b4-2bf4-4d07-8aec-d28310ed16c8", + "id": "394964aa-5974-455c-bea7-5c0b89b470bd", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0" + }, + "data_stream": { + "dataset": "ti_threatq.threat", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "394964aa-5974-455c-bea7-5c0b89b470bd", + "snapshot": false, + "version": "8.0.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-04-11T09:27:35.244Z", + "dataset": "ti_threatq.threat", + "ingested": "2022-04-11T09:27:36Z", + "kind": "enrichment", + "original": "{\"adversaries\":[],\"attributes\":[{\"attribute_id\":5,\"created_at\":\"2021-10-01 18:36:06\",\"id\":4893068,\"indicator_id\":106767,\"name\":\"Contact\",\"touched_at\":\"2021-10-24 18:36:10\",\"updated_at\":\"2021-10-24 18:36:10\",\"value\":\"email:Quetzalcoatl_relays[]protonmail.com url:https://quetzalcoatl-relays.org proof:uri-rsa hoster:frantech.ca\"},{\"attribute_id\":9,\"created_at\":\"2021-10-01 
18:36:06\",\"id\":4893069,\"indicator_id\":106767,\"name\":\"Router Port\",\"touched_at\":\"2021-10-24 18:36:10\",\"updated_at\":\"2021-10-24 18:36:10\",\"value\":\"9000\"},{\"attribute_id\":6,\"created_at\":\"2021-10-01 18:36:06\",\"id\":4893070,\"indicator_id\":106767,\"name\":\"Flags\",\"touched_at\":\"2021-10-02 18:36:08\",\"updated_at\":\"2021-10-02 18:36:08\",\"value\":\"ERDV\"}],\"class\":\"network\",\"created_at\":\"2021-10-01 18:36:03\",\"expires_calculated_at\":\"2021-10-23 18:40:17\",\"hash\":\"69beef49fdbd1f54eef3cab324c7b6cf\",\"id\":106767,\"published_at\":\"2021-10-01 18:36:03\",\"score\":0,\"sources\":[{\"created_at\":\"2021-10-01 18:36:06\",\"creator_source_id\":12,\"id\":3699669,\"indicator_id\":106767,\"indicator_status_id\":1,\"indicator_type_id\":15,\"name\":\"www.dan.me.uk Tor Node List\",\"published_at\":\"2021-10-01 18:36:06\",\"reference_id\":37,\"source_id\":12,\"source_type\":\"connectors\",\"updated_at\":\"2021-10-24 18:36:10\"}],\"status\":{\"description\":\"Poses a threat and is being exported to detection tools.\",\"id\":1,\"name\":\"Active\"},\"status_id\":1,\"touched_at\":\"2021-10-24 18:36:10\",\"type\":{\"class\":\"network\",\"id\":15,\"name\":\"IP Address\"},\"type_id\":15,\"updated_at\":\"2021-10-01 18:36:03\",\"value\":\"107.189.1.90\"}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "threatq-threat" + ], + "threat": { + "indicator": { + "confidence": "None", + "ip": "107.189.1.90", + "type": "ipv4-addr" + } + }, + "threatq": { + "attributes": { + "contact": [ + "email:Quetzalcoatl_relays[]protonmail.com url:https://quetzalcoatl-relays.org proof:uri-rsa hoster:frantech.ca" + ], + "flags": [ + "ERDV" + ], + "router_port": [ + "9000" + ] + }, + "created_at": "2021-10-01T18:36:03.000Z", + "expires_calculated_at": "2021-10-23T18:40:17.000Z", + "indicator_value": "107.189.1.90", + "published_at": "2021-10-01T18:36:03.000Z", + "status": "Active" + } +} +``` 
\ No newline at end of file diff --git a/packages/ti_threatq/1.2.2/img/threatq.svg b/packages/ti_threatq/1.2.2/img/threatq.svg new file mode 100755 index 0000000000..0da7d32522 --- /dev/null +++ b/packages/ti_threatq/1.2.2/img/threatq.svg @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git a/packages/ti_threatq/1.2.2/kibana/dashboard/ti_threatq-a05fd810-78f1-11ec-a97c-7db1518ab848.json b/packages/ti_threatq/1.2.2/kibana/dashboard/ti_threatq-a05fd810-78f1-11ec-a97c-7db1518ab848.json new file mode 100755 index 0000000000..f4adcae2b5 --- /dev/null +++ b/packages/ti_threatq/1.2.2/kibana/dashboard/ti_threatq-a05fd810-78f1-11ec-a97c-7db1518ab848.json 
@@ -0,0 +1,112 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about indicators ingested from the ThreatQ integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_threatq.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_threatq.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n**[ThreatQ Overview (This Page)](/app/dashboards#/view/ti_threatq-a05fd810-78f1-11ec-a97c-7db1518ab848)** \\n[ThreatQ Files](/app/dashboards#/view/ti_threatq-ab289de0-78f1-11ec-a97c-7db1518ab848) \\n[ThreatQ URLs](/app/dashboards#/view/ti_threatq-b45b0c40-78f1-11ec-a97c-7db1518ab848) \\n\\n[Integrations Page](/app/integrations/detail/ti_threatq/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is a health overview related to the ThreatQ integration.\\n\\nThe dashboard is made to provide general statistics and show the health of the ingestion of indicators from ThreatQ. 
\\n\\nIt shows the ingestion rates (by default it fetches new updates every 10 minutes) and provides a few filters for drilling down to specific indicator types retrieved from ThreatQ.\",\"openLinksInNewTab\":false},\"title\":\"Overview Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"555e9e6c-04e9-4022-b6df-bda07dde30c4\",\"title\":\"Overview Textbox [Logs ThreatQ]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.dataset\",\"negate\":false,\"params\":[\"ti_abusech.malware\",\"ti_abusech.malwarebazaar\",\"ti_abusech.url\"],\"type\":\"phrases\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malware\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.malwarebazaar\"}},{\"match_phrase\":{\"event.dataset\":\"ti_abusech.url\"}}]}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"controls\":[{\"fieldName\":\"data_stream.dataset\",\"id\":\"1635779550157\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern\",\"label\":\"Feed 
Name\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.provider\",\"id\":\"1635779603363\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern\",\"label\":\"Indicator Provider\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"threat.indicator.type\",\"id\":\"1635779625911\",\"indexPatternRefName\":\"control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern\",\"label\":\"Indicator Type\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Feed and Indicator Selector [Logs AbuseCH]\",\"type\":\"input_control_vis\",\"uiState\":{}}},\"gridData\":{\"h\":7,\"i\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"w\":41,\"x\":7,\"y\":0},\"panelIndex\":\"e971fedd-6afd-4d03-93ac-d0c751acc254\",\"title\":\"Feed and Indicator Selector [Logs ThreatQ]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-1d376820-3b22-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"070f5dbc-7687-4e97-9a57-5542b401c13f\":{\"columnOrder\":[\"1e352b49-3b83-44a6-98fe-8703d30f2517\"],\"columns\":{\"1e352b49-3b83-44a6-98fe-8703d30f2517\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
Indicators\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"1e352b49-3b83-44a6-98fe-8703d30f2517\",\"layerId\":\"070f5dbc-7687-4e97-9a57-5542b401c13f\",\"layerType\":\"data\"}},\"title\":\"Total Indicators [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"w\":6,\"x\":7,\"y\":7},\"panelIndex\":\"d37eb797-f273-43c2-9004-b947891cce55\",\"title\":\"Total Indicators [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-49830790-3b27-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"df8e3a91-700b-428a-a763-525076e4d3c8\":{\"columnOrder\":[\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\"],\"columns\":{\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total Datastreams\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"e4f78e2f-f0a7-4cc6-96d0-af607ffbf326\",\"layerId\":\"df8e3a91-700b-428a-a763-525076e4d3c8\",\"layerType\":\"data\"}},\"title\":\"Total Datastreams [Logs 
AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"w\":6,\"x\":7,\"y\":15},\"panelIndex\":\"6509dcc9-bb9c-4c1f-80e9-612f67ada340\",\"title\":\"Total Datastreams [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1e757dc0-2e6d-4bd2-aa38-7da9133ca960\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-ec1a2c50-3b30-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1e757dc0-2e6d-4bd2-aa38-7da9133ca960\":{\"columnOrder\":[\"66779b74-d127-4249-93e4-b8cd9c39b91f\",\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\"],\"columns\":{\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"66779b74-d127-4249-93e4-b8cd9c39b91f\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.provider\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.provider\"}}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"2bbd31c6-4a58-43e5-bab9-de9e7c2d2242\"],\"layerId\":\"1e757dc0-2e6d-4bd2-aa38-7da9133ca960\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"66779b74-d127-4249-93e4-b8cd9c39b91f\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\",\"showSingleSeries\":false},\"preferredSeriesType\":\"bar_horizontal\",\"title\":\"Empty XY chart\",\"valueLabels\":\"inside\",\"xTitle\":\"Providers\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Count\"}},\"title\":\"Total Indicators per Provider [Logs AbuseCH]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"86d83606-4176-44b1-b3f3-011d5b5b4b58\",\"w\":23,\"x\":13,\"y\":7},\"panelIndex\":\"86d83606-4176-44b1-b3f3-011d5b5b4b58\",\"title\":\"Total Indicators per Provider [Logs 
ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-682732d8-8691-4c5a-bf89-de8e30d71dfb\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-62801870-3b2a-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"682732d8-8691-4c5a-bf89-de8e30d71dfb\":{\"columnOrder\":[\"dd629c44-e7db-438e-8656-340b94fd30d8\",\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\"],\"columns\":{\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"dd629c44-e7db-438e-8656-340b94fd30d8\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Indicators\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"dd629c44-e7db-438e-8656-340b94fd30d8\"],\"layerId\":\"682732d8-8691-4c5a-bf89-de8e30d71dfb\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"legendPosition\":\"right\",\"metric\":\"bad802d8-b23f-4ef4-8dcf-4e92170595a7\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2,\"truncateLegend\":true}],\"shape\":\"donut\"}},\"title\":\"Total Indicators per Datastream [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"f654c447-12d2-41a4-9091-06169af11ba5\",\"w\":12,\"x\":36,\"y\":7},\"panelIndex\":\"f654c447-12d2-41a4-9091-06169af11ba5\",\"title\":\"Total Indicators per Datastream [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-8c0613c0-3b25-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\":{\"columnOrder\":[\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\",\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"columns\":{\"0726d151-9edf-41cb-ab52-473ab27cf8b7\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"4d7ca99c-8a53-4a7f-96db-409251c0e391\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
event.dataset\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0726d151-9edf-41cb-ab52-473ab27cf8b7\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"event.dataset\"},\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"30s\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"curveType\":\"CURVE_MONOTONE_X\",\"fittingFunction\":\"Zero\",\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0726d151-9edf-41cb-ab52-473ab27cf8b7\"],\"layerId\":\"c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"splitAccessor\":\"4d7ca99c-8a53-4a7f-96db-409251c0e391\",\"xAccessor\":\"b7f07f7c-1477-4f83-95f5-ad5cdc3a314b\"}],\"legend\":{\"isInside\":false,\"isVisible\":true,\"position\":\"bottom\",\"shouldTruncate\":false,\"showSingleSeries\":true},\"preferredSeriesType\":\"line\",\"title\":\"Empty XY chart\",\"valueLabels\":\"hide\",\"valuesInLegend\":false,\"xTitle\":\"Date\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"yTitle\":\"Total Indicators\"}},\"title\":\"Indicators ingested per Datastream [Logs AbuseCH]\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"w\":41,\"x\":7,\"y\":23},\"panelIndex\":\"aab4fac0-d39c-4521-aa9b-0a49d5938e9e\",\"title\":\"Indicators ingested per Datastream [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs ThreatQ] Overview", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": 
"ti_threatq-a05fd810-78f1-11ec-a97c-7db1518ab848", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e971fedd-6afd-4d03-93ac-d0c751acc254:control_e971fedd-6afd-4d03-93ac-d0c751acc254_2_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d37eb797-f273-43c2-9004-b947891cce55:indexpattern-datasource-layer-070f5dbc-7687-4e97-9a57-5542b401c13f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6509dcc9-bb9c-4c1f-80e9-612f67ada340:indexpattern-datasource-layer-df8e3a91-700b-428a-a763-525076e4d3c8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "86d83606-4176-44b1-b3f3-011d5b5b4b58:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + 
"name": "86d83606-4176-44b1-b3f3-011d5b5b4b58:indexpattern-datasource-layer-1e757dc0-2e6d-4bd2-aa38-7da9133ca960", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f654c447-12d2-41a4-9091-06169af11ba5:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f654c447-12d2-41a4-9091-06169af11ba5:indexpattern-datasource-layer-682732d8-8691-4c5a-bf89-de8e30d71dfb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aab4fac0-d39c-4521-aa9b-0a49d5938e9e:indexpattern-datasource-layer-c1cee622-e3dd-4d6b-a28a-0fb19dc2c7b7", + "type": "index-pattern" + }, + { + "id": "ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848", + "name": "tag-ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/ti_threatq/1.2.2/kibana/dashboard/ti_threatq-ab289de0-78f1-11ec-a97c-7db1518ab848.json b/packages/ti_threatq/1.2.2/kibana/dashboard/ti_threatq-ab289de0-78f1-11ec-a97c-7db1518ab848.json new file mode 100755 index 0000000000..0fa3fc0ee3 --- /dev/null +++ b/packages/ti_threatq/1.2.2/kibana/dashboard/ti_threatq-ab289de0-78f1-11ec-a97c-7db1518ab848.json 
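Review bot: The `Feed and Indicator Selector` control panel in `panelsJSON` still carries the filter it was copied with — its inner `savedVis.data.searchSource.filter` restricts `event.dataset` to `ti_abusech.malware`, `ti_abusech.malwarebazaar` and `ti_abusech.url`, none of which is the `ti_threatq.threat` dataset the dashboard-level `searchSourceJSON` selects, so if the control honours that filter the Feed Name / Indicator Provider / Indicator Type dropdowns will offer no ThreatQ values. The inner `savedVis`/`attributes` titles (`Overview Textbox [Logs AbuseCH]`, `Feed and Indicator Selector [Logs AbuseCH]`, `Total Indicators [Logs AbuseCH]` and the rest) and every `sharingSavedObjectProps.sourceId` still point at `ti_abusech-…` objects, while only the outer `panelIndex` titles were renamed to `[Logs ThreatQ]`. Suggest replacing the phrases filter with `"params":["ti_threatq.threat"]` and a single `{"match_phrase":{"event.dataset":"ti_threatq.threat"}}` should-clause (or dropping the panel-level filter entirely, since the dashboard filter already scopes the dataset), and renaming the inner titles so exported objects are not mistaken for the AbuseCH package's. The ThreatQ Files dashboard that follows (`ti_threatq-ab289de0-…`) shows the same `[Logs AbuseCH]` inner titles and `ti_abusech-…` sourceIds and should get the same cleanup.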
@@ -0,0 +1,102 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about file type indicators from the ThreatQ integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"enrichment\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"enrichment\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"file\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"file\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_threatq.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_threatq.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[ThreatQ Overview](/app/dashboards#/view/ti_threatq-a05fd810-78f1-11ec-a97c-7db1518ab848) \\n**[ThreatQ Files (This Page)](/app/dashboards#/view/ti_threatq-ab289de0-78f1-11ec-a97c-7db1518ab848)** \\n[ThreatQ URLs](/app/dashboards#/view/ti_threatq-b45b0c40-78f1-11ec-a97c-7db1518ab848) \\n\\n[Integrations 
Page](/app/integrations/detail/ti_threatq/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: file**.\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like hash type counters, popular domains, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"Files Navigation Textbox [Logs AbuseCH]\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":27,\"i\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"09ba3dc0-e2e2-4799-b47f-bb919bf290a1\",\"title\":\"Files Navigation Textbox [Logs ThreatQ]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-2e2257a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\":{\"columnOrder\":[\"8622e147-406f-4711-8f68-e2425614106e\"],\"columns\":{\"8622e147-406f-4711-8f68-e2425614106e\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique File types\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.type\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"8622e147-406f-4711-8f68-e2425614106e\",\"layerId\":\"98786f76-dac4-4fc7-9cad-8bfce17bd00d\",\"layerType\":\"data\"}},\"title\":\"Unique File Types [Logs 
AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"31ea16d1-7591-42a7-b773-6fca00e5db14\",\"title\":\"Unique File Types [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-d888e3e0-3b38-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b83c382d-fab9-4e60-a632-475e221cc20c\":{\"columnOrder\":[\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\"],\"columns\":{\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique MD5\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.md5\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"eda3c6d9-dacb-4e5e-b977-50104f76e91a\",\"layerId\":\"b83c382d-fab9-4e60-a632-475e221cc20c\",\"layerType\":\"data\"}},\"title\":\"Unique MD5 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98\",\"title\":\"Unique MD5 [Logs 
ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-28549810-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"85ad73b3-3b76-49f1-ad20-6256b58918f8\":{\"columnOrder\":[\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\"],\"columns\":{\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA1\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha1\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"289bd005-bdd2-4f3b-83b9-ad6ae52a9ed3\",\"layerId\":\"85ad73b3-3b76-49f1-ad20-6256b58918f8\",\"layerType\":\"data\"}},\"title\":\"Unique SHA1 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"w\":6,\"x\":26,\"y\":0},\"panelIndex\":\"e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea\",\"title\":\"Unique SHA1 [Logs 
ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-5d6111a0-3b39-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49b7070a-f1d3-46e1-a980-2f6d6d130167\":{\"columnOrder\":[\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\"],\"columns\":{\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique SHA256\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.file.hash.sha256\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"b6c5e221-88ff-490e-bd3e-188b3e0dd1f4\",\"layerId\":\"49b7070a-f1d3-46e1-a980-2f6d6d130167\",\"layerType\":\"data\"}},\"title\":\"Unique SHA256 [Logs AbuseCH]\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"w\":6,\"x\":32,\"y\":0},\"panelIndex\":\"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce\",\"title\":\"Unique SHA256 [Logs 
ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"ti_abusech-4ee4a490-3b37-11ec-ae50-2fdf1e96c6a6\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\":{\"columnOrder\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\",\"de0e531b-dda7-461f-9783-3ab9267d202e\"],\"columns\":{\"06b603cb-c9fb-493a-9ca4-e6502ca12054\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of threat.indicator.file.type\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.type\"},\"de0e531b-dda7-461f-9783-3ab9267d202e\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"06b603cb-c9fb-493a-9ca4-e6502ca12054\"],\"layerId\":\"222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"de0e531b-dda7-461f-9783-3ab9267d202e\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"File Types [Logs 
AbuseCH]\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"w\":19,\"x\":7,\"y\":8},\"panelIndex\":\"5f1d0cf1-c331-4495-99d5-5e80d023c482\",\"title\":\"File Types [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674\",\"type\":\"index-pattern\"}],\"sharingSavedObjectProps\":{\"outcome\":\"exactMatch\",\"sourceId\":\"2d0c0ec0-3bbf-11ec-ae8c-7d00429ad420\"},\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"06d9ac79-2055-437e-892c-de9ee07fe674\":{\"columnOrder\":[\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"df062557-78a5-4a78-93f1-34583c809bc3\"],\"columns\":{\"35f5321a-27f4-4076-9d1d-d326187f4689\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"File Names\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.file.name\"},\"df062557-78a5-4a78-93f1-34583c809bc3\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"35f5321a-27f4-4076-9d1d-d326187f4689\",\"isTransposed\":false},{\"columnId\":\"df062557-78a5-4a78-93f1-34583c809bc3\",\"isTransposed\":false}],\"layerId\":\"06d9ac79-2055-437e-892c-de9ee07fe674\",\"layerType\":\"data\"}},\"title\":\"Most popular file names [Logs 
AbuseCH]\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":19,\"i\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"w\":21,\"x\":26,\"y\":8},\"panelIndex\":\"b733385b-14f8-4469-b777-86d0139cc56b\",\"title\":\"Most popular file names [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs ThreatQ] Files", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "ti_threatq-ab289de0-78f1-11ec-a97c-7db1518ab848", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "31ea16d1-7591-42a7-b773-6fca00e5db14:indexpattern-datasource-layer-98786f76-dac4-4fc7-9cad-8bfce17bd00d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4d3e11dc-c4cc-4373-bb83-3d39fe6ffa98:indexpattern-datasource-layer-b83c382d-fab9-4e60-a632-475e221cc20c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9b6f0ad-5e6b-44da-923e-dc0d5ccfdfea:indexpattern-datasource-layer-85ad73b3-3b76-49f1-ad20-6256b58918f8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "93e32abe-87e3-469e-b7e9-a7ef7dfa2cce:indexpattern-datasource-layer-49b7070a-f1d3-46e1-a980-2f6d6d130167",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "5f1d0cf1-c331-4495-99d5-5e80d023c482:indexpattern-datasource-layer-222b3ad0-2e5d-46a0-ae3d-f6a0b15ac2c8",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b733385b-14f8-4469-b777-86d0139cc56b:indexpattern-datasource-layer-06d9ac79-2055-437e-892c-de9ee07fe674",
+ "type": "index-pattern"
+ },
+ {
+ "id": "ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848",
+ "name": "tag-ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848",
+ "type": "tag"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/ti_threatq/1.2.2/kibana/dashboard/ti_threatq-b45b0c40-78f1-11ec-a97c-7db1518ab848.json b/packages/ti_threatq/1.2.2/kibana/dashboard/ti_threatq-b45b0c40-78f1-11ec-a97c-7db1518ab848.json
new file mode 100755
index 0000000000..1b50c92265
--- /dev/null
+++ b/packages/ti_threatq/1.2.2/kibana/dashboard/ti_threatq-b45b0c40-78f1-11ec-a97c-7db1518ab848.json
@@ -0,0 +1,97 @@ +{ + "attributes": { + "description": "Dashboard providing statistics about URL type indicators from the ThreatQ integration", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"threat.indicator.type\",\"negate\":false,\"params\":{\"query\":\"url\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"threat.indicator.type\":\"url\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"ti_threatq.threat\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"ti_threatq.threat\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"**Navigation**\\n\\n[ThreatQ Overview ](/app/dashboards#/view/ti_threatq-a05fd810-78f1-11ec-a97c-7db1518ab848) \\n[ThreatQ Files](/app/dashboards#/view/ti_threatq-ab289de0-78f1-11ec-a97c-7db1518ab848) \\n**[ThreatQ URLs (This Page)](/app/dashboards#/view/ti_threatq-b45b0c40-78f1-11ec-a97c-7db1518ab848)** \\n\\n[Integrations Page](/app/integrations/detail/ti_threatq/overview)\\n\\n\\n**Overview**\\n\\nThis dashboard is an overview of the different threat intelligence indicators with a **threat.indicator.type: url**. 
\\n\\nThe dashboard is made to provide general statistics and show the health of your indicators like popular domains, file extensions, statistics about how many unique indicators are ingested and other relevant information.\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":39,\"i\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"w\":7,\"x\":0,\"y\":0},\"panelIndex\":\"4c3ed6e1-8b4e-4eab-8d84-70ed4f506216\",\"title\":\"Files Navigation Textbox [Logs ThreatQ]\",\"type\":\"visualization\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"88a112e1-6da1-49d3-9177-19f98280c200\":{\"columnOrder\":[\"604f1693-15a6-437d-af69-03588db8e471\"],\"columns\":{\"604f1693-15a6-437d-af69-03588db8e471\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Ports\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"604f1693-15a6-437d-af69-03588db8e471\",\"layerId\":\"88a112e1-6da1-49d3-9177-19f98280c200\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"w\":6,\"x\":7,\"y\":0},\"panelIndex\":\"c7c6e8dc-b649-434c-9650-8a1564d4d676\",\"title\":\"Unique Ports [Logs 
ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"a6fa56f8-32fa-405d-8771-dade4fe75d62\":{\"columnOrder\":[\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\"],\"columns\":{\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique Extensions\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.extension\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"848c463b-bbc1-4b6a-af3e-76d844eb3cc5\",\"layerId\":\"a6fa56f8-32fa-405d-8771-dade4fe75d62\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"w\":6,\"x\":13,\"y\":0},\"panelIndex\":\"73a752f9-bde5-4396-8ede-e9e77a37182d\",\"title\":\"Unique File Extensions [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9fa49c4c-5544-472d-afce-e51d6a5687fe\":{\"columnOrder\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\"],\"columns\":{\"15e2b5ad-2040-4253-89a6-60f085c66f86\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top 
values of threat.indicator.url.extension\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.extension\"},\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"15e2b5ad-2040-4253-89a6-60f085c66f86\"],\"layerId\":\"9fa49c4c-5544-472d-afce-e51d6a5687fe\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"b9a631fe-5f49-4db2-a076-bcbf5410aec9\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":31,\"i\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"w\":23,\"x\":25,\"y\":0},\"panelIndex\":\"fda93ed1-72f0-4489-80b7-9e69d14f30aa\",\"title\":\"Most Popular File Extensions [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"c94400ee-a135-4a99-9693-5879d29f7aad\":{\"columnOrder\":[\"2934249f-fce5-4637-87ff-d2596d1b6ec5\"],\"columns\":{\"2934249f-fce5-4637-87ff-d2596d1b6ec5\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Unique 
Domains\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"accessor\":\"2934249f-fce5-4637-87ff-d2596d1b6ec5\",\"layerId\":\"c94400ee-a135-4a99-9693-5879d29f7aad\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsMetric\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"w\":6,\"x\":19,\"y\":0},\"panelIndex\":\"02f1732b-a981-4fba-8b27-b944f2f3c98c\",\"title\":\"Unique Domains [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0f63318a-a857-4d83-89ce-a94e2242b79e\":{\"columnOrder\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\",\"77a48096-02aa-4b7a-8a7b-131fc38988bd\"],\"columns\":{\"77a48096-02aa-4b7a-8a7b-131fc38988bd\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"df0791a6-247c-4434-a43a-fdea7577ca34\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
threat.indicator.url.scheme\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.scheme\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"df0791a6-247c-4434-a43a-fdea7577ca34\"],\"layerId\":\"0f63318a-a857-4d83-89ce-a94e2242b79e\",\"layerType\":\"data\",\"legendDisplay\":\"show\",\"metric\":\"77a48096-02aa-4b7a-8a7b-131fc38988bd\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"w\":18,\"x\":7,\"y\":8},\"panelIndex\":\"ab7ab31c-e76f-4613-b17d-fdd909f17e0d\",\"title\":\"Percentage of URL Schema used [Logs 
ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"db89074c-e1fe-4091-bdb1-e42a36e82bac\":{\"columnOrder\":[\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\"],\"columns\":{\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Domains\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"threat.indicator.url.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"columns\":[{\"columnId\":\"7ca1ac0b-2060-4431-a4b9-ec470af4448c\",\"isTransposed\":false},{\"columnId\":\"b284ea2a-a2cd-4d08-bf44-fc73c08b5694\",\"isTransposed\":false}],\"layerId\":\"db89074c-e1fe-4091-bdb1-e42a36e82bac\",\"layerType\":\"data\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsDatatable\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":16,\"i\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"w\":18,\"x\":7,\"y\":23},\"panelIndex\":\"8994501a-1550-4cf2-857f-d6b6491ffb62\",\"title\":\"Most Popular Domains [Logs ThreatQ]\",\"type\":\"lens\",\"version\":\"8.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Logs ThreatQ] URLs", + "version": 1 
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "ti_threatq-b45b0c40-78f1-11ec-a97c-7db1518ab848",
+ "migrationVersion": {
+ "dashboard": "8.0.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c7c6e8dc-b649-434c-9650-8a1564d4d676:indexpattern-datasource-layer-88a112e1-6da1-49d3-9177-19f98280c200",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "73a752f9-bde5-4396-8ede-e9e77a37182d:indexpattern-datasource-layer-a6fa56f8-32fa-405d-8771-dade4fe75d62",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "fda93ed1-72f0-4489-80b7-9e69d14f30aa:indexpattern-datasource-layer-9fa49c4c-5544-472d-afce-e51d6a5687fe",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "02f1732b-a981-4fba-8b27-b944f2f3c98c:indexpattern-datasource-layer-c94400ee-a135-4a99-9693-5879d29f7aad",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "ab7ab31c-e76f-4613-b17d-fdd909f17e0d:indexpattern-datasource-layer-0f63318a-a857-4d83-89ce-a94e2242b79e",
+ "type": 
"index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "8994501a-1550-4cf2-857f-d6b6491ffb62:indexpattern-datasource-layer-db89074c-e1fe-4091-bdb1-e42a36e82bac",
+ "type": "index-pattern"
+ },
+ {
+ "id": "ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848",
+ "name": "tag-ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848",
+ "type": "tag"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/ti_threatq/1.2.2/kibana/tag/ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848.json b/packages/ti_threatq/1.2.2/kibana/tag/ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848.json
new file mode 100755
index 0000000000..be8a15d6e9
--- /dev/null
+++ b/packages/ti_threatq/1.2.2/kibana/tag/ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848.json
@@ -0,0 +1,14 @@
+{
+ "attributes": {
+ "color": "#6092C0",
+ "description": "",
+ "name": "ThreatQ"
+ },
+ "coreMigrationVersion": "8.0.0",
+ "id": "ti_threatq-c0cca010-78f1-11ec-a97c-7db1518ab848",
+ "migrationVersion": {
+ "tag": "8.0.0"
+ },
+ "references": [],
+ "type": "tag"
+}
\ No newline at end of file
diff --git a/packages/ti_threatq/1.2.2/manifest.yml b/packages/ti_threatq/1.2.2/manifest.yml
new file mode 100755
index 0000000000..5001710993
--- /dev/null
+++ b/packages/ti_threatq/1.2.2/manifest.yml
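Review bot: The treemap layer of the "Most Popular File Extensions" panel lists the same bucket column twice in `groups` (`\"groups\":[\"15e2b5ad-2040-4253-89a6-60f085c66f86\",\"15e2b5ad-2040-4253-89a6-60f085c66f86\"]`), which looks like a copy-paste duplicate; Lens expects each bucket column once, so the second entry should be dropped. The markdown navigation panel on this URLs dashboard still carries the title `Files Navigation Textbox [Logs ThreatQ]`; it should read `URLs Navigation Textbox [Logs ThreatQ]`. The donut panel titled `Percentage of URL Schema used [Logs ThreatQ]` groups on `threat.indicator.url.scheme`, so "Scheme" is the correct word. The same copy-paste residue appears in the Files dashboard hunk above, where the Lens attribute titles say `[Logs AbuseCH]` and `sharingSavedObjectProps.sourceId` points at `ti_abusech-…` saved objects; every panel in both dashboards is stamped `\"version\":\"8.0.0-SNAPSHOT\"`, which suggests an export from a development build and is worth confirming before releasing as 1.2.2.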
@@ -0,0 +1,26 @@
+name: ti_threatq
+title: ThreatQuotient
+version: 1.2.2
+release: ga
+description: This Elastic integration collects threat intelligence from ThreatQuotient
+type: integration
+format_version: 1.0.0
+license: basic
+categories: [security]
+conditions:
+ kibana.version: ^8.0.0
+icons:
+ - src: /img/threatq.svg
+ title: ThreatQuotient
+ size: 600x600
+ type: image/svg+xml
+policy_templates:
+ - name: ti_threatq
+ title: ThreatQuotient
+ description: Collect threat intelligence from the ThreatQuotient API.
+ inputs:
+ - type: httpjson
+ title: "Collect threat intelligence from the ThreatQuotient API."
+ description: "Collect threat intelligence from the ThreatQuotient API."
+owner:
+ github: elastic/security-external-integrations
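Review bot: Under `policy_templates[0].inputs[0]` the `title` and `description` are the identical sentence `Collect threat intelligence from the ThreatQuotient API.`, and the policy template's own `description` one level up repeats it a third time; the input title should be a short label, e.g. `title: ThreatQuotient threat intelligence`, with the sentence kept only in `description`. Those two values are also the only double-quoted scalars in the file while the parallel top-level `description` is plain — neither needs quoting, so pick one style for the whole manifest. The file has no `---` document-start marker; if the other package manifests in the repository carry one (yamllint's `document-start` default), this one should too.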